As I understand GDPR, auth is a totally valid reason to retain phone number PII, and Twitter's waivers for monetization probably hold water. However, that's only the right-to-forget part of the equation; EU resident PII protection is the component that would create a significant liability here.

Aug 23, 2022 19:19

Potato Salad posted: as I understand GDPR, auth is a totally valid reason to retain phone number PII, and Twitter's waivers for monetization probably hold water.

Acquiring phone numbers is fine as long as they are used ONLY for the reasons the user consented to. Twitter asks users for them for account access, MFA and recovery purposes. If their employees accessed the numbers for anything but the original consent purposes, the realm of violence they are getting into will make Hellraiser look like Heidi.

Aug 23, 2022 19:39
BonHair posted: Sounds like everyone in Twitter IT had access to change tweets by anyone.

Aug 23, 2022 19:48

Turns out the whole platform runs on top of an open-source release of BlackBerry Messenger

Aug 23, 2022 20:00

The relevant issue for GDPR is that this could negatively impact the lives of the users in a way they didn't consent to. If there's a risk of users getting their life ruined, that's a huge fine basically. And I'd say subtly editing pedophilia into your posts could do that...

Aug 23, 2022 20:05

BonHair posted: The relevant issue for GDPR is that this could negatively impact the lives of the users in a way they didn't consent to. If there's a risk of users getting their life ruined, that's a huge fine basically. And I'd say subtly editing pedophilia into your posts could do that...

Slander via post editing is not covered by GDPR. Having the user mobile numbers easily accessible and possible to ship to a third party is.

Aug 23, 2022 20:25

https://twitter.com/chrisrohlf/status/1562152113190354946

Aug 23, 2022 20:28

If Twitter stores any EU user's personal data in the USA, or gives access to any EU user's PII to anyone in the USA, they're noncompliant with GDPR anyhow.

Aug 23, 2022 20:31

Rust Martialis posted:If Twitter stores any EU user's personal data in the USA, or gives access to any EU user's PII to anyone in the USA, they're noncompliant with GDPR anyhow.

Aug 23, 2022 20:51

Diva Cupcake posted: Ehhh. That's lots of SaaS solutions. Most of them are now using standard contractual clauses and transfer impact assessments to fulfill their "due care" in light of Schrems 2 and just hoping for the best.

Oh, yeah, agreed, but it's building on shaky ground with the hope the EU folds on privacy, because the USA simply utterly fails the equivalent protection requirement.

Ed: obviously you can magic a solution where all data stored in SaaS is encrypted before it leaves your control and you keep the keys. Also it's not like Azure is *cheap*.

Rust Martialis fucked around with this message at 21:13 on Aug 23, 2022

Aug 23, 2022 21:10

Yes yes yes this is all well and good but how does this affect Elon Musk

Aug 23, 2022 21:17

Hopefully it damages both of them

Aug 23, 2022 21:31

This could make prosecuting people for, say, inciting a violent insurrection via Twitter posts more difficult. "Prove beyond a reasonable doubt that none of several thousand Twitter employees modified my tweet. Also there are no logs."

Aug 23, 2022 21:33

Ynglaur posted: This could make prosecuting people for, say, inciting a violent insurrection via Twitter posts more difficult. "Prove beyond a reasonable doubt that none of several thousand Twitter employees modified my tweet. Also there are no logs."

You are not going to suggest blockchain for social media posting, are you?

Aug 23, 2022 21:43

SlowBloke posted: You are not going to suggest blockchain for social media posting, are you?

No, just logging in production and a limited ACL. Maybe distinct userids with lots of automated alarms if used for break-glass accounts.

Aug 23, 2022 22:08

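The post above sketches the controls (production logging, a limited ACL, distinct break-glass userids with automated alarms) without showing what the alarms would look like. As an added example, not anything from the thread or from Twitter, here is detection logic in Python that runs over a small constructed JSON-lines audit log and raises alerts for (a) any use of a break-glass account, (b) a privileged action by a userid outside the allowlist for that action, and (c) a privileged action with no change ticket attached. The log format, field names, userids and ACL entries are all assumptions made up for the example.

```python
"""Alerting over a privileged-action audit log (added example, not Twitter tooling).

Assumptions: JSON-lines events with fields actor, action, target, ticket;
the ACL, the break-glass userids and the sample log are all constructed.
"""
import json

# Which userids are allowed to perform each privileged action (constructed ACL).
PRIVILEGED_ACL = {
    "tweet.edit": {"svc-legal-takedown"},
    "account.phone.read": {"svc-sms-mfa"},
}

# Break-glass userids: any use at all is worth a page to on-call.
BREAK_GLASS = {"bg-oncall-1", "bg-oncall-2"}


def evaluate(log_lines):
    """Return a list of alert dicts, in log order, for an iterable of JSON lines."""
    alerts = []
    for lineno, raw in enumerate(log_lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # A pipeline that silently drops garbage is one an insider can hide in.
            alerts.append({"rule": "unparseable_event", "severity": "medium", "line": lineno})
            continue
        actor = ev.get("actor", "")
        action = ev.get("action", "")
        base = {"line": lineno, "actor": actor, "action": action, "target": ev.get("target")}

        if actor in BREAK_GLASS:
            alerts.append({"rule": "break_glass_used", "severity": "high", **base})

        if action in PRIVILEGED_ACL:
            # Break-glass use is already alerted above; anyone else must be on the ACL.
            if actor not in PRIVILEGED_ACL[action] and actor not in BREAK_GLASS:
                alerts.append({"rule": "acl_violation", "severity": "critical", **base})
            if not ev.get("ticket"):
                alerts.append({"rule": "missing_ticket", "severity": "medium", **base})
    return alerts


def summarize(alerts):
    """Rule name -> count, handy for a dashboard or a unit test."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


# Constructed sample log: one clean edit, one rogue edit, one break-glass read,
# one clean read, and one corrupted line.
SAMPLE_LOG = """\
{"actor": "svc-legal-takedown", "action": "tweet.edit", "target": "tweet/1", "ticket": "LEGAL-4411"}
{"actor": "alice", "action": "tweet.edit", "target": "tweet/2"}
{"actor": "bg-oncall-1", "action": "account.phone.read", "target": "user/77", "ticket": "INC-9"}
{"actor": "svc-sms-mfa", "action": "account.phone.read", "target": "user/78", "ticket": "AUTO"}
not json at all
"""

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG.splitlines()):
        print(alert)
    print(summarize(evaluate(SAMPLE_LOG.splitlines())))
```

The rules are deliberately simple: the value is in shipping these events to a system the privileged users themselves cannot write to, so that an ACL violation or break-glass use is recorded somewhere the same employees cannot edit away.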
Ynglaur posted: This could make prosecuting people for, say, inciting a violent insurrection via Twitter posts more difficult. "Prove beyond a reasonable doubt that none of several thousand Twitter employees modified my tweet. Also there are no logs."

Also any logs can be accessed and changed by those same employees.

I think you can technically argue that phone numbers carry a low risk for the users, especially since it's semi-public information. It wouldn't hold up in court, but you could argue it for a while. But on the flipside, I think your opinions, which are expressed on Twitter, count as personal information, including sensitive if you tweeted about sexuality, politics or any of the other sensitive topics. I would argue that it could seriously harm at least public figures if they appeared to be on record as saying they supported pedophilia, or just something more innocent like workers' rights. Think of the backlash of right-wing nutjobs if some well-known influencer was "outed" as being pro-choice. Besides hurting their revenue from Patreon, it could lead to various more or less credible threats and harassment.

Aug 23, 2022 22:32

lol https://twitter.com/alsutton/status/1562140431319810048

Aug 24, 2022 02:33

Holy poo poo. Did they hand out SSL keys to root domains while they were at it?

Aug 24, 2022 03:24

BonHair posted: Also any logs can be accessed and changed by those same employees.

GDPR has been used for phone numbers with success, with rather drastic fines, but NOT for posting stuff. That's slander + hacking, not GDPR. GDPR is a sure-fire way to get their rear end; slander + other stuff is likely a slap on the wrist.

SlowBloke fucked around with this message at 06:17 on Aug 24, 2022

Aug 24, 2022 06:13

I mean, I think the intent here is not to deflect criticism of the organization or the reality of the situation, but to emphasize that it's important we not start publicly hunting down folks who have the misfortune to have Twitter and Security in their bio on LinkedIn this week who are almost certainly prohibited from making any specific statements to defend themselves in the court of public opinion. As we've seen repeatedly in this thread, sometimes your org just does stupid rear end poo poo despite your best efforts and you have to hold on till you either find a better paycheck or you die inside. I agree it shouldn't need to be said, but anecdotally I work in fintech and I've straight up had people message me on LinkedIn when their money wasn't where they expected it to be or something, so I 100% don't trust people to be rational and to understand that "works for" doesn't mean "is solely responsible for every aspect of".

Aug 24, 2022 12:32

looks like plex got popped. they seem to be handling it well though

Aug 24, 2022 14:30

Achmed Jones posted: looks like plex got popped. they seem to be handling it well though

Yeah, just got that email as well.

Aug 24, 2022 14:38

Yup. Now the hackers have my list of futurama episodes

Aug 24, 2022 14:46

I think SANS has a 'how to handle your ransomware incident' course. Like seriously have a communications plan.

Aug 24, 2022 14:51

Rust Martialis posted: I think SANS has a 'how to handle your ransomware incident' course. Like seriously have a communications plan.

Yup, and be transparent. It pays to be transparent and upfront, even if you don't know the full impact yet.

Aug 24, 2022 14:54

CommieGIR posted: Yup, and be transparent. It pays to be transparent and upfront. Even if you don't know the full impact yet.

Yep, if you hide stuff, it's either gonna be super obvious that you're hiding stuff or it's gonna be revealed by someone else. Or both. And you're gonna contradict yourself later. Own up, shut down and start over.

Aug 24, 2022 15:12

I would have liked it if, instead of requiring everyone to log in and change passwords + invalidate logins, it had simply auto-invalidated all logins forcibly.

Aug 24, 2022 19:14

BlankSystemDaemon posted: I would have liked it if, instead of requiring everyone to login and change passwords + invalidate logins, simply auto-invalidated all logins forcibly.

Maybe Plex access tokens won't react if the credentials are the same?

Aug 24, 2022 19:54

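The two posts above turn on whether a password change does anything to tokens that were already issued. In general it does not, unless the server ties token validity to something it can move. As an added example (not Plex's implementation, which the thread does not show), this Python snippet issues HMAC-signed session tokens carrying an issued-at timestamp and keeps a global and a per-user "not before" cutoff. An incident response then kills every outstanding token with one call, whether or not users ever log in and change their password; a single user's password change or "log out everywhere" moves only that user's cutoff. The key, user names and timestamps are constructed for the example.

```python
"""Session tokens with an incident-response 'revoke everything' switch.

Added example, not Plex's code. Key, user names and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-use"  # in production: a secret from your KMS


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Issues signed tokens and decides whether a presented token is still good."""

    def __init__(self):
        self.global_not_before = 0   # tokens issued before this epoch second are dead
        self.user_not_before = {}    # same cutoff, per user

    def issue(self, user: str, issued_at: int) -> str:
        payload = {"sub": user, "iat": issued_at}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def revoke_all(self, now: int) -> None:
        """Incident response: every token issued before `now` stops working."""
        self.global_not_before = max(self.global_not_before, now)

    def revoke_user(self, user: str, now: int) -> None:
        """What a password change or 'log out everywhere' should do for one user."""
        self.user_not_before[user] = max(self.user_not_before.get(user, 0), now)

    def validate(self, token: str):
        """Return the user id if the token is authentic and not revoked, else None."""
        body, sep, sig = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        # compare_digest wants ASCII str or bytes; encode so a tampered sig cannot raise.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None   # forged or tampered
        try:
            payload = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        cutoff = max(self.global_not_before, self.user_not_before.get(payload["sub"], 0))
        # Tokens issued strictly before the cutoff are rejected; issue new ones at a later second.
        if payload["iat"] < cutoff:
            return None
        return payload["sub"]


if __name__ == "__main__":
    store = SessionStore()
    old = store.issue("alice", 1000)
    print("before incident:", store.validate(old))
    store.revoke_all(2000)          # the breach response: no password change needed
    print("after revoke_all:", store.validate(old))
    print("fresh token:", store.validate(store.issue("alice", 2001)))
```

The cutoff lives server-side, so it works even for users who authenticate through a third party (the "I use Google to log in" case) and for clients that would otherwise keep a cached token alive indefinitely.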
BlankSystemDaemon posted: I would have liked it if, instead of requiring everyone to login and change passwords + invalidate logins, simply auto-invalidated all logins forcibly.

I use Google to log into it, and as such this literally required no action from me, apparently.

Aug 25, 2022 05:40

lol https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

Aug 25, 2022 20:46

lol another one

Aug 25, 2022 20:58

FAQ kind of fixates on the wrong thing (intentionally?). If you use a password manager, you should be prepared and semi-comfortable with the idea that someday somebody will get their hands on your encrypted vault. The real risk here with someone getting into their development environment is sneaking something nasty into the software/webpage/browser plugin that then gets pushed to you via auto updates or via the web interface.

Aug 25, 2022 21:02

Rescue Toaster posted: FAQ kind of fixates on the wrong thing (intentionally?). If you use a password manager, you should be prepared and semi-comfortable with the idea that someday somebody will get their hands on your encrypted vault. The real risk here with someone getting into their development environment is sneaking something nasty into the software/webpage/browser plugin that then gets pushed to you via auto updates or via the web interface.

Like the last breach, where they claimed the same thing about no one getting access inside the vaults. Meanwhile a researcher was disclosing to them that the vault can be breached, but let's not tie those events together. It's somewhere in my post history ITT.

Aug 25, 2022 21:39

Wiggly Wayne DDS posted: or the vault not actually being tied to the master password as they led the users to believe and them having a way into it anyway

Oh definitely, I don't consider LastPass trustworthy anyway. Frankly I don't have a lot of confidence in any of the cloud-based password managers that use your master password as the login to the website (all of the big ones). Though I seem to be in the minority about that. This exact scenario is the kind of thing where, oh, somebody got into the build environment and maybe snuck something tiny into the webpage JS for a couple months... there go all your master passwords.

Aug 25, 2022 22:55

https://dawnproject.com/

Gotta love that tagline

Cup Runneth Over fucked around with this message at 03:41 on Aug 26, 2022

Aug 26, 2022 03:23

Cup Runneth Over posted: https://dawnproject.com/

quote: If you have been able to produce software that never fails and can't be hacked for the last 25 years why aren't you a billionaire? I am a billionaire, but my software has been mainly used by the military, and I have kept a low profile until now.

Wtf

Aug 26, 2022 05:02

quote: So why are you now working on stopping cyberattacks on our infrastructure?

I wanna be this guy's friend. Or maybe we're internet friends already; I'm like 85% sure he posts in YOSPOS.

Aug 26, 2022 05:28

Re LastPass... I have a meeting about it in a couple of hours. We have a small department that uses it. I plan to say: you do not need to change your passwords, and this was not An Incident on us (my company) at this point. However we should explore getting some other password management solution in the future that isn't lastpass because their reputation is just totally hosed at this point IMO. Is this a good message? The main thing is I think someone in the meeting will suggest "let's change all the passwords" and I want to know if there's ANY reason to do that, because it doesn't sound like it.

Aug 26, 2022 12:58

No it is not. If they're not trusted enough to remain your password solution after this incident, how can you trust the PWs are secure?

Aug 26, 2022 13:04

Good question. I think the reason is, while I don't think our password db is compromised RIGHT NOW, the source code compromise could lead to bigger risks in the future, as someone mentioned earlier in the thread. But maybe I'm thinking about this completely wrong. Do you think the users should change all their passwords stored in LastPass? What's the best advice to give to current LastPass customers?

Aug 26, 2022 13:14