68 comments

[ 3.7 ms ] story [ 125 ms ] thread
Google trolling competitors?
That's quite scary. I wonder if something like this is possible at Google or Microsoft or Yahoo. Even if multiple people need to approve that kind of access, it must be possible to socially overcome those barriers (via influence, bribery, etc.) if the right actors can be identified. It would be preferable to have control over this from the user-side.
This is the idea of local-first software[0]. Imagine you owning your own database and the only thing you get when you go to a website is the software and none of the data (it accesses your database instead). Projects like Textile[1] are building out tools that could help with that sort of project. I really hope it takes off, the cloud sort of freaks me out.

[0] https://www.inkandswitch.com/local-first.html

[1] http://textile.io/

So the core problem is that when something is running on someone else's server, you can't even verify what they're running.

E2E encryption avoids that by not trusting whatever is running on the servers Local DBs avoid that by not giving up local data.

However, it would be quite interesting to have a way to remotely know that a certain service is running the code you think it's running.

> it would be quite interesting to have a way to remotely know that a certain service is running the code you think it's running.

It sure would, and it would be a hell of a discovery if someone could come up with it. Because I sure can't think of a way that I can't easily debunk.

Intel has done some work on this front that can hypothetically be used this way, but I wouldn't say it's practical, for various reasons.
You mean like intel TXT remote attestation?
The trick here would be integrating that to play nicely with load balancers, REST-style APIs, and reducing overhead from establishing yet another secure connection.
Related: Solid Project

- HN discussion: https://news.ycombinator.com/item?id=25989698

- A great article about the project: https://ruben.verborgh.org/blog/2020/12/07/a-data-ecosystem-...

Slightly related, we're working with a similar philosophy. As a machine learning consultancy that has done many learning projects for enterprise, we're building our machine learning operations, "MLOps", platform (https://iko.ai) to simplify our work. However, what we're doing is working from the architecture level to have as little and preferrably no sensitive information on our service. We're architecting it so that you give us specific access to deploy on your cluster, and everything happens there: the notebook servers are there, your data is where you choose to put it, your training jobs are there, your experiments are tracked there. Your models are deployed there.

I have a saying that the platform should be able to run on a Raspberry PI.

One of my personal pet peeves working with the team is to be able to disappear without impacting them, and it has become the same with our platform: it must be able to disappear users having to scramble to exfiltrate or export their work or data from our infrastructure, because it simply is not there.

It is. For example, machine learning teams at Microsoft run software that reads all email content on Exchange servers. There are guardrails to make sure the engineers don't gain access to the data themselves, but there are accidental slip ups from time to time, and certainly a motivated engineer can always find a way to peek at the data of any inbox.
Yeah. That could be resolved if the ML teams only had access to the aggregated, anonymized data or the output of the models. And if a privileged access token (for example, the one the model training flow ostensibly uses) is logged as querying specific subsets of the raw data or ferrying it out of band, that should throw an immediate alarm with an audit trail.
(comment deleted)
Not just possible, it happens.

Google: https://gawker.com/5637234/gcreep-google-engineer-stalked-te...

Facebook: https://www.theguardian.com/technology/2018/may/02/facebook-...

The NSA: https://www.reuters.com/article/us-usa-surveillance-watchdog...

These are presumably just the tip of the iceberg of people dumb enough to get caught.

Yahoo historically (for decades) monitors customer support IC staff for application-level access abuse to user account data, and does investigations for misuse. Mgmt. takes that seriously, so the Yandex scenario mentioned in the article wouldn't happen for long.

However, as at all companies, engineers have alternate server-level access to row-level data, otherwise nobody could troubleshoot internal systems. Yahoo is divided into 50+ engineering silos, so that access is very diffused.

So far, so good.

But in the case of Yahoo, the govt. does kernel-level keyword sniffing on email servers. (AFAIK that's unique to Yahoo. Never even heard of that for FAANG.) Yahoo was also pwned for a few years:

https://www.theregister.com/2018/04/24/yahoo_fined_35m/

https://www.theregister.com/2016/10/04/yahoo_was_nsa_stooge/

Source: worked there.

That Google link is from 2010. Access controls at Google are much stricter now.
Did you even read the article about Facebook? Some dude got fired over a screenshot of a out-of-context lame joke text message. It was a weak allegation
I hope the HN crowd doesn't write this off because it's Russia - employee abuse of customer data is all too common in tech:

- Google Engineer Stalked Teens, Spied on Chats: https://gawker.com/5637234/gcreep-google-engineer-stalked-te...

- Lyft Investigates Allegation That Employees Abused Customer Data: https://www.theinformation.com/articles/lyft-investigates-al...

- Uber Employees Allegedly Use Data to Stalk Exes, Celebs: https://www.newser.com/story/235409/lawsuit-uber-employees-u...

- Facebook Investigating Claim That Employee Used 'Privileged Access' to Cyber-Stalk Women: https://gizmodo.com/facebook-investigating-claim-that-employ...

