Slashdot Mirror


HIV Dating Company Accuses Researchers of Hacking Database (csoonline.com)

itwbennett writes: Slashdot readers will recall the story posted last week about the misconfiguration of the MongoDB database that powers Hzone, a dating app for the HIV-positive, and the ensuing threat of HIV infection the company hurled at DataBreaches.net, who sent the notification. (Hzone later apologized.) But that's not the end of the story. Among other twists and turns that point to a CEO who was in way over his head, in several emails to Dissent, the admin of DataBreaches.net, Hzone CEO Justin Robert accused Dissent of changing the Hzone user database. But follow-up emails suggest that the company couldn't tell what was accessed or when, as Robert says Hzone doesn't have 'a strong tech team to maintain the site.'

71 comments

  1. That's a first by Anonymous Coward · · Score: 3, Informative

    I know this warning is unnecessary here, but do not follow the second link in the summary (same as the one under the title). This is the first time a /. summary has been better written than the source article.

    What content there was to be found between the typos and grammar errors indicated that the immunocompromised dating site owners are incompetent, sue happy, and really bad liars. (A fairly common combination, so nothing unusual there.)

    1. Re:That's a first by Anonymous Coward · · Score: 0

      It's itwbennett. What do you expect?

  2. "Researchers" by Anonymous Coward · · Score: 0

    How long will Slashdot keep up this stupid practice of calling people who illegally hack into computer systems, "researchers"?

    You are a researcher if you buy the software, install it, and then see what you can do. If you try to get into a system belonging to someone else, you are a fucking criminal.

    The Hypocrisy of it all is sickening.

    1. Re:"Researchers" by ls671 · · Score: 1

      But, but, I have plenty of requests hitting my web server that have user agent strings matching "*research*", same for some abuse contact addresses for the IP (whois lookup) and they don't even set the evil bit so I thought it was OK to let them through.

      Do you mean I should block those requests?

      --
      Everything I write is lies, read between the lines.
    2. Re:"Researchers" by DarkOx · · Score: 1

      The Hypocrisy of it all is sickening

      While I am inclined toward agreement with you, where exactly is the hypocrisy? Researchers in other fields have a long history of being caught doing things that were illegal or determined to be unethical. We can and do call them criminals; I am not sure we stop calling them scientists and researchers. It seems very possible to me to be both a criminal and a researcher.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:"Researchers" by NatasRevol · · Score: 1

      And what if there's a clearly open port that provides unfettered access?

      Say port 80 brings up phpMyAdmin and is configured to allow access without a password?

      Is this criminal or just browsing their website?

      Failure to properly and fully secure your externally facing computers is your fault and anyone accessing it has every right to. It is NOT synonymous to leaving your door unlocked.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:"Researchers" by Nidi62 · · Score: 0

      Failure to properly and fully secure your externally facing computers is your fault and anyone accessing it has every right to. It is NOT synonymous to leaving your door unlocked.

      Ok, so it's more like walking down the street, seeing a front door someone left open, and going inside and looking around. Still wrong.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    5. Re:"Researchers" by Anonymous Coward · · Score: 0

      And what if there's a clearly open port that provides unfettered access?

      Say port 80 brings up phpMyAdmin and is configured to allow access without a password?

      Is this criminal or just browsing their website?

      Failure to properly and fully secure your externally facing computers is your fault and anyone accessing it has every right to. It is NOT synonymous to leaving your door unlocked.

      Sure it is. If I leave my door unlocked... who said you can go in?

    6. Re:"Researchers" by Anonymous Coward · · Score: 0

      Oh yes I forgot we must use emotive language everywhere in order to keep people in line. It's only science if it's ethical, and any deviation from adoration for government/capital is by definition mental illness.

      Look I think people who break into other people's systems FOR RESEARCH PURPOSES LOL are cunts, but it doesn't mean that they're not researching.

    7. Re:"Researchers" by Anonymous Coward · · Score: 0

      I don't know. How long will morons keep pretending that if we shun and punish those who disclose vulnerabilities, the vulnerabilities won't be exploited by malicious actors?

