Living 20 minutes into the future. Eccentric weirdo. Virtual Adept. Time traveler. Thelemite. Technomage. Hacker on main. APT 3319. Not human. 30% software and implants. H+ - 0.4 on the Berram-7 scale. Furry adjacent. Pan/poly. Burnout.

I try to post as sincerely as possible.

  • 0 Posts
  • 82 Comments
Joined 1 year ago
Cake day: June 10th, 2023

  • Disclaimer: I am not a lawyer.

    I don’t know.

    If a company is dissolved before lawsuits or charges are filed, the argument could be made that the entity in question no longer exists and the filings are invalid. Just like you can’t sue somebody who’s dead. It might not hold up in court but I wouldn’t put it past some very expensive lawyers to try it anyway because it might work.

    This article says that “it depends.” There might be a period of time after a company dissolves that it can still be sued, namely, if the legal process to go about it wasn’t followed precisely. If there are no assets remaining sometimes the former owners can be sued. There is also the question of whether or not you’ll spend more on a lawsuit than you’ll get from the settlement.

    I just realized something: Most of the time when talking about stuff like this, people seem to implicitly be talking about getting some money out of it (as punishment, maybe). Rarely do folks ever talk about suing for the express purpose of preventing the thing (in this case, selling customers’ genomic information to third parties) from ever happening.

    This article talks about suing for undistributed assets. Suing to get your genomic data back and verifying that it’s been destroyed before it could be sold to anyone else is a possibility. It also talks about suing shareholders; if 23andMe is being delisted that seems like a legal gray area to be exploited: If a company is delisted are there still shareholders? Logically, yes (people hold worthless shares of stock in a company that doesn’t exist anymore) but legally? It might be state-dependent as this article suggests (per Favila v. Katten Muchin Rosenman LLP (2010) 188 Cal.App.4th 189, 213).

    Maybe under a quiet title action to get the genomic data back?


  • I’ve had bots scouting for such a thing for a couple of years. So far, we haven’t found any that aren’t way sketchy. Your best bet might be to social engineer the folks at a cellular biology lab at a big college or something, get them to sequence your DNA, and have them copy the data onto a flash drive or something. Then the trick is finding somebody who can analyze the data and make sense of it all.


  • The Doctor@beehaw.org to Privacy@lemmy.ml: Remember That DNA You Gave 23andMe?
    20 hours ago

    Let’s break this down a bit:

    There is a service that people are likely to use only once. Send them a DNA sample, they sequence it and send you a report. It is highly unlikely that customers are going to have their DNA sequenced repeatedly. The company fails to introduce any other services that lead to customers sending them more money.

    This means a revenue curve that goes up, plateaus, and then drops back down.

    It was all right there to begin with. The “good while it lasted” curve doesn’t take a lot of imagination.









  • The Doctor@beehaw.org to Privacy@lemmy.ml: Is TOR compromised?
    1 month ago

    Let’s see here…

    Potato Chat - This is the first I’ve heard of it so I can’t speak to it one way or another. A cursory glance suggests that it’s had no security reviews.

    Enigma - Same. The privacy policy talks about cloud storage, so there’s that. The following is also in their privacy policy:

    A super group can hold up to 100,000 people, and it is not technically suitable for end-to-end encryption. You will get this prompt when you set up a group chat. Our global communication with the server is based on TLS encryption, which prevents your chat data from being eavesdropped or tampered with by others… The server will index the chat data of the super large group so that you can use the complete message search function when the local message is incomplete, and it is only valid for chat participants… we will record the ID, mobile phone number, IP location information, login time and other information of the users we have processed.

    So, plaintext abounds. Definite OPSEC problem.

    nandbox - No idea, but the service offers a webapp client as a first class citizen to users. This makes me wonder about their security profile.

    Telegram - Lol. And I really wish they hadn’t mentioned that hidden API.

    Tor - No reason to re-litigate this argument that happens once a year, every year ever since the very beginning. Suffice it to say that it has a threat model that defines what it can and cannot defend against, and attacks that deanonymize users are well known, documented, and used by law enforcement.

    mega.nz - I don’t use it, I haven’t looked into it, so I’m not going to run my mouth (fingers? keyboard?) about it.

    Web-based generative AI tools/chatbots - Depending on which ones, there might be checks and traps for stuff like this that could have twigged him.

    This bit is doing a lot of heavy lifting in the article: “…created his own public Telegram group to store his CSAM.”

    Stop and think about that for a second.





  • It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.

    That’s kind of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.