- Snapchat Employees Abused Data Access to Spy on Users: https://www.vice.com/en_us/article/xwnva7/snapchat-employees...

- Yahoo Engineer Used Insider Access to Get Private Photos of Women: https://www.vice.com/en_asia/article/59nwyk/yahoo-engineer-u...

Most occurrences likely never even make it into the news.

It's a real big problem. Employees from our version of the cdc (ggd) were caught selling peoples data who were tested positive for covid. including social security numbers.

https://www.rtlnieuws.nl/nieuws/nederland/artikel/5210644/ha...

Who would be buying this info? Are Dutch insurers allowed to procure such information?
If you have a name, phone number and BSN (Dutch SSN) you can easily do lage-scale identity fraud
Can you? I don't have any Dutch examples of that, but seeing the high prices the information sells for, I guess I'm missing something.
Also, plenty of employees in car dealerships and finance companies in the US sell access to credit reports (i.e. they make a new credit report search on demand, not a previously stolen one). Just go to any of the darkweb markets and you'll find them there, with a lot of glowing "reviews".

If the money is there, and it can be done anonymously, people will keep doing it.

Which should be __SCORCHINGLY__ illegal because too many credit report requests can actually affect your credit score.
Yandex is not russian. It is developed by a company in switzerland and primarily targets the russian market.
Yandex is a company registered at the Netherlands, 99% of the company's developers are located in Russia. So, technically Yandex is Russian.
What, you're joking surely? Yandex was founded by three Russians and the HQ is in Moscow, and they obviously target the Russian market. If Yandex is not Russian, what is?

Like saying Google is Irish because they have some center there for the EU business. Google is surely a US-based company.

Sergey Brin is from Russia. He only co-founded Google...
From their wikipedia page [0]:

>Yandex is a Russian Dutch-domiciled multinational corporation providing Internet-related products and services, including transportation, search and information services, eCommerce, navigation, mobile applications, and online advertising.

>The firm is registered in Schiphol, the Netherlands as a naamloze vennootschap (Dutch public limited company), but the company founders and most of the team members are located in Russia.

So yes, technically the company is registered outside of Russia (Netherlands, not Switzerland like you claimed), but their HQ and heavy majority of their workforce and the founders are located in Moscow. I would definitely count it as a Russian company.

0. https://en.wikipedia.org/wiki/Yandex

It's also a service whose users are mostly in Russia and neighboring countries. The country selector on their .com home page links to localized sites for Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Turkey -- neither Switzerlands nor the Netherlands are an option.
And it was banned in Ukraine for being a national threat (which, as a Ukrainian, I fully support). Should also be a hint
Sadly that you are supporting the censorship of yourself. Especially about banning Yandex whose maps showed Crimea as Ukrainian's for any visitor with Ukrainian IP.
While I am, overall, fully with you on censorship and don't think it is acceptable, this specific case is a bit different.

It is one thing to censor something due to a hypothetical possibility of a threat or due to some "dangerous ideas". But it is another thing to censor a tech giant from an authoritarian country (with the government of which that said tech giant is almost definitely collaborating) that is literally physically invading your borders by force and taking your territory using shady tactics and excuses ("these are not our soldiers, they are just some unmarked militia that has access to our top tier weaponry... oh wait, jk, we lied, it was our troops all along").

Especially given the fact that tech giants in Russia are all, pretty much, under a thumb of the government. Just check up on what happened to Pavel Durov (the Telegram guy, previously known for creating another russian tech giant VK.com aka russian version of FB), he ended up having to give up his company and flee the country, because he didn't collaborate with the regime readily.

And no, I am not a russophobe, I grew up in Russia myself, and I am not the kind to fall for the "every hack is now attributed to russian government-funded hackers" hysteria that seems to have polluted mass media in the west recently. Which is why, imo, it is important to emphasize when the real threats happen and address them, just like Ukraine did with the Yandex ban.

I find it funny when companies are registered in Schiphol.

It means they can literally run their mandatory board meetings in the transit lounge at the airport.

Ferrari has a similar structure at Schiphol, but I think it’s also because Italy has a “speculator tax” on stock transactions, so they just register elsewhere.

"I hope the HN crowd doesn't write this off because it's Russia"

Sorta. I worked next to them in Burlingame, CA.

Not saying it does not occur in tech in general, but there is a difference in scale between selling the data and abusing it for personal reasons. The examples you provided are exclusively the latter.

The mentioned employee sold access to 4,887 email accounts.

Not sure if this would make anyone feel better or worse, but you can find these kinds of examples everywhere. Abuse of position, often with results way, way worse than a hacked account, is extremely common in every single industry. We're all human, after all.
I don't want to speak to the other companies, but that Google link is over a decade old.

They absolutely have very strict access control now — it would be 100% impossible for a Google employee to do this nowdays.

