Edit: The person raising that question is working for Atlassian (Jira), looks like Atlassian got their database deleted lol
> I'm running an elastic search for a personal project on google-cloud and I use as a search index for my application.
He very clearly says it’s a personal project. Trying to learn new topics outside of your direct responsibilities, while employed, is very common in the software industry. Not everyone that works at a company is involved in databases at that company.
I think some people in this thread want to be a bit too "absolutist" about it. Everyone's servers were exposed to heartbleed, spectre, meltdown, etc so the absolutists would apparently want the whole internet deleted.
Edit: It would be helpful if the down-voter could explain (I might learn something).
Would you like it if someone involved you in adjudicating potentially illegal (under CFAA & others) without your consent?
This is clearly not a white hat hacker looking to teach people lessons about security. If it were, they could have furnished a list to the major cloud providers of broken instances and given them time to notify and remediate.
No, just my webserver/HAProxy. The difference is: don't expose services that are not meant to face the Internet directly.
Production-type webservers are; SSH, VPN, HAProxy etc. are.
Databases, devel-webservers, NFS, Samba are not!
Sure, even the best-hardened service can have vulnerabilities, but that's how life is; better to have a door with a key than one without, even when someone is capable of opening your door with a lock-pick.
I did not (in the slightest) suggest that people should do this. I was commenting on the "free-ness" of the lesson (read the comment I was replying to). It could have been more "free" with a little more effort. Straight-up deletion wasn't the only option.
No, but a good one.
>It could have been more "free" with a little more effort.
Even white hats don't work for free (for companies).
Don't build cars if you don't know how a brake works; don't build IT services if you haven't the slightest idea how to secure them.
Stuff like this is what drives away underrepresented groups from engaging on the internet. Maybe everyone who upvoted and participated in the uninformed speculation from user5994461 should reconsider.
That kind of public ridicule and possible resulting flak from management is why more and more developers participate in knowledge exchange by asking questions from under a throwaway pseudonym (much like user5994461), and only answer or edit other questions from accounts that connect to their identity in any way.
This is not what people mean by open data
True, but a deleted database is secure again ;)
I understand that some people won't learn without encouragement but it's not a good thing for all.
Ultimately, companies like MongoDB and Elasticsearch are culpable for selling database technology that is insecure by default, presumably because that's the easiest way to boost their metrics for the VC overlords.
They could have altered the data and no one would have been the wiser
Making decisions based on a writable database (to the world, and not just from data sources like census, etc) is utterly useless.
Rather, for the first two, large numbers of agents may request access limited to a specific account, with limited capabilities granted.
Even Mediawiki, with an extraordinarily open access model (painfully so in most cases) has checks on extensive abuse, and gradations of permissions.
Suggesting that any of these are comparable to full DBA access as the Meow attack (with considerable merits) targets suggests an exceedingly poor grasp of distinctions or misreading of GP's comment.
You can do better.
> I’d much rather have my data deleted until it’s secured than have it stolen by someone else
There are multiple logical fallacies in this sentence. First is the use of the word 'until' which is ambiguous here; it suggests that your data can be 'undeleted' after the DB has been secured or you would rather not have any data stored anywhere that is not secured. Either option to me seems like an incorrect read of your comment but I'm not sure. And "than have it stolen by someone else" seems to imply that you know that this data was never copied and cannot be stolen still. I think that seems incorrect, unless there is something I missed that assures everyone that the data could not have been stolen during these hacks.
Lastly, your personally preferred outcome for your personal data is not a measure for all of society, but you grant it that "public service" label as if your preference matters above everyone else's. You don't know what other people think about their data. You don't know what the data even is. What if some of it was just a hobby project for someone, with no financial implications of unsecured data or of data loss, but with emotional attachment to their data? Do they not matter to you?
A blind deletion of unknown data belonging to unknown people is not a public service.
No, there aren't any fallacies in that sentence and can't be.
The statement expresses a personal preference; to be fallacious there must be some logic that can be unsound. That is, it must start from some premises and then derive a conclusion. To find a fallacy, you have to show that at some point the conclusion does not follow from the premises.
Since it's a simple assertion, it is implicitly sound. (The graph of premises to conclusions is just a single node.) And since the author knows with certainty what his preferences are, we can take it as true. It's fruitless to argue with people about what their preferences are.
> First is the use of the word 'until' which is ambiguous here
Virtually all "fallacies" you see online are just people typing their thoughts in a hurry. Take advantage of interaction and ask them to clarify.
> Lastly, your personally preferred outcome for your personal data is not a measure for all of society, but you grant it that "public service" label as if your preference matters above everyone else's.
And as a member of the public, if it serves my interest, it is a public service to some extent.
Now, fair enough, you're trying to attack it as not being some broader notion of a public service. You have that broader notion in mind, but you don't explain what it is.
Instead you apply your internal definition through "as if..." which puts you in the territory of inventing a claim they simply never made. That's not even fallacious, it's pure fiction.
> A blind deletion of unknown data belonging to unknown people is not a public service.
You do make some claims, mostly couched as questions, that might lead to this conclusion. You never plainly state your premises, nor do you connect them to this conclusion.
So after all that, your conclusion is a non sequitur!
Consider if this happened five years ago, it would have had a smaller cost than happening today. And it was probably going to happen at some point, so better that it happened five years ago than today. By the same argument, better that it happened now than at any point in the future.
I'm not sure how serious I am about this argument but...at least a little bit? I guess the alternative argument is that any day now software vendors would have all moved to secure-by-default platforms where deploying a world-writable Redis in production would have been so difficult that it rarely happened.
A docker container can have internal ports exposed explicitly, or use host networking. In any case these are ports exposed by the docker-proxy executable - an executable like any other on the system.
Then come the iptables rules of the system (which open or not data flow to the ports exposed by docker-proxy).
Or is it different?
ACCEPT tcp -- anywhere 172.19.0.10 tcp dpt:8843
So not too concerned about partition tolerance, huh?
It is, better than stealing the data. You know what a really bad service is? Leaving your database wide open, and exposing your customers' data (maybe?) for everyone to read.
It's a lot more work when doing it in the cloud and spinning up these things from docker containers in K8S...but you're entirely to blame if you don't know what you're deploying and don't understand any of the potential threats.
What the parent post said is pretty much it in a nutshell, but I use that GitHub for basic Ubuntu server setup.
For reference, the standard practice in a company is to have a (third) separate subnet for databases, with zero internet access (no NAT gateway). Connection must be explicitly opened from/to database clients. It's a nightmare to manage on premise but it works really well in the cloud with firewalls allowing traffic based on instance tags.
This is very good advice. We recently had a uni project where we had to use a MongoDB database. Somebody just apt-get installed a mongodb onto a DO droplet and called it a day. Two days later the only remaining records prompted us to transfer x amount of BTC to an address that was stored in our DB. It just contained dummy data, but it is worrying that something like this apparently happens to lots of companies as well.
The only thing I find weird is that ElasticSearch itself does not offer a way to handle authentication; it was just enabled by a plugin that was paid (it seems like it's free now).
"Weird" is an interesting euphemism for "irresponsible." Defaults are very important. Insecure by default is insecure for 90+% of deployments.
I have a bunch of fairly important personal documents in a filing cabinet with no lock. And I'm perfectly fine with that. I wouldn't keep it in my front yard, because that's obviously stupid, but keeping it inside behind my locked door and upstairs in my office? A perfectly acceptable risk (for me and my files).
I do agree that ElasticSearch do a quite poor/irresponsible job of pointing out their cabinet has no lock. I think Redis do a better job, but are seriously let down by all the internet tutorials that just say "sudo yum install redis" as a minor intermediate step in getting example-todo-list-du-jour working - without even a footnote explaining that anybody who actually visited the redis site now has instructions on how to p0wn your box. ( http://antirez.com/news/96 ) I do think the "Securing Redis" section of this page - https://redis.io/topics/quickstart - deserves to be much closer to the top - I'd have put it before the how to download/install/start instructions myself (though I _think_ recent versions of redis only bind to localhost in the default config, maybe?)
Cave ne recipiens donum...
The vendor / developer has both awareness and capability to ensure this.
If the default install does this, then I'd blame the package /distro maintainers. It should definitely at least only listen on localhost by default, with stern warnings what is going to happen if you change that without setting up proper security.
Most of our services were created like a POC & deployed to production, & I joined my company fairly recently.
We had a planned release this week to secure ES. And Saturday, we got "meow"ed
Just block access to it on your firewall to the public ports and require people SSH or VPN for access if needed.
note: the DO tutorial will hold your hand a little; the hardening doc expects a (minor) degree of familiarity
I don't see anything about subnets in there though. Did I miss something?
It's not though. Subnetting and firewalling are like the foundation of any corporate network.
For real code, you wouldn't generate a web page with 5 million entries in it, so you can be pretty sure that the data is bad even if it's not cyclical (but it probably is)
If we pretend we're using readline here, ^W (yank previous word) and ^U (yank to the start of the line) should save you some key presses.
Some recommended bedtime reading:
My favorite is ^U, which 90% of the time lets you start over on a password prompt when you are sure you just fat fingered but not sure how badly.
Do you have a reference to the history of key combos like ctrl f, b, n, p and a and e? Those are typically referred to as emacs style navigation and I am genuinely unaware of the history of those as common tty control codes outside of emacs for cursor movement. They weren't DEC VT control codes. Ctrl-U was though and even has an ASCII assignment as "NAK". Ctrl-H and C are similar, but people don't typically refer to those as "emacs" keys.
I've always heard of it as an ASCII control character and gets its history from Unix interpretations of really old IBM keyboards which got its history from typewriters. I've literally never used emacs for anything other than ^X to exit; I'd rather use cat than emacs. I use vim. But ^H has worked for me as intended on a serial console and on telnet.
Some diving through wikipedia:
 says: Pressing the backspace key on a computer terminal would generate the ASCII code 08, BS or Backspace, a control code which would delete the preceding character. That control code could also be accessed by pressing Control-H, as H is the eighth letter of the Latin alphabet.
 says: In some typewriters, a typist would, for example, type a lowercase letter A with acute accent (á) by typing a lowercase letter A, backspace, and then the acute accent key. This technique (also known as overstrike) is the basis for such spacing modifiers in computer character sets such as the ASCII caret (^, for the circumflex accent).
 says: Unix (command line and programs using readline): Ctrl+H = Delete previous character
 supports  and says: Caret notation is a notation for control characters in ASCII. The notation assigns ^A to control-code 1, sequentially through the alphabet to ^Z assigned to control-code 26 (0x1A). Often a control character can be typed on a keyboard by holding down the Ctrl and typing the character shown after the caret.
However, it's worth noting that it also says The meaning or interpretation of, or response to the individual control-codes is not prescribed by the caret notation.
But, despite that, ASCII describes control character 8 as backspace.
According to this Wikipedia article, work on ASCII began in 1960 and its first release was in 1963.
Emacs' first release was in 1985.
I suggest that perhaps in your bubble control sequences are referred to as emacs style navigation even if it's not necessarily the most historically accurate. I'm glad you're working with *nix enough to be familiar with emacs and there's always new old things to learn. There's a lot of history to learn and understand.
I read your post and thought, "I've misremembered the story."
But the Wikipedia page for the Teletype-33 claims that it 1) had control characters, and 2) was inspiration for some of the ASCII character set, which was defined later in the same year:
Obviously there are variants to this, depending on what you're actually trying to achieve with it. My point is that a stack would be a very inefficient way to deal with loops.
2) a visited flag on an edge? That won't support simultaneous traversals. Keeping a stack is a lot more efficient than permitting only one traversal at a time.
My point still is that looking something up in a stack (did I visit this node?) costs O(n) time, so the BFS will degrade from O(m+n) to O(m*n+n).
To come back to the concurrency, if you can index your edges in some way, you can also store the visited flag in a separate data structure to support concurrent access (one "flag store" for each access).
Not using data structures that enable concurrency prevents performance improvements since modern hardware is, in general, more parallel than vertical.
> An interesting theory as to why the attacker used the term "meow" is because cats like to drop (or knock) items from tables.
One of the first publicly known examples of a Meow attack is an Elasticsearch database belonging to a VPN provider that claimed not to keep any logs.
Secure your damned database.
The fault and responsibility lie with the deploying organisation and tools vendor. Meow is just the messenger.
If that happens, then the attack can arguably be justified despite the damage — consider all the future database installations which wouldn't otherwise have been secured which are now spared from not only destruction but theft.
I entirely agree the vendors are (partially) to blame here.
Locking RBAC and TLS behind a paid subscription is a sure way to force companies with security teams to pay for it (or not to use it).
This particular lesson comes relatively cheap--dropping your data is not the worst an attacker could do with it. Hopefully, more people will research what I'd call "security 101"...
It _can_ be. At the same time some of the most used software in the world manages just fine without a company running paid subscription plans and locking free users out of critical security components.
ElasticSearch/MongoDB/Redis et al are trying a new model for how to create OSS with a company behind it funding all/most of the development. That's OK, and I'm super interested to see how it works out long term. But there are many many counter examples of similar sized or way bigger software projects that never needed to do this. Pretty much everything that those three databases depend on to be used in applications is OSS that never had a "paid subscription" locking access up. How useful would any of them be without Linux, or Apache/Nginx, or Ruby/Python/PHP/Perl.
My fear is that half-assed-OSS that does a _great_ job of "capturing developer mindshare" but a lousy job of securing free use of their software - is one day going to be the root cause of some _spectacularly expensive_ data breach, after which pointy haired bosses and less technical C suite suits are going to feel the full power of Oracle's golf-course-and-expensive-restaurant marketing army, and nobody in a company bigger than 10 or 12 people will ever be able to use any database with less than a half million a year license because "due diligence!" and "risk mitigation!" (and "Wagyu steak with expensive whiskey" and "dirty free software hippies exposing you to data breaches!!!")
Don't make excuses for their shitty business practices.
This probably isn't an excuse for Elastic anymore, but it's how Elastic was born ("easier than Solr!" -- they didn't invent full-text search, after all) and it's how whatever supplants Elastic will be born. Why is MySQL dominant over Postgres even though "referential integrity" didn't come to the game until v5? Why Docker over jails or OpenVZ? etc. People adopt technology because it's fashionable and it becomes fashionable in part because it's perceived as easy to use. Security and ease-of-use are not quite true opposites, but there's definitely some intrinsic tension.
We have a lot of hapless practitioners in the space and the root problems here won't go away until we get some standards. Better solutions usually lose because crappy stuff focuses more effort on marketing and an "easy" onboarding process, where better stuff focuses on the operational complications of the real world.
An example of an issue I am dealing with currently: while you can create a gin index to speed up containment queries, Postgres doesn’t keep any statistics about jsonb columns. This means the query planner will sometimes do stupid things, like using the index even for very non-selective overlap conditions, which is a lot slower than just doing a sequential scan.
Less of an issue for me but worth considering: the size of the gin index in my use case seems to be about 5x bigger than the size of the unindexed data. I was surprised by the size increase. I only use the containment operator so I could make a smaller/faster index using the jsonb_path_ops operator class. This is on my todo list :)
Like all non-btree indexes in Postgres, the index is unordered. That means sorting by values in the jsonb column will always be slow. This doesn’t matter for selective queries, but exacerbates my already slow non-selective queries that return large result sets.
That said, if your queries are selective, jsonb + gin indexes are surprisingly performant (in the 0.5-10ms range for small result sets). My use case is a mix of structured relational data with jsonb for user-defined values (which of course they want to use for querying/sorting and I was dumb enough to say “sure, why not?”)
In terms of the magnitude of data, there’s roughly 10 million rows. Each team using this service has the query scoped to about 500k-1 million records, and then additional filters (on the jsonb column) will scope that down to anywhere between 60k-0 results.
I ask because where I work we sync postgres to a secondary store for search, but the way it's done in a piecemeal, application-specific way gives me the heebie jeebies. It almost certainly will result in that secondary store drifting. Unfortunately we can't use something like zombodb as we're on amazon RDS. It seems like you know your stuff, and seeing non-deterministic consistency irritates the heck out of me!
- Proper replication in its first-class, default configuration
- Automatically managed cluster membership
- Seamless automated failover
- First-class async client libraries in many languages
- A non-awful query language
Focusing on the JSON is beside the point (though it is a convenience). Wake me up when you've got a properly distributed database.
But I'll be happy to replace it by something else; my load is extremely small and my only requirement is to have the DB as a network daemon, not as embedded storage, as it will be used by 2 applications (main daemon and API).
RethinkDB was a really nice candidate for it but it's not alive anymore: https://rethinkdb.com/blog/rethinkdb-shutdown/
That said, I've incidentally heard a lot about Mongo in the last half a year. Might be my bubble. Might be MongoDB actually maturing and getting really good. I hope it's the latter.
For everyone else, JUP ("Just Use Postgres")
Snark aside, Postgres should hold you over for quite some time.
With Postgres you probably don't need Redis, Elastic Search, Mongo or Kafka.
Anything that is insecure by default in 2020 should be killed off IMO.
In general I would recommend putting some kind of protection between machines running Docker (and especially orchestrators) and the internet. This could be cloud provider mechanisms (security groups, ACLs, etc), a firewall appliance, NAT gateway configuration, etc. depending on the situation. It's not necessary, but it makes the situation easier to audit/validate, and more layers of protection seldom hurt. If nothing else it means that much of the time you'll need to make a mistake in two places instead of one, in order to have an unintended exposure.
Use nmap to evaluate your policy from the outside, don't try to validate it in your head by inspection.
"The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the image and the person who runs the container, about which ports are intended to be published."
Although the similar words with different meanings no doubt contribute to confusion.
I'm 58 and bald, so channeling yoda is easy: a valuable lesson you need to learn, and learn it the cheap way or the expensive way you can.
The cheap way is to invest in a cheap VPS for a month, fire up sshd and a webserver, and then check the logs when the month is up.
The expensive way is to carry on treating security as an afterthought. It'll cost you your pride, your reputation, and possibly your career.
The fact it's not, is why we're seeing major attacks/leaks/etc almost every single day now.
A secure by default product is a dead on arrival product.
When you use ufw with a default DENY policy, you tend to assume that whatever isn't explicitly listed gets DENIED. This is not the case with Docker, and I think it's just a matter of time until someone loses big because of this issue.
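An added audit script for the ufw/Docker gap described above and the docker-proxy/iptables rules discussed earlier in the thread; it is not code from anyone in this thread. It parses constructed `iptables -t nat -L DOCKER -n` and `ufw status` output (the ports, container addresses and rules are made up) and lists published container ports that are bound on all addresses but have no ufw allow rule.

```python
"""Audit Docker-published ports against a ufw allow list.

Docker publishes a container port by adding DNAT rules to the nat-table
DOCKER chain (plus ACCEPT rules in FORWARD), and those are evaluated
before ufw's own chains, so a ufw default-DENY policy does not cover them.
This parses `iptables -t nat -L DOCKER -n` and `ufw status` output and
reports published ports bound on all addresses that ufw never allowed.
"""
import re
from dataclasses import dataclass

# Constructed sample output: not captured from a real host.
NAT_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8843 to:172.19.0.10:8843
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9200 to:172.19.0.11:9200
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:6379 to:172.19.0.12:6379
"""

# Constructed `ufw status` output: default policy deny, two explicit allows.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8843/tcp                   ALLOW       Anywhere
"""

DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"\S+\s+dpt:(?P<port>\d+)\s+to:(?P<target>\S+)$"
)
UFW_ALLOW_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+ALLOW\s+")
ANY_ADDRESS = {"0.0.0.0/0", "anywhere"}  # -n prints the former, plain -L the latter


@dataclass(frozen=True)
class PublishedPort:
    proto: str
    bind: str     # host-side destination address the DNAT rule matches
    port: int     # host-side port
    target: str   # container ip:port the traffic is rewritten to


def parse_nat_docker_chain(text: str) -> list:
    """Extract DNAT rules from `iptables -t nat -L DOCKER -n` output."""
    published = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            published.append(
                PublishedPort(m["proto"], m["dst"], int(m["port"]), m["target"])
            )
    return published


def parse_ufw_allowed(text: str) -> set:
    """Collect (port, proto) pairs that `ufw status` lists as ALLOW."""
    allowed = set()
    for line in text.splitlines():
        m = UFW_ALLOW_RE.match(line.strip())
        if m:
            allowed.add((int(m["port"]), m["proto"]))
    return allowed


def exposed_despite_ufw(published, allowed) -> list:
    """Ports bound on every address whose ufw allow rule is missing.

    A DNAT rule bound to 127.0.0.1 is only reachable from the host itself,
    so it is skipped; anything else reaches the container no matter what
    ufw's default policy says.
    """
    return [p for p in published
            if p.bind in ANY_ADDRESS and (p.port, p.proto) not in allowed]


def main() -> None:
    published = parse_nat_docker_chain(NAT_DOCKER_CHAIN)
    allowed = parse_ufw_allowed(UFW_STATUS)
    for p in exposed_despite_ufw(published, allowed):
        print(f"EXPOSED: {p.port}/{p.proto} -> {p.target} "
              "(no ufw allow rule; reachable despite ufw default deny)")


if __name__ == "__main__":
    main()
```

On a real host, feed it the live command output and confirm the result from outside with nmap rather than trusting the listing alone.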
But, after some searching, I found that simply setting "network_mode" to "host" could solve my problem. So I ended up not having to deal with iptables.
If someone wants to deploy some self-hosted service, I would suggest using traefik v2. It fits docker quite well, especially with letsencrypt.
(reads TFA again) Wait, one of the victims is a VPN provider???
It also works at any level of security: "Lock your doors and hire guards if you don't want clever thieves breaking a window..."
But if you require everyone to take adequate measures to physically secure their houses, you don't even need laws and morality!
And while this may provide the sort of negative reinforcement you are hoping for, actual damages in each case are going to be all over the place. That makes this one of the worst possible punishments. Imagine the penalty for speeding is a random outcome somewhere between a stern reminder and the death penalty. There would be nothing fair and little useful about that, even though it does follow the same basic principle of do bad -> be harmed.
If laws and morality were sufficient protection against malicious actors, I might agree with you.
However, in a world where cyber vandals are often beyond any accessible jurisdiction (and may even be supported by their local authorities), laws and morality are clearly not effective at keeping unauthorized users out of private systems. As such, the responsibility for keeping private information secure naturally falls on the people running the systems.
Putting up a network firewall (or at least requiring authentication) would have prevented the damage described in the OP, and is a rudimentary security measure that has been common practice for decades. The people who suffered significant damage from this attack should strongly consider outsourcing system administration to someone who knows what they're doing.
At least google "securing X" before just pumping data in.
This article says Redis is affected but I would be curious to see which version of Redis was being used because they changed their default configuration after crackit was wide spread.
I was using arno-iptables-firewall and this suffered from that, docker containers would be world accessible. In general I only bind them to localhost anyway, but I figured this out when testing. It doesn't seem to happen with UFW.
But I can imagine some people know how to set up a firewall but then just assume it works and don't check. This is the kind I do feel sorry for, at least they tried to protect it.
Ended up deleting the server.
Downsizing and other false economies are definitely a contributing factor. Security and reliability are easy to dismiss as expensive overhead until they suddenly aren’t.
I also just think it is a little uncharitable to wish harm on people simply because whoever did their IT was inexpert at their job? Like, how does the local mom and pop correctly evaluate a person's IT chops? The nephew says they can set up their website for cheap, and they want to be nice, so they give him the job. Turns out he's a newb and later their database gets deleted and you are on here saying that's a good thing? Hrm. I don't agree.
Putting a password and emailing the admin would solve the password problem.
But I agree doing anything is probably illegal. I would leave it... not worth hassle of wearing the superman cape.
Emails have a bunch of info in the headers, so there is more meta-data in the email itself.
Neither is perfect for finding the culprit but one scenario has zero meta-data and the other has some.
That still doesn't justify vandalism.
They secured it, and somehow managed to make it publicly accessible again without password, this time it got hit by this attack.
Honestly this is like if a company decides to keep their paper records with my information on a public side walk, and somebody saw that and decided to bring them to the landfill.
Is it legal or fair? In a perfect world no, but at this point the company is not blameless.
No. The equivalent would be exploiting their building's weakness to cause it to collapse - maybe with people in it.
Pointing out a vulnerability is not the same as demonstrating it.
That said, a demonstration will get their attention more.
This attack is indiscriminate and is without warning, so it eliminates the possibility for database owners to fix the problem in good faith.
I got doxxed with the Equifax breach. How many other companies in the world will take someone's word that they are me based on that data, and what potential is there for my life amongst millions of others to go completely sideways because of companies who won't admit the systems are broken?
I say the house is already burning, but maybe throwing some fireworks into the blaze will convince the right parties to finally put the damn fire out.
Beyond sick and tired of breach after breach after breach after "oh, there were millions of voter records showing publicly" "no, <insert product name> defaults to no security"
IMO we specialize too much and miss important things that we mentally outsource to other people. I'm equally disturbed how often I meet people in tech who are unable to do basic home repairs or cook for themselves. Something, like say, a few weeks of quarantine, and people's anxiety goes through the roof because they've relied on other people for basic life skills.
If it's a publicly accessible wiki with no sensitive data whatsoever, and that's meant to be publicly accessible, then there's a reasonable excuse for the poor security and it's not helping anyone to destroy it.
I have no idea if that is the intention of the attackers, or if they are maybe even stealing the info before deleting it. But assuming they were good Samaritans and just deleting it, that is the best outcome for me as a user, better than if it stayed up for another day.
The concern in this case is when there is some social problem with being in Mom & Pop Inc's customer database. There are probably some people that buy some things that they don't want other people to know about. When the database gets hacked and you are linked to being their customer, that is the unfortunate and potentially damaging information leak. A credit card just gets reissued and the bank reverses the transaction. No big deal.
Not necessarily, depending on where you're based.
Usually by price and unfortunately both mom and pop like a bargain - I've seen this play out more times than I would like.
Also how do you evaluate, say, a landscaper's chops? Or any other kind of contractor's for that matter? By doing research beforehand, checking what kind of reputation that person has etc.
Low-effort or lack of research gives you bad services, for which you pay in losses like these.
In software, financial recourse generally means you have to jump straight to lawsuits. There's no licensing for who's qualified to build a website, developers don't have to escrow funds or carry malpractice insurance in case they make a mistake, a development business should have insurance in place but there's not always easy or affordable ways to assign fault in most IT situations if you want to pursue them. Software and IT forensics are prohibitively costly and usually mean a lot of money has to be on the line which rule out mom and pop businesses entirely. IT and software mistakes also usually take longer to rear their heads, and people in IT and software also aren't known for sticking around for decades. How do you sue an LLC that dissolved 5 years ago?
It's apples and oranges in my opinion.
I hail from a post-communist country so I assumed the culture in the US is more developed in this regard.
I would certainly hope the owner of the insecure database would face massive consequences. IMO there's not _nearly_ enough of that. This sort of breach should be financially ruinous for _any_ company.
Not everything is about you, and also you totally misunderstood the post you quoted.
And if you've configured your database that poorly, am I supposed to assume you've properly configured your server against becoming part of a DDoS attack? Or a bot net? The base level of negligence you're defending enables a multitude of attacks. Losing your DB would be an immediate sign you don't know what you're doing, and thus shouldn't be doing it.
Deleting exposed databases is genius; there need to be real repercussions for companies if they leak user data.
That is a very rich person statement.
Yours is also a rich person statement.
Unsecured databases are a huge loss for everyone.
Anything that forces a shift in this naive behavior of vendors, implementors and executives is not just fine by me, I welcome it. If my life suffers because of data of mine that's lost from companies' databases, I now know who to cease doing business with.
No one wants to see their local pizza shop lose their pizza-credit database, but if that's the price to pay for data security then so be it.
Usually when you buy something, you get an email receipt. So you print out your email receipt and go to the mom and pop store.
Given they are a local mom and pop store, you likely have a long term relationship with them and they may even remember you buying credits. So it will be a hassle, but likely ok.
It is the huge corporate stores that don’t have long term relationships that would be hurt by this thing the most.
In the case of the spin studio, you can prove what you paid, the owner just lost his evidence of what he no longer owes you, and will hopefully in the future stop exposing your personal data on the Internet.
Not my problem.
> The nephew says they can set up their website for cheap, and they want to be nice, so they give him the job. Turns out he's a newb and later their database gets deleted and you are on here saying that's a good thing? Hrm. I don't agree.
Mom and pop prefer nepotism over skill, credentials and reputation, without even a second opinion. There is a reason that this is frowned upon (and has been for at least some 2000 years before mom and pop were born), regardless of the domain.
On the off chance that their database doesn't contain any personally identifying information on their customers, this is an idiot tax. In any other case, their loss is completely justified when compared to the potential losses, abuse and manipulation of their customers that come with exposing their PII to the public.
> What if one of the databases has a record of credits you've purchased at your local spin studio?
p.s. bobby tables did it first
Another side is that with their database blanked, that will force more companies to explain their downtime or complete loss of data, rather than quietly secure it again and pretend nothing happened.
No, that doesn't make sense if it's only meow who found it. And since there is no way to know that, it does not make sense to mail a copy to HIBP.
Even a bland 'we lost parts of our data and we will have to start recovery processes. please stand by' is a signal.
For me, it's not exactly "good." But I am more upset with the database owners than I am with the kitties. Don't leave the barn door open, or this (or worse) will happen to you, and happen again. If they were instead exfiltrating and selling the data, the equation would change. I'm not saying the cats are doing good, but I do say that the "responsible adults" did the greatest harm by not cat-proofing their databases that contain PII.
As someone who runs such a "public-access data library" myself, I would be slightly annoyed if someone came along and burned it down, just because it has an unpatched vulnerability.
...but if it got deleted because I left default admin creds on it, though, that'd be my own fault.
Just because it's not secure doesn't mean you should delete the data, because where does such reasoning end?
Reminds me of the super meat boy web version with database creds in client. Dev knew, but just did a quick implementation. Hacker wanted to prove his point and ruined it for everybody. Making a secure version was not worth the effort, so now because of this prick nobody could enjoy it.
Our field is vast and there is a large variance in people just using the basics of CS and those who keep up with standards and best practices, etc.
Your statement is basically akin to someone saying that it’s fine for people to get robbed if they went out with their wallet; or worse... killed.
But I would feel bad if someone's small business had to shut down or lose a bunch of money because they lost all their customer data. I'd feel bad if someone lost all the data they'd been using for a personal project. If they didn't have backups and proper security, shame on them, but ideally they would be contacted and given advice. Ideally, their data would only be deleted if the effect would be minimal.
On the other hand, if this is something that happens consistently -- all unsecured databases get deleted immediately -- maybe the data would be stolen less and everyone would have to learn their lesson early...
Don't. When businesses of any size cut corners and provide services they aren't qualified to provide, it gives them an advantage compared to businesses that try to do it properly. They make more money or charge less and can often outcompete competent owners. They'll also be the first ones to brag about how brilliant they are at business (in my experience).
Small businesses are no exception. Delete away IMO.
If you collect it, you need to be responsible for keeping it safe. Anything affected by this is already exposed and has to be assumed to have been breached.
Seems to me, there are a lot of things businesses could store in a database which don't necessarily need to be private, or which at worst won't harm anyone other than the database creator if exposed.
If it sounds like I’m unsympathetic, yes, that’s true. Playing around with building your own database is a good learning experience but that changes once you expose other people to your mistakes. I’ve also dealt with a few small businesses and the people trying to run a business like this are always trying to save a buck - they’re the same ones who stiff contractors, avoid paying overtime, do their own taxes creatively, etc. If you have a successful business, you’ll drop a few bucks on Shopify, Wix, etc. to focus on the business rather than a distraction.
I agree that these businesses shouldn't be doing this by themselves, but the tech industry shares some culpability. It should be ingrained in people's heads to think of security first. Most people outside the SV bubble are still using [SO or pet's name]123 as their password. I go to a university in NYC. I've tried to convince several (college) friends to use password managers to no avail. This isn't just a problem endemic in old people. Someone needs to "mainstream" good security. A good start would come from, say, Apple, by including security keys with new iPhones, as much of a pipe dream as that might be.
Like the old days with Slammer or Code Red.
It took 13 seconds for a freshly installed Windows box to be owned when it was put online. Let those days return.
If you are holding other people's data for them, you have a responsibility to do your best to keep the data safe. If you don't know how to do that and don't have time to learn, you can hire someone who is more knowledgeable.
Do you have the same opinion about shoplifters walking away with merchandise? Would your argument be that there should be armed guards and searches in every retail store? Isn't it reasonable that a thief be criticized and penalized for their actions even if the theft was "easy" to commit and is it OK to blame the victim for not being prepared?
I'm sympathetic for the people who were only storing their own data, but not for companies that failed to safeguard their customers' data. If I borrow stuff from friends, I take better care of it than if it were mine. I hold companies to the same standard.
But being careless with other people's data is also wrong and we should not feel bad for companies whose negligent practices backfire on them. That is what I was trying to highlight with my analogy.
Like bacteria, there will always be bad actors trying to exploit poor security. If not these attackers, then someone else. That is why we have security measures.
The people we should feel bad for are the individual customers affected.
P.S. Also, there is a big difference between being careless with your own property (your analogy) and someone else's property/data/wellbeing (my analogy and the case at hand).
There tends to be a pass given to people destroying data and I don't think that is right.
As engineers we have to assume that there is always someone out there looking to break into our systems. We don't get to blame them for our failure to secure our systems.
For us to be angry at the hackers is as fruitless as it would be for the unhygienic cook to be angry at the bacteria.
Your analogy about bacteria doesn't make any sense, we don't expect the bacteria to be actively seeking out unhygienic cooks. If you want to use your analogy it would be like having someone shake the cook's hand in order to put a mild irritant on their hands so that when they prepare food without washing or gloving their hands the irritant is spread to the food, thus highlighting the fact that the chef wasn't following good hygiene. Would you expect that behavior to be excused? Would you be OK with that if you were the one throwing up?
It sounds as if you think I'm defending the attackers. I'm not. I'm pointing out that the presence of malicious actors is a fact of life on the Internet, like it or not.
I'm not going to take my analogy further. I think it's reasonably clear what I meant.
In that sense, receiving a strong notification that your compute is available to anyone and you should secure it is a good thing.
My sympathy for people learning the basics of our field and missing a few points stops when others are harmed.
It's unrealistic to expect that the population at large starts to pay significant attention, in particular because the services/gadgets are a black box. How does one know if a device is safe? A layman surely can't; even somebody who's "just a dev" likely can't.
Given the large-scale nature, probably some form of regulation would be the most realistic mitigation. Following the analogy, such users are taxi clients, and for similar reasons, taxis are regulated.
With that in mind, certainly the engineering side of the equation should be held accountable. But it seems that the market is not punishing it at all.
I think the learn by failing is a good mentality but was hoping we can be mindful of the fact that this harms more than just the “big bad man”.
Edit: Addendum for a more thoughtful discussion: it would be great if these databases and tools provided some default security OOTB requiring no configuration whatsoever. Example: rather than creating a user and password with root, I'd rather have some CMS site generate a random one!
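The "secure by default" point above is easy to make concrete with the database the thread keeps coming back to. Below is an added example (not code from this thread or from the MongoDB project) that audits a mongod.conf-style fragment for the two settings that together produce a publicly reachable, unauthenticated server: `net.bindIp` on all interfaces and `security.authorization` not enabled. Those two keys are real mongod.conf keys; the two configs are constructed samples, the tiny YAML-subset parser is an assumption standing in for a real YAML library, and `bootstrap_admin_password` is a hypothetical helper showing the "generate a random credential instead of shipping root with no password" idea.

```python
"""Audit a mongod.conf fragment for exposed-by-default settings.

Added example; not code from the original thread or from MongoDB.
Real keys: net.bindIp, security.authorization. Everything else is constructed.
"""
import secrets

# Constructed sample: the "works out of the box from anywhere" config.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: same server, loopback only, authorization required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' subset used by mongod.conf.

    Assumption: this stands in for a real YAML parser so the example has no
    dependencies; it ignores comments and deeper nesting.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith((" ", "\t")):   # top-level section header
            section = key
            conf[section] = {} if value == "" else value
        else:                                  # indented key inside a section
            conf.setdefault(section, {})[key] = value
    return conf


ALL_INTERFACES = {"0.0.0.0", "::"}


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_simple_yaml(text)
    findings = []
    net = conf.get("net", {}) if isinstance(conf.get("net"), dict) else {}
    security = conf.get("security", {}) if isinstance(conf.get("security"), dict) else {}

    # mongod binds to localhost when bindIp is absent, so only an explicit
    # wildcard counts as a finding.
    bind = net.get("bindIp", "127.0.0.1")
    exposed = any(ip.strip() in ALL_INTERFACES for ip in bind.split(","))
    if exposed:
        findings.append("net.bindIp listens on all interfaces")

    unauthenticated = security.get("authorization") != "enabled"
    if unauthenticated:
        findings.append("security.authorization is not enabled")

    if exposed and unauthenticated:
        findings.append("CRITICAL: unauthenticated access from any network")
    return findings


def bootstrap_admin_password():
    """Hypothetical helper: what a tool could do instead of shipping an
    empty-password root account. 24 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
    print("generated admin password:", bootstrap_admin_password())
```

Run as-is it prints three findings for the weak config and `ok` for the hardened one; the point of the last helper is that a random credential generated at first start costs the operator nothing, which is exactly the "no configuration whatsoever" default the comment asks for.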
Rather than regulation, how about trademark-protected certification? I.e., similar to what Underwriter Laboratories ("UL") does for consumer electrical products in the U.S.?
Except rather than the government requiring certification by UL or similar, organizations could simply decide for themselves whether or not to use uncertified products. And perhaps insurance companies could price certification status into relevant policies.
Exposing your database to the internet with default creds is not "standards and best practices" - it's highly negligent, and if you are taking people's money for such a service, I have no pity for you.
Uhh no? The analogy would be that there's some benefit that comes from someone's wallet being destroyed, instead of stolen.
My argument is more akin to a child learning not to leave their bike unattended on a city street corner overnight. I can come by, pick up the bike, and tell you the dangers, but there's only one real way to learn.
And clearly my opinion isn't even close to comparison with somebody being killed in a robbery.
And if they do get 'meowed', lesson well deserved.
Why aren't we applying this same logic to CS topics? It's a vast world out there and much of it's out to get you. Be prepared or die.
I think it is fine to argue that doors should be locked but that doesn't mean that a crime hasn't been committed when someone takes advantage of a situation.
If someone had a list of names/birthdays/SSNs posted on their door, I'm not too unhappy if someone blacks out every line with the word 'meow.'
You are also making a subtle assumption that the service is being administered by a 3rd party. Could be that the service is being administered by the owner of the data.
In any case it is still wrong to delete the data.
While I understand the concern that organizations aren't taking proper care to protect their data I think legitimizing vigilante punishment for those mistakes is a very problematic stance.
What if you just have a toy database for a toy project on the public internet and some jerk just deletes it to "teach you a lesson"? It's like, gee, thanks...
A better example might be a storage unit service that left the front gate unlocked. If someone torches the place to illustrate that they need better security would you be comfortable with that? Isn't there a better approach that we should encourage, or is it OK to encourage people to destroy things that aren't protected to teach people "lessons"?
(I've mostly lived in the northeastern US)
I live in a small (~20k population) rural technically-city (but... it's a town) where crime is not much of an issue; my car sits unlocked in my driveway and I seldom lock my house -- when I do, it's almost always when I'm at home (alone) -- it's about a feeling of security, not any real risk of a break-in. I've lived this way in this town for many years and have never experienced a robbery. I think it's pretty low risk, not irresponsible.
I've also lived in a larger city. There, I absolutely locked my doors. And I've traveled to tourist-y locations known for pickpockets, and kept an even closer watch on my belongings.
The internet is two orders of magnitude larger than the world's largest city and policing it is exceptionally difficult, since it spans national borders. There will be crime.
I wish this weren't the case. I much prefer living in a safe place where I don't have to worry about locking my doors when I go out. But when crime is common, it's negligent not to protect against it.
Whatever analysis you want to put on the situation I don't think it is reasonable to start with the idea that some of the data might not be that valuable.
Or it's data that was gathered (in line of business, for example) and its destruction is anywhere from more secure to an inconvenience.
Or it's data that was aggregated beyond legitimate use (hey, FAANG) and by all means, tear it the hell up and throw it away.
I feel like the wrongness of deleting unsecured data is a pittance compared to the crapload of other wrongs that have been visited upon us 'products' by failures of diligence or desire or consequence.
I would very much like to hear, if it turns out to be so, that the operators of 'meow' are selectively targeting more likely corporate data, especially with customer/user data, but in the end I'm still ok with the idea of burn it all and let the DB vendors and IT staff who let their asses hang out explain why security was so low on their priority lists.
And yes, I'll take some potential difficulties in my own life due to unexpected deletion complications in the process. I'm not asking anyone else to accept anything I'm not going to be okay with myself.
That obviously isn't true. Some data shouldn't exist: CP. Some data can exist, but it's backed-up so well that deletion is never a problem. For example, I'm not going to forget my birth date any time soon! In fact, very little of the information that businesses have about me needs preservation. I remember it all, and if I decide the business still deserves it I can give it to them again.
It is of course possible that some of this data didn't need to be kept private, and therefore shouldn't have been deleted. Maybe some medical researchers had compiled the data they needed to formulate the ultimate cure to COVID-19? (I hope they had anonymized all the patient data!) Until those researchers come forward to lament humanity's loss, I'll just assume that all the "victims" who don't want to go into too much detail about the "lost" data were playing fast and loose with their customers' private information.
> I'll just assume that all the "victims" who don't want to go into too much detail about the "lost" data were playing fast and loose with their customers' private information.
Why the scare quotes? It takes some serious amount of chutzpah to advocate that it is a reasonable assumption to assume the data wasn't important and to use the lack of public complaint as evidence that the data wasn't really important. Why do you even think it was "customer" data?
There's very little a customer can do to determine how or even whether her confidential data is protected. Even if she had this knowledge, in many cases she can't just decide to do business elsewhere. In many cases she was never a customer in the first place! In this context, an open database is like a shoddily constructed tall building that will collapse at the first stiff breeze. It shouldn't exist, and anyone who destroys it upon discovering it is doing humanity a service. Even if the building's owners had somehow kept the general public out (which you'd like us to assume), those owners themselves increased their danger with every bit of data added. Now, since the building has been destroyed, its owners and occupants are no longer in steadily increasing danger.
As much as I agree with all the concerns posted here about how data should be protected better I don't think it is necessary to excuse and legitimize the unauthorized access along the way.
If a business left the store open with the customers' credit card details on display, anyone passing by can go in and copy that info. Someone sees this and burns the exposed records. Perhaps they helped the victim.
Remember no one burned the store down or the table holding the records. They burned only the exposed records.
You are making several unfounded assumptions.
When you state that victims exist or that the data being deleted is important you are also making unfounded assumptions.
You can't have it both ways.
So they did.
Yes they are. The method of the hack was 'simple' to you, but that doesn't mean it's just magically not a hack any more. These are hacked databases.
> The system said welcome what do you want to do? You can read everything or delete everything or add anything.
I don't understand this. Are you suggesting that the attackers were greeted by the database with an English-language legal directive of what legal permissions they had in the database? What do you mean by this statement? Surely the databases said no such thing.
If you're implying that a private door with no lock is not private but actually shared property that can be destroyed or added to in any way, then I think you're wrong. None of this comment makes sense to me. An unsecured database holding private data, or an unlocked door to a private business or building, is not an open legal invitation for vandalism.
Databases do greet users in mostly English. Need help? Type help. On the list of things the system allows, deleting data appeared to be one.
If you knock on a door and the door opens and says welcome what do you want to do (delete data, read data) and you pick delete it doesn't mean it's illegal vandalism.
I very strongly disagree with this. Can you cite somewhere that unauthorized database access is not hacking if there is no password? To me and I think the law that is definitely illegal and hacking.
> If you knock on a door and the door opens and says welcome what do you want to do (delete data, read data) and you pick delete it doesn't mean it's illegal vandalism.
Yes it does! If you don’t have authorized access then that database isn’t yours and entering it is illegal.
Were this sort of attack to become part of the "noise" of the internet (much as the continual bombarding of my SSH ports) then people's databases would get deleted _before_ they contain any meaningful amount of data.
So in practice this sort of gross vandalism is limited to the appearance of such an attack, but not ongoing.
I had this the other day building OS images, which accidentally left the system with a passwordless login. Within less than a few hours it was (presumably) spewing mail or doing awful things -- long before anything went anywhere near production data or any kind of trust.
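The failure mode in that comment (an image that ships with an account that needs no password) is something a build pipeline can catch before the image ever goes online. The following is an added example, not code from the commenter or from any project, that flags empty password fields in an `/etc/shadow` excerpt and checks whether `sshd_config` would expose them with `PermitEmptyPasswords yes`. The shadow file layout and the sshd directive are real; the shadow lines, the hash placeholder and the sshd_config excerpt are constructed samples, and the parser ignores sshd `Match` blocks (an assumption that keeps it short).

```python
"""Flag accounts that can log in with no password before an image ships.

Added example; not code from the original comment. The /etc/shadow and
sshd_config contents below are constructed samples with placeholder hashes.
"""

# Constructed /etc/shadow excerpt. Field 2 is the password field:
#   ''        -> no password required at login (the bug being caught here)
#   '!' / '*' -> account locked, no password login possible
#   '$6$...'  -> hashed password (placeholder text, not a real hash)
SHADOW_SAMPLE = """\
root:$6$PLACEHOLDER$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
builder::19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
"""

# Constructed sshd_config excerpt.
SSHD_CONFIG_SAMPLE = """\
Port 22
PermitRootLogin no
PermitEmptyPasswords yes
PasswordAuthentication yes
"""


def passwordless_accounts(shadow_text):
    """Return usernames whose shadow password field is empty."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed line; not our concern here
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            found.append(user)
    return found


def sshd_option(config_text, name):
    """Effective value of an sshd_config keyword, or None if unset.

    sshd uses the first occurrence of a keyword, so the first match wins.
    Match blocks are ignored (assumption for brevity).
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip()
    return None


def audit_image(shadow_text, sshd_text):
    """Combine both checks into a list of findings (empty list = clean)."""
    findings = []
    empty = passwordless_accounts(shadow_text)
    for user in empty:
        findings.append(f"account '{user}' has an empty password field in /etc/shadow")
    # The empty-password accounts only become a remote problem when sshd
    # is told to accept them; local console login is affected either way.
    if empty and sshd_option(sshd_text, "PermitEmptyPasswords") == "yes":
        findings.append("sshd PermitEmptyPasswords yes: empty-password accounts are reachable over SSH")
    return findings


if __name__ == "__main__":
    for finding in audit_image(SHADOW_SAMPLE, SSHD_CONFIG_SAMPLE) or ["image is clean"]:
        print(finding)
```

Wire `audit_image` into the image build so a non-empty result fails the build; reading the real files is a matter of `open("/etc/shadow").read()` on the mounted image root, which needs root and is left out of the sample so it runs anywhere.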
It could be a person attempting to prevent the data from falling into the wrong hands. Problem is: once it's deleted, you have no idea whether your data was stolen and shared. A better option would be to first send a copy to Have I Been Pwned.
Any entity this irresponsible shouldn’t hold data.
Frankly anyone who is still using MongoDB is professionally negligent and this was if not deserved then certainly inevitable.