99 comments

[ 2.7 ms ] story [ 170 ms ] thread
With the billions of records breached this year alone, I'm feeling quite apathetic to these stories now.

Thousands or millions of records are breached due to X (usually egregious negligence, sometimes not), the company makes an apology full of mental gymnastics, blame game, and bold lies ("Your privacy is our number one concern, we're sorry we are only pretending to care now."), a few days later the heat is off because another company let loose a few million other records. Repeat.

I feel like I need to be re-sensitized. This is a major problem - and I just can't seem to muster up any care for it anymore.

I wonder about the extent to which the seemingly endless supply of breaches has translated into an increase in identity theft (or any other negative consequences that I haven't thought of)
I think a bigger use-case for these breaches is credential stuffing and more elaborate phishing rather than old fashioned identity theft - but I'm honestly just guessing and have no data to point to.
You don't need phishing if they have the credit card numbers and name/address information.
If the credit card number is the end goal, sure.

However, there are many other goals of phishing: Pivoting through another person/company to reach another target, IP theft, espionage, corporate sabotage, impersonation, etc.

I'm more concerned about the propaganda issue. I argued a couple years ago (heavily edited) when I left the Army that foreign actors (read: Russia) were data mining stolen data for fracture lines to amplify [0] which makes it hard to form a comprehensive list of politically relevant topics.

[0] https://www.armyupress.army.mil/Journals/NCO-Journal/Archive...

Partisan politics really gets in the way of that point. Both sides of the aisle have been pointing to the other side saying “Russia” or “China” for the past few years, so admitting civil division is their primary objective would almost be admitting complicity.
I feel the same way about pretty much everything and anything related to any type of news. Whether it's tech news like this, environmental news, or political news. It's the same thing over and over, as you described. Incident, Twitter/media coverage/hype, blame, lies, apologies, and then it's not talked about again a week later. Sigh.
The president's new outrageous tweet / orange man = bad, another wedding blown up in some middle eastern country, someone famous said something inappropriate / groped someone that got them fired, earthquake/fire/tsunami wiped out a few thousand people in some distant land, another school got shot up, "clear signs we're in a bubble" and the market is about to crash, something generic about Silicon Valley's hubris, something about how another oppressed group is being screwed over etc etc.

I don't think we're really meant as a species for this constant stream of depressing information we can't act upon, it's not good for us. Apathy seems like the only natural response to this barrage of stressors.

Had an annual checkup recently and did a screening for anxiety/depression. It felt unrealistic - is it a problem with me to be "Worrying 'too much' about different things"?
A small counterpoint to your last point: the youngsters at Fridays for future and the folks of Extinction rebellion
I actually believe that the present and the future are bright. Pinker's last book does a great job at showing how we're all simply victims of recency/availability/selection/confirmation bias when consuming the news. The world is getting dramatically better, it's our perception of it that is getting constantly worse.
With all the information exposed probably 60-70% of all people have been exposed. We need to stop the ability of anyone to do anything useful with this data. Which means forcing banks to improve their security standards... rather than calling it identity theft and forgetting about it.
I think it might be too late to put the genie back in the bottle without a multi-industry, multi-system overhaul.

I agree banks need to improve security standards (along with just about every other major and minor company). But banks being more secure doesn't get to the root of the issue any more than just forgetting about it (after all, it's generally not the bank having their innards on display). There is no silver bullet.

How about 2 forms of government ID to open an account just like you need to get a passport. Identity theft is so easily facilitated by just having to enter a social security number online and the banks are responsible because they are trying to make it as easy as possible for anyone to sign up.
This doesn't address credential stuffing, spear-phishing, propaganda, or many of the other issues that come along with data breaches. Identity theft is a piece of the puzzle, but no where near the whole thing.

