
I think this is a little simplistic. Depending on what data is being deleted, it may have real life economic consequences for individual people. What if one of the databases has a record of credits you've purchased at your local spin studio? Hopefully they have a back up, but if they don't, you and/or the owners stand to make significant losses. Are there databases that could be lost without consequence except to their owner? Sure. But that is far from all of them.

I also just think it is a little uncharitable to wish harm on people simply because whoever did their IT was inexpert at their job? Like, how does the local mom and pop correctly evaluate a person's IT chops? The nephew says they can set up their website for cheap, and they want to be nice, so they give him the job. Turns out he's a newb and later their database gets deleted and you are on here saying that's a good thing? Hrm. I don't agree.



It can definitely have real world consequences, but couldn't the same be said for somebody being a whistleblower for a company that doesn't follow building codes? The company could take a huge financial hit and people might lose their jobs because of their practices being exposed.


Sometimes the best path forward does harm, sure. It's just hard for me to agree that deleting these databases is the harm-minimizing path. One example of a less harmful path that comes to mind immediately is installing a random password on the unsecured database and emailing the domain owner the password. That would cause downtime but it would limit the irreversible damage. You could even say that you will delete the database if it is found again with an unsecured password, if you wanted to add some stick to your carrot. It does not seem like this attack has harm-minimization in mind.


What you propose is illegal in most 1st/2nd world countries. In mine, the company could thank you and then put you straight to jail for 30 years. Unfortunately very few small businesses run safe reporting programs and often react with attack.


So is deleting a database.

Putting a password and emailing the admin would solve the password problem.

But I agree doing anything is probably illegal. I would leave it... not worth hassle of wearing the superman cape.


The problem is with the e-mailing part. A mom&pop is unlikely to track you down if you lock out their DB, but they'll likely report you to police if you contact them about it.


Is an email from an anonymous address easier to trace than remote database commands?


Yes. You need good logging on the vulnerable DB to trace the command - and if your DB is vulnerable it's a good bet you forgot the logging too.

Emails have a bunch of info in the headers, so there is more meta-data in the email itself.

Neither is perfect for finding the culprit but one scenario has zero meta-data and the other has some.
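As an added illustration of the logging point made in the comment above (example code, not part of the thread), a small Python script that attributes destructive commands in a mongod log to the remote address that issued them. The log lines are constructed for the example and modelled on the JSON format mongod has written since version 4.4; the addresses, database names, connection ids and timestamps are made up.

```python
import json

# Constructed sample lines, modelled on the JSON log format mongod writes from
# version 4.4 onward (one JSON document per line). Values are made up for the
# example; the field names (t, s, c, ctx, msg, attr) are MongoDB's.
SAMPLE_LOG = r"""
{"t":{"$date":"2020-07-22T09:58:01.101+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:41022","connectionId":4,"connectionCount":1}}
{"t":{"$date":"2020-07-22T09:58:03.512+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:51234","connectionId":5,"connectionCount":2}}
{"t":{"$date":"2020-07-22T09:58:03.890+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn5","msg":"Slow query","attr":{"type":"command","ns":"shop.$cmd","command":{"dropDatabase":1,"$db":"shop"},"durationMillis":131}}
{"t":{"$date":"2020-07-22T09:58:04.002+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn5","msg":"Slow query","attr":{"type":"command","ns":"customers.$cmd","command":{"dropDatabase":1,"$db":"customers"},"durationMillis":118}}
{"t":{"$date":"2020-07-22T09:58:04.500+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn4","msg":"Slow query","attr":{"type":"command","ns":"shop.credits","command":{"find":"credits","filter":{"member":"m-1021"},"$db":"shop"},"durationMillis":140}}
{"t":{"$date":"2020-07-22T09:58:05.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn5","msg":"Connection ended","attr":{"remote":"203.0.113.7:51234","connectionId":5,"connectionCount":1}}
"""

# Commands that destroy or rewrite data wholesale; the ones worth attributing.
DESTRUCTIVE = {"dropDatabase", "drop", "renameCollection", "delete", "remove"}


def parse_log(text):
    """Yield one dict per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def attribute_destructive_commands(text):
    """Map each logged destructive command back to the remote address that issued it.

    Commands are logged under ctx "connN"; the matching "Connection accepted" entry
    carries connectionId N and the remote host:port. Returns a list of
    (remote, command, database) tuples in log order; remote is None when the
    connection's accept entry is not in the log (for example, already rotated away).
    """
    remote_by_conn = {}
    findings = []
    for entry in parse_log(text):
        attr = entry.get("attr", {})
        if entry.get("c") == "NETWORK" and entry.get("msg") == "Connection accepted":
            remote_by_conn[attr["connectionId"]] = attr["remote"]
            continue
        if entry.get("c") != "COMMAND" or attr.get("type") != "command":
            continue
        command = attr.get("command", {})
        name = next(iter(command), None)  # the first key names the command
        if name not in DESTRUCTIVE:
            continue
        ctx = entry.get("ctx", "")
        conn_id = int(ctx[4:]) if ctx.startswith("conn") and ctx[4:].isdigit() else None
        findings.append((remote_by_conn.get(conn_id), name, command.get("$db")))
    return findings


if __name__ == "__main__":
    for remote, name, db in attribute_destructive_commands(SAMPLE_LOG):
        print(f"{remote or 'unknown'} ran {name} on {db}")
```

The caveat the comment hints at: by default mongod only logs operations slower than the slowOpThresholdMs setting (100 ms), so a fast dropDatabase may never appear in the log at all unless that threshold is lowered or the command component's log verbosity is raised beforehand. With nothing logged there is nothing to correlate, which is exactly the "zero meta-data" case.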


How about simply emailing the admin to tell them their database is unsecured? Oh, but that would be benign; I'm sure vandalism is so much more fun.


Unfortunately it's rarely that simple. If you look at the currently exposed MongoDB instances you'll see that most of them are in the cloud without any obvious attribution. You could email the cloud providers and see if they will reach out to the end-user but chances are they already know about it. Here's an article I wrote on that subject, although it was related to industrial control systems:

https://blog.shodan.io/taking-things-offline-is-hard/
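An added example, not part of the thread or the linked article: the two mongod.conf settings that decide whether an instance ends up in the kind of scan mentioned above, with the exposed form beside the corrected one. The setting names are MongoDB's own; the port is MongoDB's default and the private address is an assumption.

```yaml
# Exposed: listens on every interface with authorization left at its default (off).
# Anyone who can reach port 27017 can list, read and drop every database.
net:
  port: 27017
  bindIp: 0.0.0.0
# (no security section at all)

---
# Corrected: bind only to the addresses that need to reach it and require authentication.
# Users are created with db.createUser(); until the first admin user exists, the
# localhost exception lets you connect from the machine itself to create one.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is an assumed private address on the app network
security:
  authorization: enabled
```

Enabling authorization on a live instance is the "install a password" step discussed further up the thread; the bindIp change is what keeps the instance out of the scan results in the first place.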


“Fix auth”. Add item to todo list and just forget because there are other more pressing tasks to do.


It's easy to say "you could have just emailed them" when you are not the one doing this for years without things getting better. Often admins flat out ignore you. Even if not they usually do nothing. And if they do something it takes ages.


I don't doubt that for a moment; I have also reported issues of various kinds -- not this specific one -- that have gone unresolved for ages.

That still doesn't justify vandalism.


In the article one provider was notified that their database was without a password and publicly accessible.

They secured it, and somehow managed to make it publicly accessible again without password, this time it got hit by this attack.

Honestly this is like if a company decides to keep their paper records with my information on a public side walk, and somebody saw that and decided to bring them to the landfill.

Is it legal or fair? In a perfect world no, but at this point the company is not blameless.


I certainly think the most legal approach is to do nothing except notify, or maybe nothing at all. But if you must modify the database, locking it reversibly is more defensible morally.


Or just set everyone's password to the same thing eg SecureMe


>> but couldn't the same be said for somebody being a whistleblower for a company that doesn't follow building codes?

No. The equivalent would be exploiting their building's weakness to cause it to collapse - maybe with people in it.

Pointing out a vulnerability is not the same as demonstrating it.

That said, a demonstration will get their attention more.


Your comparison isn't fair - blowing the whistle is supposed to be a last resort. Internal disclosure and attempting to fix the issue collaboratively is always the first step.

This attack is indiscriminate and is without warning, so it eliminates the possibility for database owners to fix the problem in good faith.


Finally, after years and years and years of being told over and over and the bottom line never improving.

I got doxxed with the Equifax breach. How many other companies in the world will take someone's word that they are me based on that data, and what potential is there for my life, amongst millions of others, to go completely sideways because of companies who won't admit the systems are broken?

I say the house is already burning, but maybe throwing some fireworks into the blaze will convince the right parties to finally put the damn fire out.

Beyond sick and tired of breach after breach after breach after "oh, there were millions of voter records showing publicly" "no, <insert product name> defaults to no security"


Just because it's understandable for Mom & Pop to not care about the privacy of the people whose data they've collected doesn't make it a good idea. They should care. If the buck doesn't stop with business owners, with whom does it stop?

IMO we specialize too much and miss important things that we mentally outsource to other people. I'm equally disturbed how often I meet people in tech who are unable to do basic home repairs or cook for themselves. Something, like say, a few weeks of quarantine, and people's anxiety goes through the roof because they've relied on other people for basic life skills.


I don't find your example very convincing. Any database storing personal data needs to be properly secured, and if that gym also has ID, credit card or other more sensitive data, that data might better be destroyed than stolen.

If it's a publicly accessible wiki with no sensitive data whatsoever, and that's meant to be publicly accessible, then there's a reasonable excuse for the poor security and it's not helping anyone to destroy it.


There is no indication in this article that all of the databases had personal data.


Why should innocent users be punished? Why not just send a pic confirming you have full db access? This is just unnecessary vandalism.


The point is that, if my credit card info is staying in a web-exposed, insecure DB, it is safer for me that it be destroyed than left alone.

I have no idea if that is the intention of the attackers, or if they are maybe even stealing the info before deleting it. But assuming they were good Samaritans and just deleting it, that is the best outcome for me as a user, better than if it stayed up for another day.


Because often that doesn’t actually elicit change. Deleting the data over and over does.


Somehow that would be worse. Feels like a ransom call.


What happens when mom & pop are storing your name and credit card # in plain text and then your identity gets stolen and credit ruined? Should we still be "charitable" to them and their d-bag nephew?


Your credit card number being stolen is a problem for your bank, not a problem for you. You can't steal someone's identity with a credit card number.

The concern in this case is when there is some social problem with being in Mom & Pop Inc's customer database. There are probably some people that buy some things that they don't want other people to know about. When the database gets hacked and you are linked to being their customer, that is the unfortunate and potentially damaging information leak. A credit card just gets reissued and the bank reverses the transaction. No big deal.


It's a problem for the vendors, not the banks. They get hit with chargebacks for fraud that's no fault of their own, hurting the whole ecosystem of vendors and their customers.

https://www.thestreet.com/personal-finance/credit-cards/cred...


The problem could be easily solved by Visa/MC/Discover/Amex implementing chip and pin, or at least 2FA SMS authorization. Bestbuy.com has it working somehow.


These people can't configure a firewall. How are they going to implement payments in the secure fashion you suggest?


I meant that Visa/MC/Discover/AmEx should be forcing the use of chip and Pin or other 2FA methods.


> Your credit card number being stolen is a problem for your bank, not a problem for you.

Not necessarily, depending on where you're based.


It's still a PITA when my credit card has to be swapped.


Yeah, it is not like I trust my credit card to strangers and let them walk away with it for a while.


> Like, how does the local mom and pop correctly evaluate a person's IT chops?

Usually by price and unfortunately both mom and pop like a bargain - I've seen this play out more times than I would like.

Also how do you evaluate, say, a landscaper's chops? Or any other kind of contractor's for that matter? By doing research beforehand, checking what kind of reputation that person has etc.

Low-effort or lack of research gives you bad services, for which you pay in losses like these.


In construction and landscaping work those companies are usually licensed, bonded and insured. If they fuck up the work there's obvious financial recourse. Also, the measure of them fucking up is generally a lot clearer for physical labor and for mom and pop businesses, getting construction work inspected by a 3rd party is usually more straightforward and cheaper.

In software, financial recourse generally means you have to jump straight to lawsuits. There's no licensing for who's qualified to build a website, developers don't have to escrow funds or carry malpractice insurance in case they make a mistake, and while a development business should have insurance in place, there's not always an easy or affordable way to assign fault in most IT situations if you want to pursue them. Software and IT forensics are prohibitively costly and usually mean a lot of money has to be on the line, which rules out mom and pop businesses entirely. IT and software mistakes also usually take longer to rear their heads, and people in IT and software also aren't known for sticking around for decades. How do you sue an LLC that dissolved 5 years ago?

It's apples and oranges in my opinion.


If someone does a shitty job in home improvement stuff it's usually not visible for years down the line. And good luck with your recourse by then. I've never heard of a homeowner getting recourse unless it's insanely obviously bad right away. The vast majority end up just living with the defects or hiring someone else to do the job again.


A 10-year warranty is a thing and is mandatory in some places/countries.


I don't know how it is in the US, but in my country an audit that would reveal such an obvious lack of security costs no more than the equivalent of a single minimum salary - usually much less. On top of that, several companies that offer such services are widely known because their media presence is mostly articles about vulnerabilities in routers, phones, operating systems etc.

I hail from a post-communist country so I assumed the culture in the US is more developed in this regard.


I'm not sure what your country's going rates are, but for the US, a small business might budget a few thousand dollars total for their website. A minimal security audit that would catch missing or stupid security would basically double their expenses. Unless they truly needed some custom feature, they'd take one look at a security auditor's quotes and then go sign up for Wix or Squarespace immediately. It's not that the services don't exist, it's just that they're expensive and typical non-technology business websites don't really need that much put into them.


If regular citizens of your nation can get a COVID test back in less than two weeks, you should consider yourselves more developed than USA.


I am thinking more about the clients of the mom and pop shop who are better off not having their personal details exposed.


> Are there databases that could be lost without consequence except to their owner

I would certainly hope the owner of the insecure database would face massive consequences. IMO there's not _nearly_ enough of that. This sort of breach should be financially ruinous for _any_ company.


What if the database only contains my blog posts? Or my own personal health information I'm tracking? Or all the Hearthstone cards? Or any other of the infinite data sets that are totally insignificant to anyone beyond the owner of the database?

Not everything is about you, and also you totally misunderstood the post you quoted.


Then you'll learn real quick to secure your database, make backups, or not post personal stuff online.

And if you've configured your database that poorly, am I supposed to assume you've properly configured your server against becoming part of a DDoS attack? Or a bot net? The base level of negligence you're defending enables a multitude of attacks. Losing your DB would be an immediate sign you don't know what you're doing, and thus shouldn't be doing it.


The possibility of someone stealing your identity (or worse) far outweighs the damages from losing some coupons.

Deleting exposed databases is genius; there need to be real repercussions for companies if they leak user data.


> The possibility of someone stealing your identity (or worse) far outweighs the damages from losing some coupons.

That is a very rich person statement.


Fine, what about every poor person who gets their data stolen from an unsecured database, and gets their identity stolen?

Yours is also a rich person statement.

Unsecured databases are a huge loss for everyone.

Anything that forces a shift in this naive behavior of vendors, implementors and executives is not just fine by me, I welcome it. If my life suffers because of data of mine that's lost from companies' databases, I now know who to cease doing business with.


Not really, it's much easier for rich people to reclaim their identity than it is for poor people.


But what about the companies making millions in profit each year that are carelessly exposing sensitive data because they don't want to spend a little more on quality IT work?

No one wants to see their local pizza shop lose their pizza-credit database, but if that's the price to pay for data security then so be it.


> What if one of the databases has a record of credits you've purchased at your local spin studio?

Usually when you buy something, you get an email receipt. So you print out your email receipt and go to the mom and pop store.

Given they are a local mom and pop store, you likely have a long term relationship with them and they may even remember you buying credits. So it will be a hassle, but likely ok.

It is the huge corporate stores that don’t have long term relationships that would be hurt by this thing the most.


Depending on what data is being deleted, not deleting it could also have significantly worse consequences when it later falls into the wrong hands.

In the case of the spin studio, you can prove what you paid, the owner just lost his evidence of what he no longer owes you, and will hopefully in the future stop exposing your personal data on the Internet.


> Like, how does the local mom and pop correctly evaluate a person's IT chops?

Not my problem.

> The nephew says they can set up their website for cheap, and they want to be nice, so they give him the job. Turns out he's a newb and later their database gets deleted and you are on here saying that's a good thing? Hrm. I don't agree.

Mom and pop prefer nepotism over skill, credentials and reputation, without even a second opinion. There is a reason that this is frowned upon (and has been for at least some 2000 years before mom and pop were born), regardless of the domain.

On the off chance that their database doesn't contain any personally identifying information on their customers, this is an idiot tax. In any other case, their loss is completely justified when compared to the potential losses, abuse and manipulation of their customers that come with exposing their PII to the public.


lol I'm sorry but this is probably not the best go-to example of real world consequences:

> What if one of the databases has a record of credits you've purchased at your local spin studio?

p.s. bobby tables did it first


A spin class? Really that is the best example you can come up with? That is not at all compelling.


What part of the example do you dispute? Spin studios have databases, like almost all small businesses these days.


If I knew we were frying fish this small I'd have brought a different pan.


4000 small fish is a lot of biomass.



