Database Error Exposes Sensitive Information On 1,700 Kids (csoonline.com)
itwbennett writes: Researcher Chris Vickery discovered that the Arlington, Virginia-based child monitoring service uKnowKids.com had a misconfigured MongoDB installation that left sensitive details on over 1,700 children exposed for months. UKnowKids helps parents monitor their child's activities online, by watching their mobile communications, social media activities, and their location. And so the database stored 6.8 million private text messages, 1.8 million images (many depicting children), Facebook, Twitter, and Instagram account details, in addition to the children's full names, email addresses, GPS coordinates, and dates of birth.
Would it really hurt so bad if private information was you know, kept on a private network? It's not like everything in the world needs to be internet-facing.
And how else do you propose to monitor things on the internet if it's not internet-facing? Please do tell.
Well. $SUBJECT says it all, really.
Hiring an external service to monitor your kids. This is so revolting that I'll keep my reaction to myself :-(
No Bennett Haselton articles, please. Not sure if that's who this is or not, but better just nix all Bennetts and Haseltons - it's the only way to be sure.
Summary:
Stupidity of helicopter parents backfires.
There are fewer illiterates than people who can't read.
W0t, no SIN numbers in the DB?
Anyone dumb enough to put information about their kids into a database on the internet deserves everything they get.
About whom shall we think?
mostly kids... they could use some press?
Well, clearly the only way you can gather this much information is to install a monitor daemon on all their client appliances.
Rather than having it talk to a single central server as it did in this case, why not run that server on a PC in the household and have it sync to that when it's on domestic wifi?
Oh, right : because it wouldn't enable the corporation to collect a huge corpus of highly monetizable data about children for later analysis.
The central problem is that average Joe does not have their own servers. There is a whole economy revolving around ensuring that you need to update things to a server that you do not own. The whole concept of IoT will be a disaster because people have no servers. If there was some easy way to get a private locally hosted server that would somehow be able to take over apps for these kinds of tasks you'd suddenly see the ecosystem exploding.
For this to happen everybody would need to be able to have a local-only accessible server infrastructure sold to them as an idea.
mostly kids... they could use some press?
There's nothing wrong with putting a topic in perspective. Parent should not have been modded offtopic.
What possible benefit is there to having data about your kid online, vs. the risks?
These kids were already in danger, from lazy dumbass parents.
It's been those idiotic DBAs and system administrators. It's too easy to blame software and hardware. There's always a person behind these cases!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
At what point do we admit to ourselves that sensitive data should not be stored in computers at all?
Cool story bro, and nice SEO you got going on there. I can't stand people who post links to their own sites in this fashion. You could do it once or twice without causing a fuss, but acting like an organic RSS feed? No thanks.
-SR
what idiot would put their kid's info here?
nothing to see here - move along
F***?! There should never be any article where you read about GPS coordinates for kids published/stored/gathered anywhere for ANY reason (exception: SAR).
I'm never using any bullshit like this for my kids.
Well, this is the result that you get after years of advertising whatever db engines to be easy to set up and configure - idiots will actually believe it after a while and will think they know what they are doing, start putting db-professional into their CVs, some other idiot hires them, and so on and so forth.
:P
And, well, I'm sorry, but I just can't submit without the compulsory "Won't somebody please think of the children!"
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Seems they misconfigured their Mongo DB, MongoDB server's firewall, inter-vlan firewall, and edge firewall. When the entire system is misconfigured, you use the word "inept".
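The comment above names the failure mode: a MongoDB server that anyone on the internet can reach and query. The following is an added example, not code from the page or from uKnowKids, showing a small audit of a mongod.conf that flags that pattern and passes on a corrected file. The option names `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod settings; the two sample configurations, the addresses in them, the finding codes and the parser (a deliberately minimal reader for the flat YAML subset mongod.conf uses, not a full YAML implementation) are constructed for this illustration.

```python
"""Added example: audit a mongod.conf for the exposure pattern discussed in the
thread, a MongoDB instance listening on every interface with no authentication.
The sample configurations below are constructed, not taken from any real host."""

# Constructed sample: the weak configuration (all interfaces, no security section).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from any network that can route to the host
"""

# Constructed sample: the corrected configuration (loopback plus one internal
# address, authentication enforced).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

# Addresses that mean "listen everywhere".
ALL_INTERFACE_ADDRS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Parse the flat 'section:' / '  key: value' subset of YAML that mongod.conf
    uses. Minimal on purpose (no nested lists, no anchors) so it runs without a
    YAML library. Returns {section: {key: value}} with comments stripped."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():               # top-level section header
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key without a section: %r" % raw)
        key, _, value = line.strip().partition(":")
        conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit(conf):
    """Return a list of (code, message) findings; empty means no issue found."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    listed = {a.strip() for a in bind_ip.split(",")} if bind_ip else set()
    if bind_all or (listed & ALL_INTERFACE_ADDRS):
        findings.append(("NET-ALL-INTERFACES",
                         "mongod listens on every interface; restrict bindIp to "
                         "loopback or internal addresses"))
    elif bind_ip is None:
        # The listening address then depends on the build's default, so make it explicit.
        findings.append(("NET-BINDIP-UNSET",
                         "bindIp not set; set it explicitly rather than relying on a default"))

    if security.get("authorization", "").lower() != "enabled":
        findings.append(("NO-AUTH",
                         "security.authorization is not 'enabled'; any client that "
                         "can reach the port can read the data"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a configuration given as a string."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_text(text)
        print("%s config: %s" % (name, "OK" if not result else ""))
        for code, msg in result:
            print("  [%s] %s" % (code, msg))
```

Running the script reports two findings for the weak file (exposed listener and no authentication) and none for the hardened one. The check is only one layer; as the comment says, the host firewall and the network edge should independently refuse traffic to the port, so that one slip in mongod.conf is not enough to expose the data.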
time to shut off the internets!
In addition to the privacy issues, I'm surprised no one has blasted them yet for using MongoDB in the first place!
This post is so heavily accurate, so well written. Basically it is what it is; and it sucks; but it's the reality we should face when considering such "Internet Facing things", for at the very least, our Family Members?
I understand monitoring children for safety, but there's a line that should be drawn between Overprotective and Obviously Stupid (To hand such Goldmine Info away and pay for the right to do so.)
I feel very anxious, full of anxiety for our Digital, Internet-esque world going forward. Too many monkeys are already in the barrel of the internets, Something's bound to burst with the amount of this kind of stupidity going on; be safe...
Don't rely on anything internet-facing; keeping local copies of everything is a best practice. Especially those niche-survival Forum Posts/website guides that you only wish you had when the time comes, when their server has been blown up, washed away or is no longer on the grid... You'll wish you had saved that website, or at least printed it to a PDF for your backup vault(s).
Am I rite?
-DrCide
Hell, I guess in today's Bizarro world, my folks would have been arrested for being neglectful parents, and I'd be in safe, loving foster care....
I'm sad that kids can't grow to be kids like we did back in the day....actually having the freedom to fail and fuck up, and learn valuable life lessons from said mistakes.
It also helped there wasn't a camera everywhere too, for obvious reasons.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
How does something like this slip through testing?
Ever hear of private servers and VPNs?
Oh wait, I forgot that due to the hipster marketing armageddon it is impossible to conceive of any technology application that does not get routed through 8 different countries and mandate communism for any software developer that interacts with related services.
Testing ? Hah.
There are so many organizations who get junior/intermediate developers who are told to build it fast, without a plan and without consideration of what they are storing. There are probably hundreds of companies who set up a system, make it big, and never do audits of their code, data or protection. Anyone storing sensitive data should be doing a periodic audit so the people "upstairs" know what is stored and how it is stored. It's not enough for it to "just work". It's not just the medical and psychology industries that keep sensitive data. US laws regarding the protection of such data are often vague, vary from state to state and are rather weak. We should probably be solidifying those laws a bit, and standardizing on a federal level. Then again, since the Federal government seems fixated on compromising data security (see recent "request" by the FBI to Apple), they may not in fact be that concerned and some of them have actually spoken AGAINST encryption. They could hash things like names and date of birth of course, but then they couldn't do as much in market analysis. Parents should be more careful about who they trust with their data in my opinion. They can do monitoring themselves through various means or have a neighbourhood server employed rather than some big (and careless) corporation whose sole purpose is to make money and sell their data to marketing companies. That goes double for people like this who collect gigs of data on children and don't even audit the data they keep. I'd go as far as to recommend a government audit/lawsuit in a case this big. This was so easily prevented.
"Imagination is more important than knowledge" - Einstein
I think that all of these services are, in some capacity, run by pedophiles, and the clueless parents are simply facilitators. This wouldn't be anything out of the ordinary, in fact: parents often, unwittingly, facilitate abuse of their children by family members or "friends". If you really need to use a service like that, your family relationships are already broken and you should be seeking counseling, not monitoring.
A successful API design takes a mixture of software design and pedagogy.
Somebody found it. That's testing, isn't it?
(see also: ketchup).
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
There are these things called one-way gateways. You can only steal data from such a system if you catch it in-flight, via a MITM attack. Once the data enters such a system, it is not accessible from outside. At the most basic level, syslog over UDP is such a system: you can only send messages to it, but there's no way to access any of the data. You can use a hardware fixed-function firewall to guarantee the unidirectionality of the barrier. This is not hard to do; an FPGA dev board with two gigabit ethernet ports and a couple of afternoons is all you need to implement it, if you know what you're doing. As long as the internal side of the gateway has no connection to the internet, you're golden.
A successful API design takes a mixture of software design and pedagogy.
If the bottom line is "risk it with us or risk it on your own," someone should be making at-home host-your-own solutions about as complicated as a blender. Too bad the capital is still going toward Facebook aping meta marketing.
They are pikers - I worked for an educational service company in 2006 - we had every server in our co-lo hacked - millions of school kids all across the US had data stolen - we sat there and watched 1433 connections to eastern europe & asia that would come back seconds after we killed them.
Management realized that disclosure could be fatal to the company and as we had no in-state customers at the time and no federal disclosure law exists... we did nothing.
If the FBI just had a backdoor in there then this would never have happened...
as are the leaks
Table-ized A.I.
Hmm... I've seen you post before and I'm starting to have my doubts. You're not really a barn owl, are you?
"So long and thanks for all the fish."
We live in a different era. Kids must learn to grow up in the world of the Surveillance Age. Having the "freedom" to do anything on your own is no longer an option. In fact, I think you would be well advised not to dwell on the thought anymore. It may be dangerous to you and those you care about. One careless word and the consequences may be terrible.
This sounds like a job for Little Bobby Tables. Unprotected database? He can take care of it.
But, but, but...Mongo DB is web scale!
Many schools have adopted a Facebook like platform that is provided freely or very cheap.
All their grades are on there, and they are required to like others' homework, and have social discussion. They post their work online, and it keeps a diary of their schedule and activities including after school.
All that harvested data while conditioning kids on how to give up information to social media.
To add insult to injury I have seen some schools require every student to get a linkedin account.
It's a throwback to my earlier days online... I was playing a flight game where you could set your callsign at the time. I like barn owls, so that's what I set as a callsign.
Then I started going online. That name was taken most places, but I was at med school - hence the prefix.
I'm really a doctor! (In the sense that I have a medical degree - I no longer practice).
Heh! The goal was to make you chuckle and maybe go, "What the hell?" I was bored and you were there. Oddly, my handle comes from a game as well - but it's a table top RPG. I am also a Doctor but no... I'm not a medical doctor. It's always been a problem because I've been introduced as Dr. D. and had many, many people ask me about medical issues. Even after I point out that I'm not a medical doctor, they'll say, "Yeah, but you must be smart." No, I'm not even really all that smart and I have no idea if that mole is benign. I've often wondered if medical doctors get asked questions about applied mathematics.
"So long and thanks for all the fish."
This constant monitoring and invasion of privacy is quite disturbing. Any parent who's monitoring their kid like this is doing a terrible job. I get that parenting is hard, but you don't generally need to monitor your average kid like this. I don't care if your kid is 5 or 15. It sets a really bad precedent *at any stage*. Having had an overly "protective" mother and secrets to keep I damn well didn't trust her and wouldn't to this day. It's not that she doesn't have my interest at heart necessarily, but parents don't always know best, and there are some things kids should keep from their parents. There are things in life that revealing will only end badly. I certainly would hope that my kid would be smart enough *not* to tell me about certain things. If homosexuality were a crime and I was a conservative type in the south in the 1950s - well I think you get where I am going with this. The smart ones aren't going to tell you such things. They know it'll end badly. There is a good reason a lot of adults don't end up in jail or don't end up in jail until their later years. They kept their mouth shut to those they'd even generally trust. They were actually making smart choices. A parent might think they're doing good by sticking the police/psychologist/whatever on their kid, but it will often lead places like prison or worse. You want help for your child's drug problem? You called the police? They arrest your child? Well, you only have yourself to blame. There are some things in life you should STFU about and a smart young person won't tell their parents. Particularly the over-"protective" types.