Your idea might cut down on identity theft - I'm not sure. But it doesn't speak to the root issue. (Not to say it isn't worth pursuing, just that it doesn't do anything if I shared a password between my email, bank, and MoviePass)

Sign all communication with a private key. Have mail clients verify it. Make that government mandated.
How are you doing to deal with 11-30 million of people who are here illegally/visa overstays/etc? What about people who are in SF but were born in Maine and need a birth certificate from the county court house to get that "government issued key"? (The Maine court house would need that key to issue a certificate though ).

If we are claiming that it is too difficult for people especially poor people to get a current state photo ID ( which is why we do not want to mandate it for voting ) what are we going to do with 20-30% of the US population that won't have a key?

We need to shift identity theft back onto the businesses being the ones to bear the costs. This would be hard to do, but would be far simpler than trying to force all businesses to use a new identity system (that just ends up being leaked with two years). It creates an incentive for the businesses to care about actually verifying one's id.
Maybe we could accept that despite the leaks society is carrying on just fine?

Perhaps the paranoia is a bit overblown, and is implicitly allowed to satisfy notions that financial market performance is somehow the highest priority or literally reflective of efficiency.

Remember, scores of people are convinced Sky Wizards are literal things. I’ve seen no reason to believe common held beliefs in economics are anything less than qualification without well reasoned checking.

My priorities in life are not a rich person’s financial portfolio. And we can see how they treat each other when these breaches happen. They don’t care and pat each other on the back coughEquifaxcough.

Why should we take such a serious posture if the rich owners don’t?

Bad actors having access to intimate personal details (health and financial records), past passwords (not everyone uses 1 password per site), etc. is not a matter of my paranoia being overblown.

I don't know how someone getting access to my medical records or locking me out of my email account is related to financial market performance.

>Remember, scores of people are convinced Sky Wizards are literal things.

We know, for a fact, that data is being breached and ending up in the hands of the wrong people. How are you honestly making a comparison to "Sky Wizards"?

Why should we take such a serious posture if the rich owners don’t?

Because it's my f'in data.

I’m questioning your belief in a system that clearly doesn’t a give shit about your data and your ability to do anything about it in that system.

You and some other engineers on this forum can conjure all the concepts you want about how to fix it, and the perceived value in doing so, on here in these forums and nothing will come of it. Because by and large the system doesn’t give a shit.

You’re “f’in” data is being bought and sold to bad actors without you even knowing it. And you agreed to that by using these services.

Like you said in another post, the genie is out of the bottle.

The value of securing an inherently insecure society is stupid.

You’re thinking about this like an engineer only and you’re losing and have been for years. There’s no engineering solution to these problems at the technical or social level.

We’ve been fighting fraud since society began. Good luck. I’m sure a hardcore software engineer will figure it out

>And you agreed to that by using these services.

I have no right to complain if the service I sign up to tells me they are selling my data to 3rd parties. I certainly have a right to complain if the service I sign up to tells me my data is private, then through their negligence someone lays their DB bare.

>The value of securing an inherently insecure society is stupid.

A real live nihilist. Better give up on everything that's broken, eh?

>There’s no engineering solution to these problems at the technical or social level.

No technical engineering solutions to a technical issue, that's a hot take I haven't heard. As for social, luckily we are able to communicate with other humans and work together on different aspects of a problem. Or I guess some people just shit on others, claim everything is insolvable, and ride their high horse into the sunset.

>Good luck. I’m sure a hardcore software engineer will figure it out

Thanks, friend.

Haha yes you’ve nailed me in two posts on a forum as a nihilist

Like I’ve nailed you as a self aggrandizing tech bro who thinks he’s smarter and more aware than anyone else and can tackle a problem there’s no social will to tackle in earnest.

Good luck.

That's a pointless sentiment, there's no social will to tackle an emergent problem until there is.
Data is our century’s version of leaded petrol, CFCs [0], greenhouse gases and long-term nuclear waste containment.

Not saying those things are no longer problems, but they weren’t seen as ones until they suddenly became ones.

Like toxic waste, data always finds a way to escape its container. Data wants to be free - just not in the way we originally hoped.