    8. Re:"Researchers" by Anonymous Coward · · Score: 0

      Really don't know what to say to cunts like you except that I hope someone breaks into your home and burns you alive in your bed.

    9. Re:"Researchers" by sycodon · · Score: 0

      Western Civilization is based on a fairly simple precept...you don't mess with people or their shit. Even if they leave that shit accessible, the door unlocked, etc. It's not yours, so don't fuck with it.

      If you DO fuck with either, it's our right to fuck you up, either through the system or personally (certain restrictions apply).

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    10. Re:"Researchers" by Anonymous Coward · · Score: 0

      You are a researcher if you buy the software, install it, and then see what you can do. If you try to get into a system belonging to someone else, you are a fucking criminal.

      The Hypocrisy of it all is sickening.

      Yes, stupidity and hypocrisy such as yours is very sickening.

      Analogy:

      I purchase my very own door lock (wow, just as you said I should!) and discover it is vulnerable to a simple attack.

      Later you go around the Internet bragging about owning that same lock. I reply telling you that brand of lock is fucked and you may want to think of switching.

      Then your stupid ass claims I broke into your home, despite the fact I never touched your home or your lock, because you are too stupid to realize you do not own the one single sole existing version of that brand of lock, but MANY people do.

      So fuck off troll, and stop criminally slandering people who have done nothing but point out your stupidity.

    11. Re:"Researchers" by dissy · · Score: 2

      You are a researcher if you buy the software, install it, and then see what you can do. If you try to get into a system belonging to someone else, you are a fucking criminal.

      You are aware the researcher simply saw a "HIV dating site database dump.zip" up on bittorrent and decided to inform the site owner that he may want to check that shit out to see if it is theirs and if so maybe fix their site up, right?

      If I found something of yours across town in the middle of the street, that you put your own name and address on, why am I a criminal for returning it to you or informing you where I found it, if I am not the one that took it and put it there?

    12. Re:"Researchers" by TWX · · Score: 1

      No, it's more like a business or storefront leaving the lights on and the doors unlocked without any staff present and without any sort of door chime or camera. While it's not right for patrons to start looking through the drawers or the paperwork or the receipts, let alone steal any merchandise, it should be expected that some people will do this and it's the obligation of the entity to take steps to prevent it.

      Those that do not understand at least the basics of security and do not take steps to learn the specifics or to hire-out for them have no business operating on the Internet. They deserve whatever civil legal repercussions are brought down upon them. It doesn't matter if they too are victims when they have a responsibility to protect themselves and their users from a world that is understood to be unkind.

      --
      Do not look into laser with remaining eye.
    13. Re:"Researchers" by arth1 · · Score: 1

      I don't know. How long will morons keep pretending that if we shun and punish those who disclose vulnerabilities, the vulnerabilities won't be exploited by malicious actors?

      What is the ratio between (a) criminals using 0-day exploits they've found out through own research or obtaining them from other criminals, and (b) criminals using N-day exploits they have been made aware of by public disclosure?

      As a sysadmin, I would have to say the (b) is by far what hammers the systems the most these days, and costs my company quite a lot of work and resources. I'm not saying that is work that shouldn't be done, but that the cumulative cost of disclosure for the sake of disclosure can be higher to society than the cumulative cost of 0-day attacks.

    14. Re:"Researchers" by NatasRevol · · Score: 1

      No, it's like moving your house to the middle of the road, taking the front door off the hinge & expecting no one to walk in.

      --
      There are two types of people in the world: Those who crave closure
    15. Re:"Researchers" by Anonymous Coward · · Score: 0

      Why would it be wrong? If I am walking down a street & see a front door wide open I am likely to assume 1 of 2 things:

      1) The owner is about to come out/go in again any second now
      2) There is a crime being committed already/some harm occurring & maybe I should help.

      In the former case, if I go check things out then at worst it's embarrassing but explainable because of item 2; if it's the latter then I'm helping someone or hoping to help someone.

