• 11 Posts
  • 150 Comments
Joined 1 year ago
cake
Cake day: June 9th, 2023

help-circle











  • Hier mal ein paar mehr mögliche Situationen beleuchtet, was das bedeutet. Mein Lieblingsteil:

    Die E-Control verweist dabei auf bestehendes EU-Recht. Laut diesem müssen Fernleitungsnetzbetreiber freie Transportkapazitäten „transparent und nicht diskriminierend“ anbieten. Zwar ist die Ukraine noch nicht Teil der EU. Allerdings will das Land in Zukunft Teil der Staatengemeinschaft werden. „Wir gehen davon aus, dass daher diese Regeln auch für den ukrainischen Netzbetreiber relevant sind und bleiben“, so die E-Control.

    Kurz: Die Ukraine wird schon liefern, sonst erpressen wir sie

    Und die nötige Pipeline nach Deutschland um über die Gas zu kaufen wird leider erst 2027 fertig und keiner bekommts hin den Prozess zu beschleunigen.











  • The company apparently sees these leaks not as a data breach, but as a violation of site rules. Well, I’m taking on a bit of the role of enlightening the public then; If the source of the leak is solely “credential stuffing attack,” why haven’t you taken measures against it even in 2023? There’s only one login service on web and mobile platforms; why didn’t you use captcha, turnstile, etc., there? Despite knowing that the user:pass data of 92 million users of MyHeritage, where many of your joint common members, including your CEO, are known to be, has been circulating for years, you took no action.

    What’s worse, there’s no need for email verification even for a user to download raw data. Additionally, you don’t necessarily have to download to obtain raw data. There are three different methods possible to take raw data directly from the db without downloading it. Is it the members’ fault if your sense of security is terrible? What a foolish defense!

    To extract data in this way from 14 million people, at least 100,000 credentials are needed because most members have common relatives. How did you not notice that 100,000 of your customers’ accounts had been accessed? How did you not detect this while millions of data belonging to other users were being scraped? Why didn’t you define a rate limit rule based on endpoint or parameter?

    Suppose I did scrape profiles through the hacked accounts in the shared relatives list. But what about other vulnerabilities?