Just like those early fridge manufacturers, we don’t yet know what the long-term effects of releasing so much data into the atmosphere are going to be.

The next 50 years are going to be bumpy as we find out.

[0] Fun fact: the inventor of leaded petrol also invented CFCs. He probably did more damage to the environment than anyone else ever, living or dead. https://en.m.wikipedia.org/wiki/Thomas_Midgley_Jr.

> Why should we take such a serious posture if the rich owners don’t?

If somebody’s ssn or sexual preferences got leaked and They had their identity stolen, or lost a job, and the rich ceo doesn’t care, you are suggesting that they shouldn’t take it seriously until the damage is proven?

The issue is that there are no punishments for the leaks, not that they are harmless

At this point, security measures need to assume that your information has been made public.
For the technically savvy, great. I'm sure most of us think like that.

My poor mom on the other hand doesn't necessarily know what that entails, and what steps she should take.

It should not be up to your mom. It needs to be on the banks, government agencies, and everyone else who needs to verify people's identity.

"Oh, you've got the correct address and the last 4 digits of a social" is no longer acceptable as proof that someone is who they say they are. Something else needs to be in place. Whatever that is, the burden should be on the banks, etc. to develop that and explain to your mom what it is and how it works.

I agree with you wholeheartedly, but right now it is up to her. So, your first comment is great for the technically savvy, but everyone else is SOL.
Everyone has an opinion on why Amazon is a monopoly and should be broken up, but this is what they don't think about. I trust Amazon not to get breached. No one is infallible, but tech is their thing.

I have no interest however, in further increasing the amount of online shopping accounts I maintain, because that means I have to keep tabs on the shenanigans of even more, highly technically incompetent, companies to know if I've been compromised.

Just use a password manager so you can have a different password for each site. It's not that hard.
The article points out that MoviePass had user and credit card data in plain text. A password manager wouldn't have helped with that.
The credit agencies are supposed to protect cardholders via PCI DSS audits (see https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...). This is definitely non-compliant. Obviously this system is broken.

Additionally, I don't understand why companies continue to roll their own payment processing rather than paying a service that knows how to do it. I guess it seems easy...

Well if you can make more profit, have all the advantages without being PCI DSS compliant. Why would you not roll your own payment processing? Since nothing happens apparently when the data of your customers get "breached"
> Why would you not roll your own payment processing?

There are various "financial hammers" these types of breaches will induce, depending on the network (Visa, MasterCard, etc.). Plus, processors (the banks) will put the liability onto Merchants which are shown to have violated thier ToS. Storing PAN's in clear text (or at all in some cases) is certain to trigger one or both of these ramifications.

What about being “big enough that they will discount all of these ramifications”?
PCI DSS is a program of the card associations to protect the issuing banks from fraud losses. Merchants have difficulty complying so it ends up as a balancing act between keeping the wheels of commerce moving and preventing fraud.

Fully outsourced payment solutions are a good fit for some business models but not for others.

Great post.

One thing I would add is that PCI DSS is also applicable for ISO's as well VAR's which operate payment processing gateways.

It is a hard-ish habit to start, and fully migrate into. But easy to maintain
I do use a password manager. Offline, in a separate VM. No amount of password security is going to protect my credit card information, address, phone number, shopping data, and other PI from being leaked by incompetent companies.
That and 2FA. If a service fucks even 2FA up, then I don't know.
Aspects of Amazon's businesses have been breached in the past. One could argue that tech is Facebook's thing too, but that didn't stop them from storing millions of passwords in plaintext[0]. Drinking the kool-aid of a big tech brand does not a secure platform make. Amazon is inevitably gonna get hit again someday precisely because they're Amazon.

Whether or not they could theoretically provide a more secure service has no bearing on the monopoly argument because the moment that we accept companies completely destroying fundamental tenets of capitalism (i.e. not controlling a market) because they can do it better is the moment that capitalism truly begins to die. Amazon shouldn't have the power to control the ecommerce market regardless of their security, and the fact that there are people out there willing to make this trade-off kinda scares me.

