Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

Posted by BeauHD on from the give-me-your-money-or-else dept.

An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related.

71 of 115 comments (clear)

  1. lol by Anonymous Coward · · Score: 4, Insightful

    a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

    1. Re:lol by Mr+D+from+63 · · Score: 3, Funny

      a passwordless admin interface exposed to the internet?

      It had to be the Russians, according to federal officials they are the only one's smart enough to pull this off.

    2. Re:lol by ls671 · · Score: 1

      a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

      Irrelevant, the important thing is that it scales.

      --
      Everything I write is lies, read between the lines.
    3. Re:lol by gtall · · Score: 1

      Hey Vlad, things getting a bit boring around Thug Central and yer former KGB buddies?

    4. Re:lol by fbobraga · · Score: 1
      one which hit a prominent U.S. healthcare organization

      passwordless access to medical records? OMFG!

    5. Re:lol by fbobraga · · Score: 1

      one which hit a prominent U.S. healthcare organization

      passwordless access to medical records? OMFG!

      * fixing my own post

    6. Re: lol by Insanity+Defense · · Score: 1

      Let's be honest, it's an open secret that the Linux kernel contains large sections of copyrighted code from SCO UNIX. For those familiar with both collections of source code, it was generally assumed that SCO would win their lawsuit, and simply a question of what the fallout would be. Although dismissed out of hand by IBM and members of the open source community who were constantly moving the goalposts, SCO did provide a comprehensive list of source files and line numbers in Linux that matched portions of SCO UNIX. The fact is, SCO's claims of copyright violations by Linux developers and users were valid, factual, and completely legal. To this day, the Linux kernel contains large sections of copyrighted code that came straight from SCO UNIX. The open source community generally is vocal in favoring the "little guy" against large corporations like Microsoft and Google, whose motives and actions are frequently called into question. It's bemoaned that the so-called little guy is unlikely to stand a chance against the massive and well-funded legal teams retained by large corporations. This is for good reason, that everyone should be entitled to the same rights, regardless of their ability to afford top notch legal teams. SCO was the little guy compared to IBM, a small company with limited resources simply trying to ensure their copyrights were protected. IBM squashed them like a bug, not because the lawsuit was invalid. In fact, SCO's claims of copyright infringement are generally accepted as mostly correct. Rather, IBM had the legal resources to draw out legal battles and win a war of attrition against SCO, no matter the validity of the claims. If the open source community truly cares about ensuring the little guy has the same rights as large corporations, they should have been supporting SCO against a behemoth like IBM. To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.

      Sorry Jeff but you must have missed the memo. The SCO Group lost all that in court. They didn't have a legal leg to stand on. They are bankrupt with no assets. Have a nice day.

    7. Re:lol by EndlessNameless · · Score: 1

      I don't usually say people deserve to have bad things happen to them, but this is going to be an exception.

      An admin leaving a database with direct connectivity to the internet is bad enough---borderline negligence, in my opinion. But a blank admin password?

      That's like walking down the street with $100 bills bulging out of your pockets on the bad side of town.

      It's not just stupidity---most stupid people don't even do things that stupid.

      It's too bad IT doesn't require professional licenses like doctors and lawyers, so we can kick these people out of the profession before they hurt somebody else.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    8. Re: lol by gweihir · · Score: 1

      Behold people, the "big lie" technique at work.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Managed by morons by rossz · · Score: 3, Interesting

    Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

    --
    -- Will program for bandwidth
    1. Re:Managed by morons by anchovy_chekov · · Score: 3, Interesting

      Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

      This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.

      Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.

    2. Re:Managed by morons by thegarbz · · Score: 2

      Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

      If they were the price would be set higher.

    3. Re:Managed by morons by tomhath · · Score: 4, Interesting

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do

    4. Re:Managed by morons by plopez · · Score: 1

      As many breaches are inside jobs exposure to the internet is not even a valid criteria. No DB should ever have open security by default. See Postgresql for a much better model.

