Behind Grindr's Doomed Hookup in China(reuters.com)
reuters.com
Behind Grindr's Doomed Hookup in China
https://www.reuters.com/article/us-usa-china-grindr-exclusive/exclusive-behind-grindrs-doomed-hookup-in-china-a-data-misstep-and-scramble-to-make-up-idUSKCN1SS10H
36 comments
Bloomberg's 'Decrypted' podcast had an episode [0] about the company and founder behind Blue. They are also getting into the business of surrogacy abroad for gay Chinese couples. The interesting thing is that the company have managed to frame what they are doing as a business matter first and foremost. This is helping them avoid pressure from the government that are usually hostile towards LGBT causes.
[0] https://www.bloomberg.com/news/audio/2019-04-15/the-app-that...
[0] https://www.bloomberg.com/news/audio/2019-04-15/the-app-that...
I have Blued, but I barely use it as loading pics and messages on it is so sluggish. There's literally a spinning cursor that comes up for actions that should be quite trivial for the user.
The servers are probably only in the great firewall, so any outside of china connection will be make horrible on purpose by the chinese government.
[deleted]
I know a number of Tencent engineers through college and past tech job. There's this game among employees on certain teams - find compromising pics your ex has sent through WeChat messaging, and put them side by side with the screenshot of your ex breaking up with you (as in "who's laughing now").
I don't think this is a political / trade issue, but rather a difference in cultural norms. It strikes me when people outside of China willingly send their most private info (including nudes & PII) to WeChat, Grindr, Tiktok, or any other Chinese apps.
I don't think this is a political / trade issue, but rather a difference in cultural norms. It strikes me when people outside of China willingly send their most private info (including nudes & PII) to WeChat, Grindr, Tiktok, or any other Chinese apps.
I don't think it's a difference in cultural norms. It's just what happens if you give people access to production databases without oversight. Snapchat [1], Uber [2] and police departments [3] have had employees abuse their database access, and there are probably many more cases that didn't turn up in a quick search.
Whether or not a company has proper access control in place is mostly a function of whether they've had a scandal in the past that required them to lock things down. If it were widely known that Tencent employees are spying on WeChat users, they'd probably pretty quickly lose that access to stop the inevitable outrage.
[1] https://www.vice.com/en_us/article/xwnva7/snapchat-employees...
[2] https://www.nbcnews.com/tech/tech-news/uber-whistleblower-sa...
[3] https://apnews.com/699236946e3140659fff8a2362e16f43
Whether or not a company has proper access control in place is mostly a function of whether they've had a scandal in the past that required them to lock things down. If it were widely known that Tencent employees are spying on WeChat users, they'd probably pretty quickly lose that access to stop the inevitable outrage.
[1] https://www.vice.com/en_us/article/xwnva7/snapchat-employees...
[2] https://www.nbcnews.com/tech/tech-news/uber-whistleblower-sa...
[3] https://apnews.com/699236946e3140659fff8a2362e16f43
That’s profoundly horrifying.
In America, unauthorized dissemination of nude photos is both criminalized and widely reviled. What I don’t know is if it’s that difference or end to end encryption platforms that makes the difference.
In America, unauthorized dissemination of nude photos is both criminalized and widely reviled. What I don’t know is if it’s that difference or end to end encryption platforms that makes the difference.
There are entire websites dedicated to it, and the photographers/subjects willingly provide the data to companies like Facebook and Snapchat under permissive licenses (read the TOS!) in the US.
I am not sure the contrast between the US and China is quite as stark as you imagine.
I am not sure the contrast between the US and China is quite as stark as you imagine.
Story sounds made up. Definitely not an acceptable cultural norm in China.
Humans being petty and abusing their power for personal revenge has been a global cultural norm for how many millennia?
[deleted]
This data set will be a blackmail goldmine. I'd be shocked if the Chinese government hasn't already mined it for "discreet" users.
There’s so much throwaway data in there I’d be hard pressed to believe there’s much of value. They don’t even validate the users email beyond “contains @“.
I wouldn't be so sure. Grindr tracks users locations pretty precisely, and although many users hide their faces in profile pictures, many more demand a face be sent through direct messages, etc. If you have location and a face, and your target is even remotely popular, some internet sleuthing can put the rest together pretty easily.
How much of this can be validated and proven to not be a masquerade (fake pictures / profiles are ridiculously common, as are bot accounts on the platform) is anyone's guess, but for blackmail purposes, that doesn't really matter.
Given how the app is marketed, and how pervasive it is throughout gay culture in the US (pretty much everyone in that community at least knows about it, whether they use it or not) just being shown to have an account on the service carries a pretty strong implication that the user is seeking a hookup of some kind. Now imagine if the target is married, or they're a closeted politician... it's pretty easy to see how dangerous the dataset can be from there.
How much of this can be validated and proven to not be a masquerade (fake pictures / profiles are ridiculously common, as are bot accounts on the platform) is anyone's guess, but for blackmail purposes, that doesn't really matter.
