
A passwordless server run by NSO Group sparks contact-tracing privacy concerns - jbegley
https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/
======
tsjq
[https://outline.com/GhnRqx](https://outline.com/GhnRqx)

That article doesn't open in my browser. I have a slightly aggressive
adblocking & cookie-blocking setup, hence sharing the Outline link for similar
folks.

~~~
moepstar
Same here - what concerns me is that upon clicking on a TC article link, my
browser opens (and fails because it is blocked w/ Pi-Hole) the URL
[https://guce.advertising.com/collectIdentifiers?sessionId=3_...](https://guce.advertising.com/collectIdentifiers?sessionId=3_cc-
session_<somesessionid>) - seems pretty shady to me :( (or, well, at least
not something I'd expect...)

~~~
StavrosK
Same here, it fails to open because that domain is blocked. Maybe TechCrunch
should just be banned here outright.

------
afrcnc
I've seen this server, and contrary to popular belief, this appears to have
been, indeed, a demo server with dummy random data. Still, you should
password-protect your demo servers too. Just saying.

~~~
oefrha
The article is pretty clear on this being a demo server with dummy data, so
I’m not sure where the contrary “popular belief” is coming from.

~~~
lonelappde
The deceptive headline, for one.

HN is also a "passwordless server" for non logged in users.

------
rapsey
So there already is a way to abuse contact tracing.

This is why there is pretty much no trust in institutions anymore.

Apple and Google can talk about privacy all day, but there is way too much
money and interest in de-anonymizing that data.

~~~
judge2020
> While most governments lean toward privacy-focused apps that use Bluetooth
> signals to create an anonymous profile of a person’s whereabouts, others,
> like Israel, use location and cell phone data to track the spread of the
> virus.

Doesn't look like that's what was found being attempted here.

------
oefrha
> Security researcher Bob Diachenko discovered one of NSO’s contact-tracing
> systems on the internet, unprotected and without a password, for anyone to
> access. After he contacted the company, NSO pulled the unprotected database
> offline. Diachenko said he believes the database contains dummy data.

Doesn’t say which database and can’t find a first-hand account from the
researcher, but let me guess: MongoDB at it again?

------
rkagerer
Please fix the spelling mistake in the title. "Contract-tracing" is a lot less
topical right now than contact-tracing.

~~~
dang
Fixed. Thanks!

~~~
lonelappde
Please also add "public demo" to the title. This wasn't a private server.

