The only thing I find more suspicious than the sudden global attack on VPNs and privacy is the people trying to hand-wave it away as nothing to worry about.
The Stasi could only dream of having the tools that are already available today to use.
This and similar issues have been ongoing with Spectrum going back to before Congress felt the need to call them (along with the other telcos) out for failing to secure their networks. I've noticed handshake issues at one time or another with webpages, DoH and dnscrypt, and VPN with TLS over UDP on a non-standard port.
During one particularly annoying episode where it effectively became a DoS, I had my router log all dropped packets and then rebooted it. Immediately after reconnecting it dropped a few incoming martians and invalid packets, as if they were still expecting an active connection where there shouldn't have been any. The IPs were mostly upstream endpoints or gateways, but at least once it was from a residential IP instead.
Between the weird, arbitrary nature of the SSL/TLS handshake issues and the possible spoofing from upstream gateways, I get the impression this is much more than just a bug.
No, this paper is just exceptionally bad. It seems none of the authors are familiar with the scientific method.
Unless I missed it, there's also no mention of prompt formatting, model parameters, hardware and runtime environment, temperature, etc. It's just a waste of the reviewers' time.
I'm having déjà vu here. If they only found out when they attempted to extort them, does it mean they don't even bother to log employee access? Is there any means for accountability at all internally?
It would be so simple to have access tracking and flag or lock out rogue employees... I look forward to seeing what the golden parachutes look like.
I built the admin panel used by internal employees and contractors at a major fintech payments processor (PCI Level 1). We had to add multiple levels of safety once we decided to hire a team outside of our US office, including logging, monitoring and also rate-limiting (ask for a manager to approve if more than 5 full-details requests, etc.).
I think these requirements are much more stringent due to PCI-DSS standards for credit card processors. I wonder if a lack of such standards in crypto makes the companies holding customer funds more lax.
Looking at their blog post, it seems like they paid customer support agents to hand over sensitive data. The attackers did not have access to any agent accounts themselves, and the customer service agents were accessing data they were already privileged to anyway.
"The customer service agents were accessing data they were already privileged to anyways."
That's not how front-line support agent access should work. You get access based on active cases you are working on, not the keys to the kingdom because you might need to support a member at some future point in time.
It makes me wonder what type of access support agents have in the first place. A lot of this information should require "unlocking" on a case-by-case basis by challenge/response while interacting with a customer.
Logging and retroactive auditing seems like the very least they should do. Even asking the customer service agent to first provide identifying details of the customer they can't easily know or guess by themselves doesn't seem excessive, given the sensitivity of the information.
It won't work for 100% of all calls (what if the customer is locked out themselves etc.), but those calls can then be handled by even more closely monitored agents.
"Less than 1% of monthly transacting customers" means up to 1% were accessed – that seems very high, i.e. much higher than the number of customer service contacts I'd expect.
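A sketch of the case-bound, rate-limited access model the comments above describe (an added example, not code from any commenter or company discussed here; the limit of 5 full-detail lookups per window, the one-hour window, and every name are assumptions):

```python
"""Case-bound, rate-limited access to sensitive customer data (added example).

Assumptions (hypothetical, not any real system): a registry of open cases,
a per-agent allowance of 5 full-detail lookups per hour before a manager must
approve further lookups on that case, and an append-only audit log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import time

FULL_DETAIL_LIMIT = 5      # full-detail lookups per window before approval is required
WINDOW_SECONDS = 3600      # sliding window for the limit


@dataclass
class AccessGateway:
    open_cases: dict = field(default_factory=dict)     # case_id -> (agent_id, customer_id)
    approvals: set = field(default_factory=set)        # (agent_id, case_id) approved by a manager
    audit_log: list = field(default_factory=list)      # every decision is recorded here
    _lookups: dict = field(default_factory=lambda: defaultdict(deque))  # agent_id -> timestamps

    def open_case(self, case_id, agent_id, customer_id):
        self.open_cases[case_id] = (agent_id, customer_id)

    def close_case(self, case_id):
        # Closing the case withdraws the agent's access to that customer.
        self.open_cases.pop(case_id, None)

    def approve(self, manager_id, agent_id, case_id):
        self.approvals.add((agent_id, case_id))
        self.audit_log.append(("approve", manager_id, agent_id, case_id))

    def _recent_lookups(self, agent_id, now):
        q = self._lookups[agent_id]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def request_full_details(self, agent_id, case_id, customer_id, now=None):
        now = time.time() if now is None else now
        # Access is granted only for the customer tied to a case assigned to this agent.
        if self.open_cases.get(case_id) != (agent_id, customer_id):
            self.audit_log.append(("deny_no_case", agent_id, case_id, customer_id))
            return "denied"
        over_limit = self._recent_lookups(agent_id, now) >= FULL_DETAIL_LIMIT
        if over_limit and (agent_id, case_id) not in self.approvals:
            self.audit_log.append(("hold_needs_approval", agent_id, case_id, customer_id))
            return "needs_manager_approval"
        self._lookups[agent_id].append(now)
        self.audit_log.append(("allow", agent_id, case_id, customer_id))
        return "allowed"
```

Because every denial and hold is logged, an agent who repeatedly asks for customers outside their open cases shows up in the audit log before any data leaves the system.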
The odds are already against their future viability after a breach like this, and if they're fumbling the response this badly it really doesn't bode well for them.
They would have been better off not even bringing up their location if they weren't going to be transparent.
There's a thing in psychology called "Lucky Fool Syndrome" where people tend to take credit for success that was the result of dumb luck. SpaceX was one launch failure away from oblivion when they got insanely lucky.
They're wasted potential. Burnout isn't necessarily from overwork; it comes from pouring your heart and soul into things that you never get the satisfaction of seeing completed.
Burnout is not from failing to complete things. Most work never truly "succeeds". It comes from trying hard to do good work, and having it sabotaged, prevented, micromanaged, and even punished, etc.
Being denied satisfaction is the important part, but yeah, there are countless circumstances that can result in it. Having to waste all your time fighting for limited resources because a handful of individuals are hoarding them is by far the most common.
In the US the so-called "free market" was intended to be a way for people to achieve financial independence in spite of any persecution. Unfortunately, regulatory capture has made it exceedingly difficult.