      --
      putting the 'B' in LGBTQ+
    5. Re:Managed by morons by anchovy_chekov · · Score: 2

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do

      Wow. If that's true that's the most mindblowingly insane thing I've ever heard about Mongo. I avoid it because of a host of other issues, but if they actively screwed installs - and any of those users have support contracts with MongoDB Inc - it could well spell the end of the company. Can't find anything on the webs about it, so if you do stumble across any details I'd be interested to see them.

    6. Re:Managed by morons by Solandri · · Score: 2

      Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

      There's a third possibility: c) database is (semi)critical, but the person/manager who made/approved it was too cheap to pay a real database administrator to help with the original setup and configuration.

      Most engineering professions where lives or large dollar amounts are at risk (civil engineering, structural engineering, many forms of mechanical engineering) require the person designing the system to have some sort of outside certification that s/he knows what s/he is doing. But software is still the Wild West where you can get your 13 year old nephew to set up that database for you.

    7. Re:Managed by morons by Dr.Saeuerlich · · Score: 1

      It's China. Really, regular IT people (not the government's hackers) here are notoriously clueless about security. I've encountered various systems in the last years here in China that ran with no passwords or default passwords, because some underpaid drone didn't care to do some extra work. Favorite Chinese passwords? qwerty, 12345, companynameCURRENTYEAR, some patterns you can type on your keyboard like 147896. Security through obscurity is also a favorite concept.

    8. Re: Managed by morons by guruevi · · Score: 2

      Just because a project is open source doesn't mean everyone can contribute to it. MongoDB has been rife with issues since the beginning, the company behind it is only interested in selling its subscription technical service and has a culture that doesn't accept anything that isn't the "Mongo" way or would interfere in the commercialization of its platform kind of like Poettering on steroids.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    9. Re:Managed by morons by JoeMerchant · · Score: 1

      200,000 patient records sounds like they might be important to somebody...

    10. Re:Managed by morons by JoeMerchant · · Score: 1

      I worked in software/electrical engineering for 10 years, then took a look at maybe getting my PE license in electrical - it's a whole different mindset in the PE world, one that software would benefit from, but will take decades to adapt. The people who should be PEs in software are too valuable to industry right now to be bothered with such things. Industry would really be serving itself if they pushed for a PE type of licensing to be instituted, but "learn Java in 21 days" software schools don't even come close to preparing their students for the rigor of a PE licensing process.

      On the flip side, a PE software specialization test would be necessarily ludicrous, as are the electrical and mechanical tests today.

    11. Re:Managed by morons by ls671 · · Score: 1

      Yep, in 2017, we expose stuff to the Internet and it is perfectly safe to do so as long as you know what you are doing. In the old days, dedicated physical pipes were viewed as much safer and were commonly used. Then came "virtual physical pipes". Nowadays, very few outfits use real physical dedicated pipes.

      --
      Everything I write is lies, read between the lines.
    12. Re:Managed by morons by Anne+Thwacks · · Score: 1
      virtual physical pipes

      The problem here is that the "virtual idiots" responsible for systems administration have been replaced by "complete idiots". Not having a password on a database, even if it is not exposed to anything is extremely foolish, and comparable to leaving fivers lying around on the floor. Sure leaving them on you bedroom floor is more secure than leaving them on the pavement in the high street, but if you wish to keep them, "on the floor" is not the place for banknotes. If you don't know this, you are not a fit person to handle money of any denomination. Same logic applies to sysadmins.

      we expose stuff to the Internet and it is perfectly safe to do so as long as you know what you are doing

      How is a PHB expected to employ someone who knows what he is doing, when he can't tie his own shoelaces? This problem is society wide, and not a computer specific problem. Idiots are unfit to hold high^H^H^H^H any office. More news at 10.

      --
      Sent from my ASR33 using ASCII
    13. Re:Managed by morons by Anne+Thwacks · · Score: 1
      you can get your 13 year old nephew

      My 13 year old nephews know full well what they can do with a database that is not secured, thank you.

