GNU social JP
Conversation

  1. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 01:50:10 JST

    2025 is turning out to be very meta so far. Good scoop by 404 Media.

    Gravy Analytics was the supplier of location data for the service that both Joe Cox and I wrote about recently at Babel Street that makes it simple to track the whereabouts of hundreds of millions of mobile devices just by looking at mobile ad data. They were recently sued by the FTC.

    Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data

    https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/

    https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-gravy-analytics-venntel-unlawfully-selling-location-data-tracking-consumers

    https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

    In conversation about 5 months ago from infosec.exchange permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 01:52:33 JST

      @briankrebs I'm confused how they end up getting so much location data. Are mobile carriers colluding with adtech industry to link up information (port and IP address used for ads -> subscriber id -> carrier location info), or is it just that Google and Apple have such bad permissions defaults/UX that junkware is able to access location unless you lock it down?

      In conversation about 5 months ago permalink
    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 01:59:04 JST
      in reply to Rich Felker

      @dalias It's basically the nature of the mobile ad ecosystem in general. When you visit a website with your mobile, in a microsecond the ability to place a certain ad in front of you is put out as an automated bid request to hundreds of ad networks that can all bid on the ability to show their ad. There is a robust market now of participants to this real-time bidding market that simply collect and resell all the live bidstream data, which can include the phone's unique ID, precise location coordinates, and enriched data from other marketing and advertising firms that provide more details about the user.

      If you're really interested in learning more about how it all works, you could do a lot worse than to read my linked story, which explains it in more detail.

      In conversation about 5 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 01:59:04 JST

      @briankrebs What I'm asking is the technical question of where the location data originates from.

      Is the user's phone doxxing them due to defaults or poor ux tricking the user into letting the adtech libraries integrated into junkware apps access location api?

      Or are they getting access to location from the carrier via some identifying info the carrier can resolve back to a subscriber id to dox them?

      In conversation about 5 months ago permalink

    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 02:02:52 JST
      in reply to Rich Felker

      @dalias There are a lot of self-interested parties to blame for this current situation. Among them are Apple and Google, for giving each phone a unique identifier for advertisers (IDFA) that could be used to track/differentiate users over time.

      In conversation about 5 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:02:52 JST

      @briankrebs Advertising IDs definitely can play some role, but they're not themselves a vector for leaking location, just linking up datasets.

      In conversation about 5 months ago permalink
    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 02:03:36 JST
      in reply to Rich Felker

      @dalias Some of this is from mobile apps which sell user location data. A lot of it is from mobile websites that share location data with advertisers.

      In conversation about 5 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:03:36 JST

      @briankrebs But none of those should have access to location to begin with. Unless they've exploited bugs or tricked the user (or exploited bad OS defaults) to have location permission.

      In conversation about 5 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:05:28 JST

      @briankrebs I'm not asking this to be difficult or to blame users for installing junk apps and not locking down permissions right.

      I'm trying to understand who the real culprits in leaking this data are, to know both who to target, and who is affected (like, are carriers doxxing us even if we have location properly locked down?).

      In conversation about 5 months ago permalink
    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 02:06:11 JST
      in reply to Rich Felker

      @dalias Yeah you're asking good questions, but afaict they are answered in the story I wrote and linked to. I realize it's long, but that's because it's also complicated.

      In conversation about 5 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:06:11 JST

      @briankrebs I didn't see answers but I'll re-scan or read it in detail again and see if I can find it. Thanks.

      In conversation about 5 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:15:47 JST
      in reply to Buccia

      @BucciaBuccia @briankrebs This seems like it's going to collect very limited data with a permission of "only while using the app".

      In conversation about 5 months ago permalink
    • Buccia (bucciabuccia@mastodon.social)'s status on Wednesday, 08-Jan-2025 02:15:48 JST
      in reply to Rich Felker

      @dalias @briankrebs You give location access to the app or site to get the weather, the embedded SDK passes the location to data brokers.

      In conversation about 5 months ago permalink
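
Added example, not part of any post in this thread: a privacy audit of one bid request of the kind described above, listing the fields that carry a device ID or location and where the coordinates came from, then producing a minimised copy. It assumes the request follows the IAB OpenRTB 2.x JSON layout (`device.ifa`, `device.geo`, `geo.type`), which the thread does not name; the sample request and the `audit` and `minimise` helpers are constructed for illustration.

```python
import json

# Constructed sample: a minimal OpenRTB 2.x-style bid request (not real traffic).
SAMPLE_BID_REQUEST = json.dumps({
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-000000000001",
        "ip": "203.0.113.7",
        "geo": {"lat": 38.8977, "lon": -77.0365, "type": 1},
    },
    "user": {"id": "exchange-user-42"},
})

# OpenRTB geo.type values: how the location was obtained.
GEO_SOURCE = {1: "GPS/location services", 2: "IP address", 3: "user provided"}

def audit(raw):
    """Return a list of (field, reason) findings for one bid request."""
    req = json.loads(raw)
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    findings = []
    if dev.get("ifa"):
        findings.append(("device.ifa", "advertising ID links requests over time"))
    if "lat" in geo and "lon" in geo:
        src = GEO_SOURCE.get(geo.get("type"), "unknown source")
        findings.append(("device.geo", f"coordinates from {src}"))
    if dev.get("ip"):
        findings.append(("device.ip", "IP address allows coarse geolocation"))
    if req.get("user", {}).get("id"):
        findings.append(("user.id", "exchange-side user identifier"))
    return findings

def minimise(raw, decimals=1):
    """Drop identifiers and coarsen coordinates before storing or forwarding."""
    req = json.loads(raw)
    dev = req.get("device", {})
    dev.pop("ifa", None)
    dev.pop("ip", None)
    req.pop("user", None)
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], decimals)
    return req

if __name__ == "__main__":
    print(audit(SAMPLE_BID_REQUEST), minimise(SAMPLE_BID_REQUEST))
```

A `geo.type` of 1 means the coordinates came from the device's location services through an app or site that held location permission; a value of 2 means they were derived from the IP address.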

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.