
This also affected people who use software for things other than businesses. People with IoT apps for their home, researchers, etc.

Our field is vast and there is a large variance in people just using the basics of CS and those who keep up with standards and best practices, etc.

Your statement is basically akin to someone saying that it’s fine for people to get robbed if they went out with their wallet; or worse... killed.



Yeah. I don't care if some big business loses their Elasticsearch data and their site stops working until they get it secured and re-hydrated with data from their relational database. Good, they learned a lesson.

But I would feel bad if someone's small business had to shut down or lose a bunch of money because they lost all their customer data. I'd feel bad if someone lost all the data they'd been using for a personal project. If they didn't have backups and proper security, shame on them, but ideally they would be contacted and given advice. Ideally, their data would only be deleted if the effect would be minimal.

On the other hand, if this is something that happens consistently -- all unsecured databases get deleted immediately -- maybe the data would be stolen less and everyone would have to learn their lesson early...


> But I would feel bad if someone's small business had to shut down or lose a bunch of money because they lost all their customer data.

Don't. When businesses of any size cut corners and provide services they aren't qualified to provide, it gives them an advantage compared to businesses that try to do it properly. They make more money or charge less and can often outcompete competent owners. They'll also be the first ones to brag about how brilliant they are at business (in my experience).

Small businesses are no exception. Delete away IMO.


Said small businesses might have no idea their data wasn’t secure. That would be on whoever developed their technology, not necessarily the business. Not all small businesses with customer or sales data are technology companies.


Good point. You're right. I was really only thinking about tech companies that are doing their own deployments, but I guess there's plenty of room for collateral damage where people don't deserve it.


Seems like a lost opportunity to have a more nuanced position here. And when you can't think of a single case that could make you feel bad for someone, it's usually a sign that you don't have one.


I’d feel bad if someone’s hobby project was deleted. Small businesses losing customer data is only slightly more sympathetic than people getting sick because they didn’t think the health code applied to them.

If you collect it, you need to be responsible for keeping it safe. Anything affected by this is already exposed and has to be assumed to have been breached.


What if it was a small business's inventory data rather than customer data?

Seems to me, there are a lot of things businesses could store in a database which don't necessarily need to be private, or which at worst won't harm anyone other than the database creator if exposed.


That’s why I was specific about customer data: it’s basically a question of who’s harmed - if the cost is borne by the person cutting corners it’s more of a self-correcting problem.


It's not a matter of "cutting corners." Think of all of the small businesses that recently moved online due to store closures. These businesses simply do not have the budget required to create something comparable to, say, Best Buy's e-commerce. Sure, Shopify might come close, but how do you think Mom and Pop will find and create an e-commerce solution?


That’s the very definition of cutting corners. If they aren’t confident of their ability to operate safely they need to either hire a professional or go without - just as not wanting to pay a plumber doesn’t exempt you from meeting the health code, and saving on accountants won’t be a get-out-of-jail-free card when you get audited.

If it sounds like I’m unsympathetic, yes, that’s true. Playing around with building your own database is a good learning experience but that changes once you expose other people to your mistakes. I’ve also dealt with a few small businesses and the people trying to run a business like this are always trying to save a buck - they’re the same ones who stiff contractors, avoid paying overtime, do their own taxes creatively, etc. If you have a successful business, you’ll drop a few bucks on Shopify, Wix, etc. to focus on the business rather than a distraction.


Think how easy it is to take advantage of grandma for "tech support," whether it be from India or at a seedy computer repair shop. It wouldn't surprise me to hear that the majority of small business owners have never heard of Shopify or Wix, as they are more likely to turn to someone they trust, whether that be a "tech-literate" cousin or a local service. Keep in mind that many of these businesses didn't even have websites a few months ago, let alone e-commerce solutions. Not everyone lives in SV or NYC and is perennially exposed to their ads.

I agree that these businesses shouldn't be doing this by themselves, but the tech industry shares some culpability. It should be ingrained in people's heads to think of security first. Most people outside the SV bubble are still using [SO or pet's name]123 as their password. I go to a university in NYC. I've tried to convince several (college) friends to use password managers to no avail. This isn't just a problem endemic in old people. Someone needs to "mainstream" good security. A good start would come from, say, Apple, by including security keys with new iPhones, as much of a pipe dream as that might be.


Personally I hope this becomes so commonplace that it doesn't even make the news.

Like the old days with Slammer or Code Red.

It took 13 seconds for a freshly installed windows box to be owned when it was put online. Let those days return.


> Yeah, I don't care if a big chain restaurant is closed down for having too poor hygiene. But I would feel bad if someone's small restaurant had to shut down because the cook doesn't bother to wash his hands at work.

If you are holding other people's data for them, you have a responsibility to do your best to keep the data safe. If you don't know how to do that and don't have time to learn, you can hire someone who is more knowledgeable.


And what about the responsibility to not destroy someone's property?

Do you have the same opinion about shoplifters walking away with merchandise? Would your argument be that there should be armed guards and searches in every retail store? Isn't it reasonable that a thief be criticized and penalized for their actions even if the theft was "easy" to commit and is it OK to blame the victim for not being prepared?


Agree with nkrisc -- this is like, if I contracted with a storage company, and then my stuff was vandalized because the company's "secure storage location" was an unlocked box out on the sidewalk. Obviously the vandal is directly to blame, but it's also absolutely negligence from the company.

I'm sympathetic for the people who were only storing their own data, but not for companies that failed to safeguard their customers' data. If I borrow stuff from friends, I take better care of it than if it were mine. I hold companies to the same standard.


I'm not trying to disregard the negligence concern but I am trying to ensure that the perpetrator is also called out. Several of the top rated comments on this article are praising the perpetrator.


You will notice that in my post I'm not defending the people behind the meow attacks. I agree, they are very much in the wrong.

But being careless with other people's data is also wrong and we should not feel bad for companies whose negligent practices backfire on them. That is what I was trying to highlight with my analogy.

Like bacteria, there will always be bad actors trying to exploit poor security. If not these attackers, then someone else. That is why we have security measures.

The people we should feel bad for are the individual customers affected.

P.S. Also, there is a big difference between being careless with your own property (your analogy) and someone else's property/data/wellbeing (my analogy and the case at hand).


But it's my personal and sensitive data that they are poor stewards of, not their property.


I agree but I don't think that changes my point that the person who destroys the data has more culpability than the storage service in the destruction of the data.

There tends to be a pass given to people destroying data and I don't think that is right.


I agree, but I think it's beside the point.

As engineers we have to assume that there is always someone out there looking to break into our systems. We don't get to blame them for our failure to secure our systems.

For us to be angry at the hackers is as fruitless as it would be for the unhygienic cook to be angry at the bacteria.


Why are you making the assumption that I'm making the point "as an engineer" as opposed to just a citizen who thinks it is reasonable to expect people not to destroy something that doesn't belong to them?

Your analogy about bacteria doesn't make any sense, we don't expect the bacteria to be actively seeking out unhygienic cooks. If you want to use your analogy it would be like having someone shake the cook's hand in order to put a mild irritant on their hands so that when they prepare food without washing or gloving their hands the irritant is spread to the food, thus highlighting the fact that the chef wasn't following good hygiene. Would you expect that behavior to be excused? Would you be OK with that if you were the one throwing up?


You're presumably an engineer, I'm an engineer, this is an engineering forum. That is why I may have "assumed you made the point as an engineer".

It sounds as if you think I'm defending the attackers. I'm not. I'm pointing out that the presence of malicious actors is a fact of life on the Internet, like it or not.

I'm not going to take my analogy further. I think it's reasonably clear what I meant.


I'm not sure wiping out data from these unsecured databases is the answer, but even for amateur installations which have data of no relevance, the database could be used for nefarious things or the machine it runs on could be taken over and used for things such as DDoS attacks.

In that sense, receiving a strong notification that your compute is available to anyone and you should secure it is a good thing.


This is more akin to a person knowing the basics of driving a car but not which side of the road to use or what to do at a traffic light. They are a danger to themselves and others, the others in this case being the users of whatever services the unsecured databases provide.

My sympathy for people learning the basics of our field and missing a few points stops when others are harmed.


Although the parent's analogy is arguably flawed, there's a very good point in the fact that there are users who are not involved in the implementation of the service - "People with IoT apps for their home". They're not drivers, to follow the driving analogy.

It's unrealistic to expect that the population at large starts to pay significant attention, in particular because the services/gadgets are a black box. How does one know if a device is safe? A layman surely can't; even somebody who's "just a dev" likely can't.

Given the large-scale nature, probably some form of regulation would be the most realistic mitigation. Following the analogy, such users are taxi clients, and for similar reasons, taxis are regulated.

With that in mind, certainly the engineering side of the equation should be held accountable. But it seems that the market is not punishing it at all.


Yup. My point is some people might not even know that their database is accessible from the web lol. It’s pretty easy to follow a tutorial or get something OOTB that’s not secure, so we shouldn’t be saying we’re glad this happened. Even if it’s big businesses, what if said businesses were storing important data such as health records?

I think the learn by failing is a good mentality but was hoping we can be mindful of the fact that this harms more than just the “big bad man”

Edit: Addendum for a more thoughtful discussion, it would be great if these databases and tools provided some default security OOTB requiring no configuration whatsoever. Example: rather than creating a user and password with root, I’d rather have some CMS site generate a random one!


Legislation is just so far behind. User data is useful, but there should be requirements before you can just accumulate it. Cars are useful too but require a licence and insurance to drive.


> Given the large-scale nature, probably some form of regulation would be the most realistic mitigation.

Rather than regulation, how about trademark-protected certification? I.e., similar to what Underwriter Laboratories ("UL") does for consumer electrical products in the U.S.?

Except rather than the government requiring certification by UL or similar, organizations could simply decide for themselves whether or not to use uncertified products. And perhaps insurance companies could price certification status into relevant policies.


IoT is unlikely to be affected, unless the device goes out of its way to expose its database via UPnP.


This is my thought - why would an IoT device expose a database publicly? And if so, shouldn't the companies producing those devices not be following such bad practices? Maybe the consumer who bought such a device should go to the manufacturer and complain about being sold an inherently insecure device.


Just because it's offering some useful service doesn't indemnify the ownership from the bad methods they use to deliver the service.

Exposing your database to the internet with default creds is not "standards and best practices" - it's highly negligent, and if you are taking people's money for such a service, I have no pity for you.
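The two comments above (the wish for secure defaults that need no configuration, and the point that an internet-exposed database with no credentials is negligence) both come down to one checkable misconfiguration: a listener bound to every interface while authentication is off. As an added example that is not part of the thread and not any commenter's code, here is a small self-audit that flags exactly that pattern in an Elasticsearch `elasticsearch.yml` or a `mongod.conf`. The option names (`network.host`, `http.host`, `xpack.security.enabled`, `net.bindIp`, `net.bindIpAll`, `security.authorization`) are the real ones; the sample configs are constructed, and the parser deliberately covers only the YAML subset these two files actually use.

```python
"""Added example (not from the thread): audit an Elasticsearch or MongoDB config
for the exposure pattern behind the Meow wipes -- a listener bound to every
interface with authentication left off. Sample configs below are constructed."""
from __future__ import annotations


def _scalar(value: str) -> str:
    """Normalise a YAML scalar or inline list ('[a, b]') to a comma-joined string."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        items = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        return ",".join(items)
    return value.strip("'\"")


def flatten_yaml(text: str) -> dict[str, str]:
    """Flatten the YAML subset these configs use (nested mappings, scalars, '#'
    comments) into dotted keys, e.g. {"net.bindIp": "0.0.0.0"}.
    Deliberately not a full YAML parser; use PyYAML for anything richer."""
    flat: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, dotted prefix) of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:  # leave mappings we have out-dented from
            stack.pop()
        full = (stack[-1][1] + "." if stack else "") + key.strip()
        if value.strip():
            flat[full] = _scalar(value)
        else:
            stack.append((indent, full))  # mapping header: its children follow
    return flat


# Values that bind every interface. Both products bind loopback only when the
# key is absent (Elasticsearch: _local_; mongod 3.6+: 127.0.0.1), so None is safe.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}
TRUE_WORDS = {"true", "yes", "on", "enabled"}


def _binds_public(value: str | None) -> bool:
    return value is not None and any(a.strip() in PUBLIC_BINDS for a in value.split(","))


def _is_true(value: str | None) -> bool:
    return value is not None and value.lower() in TRUE_WORDS


def audit_elasticsearch(text: str) -> list[str]:
    cfg = flatten_yaml(text)
    exposed = _binds_public(cfg.get("network.host")) or _binds_public(cfg.get("http.host"))
    # Left unset, 7.x runs with security off; 8.x enables it by default.
    security_on = _is_true(cfg.get("xpack.security.enabled"))
    findings: list[str] = []
    if exposed and not security_on:
        findings.append("elasticsearch: REST API bound to all interfaces with "
                        "xpack.security.enabled not true: anyone can read, write or delete indices")
    elif exposed:
        findings.append("elasticsearch: bound to all interfaces; confirm it sits behind a firewall/TLS")
    return findings


def audit_mongodb(text: str) -> list[str]:
    cfg = flatten_yaml(text)
    exposed = _binds_public(cfg.get("net.bindIp")) or _is_true(cfg.get("net.bindIpAll"))
    auth_on = cfg.get("security.authorization", "disabled").lower() == "enabled"  # default: disabled
    findings: list[str] = []
    if exposed and not auth_on:
        findings.append("mongod: listening on all interfaces with security.authorization disabled: "
                        "unauthenticated clients get full access")
    elif exposed:
        findings.append("mongod: bound to all interfaces; confirm firewall rules and TLS")
    return findings


# Constructed sample configs (not taken from any real deployment).
ES_EXPOSED = """\
cluster.name: shop
network.host: 0.0.0.0          # reachable from the whole internet
http.port: 9200
xpack.security.enabled: false  # no auth: a DELETE request works for anyone
"""
ES_HARDENED = """\
cluster.name: shop
network.host: 127.0.0.1
xpack.security.enabled: true
"""
MONGO_EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
MONGO_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, audit, cfg in [("elasticsearch exposed", audit_elasticsearch, ES_EXPOSED),
                             ("elasticsearch hardened", audit_elasticsearch, ES_HARDENED),
                             ("mongod exposed", audit_mongodb, MONGO_EXPOSED),
                             ("mongod hardened", audit_mongodb, MONGO_HARDENED)]:
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run it against your own `/etc/elasticsearch/elasticsearch.yml` or `/etc/mongod.conf` by reading the file into the matching `audit_*` function. A clean result only means the config is not the obvious footgun; it says nothing about what a cloud security group or a reverse proxy in front of the service permits, so check those too.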


>Your statement is basically akin to someone saying that it’s fine for people to get robbed if they went out with their wallet; or worse.. killed.

Uhh no? The analogy would be that there's some benefit that comes from someone's wallet being destroyed, instead of stolen.


I’d say it’s closer to leaving your wallet on the street. If you don’t care to protect it you should assume someone will fuck with it.


If you can't or don't know how to secure it, it shouldn't be online.

My argument is more akin to a child learning not to leave their bike unattended on a city street corner overnight. I can come by, pick up the bike, and tell you the dangers, but there's only one real way to learn.

And clearly my opinion isn't even close to comparison with somebody being killed in a robbery.


Just putting a password on a database is more than a 'standard', it's truly common sense. Really, even a beginner should think of this. Otherwise they shouldn't be messing with this stuff.

And if they do get 'meowed', lesson well deserved.


Would you send or let people venture out into the Wild West in its heyday unprepared and unequipped?

Why aren't we applying this same logic to CS topics? It's a vast world out there and much of it's out to get you. Be prepared or die.


That's not a good argument, inexperience does not excuse exposing user data.