Given how the app is marketed, and how pervasive it is throughout gay culture in the US (pretty much everyone in that community at least knows about it, whether they use it or not) just being shown to have an account on the service carries a pretty strong implication that the user is seeking a hookup of some kind. Now imagine if the target is married, or they're a closeted politician... it's pretty easy to see how dangerous the dataset can be from there.
There's also the matter of device finger printing. If a malicious actor can get you to install a less illicit app that can personally identify you, they can finger print the device and then do the same in Grindr and compare prints to find targets.
Yeah if you're doing dumb string matching. But they have access to all of the photos as well. So index all of the faces and then query it on the face matches, then pull the rest of the chats and dk pics.
Yes I know that not everybody sends face pics, but the majority do, and this is good enough to harvest for data.
Yes I know that not everybody sends face pics, but the majority do, and this is good enough to harvest for data.
Luckily (or not) database join with the OPM hack is trivial.
Anyone can just claim any image/video is a deep fake.
Guess who wins in a battle of hearsay against the Chinese Government.
The Chinese hacked the entire OPM database and siphoned of the data of all government employees. Hacked Marriot. It’s anyone’s guess how will they mine and use this information.
The entire CIA network in China was recently brought down from stuff like this while the agents of Chinese military are masquerading as innocent Chinese graduate students and copying University hard drives as fast as possible. My coworker from Carnegie Mellon described the situation years ago and it seems pretty grim.
Their intentions are pretty obvious. Use that data to identify intelligence sources to blackmail, find potential double agents to recruit, and stop potential infiltration into their own intelligence agencies.
It's easy to think of ways to combine all of these hack data streams into one database that can be cross referenced. You go to China on a visa, your entry to the country trips a flag in a system, and an intelligence agent shows up at your hotel to recruit you.
It's easy to think of ways to combine all of these hack data streams into one database that can be cross referenced. You go to China on a visa, your entry to the country trips a flag in a system, and an intelligence agent shows up at your hotel to recruit you.
i'm trying my absolute hardest to be constructive, but what in the hell are you smoking?
This sounds plausible when thought about in the context of cases that are publicly known: https://en.m.wikipedia.org/wiki/List_of_Chinese_spy_cases_in...
Sorry, have you not been paying attention for the last 10 years?
They didn't exactly hack Marriott. They hacked Starwood, which had been bought by Marriott. I don't mean to nitpick but there are far more Marriott guests than Starwood guests.
The Marriott system is still riddled with vulnerabilities. Had someone transfer 200,000 points out of my account recently. No way they stole my session cookie, and the password was very complex, unique to Marriott and generated / stored by LastPass. There was no attempt to change my password. Now what's interesting is that the points to airline infrastructure likely is a SPG legacy backend that is still running.
Most people who have workstation malware are unaware of the fact that they have workstation malware.
So assuming that his machine is compromised, the first method of attack was Marriott points? Sounds shockingly similar to the responses I got in a similar situation with my Bethesda.net account getting hacked. Again, complex PW from a manager. How likely is it that if someone gained access to that vault or my PC the first thing they would attack would be an account which only lets them gain access to a garbage fallout game and not my email/social media/bank account?
Considering the large amount of points in OP's Marriott account, I highly doubt that was the highest-value target available. Considering it's already known that parts of their network were compromised, Occam's razor points to this being a vuln on the hotel's end.
Considering the large amount of points in OP's Marriott account, I highly doubt that was the highest-value target available. Considering it's already known that parts of their network were compromised, Occam's razor points to this being a vuln on the hotel's end.
Sounds like they would be specifically targeted. It could be mailware that's delivered over the hotel's wifi or perhaps the maids dropping mailware on unattended laptops? If Marriott investigates this, they should look if similar incidents happened and correlate them with recent stays.
Woah. 200,000 points. Thats a lot of stays and or purchases. Did they acknowledge the theft ?
Far fewer is still: 343 million customer records, 25.55 million passport numbers (5.25 million in plaintext), 8.6 million encrypted payment cards.
https://www.reuters.com/article/us-marriott-intnl-cyber/marr...
https://www.reuters.com/article/us-marriott-intnl-cyber/marr...
Cat has left the bag. Database is probably already being matched with OPM hack etc to find the targets.
So some high profile US govt officials were at risk of exposure. Yet they’re happy to collect and use data of and against everyone in the world including their own so called citizens. (Subjects really.) Privacy for me, not for thee.
And grindr isn't obscure or known only among gays, I've heard it joked about on late night television and light-hearted NPR shows. It's part of the zietgiest whether you're in the target demo or not.
I guess the domain space is inherently regional since it's about meeting locals but I'm still continually amazed at how unknown some of the largest players are outside their market.
It's like the regional scooter/rideshare/delivery competitors. I listen to UK podcasts and they act like everyone on the planet has heard of and constantly uses a company named "Deliveroo", which I, even in the startup world had only maybe tangentially heard of, but not in any significant way. It serves in 14 countries and has 13,000 employees and 20,000 deliverers.