It's also not that hard to replace a credit card since the industry has been regulated to cooperate with consumers on fraudulent claims. As another user mentioned, password managers help here too.

0: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds...

> Aspects of Amazon's businesses have been breached in the past

What a vague condemnation. And is your post about security on its merits (examples of breaches please, unless you mean improperly configured S3 buckets)? Or is it just unrelated anti monopoly concerns?

They may have insider knowledge they ought not make public but can make vague remarks so as to not make things uncomfortable for parties involved.
If only there was a tool that you could enter search terms for and get results from :)

Black Friday 2018, names and emails leaked: https://www.theguardian.com/technology/2018/nov/21/amazon-hi...

Amazon Kindle 2016, 80K names, emails, IP addresses, etc. Worth noting that Amazon has denied that this was a legit breach: https://www.mic.com/articles/148207/a-hacker-claims-to-have-...

Zappos (Amazon subsidiary) names, emails, billing info on 24M users leaked: https://www.zdnet.com/article/amazons-zappos-in-massive-data...

Whole Foods (Amazon subsidiary), credit card data breach: https://media.wholefoodsmarket.com/news/whole-foods-market-p...

Your argument doesn't make sense. You admit that even Amazon, who makes a living in providing sophisticated technology, is not perfect when it comes to security. How does that help the argument that my data would be safer split across tons of non-technical providers? How does wanting digital security kill capitalism? What does capitalism have to do with the market of a Socialist country?
The fact that you think they’ll keep your password safe is a terrible reason to support a monopoly that is bad for society in so many other ways. But hey, it’s more convenient I guess.
They didn't say anything about passwords. This was credit cards and address information. An online retailer breach could be purchase history on top of that.
>I have to keep tabs on the shenanigans of even more, highly technically incompetent, companies to know if I've been compromised.

But why not just assume that your data has already been compromised? It has.

What could you even do with that information? How do you respond when you find out that your data has been leaked?

The point is a technological solution isn’t viable when societies norms and laws allow it to go unpunished.

You’re barking up the wrong tree trying to engineer a solution before society changes laws that would hold the power brokers accountable.

Push aside your keyboard and get out there advocating for legal accountability.

At the same time, those of us around today have been leaked. I’ve been in tech since the 80s, data tapes went missing all the time. One breach in the 90s resulted in tapes showing up in Russia.

Change the laws. Cause there is no stopping it from a tech perspective.

You’re not needing re-sensitizing. You’re needing to think of the problem outside the context of technical solutions.

I didn't anywhere in my comment say this was a purely technical issue, or that I was advocating a purely technical solution, or that the societal side does or does not need to change, or really anything that you mentioned.

I said I'm apathetic because this happens too much, and that it is a problem. Where you assumed all the other stuff about me, I'm not sure.

I think it's worth mentioning that GDPR was basically exactly this.

They're putting in systematic regulations to ensure that data isn't arbitrarily kept, it must be secure and the regulations have teeth. It's really well thought out - minimize the number of companies that have your data, minimize the data they have, minimize how long they can hold it for and hold them repsonsible for keeping it safe.

Yet, when these regulations were actually bought in, you can see especially on this forum, that people were incredibly sceptical. So whilst you might think that we need to be sensitive to private personal data, it seems like people disagree when it comes to actually implementing that.

I don't think people are skeptical so much as they are aspiring data abusers. They're taking the corporate side over users, over their friends and family.
> I think it's worth mentioning that GDPR was basically exactly this.

There is very little the GDPR would have done to prevent this.

The data was legitimatly collected from customers. It was leaked because of badly configured server or firewall. The company is no longer in business so no fines (or minimal fines) would be paid.

Your argument only makes sense because MoviePass is now gone, but MoviePass didn't design their technology stack planning to go bankrupt. GDPR would've required them to take more reasonable precautions with the storage of private info - knowing that if they failed they could be fined even if they didn't go bankrupt for other reasons.
With the billions of records breached this year alone, I'm feeling quite apathetic to these stories now.