      The point being is that it is EXTREMELY uncommon to see a door wide open and simple logical deduction can lead someone to want to 'research' why it's wide open. There is no malice intended & it's quite likely someone is just trying to help...oh look, that's generally the same reason 'security researchers' do their job. Of course things are generally harder for them than a wide open door (MongoDB exposed on the web) but when they see one they are trying to help.

    16. Re:"Researchers" by NatasRevol · · Score: 1

      If it's in the middle of the road (internet), those are the rules.

      --
      There are two types of people in the world: Those who crave closure
    17. Re:"Researchers" by NatasRevol · · Score: 1

      Clueless idiot threatens people anonymously online.

      No one runs away scared.

      --
      There are two types of people in the world: Those who crave closure
    18. Re:"Researchers" by NatasRevol · · Score: 1

      So web browsing isn't allowed?

      Or just maybe it's not the same principle as a house.

      --
      There are two types of people in the world: Those who crave closure
    19. Re:"Researchers" by Anonymous Coward · · Score: 0

      WTF? What 'breaking in' was being done in this case? The MongoDB was entirely exposed on the internet for anyone to see. This is equivalent to leaving your drapes open & having sex in the front room...if I notify you that MAYBE just MAYBE you want to close your drapes is that 'being a cunt'? Really? What exactly did I 'break in' to? You are the cunt/asshole for doing something that is generally considered socially unacceptable.

    20. Re:"Researchers" by Anonymous Coward · · Score: 0

      How many of those exploits are disclosed to the companies responsible before being publicly disclosed, only to have nothing at all done about them? How many of these companies try to sweep it under the rug without notifying anyone whose data they've potentially compromised?

      As a sysadmin, the fact that you're a sysadmin scares the living shit out of me.

    21. Re:"Researchers" by Anonymous Coward · · Score: 1

      And furthering this analogy, this reaction is like trying to crucify the one guy who goes through shit to find a number to call to let someone know "hey, your shit's unlocked."

    22. Re:"Researchers" by sycodon · · Score: 0

      If I hold an open house, with a sign that says come on in, fine. Otherwise, stay the fuck out.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    23. Re:"Researchers" by Wootery · · Score: 1

      it should be expected that some people will do this

      Not relevant to the questions of whether it's moral or legal.

    24. Re:"Researchers" by Anonymous Coward · · Score: 1

      What do you think listening for connection requests on port 80 means?

      • client: knock knock
      • server: Who is there?
      • client: The web browser, want this cookie back?
      • server: Whatever. Here are the documents I allow you to access and the actions you are permitted to perform.

      Serving stuff on an Internet-facing server without a password is EXACTLY like holding a sign that invites everyone to come in. Deal with it fucktard. The Internet is no "safe space" for over sensitive millennials.

    25. Re:"Researchers" by Anonymous Coward · · Score: 0

      The door mat that said "Welcome!".

    26. Re:"Researchers" by TWX · · Score: 1

      Immoral and illegal things happen all of the time. You are obligated to prevent them from happening to you. We have attempted to build a society that reduces the number of immoral and illegal things that happen and reduces the number of people victimized, but ultimately the individual is the final line of defense against becoming a victim.

      --
      Do not look into laser with remaining eye.
    27. Re:"Researchers" by Anonymous Coward · · Score: 0

      Irrelevant to whether you have "researchers" on your hands. You were demolishing a strawman.

    28. Re:"Researchers" by Anonymous Coward · · Score: 0

      Let's just grab your keys and maybe distribute copies (how would you know). Totally ethical.

      Besides, the door isn't "wide open", it's just not locked, locked with a blank key or a window is cracked open depending on what the circumstances may be. You aren't researching if someone needs help, you are "researching" if the door/window is locked.

    29. Re:"Researchers" by NatasRevol · · Score: 1

      Guess what open ports say?

      'Come on in'.

      --
      There are two types of people in the world: Those who crave closure
    30. Re:"Researchers" by NatasRevol · · Score: 1

      open ports = open doors

      On the internet = with an invitation to come in.

      Deal with it.

      --
      There are two types of people in the world: Those who crave closure
    31. Re:"Researchers" by Anonymous Coward · · Score: 0

      My door mat says 'Go Away'.

