Interesting part from the Dutch version of the article:
Booking has never before encountered espionage. The company isn't really looking for it either. As long as it causes no hindrance, it costs no money. The unspoken consensus among specialists within the company is: we suspect that intelligence services are watching, but as long as we don't see them, we don't worry about it.
Which roughly translates to: "We are not looking for espionage, and if it doesn't hinder us, we don't care."
> Booking has never encountered espionage before. The company isn't really looking for it either. As long as it doesn't cause any hindrance, it won't cost you any money. The unspoken consensus among specialists within the company is: we suspect that intelligence services are watching, but as long as we don't see them, we don't worry.
What should make me believe that they don't have the same approach towards black hat hackers which are silently farming their data?
How are foreign intelligence services not black hats? They are stealing data in order to use it for any number of non-nice things. Not selling the data on the dark web doesn't bleach their hats.
They are definitely black hats. Intelligence services operating in foreign countries (physically or digitally) are by definition criminals, in that they are breaking the local laws where they are operating / accessing.
That they are doing it for a 'good cause' (often debatable) is somewhat irrelevant, that is a risk/reward calculation that the country/agency/spy needs to make themselves.
If a friendly country of the Dutch government wants to access records of a Dutch company (Booking.com), there are numerous legal methods to access this data. What's instead happening is that the CIA hacks NL companies and the Dutch RIVM hacks American ones and they share information/metadata with each other so that they can make an end-run around the legal constraints of both nations.
> the CIA hacks NL companies and the Dutch RIVM hacks American ones and they share information/metadata
The AIVD is the Dutch intelligence service, the RIVM is the public health institute. I don't think even the most out-there of Dutch conspiracy theorists have accused the RIVM of hacking American companies on behalf of the CIA...
Both intelligence agencies and cyber-criminals can be considered threats, but they are quite different. Intel agencies would present a serious threat to confidentiality, but are very unlikely to threaten the integrity & availability of business systems.
Illegal activities done with good intention (and usually outcome) are what the term "grey hat" is for. It would be fair to argue that's the correct term here for government agency hackers, but personally I don't have a strong enough stance on the subject to say either way.
The examples of the 'good guy' spies carrying out 'bad intention' activities are legion, and so the conclusion that trusting any covert intelligence organization is a good idea is extremely flawed.
There's a fair argument to be made that they're grey hat. On the whole though I agree with you and you shouldn't give blanket trust to people performing these kinds of activities. I would just assign a bit different value to a black hat activity (illegal and/or harmful and only beneficial by accident if at all) vs grey hat activity (illegal and potentially harmful but attempting to be beneficial).
Unless you truly believe that interfering with the results of a free election is for the better of the participants of that election, no that's a black hat activity. There's nuance here since you have to think about perspective, no one is a villain in their own eyes, but personally I find the most useful perspective for the kind of hat to be from the victim.
This line of thinking comes from buying into the narrative that America (and west) is by definition good and so their activities are fine no matter what. They hack and steal data, we are ok with it. It's extremely dangerous.
If intelligence agencies are after you, you've got way bigger problems than some fraudsters using your data for financial scams. It's the same reason smart lock hacks don't scare me... Anyone who is exploiting technology to gain physical access to my physical body is going to get me, regardless of whether I get hacked or not (e.g. thugs could just kick my door in, or wait outside and launch an ambush).
Even if a smart lock used ROT13 encryption, the easiest way to defeat it is still probably a mechanical attack. The state of mechanical security is a whole new level of weak.
My boss once bought a really expensive lock with a magnetic key. He was going on about how it was unpickable. When the key was forgotten one time, we found it could be opened by sticking scissors in and turning.
I'm not sure what the moral is. Your comment reminded me of this story.
My house has one sided locks all over it. Kids are constantly locking themselves out of rooms / bathrooms.
We use dry spaghetti to unlock them. Keep a few above the door frame.
I remember watching a Saturday morning cartoon of the 1966 animated version of the Incredible Hulk, where the evil mad scientist built this amazingly secure super-duper fancy high-tech Hulk-Proof Door that he was sure there was no way the Hulk could possibly open.
So the Hulk just knocked a hole in his stone castle wall next to the door, and walked into the lab.
I hope at least the garage door, doors, and all your windows have 'circuit breaker'-style sensors (inside the window frame) that trigger the alarm when it is activated.
Long time ago I had to upgrade my whole bloody alarm system of my old house because I wanted to insure a watch.
And if you ever accidentally lock yourself out, it's going to be a PITA. There's one good thing about Kwiksets -- you don't always need to call a locksmith if you lock yourself out :)
I would assume most are hackers for hire. Just because their customers are governments doesn't change the fact they're selling their wares and data found.