      Beware: We may not be the only family to teach 11 year olds SQL.

      --
      Sent from my ASR33 using ASCII
    14. Re: Managed by morons by Anne+Thwacks · · Score: 1
      I can try to connect to 192.168.1.1 (or similar) and that is your machine ?

      Yes, my machine IS 192.168.1.1 you insensitive clod!

      --
      Sent from my ASR33 using ASCII
    15. Re:Managed by morons by ls671 · · Score: 1

      Nice to meet you Anne.

      --
      Everything I write is lies, read between the lines.
    16. Re:Managed by morons by AlphaBro · · Score: 1

      The solution is simple, and the onus is on software developers.

      First, secure by default is a requirement. Always prompt for a strong user specified password by default. Most people take the path of least resistance when installing and configuring software, so this will drastically reduce instances of network exposed services that lack creds or have documented default creds. Second, if insecure features must be enabled e.g. anonymous access is required in some legitimate use cases, bury such settings deep in configuration files and UI-based advanced configuration settings. This too will deter people from using bad security configurations, unless the truly feel they must.

      This is a solved problem, and that's why we see this type of issue in a small subset of domain specific programs. It's always the shitty IoT devices and hipster databases. Blame devs that lack security consciousness, if you want somebody to point a finger at.

    17. Re:Managed by morons by thegarbz · · Score: 1

      Except this clearly wasn't a targetted attack. So we're down to 1 person losing their job and 1799 people going *sigh* followed by *meh* followed by just nuking their crappy database from orbit.

    18. Re:Managed by morons by thegarbz · · Score: 1

      Beware: We may not be the only family to teach 11 year olds SQL.

      Harsh. Back in my day we got a spanking and were sent to our room.

    19. Re:Managed by morons by mlts · · Score: 1

      I wouldn't blame the devs. They know where the money is buttered, and that is placating people who scream the loudest, which tends to be marketing and sales. A sales guy clenches a new contract, but told the customer the product has "xxx" feature. It really doesn't, so dev has to cough that feature up ASAP or else the sale gets lost. Management looks at security and the time it takes to do it right versus cur corners, sees that it doesn't bring any revenue, and tells the dev staff that security can be strapped on later after the sale is made.

      In a number of places, the devs are in an offshore sweatshop, and really don't know any better. Tell them to code a widget, they do that. They will not know, nor care about defensive programming because it takes time away from doing code quantity.

      The person to blame are the PMs who pooh-pooh security because they think it has no ROI.

    20. Re: Managed by morons by mlts · · Score: 1

      The ironic thing is that you don't have to run MongoDB to get MongoDB functionality. PostgreSQL can do the same thing, except it has a proven track record of security.

      The real question... why bother with MongoDB at all, unless something like Splunk requires it? There are better solutions available, both F/OSS and non.

    21. Re:Managed by morons by coofercat · · Score: 1

      I can't confirm if this is true, as I have a Mongodb with no password (and so upgrades didn't remove anything). My difference is that (a) it's only accessible through localhost, and (b) if any remote clients ever want to use it, they'll do so through an stunnel, which will only accept connections from the known IPs of the clients that should be connecting. In my book, even opening up a properly secured database to the Internet is unnecessary - just open it up to the IPs that need it.

      If you're wondering, we use it for Errbit - if we ever did get p0wned, I'd just blow it away and re-install (hence my somewhat rough-shod approach to security in this case).

    22. Re:Managed by morons by Whorhay · · Score: 1

      Some years ago I had a customer passed to me that wanted to know what kind of hoops they needed to jump through to get a Mongo DB approved for our network. No one I knew had ever even heard of it and after about 45 minutes of googling we had to just tell them it would likely never get approved. Getting a big name RDBMS that is actually engineered towards being secure approved is enough of a headache once the developers have had their way with it, Mongo was basically out of the question.