      Seriously.

  3. Normal by nospam007 · · Score: 2

    "...point to a CEO who was in way over his head,"

    Aren't they all, these days?

    1. Re:Normal by DarkOx · · Score: 1

      What, you mean it's not possible to completely abstract all management activities and decision making processes? Are you making the radical suggestion there isn't a completely generic way to run a business? Is your assertion that you have to understand at least the basic nuts and bolts of what a company does to run it effectively?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Normal by Buchenskjoll · · Score: 1

      "...point to a CEO who was in way over his head,"

      He'd better wear a condom then! (drum roll)

      --
      -- Make America hate again!
    3. Re:Normal by jellomizer · · Score: 3, Insightful

      Well with IT security nowadays it is very hard for a small focused business to survive in today's market.

      Back in the 1980's and 1990's we had a slew of applications created by non-developers due to easy to learn languages such as Basic/Visual Basic, FoxPro, DBase, Access, etc... Being that these applications ran on a local network via file shares, with a more or less trusted group of employees. Security was never a concern. So the small company can make a custom app with a very small investment and allow them to be agile to adjust their business processes.

      However now with hackers who will blindly attack any system that is vulnerable, or worse the hackers who think they have a mission to expose the bad people in the world. Means you need staff that are specialized in IT security. To keep their data safe, and be able to track and report on vulnerabilities.

      This is like forcing a Mom and Pop candy shop to have armed guards on the payroll just in case someone breaks in and steals the candy, and exposes all the candy customers in the store. As to shame them for being the cause of obesity in the world.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Normal by unencode200x · · Score: 2

      This is a huge point. The company and therefore the CEO are responsible for their customers' very sensitive information. Saying that they don't have a strong IT team is like a bank saying they don't have a safe. What the hell? Of all places you would think a website that knows you have a highly stigmatic disease would get this and spend appropriately even if it meant charging their clients more. I'm guessing those clients would have been happy to do so.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    5. Re:Normal by gstoddart · · Score: 2

      The company and therefore the CEO are responsible for their customers' very sensitive information.

      Show me the case law which says that.

      Time and time again companies are utterly inept at security, get hacked, and basically say "gee, we'd like to say we're sorry but we're not really, and since we're not liable we don't care".

      CEOs are, in my opinion, largely responsible for being greedy assholes doing PR and sales ... and they don't think they have any such responsibility as protecting your data. At the small company level, a CEO is a self appointed title by some schmuck who thinks he's got a winning business idea. My guess is this is more of the same.

      Make companies and CEOs actually responsible for such stuff, and something might happen. Right now corporations can be utterly incompetent, and they have no liability at all.

      If you're expecting some kind of 'moral' responsibility, good luck with that.

      So, some guy has an idea for a website, does a shitty job of building and securing it, and gets hacked. Do you really think the CEO is losing any sleep?

      --
      Lost at C:>. Found at C.
    6. Re:Normal by unencode200x · · Score: 1

      Fair enough. Someone made the point a few posts up that this isn't subject to HIPAA and while I'm no lawyer they're probably right. The longer I work in business the more I see morality thrown out the window for better or for worse. I feel bad for these people but it's true, buyer beware.

      The same is true with the CISA act this week. Put all your stuff in the cloud and were under the impression you were protected by warrants and all that? Too bad!

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    7. Re:Normal by dbIII · · Score: 1

      With dotnet that sort of shit is still happening, and just like back in the day it's not only security that suffers from newbie mistakes. It's not really the platform just people who cut and paste their way into getting stuff halfway working instead of knowing how to write things for the platform.
      I'm sick of stuff that takes 30 seconds to start due to a huge 24bit background pic and a slow needless text to speech thing saying hello. Can I skip that shit on the hobby inventory list program and actually start using it please?

    8. Re:Normal by gstoddart · · Score: 1

      Fair enough. Someone made the point a few posts up that this isn't subject to HIPAA and while I'm no lawyer they're probably right.

      Well, think about it ... HIPAA covers medical professionals and hospitals with an expectation of confidentiality.