I mean, this is probably a subset of "I don't have anything to hide, so why do I care about privacy?" But I just went to California on vacation, and, sure, I'll tell the CIA all about it if they want to know.
And I'm one of the people who understands why privacy is important. (Or maybe, based on my previous paragraph, you'll conclude that I'm not, I just think I am.)
I don't know. It just... doesn't feel that intrusive, for some reason. Maybe because for international travel, I already have to use my passport, so they already know. (Yes, maybe it's a different "they"...) Maybe because there's already a "do not fly" list, so somebody's hitting that database every time I try to book a flight, and it wouldn't be that hard for them to log the queries against it. I don't know. But as I said, at least to me, this one doesn't feel that intrusive... and I can't really rationally explain why.
Maybe it's arrogance to assume that most people are no more paranoid than I am. But I think that means that most people probably aren't going to avoid booking.com because of this.
There are many other state actors who can do this, and they wouldn't necessarily have good intentions. Wouldn't it be great if you could use it to identify which PEP (politically exposed person) is using booking.com to cheat on their partner, and use this as leverage to drive through certain political decisions?
I agree most people aren't going to avoid booking.com, but that doesn't justify leaving your system vulnerable to advanced hackers.
I don't think anyone assumes the booking for their next family vacation or business trip can't be tracked. They use their credit card and their telephone number at least.
As for losing the customer base of drug kingpins and wanted terrorists, they're probably OK with losing them.
You are assuming that the only black hat hackers are "trustworthy" Americans. There is a list of countries where selling any of the collected data on the black market would either be condoned or actively pursued to maximise disruption. Would you be happy for a database of holidays to be sold to a crime ring to select their next best target for a burglary?
Or more realistically, would you be happy for such state actors to identify PEPs (politically exposed persons) who are potentially cheating on their partners and use this as leverage to drive through certain political decisions?
There is no such thing as a vulnerability that can only be abused by the "good guys".
Booking.com is kind of a Dutch company, at least the .com division, but it's actually owned by an American parent, "Booking Holdings", based in Norwalk, Connecticut.
It would have turned into one of the hundreds of articles about Russian, Chinese, Iranian, Ukrainian, North Korean, etc. hackers meant to solidify people's world view that we have a "good side" and a "bad side" of the world. The reality is that we have a "bad side" and a "worse side" but that's a hard pill to swallow for the regular person. Hence the deluge of articles meant to "straighten up" the view.
You’re mistakenly assuming that everyone sees intelligence services as bad, because as much as many people are concerned, “an enemy of an enemy is a friend.”
Nah - it is assuming they should be seen as bad actors and we would all be better off if they were all shoved feet first through a wood chipper but alas there is a tragic lack of identified targets, chippers, and people to shove them in.
We might get a couple or ten good years out of that, but it would leave an ecological void in human affairs to be filled in by bad actors. "Better the devil we know" is an unfortunately potent argument supporting the West's intelligence community.
Better legislation to restrain their abusive tendencies, and an endless global push for human rights, liberty, and human well-being is a solid long view, I think.
Lol you'd be surprised. Recently one large Dutch newspaper published a scathing report published by CapGemini (large consultancy in NL) that researched the security setup at the largest telco in NL (KPN). They found that Huawei was able to listen, read and do pretty much anything they'd like with the data. But this was quickly swept beneath the rug. So no, I am pretty confident that the attitude wouldn't be different if either of those state actors seem to be responsible.
Note that it uncritically accepts a report from 2009 which according to the company was meant to be a risk modeling exercise. The authors outright dismiss everything either KPN or CapGemini has to say themselves and do not even try to present mitigations that presumably have been put in place, changes in infrastructure since 2009 and other more contemporary reports.
For every newspaper article that covers actual US espionage, I can show you ten that speculate on the potential of espionage by Huawei and other Chinese companies.
I think we in Western Europe are kind of embarrassed by US surveillance and the fact that we cannot do anything about it.
That is why we try to ignore it and not talk about it.
This is one of those interesting lines of argument where you position yourself so that you can't possibly be proven wrong.
No one can prove you wrong when you claim that anyone with knowledge from the other side should be immediately discredited.
You mention sources, but if you discredit the first-party source out of the gate, what sources are even left?
Documents from the bank created by the people you discredit?
(I take no position either way, I'm just commenting because your comment amuses me.)
I have been working there. I don't work there anymore.
But I doubt that whatever I say could change your opinion, you seem to have your mind already made up.