    23. Re:Managed by morons by gweihir · · Score: 1

      Simple: Morons in IT are far-cheaper salary-wise than people with a clue. And morons in management are too stupid to see that these people cost extremely much more overall than people with a clue. This is why such gross stupidity happens all the time in modern IT.

      I imagine this is how things were done in the Roman Empire, right before it collapsed...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    24. Re:Managed by morons by gweihir · · Score: 1

      No traditional RDBMS is "secured by default". You have absolutely no clue what you are talking about. That said, in my experience the only people even more arrogant and stupid in the DB world than the "No SQL" crowd are the traditional RDBMS people.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    25. Re:Managed by morons by AlphaBro · · Score: 1

      Actually, you're right in many cases. As a dev that has shipped software with poor security at the behest of ignorant management that didn't care to understand the problems, I shouldn't be so shortsighted. Open source software is another matter, however; somebody should step up, and do things the right way.

    26. Re:Managed by morons by anchovy_chekov · · Score: 1

      Our experiences may differ here. Depending on the package manager you're using, Postgres (as an example) typically won't even allow remote access until you explicitly enable it. And usually the user associated with the base schema has at least a password. There are exceptions I realise. I guess it's part of the culture. If you've grown up with old school database systems it's almost second nature to check the security model, whereas NoSQL fans I've worked with seem to be happy that things have installed (and configuring apps to connect is simple if there's no actual password).

      But I take your point. Any system needs to be hardened, and there's nothing worse than being complacent.

    27. Re:Managed by morons by gweihir · · Score: 1

      Well, I agree that good security habits may be far less known and followed in the NoSQL-crowd, because they are "hip" and "dynamic" and often inexperienced in server system configuration and management. Also, because all these mistakes _have_ been made with RDBM Systems in the past, they are less likely to be insecure by default, but it still is a risk and you need to check.

      In the best case, hardening just involves checks and you find everything is fine. It still needs to be done and sometimes you find insecure things were you least expect them.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    28. Re:Managed by morons by mlts · · Score: 1

      I would agree here. F/OSS tends to be about "scratching an itch", but I would say developers of a lot of projects have pride in their work and go above and beyond the call of duty. One example is Borg Backup, which I've been following. Even though nobody is funding the project, it is active and has matured a lot from the Attic fork it once was. This type of code quality where even attacks in theory are fixed is pretty much nonexistent in the private sector for the most part.

  3. $200 by ShanghaiBill · · Score: 2

    ... asking for 0.2 Bitcoin ($200) ransom

    That seems like a modest ransom. At least he isn't greedy.

    1. Re:$200 by thegarbz · · Score: 3, Interesting

      Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.

    2. Re:$200 by plopez · · Score: 1

      How do he get rich! Volume! As well as the attitude of "let's just pay it it's so small". Factor in that it might even be a misdemeanor in some places. And we do not even know how many places were hit. Overall a clever strategy.

      --
      putting the 'B' in LGBTQ+
    3. Re:$200 by coofercat · · Score: 1

      We also don't know what the healthcare organisation used it for. It could just be an admin's experimental project, and contain literally nothing of interest to anyone. Less likely is that it contains any actual medical information for identifiable people.

  4. Clearly... by QRDeNameland · · Score: 5, Funny

    MongoDB attacks are Web Scale.

    --
    Momentarily, the need for the construction of new light will no longer exist.
    1. Re:Clearly... by plopez · · Score: 3, Funny

      The lack of admin password is the secret sauce.

      --
      putting the 'B' in LGBTQ+
    2. Re:Clearly... by Hognoxious · · Score: 1

      It does have a password, but it stores it in /dev/null for higher performance.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. Too bad there's no CVE for retarded admins by Anonymous Coward · · Score: 1

    If there was a CVE assigned for every stupid mongodb admin, they'd have blown Android out of the water.

    You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!

    1. Re:Too bad there's no CVE for retarded admins by K.+S.+Kyosuke · · Score: 1

      Opening your mongodb to the internet does NOT make it webscale!

      True, 1800 attacks isn't quite webscale yet! I'd add two more zeros.

