No Privacy in the Electronics Repair Industry (arxiv.org)
173 points by curmudgeon22 on Nov 30, 2022 | 131 comments



I worked at a computer rental shop in the mid-90s (renting computers was a thing back then). Customers used to leave files on the returned computers all the time. My colleagues and I used to look at them sometimes. It was almost always boring stuff. Until once a customer returned a computer with CSAM jpeg images. Hundreds of them. Very bad stuff. We called the local police. They were basically useless. They just didn't know what we were talking about. Remember, this was almost 30 years ago, before the web. We asked if they had any contacts at the FBI, and if so, to forward the info to them. The next day a couple of FBI suits showed up and took the computer. They knew exactly what we were talking about. The suits were very technical. I was totally impressed.

The FBI suits came back about a week later and took statements from everyone. We tried to get info from them about the case, but they wouldn't give us anything. However, one suit said the computer wouldn't help much for a conviction or even making an arrest because too many hands had touched it. Depressing. However, he did say that the customer is on their radar, and an active investigation had begun. He hinted that it was only a matter of time before the dude was caught in the investigation. I felt a tiny bit better after that. But still, the whole experience made me feel like shit. It still does.


The same reason that they could not use this for evidence (too many hands, too much opportunity for tampering) seems like the reason this is exploitable for using the FBI as a weapon for targeted harassment against an arbitrarily chosen victim.

Getting someone put on the FBI's radar is a great way to ruin a life. If you can target anyone you wish this way, that is a lot of destructive power to wield, akin to swatting.


>Getting someone put on the FBI's radar is a great way to ruin a life. If you can target anyone you wish this way, that is a lot of destructive power to wield, akin to swatting.

Doesn't even have to be the feds. Local .gov attention is more than sufficient to make life indefinitely reasonable.

I think anonymous tipping needs to be curtailed to some degree. When simply being investigated is only slightly short of a probation sentence in practice, one's right to know the evidence against them and the public's right to be privy to the proceedings should apply.

Edit: In the general case, not this specific one.


This wasn’t an anonymous tip.


I meant in general, not this specific case.

It's a travesty that a report from a jaded ex or obnoxious neighbor can result in one having CPS, the state tax authorities, etc, crawling all over somebody for however long an investigation takes. And from the point of the person being investigated and more importantly, the broader community it is anonymous. The person using the investigative process as harassment stands to lose nothing by doing so.


The FBI suits interviewed myself and all my colleagues independently. It felt like an interrogation, like I was the accused. They even made me sign a form, basically giving them the right to investigate me. Oh, and they also told us not to talk to anyone about, well, anything. So yeah, these guys knew what they were doing, and it felt like they were aware this whole thing might be some sort of setup.

But yeah, I definitely get your point. I actually have a friend that works for CPS, and she said bitter exes call in bogus claims all the time. There's a protocol she's required to follow, and that protocol doesn't involve investigating if the claim is false, even if it's totally obvious that it is. And the worst part is, even if the claim is obviously fake (like, the accused moved to Florida 6 months ago with his new girlfriend; he hasn't seen his kid in months, how could he leave recent bruises on her?), there are no consequences to the accuser. Nothing. She's not allowed to do anything, just close the investigation and move on. That's it.

Continuing on the topic of CPS, she once told me that they work very closely with the local cops. Also, CPS doesn't need warrants or court approval to enter a home. If they get an accusation of child abuse, they have the right to enter and investigate, and they use the local cops to assist them. Well, the local cops know this, and they use it to get around warrants and such. She said when the cops want to get access to someone's house, but they don't have enough for a warrant or the whole case is shady (like, they just wanna harass someone), they have an anonymous idiot on the street call in a bogus child abuse claim to an address, then they call their contact at CPS and work out a date/time to enter, based on the abuse claim they initiated (through their anonymous idiot). Once the cops are inside, they can pretty much do whatever they want. She's been on "investigations" where she was told to wait in her car, meaning she had to be there as a formality, but that's it. She said CPS knows what's going on, but they can't/won't do anything about it, because they need the support of local cops for their own, legitimate investigations.


> obnoxious neighbor can result in one having CPS

I don't know if you were referring to this, but it certainly was front-of-mind for me. (There's a GoFundMe for their legal troubles if you want to donate. Please consider it.)

https://reason.com/2022/11/16/suburban-mom-jailed-handcuffed...


Strongly disagree. Very often we see troubled individuals who have gotten under the fed's radar, both local and FBI. Yet these individuals would pass background checks, purchase firearms and commit atrocities. The FBI is not going to come and knock on your door or do anything to you. You have to be breaking the law to get in trouble with them. I reckon a local sheriff/police in a small town would make someone's life a nightmare.


A bit tangential, but what can you share about the computer rental industry? When did it die out? What sort of customers were there? How long until computers would leave the rental circuit? Would they just be sold?


Renting fits occasional usage better, housing being a notable exception. But people need a computer (PC, laptop, tablet, or phone) all the time these days and almost always have a lot tied into a particular device. It's far more convenient to buy one outright especially since they're affordable.

Now rental has moved towards more expensive and less convenient stuff to have at home full time, like servers and hosting.


Nathan Fielder (who graduated from one of Canada's top business schools with really good grades) tried to address this in an episode of Nathan For You (s04e07).

The plan? Put customers at ease by offering the world's first asexual computer repair.

https://www.youtube.com/watch?v=jf9I04Oa-hU


Sadly it says I cannot watch this in my country. I am in Canada.


all you have to do is google search on author and name of the video. you will be watching it in no time


What a great show…classic!


When I had to replace my old Thinkpad's screen, I really liked that the repair shop explicitly said that they didn't need the credentials to my bitlockered drive and in fact offered to take the drive out physically and give it to me. They could boot off USB into a portable Linux install and do whatever and in fact they did.


Lenovo offers a "keep your drive" warranty option. I thought this upgrade option was needed to keep the drive when something (drive or other) fails, but maybe it is only relevant in case a drive fails and is replaced under warranty?


"keep your drive" option is for people that need to physically shred their drives when they fail. Many financial organizations utilize this policy and document it in their SOC1/SOC2 controls and sometimes in their customer contracts. I was in a cloud provider that did this with over 50k servers.


I’ve seen one of these shredders in action. You can just throw in a handful of full 3.5 inch drives and they just fucking vanish.


Indeed. In our case mobile shredding services would pull up to our datacenters around the world and DC Operations would bring them out on a cart. They scan the serial numbers and then same deal, into the machine, out as tiny specks of metal.


Ever do a whole chicken or pig? You know, for science?


There wouldn’t be much science. It would definitely just vanish.


That's an upgrade option now? It used to be standard, I think even suggested that you remove your drive before sending in your thinkpad. Granted, the last time I had to do that was 2009 or so.


It sometimes is included in the warranty depending on how you buy it

I know when we were RMAing drives as a company there was an $8 option to not return the drive. As it was free shipping to return it we’d just send it back - no sensitive data.

If you really need to be secure you encrypt AND shred. But you have to encrypt before it fails of course.


Harder for mobile repair since they often need access to test things. I'd suggest just factory resetting things before bringing them in. Apple pretty commonly just hands you a new device and sends your old one to be repaired in a cheaper country.


Toshiba once "repaired" our laptop by swapping in a completely different motherboard. They asked for the drive, but I pulled it myself before mailing it in.

The resulting computer could no longer boot Linux, or the windows factory recovery disk that came with the machine (or stock windows).

That (and the shoddy initial design with a half life of 6 months) is the reason I will never buy a Toshiba laptop again.


Ah yes, the factory recovery disks, such a low point in computing. I remember it not working when needed (and if it did, it would wipe the machine), having to use Windows XP/7 CD-ROMs from older computers to fix my installation. Microsoft handing out Windows 10 for free and OEM keys being available for 10€ on eBay ended this weird time when Microsoft had piracy anxiety even though Windows came preinstalled on new computers, while at the same time the hype around Apple's MacBooks was at an all-time high.


Good news! They no longer make laptops


I swing by the local Goodwill clearance outlet occasionally looking for vintage electronics. The other day I grabbed a Commodore 1541 floppy drive from a bin. At the checkout, the young employee balked and said “sorry, that shouldn’t have made it out there, it’s against our policy to sell computer drives because they might have personal info on them”. I asked him to please double check with the oldest, greyest employee in the store. I walked away with it for 3 bucks.


There was a sweet spot in the mid to late 90s where you could find awesome ancient hardware at Goodwill. Around that time I lived in a town of about 150K people, so it had several Goodwill locations, but there was one where all of the computer equipment got sent. My last good score there was a PDP-11/7-something that was in perfect working order with a hard drive for something insane like $20, and the hard drive came complete with about 100 people's personal details *and* mental health records on it. And that's why they have that (very good) policy.


I know someone who scored a couple of very large VAXen from the prison service, and discovered they contained a lot - really a lot - of records of prisoner details that should absolutely not have made it out of the door.

Cue a couple of police and prison service cars rolling up outside his house and disgorging a lot of very beardy old sysadmins, who copied everything off onto modern media and wiped the drives. They then offered the guy a contract to maintain the VAXen they still had, and help in the project to transfer stuff onto more modern databases.

Things became interesting when the guy got jailed for a few months for a minor incident that escalated a bit, but still needed to be given access to the prison service computers...


I don't understand why my Goodwills never have anything of the sort. The most "technical" thing I ever find are ancient overpriced wifi routers.


It's a numbers game. Keep checking


I found a great WiFi router at a thrift store, along with the original transformer brick, and it was in service at my home, unpwned, for about a decade until I could afford a brand new replacement.


3 bucks! Nice! Congrats on the find!


So the oldest, greyest employee disassembled the code and dumped the ROMs, and ran them through a steganography scanner then?


> we drop rigged devices for repair at 16 service providers and collect data on widespread privacy violations by technicians, including snooping on personal data, copying data off the device, and removing tracks of snooping activities

Wow... that makes me so uncomfortable

More details in 5.2.1 in the pdf: https://arxiv.org/pdf/2211.05824.pdf


I am curious. Could one sue over this?


> I am curious. Could one sue over this?

I believe you'd have to be able to show that you'd been harmed. This came up at the top of a search for "sue law standing":

> To file a lawsuit in court, you have to be someone directly affected by the legal dispute you are suing about. In legal terms, this is called having “standing” to file the lawsuit.

I think that'd be difficult to prove / show unless you had some pretty direct evidence. I don't think you'd have that unless you set up logging / monitoring software in advance, as in the article. Regular consumers wouldn't have that.


But who will snoop on the snooping snoopers? That's my question.


Just in case you're referring to this proof that the Halting Problem is undecidable, it always bears repeating:

http://www.lel.ed.ac.uk/~gpullum/loopsnoop.html


The phrase 'who watches..' predates that paper by quite a bit.

https://en.m.wikipedia.org/wiki/Quis_custodiet_ipsos_custode...


Everyone out west in Hawtch-Hawtch. Just as soon as they are done with their bee watching.


Any time I turn in a macbook for repair they demand my admin password. Fuck off. Erase it, I’ll restore, but I’ll never give you access.

They are trained to make you feel like you have something to hide.


I had this experience a couple of weeks ago at an authorised repairer. They asked for my password, and I refused, but I was curious. So I said, "I'm surprised you're allowed to ask" and the guy said, "We're allowed to ask, but we're not allowed to insist".

A few years ago my bank would ring me up every couple of weeks and say "Hi, I am calling from your bank, we want to talk to Doctor Eval(), can you please verify your date of birth and we can get started?". They would get so pissed off when I wouldn't tell them. I was like, "how do I know you're from my bank?". (Banks seem to have stopped doing this now).

For companies which should be putting security at the centre of their business, they apparently have no idea that they're normalising phishing.


> For companies which should be putting security at the centre of their business, they apparently have no idea that they're normalising phishing.

Yeah, this appears to have stopped, but was somewhat common a few years ago. My standard response was 'you called me, tell me who you are and I will call back on the official line'. They couldn't object to that. It was obviously some plan to 'ensure user privacy' that was quashed once it became known to one or two people with the authority to do something about it and the knowledge to know better.

Now if only they would allow you to enable 2FA options that aren't SMS and also disable SMS. They don't understand that SMS being a terrible 2FA system isn't mitigated by 'but you can enable other things' if you cannot remove SMS as an option.


Now if only they gave me a real 2FA option that doesn't actually decrease security. So they made a fancy app where I need to confirm PC logins with a 5 digit pin. But the same app is also their official banking app and lets me do everything with my account, all with the same 5 digit pin. I don't even need to enter the credentials necessary on the PC. This is what you get when the government tries to mandate security.


> This is what you get when the government tries to mandate security.

NIST actually has great guidelines for digital identity authentication:

* https://pages.nist.gov/800-63-3/sp800-63-3.html

Don't blame the government -- they outlined an ideal way to do it on many levels of need. Blame the specific people who implemented that specific system.


I didn't know that. What makes SMS a terrible 2FA? (other than the fact that you can lose your phone, but that's true for any "have" factor)


"SMS-transmitted OTPs are susceptible to a variety of attacks. One is by obtaining control of a target’s cell phone number, often by calling the cellular provider or going into a retail store of the provider and impersonating the subscriber. In 2016, the chief technology officer of the US Federal Trade Commission had her number hijacked this way. In other cases, the interception is the result of compromising the mobile account because it’s protected by a password the subscriber used on a different site that was breached. Still other interceptions are the result of exploiting decade-old weaknesses in the SS7 routing protocol that carriers around the world use to ensure their networks interoperate. OTPs are also vulnerable to phishing and social engineering attacks, as long as the attackers enter the codes quickly after obtaining them."

* https://arstechnica.com/information-technology/2017/05/thiev...

* https://arstechnica.com/information-technology/2018/08/passw...


This is something I still cannot understand, in the sense that usually the procedure is the following, at least with my bank (that uses SMS OTP):

On the website:

1. you input a user ID

2. you input a password or PIN

3. you press a button that sends a SMS with an OTP code to the registered cellular number

4. you input this OTP code on the site

Even if someone can intercept the SMS, they wouldn't (shouldn't) have ID and PIN.


For one thing, there are a lot of security holes that let people reset passwords by getting a code via SMS

For another, what's the point in having 2FA if one of the factors is completely insecure? It's just an annoyance at that point, and a good way to ... tie your account to your phone number, which just coincidentally happens to be the primary key for most advertising tracking services. What a coincidence


By that logic, you don't need an OTP code at all, because your adversary "shouldn't" have your password or PIN.

The entire point of two-factor authentication is to provide an extra layer of security for when the first layer is compromised.


I think the logic is the same.

Having the possibility/capability of intercepting the SMS is only effective if the ID and PIN are already known, and while surely there are "other" ways to get them, the attacker needs all three.

From what I have read/seen, most if not all successful attempts to access someone else's bank account online go through some form of phishing.


Not only phishing, but too many people have the terrible habit of using the same password everywhere. So with public breach data, it's not a stretch to think bad actors would try, and probably be successful way too often, to use said credentials on bank sites.


Assume for all these attacks that the user has been first thoroughly keylogged via malware or had all static credentials stolen first via leak or phishing.

The SIMjacking is the last barrier to access.

In most cases people reuse passwords and their login/password are known via any number of a million dumps of large websites whose dbs have been breached.


You build a fake website. The victim enters their ID and password. The fake website asks for the SMS TAN. The victim gets an SMS from the actual bank and enters the TAN. Profit.

It doesn't have any security benefit for phishing like this, it's just one additional password input field.


Sure, but in this case, like in many "phishing" schemes, there is no interception of the SMS, this same approach applies to all other authentication tokens, as it is the victim that enters the OTP on the (fake) site or communicates it to the phisher who calls impersonating a bank employee.


> this same approach applies to all other authentication tokens

Not true. FIDO prevents this. The key is bound to the site you authorized it on, so inputting the key while connected to a phishing site will do nothing.

* https://www.yubico.com/authentication-standards/fido-u2f/
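To make the difference between the relayed-OTP phish described a few comments up and the FIDO origin binding concrete, here is a small added simulation. This is example code written for this page, not from any commenter, and not a real WebAuthn implementation: a per-site credential secret and an HMAC over the RP ID and challenge stand in for the authenticator's private key and signature, and the hosts bank.example and evil.example, the user alice and her password are invented.

```python
"""Toy model (not a real WebAuthn stack): a relayed SMS OTP logs the phisher in,
an origin-bound FIDO assertion does not. An HMAC over (rp_id, challenge) under a
per-site credential secret stands in for the authenticator's signature; the hosts
bank.example / evil.example and the user alice are invented."""
import hashlib
import hmac
import secrets


def otp_code(secret, counter):
    # HOTP-style 6-digit code from a shared secret and a counter.
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def assertion(cred_secret, rp_id, challenge):
    # Signature stand-in: the response commits to the RP ID *and* the challenge.
    msg = rp_id.encode() + b"\x00" + challenge.encode()
    return hmac.new(cred_secret, msg, hashlib.sha256).hexdigest()


class Authenticator:
    # Security key holding one credential secret per RP ID it was registered with.
    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]            # a real key would hand back a public key

    def get_assertion(self, rp_id, challenge):
        if rp_id not in self.creds:          # never registered with this site
            return None
        return assertion(self.creds[rp_id], rp_id, challenge)


def browser_webauthn_get(origin_host, requested_rp_id, challenge, auth):
    # The browser, not the page, pins the RP ID to the real origin
    # (real browsers also accept a registrable suffix of it; kept strict here).
    if requested_rp_id != origin_host:
        return None
    return auth.get_assertion(requested_rp_id, challenge)


class Bank:
    # Relying party at bank.example offering both SMS OTP and FIDO login.
    rp_id = "bank.example"

    def __init__(self):
        self.passwords, self.otp_secrets, self.otp_counter = {}, {}, {}
        self.creds, self.challenges = {}, {}

    def register(self, user, password, auth):
        self.passwords[user] = password
        self.otp_secrets[user], self.otp_counter[user] = secrets.token_bytes(16), 0
        self.creds[user] = auth.make_credential(self.rp_id)   # scoped to bank.example

    def send_sms_otp(self, user):
        self.otp_counter[user] += 1
        return otp_code(self.otp_secrets[user], self.otp_counter[user])

    def login_otp(self, user, password, code):
        expected = otp_code(self.otp_secrets[user], self.otp_counter[user])
        return self.passwords.get(user) == password and hmac.compare_digest(code, expected)

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_fido(self, user, response):
        challenge = self.challenges.pop(user, None)
        if challenge is None or response is None:
            return False
        return hmac.compare_digest(response, assertion(self.creds[user], self.rp_id, challenge))


def setup():
    bank, auth = Bank(), Authenticator()
    bank.register("alice", "hunter2", auth)
    return bank, auth


def relay_otp_attack():
    """Victim types ID, password and the bank's genuine SMS code into evil.example."""
    bank, _ = setup()
    code = bank.send_sms_otp("alice")        # phisher forwards the creds; SMS reaches the victim
    return bank.login_otp("alice", "hunter2", code)   # victim types it into the fake page -> True


def relay_fido_attack():
    """Same relay: the page at evil.example tries to get a usable assertion from the key."""
    bank, auth = setup()
    auth.make_credential("evil.example")     # suppose the victim even has an account there
    challenge = bank.new_challenge("alice")  # phisher fetches a real challenge for alice
    resp = browser_webauthn_get("evil.example", "bank.example", challenge, auth)  # browser refuses
    if resp is None:                         # fall back to the phisher's own origin
        resp = browser_webauthn_get("evil.example", "evil.example", challenge, auth)
    return bank.login_fido("alice", resp)    # False: signed under another key, for another rp_id


def legit_fido_login():
    bank, auth = setup()
    challenge = bank.new_challenge("alice")
    resp = browser_webauthn_get("bank.example", "bank.example", challenge, auth)
    return bank.login_fido("alice", resp)    # True
```

The SMS path succeeds because the code the bank sends is just another secret the victim can be talked into typing on the wrong page. The FIDO path fails twice over: the browser refuses to mint an assertion for an RP ID other than the page's own origin, and even an assertion scoped to the phishing origin is signed under a different credential and over a different RP ID, so it never verifies at the bank.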


Yes, I meant those (I believe much more common) various hardware token generators and those "in-app" ones (issued by the bank), that end up as a 6 or 8 digits that you have to type on the site.


As for how easy it is to SIM swap: you can go to any phone store and, unless the manager at the location is competent, you can get a new line in a person's name or a new phone with an old number. It's incredibly easy, and you can read about a lot of them happening on Krebs' website.


Banks in the UK used to get you to enter a PIN on your phone keypad to authorise them (different PIN from your ATM cards!). I pointed out to the call handler one day that when I entered my PIN I could still hear background noise from his open mike, and did that mean he could hear what I typed?

"Yes, I hear you typing in the PIN"

Oho, but that's a bit of a security hole, isn't it?

"It's just beeps though, I can't tell what you typed"

Yeah but someone suitably skilled *could*, is my point!

"Yeah but it's just beeps, like this <beep beep beep beep>"

Okay and you typed 1 3 5 8.

"Uhhh... oh. Yes, I did. Uh, how did you do that?"

I've got an ear for it. This is absolutely not a criticism of you in any way and thanks for helping me demonstrate it, but could you get your supervisor to play this call to their manager and get back to me, once we're done with the call?

"Yes, I'll do that"

Awesome! Now these bank transfers...

They didn't call me back, but now call handlers transfer you to a totally different service to put a PIN in.
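For anyone who doubts that the digits can be read from the beeps: DTMF tones are two fixed sine frequencies per key, and a single-bin Goertzel filter per frequency is enough to recover them. The following is an added example for this page, not the commenter's code; the audio is synthesized here rather than recorded from a call, so there is no noise handling.

```python
"""Recovering keypad digits from DTMF 'beeps' leaked over an open mic.
Pure Python: synthesize the tones, then decode them with the Goertzel
algorithm (a single-bin DFT per DTMF frequency, no FFT needed)."""
import math

SAMPLE_RATE = 8000                      # telephone-quality audio
LOW_FREQS = (697, 770, 852, 941)        # row tones (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)   # column tones (Hz)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
FREQ_OF = {key: (LOW_FREQS[r], HIGH_FREQS[c])
           for r, row in enumerate(KEYPAD) for c, key in enumerate(row)}


def synth_dtmf(keys, tone_ms=80, gap_ms=40, rate=SAMPLE_RATE):
    """Constructed input: each key is the sum of its two sines, followed by silence."""
    samples = []
    for key in keys:
        f_low, f_high = FREQ_OF[key]
        for n in range(rate * tone_ms // 1000):
            t = n / rate
            samples.append(0.5 * math.sin(2 * math.pi * f_low * t)
                           + 0.5 * math.sin(2 * math.pi * f_high * t))
        samples.extend([0.0] * (rate * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """Energy of `frame` at one frequency: O(N) second-order recursion."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def decode_dtmf(samples, rate=SAMPLE_RATE, frame_ms=20, silence=0.01):
    """Return the key sequence heard in `samples`, one key per tone burst."""
    n = rate * frame_ms // 1000
    keys = []
    in_tone = False
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        if sum(x * x for x in frame) / n < silence:   # gap between beeps
            in_tone = False
            continue
        row = max(range(4), key=lambda i: goertzel_power(frame, LOW_FREQS[i], rate))
        col = max(range(4), key=lambda i: goertzel_power(frame, HIGH_FREQS[i], rate))
        if not in_tone:                                # rising edge: a new key press
            keys.append(KEYPAD[row][col])
            in_tone = True
    return "".join(keys)


if __name__ == "__main__":
    audio = synth_dtmf("1358")
    print(decode_dtmf(audio))   # -> 1358
```

Each 20 ms frame is checked for energy; on the first frame of a burst, the strongest row tone and the strongest column tone name the key. Recorded call audio would need a noise floor above zero and a check that the winning tones dominate the others, but the open-mic leak the commenter describes is exactly this: the PIN is the signal.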


-> /r/thathappened


It probably depends. There are no official Apple repair shops here, but some partners. Some years ago I had to replace a battery on my mother's Apple laptop and one of them refused to replace the battery if I didn't give them the admin password. I had to make a full backup, erase all data and restore it after the battery replacement. I haven't had such an experience with the other Apple repair shop here.


I've had two macs repaired - once at an apple retail shop, and once at an "authorized repair" place. I either wasn't asked for a password, or they asked but made it clear they didn't need it. Of course I would never give it. Maybe that's not the norm.


In my experience, they’ve always asked, but I’ve always refused and they say OK, actually we can boot a test image another way (like their diagnostics thing that they boot from the network to run tests while you’re there).


Since they don't need it, they shouldn't even be asking in the first place.


When I worked there back in the day, it was mostly a pro-active thing, especially for any repairs that weren't obvious hardware faults so that when/if something was fixed, we could validate that it was fixed for the actual user too. Customers for some reason I can't fathom (/s) absolutely hate it when they drop a machine off for repair, we "fix it" (by which I mean, do whatever or nothing and find that it works in a clean test image) and then when they take it home / turn it on at the store the problem remains because the issue was either software to begin with or a combination of hardware/software.

They equally hate the "we told you your computer would be ready in 3-5 days, but we haven't been able to reach you for the last 5 days to get your password since we determined it was a software issue and we couldn't go any further so it's still going to be another few days" experience.

So the default was to ask to make the experience as smooth as possible. But we were never instructed to pressure someone into giving up their password, just that we inform them upfront that without it all we can do is boot a test image to validate and that there's always the possibility software may play a part and still be a problem and we would want them to boot and confirm before leaving when they come to pick it up. Guest accounts were fine too. As was the customer giving us a formatted machine if they wanted. That was usually the best of the options because if the issue was present in a freshly formatted machine, we already rule out most / all of the software and we didn't have to deal with data loss issues (more than one customer signed the "I know I will likely lose data in this hard drive repair and I have a backup" line and then still pitched a fit when they did indeed lose data).

Apple had very strong rules about customer data privacy and snooping around was a good way to get fired (and I knew one person who did get fired for it). In fact, I've worked in health care and frankly Apple's rules for data privacy and secrecy (both theirs and their customers') were far more stringent than the health care job. HIPAA says protected info is any combination of identifying information AND medical information[1]. So your address and phone number, not PHI. A list of all your medications with nothing that identifies you, also not PHI. Technically your list of medications with your "patient number" could also be "not PHI" if there is no reasonable way for the patient number to be tied to identifying information without having access to the other protected data. At Apple, all data was considered private and confidential and anything that wasn't required to be kept for record keeping was to be shredded when it was no longer needed, regardless of whether that data could have ever been connected back to a customer.

Not to say that people don't abuse their access (again I knew someone who got fired for that), but at least in my time there they were very serious about only using the least access you needed and never told us to give anyone a hard time about wanting to keep their data private.

[1]: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/un...


The shop can only be as serious about privacy as the local manager of that location is. Sounds like your manager was a mensch, but I would imagine (and the study indicates) most are not.


Agreed that (especially at scale) you're only as good as your local management is. But there's something to be said about company culture too, and Apple's infamous secrecy permeated all parts of the culture to apply to all data, not just Apple proprietary data. A manager that allowed employees to get away with snooping would have at the time found themselves just as fired as the snooping employees if/when word of that made it to the regional managers.

Whether it's still like that I couldn't say. From the outside, it certainly seems like some of that infamous secrecy has been toned down. Though whether that's culture/company change or the nature of being so big that even the smallest parts of your supply chain make noise I couldn't say. At the size and rate they've grown the retail business, there's also the possibility of just hiring so many "warm bodies" that embedding that culture is more difficult too.

And being fair to this study's subjects, I'm not sure you can even say much about the managers themselves. This sort of thing would be exceptionally easy for any half way competent tech to do without tipping off their manager. Apple might have the power and clout to heavily restrict what devices you bring into the back rooms, but I suspect your average local tech shop isn't doing bag checks and device checks on their employees. Who's really going to question the local tech carrying one more thumb drive than normal? And since these are customer machines, it's not like you have corporate MDM software installed that can report when an external storage device is plugged in.


Yep, except this one 3rd party repair shop insisted on my password to my drive just for a screen clamshell assembly (MacBook) and keyboard replacement.

I let him watch me type it in (on a cracked screen with a broken A key) and then proceeded to erase all partitions before I left it with him.

It was preset to "fuck you", just in case.

(You do do backups, don't you?)


Apparently you are a very advanced user. 99% of the time users want, explicitly or implicitly (more often the latter, and they get sad or mad if that implicit expectation is not met), you to return their devices with all their files intact. So the technician needs access to dump their files and put them back in after re-installing the OS. Advanced users just back up and wipe their data themselves before they hand the computer to the service.




Don't understand the downvotes.. you gotta vote with your wallet. Anyone asking for a password immediately loses all credibility in my eyes.

And besides, Apple churns out a lot of hype around their good privacy policies; it is good to know that not everything is gold dust when it comes to them.


Because the solution is pretty clearly “say no”. It’s a weird policy that they’re allowed to ask, but that’s about it.


If you know that that is an option. How is that not a dark pattern?


There have always been stories about Geek Squad and other places saving customers' files for their personal use, reporting customers to the police for content found on their drives, or handing customers' data over to the state. I doubt the government or the repair shops have any interest in putting a stop to it.

Any time I've had to take my PCs in for something I pull out the hard drives before driving them over. As long as the machine can POST, I can take care of the rest. It gets a lot trickier with other devices though. I can't imagine trying to pull the storage out of laptops, tablets, cell phones, or game consoles.


For all those old devices, just shred them. Problem solved.


I recently sent my Steam Deck for RMA, and interestingly in the packing instructions to send it, Valve tells you to do a factory reset. Which I did.

First I thought it was to simplify their tests when they get it, but now I'm thinking it could be to make sure technicians don't have access to my personal data.


Samsung added a maintenance mode enforced by their Knox hypervisor you can enable before handing a device off for service.

https://news.samsung.com/global/samsung-releases-maintenance...


Yes, but like most of these "provisions" it assumes that the device is working to be able to set/enter that "maintenance mode", so it is really a "maintenance mode" as opposed to a "repair mode".

If you have a broken (black) screen or touch not working or if the device doesn't boot properly it is useless.


Anybody interested in watching electronics repair videos, I highly recommend the YouTuber NorthridgeFix https://m.youtube.com/@NorthridgeFix I cannot recommend his videos enough. So fun to watch and see we don’t need to throw every device that breaks into the garbage. If I were to need something repaired he is the guy I would send my stuff to.


NorthridgeFix is known by other repair professionals as a hack who makes his money selling rebranded Chinese tools. You can read recent poor experiences people have had with his business here: https://old.reddit.com/r/all/search/?q=northridgefix&sort=ne...


You know, I've actually taken devices to his shop personally. These were one-of-a-kind devices with pretty serious soldering challenges, and he fixed them same day. So he's at _least_ as competent as he presents on video, not a "hack".

Rebrands Chinese tools? That's most of the electronics repair industry. It's a side business for him.


I have over a decade of experience manufacturing medical, aerospace, and military electronics and I will say authoritatively that he is a hack. His main income stream is from selling Chinese tools (which are garbage), followed by YouTube ads, followed by repairing devices. Just because he fixed something you believe to be difficult the same day does not make him competent.


That is kind of disappointing to see. I’ve been watching him for maybe a couple of months now and really enjoyed watching him repair things. I wonder if there are any similar creators with electronic repair content.


Sad as it is - there is a lot of corruption in the repair industry, with this only being one facet of the issue. It’s why companies like Apple look on R2R activists like Louis Rossmann with pity internally but won’t budge.


How does R2R relate to privacy violations during repair? Apple repair techs can snoop on user data more (i.e. pressure users to hand over admin pw, as reported in this thread) as long as we can't easily swap a MacBook hard disc ourselves.


One of their favorite methods to fight and denounce independent repair shops is to suggest that those repair shops could snoop through user data, or more generally that independent repair means no control and oversight. Basic FUD. The US car lobby went even farther by producing an ad that implied independent car repair makes you an easier target for stalkers and sexual predators[0].

Of course all those efforts are kind of hampered when authorized repair shops mess up. Like that time when an Apple repair tech uploaded a customer's selfies and sex tape on Facebook[1].

[0]: https://www.vice.com/en/article/qj4ayw/auto-industry-tv-ads-...

[1]: https://nypost.com/2021/06/07/apple-settled-after-repair-tec...


It seems like it's not a bad move to replace your hard drive with an empty one before you turn it over for repair. Too bad these new "privacy focused" Macs don't let you do that anymore. Maybe you can use an external SSD as your main boot disk and storage volume and not keep anything on the internal SSD.


This paper seems like it could really benefit from peer review. The sample size seems to be very small and it seems to ignore that people are more likely to respond to such a survey if they had a bad experience. (Arxiv is a preprint server; the materials uploaded there have not been peer reviewed.)


I was shocked by section 5. It's not just a survey, they imaged laptops with fake personal data that matched the persona (male or female).

For the female persona look at how many times the local shops went digging for private data.

Sure the sample size is small but it is still a random sample so the data is worrying. Even more worrying is the shops that claimed the systems had viruses and they installed antivirus software - conveniently the paper authors weren't able to find any activity log data on those machines. That suggests that some repair techs are actively cleaning up their tracks.


> Even more worrying is the shops that claimed the systems had viruses and they installed antivirus software - conveniently the paper authors weren't able to find any activity log data on those machines. That suggests that some repair techs are actively cleaning up their tracks.

This is the conclusion that the researchers imply, but keep in mind that these computers did have malware on them: the spyware the researchers planted there! As a former repair tech, if I’d seen something writing screenshots and activity logs to disk (we would use, among other things, Sysinternals tools like procmon to look for malware) I would definitely be deleting that.

Regardless, the fact of the matter is that a negative finding in this study is meaningless, since the laptops could have had the disks removed and imaged separately, or the techs could have booted a live USB to copy off files. The researchers’ spyware would not have noticed in these cases. It is concerning to me (in terms of the quality of the overall research) that this is not mentioned in the limitations section of the paper given how obvious it is.


> [...] keep in mind that these computers did have malware on them: the spyware the researchers planted there! As a former repair tech, if I’d seen something writing screenshots and activity logs to disk (we would use, among other things, Sysinternals tools like procmon to look for malware) I would definitely be deleting that.

I don't think that you as a repair tech are entitled to manipulate any software installed by the owner. Even if your order covers malware removal and you see such activity and you suspect that it wasn't installed by the customer, you should contact them first, simply because such software isn't malware by definition (only in case it is installed against the owner's/user's will).


It may very well be that these things happened, but making sweeping statements about an entire industry based on such a low sample size is problematic to say the least.

In light of the lacking sample size, one might possibly argue that it's just as likely to happen with vendor repair, as illustrated in this case: https://www.telegraph.co.uk/business/2021/06/06/apple-pays-m...


I skipped the survey section. Did it add anything interesting to the paper? The finding that five of the six repair shops they went to violated their users' trust and snooped on devices was bad enough for me.


Ideally every device should store all the user-related data on an easily removable storage module (i.e. SSD/SD) separate from the OS files.


If you work at some retail electronics hellscape long enough I'm sure even Mother Teresa would eventually give in to the temptation to supplement her income by selling customer data, or at least alleviate boredom by browsing pics. I guess I trust Apple's FileVault enough that I'll allow them to repair a laptop without a password. I've had two Apple laptops fixed and to their credit they didn't even ask for the password.

I would never give a repair place a password though. It is better to just buy a new device.


That's horrible. The most surprising results are in section 5, especially claims that technicians copied files from the repaired devices.


I used to think that people wouldn't do these things, but some do them regularly and unapologetically.

I once caught a car technician from a reputable dealership's service taking my car out for personal chores, as the guy did not even unplug my dashcam. I had a rude awakening when I realized these things aren't just urban myths but that they do happen. Some people have no qualms about taking advantage of our unattended things. Of course, this is an anecdote with a sample size of 1, and I can't speak about how often these things happen.

But I'm honestly not that surprised to read section 5 in this paper. Not even surprised to see that there was no attempt to cover tracks on most laptops.


A mechanic taking a car for a ride is at least plausibly productive; the mechanic tests the car out to make sure it's running well, no weird noises/etc. Of course if you just brought the car in for an oil change and not asking them to investigate a weird intermittent noise, I can see why you'd be upset.


Yes, it could be justifiable for some reasons.


Yep, I thought the same way. I.e. most people won't ever do it.


Taking a car for a ride makes sense conceptually. Came across the same behaviour myself recently.

But what does a technician get out of copying my porn collection?


There are documented cases of repair people copying off users' nudes.


During the so-called "Fappening" one of the rumours about the source of the photos was a group of Geek Squad type tech support employees that were trading the photos that they pulled off of devices in their care. According to that theory the ages of the photos were mixed because that group had mostly kept them to themselves until the large leak of the whole corpus.



I can't help but feel a little suspicious of the motives behind this. Beware the anti-right-to-repair activists.


Funny, I feel the opposite way about it. If I can't repair my own stuff and I have to send my phone to Google, who knows what Google's doing with it


These arguments rely on the person making them to act incredulous if you suggest that a company like Apple would do anything unsavory. There's an entire school of rhetoric dedicated to conflating "companies securing their trillion dollar bottom lines" with "end-user security", when the two are almost always orthogonal.


Google already knows everything of consequence on your phone.


not true. they do not have private conversations nor local images


More likely to have cloud features enabled than not.


It'll be a nice study to cite when trying to convince friends that (a) they must use full disk encryption/have a good backup strategy; (b) it is a good idea to do a factory reset before sending in a device for repair (if applicable); and (c) it can make sense to discard a device rather than give up its PIN/etc.


An addendum to (b) is that a factory reset sometimes isn't enough, considering it's still possible to image a drive after file deletion or formatting to recover "deleted" data.


Oh, absolutely! We should always combine (a) and (b) so that factory reset is implemented as wiping of the keyslots.
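The reset-as-keyslot-wipe idea in the comments above, as an added example that is not part of the thread or the paper: a toy model of a self-encrypting volume whose data-encryption key (DEK) is wrapped by a PIN-derived key and stored in a header "key slot". The HMAC-SHA256 counter keystream, the PBKDF2 iteration count, the `FSv1` filesystem marker and the `EncryptedDisk` layout are all constructed stand-ins for illustration (a real disk uses AES-XTS and a proper unwrap with integrity); only the standard library is used.

```python
"""Toy crypto-erase: compare a 'quick format' reset with wiping the key slot.

Added example (not from the thread or the paper). Standard library only.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

MAGIC = b"FSv1\x00"  # constructed filesystem marker, so we can tell data from noise


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Constructed stand-in for the AES-XTS a disk uses."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kek_from_pin(pin: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's PIN (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


class EncryptedDisk:
    """Header (salt, nonce, key slot) plus one ciphertext blob. No sectors, no integrity."""

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        self.ciphertext = b""
        self.dek: Optional[bytes] = secrets.token_bytes(32)        # data-encryption key
        kek = kek_from_pin(pin, self.salt)
        self.keyslot = xor(self.dek, keystream(kek, b"slot", 32))  # DEK wrapped under KEK

    def write(self, data: bytes) -> None:
        assert self.dek is not None, "volume is locked"
        pt = MAGIC + data
        self.ciphertext = xor(pt, keystream(self.dek, self.nonce, len(pt)))

    def quick_format(self) -> None:
        """A 'reset' that only forgets the mounted view. Ciphertext and key slot remain."""
        self.dek = None

    def crypto_erase(self) -> None:
        """Reset done right: overwrite the key slot. Without the DEK the blob is noise."""
        self.keyslot = bytes(32)
        self.dek = None


def unlock_from_image(disk: EncryptedDisk, pin: str) -> Optional[bytes]:
    """What someone holding a raw image of the disk *and* the PIN gets back."""
    kek = kek_from_pin(pin, disk.salt)
    dek = xor(disk.keyslot, keystream(kek, b"slot", 32))
    pt = xor(disk.ciphertext, keystream(dek, disk.nonce, len(disk.ciphertext)))
    return pt[len(MAGIC):] if pt.startswith(MAGIC) else None


def demo(pin: str = "1234", secret: bytes = b"tax return, photos, ...") -> Dict[str, Optional[bytes]]:
    """Three recovery attempts against two differently 'reset' volumes."""
    a = EncryptedDisk(pin); a.write(secret); a.quick_format()
    b = EncryptedDisk(pin); b.write(secret); b.crypto_erase()
    return {
        "quick_format_with_pin": unlock_from_image(a, pin),    # still readable
        "quick_format_wrong_pin": unlock_from_image(a, "0000"),  # noise
        "crypto_erase_with_pin": unlock_from_image(b, pin),    # noise even with the PIN
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result!r}")
```

The point of the model is the last line of `demo()`: once the slot is gone, handing over the PIN (or having it guessed offline, which matters with a four-digit PIN) no longer helps anyone with a copy of the disk. A quick format leaves both the ciphertext and the wrapped key in place, so it protects nothing against a technician who is given, or coerces, the PIN.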


By all means be suspicious of both sides. “My enemy’s enemy is still my enemy” after all.


"Researchers are proposing a logging program that cannot be disabled by the repair technician. It would be clear if the logs were deleted by the technicians."

Nice, now we just need EU getting together and creating a new law forcing that all hardware should have such capability /s
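What "it would be clear if the logs were deleted" can and cannot mean in practice, as an added example not taken from the paper or the thread: a hash-chained activity log in which each entry commits to the previous chain head, so the owner who writes the head down at handover (and whose agent pushes later heads off the device) can tell edits, removed entries and truncation apart from an intact record. The `ChainedLog` format, the event names, the timestamps and the 60-second heartbeat are all constructed for illustration.

```python
"""Tamper-evident activity log for a device handed over for repair.

Added example (not from the paper or the thread). Standard library only.
"""
import hashlib
import json
from typing import Dict, List

GENESIS = b"\x00" * 32


def link(prev: bytes, rec: dict) -> bytes:
    """Chain head after appending `rec`: SHA-256(prev_head || canonical JSON of rec)."""
    payload = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev + payload).digest()


class ChainedLog:
    def __init__(self) -> None:
        self.records: List[dict] = []
        self.head = GENESIS

    def append(self, ts: int, event: str, detail: str = "") -> bytes:
        rec = {"seq": len(self.records), "ts": ts, "event": event, "detail": detail}
        self.records.append(rec)
        self.head = link(self.head, rec)
        return self.head  # what the agent would push off-device after each write


def verify(records: List[dict], anchors: Dict[int, bytes], max_gap_s: int = 60) -> List[str]:
    """Replay the chain. `anchors` maps a record count to the head that was saved
    off the device at that point (at handover, plus whatever the agent last pushed)."""
    problems: List[str] = []
    head, prev_ts = GENESIS, None
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            problems.append(f"record {i}: seq {rec.get('seq')} (entry removed or reordered)")
        if prev_ts is not None and rec["ts"] - prev_ts > max_gap_s:
            problems.append(f"record {i}: {rec['ts'] - prev_ts}s of silence (agent stopped? other boot media?)")
        head = link(head, rec)
        prev_ts = rec["ts"]
        if (i + 1) in anchors and anchors[i + 1] != head:
            problems.append(f"record {i}: head differs from anchor at {i + 1} records (edited or replaced)")
    for count in anchors:
        if count > len(records):
            problems.append(f"truncated: anchor exists for {count} records, only {len(records)} present")
    return problems


def scenarios() -> Dict[str, List[str]]:
    """Constructed timeline: owner's heartbeats, handover, a technician session."""
    log, t = ChainedLog(), 1_000_000
    for k in range(5):
        log.append(t + 30 * k, "heartbeat")
    handover = {len(log.records): log.head}            # owner writes this down (5 records)
    t += 150
    log.append(t, "login", "user=repair")
    log.append(t + 20, "open", "C:/Users/owner/Pictures")  # the entry a snooper wants gone
    log.append(t + 40, "heartbeat")
    log.append(t + 60, "logout")
    pushed = {**handover, len(log.records): log.head}  # agent pushed the final head (9 records)

    intact = [dict(r) for r in log.records]
    deleted = [dict(r) for i, r in enumerate(log.records) if i != 6]
    edited = [dict(r) for r in log.records]; edited[6]["detail"] = "C:/Windows/Logs"
    wiped_session = [dict(r) for r in log.records[:5]]  # technician deletes everything after handover
    return {
        "intact": verify(intact, pushed),
        "entry_deleted": verify(deleted, pushed),
        "entry_edited": verify(edited, pushed),
        "session_wiped_handover_anchor_only": verify(wiped_session, handover),
        "session_wiped_with_pushed_head": verify(wiped_session, pushed),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(name, "->", problems or "OK")
```

The fourth scenario is the caveat the thread raises: with only the handover head, a technician who deletes every post-handover entry leaves a chain that verifies cleanly, because a hash chain proves prefix integrity, not completeness. Detecting tail deletion needs the newest head anchored somewhere the technician cannot reach (pushed to the owner, or a monotonic counter in secure hardware), and none of this sees a disk that was pulled and imaged on another machine, which the agent never observes.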


One time I didn’t have the time to fix my PC myself so I took it to Fry’s. The tech was bemused when my answer to if I had backed it up was that I had pulled the drives. They did fix it though.


I remember remarking I felt unethical investing in anything but index funds after doing a volunteer help desk freshman and sophomore year of college.

People disclose a lot by accident and you can not repeat what you see but it’s hard to forget what you’ve learned.

(It’s partly why I didn’t want to be a systems admin or forensics tech and focused on censorship circumvention.)


You did a stint on the helpdesk at your college? I can't quite tell what you learned -- did people disclose material non-public information to you and you were afraid the SEC might come after you for acting on it?


Maybe I’m phrasing poorly. More like you learn someone’s deepest hopes and dreams, the psychic “initialization vectors” that allow you to predict how they’ll act.

(And then by extension how large groups of people with similar backgrounds will act.)


Index funds are pretty much the only thing worth investing in, so in a weird way by trying to avoid "good" investments you probably saved yourself a lot of money. Also what school was it? I can't imagine a university is a hot bed of insider trading information. Certainly mine wasn't :) Or were you working off campus somewhere?


>Index funds are pretty much the only thing worth investing in, so in a weird way by trying to avoid "good" investments you probably saved yourself a lot of money.

On the other hand, I also used to joke “someone’s gotta adjust the Vanguard” back before I knew “Vanguard” was also the name of a neo-nazi group[1].

Someone has to at least pick high level things like the ratio of stocks to bonds, national to international, that sort of thing… and I’d remarked to many people in many contexts that one downside to index funds is that folks selling off shares might have a disproportionate effect on the market.

Especially if the person selling explicitly mentions they’re purposely selling over 10k’s worth to trigger a report to the feds, because they feel they’re facing persistent issues with irrational actors, so it’s time to get cash into your checking account in preparation for emigration, since the state refuses to honor its promises unless you make them think the alternative is… well go look at the returns for VASIX[2]since about October 2021 and use your imagination :-)

[1]https://en.wikipedia.org/wiki/Vanguard_America

[2]https://fundresearch.fidelity.com/mutual-funds/summary/92190...


Yet another way Apple protects our privacy - making their products impossible to repair!


And they are not shy of using that argument!

It is a go to answer when a company is asked why their product is not user serviceable, along with safety and security.


I wonder if there is any data referencing equivalent services in the EU.


A bunch of young, mostly male, underpaid, low-authority folks abuse their customers? Shocker. I mean, sure, we should expect better, but being surprised by this is naive. To the extent that you could once trust your sysadmin, those days are over, that culture is long gone. And even when that was a thing, there were still a bunch of creeps with root around.

This is why I fix my own machines, and replace phones when they break.


> being surprised by this is naive

I don't think surprise is the primary reaction here. If anything, this study is just confirming what has always seemed likely, but difficult to prove.


> A Bunch of young, mostly male, underpaid, low-authority folks abuse their customers

Are you assuming their gender or saying that if we had more females doing the work, there wouldn't have been customer abuse?


Neither. And when did you stop beating your spouse?


wow, not sure.. is the "good hate speech" allowed on HN?