My theory is that the lack of punishment is intentional for just such a purpose, in a collusion between government and industry to milk all of us for free data about every aspect of our lives, from the past into the future. They're just going to take it.

You see, people won't demand privacy protections enshrined in law if they simply don't give a shit anymore. Companies don't incur liability, people get some free "credit monitoring" service that should be provided by default.

None of this does anything about the leaked data being used to market to you, manipulate your votes, or worse. Then, at the end of the day Facebook et al doesn't have to worry about their contributory privacy violations at all. If you don't want your private messages sold (rented) to every spammer on Earth, what are you gonna do about it? What's the business case for caring on their part?

There's no accountability. Executives never see jailtime for gross negligence. They just push profits at the sake of all else, and don't give a shit about the PII of their users.
unfortunately this is just becoming the norm and companies aren't held accountable for losing data. every account i make now is with a catchall domain and a randomly generated password
This helps but I am still wishing that the Final credit card would have survived because it allowed you to generate new card numbers per each vendor AND set hard limits on transactions per month, one time use, etc etc.

edit: still doesn't solve the issues with the other personal identity problems that comes with all of this... I just want an anonymous payment method. Is that so hard? I don't want any business to ever know who I am.

Privacy.com might offer close to what you're describing.
Thank you, this looks promising. It does require bank account access because it's basically a proxy debit card, but it's better than nothing.
> It does require bank account access because it's basically a proxy debit card, but it's better than nothing.

I would be wary of any service which requires this level of access to your finances. If the offering is determined worth it, at least set up a separate account with your bank which is not "linked" to any others and transfer into it as needed via standard banking mechanisms.

> unfortunately this is just becoming the norm and companies aren't held accountable for losing data

How would a company be held accountable for losing data? Fining them? Paying out to users?

Fining a company for gross negligence of assets they are entrusted with seems like a fair path to explore for starters.
It seems like you would have to prove it is gross negligence though. It's not their fault if they lost a database to a 0day or if they were otherwise doing everything reasonably correctly.
Well... Yes. That is how it usually works.

You prove gross negligence, they pay a fine. They prove that they were doing everything reasonably in their power, they don't pay a fine.

>It seems like you would have to prove it is gross negligence though.

Storing PAN's in clear text is a violation of many, if not all, payment networks, be it done by a Merchant or any intermediary. The citation I will show below is MasterCard specific, but should not be considered restricted to that network.

> It's not their fault if they lost a database to a 0day or if they were otherwise doing everything reasonably correctly.

Actually, it very well can be. And, in this case, it almost certainly is the Merchant's liability (fault) due to not adhering to security standards. For reference regarding same, see the MasterCard "Security Rules and Procedures" document's "Chapter 10 Account Data Protection Standards and Programs"[0].

0 - https://www.mastercard.us/content/dam/mccom/en-us/documents/...

>Fining them? Paying out to users?

...Yes? With the caveat of an investigation and a ruling of negligence... by someone.

Pass a law that says every lost user account is an X dollar fine based on data "richness" that can't be discharged in bankruptcy. For simplicity, let's say $10 in this case. 160 million lost accounts is now a 1.6 billion dollar fine. That is enough to cripple a lot of companies. It would make people think long and hard about what data they wanted to keep and how they wanted to secure it.

Alternatively, create a situation where companies are responsible in perpetuity for damages related to identity theft if a victim's credentials are lost. If company X loses my SSN and then someone opens up a fake account in my name, they are automatically responsible for any costs I incur and I don't have to prove attribution.

The purpose should be to heavily, heavily disincentivize any storage of basic data or PII unless absolutely necessary.

Yes, that would also make it really easy for individuals/corporations/state actors/etc. to destroy companies: secretly employ security researchers that compromise your target's database and bam, you've just crippled/ruined them.

China tired of US putting pressure on Huawei? Bam, start targeting American companies and totally financially ruin them using their own privacy laws/fines against them!