      --
      Ezekiel 23:20
  6. Russians by Ant2 · · Score: 2, Funny

    Those pesky Russians are at it again.

    1. Re:Russians by mwvdlee · · Score: 1

      That's what he said.
      Who do you think the "and friends" are?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. You are much more sure than SCO is by raymorris · · Score: 4, Informative

    > To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.

    Some of us pay attention to who is right and wrong, rather than deciding absolutely everything based on "big mean corporation."

    SCO originally filed for misappropriation of trade secrets and unfair competition. Later, they decided breach of contract might be better. Still later, they decided maybe copyright infringement. Obviously, SCO wasn't so sure exactly what they were complaining about - not nearly as sure as you are.

    They claimed that up to 0.0001% of the Linux kernel might have been derived from Unix, but refused to say which parts. As the judge began to strike down their claims unless they identified which code they were talking about, they pointed to some BSD licensed code written by Thompson - code they clearly had no copyright rights to.

    When it was pointed out that Novell, not SCO, owned the Unix copyright, SCO tried to buy the copyrights from Novell. Again, Novell clearly wasn't too sure they owned the copyrights, they were trying to buy them from Novell, yet you're sure that they already owned them.

    SCO then claimed that the GPL itself is illegal and unconstitutional! Which would of course mean that SCO were themselves unlawfully distributing GPL code! Yeah that annoyed some people.

    SCO didn't just lose a case, they were laughed out of court repeatedly. "We're suing you for violating the copyright on Unix, but we're still trying to buy that copyright so can we have a short delay?" What!?!? It was one of the most ridiculous cases ever. That's why people didn't root for SCO, it was because SCO was engaging in ridiculous trolling that made no sense. They argued that the "offending code" was part of the Linux kernel, then argued that it wasn't. They couldn't even make up their mind.

    1. Re:You are much more sure than SCO is by Anonymous Coward · · Score: 1

      YHBT. And rather obviously so.

    2. Re:You are much more sure than SCO is by JoeMerchant · · Score: 1

      Are we sure that this wasn't a master stroke by SCO to establish some case law in favor of all the things they appeared to be attempting to tear down?

    3. Re:You are much more sure than SCO is by Bongo · · Score: 1

      That reminds me of cases in the Good Wife, except they wisely limited their law humour scripts to half retard, whereas what you describe goes full retard.

    4. Re: You are much more sure than SCO is by mlts · · Score: 1

      From what I've seen, IBM wants to pull away from AIX because they know that the POWER8 market is shrinking, and so is AIX. This isn't to say that AIX is bad -- it is arguably extremely secure and mature, just like Solaris. However, the market in general is moving from Big Iron to x86-64, to VMs, to cloud based VMs, to serverless services (AWS Lambda), and from pets to cattle, where backups basic redundancy are viewed as a bother [1] and not an official need.

      IBM isn't dumb. Softlayer OpenStack will be an effective competitor to AWS in a few revs, and for some tasks, it is effective now. They know that a lot of businesses want only one piece of server hardware locally, and that's the edge switch/router to connect their workstations to the cloud provider.

      This is not to say AIX is dead by any means. However, IBM is following the money, and that is to be a cloud provider, guaranteeing income monthly.

      [1]: A few months, during a job interview, I was told by one of the interviewers, "asking a cloud based startup about backups and uptime is like asking Tesla about what length and material their buggy whips are made from." Needless to say I went elsewhere.

    5. Re: You are much more sure than SCO is by Insanity+Defense · · Score: 1

      it's pretty simple, poors want free stuff and they want to be recognized for their frugality
      so, the poors that can only use Linux because they can't afford PCs or macs now have a vested interest in Linux succeeding because a) they want the free ride to continue and b) they can claim some level of expertise for a nice computer janitor job
      now you get to SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of smelly hippie free "as in beer and speech!!!!" Linux. poor Linux "admins" can't have that, it takes away the gravy train in favor of professionals so... it all makes sense when you think about the idiot poors that are trying hard to be real IT pros.
      this also explains why stories like databases with no admin password exposed to the internet getting hacked become news.

