Slashdot Mirror

← Back to Stories (view on slashdot.org)

MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com)

Posted by msmash on from the you-just-got-famous dept.

An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.

69 comments

  1. I'm sure the MongoDB devs must be proud by Anonymous Coward · · Score: 4, Insightful

    Look at all this fail they've enabled with their shitty defaults.

    Even mysql demands that I configure a root password when I install it.

    1. Re: I'm sure the MongoDB devs must be proud by Anonymous Coward · · Score: 0

      It comes in handy, I've taken out credit cards in all their names!

  2. Turkey... by SumDog · · Score: 1

    It's happened with Turkey and now Mexico (although with Turkey that was more malicious).

    We haven't had this sense of digital identity that we have today. In the US, our tax numbers are secrete (SSN numbers) but in many other countries, tax ID numbers are considered public or non-identifying (Australian's TFNs and NZ's IRD # come to mind).

    Go back 100 years and you didn't have passports or work visas. If you could speak the language in your destination, you could go and attempt to work and survive (and if you failed there was a good chance you'd end up a slave; either by selling yourself or being sold).

    Today you are attached to a digital identity. It is you, and a you that you cannot escape. Your crimes will always follow you. You cannot live or work anywhere without that digital identity of you being allowed to.

    This just needs to happen in the US. The release of everyone's names, addresses, SSNs and SSN questions/histories would be almost a Fight Club like reset.

    1. Re:Turkey... by Anonymous Coward · · Score: 0

      It actually happened with the US and Philippines as well. http://www.databreaches.net/19... http://news.softpedia.com/news...

    2. Re:Turkey... by Cimexus · · Score: 2

      That not how I would characterise the difference between Australian TFNs and US SSNs (I have both).

      In Australia, the TFN is a very sensitive piece of information and the only people who would ever ask for it are those you would expect to ask for a tax number: the tax department, your employer, and your bank/financial institutions. There are strict guidelines governing its use and it is explicitly defined as identifying information: https://www.oaic.gov.au/indivi...

      On the other hand, the US SSN is used for freaking everything. I had to prove my SSN to sign up for cable TV! I'd say the Australian TFN is far more 'secret' than the US SSN...

    3. Re:Turkey... by Anonymous Coward · · Score: 0

      This just needs to happen in the US. The release of everyone's names, addresses, SSNs and SSN questions/histories would be almost a Fight Club like reset.

      And instead of buildings being 9/11'd, we will get a new and improved identifier, courtesy of the NWO.

    4. Re:Turkey... by Anonymous Coward · · Score: 0

      Yes. You are right. Once computers were thought as ways to free mankind from drudgery. Today they are used to enslave the masses in a digital prison. Your identity is a number on a computer

  3. So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

    unit file is more secure! MongoDB won't even start, much less expose data!

    1. Re:So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0


      $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
      $ echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
      $ apt install mongodb-org
      $ ls -l /lib/systemd/system/mongod.service
      ls: cannot access '/lib/systemd/system/mongod.service': No such file or directory
      $ ls -l /lib/systemd/system/mongo*
      ls: cannot access '/lib/systemd/system/mongo*': No such file or directory

      Seriously?

    2. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 1

      systemd is simply a disaster.

    3. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      It's also broken on Red Hat. When both Debian and Red Hat can't get systemd to work, at what point do you just give-up on it?

    4. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      By moving to systemd, Debian is trashing their hated-earned reputation of stability built over two decades.

    5. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      Security through nonfunctionality? Sounds like Microsoft security.

    6. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      Oh please. It's not that bad. Most systemd features work on Debian/Ubuntu.

    7. Re: So the new Ubuntu with its missing systemd... by Hognoxious · · Score: 0, Troll

      When that nazi cunt Poettering stops taking bribes from the CIA, or just admits that he's a kiddy-diddler and takes the hit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    8. Re: So the new Ubuntu with its missing systemd... by JustAnotherOldGuy · · Score: 0

      When that nazi cunt Poettering stops taking bribes from the CIA, or just admits that he's a kiddy-diddler and takes the hit.

      It almost makes kiddy-diddling look like the least offensive thing he's done.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    9. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      Debian switching to systemd has been the best thing to happen to FreeBSD in ages. Many of the best and brightest Debian users have sought refuge with FreeBSD now that systemd had rendered Debian unusable for them.