Your employer is very possibly doing it to you and other employees as well, and it's perfectly legal for them to do it. I keep any work-issued equipment I have at home powered off if I'm not actually working.
In many places in the world, they can't. In Europe, the matter of employers monitoring employees is highly regulated.
never thought of this level of paranoia!

you think they would record audio/video, or just log the keystrokes?

I’m aware of at least one case of a school installing software that allowed them to remotely access the webcams of students, and they admitted to using the software on 40+ occasions. I wouldn’t be surprised if this practice existed in the corporate world as well.
There was the Robbins v. Lower Merion School District case, where a student sued after being disciplined for "taking drugs" in his bedroom (it was actually candy).

They'd remotely activated the webcam on his school-issued laptop. And, frankly, spying on a teenage boy in his bedroom, they're lucky they didn't face felony charges.

I know of a fairly large employer in the pharmaceutical space that installs spyware on company computers that employees take home, and uses that spyware to keep tabs on what websites were visited on the machines. They made decisions to fire certain employees based on it, too.
Earlier today: "I saw you spun up an Ubuntu instance on Azure...". (I'm not super paranoid but I find the timing funny).
Best approach to data is that if it can't be seen or read (through any means) then that data can't be abused or misused.

This is why end-to-end encryption should be a first choice for pretty much everything.

I'm pretty sure unless the system is based on minimum-privilege strict audit (with audit logs regularly reviewed by a dedicated inspector team) - which I never ever seen happening anywhere - somebody out of lots of people that have access will be tempted.

And the reason why most of "unicorns" likely do not have strict audit system for PI is because it costs many $$$$ but brings exactly $0 in revenue. And until it becomes many $$$$ in potential lawsuit liability exposure, it will continue so, because nobody would invest serious effort in something that is only hurting the bottom line.

The Facebook allegation looks incredibly weak. I’m not trying to defend anyone here, but it sounds like the employee was canned over a cringey bad joke text to a tinder date.

Was there any actual evidence of wrongdoing? All I’m seeing is a screenshot of a text message circulating on the Twitter outrage circuit.

> Yandex officials also said they re-secured the compromised accounts and blocked what appeared to be unauthorized logins. They are now asking impacted account owners to change their passwords.

I’m curious how access was provided to these sold accounts. The password change implies the passwords were shared and that means plan text password were available to admins!?

I'm not sure why you were downvoted - I vouched for your comment to bring it back (in fact, looking at your comment history it looks like almost all of your comments are dead).

I think you're right though--it does seem like they must have sold the passwords themselves. It's interesting to think about how you would sell access to an account if you wanted to.

Depending on your level of access, I can think of many ways.

You can do a "takeout" of all data in the account and sell that. Or it can be anything that is requested, like a dump of all the private messages.

You can change the password of the account, possibly at a time like 3am at the user's local time so they're less likely to be using the account, then change it back at say 5am. This requires DB access.

You can find the user's session token/id if they're logged in somewhere and sell that.

All 3 ways make sense. The dump and session token ways look cleaner from Yandex employees’ perspective. Although, none of the three should require a password change for the compromised user account. At no point, users password or hash of the password gets shared.
As long as it's possible to do this and there aren't serious high-level repercussions for it, it will keep happening. This is why people flock to e2e systems, because we don't trust corporations or governments to protect us.
The sad part is, most e2e aren't true e2e. Even if they are, they often backup everything in a central location like Whatsapp/ which put everything in your Google account without any additional crypto layers, making it all accessible with a subpeona or prism to any law enforcement agency.

Edit: Removed Signal as an example.

Signal only backs up messages on Android - and requires a thirty digit key to be provided to save/restore. Is this not the encryption key then?
> they often backup everything in a central location like Whatsapp/Telegram/Signal which put everything in your Google account without any additional crypto layers

I don't know about the others but I don't think Signal does this. Signal offers the user the ability to backup their messages, and lets them password protect them, but the way you've written this implies Signal is uploading messages to Google of its own volition, unencrypted, which afaik is not the case.

(comment deleted)
> As long as it's possible to do this … it will keep happening.

FTFY. The only solution is for the information never to exist in the first place, never centralized, never even collected.

Decentralization is probably the (old) new geek frontier, the way the internet used to be. I doubt it'll ever be mainstream, because the network effects, business incentives, and markets just aren't there--there'll never be a successful decentralized Spotify. But that's a feature; I don't want that stuff to go mainstream because that's how you get Slack instead of IRC (etc. etc.)
(comment deleted)
As usual, the site can't be bothered to link to the first-hand announcement. Which is absolutely a ‘dark pattern’, and half of news sites that are generally considered alright, still feel the need to do this.

https://yandex.com/company/press_center/press_releases/2021/...

Or in Russian: https://yandex.ru/company/press_releases/2021/2021-02-12

It's not "can't be bothered", implying low effort. It's very intentional SEO. Linking to the source unweights their own reporting.

And it isn't a dark pattern. Dark patterns are https://www.darkpatterns.org/types-of-dark-pattern type of things. Or, the typical cookie consent box. This is just tragedy of the commons.