"5. Reduce the UTS threat by outlawing most domestic surveillance capitalism. Including having severe criminal penalties for companies found illegally capturing, compiling, retaining, selling, sharing, or leaking what has been designated as rightfully private data."
The FBI/DEA made an anonymous toll-free tip line for people to call with tips on the cartel activity. The cartel was able to get the phone records for people who called the tip line through bribes, extortion, or violence to the telco employees. They identified the people who called the tip lines, and then one-by-one eliminated them all.
makeitdouble•4h ago
> The hired hacker [...] was able to use the [attache's] mobile phone number to obtain calls made and received, as well as geolocation data, associated with the [attache's] phone."
> the hacker also used Mexico City's camera system to follow the [attache] through the city and identify people the [attache] met with
bilbo0s•3h ago
It's like the advice I would give to anyone, assume anything you put into a networked digital device, your voice, text, gps trails, oven temperature, anything.. is public, with an unknown publish date. Full stop. Plan your organization's operations in accordance with that assumption.
trod1234•50m ago
The issues we are having today are also the direct consequential result of collection in those treasure troves of security exploits; instead of fixing them, and their subsequent leaking.
Technically speaking for most common devices and software today, an AS# level attacker can transparently terminate encryption early to MITM with no indicator of compromise.
They can also disrupt interrupt driven communications with similar level of access (where a communication is strategically not sent without either parties awareness of the occurrence except as indirect after-action backscatter).
Princeton wrote a paper on it related to Tor back in 2014 iirc (the Raptor attack or something like that). The structure can easily be applied to more than just Tor, and that level of access would be quite valuable to well funded adversaries.
The incentives toward profit and power along with lack of liability for security, prevent many of the mfg companies involved from having effective security.
I can't remember where but there was a comment in either a talk or -con presentation where someone said the paper suggests TLS fails completely to these type of attacks; and there has been some speculation online as to if there is a connection between this and why leaked guidelines from various places say to never trust TLS.
The lack of security as an outcome can be seen as caused by government regulation mandates for the ISP industry, as thoroughly called out in this talk:
https://cyphercon.com/portfolio/exposing-the-threat-uncoveri...
You can find it available on youtube if they no longer have the direct link on the site.
Security has always had an issue with usability being compromised as security requirements increase. Organizations can't really compete on an even field with their competitors if the competitors have a technological edge because they happen to not be being attacked.