this post was submitted on 11 Feb 2024
826 points (100.0% liked)

linuxmemes


    cross-posted from: https://discuss.tchncs.de/post/10692187

    so, the company was Vastaamo. "was" because it went bankrupt after the breach and the GDPR violations.

    the "hacker" (or rather cracker) was extradited from France to Finland.
    you can read about how terrible the company's security was here: https://tietosuoja.fi/en/-/administrative-fine-imposed-on-psychotherapy-centre-vastaamo-for-data-protection-violations

    or watch mental outlaw's video on the matter, or the Wikipedia article on the breach.

    now there are several things that shouldn't have happened (e.g.: don't do these things on your main OS, have root access disabled, etc.), but I'll leave that to you experts.

    all 49 comments
    [–] [email protected] 105 points 1 year ago (4 children)

    No. This is fake, it's gotta be. Not even the "I use Kali by the way" script kiddies are that stupid.

    [–] [email protected] 116 points 1 year ago* (last edited 1 year ago) (1 children)

    you're underestimating people's capability to make such mistakes. remember silk road? the guy used the same username in two places, and gave his email id (which had his full name) in one of them.

    [–] [email protected] 37 points 1 year ago (1 children)

    Really, who the fuck creates an email for that kinda thing with full names!

    [–] [email protected] 59 points 1 year ago (1 children)

    it was late 2000s (he was arrested in 2013, before snowden leaks). and the guy wasn't a "hacker". he created the website where stuff (both legal and illegal) was sold. so, you have to keep that perspective in mind.

    [–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (2 children)

    Oh yeah, I remember that guy, I thought you were talking about someone else. And in my opinion they should just free him, he has done more time than he should have to while other bigger criminals than him with money are running around free. But still it was a very noob mistake, of course, unless he did it deliberately because he didn't care about anonymity.

    [–] [email protected] 8 points 1 year ago

    it's USA. don't expect much.

    [–] [email protected] 3 points 1 year ago

    If you're facilitating drug sales in Tor, anonymity should be your main priority.

    [–] [email protected] 22 points 1 year ago (1 children)

    Not saying it's actually what happened but I would ask how he knew about the data.

    Statistically, it should have been a random port scan that got in but since he's from the same country, he's either professionally or privately connected I assume. He either worked there in an IT function, visited as a patient, dated an employee, etc.

    So in other words, he's not a master hacker but probably stumbled across this. I had this with a webspace provider once where I could see all other customers' folders when I used ssh instead of the web interface. I couldn't access them but I got a whiff of how stuff like this happens. 99.9% of their customers are inept at IT stuff so a mistake in ssh would never come up since customers wouldn't use it and in that one case, they overlook it.

    So, this might have been his first hack ever and it probably took a long time til he even understood what he had in his hands. That's why I don't do stuff like this, I'm prone to such mistakes as well. Most elaborate scheme imaginable and cc it by mistake to someone I know.

    [–] [email protected] 10 points 1 year ago (1 children)

    I just was reading Wikipedia and it said he was arrested previously for hacking.

    In 2015, when he was still a teenager, a Finnish court found Kivimäki guilty of more than 50,000 aggravated computer break-ins. Among other targets, he attacked large educational institutions in the US, hijacking emails, stealing credit card details and blocking site traffic.

    Kivimäki received a two year suspended sentence for those charges.

    https://yle.fi/a/3-12669196

    You're probably right he had some connection and stumbled onto the data, but this wasn't his first rodeo.

    [–] [email protected] 5 points 1 year ago

    Thanks for pointing it out. This makes it even more embarrassing that he made a mistake like this. But I can still see how it could happen.

    [–] [email protected] 6 points 1 year ago

    Oh you wish. It was huge news, a shit ton of people got their information and social security numbers leaked in plain text

    [–] [email protected] 4 points 1 year ago

    The main reason I've never done anything illegal online (not counting piracy) is that I'm confident I've been that stupid many times and will be if I do.

    [–] [email protected] 93 points 1 year ago* (last edited 1 year ago) (1 children)

    While in the U.S., your mental health data are just on the market, waiting to be bought.

    https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke

    In the good case, there will be a class action lawsuit, and every victim will get approximately 2 dollars back for all their health data sold; but only after giving more sensitive information to the company that distributes these two dollars.

    https://www.morrisbart.com/faqs/how-is-money-divided-in-a-class-action-lawsuit/

    What a fun time to be alive.

    [–] [email protected] 25 points 1 year ago (1 children)

    What the fuck, I had no idea about betterhelp being so scummy.

    [–] [email protected] 54 points 1 year ago (3 children)

    I firmly believe any service that advertises that much on YouTube and podcasts is evil.

    I'm waiting to hear about Hello Fresh's child trafficking ring or whatever they're up to.

    [–] [email protected] 21 points 1 year ago

    Hello Fresh is notorious for being an abusive employer who LOVES union busting!

    https://www.theguardian.com/us-news/2021/nov/11/hellofresh-employees-union-claims-abuse

    [–] [email protected] 13 points 1 year ago (2 children)

    Yeah. Turns out, Raid: Shadow Legends is just about the least scummy thing being advertised on YouTube.

    [–] [email protected] 13 points 1 year ago

    Raid Shadow Legends is connected to an Israeli gambling company

    Anything that advertises heavily is most likely to be a piece of shit

    [–] [email protected] 8 points 1 year ago (1 children)

    I find Nord’s sponsor scripts misleading at the best and lies at the worst but the service for what it is is pretty good. Still would recommend Mullvad

    [–] [email protected] 6 points 1 year ago (1 children)

    but the service for what it is is pretty good

    I disagree. Most people wouldn't need it at all, and for most people that would actually need it it's useless due to not supporting port forwarding

    [–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

    Mainly so someone doesn’t get my ip and know my city and sometimes I sail the high seas

    I know ip is useless. I just don’t want someone to get my city and send an investigator

    I fully agree with your point. I feel like sponsor scripts should say these points. 1: if somebody sends you an ip tracker link Nord won’t leak your IP 2. if you want to watch georestricted content 3. If you are on someone else’s network and you don’t want them peeping your websites. 4. 🏴‍☠️

    [–] [email protected] 1 points 1 year ago (1 children)

    and sometimes I sail the high seas

    Yeah, but it's useless for that. If you pirate from Usenet or one click hosters you don't need a VPN, and if you use torrents or other peer to peer protocols you need port forwarding, which NordVPN doesn't support

    [–] [email protected] 2 points 1 year ago

    It works for me and the ISP hasn’t caught on

    [–] [email protected] 67 points 1 year ago* (last edited 1 year ago) (1 children)

    Not exactly an indictment on the hacker as much as it is one on these predatory online psych dealerships.

    Once again we're seeing deregulations leading to McSolutions that A) are of lower quality, and B) more expensive than what we had.

    [–] WhoPutDisHere 10 points 1 year ago

    Yeah, it felt like the clown man was the company in the first two panels, then it shifts to hacker, then the final few are just confusing. Poor clown man, so many internal conflicts.

    [–] [email protected] 54 points 1 year ago (1 children)

    Sad that the company was able to declare bankruptcy, rather than the directors being held criminally liable.

    [–] [email protected] 33 points 1 year ago (3 children)
    [–] [email protected] 27 points 1 year ago

    Not even remotely enough

    [–] [email protected] 11 points 1 year ago

    That's a start, but on its own pretty meaningless. A suspended sentence means he does not go to prison, so long as he behaves himself for a year or however long.

    The article doesn't go into it, but I hope he was also fined heavily. All we have is "the court determined it could not be resolved through fines, a prison sentence is warranted".

    [–] [email protected] 2 points 1 year ago

    See? CEOs get criminal liabilities! Capitalism works!

    (/s alas)

    [–] [email protected] 30 points 1 year ago (1 children)

    A good criminal is a dumb one

    [–] [email protected] 2 points 1 year ago (1 children)

    Whu? No, that's not right.

    [–] [email protected] 12 points 1 year ago

    It's good for us because they get caught is what they mean.

    [–] [email protected] 23 points 1 year ago (1 children)
    [–] [email protected] 25 points 1 year ago

    You don't accidentally tar your ~ on wondows, I guess

    [–] [email protected] 15 points 1 year ago (1 children)

    I'm always worried when making .tars that I'm doing something wrong when the file also has a . file inside. I know this is probably nothing but it makes me think of something like this.

    [–] [email protected] 11 points 1 year ago

    . and .. are how terminals navigate around file systems.

    The command cd . means "change directory (cd) to here (.)"

    cd .. means "change directory to here, but one level up: my parent directory."

    So following that model, winrar and maybe older versions of 7zip used folders called '.' as navigational tools within the archive browser. If you double-clicked through them, you'd see where they go.

    I don't know how much of this you knew, but the point is it shouldn't freak you out to see them.
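
An added example, not part of the comment above or of any project mentioned in the thread: a check that lists a tar archive's member names without extracting and separates the harmless `.` root entry from names that deserve a second look. The `SENSITIVE` name list, the function names and the sample archive are constructed for illustration.

```python
import io
import tarfile

# Constructed examples of names that suggest a home directory was archived.
SENSITIVE = {".ssh", ".gnupg", ".aws", ".bash_history"}

def classify(name):
    """Label one archive member name: root, unsafe, sensitive or ok."""
    if name.startswith("/"):
        return "unsafe"      # absolute path, not relative to the extract dir
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "unsafe"      # a parent-directory step can leave the extract dir
    if not parts:
        return "root"        # "." or "./": just the directory that was archived
    if SENSITIVE.intersection(parts):
        return "sensitive"   # credentials or shell history swept into the archive
    return "ok"

def audit(tar_bytes):
    """Return {member name: label} for every entry, without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: classify(m.name) for m in tar.getmembers()}

def build_sample(names):
    """Build a small in-memory tar (constructed test data, not a real archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            if name in (".", "./"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = 1
                tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

SAMPLE = build_sample([".", "./notes.txt", "./.ssh/id_ed25519",
                       "../outside.txt", "/srv/backup.sql"])

if __name__ == "__main__":
    for member, label in audit(SAMPLE).items():
        print(f"{label:9} {member}")
```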

    [–] [email protected] 9 points 1 year ago

    Here is an alternative Piped link(s):

    mental outlaw's video

    Piped is a privacy-respecting open-source alternative frontend to YouTube.

    I'm open-source; check me out at GitHub.

    [–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

    On one hand what the fuck just happened, on the other hand it's Finland, in Finland massmurderer will complain about lack of PS5 in prison and.

    Edit: nevermind, it was PS3

    [–] [email protected] 17 points 1 year ago (2 children)

    Dude, did you even read the (very short, obviously biased and sometimes factually incorrect) article you linked? Breivik is in Norway, not in Finland.

    [–] [email protected] 16 points 1 year ago* (last edited 1 year ago) (2 children)

    Also, why the fuck should they not have access to ps3, books and such. Prison is about taking away one's freedom, not about putting people in psychological or physical distress. In Norway we want convicts to be in a better state when they come out than when they got incarcerated (though Breivik will most likely never come out). Who wants to live next to a person who has been 20 years in solitary, I mean come on.

    [–] [email protected] 8 points 1 year ago

    If you're not a bloodthirsty Calvinist predestination lover I don't know if you would understand the American mindset at all.

    [–] [email protected] 5 points 1 year ago

    Yep. The American system of punishment over rehabilitation is so strange to me. It won't help one bit when (if in this case) they get out.

    [–] [email protected] 2 points 1 year ago

    Edit: also Norway, not Finland I guess