      If you sign up for a private web site which ends up more or less saying you have HIV, then you chose to give that to a private entity. And then what happens to the data they have is entirely legally different. The same way that governments can demand from corporations what they're not allowed to collect from you. So, no warrant when a company can be forced to hand over data which is now considered "their" property.

      There are no protections in place against corporations, and they have no liability.

      The longer I work in business the more I see morality thrown out the window for better or for worse. I feel bad for these people but it's true, buyer beware.

      It's sad, but it's true.

      Honestly, I go straight to assuming all corporations are run by greedy, incompetent douchebags who don't give a crap about you ... and that all of them are probably vastly insecure and not to be trusted with your data. It's a cynical world view, but it saves a lot of time.

      The sheer number of security stories we see every year says it's better to assume companies are inept, and withhold your data, than it is to think "gee, these nice people seem trustworthy with my personal information". As long as people will hand over their private information to any old website, and as long as corporations have no legal liability, this will keep happening.

      If you don't give this shit out to these companies, they don't have it to betray your trust. You might miss out on a shiny bauble, but the company can't get hacked and release your information.

      But, nobody wants to listen to that kind of stuff. They want free things on the interwebs, and don't know or don't care about the consequences.

      Withhold your data, or give it away ... but don't be surprised that when you give it out it might be accessed by someone you didn't intend to, or used for things it wasn't supposed to.

      Because at the end of the day it's about greedy assholes maximizing profits, minimizing costs, and not giving a crap about you except for how it makes them money.

      --
      Lost at C:>. Found at C.
    9. Re:Normal by Anonymous Coward · · Score: 0

      The problem is not the "hackers who will blindly attack any system that is vulnerable" or the clueless "hacktivists".

      The candy shop doesn't have a lot of other people's private data in their shop. It's more like forcing the Mom and Pop candy shop to have a door with a lock and security cameras. The armed guards bit would be like forcing small businesses to do security audits and get security certification.

      To put it another way, you are full of shit.

    10. Re:Normal by jellomizer · · Score: 1

      The locks and security cameras are the equivalent on making sure you have a login and password to sensitive data. For the Mom and Pop shop this is usually enough, however for internet commerce it isn't. The internet is like placing your business in the middle of the worst neighborhood you can find. So you need the security guards (aka an IT Staff with strong security knowledge), who will be more proactive in keeping the site secure.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. No doubt their venture is not commercially viable by Anonymous Coward · · Score: 0

    The cost required to have the expertise to prevent a breach of the data plus remain HIPAA compliant is really huge. I doubt they can make enough scratch with this gimmick to have the funds to maintain that talent. They probably just have a few Brogrammers over there that try to configure their servers to some settings matching an outdated tutorial they found via Google. Hopefully this will get them to realize if they continue to operate they will doom a lot of people to having their status revealed to the world, and probably create a huge fine for everyone involved.

  5. That's the least of their problems by Anonymous Coward · · Score: 0

    Their app is so bad, you can't even sign up for an account. There's a glitch in the app for my phone which prevents me from completing the registration process.

    It's clear that the people at Hzone don't know what they're doing. They better learn quick or give it up.

  6. His name isn't Justin Robert, it's Mao JianQiang by TechFurryFox · · Score: 5, Interesting

    I performed a reverse on the domains when the original controversy set out. This guy isn't HIV positive, he's just a guy in China trying to make a buck off others. He also has an app called SugarD and there are many other domains he has registered in an attempt to have a successful business. The company is pretty much run by him and whatever support he may have hired, which is the reason hzoneapp doesn't have a solid technical team. Check out the self published prweb for hzone, he calls himself "Justin M, CEO." Looks like you made a slip up there with keeping your name consistent Mr. JianQiang.

  7. MongoDB by Anonymous Coward · · Score: 0

    Is not HIV scale.

  8. Irony exposes hackers to organic virus by Bob_Who · · Score: 1

    One way or another, hacker's exploits and malware share attack vectors.

    Perhaps they're infectious...

