Why are so many MongoDB databases left unsecured? Are they extraordinarily hard to secure? I imagine the people who are working with these databases must be aware of the numerous leaks, and pay close attention to securing the data, no?
Historically, MongoDB was unauthenticated and insecure by default. Because that's always a good idea.
You should never assume anyone is going to use your product in a secure fashion, and make it so that they have to at least make _some_ effort towards security.
Other than that, writing new features is fun, and you can get so many developers (that don't think about security) for the same amount of money as a good security professional, or a developer with even half an ounce of security sense, commands.
Security is always inconvenient, takes extra effort, and is invisible. So many companies and managers deprioritise it over more visible feature work, forgetting that security in and of itself IS a feature.
A lot of databases have this weird idea that there is some secure "internal network" and it's OK to just pretend it's 1995 in there. Antirez actively blogs about how "insecure" Redis is but it's OK because just don't put it on the internet [1]. Others just avoid the subject completely. Never mind that internal networks get infiltrated all the time.
Security in depth is just not a thing a lot of people think about right now.
Okay, let's be fair, and I'm sure you realize this: having network ACLs that prevent unauthorized access is absolutely a good idea. "Internal networks" are not dead - they've become more advanced with "VPC" services and software defined networking.
Tunnelling Redis protocol over mutual TLS or something like that sounds like a good idea, but I don't think I've seen anyone doing that :(
Frankly, I would love it if there were a simple, open standard for authentication so every database didn't have to redo it. Maybe mutual TLS is that answer, though traditionally getting the infrastructure for that correct has been difficult.
Because if you make any mistake at all Redis will allow you shell access to the machine. This is not a theoretical attack; Antirez tells you how to do it in his blog post.
And as you said, nobody bothers to tunnel with TLS. You're lucky if they even use a password.
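The "any mistake at all" above is concrete: with no password and a reachable port, a client can `CONFIG SET dir` / `CONFIG SET dbfilename` and `SAVE` to drop a file wherever the Redis process can write. The following is an added example (not code from the thread, from Antirez's post, or from Redis itself) that audits a redis.conf for exactly those settings: bind address, protected-mode, requirepass, and whether CONFIG/DEBUG/MODULE/SLAVEOF/REPLICAOF have been disabled with `rename-command`. The directive names are real redis.conf keywords; the two sample configs, the 16-character password threshold and the severity labels are my own assumptions.

```python
"""Audit a redis.conf for the settings that turn an exposed Redis into a shell.

Added example for this thread; not Redis project code. Directive names are
real redis.conf keywords, the sample configs below are constructed.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Commands used in the file-write / code-execution path; disable with `rename-command X ""`.
# (Redis 6+ ACLs can also do this per user; rename-command is the portable knob.)
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "MODULE", "SLAVEOF", "REPLICAOF")
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
MIN_PASSWORD_LEN = 16  # assumption, not a Redis rule; AUTH is brute-forceable at high rate


@dataclass
class Finding:
    severity: str
    message: str


@dataclass
class RedisConfig:
    bind: list[str] | None = None            # None = no `bind` line = all interfaces
    protected_mode: bool = True              # Redis >= 3.2 default
    requirepass: str = ""
    disabled: set[str] = field(default_factory=set)  # rename-command X ""
    renamed: set[str] = field(default_factory=set)   # rename-command X <something else>


def parse_redis_conf(text: str) -> RedisConfig:
    """Minimal redis.conf reader: one `directive arg...` per line, '#' comments, shell-style quoting."""
    cfg = RedisConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the "" in `rename-command CONFIG ""`
        directive, args = parts[0].lower(), parts[1:]
        if directive == "bind":
            cfg.bind = args
        elif directive == "protected-mode":
            cfg.protected_mode = args[:1] == ["yes"]
        elif directive == "requirepass":
            cfg.requirepass = args[0] if args else ""
        elif directive == "rename-command" and len(args) == 2:
            cmd, new_name = args[0].upper(), args[1]
            (cfg.disabled if new_name == "" else cfg.renamed).add(cmd)
    return cfg


def audit(cfg: RedisConfig) -> list[Finding]:
    findings: list[Finding] = []
    remotely_reachable = cfg.bind is None or any(a not in LOOPBACK for a in cfg.bind)
    # Protected mode only refuses non-loopback clients when *both* bind and requirepass are unset;
    # a single `bind 0.0.0.0` line (the usual "fix" for a connection error) switches it off.
    if cfg.bind is None and cfg.protected_mode and not cfg.requirepass:
        findings.append(Finding("info", "relying on protected-mode; adding any `bind` line opens the port"))
        remotely_reachable = False
    if not cfg.requirepass:
        findings.append(Finding("critical" if remotely_reachable else "medium",
                                "no requirepass: any client that can reach the port has full control "
                                "(CONFIG SET dir/dbfilename + SAVE writes files as the redis user)"))
    elif len(cfg.requirepass) < MIN_PASSWORD_LEN:
        findings.append(Finding("high", "short requirepass; AUTH can be brute-forced at high rate"))
    if remotely_reachable:
        findings.append(Finding("high", f"listens on non-loopback address(es) {cfg.bind or '(all)'} in cleartext; "
                                        "bind to 127.0.0.1 and tunnel with spiped/stunnel or TLS"))
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in cfg.disabled and cmd not in cfg.renamed:
            findings.append(Finding("medium", f'{cmd} reachable under its real name; add `rename-command {cmd} ""`'))
    return findings


def audit_conf(text: str) -> list[Finding]:
    return audit(parse_redis_conf(text))


# Constructed samples: the config that ends up on the internet, and a locked-down one.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

HARDENED_CONF = """
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass 0f2d7c4e1b9a6e3d8c5f1a2b4d6e8f0a
rename-command CONFIG ""
rename-command DEBUG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit_conf(conf) or [Finding("ok", "no findings")]:
            print(f"[{f.severity}] {f.message}")
```

The hardened sample binds to loopback only, which is what makes the spiped/stunnel pattern mentioned later in the thread work: the tunnel terminates on the box and talks to Redis over localhost, so nothing on the network ever sees the Redis protocol.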
Yeah exactly; which is why ideally, the container or box running Redis:
- Has practically nothing other than Redis on it.
- Has Redis running with minimal permissions and capabilities.
- Has no ability to make outgoing connections.
Which I'd say is vital security practice for anything running in production.
Few people will bother with TLS and you can see that based on the fact that I don't think cloud providers generally support it, but I personally did do this with stunnel at one time. Apparently Redis now recommends spiped, which looks good to me.
On an isolated network, even the compromise of a low level user/service account of a device/VM/container on that network gives you keys to the kingdom. A layered approach slows down or brings the penetration to a halt allowing time for detection and remediation.
In practice, people using AWS, GCP, Digital Ocean, etc. have options for setting more detailed network ACLs. Kubernetes implements a primitive called Network Policies that can also implement network ACLs, if you are running that.
In my opinion network ACLs are a pretty important part of a modern defense in depth, though you are absolutely right in that these measures are far from a panacea and usually only slow down horizontal movement.
They were (for a long time) default-no-auth; that's why.
Someone in a semi-technical role started one up, dumped a bunch of data on it, and it got left publicly accessible.
The problem is for people to be aware of the leaks, they need to be thinking about security at all, and I'd wager in most cases of mongo-based leaks, that wasn't even a consideration of the people who set them up.
That was my initial thought as well seeing as you can freely and anonymously discuss. But perhaps it's in the government's interest to have the people openly criticize these capitalist practices that have a negative impact on public health?
Regarding being labelled a right winger: not necessarily the case. The most left-wing political party in Sweden is against the EU, the Euro, and has a long term goal for Sweden to exit the EU. They "criticize EU for prioritizing the European single market's interest over the environment, public health, worker and consumer interests" [0]
I thought so too, but for some reason they're actually using CJK Unified Ideograph U+4E00, 一, which is the Chinese (also used in Japanese) character for 1...
What about doing A/B testing with say $5 vs $7.5 for a product? The people who bought it for $7.5 will feel cheated when they find out it cost someone else $5. But at the time of purchase the product was seemingly worth $7.5 to the customer who paid for it. Isn't it fair to pay in relation to how much you value a product?
SKAT... When paying my taxes in Denmark using a foreign bank I have to manually "enter my CPR number and describe what the payment is for" in the message field.
> Court documents[0] reveal Durachinsky wasn't particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children.
Well the relevant thing here is that he still had the pictures on his computer. Maybe he was taking pictures of 15-year-olds when he was 14 or whatever, but they arrested a 28-year-old man whose hard drive was full of images of people that are at most 17 years old.
This is a computer guy. Nobody would be surprised if he had spare hardware lying around from as far back as the 90s. If he just quick-formatted a bunch of spare drives and tossed them on a shelf years ago any forensics software would find what was on them before he formatted them. Considering that he's been collecting pictures since he was 14 I think it would be hard not to get him for possession if he's a hardware pack-rat.
That's a good point. I would probably forget about old drives as well - I thought they found the pictures on an active drive but realise now that this was a baseless assumption.
To be clear, I mean that the way US laws are enforced, to the best of my knowledge, being underage yourself doesn't mean you are off the hook for having underage material.
I'd be interested to learn if this isn't the case.
> Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.
From the press release[0] posted elsewhere in this thread
> The perspective as to what's going on with this demo is much different if you actually play the game. It's a strategy low skilled players engage in with the hope of overwhelming opponents with brute force. The character restrictions favor it.
As a dota player who has been in the 99.5th percentile mmr on several occasions (right now at 98th) I disagree with this and a lot of the stuff you're trying to say. Dota is a strategy game, and the meta dictates what strategies are strong at a given point in time. The death ball strategy that the bots played is a result of that being the best strategy in the bot meta. So in contrast to what you said, it's not low skilled players that play these strategies, but rather high skilled players that play whatever strategy is popular in the meta (regardless of how 'intelligent' it is), in order to increase the chances of winning.