    10. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

      Please explain why the MongoDB binary built for trusty (Ubuntu 14.04LTS) which you choose to use in your example should contain a systemd unit file when systemd wasn't introduced until wily (Ubuntu 15.10)?

    11. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 2

      Why do you anti systemd trolls keep lying when it's so easy to prove you wrong? All one have to do is look at the File List of the mongodb-server package in Ubuntu 16.04LTS: http://packages.ubuntu.com/xen... and what do we find there:

      /lib/systemd/system/mongodb.service

      Well I be damned, a systemd unit file, which you now have claimed in several articles does not exist even though it does. Interesting isn't it?

    12. Re: So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

      Remind me again how this is Red Hats fault when Red Hat does not provide any MongoDB packages at all? If you want to run MongoDB on Red Hat you have to download a rpm from MongoDB:s third party repository so any unit or script included there is all done by MongoDB and not Red Hat.

    13. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      That's for 2.6. MongoDB 3.x has been out for quite a while and doesn't include a unit file. Look a few posts above, and you'll see repro steps.

    14. Re:So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      Check-out these reproduction steps:

      https://tech.slashdot.org/comments.pl?sid=9016253&cid=51965719

      I ran them, and the AC is correct that the unit file is missing.

    15. Re:So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 0

      I understand Mongo will be integrated into the upcoming release of systemd.

    16. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

      And those steps download the MongoDB binary built for precise which is even older (Ubuntu 12.04LTS). It's like you are not even trying here.

    17. Re: So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

      This has nothing to do with the version of Mongo but with the version of Ubuntu it was built for. Every post that have tried to "reproduce" this step have downloaded Mongo for either 12.04LTS och 14.04LTS, both which is non systemd Ubuntu releases so of course you will not find a systemd unit file in either of them. MongoDB where however included in the official Ubuntu repository as of 16.04LTS and lo and behold it does include a systemd unit file. So you have all been played to anti systemd trolls that know exactly why the unit file is missing from the packages that the point to but still use it as an argument even though the know that it's false. It's like trying to prove that there are no penguins in the North Pole by showing that there are no Penguins in some African country, it's disingenuous.

  4. Phillipines too-55M records by schwit1 · · Score: 1

    Less than a month ago http://www.theregister.co.uk/2...

  5. Hey, Look! by Rich_Lather · · Score: 1

    Florida's voter rolls were uhhhh Hacked! http://flvoters.com/by_name/in...

  6. Awesome by Anonymous Coward · · Score: 0

    I have been trying to get a job as a brick layer for the last 2 years. However, because my name is not Hernandez, I am summarily disqualified. Now my name can be Hernandez. Finally I will be able to get a job in the country of my birth.

    Illegal immigration: "It worked for the Native Americans. It worked for the Romans. It can work for the USA too".
    -Senator Bernie Sanders.

    I expect this to be fixed promptly because the Mexican government, unlike the USAian govt. cares about it's citizens.

    1. Re:Awesome by __aaclcg7560 · · Score: 1

      I have been trying to get a job as a brick layer for the last 2 years. However, because my name is not Hernandez, I am summarily disqualified.

      That's funny. When I applied for unemployment benefits a few years ago, I discovered that "C RAMOS" was using my Social Security number. With my Social Security number, he got himself a job. Maybe your problem isn't your last name but your Social Security number (or lack thereof). Employers won't hire anyone off the street without a Social Security number.

    2. Re:Awesome by sumdumass · · Score: 1

      I think your problem goes deeper than your name. I would suggest looking into the use of USAian for starters. It probably branches out near there.

      Remember, the interview is there to either select or weed out the idiots.

    3. Re:Awesome by Anonymous Coward · · Score: 1

      What is wrong with USAian? To claim that your are an American when you are really from the USA seems a little non-specific, especially when taken in the context of nationalism (which is what this is about). One might as well just say He is from the Western Hemisphere, or the planet Earth. America is not the USA. The USA is not America. America is two fucking continents and 37 fucking countries.

    4. Re:Awesome by sumdumass · · Score: 0

      Lol.. you can go around calling a screwdriver a confabulator if it makes more sense to you but the acceptable and proper name is still a screwdriver. All it does is make you appear like a moron who thinks they are smarter than they actually are. Not exactly top job candidate material.

