> Comparitech conducts security research that entails scanning the web for exposed databases. When we uncover a database that hasn’t been properly secured and allows unauthorized access, we immediately notify the owner.
Germany, the government, does this. They routinely scan systems in Germany and alert the owners to security issues.
I wonder if this is something all governments should do. I'm not convinced yet, but heavily leaning toward the view that it is something governments should do.
Exposed servers are a national security risk. They are a risk to public safety. Governments are there to protect their citizens.
Being from Germany I never heard about government-based security checks. IT-wise our government doesn't make a very competent impression. Do you have any background info on this?
I remember receiving an email from the BSI ("Bundesamt für Sicherheit in der Informationstechnik"; English: "Federal Office for Information Security") regarding a misconfigured NTP server that could be abused for NTP reflection attacks.
The functions of the BSI are explained in English here [1] based on the following law [2]. I guess initiatives such as informing about the NTP problem fall into what is listed under §3.2.
They pretty quickly send you emails once your email comes up in the whois of a domain that’s pointing to an IP in the allocation space of German companies.
The German government has contributed the base layer to OpenStreetMaps, and uses it for their official parcel/lot line maps. It is much better than the janky pile of crap Esri dumps on most counties in the USA.
Are we sure the governments don’t already do this? The difference between the US and Germany is that the NSA doesn’t alert the company there’s a security hole. The NSA has been found multiple times to be exploiting exploits under the pretenses of catching terrorists.
Arguably, by not telling companies about holes in their systems, they are doing the exact opposite of what they were founded to do: secure the US.
Some government -- anywhere in the world -- should offer a responsible disclosure service. You disclose to them a vulnerability, anonymously (e.g. via Tor) if you prefer, then they notify the target and impose a reasonable remediation deadline before publication.
And then they would all do it because everyone would prefer that they rather than a foreign government are the ones holding 0-days during the remediation period.
In the Netherlands there is the NCSC (National Cyber Security Centre). They also scan the internet:

> It continuously monitors all (potentially) suspect sources on the internet. When it identifies a threat (such as a virus or an attack on a website), it alerts public authorities and organisations.

and can act as a mediator:

> If you discover a security flaw in another government body (such as a municipality or province) or in an organisation with a vital function (such as an energy or telecoms company), please contact the body or organisation first. If you receive no response, please notify the National Cyber Security Centre, which will mediate between you and the body or organisation concerned.

with an anonymity guarantee:

> The government treats the notifications it receives confidentially. It will not share your personal details with third parties without your permission unless required to do so by law or a court order.

while avoiding court cases for doing your civic duty:

> When you report the security flaw, check that you comply with the conditions described above. If you do so, the government will not attach any legal consequences to your notification.
I wonder if Adobe executives are aware of what kind of image their company has.
How long before Adobe reaches the Oracle stage of dickheadedness where phasing out all their products can be found in large companies' (non-public) strategy plans.
In favor of what, though? You can replace Premiere with Avid and InDesign with Quark, but what replaces After Effects? Photoshop? Illustrator? And for the professionals that depend on these tools, retraining is a major pain, equivalent to saying to an experienced vim user that they have to switch to BBEdit.
I was a bit surprised to find that quite a few of my friends who traditionally used Photoshop and Illustrator in their work either have transitioned to Affinity products, or are making a conscious effort to look for alternatives. I would have thought it would take longer and/or that people would be extremely tied to their tools.
But you do make a point. Often there is no obvious alternative. And changing tools has a cost.
Mostly because they want to pay for software and then not have it stop working on them for silly reasons, but also due to a general "bullshit fatigue" with Adobe. It isn't a company that cares a great deal about its users.
I did something similar a few years ago. After Oracle ended up buying Sun, I really wanted to stop using Java since I didn't feel Oracle was a company that I would want to do business with.
However, it took me several years to transition away from Java. I really liked Java. Finding a new programming language that is suitable for the kind of work you do, has enough of a community etc. isn't just a matter of deciding to move. You need somewhere to move to. Eventually Go evolved to where it fit my needs really well, so I managed to make the transition. 2-3 years later and I haven't touched Java since. (Which was somewhat unexpected. I didn't expect changing languages would be that fast, but it coincided well with new projects etc).
As for switching editors, VSCode managed to attract 2.6M monthly users in roughly 2 years. If you believe estimates of how many developers there are in the world, and you squint a bit when comparing numbers, that's roughly in the neighborhood of 10% of the global developer population.
My intuition says you are right. The data seems to suggest it wants to disagree with both of us :-)
Another really good reason to hate these grafted on service models. After all, if you just bought a license and installed the software on your own machine at least you wouldn't have to worry about this kind of stuff. It's clear beyond a shade of doubt that even the largest companies can't be trusted to be good stewards of your data.
Sure, but that's arguing from results and you can justify an awful lot of terrible stuff like that.
Interactions between people can to a large extent be governed properly by utilitarianism, but as soon as you bring in stock price as the arbiter then you're very far from safe ground. After all, in times of war the stock price of weapons manufacturers will go up, but that does not mean that the net utility gain is positive.
I'm not justifying what they did here and I get your position. I'm thinking about the motivation, progression, etc. The upside of ignoring proper security seems to outweigh the downside. Target, for example, is doing just fine. Despite their tepid response to an egregious mistake. The consequences seem paltry.
Well, they could have done that proper security and their stock price would be just as good. I think long term the only thing that will take care of these excesses will be an American version of the GDPR or something to that effect.
Microsoft and Apple are already calling for this, it's a matter of time.
> After all, if you just bought a license and installed the software on your own machine at least you wouldn't have to worry about this kind of stuff.
I don’t believe that to be true. Sure, maybe if you bought boxed software from a physical store the opportunity for data breach is limited to your name and credit card information. But if you bought a license online to download you would still have the same risk of information breach as we see here. During checkout to buy the license I’m sure they wouldn’t collect some combination of email address, license purchase date, address, CC number, etc.
Adobe hasn't learned... I still get spam to myusername+adobe@mydomain.net (or occasionally, adobe@mydomain.net if the spammers' email parser is dumb) to this day, to the point where I've had to blacklist that address.
"The exposed user data wasn’t particularly sensitive, but it could be used to create phishing campaigns that target the Adobe users whose emails were leaked. The following user data was included:
Email addresses
Account creation date
Which Adobe products they use
Subscription status
Whether the user is an Adobe employee
Member IDs
Country
Time since last login
Payment status
The data did not include payment information or passwords."
7M is way - really, way - above the disclosure floor, so in the EU at least they will have to do a proper disclosure to the various DPAs.
One document I read put the lower floor at 5 records for a 'major breach' so I would very much caution against trying to wipe this sort of thing under the carpet. That's the best way to find out how serious the EU is about those fines. That and repeats while ignoring previous DPA instructions.
Well, putting in place authentication can indeed be difficult, but making the ELK nodes only accessible by a limited set of IPs (preferably private ones) instead of being directly public-facing should reasonably be expected.
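As an added illustration of that point (not configuration from the article, from Comparitech or from Adobe), here is the shape of an Elasticsearch `elasticsearch.yml` as it is typically found on exposed clusters, beside a hardened version. The private address 10.0.1.10 is an assumed placeholder, and the `xpack.security.enabled` default of `false` assumes a 7.x node on the basic licence; 8.x turns security on by default.

```yaml
# Exposed: what internet-wide scanners find. Binding to 0.0.0.0 puts the
# HTTP API on every interface, and with security off anyone who can reach
# TCP 9200 can list, read and delete every index without credentials.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# Hardened: bind only to the private interface (10.0.1.10 is an assumed
# placeholder), keep the port where it is, and require authentication.
# Back this with a host firewall rule that accepts TCP 9200 only from the
# subnets that host the application and Kibana, so the node stays
# unreachable even if the bind address is later changed by mistake.
network.host: 10.0.1.10
http.port: 9200
xpack.security.enabled: true
```

The bind address alone is the cheap, low-risk change the comment above argues for; enabling `xpack.security.enabled` additionally requires creating users and, on multi-node 7.x clusters, configuring transport TLS, which is where the "authentication can be difficult" part comes in. A quick self-check after the change is to request `/_cat/indices` from a host outside the allowed subnet and confirm the connection is refused rather than answered.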