      Bullshit. If you are poor the machines you can buy come with Windows in the price tag. Linux machines are virtually always higher priced because the manufacturers don't get paid to install all the crapware/trial ware on the system. People who use Linux do so because they WANT to. They use Windows because it comes with the system and it is what they know already.

    6. Re:You are much more sure than SCO is by kriston · · Score: 1

      What, exactly, does this have to do with TFA?

      --

      Kriston

    7. Re: You are much more sure than SCO is by kimvette · · Score: 1

      > so, the poors that can only use Linux because they can't afford PCs or macs now have a vested interest in Linux succeeding because a) they want the free ride to continue and b) they can claim some level of expertise for a nice computer janitor job

      For a "janitor job" it pays extremely well - certainly better than your mop janitor job. ;)

      > now you get to SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of smelly hippie free "as in beer and speech!!!!" Linux

      Linux != UNIX. It never was, and was never intended to be. It was intended to work just like Linux, but free of UNIX licensing constraints. It is a UNIX clone. That it usurped UNIX's throne everywhere from appliances to big iron, from lowly tablets to the largest supercomputers only serves as a testimony to its relative stability and extensibility. Is it the perfect UNIX-like OS? Certainly not... but it is a very solidly competent jack of all trades.

      Regarding your use of the term "the poors": I'm assuming you're a white trash Trump supporter living in a red state who benefits from the wealthy blue states' paying more taxes.

        American politics are truly fucked up: the blue states pay the highest taxes because they are the wealthiest. The blue states basically vote to tax themselves more so the red states can get more assistance.. and the red states are voting against it... and based on your post, I'm assuming you're one of those idiots voting against their own best interest.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    8. Re: You are much more sure than SCO is by HornWumpus · · Score: 1

      I really enjoyed shooting old hard drives containing Netmare 2 back in the day.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  8. Nuke, upgrade, and restore from backups by PeeAitchPee · · Score: 1

    Fuck these ransom guys. Keeping good backups is a little bit of extra work, but at least you have the option to restore, even if you've been hacked because of gross negligence / shameful ignorance / plain stupidity like this.

    1. Re:Nuke, upgrade, and restore from backups by supremebob · · Score: 4, Insightful

      You think that someone who didn't bother setting an admin password for an Internet facing database bothered to configure backups for it?

    2. Re:Nuke, upgrade, and restore from backups by plopez · · Score: 4, Interesting

      they backed up to /dev/null because it was web scale.

      --
      putting the 'B' in LGBTQ+
  9. Personally I blame... by FlyingGuy · · Score: 1

    The idiot developers that want everything in [ insert the name of your currently favorite dev language here ] including security!

    They all want a single, or better yet, no username and password on the db in question! When will the developers EVER learn, anything

    --
    Hey KID! Yeah you, get the fuck off my lawn!
    1. Re:Personally I blame... by plopez · · Score: 1

      This is one big reason I have come to hate IT and developers. The same stupid mistakes over and over again. And when you flag it you get a an attitude of "u r old sk3w1", "you don't get it", etc.

      And in at least 2 cases I tried to warn them and when the fecal material impacted the rotary air circulation device guess who got blamed? The guy who tried to stop them. As if I had somehow jinxed them by trying to help them.

      --
      putting the 'B' in LGBTQ+
  10. True by raymorris · · Score: 1

    You are not wrong

  11. Re:Where's the training and hard experience? by BarbaraHudson · · Score: 1

    Good thing my copy of dBASE5 still runs like a charm under dosbox and is impervious to all this web crap. Clipper still works like a charm too ...

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  12. Biker war ? by Anonymous Coward · · Score: 1

    The Mongols motorcycle club have been at war with the Hells Angels for years. This might be an attempt at attacking their members.

