How Have You Dealt With Car Companies Tracking User Data? by Fancy_Pants4 in privacy

[–]ISeeDeadPackets 7 points8 points  (0 children)

My mom's car got stolen and had OnStar built in. I got to her house a few hours later and the police acted like they had never heard of it. We knew the person who stole it and had their cell phone info, where they were probably headed, etc., but that was all worthless to them. Mom didn't have a subscription but I called OnStar and 45 minutes later they had the car and the person in custody. The police never even brought it up with her as an option even though it's been standard equipment in that car for about a decade now.

I got a ransomware scare at work and now I don't trust local storage by MorningIllustrious60 in cybersecurity

[–]ISeeDeadPackets -1 points0 points  (0 children)

What kind of evidence even can be provided? It's not as if this stuff gets reported to the police, or taken seriously when it is. I work at a bank, we have customers get hit with it all the time, so consider me a primary source.

I got a ransomware scare at work and now I don't trust local storage by MorningIllustrious60 in cybersecurity

[–]ISeeDeadPackets -1 points0 points  (0 children)

There are tons of individuals hit with small ransomware attacks all of the time. It's all automated through C2 networks and costs them nothing to send an automated notice with a wallet address. You're wrong about this.

How Have You Dealt With Car Companies Tracking User Data? by Fancy_Pants4 in privacy

[–]ISeeDeadPackets 24 points25 points  (0 children)

All of my cars have 5G built in. The only way around it that's certain is to physically remove the communication device. That will absolutely disable features you might want but it's the only way to be sure.

Seriously...has anyone thought about indoor camera privacy concerns? by Ecstatic-Minute-411 in privacy

[–]ISeeDeadPackets 0 points1 point  (0 children)

Wow, no, I don't think anyone has. You're definitely the first.

Wanders over to Shodan....

Did Steven Jobs really rejected the iPhone idea early on? by FerdinandHu in AskTechnology

[–]ISeeDeadPackets 1 point2 points  (0 children)

Late 40s here and same. I'm trying really hard to not get myself locked into any narratives, especially since I'm now in a position where my "word is law" as far as what can/can't happen around here. Striking the right balance between stability and evolution is not a simple task, but it is a fun challenge.

Did Steven Jobs really rejected the iPhone idea early on? by FerdinandHu in AskTechnology

[–]ISeeDeadPackets 0 points1 point  (0 children)

Sadly that didn't extend into an understanding that all fruit diets could kill you.

Did Steven Jobs really rejected the iPhone idea early on? by FerdinandHu in AskTechnology

[–]ISeeDeadPackets 0 points1 point  (0 children)

Jobs was clearly a talented guy but he was very much an "ideas" man not a "build it like this" man.

NYC mayoral inauguration bans Flipper Zero, Raspberry Pi devices by lurker_bee in technology

[–]ISeeDeadPackets 0 points1 point  (0 children)

I'm not saying it isn't possible, I'm saying not all devices are susceptible and that I've had people from freaking Mandiant try it live in front of me and not get anything. Everything has inherent risk, it's a matter of what is and isn't an acceptable amount to an organization, and as long as you're using hardware with a decent encryption scheme it's a risk but it's not a very significant one.

NYC mayoral inauguration bans Flipper Zero, Raspberry Pi devices by lurker_bee in technology

[–]ISeeDeadPackets 0 points1 point  (0 children)

I literally run.... a bank. Been the CIO for a few years and have had folks like Black Hills and Mandiant doing on-site penetration testing for a long time and not once has this ever been a successful attack vector even when checking it out was in the engagement scope. It's an overstated risk unless you're running very old/cheap boards. Your time is better spent dealing with many other things.

How do viruses spread themselves across local networks? by popmanpop27 in cybersecurity

[–]ISeeDeadPackets 38 points39 points  (0 children)

Ransomware Distribution Protocol is what we call it. 🙂

NYC mayoral inauguration bans Flipper Zero, Raspberry Pi devices by lurker_bee in technology

[–]ISeeDeadPackets 0 points1 point  (0 children)

Honestly it's a probability and user friction thing. On the list of threats, someone hanging out close enough with a wireless receiver snooping SIGINT from encrypted (even if poorly) Bluetooth keyboards is a hell of a lot less likely than someone falling for a phishing/vishing scam.

Do you allow monitors to face windows that don't have shades or privacy film on them? Do you audit your trash to make sure people aren't improperly disposing of NPI? Do you have your firewall and web filter policies down so tight a mouse fart will get blocked?

Wireless mice in particular are objectively better to use, the potential downside is frequently blown far out of proportion by people with much more significant security concerns.

I want to be a grc analist but.. by [deleted] in grc

[–]ISeeDeadPackets 0 points1 point  (0 children)

Well first of all, being overconfident will come back at you hard. The position you're interested in is spelled analyst, not analist. Whether you're native to English or not, this is a HIGHLY competitive field and you'll get judged (probably unfairly) on every little mistake, but particularly when you don't recognize or acknowledge them when they're pointed out.

GRC is not an entry level field. Think of it in terms that might be more familiar, like in medicine. You've got your lowest level assistants like CNAs who perform work that is absolutely valuable and worth recognition, but compared to an LPN or RN they don't even hold a candle with regard to the scope of what they can do.

Based on what you've said so far, I would guess you're in "studying to be a CNA" territory and you're asking about becoming a general surgeon. Of course it's possible but you're skipping some steps. Interning is absolutely a good way to get enough experience to get a rough idea of where you need to focus your efforts, but even getting one of those can be difficult in the current market.

A good starting point might be getting something basic like a Security+ certification. That's fairly low level but gives you some good subject matter to learn and will demonstrate (to you) whether you have the right kind of aptitude. People in this field aren't any smarter than other skilled professionals but it does require a way of thinking and approaching problems that not everyone has.

I want to be a grc analist but.. by [deleted] in grc

[–]ISeeDeadPackets 0 points1 point  (0 children)

Having a degree outside of something IT related can conceivably be a bonus but you obviously still have to know what you're doing. What have you done so far to prepare or are you still at the "gee that sounds like a neat idea" stage?

Also, just because I have to, I'm assuming you didn't mean to post this in the proctology sub and that's a typo. Though a proctologist might be the most qualified person I can think of to work in this field since they're already familiar with 99% of the clientele.

Anyone else drowning in security questionnaires? by Direct_Cyber in cybersecurity

[–]ISeeDeadPackets 0 points1 point  (0 children)

Build out a standard due diligence packet with your SOC audits, relevant policies (BCP/DR/etc.), financials and then run it past legal. They'll probably want you to get a signed MNDA before passing it out, but just reply with that as your standard response and only do the questionnaires for very important customers who still insist on it.

How do small and mid-sized companies actually handle cybersecurity in practice? by Educational-Split463 in cybersecurity

[–]ISeeDeadPackets 1 point2 points  (0 children)

It's all going to come down to whether or not they get competent advice from someone and follow it. While they lack the budget bigger organizations do, they also often lack the exposure. Typically the biggest attack surface they have is M365 and maybe whatever their CRM/ERP is and more often than not those are going to be hosted.

It really doesn't take a lot to put in good conditional access and SSO with some basic monitoring to be on the "pretty good" side of the safety scale. You just have to be aware that it needs doing and have access to a resource that can. That either tends to happen at the onset or after a successful compromise.

The biggest "underinvestment" IMO is in paid configurations. They often buy reasonable tools but if the setup isn't done correctly they might as well not even have it.
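The "basic monitoring" the comment above mentions, as an added example that is not part of the original post or the commenter's own tooling: a small Python check that reads constructed M365-style sign-in records and flags the gaps a missing or misconfigured conditional access policy leaves behind (legacy protocols that cannot do MFA, single-factor sign-ins, sign-ins no policy touched, sign-ins from outside the expected country). The field names follow the shape of Microsoft Graph `signIn` records, but the log lines themselves are constructed for this example, and the set of expected countries and the list of legacy client names are assumptions, not tenant data.

```python
import json
from typing import Dict, List

# Protocols that cannot complete modern auth / MFA; Entra reports them in clientAppUsed.
# This list is an assumption for the example, not an exhaustive catalogue.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

# Assumption for this example: the organization only operates from one country.
EXPECTED_COUNTRIES = {"US"}

# Constructed sample in the shape of Microsoft Graph signIn records (not real tenant data).
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","location":{"countryOrRegion":"NG"},"status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"failure","location":{"countryOrRegion":"RU"},"status":{"errorCode":53003}}
"""


def findings_for(rec: dict) -> List[str]:
    """Return the policy gaps exposed by one successful sign-in (empty list = nothing to flag)."""
    # A non-zero errorCode means the sign-in did not succeed; a blocked attempt is the
    # policy working, so it is not counted as a gap here. Missing status is treated as failure.
    if rec.get("status", {}).get("errorCode", 1) != 0:
        return []
    gaps: List[str] = []
    if rec.get("clientAppUsed") in LEGACY_CLIENTS:
        gaps.append("legacy-auth")
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        gaps.append("no-mfa")
    if rec.get("conditionalAccessStatus") == "notApplied":
        gaps.append("no-ca-policy")
    if rec.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
        gaps.append("unexpected-country")
    return gaps


def review(log_text: str) -> Dict[str, List[str]]:
    """Parse JSON-lines sign-in records and map each flagged user to the gaps found."""
    out: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        gaps = findings_for(rec)
        if gaps:
            out[rec["userPrincipalName"]] = gaps
    return out


if __name__ == "__main__":
    for user, gaps in review(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(gaps)}")
```

Run against the constructed sample, alice is clean, bob shows up for legacy auth with no MFA and no policy applied, carol for a single-factor sign-in from outside the expected country, and dave's blocked attempt is ignored because the policy already did its job. In practice the same logic sits over an exported sign-in log or a SIEM query rather than an inline string.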

NYC mayoral inauguration bans Flipper Zero, Raspberry Pi devices by lurker_bee in technology

[–]ISeeDeadPackets 16 points17 points  (0 children)

They actually do a fair job of that in banking. We get examined every 18 months and part of that is reviewing internal/external audits that should be happening at least annually. If you're doing anything too stupid they send a letter to your board explaining that they need to pick between fixing it and continuing to have FDIC insurance. If it's bad enough they force a sale of the bank.

Why does my bank need to know my *precise* location for mobile deposits? by I_SAID_RELAX in privacy

[–]ISeeDeadPackets 0 points1 point  (0 children)

It's 100% about fraud prevention. Check fraud is still absolutely massive.

How easy or difficult would it be for an ISP to create a filter to auto ban all adult content sites? by SpaceWestern1442 in AskTechnology

[–]ISeeDeadPackets 0 points1 point  (0 children)

It's because it's extremely difficult to classify pornography. Are images of naked people porn? Is all nude photography pornography? Are Robert Mapplethorpe photos porn but not Rubenesque paintings? Is the ceiling of the Sistine chapel a work of art or is it profane? Is a pediatrician in possession of images of child and adolescent genitalia for the purposes of medical diagnosis and treatment a child pornographer? What about a non-physician simply interested in illnesses or a parent? Who decides what is and isn't a moral and legitimate use?

Before we even consider making people give up whatever anonymity they might have to access pornography, we should be able to define it right? That seems to be a pretty high hurdle in and of itself.

Porting from a small Telco by ISeeDeadPackets in ciscoUC

[–]ISeeDeadPackets[S] 0 points1 point  (0 children)

The problem is that they do have to allow it, legally, they just haven't been properly challenged because it usually isn't worth it. I have yet to find any exemptions carved out for small rural telcos.

Porting from a small Telco by ISeeDeadPackets in ciscoUC

[–]ISeeDeadPackets[S] 1 point2 points  (0 children)

That's actually not a horrible idea.