  9. Re:His name isn't Justin Robert, it's Mao JianQian by TechFurryFox · · Score: 4, Informative

    Just to give everyone the FYI, Mr. JianQiang also has the following domains:

    • tophivdatingsites
    • lesbiandatingonline
    • singleparentdatingonline
    • singleparentfish
    • pozty - alias to hzoneapp
    • ubaliaoyn - some Chinese site
    • xoiiixaab - some Chinese site

    He stopped the other site projects when he scored with hzone. He's not a single parent, he's not lesbian (well he may like women) and he's certainly not POZ. He's just a Chinese man screwing everyone over with this charade. So Mr. JianQiang, drop the act.

  10. Doubt there would be fines by Aaden42 · · Score: 1

    There's no reason they'd be subject to HIPAA nor be fined under it. They're not medical providers. Users of their system willingly disclosed their status to a third party, non-medical provider with the explicit purpose of being placed in contact with other people who had also disclosed their status and the understanding that their status would be disclosed to those other people in the process.

    Whether there are any fines related to general personal information breach, I don't know; but I kind of doubt it. Describing those laws as "a bit loose" would be charitable.

  11. Gotta be careful by Anonymous Coward · · Score: 0

    Have to post anon on this one..... I work for an IT company. A potential client who does HIV/AIDS and maintains an HIV database for everyone in our state asked us to quote them some services. The first clue should have been that they didn't ask us to sign an NDA.... After an analysis we realized how messed up their stuff was. They had a shitty FileMaker Pro database that one of them had made where they had everyone's names, social security numbers, and a bunch of medical history. Patients weren't referred to as a number for research, they were linked directly to their history. Worst of all, and get ready for this one...., they shared this database on multiple USB sticks and carried it everywhere on their Macs. There were at least 15 copies of it on the handful of Macs we looked at (they were all iPad/Mac).

    We figured we would try to help them get HIPAA compliant and all and put together a set of recommendations and security policies that they would have to meet to work with us. Obviously we couldn't put our name on something like that until it was up-to-par.

    I'm not even joking, they laughed us out of there and hired the guy's nephew. Ridiculous. At least my company's name won't be on the news when someone finds out that the governor (or whoever) is HIV positive.

    1. Re:Gotta be careful by unencode200x · · Score: 1

      Isn't that a crime? If so is one bound to report it? I mean, if you know there's going to be a serious breach, especially if the governor is on the list, holy crap man.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    2. Re:Gotta be careful by cjjjer · · Score: 1

      No it is not a crime not to report violations, not yet anyway. However the fact that the OP failed to report the violations is also part of the problem.

    3. Re:Gotta be careful by unencode200x · · Score: 1

      Assuming OP is in the US who would OP report it to? Perhaps it's not too late.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    4. Re:Gotta be careful by Anonymous Coward · · Score: 0

      You will stay AC until slashdot gets its db dumped and somebody wants to match AC IP to registered members IP... Not an exact science but it will certainly give interesting results.

    5. Re:Gotta be careful by Anonymous Coward · · Score: 0

      Good luck, I'm behind seven Boxxys!

  12. MongoDB by unencode200x · · Score: 1

    http://www.databreaches.net/mi...

    I hadn't realized it the first time around but this was also a MongoDB database. Not that it really matters, the CEO makes them all sound incompetent.

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
  13. Ashley Madison by Anonymous Coward · · Score: 0

    Step 1: Get Hzone dump, find an interesting table and join it with Ashley Madison am_am_members table
    Step 2: ?
    Step 3: Profit !

  14. Re:His name isn't Justin Robert, it's Mao JianQian by Anonymous Coward · · Score: 0

    What pun?

  15. looming for cerebrity profires by Anonymous Coward · · Score: 0

    Imagine if this hiv dating service liquidated a cdc or dohhs database... we would and should see tokens as...

    Steve Jobs: i bet you are wondering about iDateme?
    BuffaloBillyg: iDateme. iDateme [H]ard.

  16. mongo is webscale by Anonymous Coward · · Score: 0

    an HIV+ dating site? How is that different than a gay man dating site? Or a San Francisco bath house?