Disgruntled suicidal employee has a grudge? Take down the whole company on your way out with that backdoor time bomb you planted and let the $1.6B fine do the rest!

You know that there are other industries that have heavy regulatory fines like this, right? The existence of a software culture where a single rogue employee can easily destroy the privacy of hundreds of millions of people is itself a huge part of the security problem. If there were actual consequences for this kind of thing there would be a lot of changes to software development practices. I'm not saying that culture alone will make code perfectly secure, but I do think caring about the code being secure (in the sense that the company will face deep financial and legal trouble if it isn't) is a necessary prerequisite. Arguably, it's the only thing that works.

You may argue that you can't just buy absence of security bugs with money and a different culture, but there are plenty of formal verification tools out there, and they are not all toys. True, verified code is expensive compared to writing "normal" software, which is developed using the same best practices" that lead to a data breach being announced seemingly every other day. But it is quite cost-competitive with "high assurance" software (i.e. software developed when people face real consequences for the existence of bugs) and the techniques have been used to secure a number of nontrivial real systems by now. I have absolutely no doubt (as someone who's in the field) that we would see a huge boost to the state of the art in that field if there were actual money in it, especially considering how much of the current difficulty with using formal verification comes down to the lack of user-friendly tooling.

But, to reiterate, my larger argument isn't really about formal verification; I'm mostly bringing it up to refute the argument that the existence of bugs is something totally outside of any company's control. Ultimately companies are currently choosing not to pay to make their code secure, and it's not hard to see why given the current legal climate of "there are no consequences whatsoever." Ideally, the first step towards fixing this would be for the software development community at large to acknowledge that it is, actually, a choice, but frankly I don't see things happening that way. If a move towards not just safer, but genuinely bug-free (or at least, bug-free outside of hitherto undiscovered exotic side channels) software is going to happen at all, it'll be because a large government drags its country's unwilling programmers and CEOs in that direction.

That assumes the company is worth something, this company is worthless, fining them a billion dollars is useless.
There has to be a finding of gross negligence. Shit is going to happen even if a company does it's best and follows all of the best practices. Under your rules and OS zero day, which the company has zero control over, could ruin them. A single employee fooled by an email could do the same. It's far too simplistic and heavy handed. Also, not all data is equal. For example, if someone gets my HN creds I really don't care. My bank on the other hand...
Flay the directors and steep them in brine.

I can dream.

I thought MoviePass was already deep in the red. What incentive do they or any company have to protect their data if they are imminently going bankrupt? I'm guessing cybersecurity is not their most pressing concern, although maybe it is now.
Their customer database was probably the only asset of value they had.
The customers of that data were, and still are, other legitimate businesses. The security breach doesn't change that, so no reason to protect the database.
Is a list of people who like to pay less than face value for movie tickets valuable?
Yes. It's a list of price-sensitive consumers who historically respond well to perceived discounting.

General rule of thumb for spam email is 0.1% conv rate, so if you blasted this leak list then you'd have 150K sign ups.

What’s the marginal value of this kind of list though? Call me cynical but I would assume data of a similar type and quality is already readily available
None really. Keep in mind any list dumps you can easily find online have already been pillaged thoroughly.

There is an entire data broker industry that relies on selling lead/contact information, so if anything there is a value savings on the hack. I've seen high quality contact (and assoc. company) data sell anywhere from $3 to $120.

I also thought they went out of business already. Their parent company Helios and Matheson is a horrific penny stock ($0.0018) traded over the counter pink sheets.
I'm sure this was written/designed back when they were in the startup/growth phase and not going bankrupt. This is the cowboy startup attitude at fault and demonstrates why we should be wary of similar companies.
Why are they storing credit card numbers in a database in the first place? This should fall under PCI-DSS if so.
So ... twenty years of free credit monitoring, then?
We need a GDPR equivalent in the US. That's the only way this will change.
No thanks. Thats a solution worse than the problem.
It wasn’t 161m customers that were exposed, it was 0.058m

Pretty big difference to what the headline implies

Headline is accurate. 161M records were in the database. They have evidence that at least 60,000 of the records accessed had credit card data attached.

