Comment by xlii

3 months ago

You don’t need to upload a lot of data in order to have an illegal data stash, and there are creative criminals out there.

E.g. for GPS coordinates you need only 16 digits. Emojis are 8 bytes, so by selecting specific ones and adding a control character (or two) and ensuring the others stay in sequence, you can encode this data in.

And then I can only respond with „Did you read the article on ACME Times about a car riding a bike?” which is a simple pointer to a URL which you might check for the drop coordinates.

This way it’s also possible to provide encryption keys, URL serialization, cryptocurrency wallet pointers, etc. And sure, this seems complicated and dystopian, but when the government asks you to provide data on your users who committed hard crimes, it’s not really fun to be in a position where you say „I don’t know who my users are”.

From my experience, any service that allows anonymous write and anonymous read over long periods will sooner or later be used for illicit activity. It doesn’t matter if that’s 1 MB or 10 bytes.

Sure, I guess that could happen. Hacker News allows anon data uploads over long periods. How many online services actually do KYC if they don't legally have to?

Any motivated criminal could also just use a book cipher or any number of less trackable options.

The GET request does not return data in sequence, does it? Just counts for each emoji.

What exactly does the govt do if you do not have data they want? I assume if you run a service like this you would comply with any data retention requirements in your country and hand over logs - although older ones which you might have deleted to comply with other laws!

Unless you have ID verification, criminals can sign up with false identities.

  • > Unless you have ID verification, criminals can sign up with false identities.

    Having registration is enough to not be liable; that’s why everyone is doing that. You get subpoenaed, you give logs for the user that you have, case closed.

    Data can be linked to your server. If you cannot pass the torch, it’s you who will be investigated as a potential partner in crime.

Why not just use pastebin for a "hey I left ur drugs at this coord", or even just a plain ol' encrypted message over email, Signal, etc...? I'm a little lost here, probably due to naivete. Is the storage of URLs or crypto wallet pointers really the bottleneck for cybercrime?

  • Because that way it’s easy to track both the poster and the visitor (one could say that every visitor of such a URL was involved).

    Indirect communication shifts focus from channel to method. And if anyone can use the channel and anyone can read the message, then it’s impossible to pinpoint the true poster and the true recipient.

    E.g. a few years back I was helping fix a WordPress site which shared leaked CC through page visitor counters. Imagine proving anyone’s participation.

    And finally, I didn’t say anything about it being cybercrime; the cases I know of were related to identity theft, assets theft, extortion and illicit videos. Seized servers and personal computer for years.