
Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More - georgecmu
https://www.wired.com/story/dating-apps-leak-explicit-photos-screenshots/
======
whatever1
We need a certification org like ISO to look into the practices of any data
storing web service. Until recently we neglected it because the outsiders
thought that it is straightforward to do so, but time after time we see
ridiculous mistakes exposing sensitive data & passwords. This has to end
yesterday. It is fine to fall victim to an elaborate hacking attack and lose
customer data; it is not fine to not even follow a bare minimum of practices
to protect their data.

~~~
henryfjordan
I would like to see a Professional Personal Data Engineer license similar to
becoming a PE in other engineering fields that would specifically qualify an
engineer to build systems that contain PII.

Then if you have a data breach you can investigate and potentially pull the
license and assign personal liability similar to if a bridge fell over.

~~~
txcwpalpha
I've seen this comparison a lot and on some level I agree with the idea, but I
don't think the comparison is actually that applicable.

The big difference is that this isn't just "the bridge fell over". In the
case of a cyber attack, it's more like "a terrorist detonated a bomb on the
bridge and blew it up". And in such a case, I think it would be a pretty big
stretch to blame the engineer who designed the bridge.

~~~
majormajor
There's a scale, here.

"Someone crashed into the bridge support pillar in the median and the bridge
fell down" sounds like the fault of the engineer.

"A foreign nation sent a fighter jet" doesn't.

I don't have any ideas on how to have a reasonable standard of "this is the
sort of attack you shouldn't fall to," though. How do you keep this from being
years outdated very quickly?

------
sosuke
Looks like the developer in question took action to correct the situation the
same day they became aware of it. That at least is good.

If the data was never secured in the first place can you call it a breach?

They found this, great, was there any indication it was accessed directly
before that? Is that something that can even be investigated?

You find a door to the data unlocked. You open the door. Can you tell if
someone else had opened the door before you? Did you prevent 845 GB of data
being found by a black hat or did you find that data because of a black hat?

~~~
thephyber
> If the data was never secured in the first place can you call it a breach?

Yes. It's a "breach" even if just a security researcher found it. It's
sometimes even a breach even if only an employee found it (depending on the
specific role of the employee and controls on the data).

> They found this, great, was there any indication it was accessed directly
> before that? Is that something that can even be investigated?

You can be found "not guilty" by a jury, but that doesn't mean you are
innocent. Sometimes there just isn't enough evidence of the crime.

We should care more about whether a crime happened than we care about whether
we can prove the crime. In cybersecurity, not having enough logging should be
something along the line of negligence.

> Did you prevent 845 GB of data being found by a black hat or did you find
> that data because of a black hat?

I've seen it both ways. Some employees are diligent and go out of their way to
investigate proactively. Sometimes an employee only investigates if there is a
sufficiently suspicious finding. I've seen instances where the only hint that
a user breached a database was a SQL query error that got logged in an
application such that the app as designed couldn't generate that query.

~~~
sosuke
Thank you and thanks to the other replies. I don't often have a comment that
is so full of questions and speculative thinking as this one was.

Negligence makes sense in this case. Just thinking out loud now. If that were
made illegal/legal would software engineers need to be state/federally
certified having a license to code? Would they possibly need to carry
insurance like doctors do? Curious possibilities.

~~~
thephyber
> If that were made illegal/legal would software engineers need to be
> state/federally certified having a license to code?

Not sure. I've certainly entertained that possibility, trying to think about
the trade-offs.

In essence, programming is sometimes low level machine language or high level
scripting. I don't think writing formulas in Excel (or any other spreadsheet)
should be limited to just certified, licensed, and bonded Software Engineers.

> Would they possibly need to carry insurance like doctors do?

Software in the USA is not currently considered a "product", so it has no
legal requirement to carry warranty guarantees. If that legal requirement is
ever changed, or if a programmer works on a product which can cause loss of
life, either employer indemnification in the engineer's employment contract or
a professional insurance policy should be considered. That said, of all
programmers, this seems like a small subset.

------
csunbird
Another misconfigured S3 bucket, again? Really?

I actually lost count of this happening.

~~~
fragmede
If you're using AWS, where else would you put it? Fire up an EC2 instance and
obscurely store it in /var/www/?

These days S3 buckets start off private, and the AWS console warns you "hey,
the data in this bucket is publicly accessible, are you sure?"
Irresponsibility is irresponsibility, no matter the system being used. An SFTP
server can be configured with PermitRootLogin yes and PermitEmptyPasswords yes
so at some point it's not the software that's the issue.

~~~
Retric
Amazon allows S3 to be unsecured after multiple breaches. Simply the existence
of the option is a security issue.

PS: It's a basic question of convenience vs security. If you allow people to
lower security settings, they will. However, if Amazon only allowed the
unsecured option to be temporary say 24 hours then it would be less convenient
to leave things open.

~~~
Pfhreak
I used to agree with you, back when S3 defaulted to public or at the very
least made public a very easy checkbox.

These days it defaults to private and you have to click many warnings and
unhide options to even expose the public options.

That said, I don't know that many organizations practice good hygiene about
which buckets they use. Like they might just use 'the one bucket that we have
as a company' rather than separating their uses into many smaller buckets that
are appropriately access controlled.

------
coding123
I think to make some aspect of an S3 bucket public, you should be required to
type into a box: YES, PUBLIC

~~~
weikju
This is how it has worked since last year or so.

~~~
coding123
Aah, didn't know, I thought it was the other way around for some reason.

~~~
ashtonkem
Used to be the other way around, IIRC.

------
antibland
Tech shops keep asking for more and more, beneath the ever-widening "full
stack" moniker, and we developers do our best to oblige them. But, clearly,
critical decisions are being made (or not) by people who are inexperienced yet
afraid to ask for help. Maybe it's time to hire more "I-shaped" developers,
rather than an org full of shaky generalists.

------
MaximumYComb
Exposing sensitive information this stupidly should be criminally negligent.
People use these platforms under an implicit trust arrangement.

I suspect if I made myself look like a successful trader and told people I was
a trader then they would expect I'm a trader and I can be invested with. When
I lose them money I'd be charged with some serious crimes for pretending to be
a trader.

~~~
toomuchtodo
Call your Congressperson. Without laws that create incentives to treat this
data more carefully (think GDPR), nothing changes.

~~~
echelon
With increased regulation comes an increased barrier to entry.

I'm absolutely for protecting privacy, and I hate that companies like Facebook
and Google peddle our personal details for profit. I worry that unless we are
careful, however, that we'll wind up creating barriers to bootstrapping. I
don't want EU-style cookie banners, required GDPR data export plumbing.

I want privacy. But I also want an escape trajectory and ability to do things
on my own as a sole proprietorship or startup. I don't want to have to work at
one of the big firms because they are the only ones that can pay for lawyers
and auditing.

Maybe we scale regulation with the size of a business? That seems fairer than
prohibiting small startups from getting off the ground.

~~~
mbreese
Maybe barriers for personal information aren't a bad thing? In order to store
personal information, you should at least be competent enough to keep it safe.
I don’t think having some kind of barrier is too much to ask for a company of
any size to have to reach in order to show that they are competent to securely
store the data.

I’m not saying the barrier should be great, but _something_ (anything!) that
makes keeping personal data secure a priority for a company is a good thing.

How many instances of this kind of lax security have we seen? Perhaps if there
were a few extra hoops, then we’d not have seen as many.

~~~
echelon
What if it's a teenager's side project?

~~~
MaximumYComb
If a teenager has managed to gather personal data on 10000 people, including
sensitive data, then they damn well should be able to protect it.

~~~
likeclockwork
Do the 10,000 people who gave their information away to a teenager have no
responsibility here?

------
Noumenon72
Would be fascinating to mine it for data about how flirting works
linguistically. We've never had a corpus for that before right? Also to
confirm/disconfirm those famous OKCupid posts about who wins in the dating
game.

~~~
stjo
Do you have a link to those famous posts? I'm interested, but the only thing I
found was [https://rstudio-pubs-static.s3.amazonaws.com/209370_b62220c8...](https://rstudio-pubs-static.s3.amazonaws.com/209370_b62220c849b946088b463fdbec935848.html)

------
LordAtlas
OK, what is "Herpes Dating"? I really don't want to google it.

~~~
jtnjns
I was also intrigued, it seems like you select the specific type of the herpes
virus you have, and meet a partner who carries the same disease.

Since these viruses are carried for life I suppose it prevents the fear of
spreading it to a partner that doesn’t have it.

There also actually seem to be several sites in the exact same niche, which
was surprising to me, when searching for the name of the site I got ads for 4
competing sites.

------
archeantus
My experience with S3 buckets was that it was super painful and annoying to
make the images publicly visible. So these people had to go out of their way
to make this publicly accessible.

~~~
cj
This is the case now. But it was not the case 2-3+ years ago when most of the
original infrastructure was probably set up.

AWS S3 has made it significantly easier to restrict bucket access, but those
are all (relatively) new changes.

------
_salmon
If you own buckets personally or at work and want to scan them from an
outsider's perspective, you can use S3Scanner [1]. Disclosure: I wrote it and
there's a major re-write coming soon(tm).

[1] [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner)

------
Animats
Maybe there shouldn't be publicly accessible AWS buckets. Or, if you create
one, you have to specify some public domain type license to make it clear
that's your intent.

~~~
Pfhreak
I set up a few websites for side projects that use Cloudfront + a public S3
bucket + Lambda for the backend when needed. It's extremely fire and forget
web hosting for simple static sites and I think it costs me basically nothing.

How do you enable S3 for my use case (where I am ok with all the assets being
public because they are all static JS/HTML/CSS/images) but also prevent
breaches like this?

~~~
toomuchtodo
> How do you enable S3 for my use case (where I am ok with all the assets
> being public because they are all static JS/HTML/CSS/images) but also
> prevent breaches like this?

Do not put anything you don’t want to be public in your S3 bucket. Also, best
practice would be for the bucket to be private but Cloudfront be authorized to
access the objects to retrieve from the S3 origin and cache at the edge. Use a
separate S3 bucket for sensitive data. Use lifecycle rules to delete objects
as soon as feasible so you’re not storing sensitive data for longer than you
need to. Ensure that CloudTrail logs and S3 logging are enabled for sensitive
buckets, so you have access logs for forensics if you do unintentionally leak
objects with sensitive data.
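
One way to check a bucket policy for the split recommended above (bucket private, only CloudFront allowed in), as an added example that is not from this thread or from AWS. The sample policies, account id and distribution id are constructed, and the classifier is a heuristic over the policy document only; it assumes the standard OAI and OAC patterns and does not cover ACLs or the account-level public access block.

```python
import json

# Constructed sample policies (not from the article or any real bucket).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"}]})

CLOUDFRONT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*",
    "Condition": {"StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}}]})

def _principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out

def _condition_value(cond, operator, key):
    """Case-insensitive lookup of a condition key (IAM treats keys that way)."""
    block = cond.get(operator, {})
    return next((v for k, v in block.items() if k.lower() == key.lower()), "")

def classify_statement(stmt):
    """Return 'public', 'cloudfront', 'scoped' or 'deny' for one statement."""
    if stmt.get("Effect") != "Allow":
        return "deny"
    principals = _principals(stmt)
    cond = stmt.get("Condition", {})
    # Legacy origin access identity: the OAI IAM user is the principal.
    if any("CloudFront Origin Access Identity" in p for p in principals):
        return "cloudfront"
    # Origin access control: service principal must be pinned to one
    # distribution, otherwise any CloudFront distribution anywhere can read.
    if "cloudfront.amazonaws.com" in principals:
        arn = _condition_value(cond, "StringEquals", "aws:SourceArn")
        return "cloudfront" if arn.startswith("arn:aws:cloudfront::") else "public"
    # Wildcard principal with no condition is world-readable.
    if "*" in principals:
        return "public" if not cond else "scoped"
    return "scoped"

def audit_policy(policy_json):
    """Return (Sid, classification) for every statement in a bucket policy."""
    return [(s.get("Sid", "?"), classify_statement(s))
            for s in json.loads(policy_json)["Statement"]]
```

Any statement classified as "public" on a bucket that also holds user uploads is the configuration this thread is about; the fix is to move the sensitive objects to a separate private bucket and let CloudFront serve the static assets.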

~~~
Pfhreak
Oh, sorry, yeah I'm aware of these things. I'm trying to square the circle
where the parent suggested that maybe there shouldn't be public buckets. (And
maybe that's actually true... maybe to serve from them you should be required
to figure out Cloudfront.)

------
jl2718
Sounds like a CCP info harvesting op.

------
ourmandave
This would make a great dataset to train your AI on.

"Yuri, why iz Lomonosov-2 supercomputer keep sending me dick pics?"

------
jodrellblank
> " _the researchers warn that a motivated hacker could have used the photos
> and other miscellaneous information available to identify many users_ "

FaceBook has probably done it as a part of their regular business of stalking
everyone on the planet. Isn't that more alarming than what "a motivated
hacker" might be able to do?

