
Security lapse exposed Clearview AI source code - jbegley
https://techcrunch.com/2020/04/16/clearview-source-code-lapse/
======
dsalzman
Can we please not do this? "Hussein said that he found some 70,000 videos in
one of Clearview’s cloud storage buckets, taken from a camera installed at
face-height in the lobby of a residential building. The videos show residents
entering and leaving the building.

Ton-That explained that, “as part of prototyping a security camera product we
collected some raw video strictly for debugging purposes, with the permission
of the building management.”"

~~~
justinjlynn
> with the permission of the building management

It makes me angry that's all the permission they think they need - and even
more so that it's all they are probably legally required to need.

~~~
dannyw
That's why we need laws for facial recognition and biometric rights, much like
how some states are starting.

------
pushcx
I'm curious if the repo supports the recent story that Clearview's early
programmers came from an alt-right social circle. They've publicly denied
links that the journalists seemed to support quite well.

[https://www.huffpost.com/entry/clearview-ai-facial-recogniti...](https://www.huffpost.com/entry/clearview-ai-facial-recognition-alt-right_n_5e7d028bc5b6cb08a92a5c48)

Does anyone know the security researcher to ask them to run this?

    git log --format='%aN' | sort | uniq -c | sort -rn

------
tptacek
Clearview is bad. And I haven't dug into the supporting materials for this
story at all. But it's disquieting that this story appears to include
sensitive private information obtained through security research and released
directly to a media outlet, including camera footage apparently taken from a
compromised cloud storage bucket. That's not how security research works.

~~~
jiveturkey
> Hussein, who has previously reported security issues at several startups,
> including MoviePass, Remine and Blind, said he reported the exposure to
> Clearview but declined to accept a bounty, which he said if signed would
> have barred him from publicly disclosing the security lapse.

seems grey to me

~~~
twomoretime
I like this Hussein guy though. Glad he acted selflessly. Need more like him.

~~~
newprint
I like Hussein as well !

------
rshnotsecure
The way the report was written, I suspect this was another open Gitlab server.

Most people who self-host Gitlab don't realize that between the default
self-registration and the "Explore" button at the bottom, it's possible for
entirely random individuals to gain enormous access.

I have written the Naval Postgraduate School several times since December
about their open Gitlab server (maybe it is supposed to be open though) which
seems exposed via the "Explore" tab at the bottom:
[https://204.102.228.54/users/sign_in](https://204.102.228.54/users/sign_in)
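A defensive self-audit for the misconfiguration rshnotsecure describes, as an added example that is not from the thread or from GitLab itself: it evaluates the JSON object GitLab returns from its application-settings API and flags open sign-up and unrestricted project visibility. It assumes the setting key names used in recent GitLab versions; the sample response is constructed.

```python
# Added example: audit GitLab application settings for the
# "self-registration + Explore" exposure. Input is the JSON object from
# GET /api/v4/application/settings (admin token required). Key names are
# assumed to match recent GitLab versions; SAMPLE_SETTINGS is constructed.
import json
from typing import Dict, List


def audit_gitlab_settings(settings: Dict) -> List[str]:
    """Return human-readable findings for a GitLab application-settings object."""
    findings: List[str] = []
    signup = settings.get("signup_enabled", False)
    approval = settings.get("require_admin_approval_after_user_signup", False)
    restricted = set(settings.get("restricted_visibility_levels", []))
    default_vis = settings.get("default_project_visibility", "private")

    # Anyone on the internet can create an account with no admin gate.
    if signup and not approval:
        findings.append("open self-registration: anyone can create an account")
    # Public projects are listed under Explore even to unauthenticated users.
    if "public" not in restricted:
        findings.append("public project visibility allowed: Explore lists "
                        "public projects to unauthenticated visitors")
    # Open sign-up plus internal visibility = every stranger sees internal repos.
    if signup and "internal" not in restricted:
        findings.append("internal visibility allowed with open sign-up: any "
                        "self-registered account can browse internal projects")
    # New projects should not default to anything broader than private.
    if default_vis != "private":
        findings.append(f"default project visibility is {default_vis!r}, not private")
    return findings


# Constructed sample resembling an untouched self-hosted install.
SAMPLE_SETTINGS = json.loads("""
{
  "signup_enabled": true,
  "require_admin_approval_after_user_signup": false,
  "restricted_visibility_levels": [],
  "default_project_visibility": "private"
}
""")

if __name__ == "__main__":
    for finding in audit_gitlab_settings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

On a live instance, feed it the output of `curl -H 'PRIVATE-TOKEN: <admin token>' https://<your-gitlab>/api/v4/application/settings` instead of the constructed sample.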

~~~
hlieberman
Please send me an email at harlan -at- dds.mil or file a report on
[https://hackerone.com/deptofdefense](https://hackerone.com/deptofdefense) and
we'll get it closed.

------
iamleppert
Does anyone have a copy of their source code?

------
gwern
"Inside those buckets, Clearview stored copies of its finished Windows, Mac
and Android apps, as well as its iOS app, which Apple recently blocked for
violating its rules. The storage buckets also contained early, pre-release
developer app versions that are typically only for testing, Hussein said."

Smartphone apps for interfacing with a SaaS are now "Clearview AI source
code"?

~~~
detaro
The company is called "Clearview AI". Not "Clearview" source code for AI.

Directly before what you quote:

> _The repository contained Clearview’s source code, which could be used to
> compile and run the apps from scratch. The repository also stored some of
> the company’s secret keys and credentials, which granted access to
> Clearview’s cloud storage buckets. Inside those buckets, ..._

------
01100011
Is anyone aware of any attempts to pollute their database? It seems like there
should be a way of injecting bad data into their system. Maybe make a FB
account, post some mis-tagged pictures, and 3 months later file a records
request to see if they've been vacuumed up?

