
Engineer admits hacking Yahoo accounts searching for images - prostoalex
http://www.ktvu.com/business/engineer-admits-hacking-yahoo-accounts-searching-for-images-1
======
raz32dust
End-to-end encryption is the only foolproof way of preventing this. But if
that is not possible, training and audit/alerts are the next best thing.

Training is important because new employees or new college grads might not be
aware of truly how egregious it is to view someone's personal data. It really
has to be drilled into the culture. By audits and alerts, I mean that if one
employee accesses sensitive information, they know that other teammates are
getting an alert about it. People do such things when they think nobody will
know.
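As an added illustration of the audit-and-alert control described in this comment (example code, not from the thread or from Yahoo): a small Python pass over constructed access-log lines that flags staff reads of user account data with no support ticket, and an employee reading many distinct accounts in a short window. The log format, field names and thresholds are assumptions.

```python
# Added example, not from the thread: an access-audit pass over constructed
# internal access-log lines. It raises alerts for employee reads of user
# account data that cite no support ticket, and for an employee reading many
# distinct accounts in a short window. Log format and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp employee action target_account ticket
SAMPLE_LOG = """\
2019-09-30T10:00:01Z bob read_mailbox user1001 ticket=T-4411
2019-09-30T10:00:05Z bob read_mailbox user1002 ticket=T-4412
2019-09-30T10:01:10Z eve read_mailbox user2001 ticket=-
2019-09-30T10:01:12Z eve read_mailbox user2002 ticket=-
2019-09-30T10:01:15Z eve read_mailbox user2003 ticket=-
2019-09-30T10:01:20Z eve read_mailbox user2004 ticket=-
2019-09-30T11:30:00Z eve read_mailbox user2006 ticket=T-4500
"""

SENSITIVE_ACTIONS = {"read_mailbox", "read_photos"}

def parse_log(text):
    """Parse one event per line into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].startswith("ticket="):
            continue
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "employee": parts[1], "action": parts[2], "account": parts[3],
            "ticket": parts[4][len("ticket="):] or "-",
        })
    return events

def audit(events, window=timedelta(minutes=5), max_accounts=3):
    """Return the alert strings that teammates of the employee would receive."""
    alerts, recent = [], defaultdict(list)  # employee -> [(ts, account)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        if ev["ticket"] == "-":  # access with no customer-facing reason
            alerts.append(f"{ev['employee']} read {ev['account']} with no ticket")
        hist = recent[ev["employee"]]
        hist.append((ev["ts"], ev["account"]))
        hist[:] = [(t, a) for t, a in hist if ev["ts"] - t <= window]
        if len({a for _, a in hist}) == max_accounts + 1:  # threshold crossed
            mins = int(window.total_seconds() // 60)
            alerts.append(f"{ev['employee']} touched {max_accounts + 1} "
                          f"distinct accounts within {mins} min")
    return alerts
```

The bulk alert fires once, when the distinct-account count first crosses the threshold, so teammates get one notice per burst rather than one per read.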

~~~
oyebenny
I'd actually love to have this implemented client side - i.e. if an employee
views/accesses your info, the client gets an alert.

~~~
radres
Yea, it'll flourish your business.

------
JazzXP
The fact that he was able to usually means something is lacking in the backend
security. Yes, bad employee, but more encryption and security models are
required. Back when I was working on share trading software, this was one of
our requirements of the system.

~~~
alfiedotwtf
Encryption, in email? lol...

This is what happens when end-to-end encryption isn't the default in
communications software. All email providers are vulnerable to this bar none.

~~~
nailer
Honestly I'd like to see one of the webmail providers do a decent attempt at
gpg. The web migrated from a primarily unencrypted state to an encrypted one -
it's not impossible with the right UX.

~~~
Yiin
ProtonMail?

~~~
alfiedotwtf
For communication between a ProtonMail customer and a non-customer, there is no
end-to-end encryption.

For communication between ProtonMail customers, you still have to trust that
their UI hasn't been MiTM'd.

------
Trias11
Banks routinely hire hit-and-run contractors to manage systems with low-level,
uncontrolled, unaudited access to mind-boggling resources and eye-popping
access to private customer info.

Email porn? Child's play.

~~~
d-d
Everything has to get decrypted at some point, right? I try not to think about
what would happen if a Google employee decided to leak everyone's search
history.

~~~
dodobirdlord
The fact that it hasn't happened yet when there are so many Google employees
suggests that it's infeasibly difficult.

~~~
lonelappde
It's a rare person who throws away millions of dollars of income just for the
lulz.

~~~
tester347
You meant 150k?

------
tennessee5
Chris Putnam, who used to work at Facebook, did almost exactly the same thing
with videos.

~~~
glandium
Wait, what? I knew the part where he wormed Facebook and eventually got hired,
but I didn't know that. Do you have a source? I only was able to find the part
I already know about.

~~~
xuki
Given that it's a brand new account you can take it with a grain of salt.

------
raxxorrax
This is probably a common occurrence in the industry, especially at companies
that make money with user data. This is at the core of why the recommendation
from industry experts has always been to minimize data exposure.

Even if end-to-end encryption were applied, there will never be 100%
security from administrators and developers. You cannot even reasonably audit
these systems with current technologies.

And yes, protected HR and user information will regularly leak into IT
departments. If the latter is outsourced to third parties, this means data
leaks galore.

------
SteveNuts
I truly don't understand how Yahoo still exists. How have they survived this
long?

~~~
peterhookgen
I ask myself the same question, especially when it was announced on HN they
just spent cash on a new branding logo:
https://www.underconsideration.com/brandnew/archives/new_logo_and_identity_for_yahoo_by_pentagram.php

~~~
sincerely
Working for Pentagram seems sweet. Huge cool designer cachet despite the fact
that all you do is redesign logos and branding for incredibly uncool legacy
corporations

~~~
sizzle
Sounds like the description of a miserable circle of hell from Dante's Inferno
to me.

~~~
sincerely
Clock in, clock out ;)

------
zarro
Oh you think this is bad, just imagine all the guys at the NSA

~~~
zantana
Seriously, Optic Nerve
(https://www.extremetech.com/extreme/177500-gchq-nsa-secretly-collected-webcam-images-from-millions-of-yahoo-users)
was the equivalent of a whole floor of that guy.

------
spedru
It's sobering to think about this in tandem with the fact that people in the
IQ bracket for “engineer” tend to get away with crimes. Honestly, though, at
least this can be turned into a concrete example to shoot down “if you don't
have anything to hide...” and the like. The banal, lascivious panopticon
elicits a real disgust response that might be moving, as opposed to the “shut
up you Alex Jones weirdo” that sticks to talk of the NSA no matter how many
Snowdens happen.

~~~
duxup
Just for the sake of feedback, I found your post confusing.

It's not really clear to me what you are saying exactly.

~~~
Nzen
Presumably, this person is airing frustration with common responses to
privacy-oriented discussions he or she has experienced as a participant and/or
vicariously. He or she has characterized them as ending in ad hominems, whereby
the privacy-minded individual is construed as politically or intellectually
unmoored, similar to Alex Jones.

Spedru posits that the covert and exposed deviants within companies that we've
exchanged our data with are another style of entity (besides state actors)
that we ought to strive to deprive of access to that data.

At least, that's as charitably as I can characterize the comment.

~~~
spedru
Yes. This is exactly what I meant. Didn't mean to come off as obscure, sorry,
I'm a little out of it and English isn't my best language on a _good_ day. I
meant to tack a “distributed” onto that “panopticon”. A bunch of perverts
scattered around tech companies might make for a convincing “actor” to bring
up to ordinary people who think talking about government agencies is too
crazy-sounding. As for the intelligence bit, I mean to say, “engineers are
typically high-IQ, high-IQ people get away with crimes, imagine how many
creeps have gotten away with this sort of thing and we'll never know”.

