A passwordless server run by NSO Group sparks contact-tracing privacy concerns (techcrunch.com)
60 points by jbegley on May 8, 2020 | hide | past | favorite | 15 comments


https://outline.com/GhnRqx

That article doesn't open in my browser. I have a slightly aggressive adblocking & cookie blocking setup, hence sharing the Outline link for similar folks.


Same here - what concerns me is that upon clicking on a TC article link, my browser opens (and fails because it is blocked w/ Pi-Hole) the URL https://guce.advertising.com/collectIdentifiers?sessionId=3_... - seems pretty shady to me :( (or, well, at least not something I'd expect...)


Same here, it fails to open because that domain is blocked. Maybe TechCrunch should just be banned here outright.


Yup, all TC articles fail to open with uMatrix installed here too.


Fails with NextDNS also (y)


I've seen this server, and contrary to popular belief, this appears to have been, indeed, a demo server with dummy random data. Still, you should password-protect your demo servers too. Just saying.


The article is pretty clear on this being a demo server with dummy data, so I’m not sure where the contrary “popular belief” is coming from.


The deceptive headline, for one.

HN is also a "passwordless server" for non logged in users.


So there already is a way to abuse contact tracing.

This is why there is pretty much no trust in institutions anymore.

Apple and Google can talk about privacy all day, but there is way too much money and interest in de-anonymizing that data.


> While most governments lean toward privacy-focused apps that use Bluetooth signals to create an anonymous profile of a person’s whereabouts, others, like Israel, use location and cell phone data to track the spread of the virus.

Doesn't look like that's what was found being attempted here.


> Security researcher Bob Diachenko discovered one of NSO’s contact-tracing systems on the internet, unprotected and without a password, for anyone to access. After he contacted the company, NSO pulled the unprotected database offline. Diachenko said he believes the database contains dummy data.

Doesn’t say which database and can’t find a first-hand account from the researcher, but let me guess: MongoDB at it again?


Please fix the spelling mistake in the title. "Contract-tracing" is a lot less topical right now than contact-tracing.


And while you’re at it, please correct “group” to “Group” so we know it’s not about a group of NSOs (are those like NGOs or something?) but rather a company called “NSO Group”.


Fixed. Thanks!


Please also add "public demo" to the title. This wasn't a private server.