>161 million records was left unsecured and _exposed credit card and customer card information on at least 60,000 of the ticket service’s customers_.

If I want a trip down memory lane, I can just check the data breach section of CreditKarma and see a chronological history of all of my passwords from the last 25 years.

At this point, I'd join a social network that matched me with all of the people around the world that also used the same "clever, obscure" passwords.

You think exposure like that is bad, you must see this:

Soros funded child rape ring protected by Trump for $4 billion bribe, Pelosi $3b. Participants include Obama, Schumer, Cuomo, Buttgieg, DeBlasio, Theil, Dorsey, Bill Murray. Over 60+ deaths from rapes, billions in payoffs. Listen to them do it here:

BE SURE TO Listen! to previously unprocessed footage now available [Soros, 0bama child rapes 15Jan 4-6am], Obama around 524: "Why is there so much blood? Someone get me something to clean the blood off my dick..."

*note: -> groups of links are multiple ways to get the same file ->

15JanCh3_347-528.avi https://drive.google.com/file/d/1Q8YeDzghf95FQrxBaMpXK4b-SfJ... https://mega.nz/#!bTQwDQDA!jolSOqGR2Zomhtn7zIG0lGmqXSqe3KG1m...

15JanCh3_528-545.avi https://drive.google.com/file/d/1DavyRFWTRv4_teHYewpQMwMCq6L... https://mega.nz/#!DfBywKKR!llMUzB8DLM2Rcvm0QkOKdiE3PpCY5YeR3...

15JanCh4_400-600.avi https://drive.google.com/file/d/1DavnBCyhq_JRmST2QH5qlojUE6d... https://mega.nz/#!faZggSja!yF_QOcodvYXwk7qEO1N8eSaV90ZWUUaS1...

See pgs 18-23,8,11,12,35,45,61,62, and update list at end of doc.. Having trouble getting traction. Getting censored/banned. Billions in bribes paid to Trump, Pelosi, Schumer, Harris to enable a Soros funded child raping ring to operate in the USA. Please listen to the links below. Turn up the volume and put headphones on. You will hear these people, and many other high profile people, incriminate themselves in unbelievable fashion. Full 80 page document [update 20Aug] filled with red handed evidence like this at the bottom.

Go to pages 18 through 23 of this document and you will hear Dorsey and Thiel raping children. You will hear their screams. They both rape and kill three. Also at the "rape party" of note: Bill DeBlasio, Andrew Cuomo, Bill Murray, Peter Buttgieg, George Soros, Barack Obama.

Please copy and paste this post and repost it, or save it for later because it will likely get removed sooner or later. I keep getting censored by these people.

Bill DeBlasio's turn starts at 2100: https://mega.nz/#!OCJwQSBC!AlER6vRRTKS8yvSxnVwAl3ha3kGDLqoou...

Andrew Cuomo's starts at 2200: https://mega.nz/#!qKZChABY!zy-2jIHqEg4gWHNbiEym-YBdSs5Y9qzT2...

Both files in one here: 14JanCh3_2100-2300.avi https://drive.google.com/file/d/1yolCgVtY5b8d8YDcshwb-Yd3kS0...

Peter Thiel starts at 100, Jack Dorsey at 130 each raping and killing three boys. Turn the volume all the way up and put head phones on.

    https://s3.wasabisys.com/conv1/Overnight_14-17Jan/15JanCh3_100-200.avi
    https://drive.google.com/file/d/1mzZrjobxhNIEf38M3xk-IeA5SeF4aUtB/view?usp=sharing
    https://meg...
As usual, I want to ask: what are your favourite resources for security? These breaches seem like a good opportunity to share knowledge.

I like the OWASP content. Google Gruyere is also really nice for xss imho

In what scenario, a system without a db password could possibly be designed for new startups?