      Lets ignore your complete misunderstandings like there is no continent called America. They both have north or south within their official names and even geographically descripters use them or central in addition so that doesn't fit either. The fact is that there are well established names - words with actual meaning - that have been defined long before you have even been alive. When we communicate with people and make up terms in their stead, you again appear to be a moron who thinks they are smarter than they actually are. I certainly wouldn't hire anyone making up terms because it looks like they are incompetent and trying to bullshit their skills not to mention the possibility of costly screwups when they cannot be assed to use the correct terminology and acceptable names of tools, functions, processes and so on.

      If you are unemployed and wondering why while blaming others, you should look inwards to yourself when using made up terms and gibberish just because you can rationalize it.

  7. Obligatory by galabar · · Score: 2

    https://www.youtube.com/watch?...

    1. Re:Obligatory by Anonymous Coward · · Score: 1

      Mongo only pawn in game of life...

  8. Re:132GB?? by fsagx · · Score: 1

    Webscale!

  9. Stop treating Mongo as a real DB by Viol8 · · Score: 4, Insightful

    ... and start treating it as a key-value file system and it all makes sense. Sadly the mongo devs want us to think its a competitor to mySQL or even Oracle. Yeah, right.

    Amateur hour DB + amateur hour admins = trouble ahead.

    1. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 2, Insightful

      Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

    2. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 0

      Don't be a gimp. All other DBs require a login password from the start. And apart from the non existent default security, Mongo has serious limitatios as a DB anyway which 30 seconds with google will find for you.

    3. Re:Stop treating Mongo as a real DB by JustAnotherOldGuy · · Score: 1

      Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

      NO, you can't. mySQL requires, yes, requires you to assign a root password upon install.

      Face it, the MongoDB defaults are shit. Just admit it and stop blaming the poor fuckers who have to use it. Yes, they should have assigned a password, but the fact of the matter is that MongoDB should have made it impossible not to.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:Stop treating Mongo as a real DB by CastrTroy · · Score: 1

      Not only does it require that you assign a root password, it also requires you to change the config to listen on an ip address other than localhost. You also have to create a new user, as the default root user can only connect from local host.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 0

      LOL but MySQL has not always had these defaults. Lets go back and talk about MySQL version 3.x shall we.

      Oh and what about that password has collision issue due to memset/memcpy or some such.

    6. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 0

      Add hiring Mexicans to the mix, and it's a perfect storm, a perfect shitstorm.

    7. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 0

      Well if we're going to talk about bugs (and I'm a Postgres guy not particularly a fan of MySQL).
      MongoDB had a arbitrary limit on object size of a few megabytes and sometimes it would simply fail to report that you've exceeded a size limit that would be ridiculous in 1995. And don't get me started about what MongoDB defines as integrity.

  10. Beginning to be a common headline by bano · · Score: 1

    "MongoDB Config Error Exposed..." is the new "Florida Man..."

    1. Re:Beginning to be a common headline by Anonymous Coward · · Score: 0

      Florida Man

      Worst superhero ever.

  11. Re: So the new Ubuntu with its missing systemd.. by Anonymous Coward · · Score: 1

    It's sad to see that "most" things working is now acceptable for Linux. I miss the old days when the quality bar was set much higher.

  12. Re: So the new Ubuntu with its missing systemd. by Anonymous Coward · · Score: 0

    When you have a group of kids, led by Poettering, working on something as critical as init, you're just going to have problems. They just don't have the experience necessary to understand how important it is to not have bugs and to not, as Linus has ranted about several times, ignore bug reports.

  13. Re: So the new Ubuntu with its missing systemd by Anonymous Coward · · Score: 0

    Why would you expect someone that cares about the desktop to care about server or developer problems?

  14. Mongo... by Anonymous Coward · · Score: 0

    only pawn, in game of life.

  15. Mexican voter data is very popular by Anonymous Coward · · Score: 0

    This happened in 2003:

    U.S. government purchase data on Mexico’s 65 million registered Voters

    A probe has been launched into how the Atlanta-based corporation ChoicePoint Inc. was able to purchase data on Mexico’s 65 million registered voters as well as six million licensed drivers in Mexico City.
    According to an investigation carried out by the Mexico City newspaper Milenio, ChoicePoint was commissioned by the U.S. government to obtain the data.

    ...