    1. Re:mongo is webscale by Anonymous Coward · · Score: 0

      Yes, an HIV+ dating site is essentially a dating site for gay men. It's not something that gets talked about much in our PC world, but HIV/AIDS is in fact a gay disease. Sure, straight people can and do contract it, but those cases are literally a tiny fraction of a percent of the total (google it bitches, its true)

      Not that it matters

    2. Re:mongo is webscale by andymadigan · · Score: 1

      Worldwide, more straight people have HIV than gay people, by a huge margin. You probably mean the U.S. though, in which case:

      "MSM accounted for 54% of all people living with HIV infection in 2011, the most recent year these data are available."

      So, straight people would appear to be 46%, hardly a "tiny fraction of a percent".

      http://www.cdc.gov/hiv/statistics/overview/ataglance.html

      --
      The right to protest the State is more sacred than the State.
  17. I'm normally not by Anonymous Coward · · Score: 0

    ...one for blaming the victim, but if you're going to be playing around with personal and sensitive data of the type required to run a dating website, then you just CAN'T be hiring incompetent people to maintain your infrastructure.

    One trait of incompetent DBAs is they don't know how to configure databases in a secure way. Another is they don't do stuff like reach out and ask others to check their work.

    One trait of incompetent managers/CEOs is they tend to hire incompetent people for positions like DBA and sysadmin.

    INCOMPETENCE ABOUNDS

  18. Systematic attack by DrYak · · Score: 1

    This is like forcing a Mom and Pop candy shop to have armed guards on the payroll just in case someone breaks in and steals the candy, and exposes all the candy customers in the store. As to shame them for being the cause of obesity in the world.

    Except the whole thing happens in a world with Star-Trek like teleporters and replicators. So the cases of "someone breaks in" are happening on a massive scale.

    It's not merely one guy deciding to go berserk, and then needs to walk to the (only) nearest Mom and Pop candy shop.
    It's a guy deciding to go berserk, and then instantly teleporting in front of all the Mom and Pop shops of his country and breaking into all of them. Every single one. All in the same hour.
    That's the power of Internet.

    And amidst all this he also happens to break the window to the bedroom of little Shirley, because she happens to be eating the same candy as the one in all the Mom and Pop shops.

    Also, the guy doesn't beam himself in front of all these windows. He beams some random Chinese guys to break the windows for him.
    In fact it's not the Chinese guys who get beamed. It's their roombas/neatos/whatever robot they have at home. The Chinese guys owning the robots don't even notice their little escapade and meanwhile the berserk guy has a standing army of robots systematically breaking into all the Mom and Pop shops of the country.

    And even if the robots are all Chinese, the berserker doesn't really need to speak Chinese, he only needs to point his finger in the correct direction; others have developed "finger-to-Chinese" dictionaries for him.

    That's the power of large scale automatic script-kiddie attacks on the Internet.

    Also the government has modified the building code and has mandated that every single shop or house has an extra separate door that can't be locked. (Just in case that the police need to be able to quickly come inside). But they have painted the door the same colour as the wall so they hope that nobody will notice.

    In other words: the current state of world-wide computer security is abysmal, and our brains accustomed to the physical world (where everything necessitates slow travelling around) are poorly equipped to grasp the menace caused by the systematic and quick access offered by modern means of communication.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Systematic attack by KGIII · · Score: 2

      I think this thread might actually be the worst analogy thread ever. The sad truth of this is, the "researcher" didn't even *do* the "research" but found their database on a torrent site and informed them because he feared it might belong to them.

      So it's like you're trying to make an analogy about a guy who isn't actually the guy who did it and cars, doors, shop keepers, candy stores, and condoms!

      Worst Analogy Thread Ever!

      --
      "So long and thanks for all the fish."
  19. Re:His name isn't Justin Robert, it's Mao JianQian by Anonymous Coward · · Score: 0

    Not sure what the problem is. Why does the guy have to be HIV-positive to run a site for HIV-positive people? Or is it wrong to be Chinese? A bunch of previous failed enterprises is completely normal too. WTF?