Since it'll be offline for a while, perhaps... Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years.
vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.
The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States. [...]
The law that Snyder signed in 2014, Public Act 345 of 2014, codified as section 445.1574 Prohibited conduct by manufacturer, has a lot of detailed regulations about how manufacturers may treat dealers. The requirement that manufacturers only sell through dealers is terse, and buried in the middle of it:
(1) A manufacturer shall not do any of the following: [...] (h) Directly or indirectly own, operate, or control a new motor vehicle dealer, including, but not limited to, a new motor vehicle dealer engaged primarily in performing warranty repair services on motor vehicles under the manufacturer's warranty, or a used motor vehicle dealer. This subdivision does not apply to any of the following: [...] (i) Sell any new motor vehicle directly to a retail customer other than through franchised dealers, unless the retail customer is a nonprofit organization or a federal, state, or local
government or agency. [...]
(There are several exceptions, some are grandfather clauses for pre-2000 manufacturer-owned dealers, the others don't appear to apply to Tesla.) Subsections (h) and (i) were present in the prior version of the law, so I'm not sure how old some form of that requirement is. The bill changed the tail end of subsection (i) from a reference to "the manufacturer's" dealers to "franchised" dealers, but the substantiative changes to the law were a new subsection (y) "Prevent, attempt to prevent, prohibit, coerce, or attempt to coerce a new motor vehicle dealer from charging a consumer any documentary preparation fee allowed to be charged by the dealer under the laws of this state" and a new section (3) "This section applies to a manufacturer that sells, services, displays, or advertises its new motor vehicles in this state".
That's one thing I thought of after I saw the announcement, but I doubt that's the primary reason. Probably the main reason is just that they want to avoid the service getting eaten up by people who don't even understand what the "quality" and "resolution" settings on their cameras or other camera-enabled devices mean. Even with Google's compression, I imagine it's not too hard to use steganography to fit the Constitution, or a chunk of the Bible, or most of 1984, or the Kama Sutra, or the technical plans for a planet-destroying battle station in an image.
If a service like Google, Amazon, Facebook, or Yahoo! resizes and recompresses the image data, that's one thing. If they start stripping iTXt chunks that contain copyright or attribution information, that could be a serious legal problem; likewise if they reduce quality so much that it obscures a watermark containing a copyright or trademark notice.
The first time, he makes a big deal about the address in question not being really his, but one he did use for WHOIS registration. I know there are people who have legitimate reasons for hiding their personal address when operating a controversial website, but the solution for that isn't to give a totally bogus address. Or maybe the CSA saw that it had been used as a "private" registration (not knowing it had been subsequently revealed) and assumed it was a relevant secret on that basis? And how is it's Amazon's fault if the address was used to cause the sending of a replacement credit card? Did the scammer rent a room at said hotel and request that the card be sent there?
The second time, he complains about the disclosure of the last purchased item and the shipping address. I'd say that the majority of the time when there's fraud, if the real customer calls in, he'd like to know where the item is actually going so he can include that in his police report. In spite of the scammer's attempt, the agent really didn't give out any useful information about the credit card.
The third time, we don't have a the transcript, so it's possible that the agent read off all the addresses, the AWS username, and all credit-card numbers ever associated with the account. More likely, the agent said, "I'm sorry, I can't give you that information. I can send a copy of your invoice to your e-mail address on file."
Even the last-purchased item is arguably sensitive. What if it's a bulk-pack of condoms, for example? Or (back to Amazon's roots) a book on the list of banned books? I'd encourage Amazon to close that hole, but I'm not sure I have a good solution.
No problem is so large it can't be fit in somewhere.