[HN Gopher] Terrorist watchlist exposed via misconfigured Elasticsearch cluster
Author : david_shaw
Score : 266 points
Date : 2021-08-16 17:37 UTC (2 days ago)
web link (www.bleepingcomputer.com)
| commandlinefan wrote:
| At least last time I looked at it, ElasticSearch is shockingly insecure by default (as are Mongo, Cassandra, Hadoop, and everything else that's popular in the relatively recent Java ecosystem).
| Saris wrote:
| It's crazy how much stuff is just no auth and listens on all interfaces by default.
| snarf21 wrote:
| Yeah, this is the same as Wi-Fi routers all being admin/password. They finally started assigning them random pwds. Why isn't secure by default chosen?
| l0b0 wrote:
| That's easy: perverse incentives.
|
| 1. Secure by default makes for a higher barrier to entry. It's human nature to want to keep barriers of entry low for your life's work. (I have similar thoughts around copyleft licenses being better for the users but hard to sell to the creators.)
|
| 2. Security is "available" to anyone savvy enough to clear all the hurdles to secure the system, so the creators feel justified to blame the user.
|
| 3. The product is developed with an assumption that something _outside_ the product is supposed to provide security. For example, the Go.CD devs (excellent product otherwise) scoffed at the idea of improving their crappy password hashing (single round of SHA256 with no salt IIRC), instead suggesting that I should wrap the service in some other, safer authentication mechanism.
| 1023bytes wrote:
| Perhaps yet another unsecured MongoDB?
| thepasswordis wrote:
| So this is definitely going to be used for character assassinations right?
| scrps wrote:
| > The researcher considers this data leak to be serious, considering watchlists can list people who are suspected of an illicit activity but not necessarily charged with any crime.
|
| "In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."
|
| I'd imagine being on a list that limits your personal freedom without being charged with a crime and convicted falls pretty squarely within the definition of being oppressed & persecuted before even considering any second order effects of the list being leaked.
| sschueller wrote:
| The list should be public or at least I should have the right to find out if I am on that list.
| MeinBlutIstBlau wrote:
| You can request if you're on the TSA no fly list IIRC.
| brokenmachine wrote:
| Wouldn't you find out if you tried to book a flight?
| MeinBlutIstBlau wrote:
| sorry...I mean TSA watch list. But yes you're right haha.
| imglorp wrote:
| Book or board? The difference is you bought the tickets in one case and might not get the money back.
| tom7 wrote:
| It leaked so hard that nobody outside of mainstream media saw it. You people are idiots.
| r1ch wrote:
| It's amazing how many hacks and data breaches all come down to dangerous default settings. Elasticsearch defaulted to no security, anyone hitting the IP has full access to the cluster. MongoDB is another infamous example. Even today, one of my sites is being DDoSed by a bunch of 2007-era Ubiquiti network devices which use ubnt / ubnt as the root login and naturally got exposed to the internet. Bad defaults linger for a long time.
| londons_explore wrote:
| With 1.9 million people, there must be plenty of people here whose data is in this list.
|
| Any of you care to comment?
| _moof wrote:
| "In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."
|
| Teetering on the brink of an epiphany.
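The "no auth, listens on all interfaces" point raised by commandlinefan, Saris and r1ch above, and the later remark that securing a self-managed cluster takes several manual steps, can be turned into a repeatable pre-deployment check on the node's elasticsearch.yml. The Python below is an added example written for this page; it is not code from the article, from the researcher, or from Elastic. The two sample configs are constructed, the setting names used (`network.host`, `http.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.transport.ssl.enabled`) are real Elasticsearch settings, and the flat `key: value` parser is a simplification that does not handle nested YAML blocks.

```python
"""Audit an elasticsearch.yml for the exposure pattern discussed in the thread:
an HTTP listener bound to a non-loopback address while authentication is off.
Added example; sample configs are constructed."""
from __future__ import annotations

import ipaddress
from typing import Dict, List

# Elasticsearch accepts these aliases for loopback-only binding.
LOOPBACK_ALIASES = {"127.0.0.1", "::1", "localhost", "_local_"}
# These bind to every interface or to a routable interface address.
WILDCARD_ALIASES = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines Elasticsearch uses.
    Assumption: nested YAML blocks are not handled by this simplified parser."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def bound_addresses(settings: Dict[str, str]) -> List[str]:
    """Addresses the HTTP listener binds to. http.host overrides network.host;
    a missing setting is reported as 'default' (version-dependent behaviour)."""
    value = settings.get("http.host", settings.get("network.host", "default"))
    value = value.strip("[]")  # allow the YAML inline-list form [a, b]
    return [v.strip().strip("\"'") for v in value.split(",") if v.strip()]


def is_non_loopback(addr: str) -> bool:
    """True when the address is reachable from beyond the host itself."""
    if addr in LOOPBACK_ALIASES:
        return False
    if addr in WILDCARD_ALIASES:
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # hostname or interface name: assume reachable


def audit(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    settings = parse_flat_yaml(config_text)
    findings: List[str] = []
    addrs = bound_addresses(settings)
    exposed = [a for a in addrs if a != "default" and is_non_loopback(a)]
    if "default" in addrs:
        findings.append("network.host/http.host not set: listener address depends on "
                        "the shipped default for your version; set it explicitly")
    if exposed and settings.get("xpack.security.enabled", "").lower() != "true":
        findings.append(f"listener bound to {', '.join(exposed)} with "
                        "xpack.security.enabled != true: unauthenticated network access")
    if exposed and settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled != true: credentials and "
                        "data cross the network in cleartext")
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0
discovery.type: single-node
"""

HARDENED_CONFIG = """
cluster.name: analytics
network.host: 10.0.5.12   # constructed private address behind a firewall
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run as a script it prints two findings for the weak config and none for the hardened one; wire `audit()` into a CI step so a node cannot ship with a routable bind address and security left off. The check is deliberately conservative: an unresolvable hostname or interface alias is treated as reachable rather than silently passed.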
| dane-pgp wrote:
| The person who you're quoting is likely a "SelfAwarewolf":
|
| "A person who, when trying to criticize those who match a certain description, fails to realize that they have (in the process of criticizing others) revealed themselves to match the exact same description"
|
| https://neologisms.rice.edu/index.php?a=term&d=1&t=24708
| afrcnc wrote:
| Source of this convoluted blog spam: https://www.linkedin.com/pulse/americas-secret-terrorist-wat...
| criticaltinker wrote:
| _> [cybersecurity researcher Bob Diachenko] was able to find about 1.9 million records detailing individuals' no-fly statuses, full names, citizenship, genders, passport numbers, and more._
|
| _> "it seems plausible that the entire list was exposed"_
| thepasswordis wrote:
| Suggestion:
|
| Take the Facebook leak from earlier. Create hundreds of collections of 1.9M people. Release it to the dark web.
|
| Just flood the zone with noise. FBI can still keep their list (and know it's legit), and people's privacy will be ensured.
|
| Otherwise this is going to 100% get integrated into various social credit systems we have in the US.
| trident5000 wrote:
| Once government agencies are given approval from Congress they typically have very little oversight from that point on, including from Congress. It's why we get abusive behavior from so many of them.
|
| NSA: Prism
|
| DEA: Asset forfeiture
|
| FBI/CIA: Abusing FISA and using Five Eyes to spy domestically
|
| IRS: Political targeting
|
| etc etc etc
| giantg2 wrote:
| ATF: Approving background checks on known traffickers and continuing to sell them guns even after there were concerns they couldn't track the weapons. (And Ruby Ridge, and Waco...)
| tester756 wrote:
| Why does "misconfigured" Elasticsearch appear this often as the reason?
| Saris wrote:
| It has no authentication by default, and it listens on all interfaces instead of just localhost by default.
|
| I used it for a while at home for a project, and setting up auth was quite a process, very difficult compared to most other databases.
| kieselguhr_kid wrote:
| By default, Elasticsearch is unsecured. If you manage your own ES cluster, you have to go through a few steps to secure it manually. Lots of people either don't know/don't care about this though, so they regularly expose their data to the whole internet.
| [deleted]
| mygoodaccount wrote:
| Did some perusing - can't find it anywhere you'd normally find these things. Let me know if anyone does!
| cyberlurker wrote:
| > "The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime," Diachenko wrote. "In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list."
|
| I'm curious how many journalists are on the list. Now that we are pulling out of Afghanistan, we should reevaluate the other actions we took after 9/11. The patriot act deserves another look and possible edit.
| __blockcipher__ wrote:
| > The patriot act deserves another look and possible edit.
|
| Boy, that was the understatement of the year.
|
| The patriot act doesn't need an edit or another look. It needs to be completely abolished, yesterday.
| arthurcolle wrote:
| It expired already.
| plorkyeran wrote:
| Portions of it expired. Large parts did not.
| EGreg wrote:
| The PATRIOT act was largely the result of US foreign policy affecting domestic policy and erosion of civil liberties:
|
| https://magarshak.com/blog/?p=349
|
| In an ideal world, we'd be constantly re-evaluating both foreign and domestic policies, but will we?
|
| Remember this signed by Obama: https://www.aclu.org/press-releases/president-obama-signs-in...
|
| And he was not able to even close down Gitmo
| lostlogin wrote:
| > "In the wrong hands..."
|
| It's in the wrong hands already - the wrong hands made the list, and there are plenty of examples of what has happened to various misidentified people over the years.
| beambot wrote:
| > The terrorist watchlist [...] could be used to oppress, harass, or persecute people on the list and their families.
|
| So... what was it actually used for? Wasn't this the same list that results in extra scrutiny at airports & whatnot -- wouldn't that count as harassment?
| staticautomatic wrote:
| Yeah it's already used for that purpose...by the government.
| ashtonkem wrote:
| Given the history of the FBI deciding that journalists and activists are actually terrorists to be suppressed? Probably quite a few.
| flatiron wrote:
| Wouldn't that be hard in practice though? Journalists typically have to travel for work so it would soon be apparent. And if they work for a big media outlet it would be instantly litigated.
| ashtonkem wrote:
| This is the terrorism watch list, not the no fly list. Any of us could be on that list and it would take a while for us to know.
|
| The no fly list is much smaller, and far less ambiguous in its impact. You're on that, you'll find out the first time you try and fly.
| justinzollars wrote:
| I'm curious about this list too. For example are Islamic people I know on it? There are never any details on how to access these lists. The article could be fake for all I know.
| programmarchy wrote:
| I thought that the Patriot Act was not renewed as of December 2020. It failed to pass in the Senate because Trump threatened a veto. [1]
|
| [1] https://en.wikipedia.org/wiki/Patriot_Act#cite_note-256
| rolph wrote:
| this suggests many of the processes that have become constitutive due to the patriot act maybe are still occurring outside of a legal framework; it seems the patriot act is still in the system even if not renewed
| ipaddr wrote:
| Interesting no one reported this. Either everyone missed this or it is still in place.
| A4ET8a8uTh0 wrote:
| Short answer, its spirit lives on. Not to search very far, FinCEN did not stop contacting financial institutions for 314(a) compliance.
|
| https://www.fincen.gov/sites/default/files/shared/314afactsh...
| datavirtue wrote:
| I'm on a huge greenfield application project at a major bank to collect and send patriot act mandated information to FinCEN. The Patriot act expiring did not even come up and I had no idea it expired. I thought it was a shoo-in for rubber stamping.
| MichaelApproved wrote:
| EFF reported on it.
|
| https://eff.org/deeplinks/2020/12/section-215-expired-year-r...
|
| > _"On March 15, 2020, Section 215 of the PATRIOT Act--a surveillance law with a rich history of government overreach and abuse--expired due to its sunset clause. Along with two other PATRIOT Act provisions, Section 215 lapsed after lawmakers failed to reach an agreement on a broader set of reforms to the Foreign Intelligence Surveillance Act (FISA)."_
| LeifCarrotson wrote:
| In their defense, there has been an awful lot going on.
|
| The EFF reported on the expiration in the brief window when there were no authorizations:
|
| https://www.eff.org/deeplinks/2020/04/yes-section-215-expire...
|
| It's being reintroduced as the equally doublespeak "USA FREEDOM Reauthorization Act":
|
| https://www.congress.gov/bill/116th-congress/house-bill/6172
|
| I'd be interested to know if any behavior was changed during the few weeks that the permissions were not covered by either law.
| adventured wrote:
| To be fair, they do have to reauthorize the Freedom Unmitigated Bill for Appropriations Reconciliation Defense act every year or we're not allowed to leave our homes. Those F35-Liberty planes aren't going to pay for themselves.
| vmception wrote:
| this is the second backronym pun I've seen today, what's going on?
|
| _rate-limit edit:
|
| I don't think Baader-Meinhof applies when I already know what a backronym is and also have to extrapolate the first letter of all the words to get the joke.
|
| Was there a show or pop culture thing that has people leaning towards this joke?
|
| If anything, this could be a perceptive bias where I am forcing meaning into something, but a FUBAR Defense Act is exactly what that poster was going for. Who knows about the other one I saw earlier._
| vlovich123 wrote:
| Likely just Baader-Meinhof phenomenon[1]. Interestingly, I think that phenomenon ignores the superset of when you actually had seen something multiple times before but for whatever reason started noticing the frequency more frequently (eg you've seen backronyms before, but your brain has decided to notice them more because maybe you saw them in quicker succession than you're used to).
|
| [1] https://en.wikipedia.org/wiki/Frequency_illusion
| adamrezich wrote:
| definitely interesting but certainly unsurprising
| lancemurdock wrote:
| > The patriot act deserves another look and possible edit.
|
| once you give the gov power, it is never given back to the people.
| syrrim wrote:
| Didn't the patriot act expire without renewal?
| dopamean wrote:
| It did.
| weaksauce wrote:
| huh interesting. So is it basically gone then or were there any permanent things that came from it?
| giantg2 wrote:
| Some things were made permanent under subsequent laws (or at least extended). For example, financial reporting for people depositing "large" amounts of cash. I think it started out at $10k under the patriot act. Now I think it's $5k. That is a good bit of cash, but it could easily be made selling a used car or something.
| silisili wrote:
| Unless it changed very recently, I'm pretty sure it's still 10k.
| jellicle wrote:
| 90% of the Patriot Act was permanent law and is law today. A few of the most objectionable parts had "sunset" provisions in them and those (after several rounds of modifications and numerous extensions) are what has, finally, been allowed to expire. Most of the provisions of the Patriot Act are in effect today and will be until a future Congress changes them.
| pessimizer wrote:
| You mean being put on a restricted rights/law enforcement attention list with no due process? Definitely. I hate to be the slippery slope guy, but this began with gang affiliation lists.
|
| https://blockclubchicago.org/2021/07/28/police-gang-database...
|
| https://www.tampabay.com/news/publicsafety/crime/police-gang...
|
| https://www.avvo.com/legal-answers/i-was-put-on-the-gang-lis...
|
| https://www.policemag.com/340392/identifying-and-documenting...
| andai wrote:
| The slope to totalitarianism is always slippery.
| vmception wrote:
| It's not a slippery slope when we've been at the bottom of the slope your whole life
| pessimizer wrote:
| The people on the bottom of the slope are the people on the lists. As they grow to 1.9MM people.
| tinalumfoil wrote:
| > but this began with gang affiliation lists
|
| Civil courts have been able to exercise significant control of your life, including extended imprisonment without due process, for longer than these lists have been in effect. Frankly Americans have a lot fewer rights than they think they have, including the non-right of due process for being on a government list.
|
| Edit: To pre-empt some comments I know are coming, civil courts do not require due process in the way you probably think of due process: a civil court can act against you without giving you representation, without allowing you to have representation, without you present, in secret from the public, and even without notifying you
|
| EDIT2: While I'm soapboxing I'll note the power the civil court has over you isn't much different than the power three-letter agencies have over you (since they are usually given very broad mandates), it's just that civil courts have been around so much longer it's a good retort to people thinking they used to have rights. Whatever three-letters can't do to you is generally picked up by similar state agencies.
| vmception wrote:
| I've never had a good experience "pre-empting" comments that will inevitably be used to derail your thread.
|
| In any case, I was mostly thinking that it has to be a form of privilege to feel like a particular slippery slope hasn't happened yet. I think about how the word "privilege" is used, and it's more like "exemption from some inconveniences that aren't obvious". Your post about people not noticing that civil courts and agencies have these powers over assumed rights is a decent example of that.
| giantg2 wrote:
| "Frankly Americans have a lot fewer rights than they think they have"
|
| Very true
| owl_troupe wrote:
| > a civil court can act against you without giving you representation, without allowing you to have representation, without you present, in secret from the public, and even without notifying you
|
| While there is no right to be afforded free legal representation in civil court in most US jurisdictions (some do) and a civil court can render rulings and judgments against parties who are not represented by counsel, a civil court cannot prohibit a party from having legal representation, which is what your comment seems to suggest.
|
| A civil court can render a ruling against a party if the party is not present, but it will typically go to great lengths to ensure that notice is given to parties before doing so (pleadings served to last address by process server, notice published, etc.). There are typically strict requirements that have to be met before a civil court can render a ruling or judgment without a party present, especially where there is no indication that the party has received notice first.
|
| A lot of anecdotes about drastic judgments and rulings being handed down by civil courts happen when parties ignore notice of the proceedings. There are a lot of rules for handling cases in civil court and they are grounded in the constitutional right to due process. Notice and due process are taken really seriously in most US jurisdictions. Federal Courts are especially strict about following the rules.
|
| https://www.law.cornell.edu/rules/frcp
| tinalumfoil wrote:
| > a civil court cannot prohibit a party from having legal representation, which is what your comment seems to suggest.
|
| > https://www.law.cornell.edu/rules/frcp
|
| This is a good point for federal cases, but I meant my comment to cover civil action in state courts too. These are the courts that are most likely to affect someone's life. For instance in California small claims courts you are not allowed to be represented.
| Spooky23 wrote:
| That's by design to make justice more accessible. IIRC, you can petition the judge to adjourn the case and move it to normal court.
|
| Also, I believe in small claims as a defendant you can appoint an attorney to represent you. I sued a tow operator in small claims court and the dude who showed up was definitely an attorney.
| giantg2 wrote:
| "A civil court can render a ruling against a party if the party is not present, but it will typically go to great lengths to ensure that notice is given to parties before doing so"
|
| In many types of cases, but not all. Protection from abuse order hearings generally happen without the knowledge of the target of the order.
| dillondoyle wrote:
| plus even more relevant to HN is when authorities are using algorithms as a scapegoat. we probably know what will happen when they start using black box ML with a ton of bias baked in.
|
| There is a scary (gross in my mind) story that reports on some dystopian pre-crime Minority Report Sheriff targeting kids.
|
| Looks like the court case is in process, though not sure why the court didn't immediately shut it down pending trial given how (to my non-lawyer brain) this seems that plaintiffs will almost definitely prevail given clear violations of multiple Amendments.
|
| From the reporting: "Over the span of five months, police went to his home 21 times. They also showed up at his gym and his parent's place of work. The Tampa Bay Times revealed that since 2015, the sheriff's office has made more than 12,500 similar preemptive visits to people.
|
| These visits often resulted in other, unrelated fines and arrests that further victimized families and added to the likelihood that they would be visited and harassed again. In one incident, the mother of a targeted teenager was issued a $2,500 fine for having chickens in the backyard. In another incident, a father was arrested because his 17-year-old was smoking a cigarette. These behaviors occur in all neighborhoods, across all economic strata--but only marginalized people, who live under near constant police scrutiny, face penalization."
|
| https://projects.tampabay.com/projects/2020/investigations/p...
|
| https://ij.org/press-release/pasco-families-win-round-one-in...
| vkou wrote:
| > You mean being put on a restricted rights/law enforcement attention list with no due process?
|
| What novel 'due process' do you believe is necessary for the police to _unintrusively_ start investigating someone?
|
| We already require judge-issued warrants for _intrusive_ investigations (searching your things, tapping your phone lines, arresting you, etc).
|
| I don't believe there's any country in the world that requires a judge to review the police putting you on a list as a person of interest. I am no legal scholar, so I should probably cut myself off right here - but do you not think that perhaps, there is a valid reason for this? You're inventing novel legal practices without precedent, here.
| pessimizer wrote:
| If I, as a police department, put you on a secret list of possible pedophiles based on the fact that we saw you speaking to another person on that list, noticed you in a board game store patronized by many local young Magic: The Gathering fans, you were single with no children, and you were the brother of someone who once dated the sister of the cop who put you on the list, would you have a problem with that?
|
| What if we weren't allowed to confirm or deny you were on the list, except to a prospective landlord or employer who filled out a form?
|
| What if there were no way to find out those were the reasons I put you on the list, and no appeals process to be removed from the list?
|
| What if you couldn't prove standing in court because there was no legal way to prove you were on the list at all without a friendly judge?
|
| > You're inventing novel legal practices without precedent
|
| Which is why people are forced to rely on the racial makeup of these horrifying lists in order to challenge them. The problem becomes a lot clearer if your local police force makes up a list of all Jews in the neighborhood (whatever criteria they decide to use, i.e. "valid reason") for special treatment.
|
| edit: and, of course, what if the list leaks, and is used as an automated first step for disqualification by employers and landlords for the rest of your life?
| vkou wrote:
| Would I have a problem with being on a list that, from my perspective, I can't tell the difference between being on it, and not on it?
|
| I don't know, I wouldn't be able to tell. If a tree falls in the forest, and nobody's there to hear it, does it matter to anyone whether it makes a sound?
|
| > What if we weren't allowed to confirm or deny you were on the list, except to a prospective landlord or employer who filled out a form?
|
| You're swinging at strawmen. Nobody in this thread is defending intrusive lists.
|
| For some reason, though, you are conflating unintrusive lists (which don't require oversight anywhere in the world) with intrusive lists (which do require oversight in... well-governed parts of the world).
|
| Do you have arguments against the former? I'm not interested in being convinced that the latter are bad, I'm already convinced that they are bad.
|
| > edit: and, of course, what if the list leaks, and is used as an automated first step for disqualification by employers and landlords for the rest of your life?
|
| If there's an unholy decades-long alliance between the FBI, the background check bureaus, and millions of employers and landlords, that neither my federal, state, or municipal government is interested in doing anything about, I think my main problem is not 'the FBI has a list'. I think my main problem is 'My society, on every imaginable level, is broken.'
| salawat wrote:
| > Would I have a problem with being on a list that, from my perspective, I can't tell the difference between being on it, and not on it?
|
| > I don't know, I wouldn't be able to tell. If a tree falls in the forest, and nobody's there to hear it, does it matter to anyone whether it makes a sound?
|
| Spoken like someone who hasn't had the long arm of the law drop in on them before, or a person who "doesn't care about that liberty anyway, so why not vote it away?"
|
| Just because you don't see the problem doesn't mean it isn't there. Just because you didn't see the tree fall, doesn't mean the world is unaffected. These are concepts 3-4 year olds manage to divest themselves of once they grasp the permanence of objects. Just because you don't get much out of a liberty doesn't mean that it's cool to force the loss of it on somebody else. Liberty is to be treasured and protected. The selective relinquishment, revocation, or limiting of one for anyone should be a Big. Frigging. Deal.
|
| The fact people are so cavalier with whisking away the freedoms that underpin American Civil Life on mere suspicion of something that the State is not even required to be transparent about should disturb everybody.
| octaonalocto wrote:
| Your tone is inappropriate, please try to make your point without implying GP is dumber than a third grader. It implies malicious intent and is bad for discussion.
| isoskeles wrote:
| I don't understand this response. He was told it was a "secret list." Why would you take such a tone in response to him saying he might not have a problem since he doesn't know about the list? It's a hypothetical about a secret list, and since he doesn't immediately agree with the conclusion, you browbeat him about not having the long arm of the law drop down on him, etc.
|
| More importantly, this:
|
| > Spoken like someone who hasn't had the long arm of the law drop in on them before, or a person who "doesn't care about that liberty anyway, so why not vote it away?"
|
| Who are you quoting here? No one said this at all.
|
| I'm actually disgusted by your comment and the logic you present in it.
| RHSeeger wrote: | The problem is when that list is used to prevent you from | accessing common services, like fly on planes. | | Edit: Because people assumed I was talking about the no-fly | list specifically; I'm not. The terror watch list also | winds up being used to cause problems for people. | | From: THE PROGRESS AND PITFALLS OF THE TERRORIST WATCH LIST | By: COMMITTEE ON HOMELAND SECURITY https://www.govinfo.gov/ | content/pkg/CHRG-110hhrg48979/html/C... | | > Inaccurate watch list information also increases the | chances of innocent persons being stopped or detained | because of misidentification. | | A page by the ACLU goes into some detail. | https://www.aclu.org/other/us-government-watchlisting- | unfair... | | That list, and others, are not innocent "we're just keeping | an eye on these people" lists. Their use causes serious | harm. | AnimalMuppet wrote: | Except that, if I understand correctly, this is _not_ the | no-fly list. So... | vkou wrote: | Yes, that is a problem. But that's not what the parent | poster is talking about. It's absolutely irrelevant to | this conversation. | | The parent poster takes issue with the fact that an | unintrusive person of interest list exists, and wants | oversight on it. This is an absolutely unprecedented | legal take. | | It doesn't help that they are conflating the two (one of | which is, at a first glance reasonable, and the other is | not), when they are not the same thing. All that does is | muddy the waters. | __blockcipher__ wrote: | There's no such thing as an "unintrusive" list. They make | the lists for a reason. | vkou wrote: | If that's the case, you should have no trouble answering | two simple questions: | | 1. What do you think happens to people on it? | | 2. Which of those actions should require judicial | oversight, but currently don't? | | So far, the only answers to those questions in this | thread have been 'imagine if...' tangents. 
I don't need | to imagine strawmen, I'd like to know what is _currently_ | wrong. | | Imagining disasters is how we're in this mess, I'd like | to know what the actionable problem is. | RHSeeger wrote: | > Imagining disasters is how we're in this mess | | I posted some links in my original comment that talk | about specific problems. That being said, "allowing those | in authority to do things that could be used | inappropriately... and then it turning out that they did | exactly that" doesn't require ANY imagination. The US | government engages in such behavior on a daily basis. | vkou wrote: | Please note the four demands the ACLU makes in the | publication you linked. | | None of them demand that police lists should not exist, | or that judicial oversight should be necessary to put a | person on one. | | Instead, they demand that: | | 1. The lists be accurate. | | 2. The lists be accurate. | | 3. Allowing people to contest them on a case-by-case | basis. | | 4. To not blacklist people from employment based on them. | | The ACLU seems to be in agreement with me. | godelski wrote: | Worse than that, sometimes these intelligence agencies create | said terrorists. | | > Of these defendants caught up in FBI terrorism sting | operations, an FBI informant was the person who led one of | every three terrorist plots, and the FBI also provided all of | the necessary weapons, money, and transportation. | | I'm sure such a thing is something no American would agree | with. I wouldn't be surprised if similar actions were | happening at all levels (gangs to terrorists). I'm sure this | also isn't isolated to America either, as it appears to be | the incentives that causes this and how we measure success | (i.e. how many criminals are caught). | | These conversations are extremely complex. But I think we | need large social discussions about how to actually solve | crime and prevent animosity in the world. I think it is time | for a big rethink. 
If there's 2 million people on a list, I'm | not sure that list is very effective. It's like looking for | needles in a haystack by adding more hay. | | [0] https://www.brandeis.edu/investigate/government- | corporate-wr... | frickinLasers wrote: | > I think it is time for a big rethink. | | I'm in. Where's the convention, and how do we get our idiot | representatives to play along? | godelski wrote: | Here's my positions, but of course I'm open to other | opinions. I wrote a big list and I realized I could | distill a lot of my ideas. For one I'm a big fan of STAR | and Approval voting. We've seen over a hundred years of | ordinal methods in various countries (including America) | and seen the failure. Time to move to what the experts | are suggesting. Which brings me to the second point. Lots | of these topics are extremely complex and contain a lot | of nuance. Us non-experts can see a high level but | sometimes these nuanced points matter a lot. So let's not | be so aggressive in asserting how right we are. Also, we | need to focus on unity. Mic drops and calling people | names doesn't help us. We need nuanced and calm | conversations. Our fellow citizens, no matter how crazy | their beliefs, are not our enemies. Don't dehumanize | people, that's divide and rule. Lastly, we need to stay | focused. I think there is a new thing to be outraged | about every other day. Let's talk about what the big | important problems are and focus on those first. Let's | recognize that doing so isn't dismissing the other | problems. We only have so much bandwidth. Right now we | have no such priority list, we're just jumping from thing | to thing. Solving problems takes time (a thing we often | forget). If our attention to the problem is shorter than | the time it takes to solve the problem then we will never | solve these problems. | | Edit: One thing I wanted to add is that we can have | different groups focus on different things. It's not a | zero sum game. 
This is because not everyone is an expert | in everything, and thus the utility they contribute isn't | the same as every task they contribute to. | arminiusreturns wrote: | You refuse the two party system and work on a third party | geared towards pre-emptive avoidance of the corruption | mechanisms that got the two big ones. Do that at the | local and state level first, attacking gerrymandering and | other incumbent favoring electoral manipulation methods | to weaken the two party stranglehold, such as heavy | petitioning and lobbying to force state Secretaries of | State to fix election laws. | | Until we the people are actually represented in the | legislative branch nothing fundamental will change. Being | that the other branches are largely unaccountable to the | citizenry, the legislative branch is the logical entity | to focus on (and the fourth estate, heavily under attack | by the executive et al) | frickinLasers wrote: | There have been many third parties, and I'm not aware of | any that have achieved even middling success ( _maybe_ | Libertarian?) since I've been alive. How would this | party fare any better? | not2b wrote: | Under the US system as it is, with first-past-the-post | voting and all votes for a state going to the | presidential candidate who got the most, a third party | can't gain any traction. Worse, third parties under the | US system are another vehicle for corruption (example: | Republicans paying fees and collecting signatures to get | Greens on the ballot to divide the left vote and get a | Republican in office, though this problem could be fixed | with some form of instant runoff). You'd need | constitutional reform. | | While imperfect, I think that the German electoral system is | much better. Any party that gets 5% or more of the vote | is guaranteed fair representation, gerrymandering isn't a | possibility. 
| | However, in a multiparty system deals still have to be | struck to put together governing coalitions, so a party | that insists on being purist is likely to be shut out. | dane-pgp wrote: | > to get Greens on the ballot to divide the left vote and | get a Republican in office | | If people are serious about voting reform (and they | should be) then this "spoiler effect" can be weaponized: | start a grassroots campaign to vote third party until the | Democrats support changing the voting system at the state | level (and vote in primaries for Democrats who support | this change). | | This may lead to a few tight state races being lost, but | that means that only a small percentage of the population | would be enough to get the Democrat party officials to | take notice. To make the signal even more clear, the | third party chosen should be one that focuses as narrowly | as possible on voting reform, such as the Alliance | Party[0], which may also encourage some disgruntled | Republicans to temporarily lend their votes, whereas they | would be more reluctant to support the Green Party, for | example. | | Of course there is a danger that voting reform would get | portrayed as a pro-Democrat policy (if it isn't already), | but once enough Republicans (in majority Democrat states) | have experience casting their ballot in a more expressive | and representative system, it will be harder for | Republicans in other states to oppose it. | | [0] https://www.theallianceparty.com/political_reform | amznthrwaway wrote: | The third party would need to get local traction first. | This is the best way forward on a number of dimensions, | but most third party candidates go national instead, | because while it cannot effect change, it is | substantially more profitable. | godelski wrote: | Honestly voting is high on my priority list. The reason | is because I believe that voting will have a lot of | downstream effects. It will make a lot of other things | easier. 
But I don't believe we should be trying to change | things at the national level at this point (that's down | the line). I think we should be trying to implement | systems like STAR and Approval at local levels. City, | County, State. We know that these are the systems the | experts are suggesting. So let's stop doing the same | experiment we've seen fail a hundred times. And while the | dragon is the end goal, if we can't defeat the low level | monsters it would be insane to go fight the final boss. | some_hacker_55 wrote: | So status quo then. | | Cmon hackers, think harder... | pibechorro wrote: | Edit? | pibechorro wrote: | Edit? Cancel it entirely. | gjsman-1000 wrote: | Just an hour ago I was having a dialogue with someone on Hacker | News saying we needed a national ID system after the T-Mobile | hack. I said that the US Government should not be trusted to be | any more secure than T-Mobile with such a system. | | I rest my case. | jackson1442 wrote: | We already have a national identity card- the social security | card. Problem is, it's absolutely terrible at being an ID card, | so we should replace it with something more secure that is | purpose-built. | | If we're going to treat this magic number like a national ID | number, the least we can do is buff it up a little. | creato wrote: | A national ID doesn't necessarily have data security | implications any more than the current state-by-state DMV | system does. | | The relevance of a national ID is (presumably) so that banks | can check identity more reliably, i.e. making security breaches | like the T-Mobile one irrelevant. It wouldn't matter if your | SSN was public information. | adolph wrote: | > check identity more reliably | | Most states in the current system seem to have a crude | biometric identity verification of a photo plus point in time | stats of height/weight/coloring, all of which is nominally | protected/validated by counterfeit protection. How would a | national ID be any different? 
| nautilius wrote: | Do you have to have a 'crude state ID'? Is there any legal | pressure to keep the data on it up-to-date? Are the | standards for 'crude state IDs' identical between states or | would you have to know the rules and regulations of 50 | different jurisdictions? | jedimastert wrote: | It's not like "the government" doesn't already have all of this | information. Most information on an ID is OSI anyways. I can go | from my name to everything on my state-issued license from | public records. | YeBanKo wrote: | We already have a national id system. It's called a passport, a | birth certificate, a DMV id or driver's license, a social | security number. Those are all national id systems. | jandrewrogers wrote: | A passport and SSN are national IDs. Birth certificates and | DMV docs are State IDs only. | [deleted] | Rd6n6 wrote: | Wikipedia says the no fly list only had 47k people on it. The | terror watch list had about 1.9M though, so this must be the | terror watch list. | | 1.9M people is a massive number of people | | > The No Fly List is different from the Terrorist Watch List, a | much longer list of people said to be suspected of some | involvement with terrorism. As of June 2016, the Terrorist Watch | List is estimated to contain over 2,484,442 records, consisting | of 1,877,133 individual identities. | | https://en.m.wikipedia.org/wiki/No_Fly_List | LeoPanthera wrote: | Non-mobile URL https://en.wikipedia.org/wiki/No_Fly_List | OJFord wrote: | The submitted article does say watch list, it's just the title | here that ~has~ had the error. (Editing it was fair enough IMO, | at least to remove from 'and boy'...) | tvirosi wrote: | Or the 47k no fly number is just a lie | jedimastert wrote: | It's pretty easy to check, but I'm guessing it's just _far_ | easier to get yourself on the watch list. | mrits wrote: | Must be really annoying when your terrorist cousin comes | over and uses your wifi on the holidays. 
| [deleted] | Joker_vD wrote: | You know, I can understand why the Terrorist Watch List is secret | -- but not why the No Fly list is. If there is a list that | governmental agencies and/or commercial companies are _obliged_ | to check you're not on before providing you with their service, | then _surely_ such list must be public or at the very least, one | should be able to easily inquire about whether he/she is on it | or not. | | For a related example, Russian government maintains a list of | banned Internet resources. The list is not public -- at least in | theory -- but there is an official web site where you can input | a URL or a domain name and it would respond either with "no, | it's not on the list", or with "yes, it's on the list, here's who | ordered it and when". | londons_explore wrote: | Surely the easy way to check if a name is on the list is to | book a flight in that name. If the booking gets rejected, it's | on the list. | | Repeat for every name you want to check, and make use of the | airlines' free cancellation policy so you don't actually have to | spend money. | ch4s3 wrote: | Sometimes they just turn people away at security without an | explanation. | datavirtue wrote: | It's not a secret, just need-to-know basis. | outworlder wrote: | potato potato | jl6 wrote: | Would love to know how the FBI dealt with transliteration | deduplication of non-Latin names, cf. the many spellings of | Muammar Gaddafi. Although I guess they would just use whatever's | on the passport? | oa335 wrote: | They didn't. I know of several people with an extremely common | name (Basically Muslim equivalent of "John Smith") who were | unable to fly or cross borders, even with the "Redress numbers" | that they are supposed to give out in case of mistaken | identity. | ransom1538 wrote: | Can someone post the list? | dukeofdoom wrote: | So basically a list of Trump supporters. 
Well known for their | opposition to COVID measures, and claims of election fraud, and | belief that Trump can be reinstated. | c3534l wrote: | What makes you say it's a list of Trump supporters? | dukeofdoom wrote: | They build a fence around the capital to protect against | them. | | Since there's no way there are actual 1.9 million terrorists | in the US. 1.9 million/326 million is about 1 person out of | 200 on that list. | | In all likelihood, it's just a list composed of people in | opposition to government. | | Can't be many BLM protestors, and leftists, since government | is flying their flags. Simple deductive reasoning will get | you to that this list is mostly Trump supporters from his | populist movement. | | Just read the latest Terrorism Threat bulletin from DHS. Then | visit Gab.com, if you have any doubts on the overlap. | | Summary of Terrorism Threat to the U.S. Homeland | | https://www.dhs.gov/ntas/advisory/national-terrorism- | advisor... | sunshineforever wrote: | It's so ironic that you think they are falsely putting | right-wing people on the list when historically it has been | leftists to receive such treatment. | jjulius wrote: | You could've distilled your answer to the question by | simply saying, "Pure speculation based on a faulty | assumption that only US citizens are on this list". | wolverine876 wrote: | And the falsehood that government only puts people with | right-wing beliefs on watchlists. | c3534l wrote: | So are you saying you're just guessing because you believe | the government has it out to get Trump supporters? If it | turned out there was a similarly large number of people on | the list prior to Trump's election, would that change your | mind? I think the concern that an extra-judicial list this | large certainly has the potential for abuse, and America's | 3-letter agencies have historically used the auspices of | national security to target and harass political opponents | and personal enemies. 
However, you don't have any reason to | suspect that this list contains that group specifically, | right? Other than just some perceived marginalization by | mainstream society, that is. | tubbs wrote: | The list is seemingly not just citizens of the United States. | datavirtue wrote: | Another Q drop. | [deleted] | nurgasemetey wrote: | Out of curiosity, how can I search myself? | nullc wrote: | Leaks are for intelligence operatives to act with plausible | deniability ("It was hackers!"). | | They are not for you to use to create accountability by | discovering inappropriate inclusions and demanding answers. | [deleted] | sergiomattei wrote: | Yeah, I'm curious! I recall the NSA's XKeyscore was revealed to | put Linux Journal readers in watch lists. | krapp wrote: | >I recall the NSA's XKeyscore was revealed to put Linux | Journal readers in watch lists. | | No, it didn't. | | See this comment by grkvlt[0] and another debunking here[1] | | [0]https://news.ycombinator.com/item?id=12070156 | | [1]https://blog.erratasec.com/2014/07/validating-xkeyscore- | code... | sergiomattei wrote: | Thank you for the clarification! Did not know this. | clipradiowallet wrote: | Inquiring minds want to know | hughrr wrote: | Awaiting future headline _"Secret CSAM hash list leaks online"_. | | Keeping lists secret appears to be something the human race is | really really bad at. | raxxorrax wrote: | It is amazing what the hunt for terrorism has done to modern | countries. They only look fearful and weak, exactly what | professional terrorists always wanted them to be. | | Anyone who knows bureaucratic behavior knows that even in the | absence of real terrorists, people will find their way onto lists | like these. | | I hope the lists will leak to a wide audience. Find the cases | that are wrong and sue those responsible behind the desks. This | is the only way this can stop. | | The website is extremely horrible. Did use a dev browser without | adblock. Grave mistake. 
| alexfromapex wrote: | The fact this wasn't protected by a VPN is amazing | ClumsyPilot wrote: | As expected, it is only a matter of time until all the intensely | private data collected by NSA and pals is leaked or stolen and | used by criminals for fraud and extortion. | loceng wrote: | Or a list of allies and talent to hire or leverage. | vmoore wrote: | This. Eventually all sensitive data becomes concentrated enough | that it becomes leakable material | deadalus wrote: | Usually by an insider. | waynesonfire wrote: | sounds like a use case for the BLOCKCHAIN! | sneak wrote: | The main databases the NSA has are far too large to be easily | leaked. | | Even blueleaks was <1T (~300GB iirc) and many people had | trouble downloading it. I am sure many IC databases are | several hundreds or thousands of times larger even without | indices. | | It's not like you could just throw up a 4000TB torrent for a | 7z of all of the north american phone call metadata for last | year. | nonameiguess wrote: | When I worked on the main NRO ground processing station for | electro-optical collections, we were generating double- | digit petabytes daily, and that was back in 2008. Don't even | know what it's up to now. | | Not only is there no practical way for anyone other than | maybe Google or CERN to download that much data, unlike the | no-fly list, actual classified information isn't attached | to any networks that can be accessed from outside of a | secure facility. This means the only way to egress data is | for an inside threat to copy it onto USB drives or possibly | optical media, maybe steal hard drives. But there are | pretty hard limits to what you can just bulk copy. It can't | be much more than a person can hide in a bag. | rsbrans wrote: | I have a feeling this post may be agedlikemilk worthy in | the not so distant future... 
| BrandoElFollito wrote: | Glad to see that CERN was mentioned, it is not that often | that their IT resources are known (and they are huge) | throwaway4688f wrote: | Where is the torrent, dammit? Internet ain't what it used to be. | TekMol wrote: | What would happen if you put all these people together on an | empty island? | fouc wrote: | who is John Galt? | OneLeggedCat wrote: | You'd have about 1.9 million people on an island, the vast | majority of which are normal, average people. | aaomidi wrote: | They would be super confused since there are really no checks on | who gets put on this list. | int_19h wrote: | What really bugs me about these lists isn't just that they exist, | but that there's continuous clamoring to expand the scope in | which they are applied. For example: | | https://www.theatlantic.com/politics/archive/2015/12/no-fly-... | | So, basically, politicians have found it to be a convenient tool | to skirt due process concerns in general when pushing for their | favorite agenda. | sonicggg wrote: | Where is this alleged list then? Very convenient that this guy is | not disclosing a link to this supposed leak. I think someone | wants notoriety. | mygoodaccount wrote: | It looks like it was "leaked", as in, publicly exposed server | indexed by a few search engines. It's possible that this | researcher was the only one to come across it, and reported it | immediately. In which case it'll never see the light of day. | serf wrote: | "The exposed server was taken down about three weeks later, | on August 9, 2021. It's not clear why it took so long, and I | don't know for sure whether any unauthorized parties accessed | it." | | three weeks open on the internet; it seems unlikely that no | other party accessed it. | tomc1985 wrote: | Elasticsearch is like the security breach gift that keeps on | giving... | Saris wrote: | It's crazy how many instances are set up to be accessible from | the internet, but they don't bother to secure it. 
| kieselguhr_kid wrote: | I mean, the FBI should 1000000% know better than to expose | their unsecured Elasticsearch cluster to the internet. While | Elasticsearch should be more secure by default, I'd say the | blame is much more on the agency. | tomc1985 wrote: | Has Elasticsearch done anything to fix its ridiculously bad | lack of access control? | | People are fucking stupid, and expecting them not to fuck | this up is a big ask. Too big, in fact. | | Secure by default or GTFO | clipradiowallet wrote: | Elasticsearch has nothing to fix - the product does | precisely what the config tells it to. Maintainers of | various distros' ES packages are largely responsible for any | [mis]configuration there. | | If you'd like to read _how_ you can secure ES, go do that: | https://www.elastic.co/what-is/open-x-pack | | PS: x-pack is the piece that adds | authorization/authentication to ES. | altdataseller wrote: | You can set up username and pass auth in newer versions of | Elastic without paying for xpack (I think at version 6 or | up?) | kieselguhr_kid wrote: | I think it's reasonable to expect the FBI to not expose | this. I'm with you on Elasticsearch being too insecure but | you're talking about secret government info. If they put | that on the open internet that's a serious failure on their | part and they'd have fucked it up with another tool if they | weren't fucking it up with ES. | twobitshifter wrote: | It's not clear it was the FBI, the server was in Bahrain. | This could be bigger than just an FBI screwup. Why is US SSI | in a server in Bahrain? | outworlder wrote: | "Misconfigured Elasticsearch cluster" | | Doubly so. No passwords _and_ it was exposed. There's no real | reason to ever directly expose a database to the internet for | 0.0.0.0/0. Heck, there's no reason to expose to any routable | address. | | Yeah sure zero trust or whatever. Still, why even risk it? | Layers. 
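The two misconfigurations the comments above keep returning to (a cluster bound to every interface, and the x-pack authentication layer switched off) are both visible in the node's own elasticsearch.yml. The audit script below is an added example, not code from the thread or from Elastic: it greps a config file for `network.host` and `xpack.security.enabled` (real Elasticsearch setting names) and reports the weak combinations. The two sample config files it writes are constructed for the demo, and the third check assumes the older behaviour the commenters describe, where leaving `xpack.security.enabled` unset meant no authentication.

```shell
#!/bin/sh
# Added example: audit an elasticsearch.yml for the "open to the world" pattern.
# Setting names are real Elasticsearch keys; sample files are constructed.

# es_audit FILE: prints one line per finding; exit 0 if clean, 1 otherwise.
es_audit() {
    file="$1"
    findings=0
    q="[\"']?"   # optional YAML quote around the value

    # 1. Bound to every interface (0.0.0.0, ::, or the _global_/_site_ aliases).
    if grep -Eq "^[[:space:]]*network\.host:[[:space:]]*${q}(0\.0\.0\.0|::|_global_|_site_)" "$file"; then
        echo "FINDING: network.host binds to a non-loopback address ($file)"
        findings=$((findings + 1))
    fi

    # 2. Authentication explicitly disabled.
    if grep -Eq "^[[:space:]]*xpack\.security\.enabled:[[:space:]]*false" "$file"; then
        echo "FINDING: xpack.security.enabled is false ($file)"
        findings=$((findings + 1))
    fi

    # 3. Non-loopback bind with no security setting at all. Assumption: on the
    #    older releases discussed in the thread this meant security was off.
    if grep -Eq "^[[:space:]]*network\.host:" "$file" \
       && ! grep -Eq "^[[:space:]]*network\.host:[[:space:]]*${q}(127\.0\.0\.1|localhost|_local_)" "$file" \
       && ! grep -Eq "^[[:space:]]*xpack\.security\.enabled:" "$file"; then
        echo "FINDING: non-loopback network.host with xpack.security.enabled unset ($file)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# write_samples DIR: constructed configs, one weak and one hardened.
write_samples() {
    dir="$1"
    # Constructed: anyone who can reach TCP/9200 gets the whole cluster.
    cat > "$dir/weak.yml" <<'EOF'
cluster.name: demo-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
EOF
    # Constructed: loopback only, auth and TLS on; reach it through an
    # authenticated proxy or VPN rather than a public address.
    cat > "$dir/hardened.yml" <<'EOF'
cluster.name: demo-cluster
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
EOF
}

# Stand-alone run: audit both samples. "if" keeps a non-zero exit from
# aborting the script under "set -e".
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/weak.yml" "$demo_dir/hardened.yml"; do
    if es_audit "$f"; then
        echo "clean: $f"
    else
        echo "needs attention: $f"
    fi
done
```

The script only looks at what the service itself is told to do; the host firewall and any cloud security group that the other commenters mention are a separate layer and need their own review, which is exactly the "layers" point made above.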
| Saris wrote: | >There's no real reason to ever directly expose a database to | the internet for 0.0.0.0/0 | | And open the host firewall too, there were quite a few layers | of absolute incompetence involved here! | atonse wrote: | This is what I came here to ask. | | How did this server even have a public IP? | WrtCdEvrydy wrote: | I wonder if this will end up on haveibeenpwned? | | "The FBI leaked your name as a terrorist" | tubbs wrote: | That would be funny (I guess). At any rate, neither email | addresses nor phone numbers were part of the leak. | imglorp wrote: | I would like to know if any grumbling about the agencies on | social media--like this post--has landed me on the watch list. | gjsman-1000 wrote: | The freaking _FBI_ leaked your info. Not a stupid private | organization. The _FBI_. And also, because the FBI doesn't | tell people they are watching them, there was absolutely | nothing - no product, no service - you could have just not | signed up for to avoid this leak. | | What next, the IRS? | nullc wrote: | > What next, the IRS? | | Already happened: https://www.propublica.org/article/the- | secret-irs-files-trov... | | They didn't disclose how many parties were included, but | their description of their validation (they verified it | against 60-some public figures who had separately disclosed | their tax filings) suggests that it's probably a significant | fraction of the US population. | tomasreimers wrote: | Yes, Equifax largely leaked many people's identity. | goodluckchuck wrote: | I wonder if we can even trust the CCP to not leak our party | membership!? | giantg2 wrote: | OPM had a breach affecting 22M. | | https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme. | .. | | Edit: why downvote? | mike_d wrote: | Did you miss the whole OPM shit show? But hey, at least you | get 10 years of free credit monitoring! | rdtsc wrote: | Wonder if they did it on purpose. 
I can't figure out what the | purpose might be - a whistleblower wanting to raise awareness | about it and realizing they didn't want to have to relocate | to Russia or, say, live in an Ecuadorian embassy for years. Or, I | can imagine, a rogue agent wanting to warn someone they are | on the list without communicating with them privately, so | there is no metadata linking them, and they "accidentally" | leaked the whole list. | [deleted] | woodruffw wrote: | > Additionally, the researcher noticed some elusive fields such | as "tag," "nomination type," and "selectee indicator," that | weren't immediately understood by him. | | I'm not sure about the others, but "selectee indicator" might be | whether the individual is on the Selectee list used for SSSS | flagging[1]. | | [1]: | https://en.wikipedia.org/wiki/Secondary_Security_Screening_S... | Ceezy wrote: | These people are morons! They claimed to be creme de la creme and | watch. Few years ago they wanted to force Apple to create a | "secure backdoor". Hope we gonna get more details. | | Sorry for the rant | ClumsyPilot wrote: | I wonder how many hacks happened purely because of these | backdoors ___________________________________________________________________ (page generated 2021-08-18 23:00 UTC)