If you check it with Tor Browser in a clean VM, you are not leaking much more than the plate number as such (which I wouldn’t say has the same sensitivity as a password) and the time of lookup. Obviously not safe to use this from your normal smartphone or home IP.
TragicNotCute@lemmy.world
on 14 Jan 18:00
collapse
We’re talking about a government sponsored surveillance operation. I promise you they already know which license plates belong to you. I’m not sure I understand the risk here.
What would you say is a better way to allow users to check if their password is in, last time I looked, over a petabyte of data breaches than to have them enter it?
For data leaks, haveibeenpwned only requires your email, and they send you a notification if it ever shows up. They don’t actually check passwords.
Unfortunately there’s no secondary info linked with a license plate that makes doing this sort of notification private without just downloading the full database locally.
And as far as I remember: only a hash of your password is sent. So, if the hash you sent matches something on their powned list, they’ll tell you. If it’s not on their list, then it is just a meaningless hash (your personal information was not exposed)
Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.
Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?
Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?
The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?
The sort of information they could gather from a site like this would be a list of license plates that somebody is worried about being tracked. I can think of several government organizations who would love that sort of information right now.
It’s a sort of Streisand effect
doodoo_wizard@lemmy.ml
on 15 Jan 03:24
nextcollapse
Yeah but do you think that a frontend that makes ten requests for tags, including somewhere between 3 and 6 tags in the db and between 3 and 6 tags not in the db with the actual tag the user wants to know about as well would add enough obfuscation to prevent that?
This site has data from the publicly shared information by Flock. I’m more than sure that any government organization already has the data. Also, your license plate is already public, meaning it’s visible on your car at any time. I don’t understand your fear about it being present on their database. (maybe I’m misunderstanding)
they have a list of their current collection of 239 .csv files but sadly don’t appear to let you actually download them to query offline
they now have 519 sources, some of which are downloadable from muckrock but many aren’t.
i still don’t understand why this website isn’t open source and open data, and i strongly recommend thinking carefully about it (eg, thinking about if you’d mind if the existence of your query becomes known to police and/or the public) before deciding if you want to type a given plate number in to it.
threaded - newest
Is this international or only works in one country?
Flock Safety operates in only one country.
The land of the free?
The most (data privacy) free (surveillance) state in the world!
I’ll be honest, I have more concerns about this site potentially logging my license plate than I do of someone having already looked it up.
It’s a little like if haveibeenpwned asked you for your password to check if it’s been leaked.
If you check it with Tor Browser in a clean VM, you are not leaking much more than the plate number as such (which I wouldn’t say has the same sensitivity as a password) and the time of lookup. Obviously not safe to use this from your normal smartphone or home IP.
We’re talking about a government sponsored surveillance operation. I promise you they already know which license plates belong to you. I’m not sure I understand the risk here.
the fact that they know your plate number is different than knowing if you (or someone) queried a website about which police queried flock about it
No see I got my license plates from the department of motor vehicles, not the government
That was my immediate thought as well.
What would you say is a better way to allow users to check if their password is in, last time I looked, over a petabyte of data breaches than to have them enter it?
For data leaks, haveibeenpwned only requires your email, and they send you a notification if it ever shows up. They don’t actually check passwords.
Unfortunately there’s no secondary info linked with a license plate that makes doing this sort of notification private without just downloading the full database locally.
They have an API for checking passwords I believe
And as far as I remember: only a hash of your password is sent. So, if the hash you sent matches something on their powned list, they’ll tell you. If it’s not on their list, then it is just a meaningless hash (your personal information was not exposed)
Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.
Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?
Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?
The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?
The sort of information they could gather from a site like this would be a list of license plates that somebody is worried about being tracked. I can think of several government organizations who would love that sort of information right now.
It’s a sort of Streisand effect
Yeah but do you think that a frontend that makes ten requests for tags, including somewhere between 3 and 6 tags in the db and between 3 and 6 tags not in the db with the actual tag the user wants to know about as well would add enough obfuscation to prevent that?
This site has data from the publicly shared information by Flock. I’m more than sure that any government organization already has the data. Also, your license plate is already public, meaning it’s visible on your car at any time. I don’t understand your fear about it being present on their database. (maybe I’m misunderstanding)
reposting my comment from the thread yesterday:
Yeah no way in hell should you use this the csvs should be public access. Anyone know if they’re floating around?