
Breach affecting 1M was caught only after hacker maxed out target’s storage - heshiebee
https://arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/
======
hn_throwaway_99
Given the fair assumption that any piece of data you give to a third party
system that has access to the internet will eventually be breached, I feel
like we need an entirely new system for data sharing.

The problem with most of these hacks isn't usually so much that the hacked
system itself has lots of valuable data, but that the data from the hacked
system can be used to hack into _other_ systems that _do_ have valuable data.
Just like we tell people to only use a different password per-site, we need
the option to essentially give only tokenized versions of our data to third
parties. We've started somewhat with tokenization in place of credit card
numbers, but we should be able to do this in many more areas.

There are obvious difficulties here regarding how we'd handle certain fields
(e.g. how do I calculate your shipping if I don't know your exact zip code),
but these should still be solvable problems.

The alternative of believing that every rinky dink (or non-rinky dink) site
out there will be able to keep your data secure is laughable.

~~~
pavel_lishin
> _There are obvious difficulties here regarding how we'd handle certain
> fields (e.g. how do I calculate your shipping if I don't know your exact zip
> code)_

Forget calculating shipping; how do you ship me my product _at all_ without me
giving you my address?

(A quick napkin sketch would be that I wouldn't, I'd give you a USPS reference
number, which you could use to calculate shipping costs as well as actually
mail me a thing; only the USPS would be able to link the reference number to
my physical location. There's almost certainly problems with this idea, which
is why it's a napkin sketch.)

~~~
hn_throwaway_99
"USPS reference number" seems like it could work relatively similarly to a PO
Box.

Main difference of course being that you want the ability to generate a unique
"PO Box" per merchant.

Of course, there is a 3rd party (the post office in this case) that would need
to know the mappings between real address and "reference number", but even in
the case the post office got hacked at least they would only get your _old_
mappings. Any new purchases would use new reference numbers.

------
social_quotient
Does the title bother anyone else? 1M what? People, records, a subsidiary of
3M.

~~~
jjtheblunt
"subsidiary of 3M" : made me laugh quietly.

------
erulabs
I’ve got a long running bet this is how AGI will be discovered as well. A full
disk alert will lead a tired sysadmin to ssh into an old R&D GPU system and be
greeted with “Hello, Dave”

------
kjaftaedi
Plaintext passwords in 2019... it hurts to read articles like these.

~~~
mattferderer
These are often found in log files when people get a bit too log happy.

I've seen many smart developers accidentally log a request in an API that also
happens to show the login credentials.
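
One defensive pattern for the failure mode described above, as an added example that is not code from the thread or the article: a Python `logging` filter that scrubs credential-bearing fields out of request log records before any handler writes them. The sensitive key list and the sample request are constructed for illustration.

```python
import logging
import re
from typing import Any

# Field names that must never reach a log line (constructed list; extend for your API).
SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "authorization",
                  "cvv", "card_number", "ssn"}
REDACTED = "[REDACTED]"

# Matches key=value, key: value or "key": "value" inside free-form strings
# (query strings, header lines, JSON bodies). Keys are case-insensitive;
# the value runs to the next quote, '&', ',', '}' or line end, so a
# multi-word value such as "Bearer abc" is redacted whole.
_KV_RE = re.compile(
    r'(?i)(\b(?:' + "|".join(sorted(SENSITIVE_KEYS)) + r')\b\s*["\']?\s*[:=]\s*["\']?)'
    r'([^"\'&,\r\n}]+)'
)


def scrub(value: Any) -> Any:
    """Recursively redact sensitive keys in dicts/lists and sensitive pairs in strings."""
    if isinstance(value, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return _KV_RE.sub(lambda m: m.group(1) + REDACTED, value)
    return value


class CredentialScrubFilter(logging.Filter):
    """Sanitises the message and its args before any handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.msg)
        if record.args:
            record.args = (scrub(record.args) if isinstance(record.args, dict)
                           else tuple(scrub(a) for a in record.args))
        return True  # keep the record; it is now safe to write


def render(msg: str, *args: Any) -> str:
    """Build a LogRecord as logging would, run the filter, return the final text."""
    record = logging.LogRecord("api", logging.INFO, __file__, 0, msg, args, None)
    CredentialScrubFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed request: the kind of line a "log everything" handler would emit.
    print(render("POST /login body=%s headers=%s",
                 {"user": "alice", "password": "hunter2"},
                 "Authorization: Bearer abc.def, Host: example.test"))
```

Attach the filter to the root logger with `logging.getLogger().addFilter(CredentialScrubFilter())` so every handler sees only sanitised records; the filter is a last line of defence, not a substitute for not logging request bodies at all.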

~~~
jacquesm
Even Google fell for that one recently.

~~~
NullPrefix
Didn't Facebook fall for it too?

~~~
EGreg
No. Never.

~~~
NullPrefix
Could "Never" be defined as a time frame from year 2012 to at least 2019?

[https://krebsonsecurity.com/2019/03/facebook-stored-hundreds...](https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/)

[https://www.theverge.com/2019/3/21/18275837/facebook-plain-t...](https://www.theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users)

[https://arstechnica.com/information-technology/2019/03/faceb...](https://arstechnica.com/information-technology/2019/03/facebook-developers-wrote-apps-that-stored-users-passwords-in-plaintext/)

[https://www.wired.com/story/facebook-passwords-plaintext-cha...](https://www.wired.com/story/facebook-passwords-plaintext-change-yours/)

------
ptah
> full payment card numbers

storing these in plain text violates PCI-DSS

~~~
garden3r
The article doesn't say that they were stored in plaintext. Still a PCI
violation though!

~~~
donarb
From the FTC complaint:

"... stored consumers’ personal information, including consumers’ SSNs,
payment card information (including full or partial credit card and debit card
numbers, CVVs, and expiration dates), bank account information (including
account and routing numbers), and authentication credentials such as user IDs
and passwords, in clear, readable text on InfoTrax’s network."

------
fgnkj
Reminds me of something similar that happened to me once a long time ago.

I hacked into a server. I wanted to take a copy of everything so I made a tar
of / to wget it to my computer later. Only that the disk was at >50% usage, so I
filled it by making the tar file. Everything stopped working with 0 bytes left
of disk space (I wasn't root), so I kinda bricked the machine. I had to walk
away in shame.

~~~
jacquesm
> I had to walk away in shame.

No, you'd have walked away in shame if you had walked away in handcuffs. Don't
do stupid stuff. IMNSHO you got lucky that the disk filled up before you could
notch up a(nother?) crime.

~~~
fgnkj
What happened is arguably more stupid: by filling up the disk, 1) they
definitely noticed, 2) I couldn't get what I wanted, and 3) I couldn't clean
up the logs after it. Thankfully I had covered up my steps (or, more probably,
the sysadmin was ashamed to see he had been hacked and chose to fix it and say
nothing).

~~~
jacquesm
I hope you learned and not just to use 'df' more often.

