Most active commenters

    ←back to thread

    Redbox left PII on decommissioned machines

    (digipres.club)
    294 points NotPractical | 15 comments | 16 Oct 24 00:15 UTC | HN request time: 0.628s | source | bottom
    1. jordigh ◴[16 Oct 24 02:43 UTC] No.41855104[source]
    Where does Foone keep finding this stuff?

    Earlier, Foone finds a NUC:

    https://news.ycombinator.com/item?id=41294585

    replies(5): >>41855984 #>>41856364 #>>41856898 #>>41864253 #>>41864689 #
    2. neonate ◴[16 Oct 24 05:49 UTC] No.41855984[source]
    https://news.ycombinator.com/item?id=41298430 had the comments
    3. raffraffraff ◴[16 Oct 24 07:08 UTC] No.41856364[source]
    I know an employee in an IT company. He told me that they have hundreds of decommissioned laptops and no time to wipe them. And they won't pay someone else to do it because it's too expensive. So right now they are in storage. If they go bust, the storage company will likely dump them.

    I've seen a lot of stuff in e-waste. There are several facilities within 5 miles of my home, and you can walk right in and drop off your old TVs, toasters and laptops in large metal bins. And if you have a quiet word with the attendant you can usually walk off with stuff that someone else dropped off. "Good for the environment mate! I can use this for parts!"

    If social engineering works at banks, you can be damn sure it works at an e-waste facility. And if that fails, a few bank notes help.

    I don't do this but I have intercepted e-waste coming from family and friends. In one case I found a treasure trove of photos from my deceased sister. Nobody had ever seen them before. I also found personal documents, internet history and saved passwords in the browser, which got me into her iCloud account which, until then, nobody could access. This lead to more photos and documents. And it was all destined for e-waste.

    replies(3): >>41856579 #>>41856796 #>>41864727 #
    4. michaelt ◴[16 Oct 24 07:44 UTC] No.41856579[source]
    > I've seen a lot of stuff in e-waste. [...] if you have a quiet word with the attendant you can usually walk off with stuff that someone else dropped off.

    In my country, there are specialist e-waste disposal companies large IT organisations can hire, which guarantee to remove and shred the hard drives before recycling the rest.

    replies(4): >>41856650 #>>41856682 #>>41857720 #>>41861897 #
    5. theshrike79 ◴[16 Oct 24 07:54 UTC] No.41856650{3}[source]
    "they won't pay someone else to do it because it's too expensive"

    This is the relevant bit. It's cheaper just to pile the old computers in storage vs doing something about it.

    6. Crosseye_Jack ◴[16 Oct 24 08:00 UTC] No.41856682{3}[source]
    >> And they won't pay someone else to do it because it's too expensive.

    Its not that such entities that will correctly handle the e-waste don't exist, its that the company doesn't want to pay to have it donem esp when storage is cheap, let those containers of old laptops and towers be someone else's (budgetary) problem.

    7. cpach ◴[16 Oct 24 08:21 UTC] No.41856796[source]
    Hopefully that company had enabled FDE on those laptops. (It still would be prudent to wipe them before recycling, of course.)
    8. hggigg ◴[16 Oct 24 08:39 UTC] No.41856898[source]
    I know someone who worked at a recycler who was paid to physically destroy and certify media as destroyed. It took time and money to destroy media so it just sat in a warehouse for months and the paperwork was lies. Eventually they went bankrupt and another company bought the stock and sold it on eBay by the palette load as is.

    The only companies that do a proper job are the ones that turn up to your office and shred the hardware in front of you. Paperwork is worth shit otherwise.

    9. BlueTemplar ◴[16 Oct 24 11:04 UTC] No.41857720{3}[source]
    I don't think that the people responsible for dealing with the mess left from bankruptcy are large IT organizations, they probably barely have the money to transport the waste to the nearest trash dump, unsorted, and forget about "recycling" now that poor countries are less willing to take the e-waste.

    Companies leaving their waste as someone else's problem to deal with is a common occurrence (heck, even before they go bankrupt), and in many cases they would never have existed in the first place if they had to pay for all of it, for instance :

    https://www.desmog.com/2019/12/20/fracking-oil-gas-bankruptc...

    (Note also that there are funds set aside for cleanup, but they are typically woefully insufficient.)

    How to prevent companies that are a net negative for society from existing remains an unsolved problem.

    (Aside of course from disallowing companies altogether, I wonder when is the point that the limited liability company as a concept is a net negative to society ? Could it be in the past already ? Of course comes the question of whether any alternative can have a positive contribution, in a context of overshoot...)

    10. adolph ◴[16 Oct 24 18:05 UTC] No.41861897{3}[source]
    > guarantee to remove and shred the hard drives

    Now that storage is often an indistinct chip on the motherboard, I wonder how that works.

    replies(1): >>41864141 #
    11. bombcar ◴[16 Oct 24 21:43 UTC] No.41864141{4}[source]
    About as well as it always did, which was some variation between “they shredded it whilst I watched” and “they probably wiped it before letting someone take it home” to “it shows up on eBay in three days untouched.”
    12. viernullvier ◴[16 Oct 24 21:57 UTC] No.41864253[source]
    In this specific case, they started digging through a HDD image that someone else pulled. They're still trying to get hold of an actual Redbox machine to investigate the hardware as well.
    13. protocolture ◴[16 Oct 24 22:52 UTC] No.41864689[source]
    I once worked on an ewaste shipment from a rail carrier.

    99% of the stuff they sent us was boring corporate desktops running standard, secure soe.

    1 laptop however, booted into windows with saved credentials, connected to a vpn automatically, logged into the rail companys in house software automatically, and began displaying what I can only assume was a live map of the rail network. Little green lines running along red lines, the green lines would come to junctions and stop. It had buttons. I think I shucked the hard drive and drilled it within 60 seconds and had the hardware completely disintegrated.

    One other time a games company that got liquidated sent us a pallet of computers that had source code for a relatively popular strategy game on the drives.

    Another games company shipped us their test kits one of which had a dev build of a relatively well known action adventure game. The warehouse guys would play the dev build of the game on their lunch breaks.

    Basically no one gives a shit.

    All of that before I worked for a business that stored their customer info including credit cards in plain text one dirwalk away on their public website. When we complained we were told that it was fine because they "encrypted" the card numbers. The encryption was adding 1 to the card number. I died.

    replies(1): >>41865584 #
    14. protocolture ◴[16 Oct 24 22:57 UTC] No.41864727[source]
    I am loosely aware of a time that a local bank performed a large data centre migration.

    They built new infrastructure at the new site, then just decommed the old building.

    Pretty standard stuff, but the old building was like, 1930s era or something. After the hardware was deracked, it was left in a loading dock, in a now abandoned building, behind an unlocked roller door for like 6 months before it was recovered for data destruction.

    15. nar001 ◴[17 Oct 24 01:28 UTC] No.41865584[source]
    I hope someone backed all of these up, they sound like a goldmine