    According to Milenio, low-ranking Mexican government employees routinely sell electronic information to data-gathering groups in a clandestine manner and pocket the proceeds.
    ChoicePoint also offers information on 90 percent of large corporations operating in Mexico, disclosing data on names of leading executives, phone numbers, electronic systems and levels of capitalization.

    Whatever happened to Choicepoint? Are they still in business?

  16. Re:132GB?? by omnichad · · Score: 3, Insightful

    For ~ 83 million registered voters, that's 1.57KB per voter. It's a lot, but it's not obscene. You can see a sample redacted db record on the article. They have voter ID laws, so they have a bit more info, including maternal/paternal parents.

    You can't even store 1 byte per voter on less than 50 floppy disks.

  17. Wow, 132Gb by JustAnotherOldGuy · · Score: 1

    Oh my, 132Gb of tasty, tasty user data. It's like an all-you-can-eat hacker buffet.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Wow, 132Gb by St.Creed · · Score: 1

      That's true. But fortunately, the citizens live in a nice quiet country where there is no risk at all from having all your data publicized. Especially when you're working undercover, or get caught in the crossfire, there is no risk at all from having your adress and that of relatives exposed on the internet.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  18. Now's the chance. by idbeholda · · Score: 1

    We'll finally be able to steal our jobs back from Mexico.

  19. Re: So the new Ubuntu with its missing systemd. by Anonymous Coward · · Score: 0

    Their focus is desktops so the quality isn't a high bar, as you noticed. I miss the old days when every thing was expected to work every time.

  20. Mexicans voted for the government they have? by Anonymous Coward · · Score: 0

    I wonder if El Chapo is worried about his personal data being stolen from the last election....

  21. Re: So the new Ubuntu with its missing systemd. by Anonymous Coward · · Score: 0

    As if those children care.

  22. Re: I'm sure the MongoDB devs must be proud by sumdumass · · Score: 1

    You should have used a US address on those credit card applications. The Mexican government would probably take notice of their registered voters living in the USA and build Trump's wall after all- whether he is elected or not.

  23. Now we can build Trump's wall by Anonymous Coward · · Score: 0

    Trump hackers can now vote in Mexican elections using stolen info. Those shadow Mexicans can now vote for their government paying for that wall that Trump wants to build. His plan now seems possible.

  24. Re: So the new Ubuntu with its missing systemd. by Anonymous Coward · · Score: 0

    sysvinit never worked as expected every time. I'm not saying systemd does either, but don't go and act like sysvinit is the most perfect thing out there.. It blows too.

  25. SecurityGroup issue Not MongoDB issue by Anonymous Coward · · Score: 0

    The DB was hosted on Amazon AWS. By default the port Mongo is using is not open to the world. You'd have to purposely go into the SecurityGroup for your EC2 server and open up the port to all.

  26. This could be on purpose by degantyll · · Score: 1

    Elections are harsh in Mexico, with the PRI (Institutional Revolutionary Party) doing whatever it takes to hold onto power. This might very well be on purpose to extract data on voters to fake votes and inflate ballot boxes. A good bribe to the sysadmin or even a harsh threat (political parties are known to have nexus with organized crime) could have been the reason for this.

  27. Re: So the new Ubuntu with its missing systemd.. by Anonymous Coward · · Score: 0

    Most? As if that is acceptable. It might be in the Windows world, but Open Source should demand better.

  28. wrong! U.S. = Washington D.C. by Anonymous Coward · · Score: 0

    48 States of America united to a Union with States of the Several States and U. S. States composed of outlying islands conquerred by navy or armed forces not part of America yet known colloqially as Kingdom of Havaii and Alaska and Puerto Rico.

    Fed corp U.S. != America.
    U.S. States != 48 united States of America.
    Civil war union States of the United != confederation The United States of America.

    Learn to Title 18 US Code. Ye parisite!

  29. oblig by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=b2F-DItXtZs

  30. Webscale! by Anonymous Coward · · Score: 0

    Sound like they should have just saved it on /dev/null

  31. nosql == no clue by Anonymous Coward · · Score: 0

    It sure seems that most people who use nosql databases have no clue. No idea about what security is, no idea about data integrity, just no freaking clue at all.

    BUT, BUT IT'S WEBSCALE!!!!

    Who gives a shit about data integrity, right?