  13. Heads should roll for this by LeftCoastThinker · · Score: 1

    This is equivalent to the facilities guy at work installing new doors with no locks and then a thief putting locks on all the doors with a note to pay him $200 to get the keys to the new locks; it is almost a public service in this case. Heads should roll for this stupidity, though most at the executive level have such a poor understanding of good security practices who knows.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  14. Mongo is Ransom Scale by cstacy · · Score: 1

    https://www.youtube.com/watch?...

  15. Re:Mongoeb developed by idisots... by mlts · · Score: 1

    It is a reflection of the software development methodology in general. MongoDB is supposed to be fast... like taking a car, yanking all the seats, the windows, the doors, the hood and trunk, all but one brake pad, and saying that it is a performance monster. Of course, the fact that it has been rendered worthless for tasks that need audibility and security is beside the point.

  16. Re:Where's the training and hard experience? by BarbaraHudson · · Score: 1

    Wow, someone who wants to race to the bottom even quicker. Then again, what can you expect from an AC?

    Technically if they had configured the security there wouldn't be a problem.

    Provably false, because it is impossible to anticipate every security problem, especially since you're trying to hit a moving target. Never been done, can't be done within the heat death of the universe.

    Web enabled is inevitable

    Only if you're someone who wants to really screw over users, with things like all-time connections required, downloadable content, adware, etc. Local networks did just fine for a LONG time for all sorts of business applications, and both standalone and local networks for things like games and other forms of entertainment. You show the lack of imagination given by not knowing history. The internet is a symptom, and has caused more harm than good for the average person. Fake news wouldn't be possible without stupidity like Failbook and Twithead.

    Honestly the economy sucks, jobs are scarce and the web offers the possibility of breaking barriers by giving the average joe global reach

    First, there is a limited demand for internet-enabled jobs, and already far too many people trying to fill that demand, which is why most intenet-based jobs pay less than minimum wage by the time you account for everything. Second, we're seeing the beginning of the bursting of the second internet bubble. You can't eat virtual pizza, your bitcoin is a terrible form of currency (as seen by the 18% drop in value in 5 days, the vast majority of "App developers" still make far less than the minimum wage and that has always been the case, and always will be, because people always hope that they will be the exception.

    If you want to compete with developers in India, you'll end up with their standard of living - which means a country where, like India, there are so many people without a toilet (indoor OR outdoor) that they could literally form a line from the earth to the moon - something that will NOT change over the next 40 years because poverty is both ingrained in the corruption and class structure, and because the reservoir of poverty is just too large - and of course it doesn't help that India will have more people than China in 5 years.

    Also, your "ground breaking technologies" are not. Most of the "new technologies" are shit, same as ruby used to be the latest hotness. Anything based on javascript is inherently worse than Flash - at least flash doesn't need a web browser to run in, and can be easily confined either to the local machine or local network. It also requires far less ram and cpu to do the same job. This is the problem with so many of the "new technologies" - holier than swiss cheese, layered upon other layers that are also full of bloat and rot (even Flash was bloat, but nowhere near as bad as, say, chrome or firefox).

    We can exist fine without the internet. Specialized networks with limited access, non-interchangeable protocols, devoted to specific tasks, are going to happen, if only because the current internet is defective by design when it comes to security - the original goal was to be as failsafe as possible, no matter how much of the intervening network was destroyed - but that also means that any node can always attack anyone and everyone. Heck, it was possible at the dawn of the internet to take Microsoft down with a dial-up modem and a 386.

    Society started failing when trickle-down economics and both the left and the right started ignoring economic disparity (which includes the Clintons even before he became president, having helped dismantle some of the new deal economic protections that actually allowed the economy to grow by growing the base instead of feeding the rich - a policy Obama continued by, among other things, bailing out the car companies and

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  17. Even easier with Elasticsearch by kriston · · Score: 1

    This is the result of poor decision making, but a hack like this is even easier with Elasticsearch.

    Unless you pay for a license, Elasticsearch doesn't even offer something as simple as user/password authentication.

    Seriously.

    --

    Kriston