29 comments

[ 2.6 ms ] story [ 67.0 ms ] thread
No doubt the same "intruder" who hacked the Office of Personnel Management a few years ago.
From the article:

"Security is Clearview's top priority," he said in a statement provided to The Daily Beast. "Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security."

Servers never accessed? Then how was the client list stolen? Was a paper copy stolen from a filing cabinet? I find this posture somewhat arrogant and dismissive. Also, the article is light on technical details- does anyone have info on what flaw was exploited and patched?

I agree -- the language is just so vague, but getting the client list and not accessing the server seems to be either obfuscation or a cloud service was also hacked.
Could the "intruder" have been Joe from sales who came back the night he was laid off using his secondary keycard, which IT hadn't quite gotten around to deactivating yet, and grabbed his old rolodex?
I've been at several places where this happened.

I was at a large web dev company where an employee put in his two week notice, then was able to access several of the companies servers and exfiltrate nearly every app or web site they had built in the last two years.

Rumor had it he was using the code to start a dev company on his own and this was the "seed" code that would help him get up and running much faster. AFAIK nothing ever happened to him legally.

I worked for a hedge fund where a quant dev emailed to his gmail a copy of the source for the quant models. He was sued in federal court 4 hours before he was terminated. Criminal charges came around 2-3 months later, IIRC. Once he realized he was fucked, he tried dumping his hard drives in a river. Yes, police diving squad was involved.

Dumbass didn't realize that all SSL traffic was being MITM'd. I never sent any sensitive over personal email from work, being well aware of the practices (also helps to have friends in compliance).

It's always the dumb ones that get caught?
Doesn't the browser display a warning in the case of SSL MITM?
Not if the browser has been specifically given the cert. It is typical on corporate networks send all HTTP traffic to a router that acts on behalf of the outside world. If your browser (and browsers these days relying on OS installed certs) has a cert validating the router, it will be legitimate: you have a valid cert for the router you're talking to.

The trick is to use a piece of software that doesn't use your system's certs but has it's own built in, like run Linux in a VM and use that browser. That way, you'll see the MitM attack.

Hopefully it's a whistleblower. Shaming specific police departments and causing a local political issue is a good way to prevent its adoption.
I wonder if the key word is "our" servers. I wonder if they had a weak password on some associated account (accounting software or something).
"data breaches are part of life" is a fun new take. I hadn't seen it before, but now I imagine all such communications will include this sentiment in some form. Man, we really have rolled over on this issue.
>Unfortunately, data breaches are part of life in the 21st century.

They are not. Just don't collect the data in the first place.

21st century tech companies: "If we fuck up, too bad for you." All the profits, none of the responsibility.
That’s the whole idea behind the term “identity theft”. They are too cheap to set up proper systems so let’s just move the problem to the customer.
The proper title is, of course, "identity fraud" or "bank fraud" at a bank, where the fault is on the part of the bank to prove that you are you, not on the consumer to "protect" their information that someone else lost.
I agree that this behaviour should not be 'normalized' ever, its not acceptable.

I find it hard to justify that companies should not collect any data.. It should just be the minimum required. Such as GDPR attempts.

It's so frustrating that there is no recourse usually. Organising class action suits just takes too long to co-ordinate in a timely fasion that would point a larger spotlight on security.

World's smallest fiddle. I hope they get the ever living snot sued out of them so they understand they can't throw security to the four winds and just swim around in their profits. They were reckless and irresponsible in assembling that data and I have no doubt they were reckless and irresponsible in storing it.
Agreed. Maybe if the company wasn't doing the things they were doing they wouldn't have been targeted. I have about as much sympathy for them as I do for Hacking Team, FinFisher, et al after their respective breaches.
> “Security is Clearview’s top priority,”

Clearly...

"Everything in JIRA is the default 'medium'."
I apologise for a low value comment, but I can't resist the opportunity:

Did Clearview get a picture of the 'intruder'?

some earlier discussion:

>The firm drew national attention when The New York Times ran a front-page story about its work with law-enforcement agencies. The Times reported that the company scraped 3 billion images from the internet, including from Facebook, YouTube, and Venmo. That process violated Facebook’s terms of service, according to the paper. It also created a resource that drew the attention of hundreds of law-enforcement agencies, including the FBI and the Department of Homeland Security, according to that report. In a follow-up story, the Times reported that law-enforcement officials have used the tools to identify children who are victims of sexual abuse. One anonymous Canadian law-enforcement official told the paper that Clearview was “the biggest breakthrough in the last decade” for investigations of those crimes.

https://news.ycombinator.com/item?id=22424828

https://news.ycombinator.com/item?id=22426599

I know not popular, but set your email and other retention periods to a relatively short time frame - even a year or two drops tons of sensitive data off. Flag important or file elsewhere for stuff you want to keep.
This is often not legal. For example, Sarbanes Oxley requires seven years retention for public companies in the US[0]. Depending on industry it can be higher; I believe some financial segments are required to retain email indefinitely.

[0]: https://www.sec.gov/rules/final/33-8180.htm