[HN Gopher] Terrorist watchlist exposed via misconfigured Elasti...
___________________________________________________________________
Terrorist watchlist exposed via misconfigured Elasticsearch cluster
Author : david_shaw
Score : 266 points
Date : 2021-08-16 17:37 UTC (2 days ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| commandlinefan wrote:
| At least last time I looked at it, ElasticSearch is shockingly
| insecure by default (as are Mongo, Cassandra, Hadoop, and
| everything else that's popular in the relatively recent Java
| ecosystem).
| Saris wrote:
| It's crazy how much stuff is just no auth and listens on all
| interfaces by default.
| snarf21 wrote:
| Yeah, this is the same as Wi-Fi routers all being
| admin/password. They finally started assigning them random
| pwds. Why isn't secure by default chosen?
| l0b0 wrote:
| That's easy: perverse incentives.
|
| 1. Secure by default makes for a higher barrier to entry.
| It's human nature to want to keep barriers of entry low for
| your life's work. (I have similar thoughts around copyleft
| licenses being better for the users but hard to sell to the
| creators.)
|
| 2. Security is "available" to anyone savvy enough to clear
| all the hurdles to secure the system, so the creators feel
| justified to blame the user.
|
| 3. The product is developed with an assumption that something
| _outside_ the product is supposed to provide security. For
| example, the Go.CD devs (excellent product otherwise) scoffed
| at the idea of improving their crappy password hashing
| (single round of SHA256 with no salt IIRC), instead
| suggesting that I should wrap the service in some other,
| safer authentication mechanism.
| 1023bytes wrote:
| Perhaps yet another unsecured MongoDB?
| thepasswordis wrote:
| So this is definitely going to be used for character
| assassinations right?
| scrps wrote:
| >The researcher considers this data leak to be serious,
| considering watchlists can list people who are suspected of an
| illicit activity but not necessarily charged with any crime.
|
| "In the wrong hands, this list could be used to oppress, harass,
| or persecute people on the list and their families."
|
| I'd imagine being on a list that limits your personal freedom
| without being charged with a crime and convicted falls pretty
| squarely within the definition of being oppressed & persecuted
| before even considering any second order effects of the list
| being leaked.
| sschueller wrote:
| The list should be public or at least I should have the right
| find out if I am on that list.
| MeinBlutIstBlau wrote:
| You can request if you're on the TSA no fly list iirc.
| brokenmachine wrote:
| Wouldn't you find out if you tried to book a flight?
| MeinBlutIstBlau wrote:
| sorry...I mean TSA watch list. But yes you're right haha.
| imglorp wrote:
| Book or board? The difference is you bought the tickets
| in one case and might not get the money back.
| tom7 wrote:
| It leaked so hard that nobody outside of mainstream media saw it.
| You people are idiots.
| r1ch wrote:
| It's amazing how many hacks and data breaches all come down to
| dangerous default settings. Elasticsearch defaulted to no
| security, anyone hitting the IP has full access to the cluster.
| MongoDB is another infamous example. Even today, one of my sites
| is being DDoSed by a bunch of 2007-era Ubiquiti network devices
| which use ubnt / ubnt as the root login and naturally got exposed
| to the internet. Bad defaults linger for a long time.
| londons_explore wrote:
| With 1.9 million people, there must be plenty of people here whose
| data is in this list.
|
| Any of you care to comment?
| _moof wrote:
| "In the wrong hands, this list could be used to oppress, harass,
| or persecute people on the list and their families."
|
| Teetering on the brink of an epiphany.
| dane-pgp wrote:
| The person who you're quoting is likely a "SelfAwarewolf":
|
| "A person who, when trying to criticize those who match a
| certain description, fails to realize that they have (in the
| process of criticizing others) revealed themselves to match the
| exact same description"
|
| https://neologisms.rice.edu/index.php?a=term&d=1&t=24708
| afrcnc wrote:
| Source of this convoluted blog spam:
| https://www.linkedin.com/pulse/americas-secret-terrorist-wat...
| criticaltinker wrote:
| _> [cybersecurity researcher Bob Diachenko] was able to find
| about 1.9 million records detailing individuals' no-fly statuses,
| full names, citizenship, genders, passport numbers, and more. _
|
| _> "it seems plausible that the entire list was exposed" _
| thepasswordis wrote:
| Suggestion:
|
| Take the Facebook leak from earlier. Create hundreds of
| collections of 1.9M people. Release it to the dark web.
|
| Just flood the zone with noise. FBI can still keep their list
| (and know it's legit), and people's privacy will be ensured.
|
| Otherwise this is going to 100% get integrated into various
| social credit systems we have in the US.
| trident5000 wrote:
| Once government agencies are given approval from congress they
| typically have very little oversight from that point on including
| from congress. It's why we get abusive behavior from so many of
| them.
|
| NSA: Prism
|
| DEA: Asset forfeiture
|
| FBI/CIA: Abusing fisa and using five eyes to spy domestically
|
| IRS: Political targeting
|
| etc etc etc
| giantg2 wrote:
| ATF: Approving background checks on known traffickers and
| continuing to sell them guns even after there were concerns
| they couldn't track the weapons. (And ruby ridge, and waco... )
| tester756 wrote:
| Why does "misconfigured" Elasticsearch appear as the reason this
| often?
| Saris wrote:
| It has no authentication by default, and it listens on all
| interfaces instead of just localhost by default.
|
| I used it for a while at home for a project, and setting up
| auth was quite a process, very difficult compared to most other
| databases.
| kieselguhr_kid wrote:
| By default, Elasticsearch is unsecured. If you manage your own
| ES cluster, you have to go through a few steps to secure it
| manually. Lots of people either don't know/don't care about
| this though, so they regularly expose their data to the whole
| internet.
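The two defaults the replies above complain about (r1ch, Saris and kieselguhr_kid: no authentication, and a node that answers on a non-loopback interface) are easy to check for mechanically. The script below is an added example, not code from the article, the thread or Elastic. It audits an elasticsearch.yml read into a dict of dotted keys, and classifies what a scanner sees when it fetches `GET /` on the HTTP port (9200 by default) and, on an open node, `GET /_cat/indices?format=json`. One version caveat worth knowing before blaming the defaults: since Elasticsearch 2.0 an unset `network.host` means loopback only, and since 8.0 `xpack.security.enabled` is on by default, so the exposed clusters in breach reports are almost always a self-managed 5.x/6.x/7.x node where someone set `network.host` to `0.0.0.0` or `_site_` to make it reachable and never turned security on. The sample configs and HTTP bodies at the bottom are constructed for the example; the treatment of interface names such as `_eth0_` as exposed is this example's assumption.

```python
"""Offline checks for the two Elasticsearch defaults under discussion:
binding beyond loopback, and running with no authentication.
Added example; not code from the article or from Elastic."""
import ipaddress
import json

# Values network.host accepts that mean "loopback only" vs "everything".
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}
WILDCARD_ALIASES = {"_site_", "_global_", "0.0.0.0", "::", "0"}


def host_is_exposed(value):
    """True if one network.host entry binds something other than loopback."""
    value = str(value).strip()
    if value in LOOPBACK_ALIASES:
        return False
    if value in WILDCARD_ALIASES:
        return True
    try:
        return not ipaddress.ip_address(value).is_loopback
    except ValueError:
        # Interface names (_eth0_, _en0:ipv4_) or hostnames: this example
        # assumes they resolve to a routable address.
        return True


def audit_config(config):
    """config: elasticsearch.yml settings as a dict with dotted keys, the way
    the file is normally written, e.g. {"network.host": "0.0.0.0"}.
    Returns a list of findings; empty means neither weak default is present."""
    findings = []
    hosts = config.get("network.host")
    if hosts is not None:  # unset = loopback only on Elasticsearch >= 2.0
        if not isinstance(hosts, (list, tuple)):
            hosts = [hosts]
        exposed = [str(h) for h in hosts if host_is_exposed(h)]
        if exposed:
            findings.append("network.host binds non-loopback address(es): "
                            + ", ".join(exposed))
    security = config.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled not set (off by default before 8.0)")
    elif str(security).lower() == "false":
        findings.append("xpack.security.enabled is false: no authentication")
    return findings


def classify_probe(status, body, indices_body=None):
    """Classify the response to GET / on the HTTP port.
    status: HTTP status code; body: response text;
    indices_body: optional text of GET /_cat/indices?format=json.
    Returns (verdict, detail), verdict in {"open", "auth-required",
    "not-elasticsearch"}."""
    if status == 401:
        return "auth-required", "root endpoint answered 401"
    if status != 200:
        return "not-elasticsearch", "unexpected status %d" % status
    try:
        info = json.loads(body)
    except ValueError:
        return "not-elasticsearch", "root response is not JSON"
    if not (isinstance(info, dict) and "cluster_name" in info and "version" in info):
        return "not-elasticsearch", "root JSON lacks cluster_name/version"
    detail = "cluster %r, version %s" % (
        info["cluster_name"], info["version"].get("number", "?"))
    if indices_body is not None:
        # An unauthenticated node answers the cat API too; total up what is readable.
        indices = json.loads(indices_body)
        docs = sum(int(i.get("docs.count") or 0) for i in indices)
        detail += "; %d indices, %d documents readable without credentials" % (
            len(indices), docs)
    return "open", detail


# Constructed sample inputs for the example (not captured from any real host).
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                        "version": {"number": "7.10.2"},
                        "tagline": "You Know, for Search"})
OPEN_INDICES = json.dumps([{"index": "customers", "docs.count": "1900000"},
                           {"index": "logs-2021.08", "docs.count": "12345"}])
WEAK_CONFIG = {"network.host": "0.0.0.0", "discovery.type": "single-node"}
HARDENED_CONFIG = {"network.host": "_local_", "xpack.security.enabled": True}

if __name__ == "__main__":
    print("weak config:    ", audit_config(WEAK_CONFIG))
    print("hardened config:", audit_config(HARDENED_CONFIG))
    print("open node:      ", classify_probe(200, OPEN_ROOT, OPEN_INDICES))
    print("secured node:   ", classify_probe(401, '{"error":{"type":"security_exception"}}'))
```

Run it as-is to see the two configs and two probe outcomes classified; to use it on a real node, feed `classify_probe` the status and body from your own HTTP client, and `audit_config` a dict produced by a YAML loader (PyYAML keeps dotted keys as written). The `_cat/indices` total is the number a researcher would report as "records exposed", which is why the detail string carries it.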
| [deleted]
| mygoodaccount wrote:
| Did some perusing - can't find it anywhere you'd normally find
| these things. Let me know if anyone does!
| cyberlurker wrote:
| > "The terrorist watchlist is made up of people who are suspected
| of terrorism but who have not necessarily been charged with any
| crime," Diachenko wrote. "In the wrong hands, this list could be
| used to oppress, harass, or persecute people on the list and
| their families. It could cause any number of personal and
| professional problems for innocent people whose names are
| included in the list."
|
| I'm curious how many journalists are on the list. Now that we are
| pulling out of Afghanistan, we should reevaluate the other
| actions we took after 9/11. The patriot act deserves another look
| and possible edit.
| __blockcipher__ wrote:
| > The patriot act deserves another look and possible edit.
|
| Boy, that was the understatement of the year.
|
| The patriot act doesn't need an edit or another look. It needs
| to be completely abolished, yesterday.
| arthurcolle wrote:
| It expired already.
| plorkyeran wrote:
| Portions of it expired. Large parts did not.
| EGreg wrote:
| The PATRIOT act was largely the result of US foreign policy
| affecting domestic policy and erosion of civil liberties:
|
| https://magarshak.com/blog/?p=349
|
| In an ideal world, we'd be constantly re-evaluating both
| foreign and domestic policies, but will we?
|
| Remember this signed by Obama: https://www.aclu.org/press-releases/president-obama-signs-in...
|
| And he was not able to even close down Gitmo
| lostlogin wrote:
| > "In the wrong hands..."
|
| It's in the wrong hands already - the wrong hands made the
| list, and there are plenty of examples of what has happened to
| various misidentified people over the years.
| beambot wrote:
| > The terrorist watchlist [...] could be used to oppress,
| harass, or persecute people on the list and their families.
|
| So... what was it actually used for? Wasn't this the same list
| that results in extra scrutiny at airports & whatnot --
| wouldn't that count as harassment?
| staticautomatic wrote:
| Yeah it's already used for that purpose...by the government.
| ashtonkem wrote:
| Given the history of the FBI deciding that journalists and
| activists are actually terrorists to be suppressed? Probably
| quite a few.
| flatiron wrote:
| Wouldn't that be hard in practice though? Journalists
| typically have to travel for work so it would soon be
| apparent. And if they work for a big media outlet would be
| instantly litigated.
| ashtonkem wrote:
| This is the terrorism watch list, not the no fly list. Any
| of us could be on that list and it would take a while for
| us to know.
|
| The no fly list is much smaller, and far less ambiguous in
| its impact. You're on that, you'll find out the first time
| you try and fly.
| justinzollars wrote:
| I'm curious about this list too. For example are Islamic people
| I know on it? There are never any details on how to access
| these lists. The article could be fake for all I know.
| programmarchy wrote:
| I thought that the Patriot Act was not renewed as of December
| 2020. It failed to pass in the Senate because Trump threatened
| a veto. [1]
|
| [1] https://en.wikipedia.org/wiki/Patriot_Act#cite_note-256
| rolph wrote:
| This suggests many of the processes that have become
| constitutive due to the Patriot Act maybe are still occurring
| outside of a legal framework. It seems the Patriot Act is still
| in the system even if not renewed.
| ipaddr wrote:
| Interesting no one reported this. Either everyone missed this
| or it is still in place.
| A4ET8a8uTh0 wrote:
| Short answer, its spirit lives on. Not to search very far,
| FinCEN did not stop contacting financial institutions for
| 314(a) compliance.
|
| https://www.fincen.gov/sites/default/files/shared/314afactsh...
| datavirtue wrote:
| I'm on a huge greenfield application project at a major
| bank to collect and send Patriot Act mandated information
| to FinCEN. The Patriot Act expiring did not even come up
| and I had no idea it expired. I thought it was a shoo-in
| for rubber stamping.
| MichaelApproved wrote:
| EFF reported on it.
|
| https://eff.org/deeplinks/2020/12/section-215-expired-year-r...
|
| > _" On March 15, 2020, Section 215 of the PATRIOT Act--a
| surveillance law with a rich history of government
| overreach and abuse--expired due to its sunset clause.
| Along with two other PATRIOT Act provisions, Section 215
| lapsed after lawmakers failed to reach an agreement on a
| broader set of reforms to the Foreign Intelligence
| Surveillance Act (FISA)."_
| LeifCarrotson wrote:
| In their defense, there has been an awful lot going on.
|
| The EFF reported on the expiration in the brief window when
| there were no authorizations:
|
| https://www.eff.org/deeplinks/2020/04/yes-section-215-expire...
|
| It's being reintroduced as the equally doublespeak "USA
| FREEDOM Reauthorization Act":
|
| https://www.congress.gov/bill/116th-congress/house-bill/6172
|
| I'd be interested to know if any behavior was changed
| during the few weeks that the permissions were not covered
| by either law.
| adventured wrote:
| To be fair, they do have to reauthorize the Freedom
| Unmitigated Bill for Appropriations Reconciliation
| Defense act every year or we're not allowed to leave our
| homes. Those F35-Liberty planes aren't going to pay for
| themselves.
| vmception wrote:
| This is the second backronym pun I've seen today, what's
| going on?
|
| _rate-limit edit:
|
| I don't think Baader-Meinhof applies when I already know
| what a backronym is and also have to extrapolate the
| first letter of all the words to get the joke.
|
| Was there a show or pop culture thing that has people
| leaning towards this joke?
|
| If anything, this could be a perceptive bias where I am
| forcing meaning into something, but a FUBAR Defense Act
| is exactly what that poster was going for. Who knows
| about the other one I saw earlier._
| vlovich123 wrote:
| Likely just the Baader-Meinhof phenomenon[1]. Interestingly,
| I think that phenomenon ignores the superset of when you
| actually had seen something multiple times before but for
| whatever reason started noticing the frequency more
| frequently (eg you've seen backronyms before, but you're
| happening but your brain has decided to notice them more
| because maybe you saw them in quicker succession than
| you're used to).
|
| [1] https://en.wikipedia.org/wiki/Frequency_illusion
| adamrezich wrote:
| definitely interesting but certainly unsurprising
| lancemurdock wrote:
| > The patriot act deserves another look and possible edit.
|
| once you give the gov power, it is never given back to the
| people.
| syrrim wrote:
| Didn't the patriot act expire without renewal?
| dopamean wrote:
| It did.
| weaksauce wrote:
| huh interesting. So is it basically gone then or were there
| any permanent things that came from it?
| giantg2 wrote:
| Some things were made permanent under subsequent laws (or
| at least extended). For example, financial reporting for
| people depositing "large" amounts of cash. I think it
| started out at $10k under the patriot act. Now I think it's
| $5k. That is a good bit of cash, but it could easily be
| made selling a used car or something.
| silisili wrote:
| Unless it changed very recently, I'm pretty sure it's
| still 10k.
| jellicle wrote:
| 90% of the Patriot Act was permanent law and is law today.
| A few of the most objectionable parts had "sunset"
| provisions in them and those (after several rounds of
| modifications and numerous extensions) are what has,
| finally, been allowed to expire. Most of the provisions of
| the Patriot Act are in effect today and will be until a
| future Congress changes them.
| pessimizer wrote:
| You mean being put on a restricted rights/law enforcement
| attention list with no due process? Definitely. I hate to be
| the slippery slope guy, but this began with gang affiliation
| lists.
|
| https://blockclubchicago.org/2021/07/28/police-gang-database...
|
| https://www.tampabay.com/news/publicsafety/crime/police-gang...
|
| https://www.avvo.com/legal-answers/i-was-put-on-the-gang-lis...
|
| https://www.policemag.com/340392/identifying-and-documenting...
| andai wrote:
| The slope to totalitarianism is always slippery.
| vmception wrote:
| Its not a slippery slope when we've been at the bottom of the
| slope your whole life
| pessimizer wrote:
| The people on the bottom of the slope are the people on the
| lists. As they grow to 1.9MM people.
| tinalumfoil wrote:
| > but this began with gang affiliation lists
|
| Civil courts have been able to exercise significant control
| of your life, including extended imprisonment without due
| process, for longer than these lists have been in effect.
| Frankly Americans have a lot fewer rights than they think
| they have, including the non-right of due process for being
| on a government list.
|
| Edit: To pre-empt some comments I know are coming, civil
| courts do not require due process in the way you probably
| think of due process: a civil court can act against you
| without giving you representation, without allowing you to
| have representation, without you present, in secret from the
| public, and even without notifying you
|
| EDIT2: While I'm soapboxing I'll note the power the civil
| court has over you isn't much different than the power three-
| letter agencies have over you (since they are usually given
| very broad mandates), it's just that civil courts have been
| around so much longer it's a good retort to people thinking
| they used to have rights. Whatever three-letters can't do to
| you is generally picked up by similar state agencies.
| vmception wrote:
| I've never had a good experience "pre-empting" comments
| that will inevitably be used to derail your thread.
|
| In any case, I was mostly thinking that it has to be a form
| of privilege to feel like a particular slippery slope
| hasn't happened yet. I think about how the word "privilege"
| is used, and its more like "exemption from some
| inconveniences that aren't obvious". Your post about people
| not noticing that civil courts and agencies have these
| power over assumed rights is a decent example of that.
| giantg2 wrote:
| "Frankly Americans have a lot fewer rights than they think
| they have"
|
| Very true
| owl_troupe wrote:
| > a civil court can act against you without giving you
| representation, without allowing you to have
| representation, without you present, in secret from the
| public, and even without notifying you
|
| While there is no right to be afforded free legal
| representation in civil court in most US jurisdictions
| (some do) and a civil court can render rulings and
| judgments against parties who are not represented by
| counsel, a civil court cannot prohibit a party from having
| legal representation, which is what your comment seems to
| suggest.
|
| A civil court can render a ruling against a party if the
| party is not present, but it will typically go to great
| lengths to ensure that notice is given to parties before
| doing so (pleadings served to last address by process
| server, notice published, etc.). There are typically strict
| requirements that have to be met before civil court can
| render a ruling or judgment without a party present,
| especially where there is no indication that the party has
| received notice first.
|
| A lot of anecdotes about drastic judgments and rulings
| being handed down by civil courts happen when parties
| ignore notice of the proceedings. There are a lot of rules
| for handling cases in civil court and they are grounded in
| the constitutional right to due process. Notice and due
| process are taken really seriously in most US
| jurisdictions. Federal Courts are especially strict about
| following the rules.
|
| https://www.law.cornell.edu/rules/frcp
| tinalumfoil wrote:
| > a civil court cannot prohibit a party from having legal
| representation, which is what your comment seems to
| suggest.
|
| > https://www.law.cornell.edu/rules/frcp
|
| This is a good point for federal cases, but I meant my
| comment to cover civil action in state courts too. These
| are the courts that are most likely to affect someone's
| life. For instance in California small claims courts you
| are not allowed to be represented.
| Spooky23 wrote:
| That's by design to make justice more accessible. IIRC,
| you can petition the judge to adjourn the case and move
| it to normal court.
|
| Also, I believe in small claims as a defendant you can
| appoint an attorney to represent you. I sued a tow
| operator in small claims court and the dude who showed up
| was definitely an attorney.
| giantg2 wrote:
| "A civil court can render a ruling against a party if the
| party is not present, but it will typically go to great
| lengths to ensure that notice is given to parties before
| doing so"
|
| In many types of cases, but not all. Protection from
| abuse order hearings generally happen without the
| knowledge of the target of the order.
| dillondoyle wrote:
| plus even more relevant to HN is when authorities are using
| algorithms as a scapegoat. we probably know what will happen
| when they start using black box ML with a ton of bias baked
| in.
|
| There is a scary (gross in my mind) story that reports on
| some dystopian pre-crime Minority Report Sheriff targeting
| kids.
|
| Looks like the court case is in process, though not sure why
| court didn't immediately shut it down pending trial given how
| (to my non-lawyer brain) this seems that plaintiffs will
| almost definitely prevail given clear violations of multiple
| Amendments.
|
| From the reporting: "Over the span of five months, police
| went to his home 21 times. They also showed up at his gym and
| his parent's place of work. The Tampa Bay Times revealed that
| since 2015, the sheriff's office has made more than 12,500
| similar preemptive visits to people.
|
| These visits often resulted in other, unrelated fines and
| arrests that further victimized families and added to the
| likelihood that they would be visited and harassed again. In
| one incident, the mother of a targeted teenager was issued a
| $2,500 fine for having chickens in the backyard. In another
| incident, a father was arrested because his 17-year-old was
| smoking a cigarette. These behaviors occur in all
| neighborhoods, across all economic strata--but only
| marginalized people, who live under near constant police
| scrutiny, face penalization."
|
| https://projects.tampabay.com/projects/2020/investigations/p...
|
| https://ij.org/press-release/pasco-families-win-round-one-in...
| vkou wrote:
| > You mean being put on a restricted rights/law enforcement
| attention list with no due process?
|
| What novel 'due process' do you believe is necessary for the
| police to _unintrusively_ start investigating someone?
|
| We already require judge-issued warrants for _intrusive_
| investigations (Searching your things, tapping your phone
| lines, arresting you, etc).
|
| I don't believe there's any country in the world that
| requires a judge to review the police putting you on a list
| as a person of interest. I am no legal scholar, so I should
| probably cut myself off right here - but do you not think
| that perhaps, there is a valid reason for this? You're
| inventing novel legal practices without precedent, here.
| pessimizer wrote:
| If I, as a police department, put you on a secret list of
| possible pedophiles based on the fact that we saw you
| speaking to another person on that list, noticed you in a
| board game store patronized by many local young Magic: The
| Gathering fans, you were single with no children, and you
| were the brother of someone who once dated the sister of
| the cop who put you on the list, would you have a problem
| with that?
|
| What if we weren't allowed to confirm or deny you were on
| the list, except to a prospective landlord or employer who
| filled out a form?
|
| What if there were no way to find out those were the
| reasons I put you on the list, and no appeals process to be
| removed from the list?
|
| What if you couldn't prove standing in court because there
| was no legal way to prove you were on the list at all
| without a friendly judge?
|
| > You're inventing novel legal practices without precedent
|
| Which is why people are forced to rely on the racial makeup
| of these horrifying lists in order to challenge them. The
| problem becomes a lot clearer if your local police force
| makes up a list of all Jews in the neighborhood (whatever
| criteria they decide to use, i.e. "valid reason") for
| special treatment.
|
| edit: and, of course, what if the list leaks, and is used
| as an automated first step for disqualification by
| employers and landlords for the rest of your life?
| vkou wrote:
| Would I have a problem with being on a list that, from my
| perspective, I can't tell the difference between being on
| it, and not on it?
|
| I don't know, I wouldn't be able to tell. If a tree falls
| in the forest, and nobody's there to hear it, does it
| matter to anyone whether it makes a sound?
|
| > What if we weren't allowed to confirm or deny you were
| on the list, except to a prospective landlord or employer
| who filled out a form?
|
| You're swinging at strawmen. Nobody in this thread is
| defending intrusive lists.
|
| For some reason, though, you are conflating unintrusive
| lists (Which don't require oversight anywhere in the
| world) with intrusive lists (Which do require oversight
| in... well-governed parts of the world).
|
| Do you have arguments against the former? I'm not
| interested in being convinced that the latter are bad,
| I'm already convinced that they are bad.
|
| > edit: and, of course, what if the list leaks, and is
| used as an automated first step for disqualification by
| employers and landlords for the rest of your life?
|
| If there's an unholy decades-long alliance between the
| FBI, the background check bureaus, and millions of
| employers and landlords, that neither my federal, state,
| or municipal government is interested in doing anything
| about, I think my main problem is not 'the FBI has a
| list'. I think my main problem is 'My society, on every
| imaginable level, is broken.'
| salawat wrote:
| >Would I have a problem with being on a list that, from
| my perspective, I can't tell the difference between being
| on it, and not on it?
|
| >I don't know, I wouldn't be able to tell. If a tree
| falls in the forest, and nobody's there to hear it, does
| it matter to anyone whether it makes a sound?
|
| Spoken like someone who hasn't had the long arm of the
| law drop in on them before, or a person who "doesn't care
| about that liberty anyway, so why not vote it away?"
|
| Just because you don't see the problem doesn't mean it
| isn't there. Just because you didn't see the tree fall,
| doesn't mean the world is unaffected. These are concepts
| 3-4 year olds manage to divest themselves of once they
| grasp the permanence of objects. Just because you don't
| get much out of a liberty doesn't mean that it's cool to
| force the loss of it on somebody else. Liberty is to be
| treasured and protected. The selective relinquishment,
| revocation, or limiting of one for anyone should be a
| Big. Frigging. Deal.
|
| The fact people are so cavalier with whisking away the
| freedoms that underpin American Civil Life on mere
| suspicion of something that the State is not even
| required to be transparent about should disturb
| everybody.
| octaonalocto wrote:
| Your tone is inappropriate, please try to make your point
| without implying GP is dumber than a third grader. It
| implies malicious intent and is bad for discussion.
| isoskeles wrote:
| I don't understand this response. He was told it was a
| "secret list." Why would you take such a tone in response
| to him saying he might not have a problem since he
| doesn't know about the list? It's a hypothetical about a
| secret list, and since he doesn't immediately agree with
| the conclusion, you browbeat him about not having the
| long arm of the law drop down on him, etc.
|
| More importantly, this:
|
| > Spoken like someone who hasn't had the long arm of the
| law drop in on them before, or a person who "doesn't care
| about that liberty anyway, so why not vote it away?"
|
| Who are you quoting here? No one said this at all.
|
| I'm actually disgusted by your comment and the logic you
| present in it.
| RHSeeger wrote:
| The problem is when that list is used to prevent you from
| accessing common services, like fly on planes.
|
| Edit: Because people assumed I was talking about the no-fly
| list specifically; I'm not. The terror watch list also
| winds up being used to cause problems for people.
|
| From: THE PROGRESS AND PITFALLS OF THE TERRORIST WATCH LIST
| By: COMMITTEE ON HOMELAND SECURITY
| https://www.govinfo.gov/content/pkg/CHRG-110hhrg48979/html/C...
|
| > Inaccurate watch list information also increases the
| chances of innocent persons being stopped or detained
| because of misidentification.
|
| A page by the ACLU goes into some detail.
| https://www.aclu.org/other/us-government-watchlisting-unfair...
|
| That list, and others, are not innocent "we're just keeping
| an eye on these people" lists. Their use causes serious
| harm.
| AnimalMuppet wrote:
| Except that, if I understand correctly, this is _not_ the
| no-fly list. So...
| vkou wrote:
| Yes, that is a problem. But that's not what the parent
| poster is talking about. It's absolutely irrelevant to
| this conversation.
|
| The parent poster takes issue with the fact that an
| unintrusive person of interest list exists, and wants
| oversight on it. This is an absolutely unprecedented
| legal take.
|
| It doesn't help that they are conflating the two (one of
| which is, at a first glance reasonable, and the other is
| not), when they are not the same thing. All that does is
| muddy the waters.
| __blockcipher__ wrote:
| There's no such thing as an "unintrusive" list. They make
| the lists for a reason.
| vkou wrote:
| If that's the case, you should have no trouble answering
| two simple questions:
|
| 1. What do you think happens to people on it?
|
| 2. Which of those actions should require judicial
| oversight, but currently don't?
|
| So far, the only answers to those questions in this
| thread have been 'imagine if...' tangents. I don't need
| to imagine strawmen, I'd like to know what is _currently_
| wrong.
|
| Imagining disasters is how we're in this mess, I'd like
| to know what the actionable problem is.
| RHSeeger wrote:
| > Imagining disasters is how we're in this mess
|
| I posted some links in my original comment that talk
| about specific problems. That being said, "allowing those
| in authority to do things that could be used
| inappropriately... and then it turning out that they did
| exactly that" doesn't require ANY imagination. The US
| government engages in such behavior on a daily basis.
| vkou wrote:
| Please note the four demands the ACLU makes in the
| publication you linked.
|
| None of them demand that police lists should not exist,
| or that judicial oversight should be necessary to put a
| person on one.
|
| Instead, they demand that:
|
| 1. The lists be accurate.
|
| 2. The lists be accurate.
|
| 3. Allowing people to contest them on a case-by-case
| basis.
|
| 4. To not blacklist people from employment based on them.
|
| The ACLU seems to be in agreement with me.
| godelski wrote:
| Worse than that, sometimes these intelligence agencies create
| said terrorists.
|
| > Of these defendants caught up in FBI terrorism sting
| operations, an FBI informant was the person who led one of
| every three terrorist plots, and the FBI also provided all of
| the necessary weapons, money, and transportation.
|
| I'm sure such a thing is something no American would agree
| with. I wouldn't be surprised if similar actions were
| happening at all levels (gangs to terrorists). I'm sure this
| also isn't isolated to America either, as it appears to be
| the incentives that causes this and how we measure success
| (i.e. how many criminals are caught).
|
| These conversations are extremely complex. But I think we
| need large social discussions about how to actually solve
| crime and prevent animosity in the world. I think it is time
| for a big rethink. If there's 2 million people on a list, I'm
| not sure that list is very effective. It's like looking for
| needles in a haystack by adding more hay.
|
| [0] https://www.brandeis.edu/investigate/government-corporate-wr...
| frickinLasers wrote:
| > I think it is time for a big rethink.
|
| I'm in. Where's the convention, and how do we get our idiot
| representatives to play along?
| godelski wrote:
| Here are my positions, but of course I'm open to other
| opinions. I wrote a big list and I realized I could
| distill a lot of my ideas. For one I'm a big fan of STAR
| and Approval voting. We've seen over a hundred years of
| ordinal methods in various countries (including America)
| and seen the failure. Time to move to what the experts
| are suggesting. Which brings me to the second point. Lots
| of these topics are extremely complex and contain a lot
| of nuance. Us non-experts can see a high level but
| sometimes these nuanced points matter a lot. So let's not
| be so aggressive in asserting how right we are. Also, we
| need to focus on unity. Mic drops and calling people
| names doesn't help us. We need nuanced and calm
| conversations. Our fellow citizens, no matter how crazy
| their beliefs, are not our enemies. Don't dehumanize
| people, that's divide and rule. Lastly, we need to stay
| focused. I think there is a new thing to be outraged
| about every other day. Let's talk about what the big
| important problems are and focus on those first. Let's
| recognize that doing so isn't dismissing the other
| problems. We only have so much bandwidth. Right now we
| have no such priority list, we're just jumping from thing
| to thing. Solving problems takes time (a thing we often
| forget). If our attention to the problem is shorter than
| the time it takes to solve the problem then we will never
| solve these problems.
|
| Edit: One thing I wanted to add is that we can have
| different groups focus on different things. It's not a
| zero sum game. This is because not everyone is an expert
| in everything, and thus the utility they contribute isn't
| the same as every task they contribute to.
| arminiusreturns wrote:
| You refuse the two party system and work on a third party
| geared towards pre-emptive avoidance of the corruption
| mechanisms that got the two big ones. Do that at the
| local and state level first, attacking gerrymandering and
| other incumbent favoring electoral manipulation methods
| to weaken the two party strangle hold, such as heavy
| petitioning and lobbying to force state Secretaries of
| State to fix election laws.
|
| Until we the people are actually represented in the
| legislative branch nothing fundamental will change. Being
| that the other branches are largely unaccountable to the
| citizenry, the legislative branch is the logical entity
| to focus on (and the fourth estate, heavily under attack
| by the executive et al)
| frickinLasers wrote:
| There have been many third parties, and I'm not aware of
| any that have achieved even middling success ( _maybe_
| Libertarian?) since I've been alive. How would this
| party fare any better?
| not2b wrote:
| Under the US system as it is, with first-past-the-post
| voting and all votes for a state going to the
| presidential candidate who got the most, a third party
| can't gain any traction. Worse, third parties under the
| US system are another vehicle for corruption (example:
| Republicans paying fees and collecting signatures to get
| Greens on the ballot to divide the left vote and get a
| Republican in office, though this problem could be fixed
| with some form of instant runoff). You'd need
| constitutional reform.
|
| While imperfect, I think that German electoral system is
| much better. Any party that gets 5% or more of the vote
| is guaranteed fair representation, gerrymandering isn't a
| possibility.
|
| However, in a multiparty system deals still have to be
| struck to put together governing coalitions, so a party
| that insists on being purist is likely to be shut out.
| dane-pgp wrote:
| > to get Greens on the ballot to divide the left vote and
| get a Republican in office
|
| If people are serious about voting reform (and they
| should be) then this "spoiler effect" can be weaponized:
| start a grassroots campaign to vote third party until the
| Democrats support changing the voting system at the state
| level (and vote in primaries for Democrats who support
| this change).
|
| This may lead to a few tight state races being lost, but
| that means that only a small percentage of the population
| would be enough to get the Democrat party officials to
| take notice. To make the signal even more clear, the
| third party chosen should be one that focuses as narrowly
| as possible on voting reform, such as the Alliance
| Party[0], which may also encourage some disgruntled
| Republicans to temporarily lend their votes, whereas they
| would be more reluctant to support the Green Party, for
| example.
|
| Of course there is a danger that voting reform would get
| portrayed as a pro-Democrat policy (if it isn't already),
| but once enough Republicans (in majority Democrat states)
| have experience casting their ballot in a more expressive
| and representative system, it will be harder for
| Republicans in other states to oppose it.
|
| [0] https://www.theallianceparty.com/political_reform
| amznthrwaway wrote:
| The third party would need to get local traction first.
| This is the best way forward on a number of dimensions,
| but most third party candidates go national instead,
| because while it cannot effect change, it is
| substantially more profitable.
| godelski wrote:
| Honestly voting is high on my priority list. The reason
| is because I believe that voting will have a lot of
| downstream effects. It will make a lot of other things
| easier. But I don't believe we should be trying to change
| things at the national level at this point (that's down
| the line). I think we should be trying to implement
| systems like STAR and Approval at local levels. City,
| County, State. We know that these are the systems the
| experts are suggesting. So let's stop doing the same
| experiment we've seen fail a hundred times. And while the
| dragon is the end goal, if we can't defeat the low level
| monsters it would be insane to go fight the final boss.
| some_hacker_55 wrote:
| So status quo then.
|
| Cmon hackers, think harder...
| pibechorro wrote:
| Edit?
| pibechorro wrote:
| Edit? Cancel it entirely.
| gjsman-1000 wrote:
| Just an hour ago I was having a dialogue with someone on Hacker
| News saying we needed a national ID system after the T-Mobile
| hack. I said that the US Government should not be trusted to be
| any more secure than T-Mobile with such a system.
|
| I rest my case.
| jackson1442 wrote:
| We already have a national identity card- the social security
| card. Problem is, it's absolutely terrible at being an ID card,
| so we should replace it with something more secure that is
| purpose-built.
|
| If we're going to treat this magic number like a national ID
| number, the least we can do is buff it up a little.
| creato wrote:
| A national ID doesn't necessarily have data security
| implications any more than the current state-by-state DMV
| system does.
|
| The relevance of a national ID is (presumably) so that banks
| can check identity more reliably, i.e. making security breaches
| like the T-Mobile one irrelevant. It wouldn't matter if your
| SSN was public information.
| adolph wrote:
| > check identity more reliably
|
| Most states in the current system seem to have a crude
| biometric identity verification of a photo plus point in time
| stats of height/weight/coloring, all of which is nominally
| protected/validated by counterfeit protection. How would a
| national ID be any different?
| nautilius wrote:
| Do you have to have a 'crude state ID'? Is there any legal
| pressure to keep the data on it up-to-date? Are the
| standards for 'crude state IDs' identical between states or
| would you have to know the rules and regulations of 50
| different jurisdictions?
| jedimastert wrote:
| It's not like "the government" doesn't already have all of this
| information. Most information on an ID is OSI anyways. I can go
| from my name to everything on my state-issued license from
| public records.
| YeBanKo wrote:
| We already have a national id system. It's called a passport, a
| birth certificate, a DMV id or driver's license, a social
| security number. Those are all national id systems.
| jandrewrogers wrote:
| A passport and SSN are national IDs. Birth certificates and
| DMV docs are State IDs only.
| [deleted]
| Rd6n6 wrote:
| Wikipedia says the no fly list only had 47k people on it. The
| terror watch list had about 1.9M though, so this must be the
| terror watch list.
|
| 1.9M people is a massive number of people
|
| > The No Fly List is different from the Terrorist Watch List, a
| much longer list of people said to be suspected of some
| involvement with terrorism. As of June 2016, the Terrorist Watch
| List is estimated to contain over 2,484,442 records, consisting
| of 1,877,133 individual identities.
|
| https://en.m.wikipedia.org/wiki/No_Fly_List
| LeoPanthera wrote:
| Non-mobile URL https://en.wikipedia.org/wiki/No_Fly_List
| OJFord wrote:
| The submitted article does say watch list, it's just the title
| here that ~has~ had the error. (Editing it was fair enough IMO,
| at least to remove from 'and boy'...)
| tvirosi wrote:
| Or the 47k no fly number is just a lie
| jedimastert wrote:
| It's pretty easy to check, but I'm guessing it's just _far_
| easier to get yourself on the watch list.
| mrits wrote:
| Must be really annoying when your terrorist cousin comes
| over and uses your wifi on the holidays.
| [deleted]
| Joker_vD wrote:
| You know, I can understand why the Terrorist Watch List is secret
| -- but not why the No Fly list is. If there is a list that
| governmental agencies and/or commercial companies are _obliged_
| to check you're not on before providing you with their service,
| then _surely_ such list must be public or at the very least, one
| should be able to easily inquire about whether he/she is on it
| or not.
|
| For a related example, Russian government maintains a list of
| banned Internet resources. The list is not public -- at least in
| theory -- but there is an official web site where you can input
| a URL or a domain name and it would respond either with "no,
| it's not on the list", or with "yes, it's on the list, here's who
| ordered it and when".
| londons_explore wrote:
| Surely the easy way to check if a name is on the list is to
| book a flight in that name. If the booking gets rejected, it's
| on the list.
|
| Repeat for every name you want to check, and make use of the
| airlines free cancellation policy so you don't actually have to
| spend money.
| ch4s3 wrote:
| Sometimes they just turn people away at security without an
| explanation.
| datavirtue wrote:
| It's not a secret, just need-to-know basis.
| outworlder wrote:
| potato potato
| jl6 wrote:
| Would love to know how the FBI dealt with transliteration
| deduplication of non-Latin names, cf. the many spellings of
| Muammar Gaddafi. Although I guess they would just use whatever's
| on the passport?
| oa335 wrote:
| They didn't. I know of several people with an extremely common
| name (Basically Muslim equivalent of "John Smith") who were
| unable to fly or cross borders, even with the "Redress numbers"
| that they are supposed to give out in case of mistaken
| identity.
| ransom1538 wrote:
| Can someone post the list?
| dukeofdoom wrote:
| So basically a list of Trump supporters. Well known for their
| opposition to COVID measures, and claims of election fraud, and
| belief that Trump can be reinstated.
| c3534l wrote:
| What makes you say its a list of Trump supporters?
| dukeofdoom wrote:
| They build a fence around the capital to protect against
| them.
|
| Since there's no way there are actual 1.9 million terrorists
| in the US. 1.9 million/326 million is about 1 person out of
| 200 on that list.
|
| In all likelihood, it's just a list composed of people in
| opposition to government.
|
| Can't be many BLM protestors, and leftists, since government
| is flying their flags. Simple deductive reasoning will get
| you to that this list is mostly Trump supporters from his
| populist movement.
|
| Just read the latest Terrorism Threat bulletin from DHS. Then
| visit Gab.com, if you have any doubts on the overlap.
|
| Summary of Terrorism Threat to the U.S. Homeland
|
| https://www.dhs.gov/ntas/advisory/national-terrorism-
| advisor...
| sunshineforever wrote:
| It's so ironic that you think they are falsely putting
| right-wing people on the list when historically it has been
| leftists to receive such treatment.
| jjulius wrote:
| You could've distilled your answer to the question by
| simply saying, "Pure speculation based on a faulty
| assumption that only US citizens are on this list".
| wolverine876 wrote:
| And the falsehood that government only puts people with
| right-wing beliefs on watchlists.
| c3534l wrote:
| So are you saying you're just guessing because you believe
| the government has it out to get Trump supporters? If, it
| turned out, there was a similarly large number of people on
| the list prior to Trump's election, would that change your
| mind? I think the concern that an extra-judicial list this
| large certainly has the potential for abuse, and America's
| 3-letter agencies have historically used the auspices of
| national security to target and harass political opponents
| and personal enemies. However, you don't have any reason to
| suspect that this list contains that group specifically,
| right? Other than just some perceived marginalization by
| mainstream society, that is.
| tubbs wrote:
| The list is seemingly not just citizens of the United States.
| datavirtue wrote:
| Another Q drop.
| [deleted]
| nurgasemetey wrote:
| Out of curiosity, how can I search myself?
| nullc wrote:
| Leaks are for intelligence operatives to act with plausible
| deniability ("It was hackers!").
|
| They are not for you to use to create accountability by
| discovering inappropriate inclusions and demanding answers.
| [deleted]
| sergiomattei wrote:
| Yeah, I'm curious! I recall the NSA's XKeyscore was revealed to
| put Linux Journal readers in watch lists.
| krapp wrote:
| >I recall the NSA's XKeyscore was revealed to put Linux
| Journal readers in watch lists.
|
| No, it didn't.
|
| See this comment by grkvlt[0] and another debunking here[1]
|
| [0]https://news.ycombinator.com/item?id=12070156
|
| [1]https://blog.erratasec.com/2014/07/validating-xkeyscore-
| code...
| sergiomattei wrote:
| Thank you for the clarification! Did not know this.
| clipradiowallet wrote:
| Inquiring minds want to know
| hughrr wrote:
| Awaiting future headline _"Secret CSAM hash list leaks online"_.
|
| Keeping lists secret appears to be something the human race is
| really really bad at.
| raxxorrax wrote:
| It is amazing what the hunt for terrorism has done to modern
| countries. They only look fearful and weak, exactly what
| professional terrorists always wanted them to be.
|
| Anyone who knows bureaucratic behavior knows that even in the
| absence of real terrorists, people will find their way onto lists
| like these.
|
| I hope the lists will leak to a wide audience. Find the cases
| that are wrong and sue those responsible behind the desks. This
| is the only way this can stop.
|
| The website is extremely horrible. Did use a dev browser without
| adblock. Grave mistake.
| alexfromapex wrote:
| The fact this wasn't protected by a VPN is amazing
| ClumsyPilot wrote:
| As expected, it is only a matter of time until all the intensely
| private data collected by NSA and pals is leaked or stolen and
| used by criminals for fraud and extortion.
| loceng wrote:
| Or a list of allies and talent to hire or leverage.
| vmoore wrote:
| This. Eventually all sensitive data becomes concentrated enough
| that it becomes leakable material
| deadalus wrote:
| Usually by an insider.
| waynesonfire wrote:
| sounds like a use case for the BLOCKCHAIN!
| sneak wrote:
| The main databases the NSA has are far too large to be easily
| leaked.
|
| Even blueleaks was <1T (~300GB iirc) and many people had
| trouble downloading it. I am sure many IC databases are
| several hundreds or thousands of times larger even without
| indices.
|
| It's not like you could just throw up a 4000TB torrent for a
| 7z of all of the north american phone call metadata for last
| year.
| nonameiguess wrote:
| When I worked on the main NRO ground processing station for
| electro-optical collections, we were generating double-
| digit petabytes daily, and that was back in 2008. Don't even
| know what it's up to now.
|
| Not only is there no practical way for anyone other than
| maybe Google or CERN to download that much data, unlike the
| no-fly list, actual classified information isn't attached
| to any networks that can be accessed from outside of a
| secure facility. This means the only way to egress data is
| for an inside threat to copy it onto USB drives or possibly
| optical media, maybe steal hard drives. But there are
| pretty hard limits to what you can just bulk copy. It can't
| be much more than a person can hide in a bag.
| rsbrans wrote:
| I have a feeling this post may be agedlikemilk worthy in
| the not so distant future...
| BrandoElFollito wrote:
| Glad to see that CERN was mentioned, it is not that often
| that their IT resources are known (and they are huge)
| throwaway4688f wrote:
| Where is the torrent, dammit? Internet ain't what it used to be.
| TekMol wrote:
| What would happen if you put all these people together on an
| empty island?
| fouc wrote:
| who is John Galt?
| OneLeggedCat wrote:
| You'd have about 1.9 million people on an island, the vast
| majority of which are normal, average people.
| aaomidi wrote:
| They would be super confused since there are really no checks on
| who gets put on this list.
| int_19h wrote:
| What really bugs me about these lists isn't just that they exist,
| but that there's continuous clamoring to expand the scope in
| which they are applied. For example:
|
| https://www.theatlantic.com/politics/archive/2015/12/no-fly-...
|
| So, basically, politicians have found it to be a convenient tool
| to skirt due process concerns in general when pushing for their
| favorite agenda.
| sonicggg wrote:
| Where is this alleged list then? Very convenient that this guy is
| not disclosing a link to this supposed leak. I think someone
| wants notoriety.
| mygoodaccount wrote:
| It looks like it was "leaked", as in, publicly exposed server
| indexed by a few search engines. It's possible that this
| researcher was the only one to come across it, and reported it
| immediately. In which case it'll never see the light of day.
| serf wrote:
| "The exposed server was taken down about three weeks later,
| on August 9, 2021. It's not clear why it took so long, and I
| don't know for sure whether any unauthorized parties accessed
| it."
|
| three weeks open on the internet; it seems unlikely that no
| other party accessed it.
| tomc1985 wrote:
| Elasticsearch is like the security breach gift that keeps on
| giving...
| Saris wrote:
| It's crazy how many instances are set up to be accessible from
| the internet, but they don't bother to secure it.
| kieselguhr_kid wrote:
| I mean, the FBI should 1000000% know better than to expose
| their unsecured Elasticsearch cluster to the internet. While
| Elasticsearch should be more secure by default, I'd say the
| blame is much more on the agency.
| tomc1985 wrote:
| Has Elasticsearch done anything to fix its ridiculously bad
| lack of access control?
|
| People are fucking stupid, and expecting them not to fuck
| this up is a big ask. Too big, in fact.
|
| Secure by default or GTFO
| clipradiowallet wrote:
| Elasticsearch has nothing to fix - the product does
| precisely what the config tells it to. Maintainers of
| various distros ES packages are largely responsible for any
| [mis]configuration there.
|
| If you'd like to read _how_ you can secure ES, go do that:
| https://www.elastic.co/what-is/open-x-pack
|
| PS: x-pack is the piece that adds
| authorization/authentication to ES.
| altdataseller wrote:
| You can set up username and pass auth in newer versions of
| Elastic without paying for xpack (I think at version 6 or
| up?)
| kieselguhr_kid wrote:
| I think it's reasonable to expect the FBI to not expose
| this. I'm with you on Elasticsearch being too insecure but
| you're talking about secret government info. If they put
| that on the open internet that's a serious failure on their
| part and they'd have fucked it up with another tool if they
| weren't fucking it up with ES.
| twobitshifter wrote:
| It's not clear it was the FBI, the server was in Bahrain.
| This could be bigger than just an FBI screwup. Why is US SSI
| in an server in Bahrain?
| outworlder wrote:
| "Misconfigured Elasticsearch cluster"
|
| Doubly so. No passwords _and_ it was exposed. There's no real
| reason to ever directly expose a database to the internet for
| 0.0.0.0/0. Heck, there's no reason to expose to any routable
| address.
|
| Yeah sure zero trust or whatever. Still, why even risk it?
| Layers.
| Saris wrote:
| >There's no real reason to ever directly expose a database to
| the internet for 0.0.0.0/0
|
| And open the host firewall too, there were quite a few layers
| of absolute incompetence involved here!
| atonse wrote:
| This is what I came here to ask.
|
| How did this server even have a public IP?
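The subthread above makes two separate points: the cluster was bound to a routable address (outworlder's "0.0.0.0/0", atonse's "how did this server even have a public IP?") and it had no authentication (the x-pack / username-and-password exchange). The script below is an added example, not code from the article, from Elastic, or from anyone in the thread. It audits an elasticsearch.yml for exactly that combination: a non-loopback network.host with xpack.security.enabled missing or false. The two config strings are constructed for illustration, the parser only handles the flat `key: value` lines elasticsearch.yml normally contains (it is not a YAML parser), and treating a missing xpack.security.enabled as "off" is an assumption that matches the 7.x-and-earlier behaviour the thread is discussing, not the 8.x defaults.

```python
"""Flag an elasticsearch.yml that binds to a routable address without
security enabled. Added example, not Elastic's tooling; see lead-in."""

# Values of network.host that keep the node on loopback only. Assumption:
# this set covers the common spellings; _local_ is Elasticsearch's own
# loopback placeholder.
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}

# Constructed sample configs (not from the leaked server).
WEAK_CONFIG = """
cluster.name: watchlist
network.host: 0.0.0.0        # every interface, including the public one
http.port: 9200
# security features never switched on
"""

HARDENED_CONFIG = """
cluster.name: watchlist
network.host: [_local_, 10.0.0.5]   # loopback plus one private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Minimal parser for the flat `key: value` lines elasticsearch.yml
    normally uses. Comments are stripped, simple [a, b] lists are split,
    everything else is returned as a string. Nested YAML is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("'\"") for v in value[1:-1].split(",")]
            settings[key.strip()] = [v for v in items if v]
        else:
            settings[key.strip()] = value.strip("'\"")
    return settings


def _is_true(settings, key):
    # Assumption: a missing key counts as "false", the pre-8.x default.
    return str(settings.get(key, "false")).strip().lower() == "true"


def bind_addresses(settings):
    """network.host as a list; the Elasticsearch default is loopback."""
    host = settings.get("network.host", "_local_")
    return host if isinstance(host, list) else [host]


def audit(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    exposed = [h for h in bind_addresses(settings) if h not in LOOPBACK]
    if not exposed:
        # Loopback-only nodes are unreachable from the network, so the
        # remaining checks do not apply.
        return findings
    if not _is_true(settings, "xpack.security.enabled"):
        findings.append(
            "network.host %s is reachable from the network but "
            "xpack.security.enabled is not true: anonymous read/write "
            "of every index" % exposed
        )
    if not _is_true(settings, "xpack.security.http.ssl.enabled"):
        findings.append(
            "HTTP API bound to %s without TLS: credentials and documents "
            "travel in the clear" % exposed
        )
    return findings


def audit_text(text):
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or ["no findings"])
```

The bind-address check comes first on purpose: a cluster that only answers on loopback (or sits behind a host firewall that drops 9200/9300 from outside) is not saved by authentication, and one with authentication is not saved by a bad bind address either, which is the "layers" point made above.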
| WrtCdEvrydy wrote:
| I wonder if this will end up on haveibeenpwned?
|
| "The FBI leaked your name as a terrorist"
| tubbs wrote:
| That would be funny (I guess). At any rate, neither email
| addresses nor phone numbers were part of the leak.
| imglorp wrote:
| I would like to know if any grumbling about the agencies on
| social media--like this post--has landed me on the watch list.
| gjsman-1000 wrote:
| The freaking _FBI_ leaked your info. Not a stupid private
| organization. The _FBI_. And also, because the FBI doesn't
| tell people they are watching them, there was absolutely
| nothing - no product, no service - you could have just not
| signed up for to avoid this leak.
|
| What next, the IRS?
| nullc wrote:
| > What next, the IRS?
|
| Already happened: https://www.propublica.org/article/the-
| secret-irs-files-trov...
|
| They didn't disclose how many parties were included, but
| their description of their validation (they verified it
| against 60-some public figures who had separately disclosed
| their tax filings) suggests that it's probably a significant
| fraction of the US population.
| tomasreimers wrote:
| Yes, Equifax largely leaked many people's identity.
| goodluckchuck wrote:
| I wonder if we can even trust the CCP to not leak our party
| membership!?
| giantg2 wrote:
| OPM had a breach affecting 22M.
|
| https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme.
| ..
|
| Edit: why downvote?
| mike_d wrote:
| Did you miss the whole OPM shit show? But hey, at least you
| get 10 years of free credit monitoring!
| rdtsc wrote:
| Wonder if they did it on purpose. I can't figure out what the
| purpose might be - a whistleblower wanting to raise awareness
| about it and realizing they didn't want to have to relocate
| to Russia or say live an Ecuadorian embassy for years. Or, I
| can imagine, a rogue agent wanting to warn someone they are
| on the list without communicating with them privately, so
| there is no metadata linking them, and they "accidentally"
| leaked the whole list.
| [deleted]
| woodruffw wrote:
| > Additionally, the researcher noticed some elusive fields such
| as "tag," "nomination type," and "selectee indicator," that
| weren't immediately understood by him.
|
| I'm not sure about the others, but "selectee indicator" might be
| whether the individual is on the Selectee list used for SSSS
| flagging[1].
|
| [1]:
| https://en.wikipedia.org/wiki/Secondary_Security_Screening_S...
| Ceezy wrote:
| These people are morons! They claimed to be creme de la creme and
| watch. Few years ago they wanted to force Apple to create a
| "secure backdoor". Hope we gonna get more details.
|
| Sorry for the rant
| ClumsyPilot wrote:
| I wonder how many hacks happened purely because of these
| backdoors
___________________________________________________________________
(page generated 2021-08-18 23:00 UTC)