There are zero consequences to anyone important when a data breach happens; therefore there is no incentive for companies to protect their user data and the number of breaches will continue to grow for the foreseeable future.
By 2025 at the latest, there will effectively be no such thing as privacy anymore. All personal data belonging to everyone will have been exfiltrated and will be available for sale.
You will be able to purchase the full medical history, all financial transactions, all addresses, phone numbers, location history (often with photo/video evidence), all account numbers, ID numbers (government and otherwise), biometric data, browser/search history, every email, SMS, or chat message they ever sent or received, and any other information you can think of, for the vast majority of people on earth.
I've long been arguing that there should be severe legal consequences for companies who leak data. Right now there are almost no legal repercussions for this sort of thing. I expect better from Microsoft, but I really don't expect any better from the thousands of tiny startups out there. Unless the people involved suffer serious consequences for leaking their customers' data, they won't bother spending the time and money to do a good job, and these breaches will continue to be commonplace.
As much as I love the free market, we're completely failing to protect consumers. I think we need the government to step in and align incentives. I don't know if we need engineers to be personally liable in the case of data breaches, but I'm serious enough about this that I wouldn't take it off the table. Medicine has malpractice suits. Engineers have a professional duty of care. Builders have building codes. We need an equivalent for software engineering.
It's not the wild west anymore, where we didn't know how to do this right. For almost all modern software, best practices are out there and well known. The way you secure a password database hasn't changed much in the last decade. Apparently people just don't care enough to learn and apply those techniques. Bootcamps don't even bother to teach any security practices. Given how much the world relies on our industry's ability and knowledge, that needs to change in a hurry.
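To make the "hasn't changed much in a decade" point concrete, here is a minimal sketch of the standard approach: a per-user random salt plus a deliberately slow key-derivation function, using only Python's standard library (`hashlib.scrypt`). The parameters shown are illustrative defaults, not a tuned production configuration.

```python
import hashlib
import hmac
import os

def hash_password(password: str) -> tuple[bytes, bytes]:
    """Hash a password with a fresh random salt using scrypt.

    Returns (salt, digest); store both, never the plaintext.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)
```

Because each user gets a unique salt and the KDF is expensive, a leaked table can't be attacked with precomputed rainbow tables, and brute force is slowed by orders of magnitude compared to a plain hash.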
>As much as I love the free market, we're completely failing to protect consumers. I think we need the government to step in and align incentives.
>Medicine has malpractice suits. Engineers have a professional duty of care. Builders have building codes. We need an equivalent for software engineering.
The key difference is that when a doctor or engineer screws up, people die. The burden is on the people calling for regulation to show the tangible, measurable harm to people's health or finances resulting from these data breaches; otherwise the average person won't take them seriously.
It's also the case that doctors and engineers aren't dealing with adversarial input. If somebody blows up a bridge nobody blames the engineer, and if a patient deliberately harms themselves nobody blames the doctor. Yet web infrastructure is constantly dealing with adversaries across the world trying to breach it.
The comparison would be: nobody would blame the coders if the customers were willingly exposing all their private info. Nobody would blame the coders if an APT socially engineered its way into a well-programmed, secure system.
Everyone rightfully blames the coders if they keep building projects that aren't up to modern standards (and if their company asked them and allowed them the time and resources to build something secure. Otherwise, it's on management.)
Also, most of the dialogs have been lying from the start, implying that they need permission for the cookies "required to run the site"; those are in fact session cookies, which do not require the dialog. It seems the rules have become stricter about what the dialogs should say (probably the GDPR, which the cookie dialog law predates), but in the beginning there was a lot of misinformation (not always deliberate; some frontend devs were also just misinformed). And this, at least in part, caused the wrong reaction from the public: that the cookie dialogs are stupid and annoying, instead of informing them that certain sites would really like to use cookies for third-party advertising and tracking networks. Maybe it would have helped if more websites had proudly displayed a (non-annoying) banner: "our site's cookies are fine; they do not require a cookie dialog!" I don't know.
Maybe more thought could be put into why this is, rather than normalizing it? How many people on this here web site pay their bills with the fruits of these breaches?
Because WhatsApp uses the Signal protocol design nobody ends up able to prove anything useful about the message history. To any outsider, including the WhatsApp server operators, the messages are opaque. To a participant, including you, the system delivers authenticated messages but deliberately doesn't sign them. So:
Alice knows she didn't send this message, so it's from Bob, but she can't prove to anyone else that she didn't just fake it.
Bob knows he sent the message but he can deny it and there's no proof.
Eve has no idea what the message was, even if Alice or Bob show her the real message she can't verify they aren't lying.
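The deniability property above comes from the fact that the Signal design authenticates messages with a symmetric MAC key that both participants hold, instead of a signature only the sender could produce. A toy illustration (not WhatsApp's actual code; the key here is a placeholder, where the real protocol derives per-message keys from the ratchet state):

```python
import hashlib
import hmac

# Both Alice and Bob hold the same symmetric MAC key for this message
# (in the real protocol it is derived from the shared ratchet state).
shared_mac_key = b"\x01" * 32  # placeholder key for illustration only

def tag(message: bytes) -> bytes:
    """Authenticate a message with the shared key."""
    return hmac.new(shared_mac_key, message, hashlib.sha256).digest()

# Bob sends a message; Alice verifies it arrived unmodified.
msg = b"meet at noon"
bob_tag = tag(msg)
assert hmac.compare_digest(bob_tag, tag(msg))  # Alice accepts it

# But Alice holds the same key, so she could have produced a valid tag
# for any message she likes -- the transcript proves nothing to Eve.
forged_tag = tag(b"I confess to everything")
```

Since either party could have computed any valid tag, a transcript shown to a third party carries no cryptographic proof of who wrote what; that is exactly the situation described for Alice, Bob, and Eve above.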
there are lots of reasons someone can fear for their lives if their whatsapp history became public, that do not involve unethical behaviour by that person. usually involves unethical behaviour by other persons, though. probably wise not to judge as quickly without knowledge of the entire picture.
Some of us are working on solutions that keep one of the biggest metadata streams, your photos and videos, off the FAANG. At least it's a choice you can make, even today.
That still leaves medical and financial records, which is a tangle substantially more herculean.
> By 2025 at the latest, there will effectively be no such thing as privacy anymore. All personal data belonging to everyone will have been exfiltrated and will be available for sale.
Does your 2025 prediction apply to black market sale or legal market sale?
> Does your 2025 prediction apply to black market sale or legal market sale?
Your comment brings back Microsoft's Project Bali news from my memory [1]; this supposed data bank allows users to "manage, control, share and monetize the data." That was a bit more than a year ago, and it seems they abandoned the idea, as the page doesn't load anymore (at least for me).
"Exfiltrated" implies black market, but for the prediction to come true, data would have to be leaked by the vast majority of organizations, including most of the banks. Possible, I suppose, given the difficulty of protecting data against all possible attacks, including release by insiders.
I imagine most of these are support issues handled by contractors they have had over the years. Windows 95 through XP had Keane and Convergys in Tucson running their Windows support (which then forked into Canada and India). Not sure who they have doing it now.
The Windows parts of these records might be a good resource as it's probably part of the documentation which builds up to become the MSKB articles. Each support case was documented and linked to either a KB article, an internal "not yet KB article" or you had to submit it as a unique issue. After the "not yet KB articles" were referenced X times, then it would go to consideration as a KB article. Collectively, all this formed their internal KB.
Worked there. Pay was terrible once Convergys took over. Then they moved everything to India and the support got terrible also. Too bad. They had quite the brain drain from that process. There were a lot of Windows gurus in that building. I learned far more than I needed to know about Windows and went way more in depth than I ever have tinkering with Linux.
retweet.
I agree; worked there too, and had a KB article. Can't say I learned much. The only thing I remember that was new, and that I use to this day, was Windows + Pause to bring up system info.
Looking at the dates again, the records I was part of were probably before this date. I believe I was gone by 2005. That may also be around the time the Tucson location moved from the IBM campus to the Convergys buildings. I declined when they asked me if I was going to make the move.
I got there right after Convergys took over from Keane. The training at that time was still really good. Tony Agee and John Mott were legends (unsure of spelling.) I credit this time with my beginnings in tech and learning how to think for troubleshooting. They taught linear, logical troubleshooting, which was so simple and yet I still don't see much of it today. It was also a place to develop my search skills. It's incredibly valuable to be able to sift through a load of technical discussions and separate the signal from the noise.
"Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database."
They need a solution to watch their solution that watches their configs.
There's a massive reason these misconfigurations shouldn't be felonies. Since such errors are so hard to avoid (no company has perfect practice), few sane people would be willing to work in any role that involved taking such responsibility, so a bunch of services would suddenly cease to exist, and the economic cost from the loss of those services could well be way greater than the cost from the occasional breach (which I have yet to see anyone here try to quantify).
People work in those roles all the time, do you say "well nobody has perfect practice" when a doctor leaves a thermometer in your child's skull after surgery?
There are malpractice regimes all over the place, it just results in having real training and an assessment of risks and, y'know, not cowboy'ing, before making changes. "What difference does it make that this girder is 1/2" out of alignment? Nobody's perfect."
Sure, but laying off random people isn't free to the corporation either. They have to hire new people, which is costly, or end up with fewer people. And if the people actually responsible are still there, it will happen again, unless they change their tune. In which case it's sad about the layoffs, but at least you've made a corporation behave, which is also nothing to sneeze at.
In Juvenal's context the question is rhetorical. An unfaithful partner will sleep with the people you set to watch over them, duh. But in the context where we use this phrase today the best answer is a full circle. Watching us, watching them, watching you.
An idea for someone looking for a fun "Show HN" project: build a scoreboard that searches all of the known data breaches for this year and tells me where I rank for how many breaches I've been in (eg: I'm 89/132 on breaches of 50,000 records or more).
Over 8.5 billion customer records were exposed last year; the estimate for this year is in excess of 10 billion.
How about a leaderboard? You get points for each breach that you were in and how much of your data was exposed. Each data point could score different points: your name is 5 points, social security number 10 points etc.
Then you can see that you're 880654th out of 1.1B people on the leaderboard and maybe feel slightly better... or worse.
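The scoring idea above is easy to sketch. Here's a toy version: the name and SSN point values come from the proposal; the other field weights and the data layout are made up for illustration.

```python
# Points per exposed field: name=5 and ssn=10 are from the proposal,
# the rest are placeholder values.
POINTS = {"name": 5, "ssn": 10, "email": 2, "password": 8, "address": 4}

def breach_score(breaches: list[dict]) -> int:
    """Sum points over every field exposed in every breach a user was in.

    Unknown field types score 1 point each.
    """
    return sum(POINTS.get(field, 1)
               for breach in breaches
               for field in breach["exposed_fields"])

def rank(scores: dict[str, int], user: str) -> int:
    """1-based leaderboard position, highest score first."""
    ordered = sorted(scores.values(), reverse=True)
    return ordered.index(scores[user]) + 1
```

A real version would need the breach corpus itself, which is exactly the ethically awkward part of the "Show HN" idea.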
I find it really intriguing hearing about all these data breaches - never before in human history have we been able to store so much information about ourselves and our world and how readily accessible that information is, just sitting on hard disks around the world.
Which makes me wonder, is there information that's leaked so much it's no longer "private"? Names, addresses, phone numbers, contacts lists, photos, emails, cloud documents, IP address logs, search history...It's all there, waiting to be leaked...
And why the insistence on storing information for an unlimited period of time? It should be illegal to store data for more than five years without explicit consent from the user (after reviewing the data and clicking "I am okay with this data continuing to be stored").
These sites really bother me sometimes. I just registered on Dehashed and it requires me to pay for a subscription... to see my own stolen data. I reject that on principle alone.
Mostly so it's not abused by script kiddies. If you want to see whether you are in a breach, it will tell you, but it censors the password if it has been successfully reversed.
Haveibeenpwned is the same but doesn’t reverse the passwords.
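Worth noting that haveibeenpwned's Pwned Passwords API avoids ever seeing your password via k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash, gets back every known suffix in that range, and matches locally. Here is the client-side hashing half of that scheme (the actual HTTP call to the range API is omitted):

```python
import hashlib

def hibp_range_query(password: str) -> tuple[str, str]:
    """Split a password's SHA-1 into the 5-char prefix sent to the
    Pwned Passwords range API and the suffix matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]

prefix, suffix = hibp_range_query("password")
# Only `prefix` ever leaves the machine; the client scans the list of
# suffixes the server returns for `suffix` locally.
```

Because every query reveals only a 20-bit prefix shared by hundreds of other passwords, the service can't tell which password you actually checked.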
The only difference I can see between them and businesses that have gotten people sent to prison [0] is a slight change in the marketing materials. Dehashed even advertises taking Cryptocurrency payments for "unlimited searches".
Guy mentioned in the article here using a throwaway (I'm active on this site). Never went to trial, never went to prison, charges were withdrawn.
> An investigation by infosec journalist Brian Krebs claimed that a second suspect, a US man named Jeremy Wade, was also behind the service. He was never charged
According to American prosecutors, freedom of speech prevents prosecution in America without intent to commit a crime.
I wouldn't bet your freedom on it. The FBI was involved in taking down a similar website just last week [0]. I'm sure they have a solid legal basis for it.
I'm sure they did have a solid basis. The FBI statutes referenced are forfeiture-related and don't describe the underlying crime the operators are accused of, and I'm not familiar with UK or NL law, where the accused are located. The USA is, ironically, the only country where I would hypothetically bet my freedom on operating such a website (not that I need or want to), provided it's done without intent to defraud. I'll reply why in a lower comment, but the fact that no Americans were able to be charged is a good start.
The most relevant section of US criminal law I'm told is 1030 6a which reads:
>(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
>(A) such trafficking affects interstate or foreign commerce; or
>(B) such computer is used by or for the Government of the United States;
The key text here is with intent to defraud as an element of the offense. Prosecutors in the USA must prove beyond a reasonable doubt that you had intent to defraud. This language is very clear due to the first amendment and they cannot speculate nor can they say ignorance alone proves intent. Obviously my earlier post of "without intent to commit a crime" was wrong, but should have read "without intent to defraud".
I don’t know why they would have told you this, this isn’t really anything to do with the first amendment. virtually identical laws exist in many countries.
Edit: I just realized that you said prosecutors told you this. My guess is they lied so that you’d do it again when they were watching.
How do you know who has been in these breaches? Are websites like haveibeenpwned doing business with hackers to get a hold of emails and websites? And just because one person discovers an open server does that mean that hackers have also discovered and copied all the data? I'm just confused about the actual technical aspects about data breaches.
I got an email from Microsoft Azure in relation to this (didn't read the article, but people are quoting parts of the email I received here).
I appreciate that they sent something, but sometimes it'd be nice for them to allow someone to access the data related to them that was exposed as they say "our analysis of the support information indicates that specific personal or organizational identifiable information related to your support case was potentially visible." Okay, what specific personal or organizational identifiable information of mine was visible?
I assume the representative or I may've listed said info in our communications back and forth so let me see what was exposed so I can make a judgement of what, if anything, I should do here.
I got the same email, and I agree with what you said. I'd really like to know if this is even personally relevant, and if it is, I'd really like to know precisely what information is relevant. I'm in the EU, so I guess I could ask under the GDPR, but I wouldn't even know who to ask, and with such a large organisation, I can only imagine there would be a lot of run-around, requiring a lot of follow-ups from me :/
Under the GDPR, the Microsoft Data Protection Officer will have 30 days to respond to you.
If they don't respond, you can complain to the supervisory authority (in the case of UK that is https://ico.org.uk/make-a-complaint/).
Now, Microsoft does not necessarily have to tell you exactly what of your data was leaked. They probably do not know! In this case, they may just respond to your request with all of the personal data they hold.
The law just says that they have to notify you of the "nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects".
Do you think the ICO will do anything? Usually their answer seems to be "well we told the company about your case, and they said they wouldn't do it again, so everything is fine now; you're welcome!".
Notably, elastic's Kubernetes operator which just went 1.0 defaults to requiring a username and password (and generates one if it isn't provided). It also doesn't seem to allow you to opt out of using TLS.
Wow! So the person on the telephone who tells me in a soft Indian accent that my computer has a problem can now authenticate themselves with authority, making it easier for them to get me (or my proxy) to enable remote administration so they can do real damage.
Security is difficult. Microsoft is supposed to be skilled at preventing data breaches and exploits, but apparently not. What can be done to prevent this sort of thing?
It's a wildly asymmetrical relationship: 9 billion people get to try to knock you out, and your team of what, 25, 50, 100, 1000 security specialists has to see everything possible and plan for any and all possibilities.
It's never going to happen.
This is the simple reality of the internet and I'm sure you know this, but I saw your comment and thought I'd add this for the next person who may not realize this.
I'm personally curious to know, because I'm no SecOps: is there even a theoretical solution to the internet that would have greater integrity for the users, or is this as good as it gets?
Please don't do this. Something can be done, we all know it, but for some reason don't think it's possible? Prison sentences should have started with the Target CTO in 2013 (at the very latest), but the more the public is cowed by shrug emojis, the less likely companies will protect your data for anything other than commercial advantage.
Imprisoning CTOs for incompetence would be unprecedented. We don't imprison people for that reason and I can't imagine any knowledgeable CTO ever taking that position again once that precedent was set.
But we do need much more oversight and serious punishment for companies that lose data like this.
US soldiers fight in combat knowing failure to obey orders can land them in jail for years. The Uniform Code of Military Justice is not fun, and you implicitly sign up for it when you join. Is there an armed service staffing problem?
Our general US legal system is flawed, but cops can go to jail for ethical violations and criminal behavior for actions that are integral parts of their job function. Is there a cop staffing shortage?
I have argued this, ironically, about US Congresspeople: if we have a volunteer army with stringent legal codes and special punishments by virtue of their job, serving us, why are other classes of people not held to higher standards, and why do we assume people will shy away from them? How can we pay others more for a higher probability of incompetence and fewer repercussions?
I am not trolling. When I suggested this shows the power of commitment in volunteer armies and I wish Congress had that kind of self respect people tell me I'm nuts. I would like a CTO and security industry jobs to mean something.
A CTO can go to jail for unethical and illegal behavior. But you are suggesting they be jailed for incompetence.
And considering the fact that no amount of competence will protect you from a sufficiently motivated and resourceful hacker, seems unfair.
Now if we come up with a framework and a security checklist that must be followed and certified by the CTO every quarter or something, and they don't do it, or lie, then sure, jail them.
I have another proposal: let's stop connecting every computer together for the sake of connecting them together. Unless there is real functionality provided by said connection that doesn't exist just to excuse the connection, computers should do all their work locally.
We rely way too much on Other People's Computers to do stuff. The only real way to avoid issues is to make them technically impossible, not to rely on laws (that can be abused).
(yes, i know i am asking for putting the cat back in the bag long after the cat's own grandchildren have died...)
Yes, legislation is the first step. They made it illegal to access certain data with the CFAA; there's no reason negligently exposing a person's data can't be legislated too. Well, except for "businesses should be allowed to do anything they want."
Databases that involve more than X users need to be regulated. No big database should be deployed in public before being vetted on whether it is secured properly. I am tired of reading every week about breaches of personal data and passwords saved in plain text. If no company can secure our data voluntarily, then we should use the law to force them to at least meet a bare minimum of standards.
When people ask why we're so concerned about the privacy implications and specifically the telemetry functionality of modern software... This. This is why.
Even if that functionality is implemented with good intentions and the data is only intended to be used for responsible purposes, the biggest and most technically capable organisations in the world can still make mistakes and suffer data leaks, which are potentially a gift to criminals, commercial competitors, and so on.
If there's anything sensitive in there -- personal data, commercial information that was provided under NDA -- we're probably still on the hook for it legally, too.
Are there any signs that this data is actually out in the wild? From the article, it was found, reported, and fixed within 24 hours, and they claim there's no sign of other unauthorized access.
Covering up is not always technically possible. It’s easy to expose data through some unprotected end point, but that end point might still be logged, and turning off the logging/deleting the logs might be a completely different challenge.
Even more challenging if the log destination is external, and if the logging system is an entirely independent system, even potentially provided by a third party. Makes this hard to do.
I know full well it could've been accessed, I never rejected such a possibility. I'm just saying that so far, there is no sign that the data has been dumped anywhere. It could exist, but right now we can't "grep through it" because there isn't a dump of it in the wild yet.
That assumes they have bandwidth graphs. And sure, ES generates a lot of logs, but have you ever tried using them to investigate an exposure like this? Unless the “xpack.security” module is on (off by default), it’s nothing useful.
Linux itself gives you decent data from procfs (see /sbin/ifconfig, which shows data transferred in/out per adapter); you can just compare data transferred from the server against any of the boxes that are supposed to be connecting to it.
I can’t imagine that even MS would be running ES on windows, although then you’d probably have even more data available.
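For reference, the per-adapter counters mentioned above (the same numbers ifconfig reports) can be read straight out of /proc/net/dev on Linux. A minimal sketch, assuming a Linux host:

```python
def interface_bytes() -> dict[str, tuple[int, int]]:
    """Parse /proc/net/dev into {interface: (rx_bytes, tx_bytes)}."""
    counters = {}
    with open("/proc/net/dev") as f:
        for line in f.readlines()[2:]:  # skip the two header lines
            name, stats = line.split(":", 1)
            fields = stats.split()
            # After the colon: field 0 is rx_bytes, field 8 is tx_bytes.
            counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters
```

Sampling this periodically and diffing gives a crude bandwidth graph even when application-level logging was never enabled, which is about the best forensic signal you'd have after the fact.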
My home computer, which is on for 4hrs a day, used to get hundreds of SSH login attempts. I imagine the number of people trying to scan MS is a couple of orders of magnitude higher, and some of those will have enough savvy to exploit a security hole. Comparitech found/accessed it, what are the chances they're the only ones? (I say, very low.)
I'd say it seems likely. But I only have domestic experience. People with industry experience, what do you think?
SSH worms are a completely different subject, MS does not get orders of magnitude more scan traffic than you do.
Services like greynoise provide an easy answer to “who’s scanning for elasticsearch?”, although most of those are trying to RCE and not exfil data.
It’s certainly possible that someone else found this ES and dumped the data during the few hours it was exposed, but I certainly wouldn’t call that likely.
The company reporting it found the breach, so we know someone found it.
What's your background? I'd be surprised to find corporate IPs were only scanned at the rate of domestic non-fixed IPs.
If a black hat cracker finds data they can exfiltrate do you think they'd just leave it; especially data like this that has obvious value to phishers/fraudsters?
> What's your background? I'd be surprised to find corporate IPs were only scanned at the rate of domestic non-fixed IPs.
I scan for a living, have been doing so for a better part of the last 10 years. I spend lots of time keeping up with what other people are scanning for.
> If a black hat cracker finds data they can exfiltrate do you think they'd just leave it
Yeah sure, if a malicious hacker had access and knew what they had access to they wouldn’t just leave the data there. Odds are this would just be discovered by scripts trying to drop malware for DDoS, or ransomware.
As a black hat hacker scanning for things like this I always had the problem that I was finding way more data than I could realistically store and process, I’m sure I missed hundreds of things like this in my results because of that. The criminals doing this stuff don’t have teams of people working for them analyzing the data.
Then there's the fact that a very significant chunk of blackhat hackers just won't be working in late December. I understand that this may not sound like a convincing argument at first, but this'll almost certainly exclude at least half of the malicious actors who could've possibly found it.
I’m not saying it’s impossible, I just don’t think it’s particularly likely.
I was referring to the comment above, which was Microsoft's description saying there was no evidence of any data being stolen. If there was no logging, there could not be any evidence. So Microsoft's claim was not the whole truth: the truth would be that they just don't know, not that there was no evidence.
I wouldn't be so definite about "there was no logging". I was just speculating. If they do have logging, then maybe they are sure that no one illegally got their data (but if that was the case, I would expect a sentence with more confidence).
There's been a lot of news along the lines of "We found an unsecured database of voters, and we don't even know who owns it", now those idiots I'd be more sure that they didn't turn on logging. With Microsoft, I'd believe them a bit more, because they'd be afraid of getting busted for using weasel sentences.
How do you know there was no logging? Linux distros log by default, as does elasticsearch. Most networking setups also keep some sort of BW usage logs.
Unless you have some insider knowledge it sounds like you’re full of shit. If you’re going to claim that they’ve deliberately turned off all logging, you’ll need to show some evidence. (Or at the very least claim that you have some!)
My opinion is that ALL information that has ever been put online will, sooner or later, be made public. Despite the advances in crypto, there are so many ways to exploit security flaws and vulnerabilities in all kinds of software. And now with machine learning, which can also be used to help in hacking exploits, there's not much that can be done.
Funnily enough, I learned that if you submit a support ticket on a $12/month single-user Microsoft business account, you get a call back from someone who says they're with Microsoft Support.
The rep was very helpful, but a bit puzzled that I wanted him to read me my ticket title. He seemed to think him knowing my name should be sufficient verification.
Note: I can never understand Microsoft's names for different levels of the same product. It might not be called a business account, maybe professional or pro or small business or something.
By the way, Microsoft has absolutely terrible Azure support. If you have a legitimate issue and you don't have a dedicated support consultant, good luck to you.
All the cloud providers are like that though. If you're on the cheapo tiers of AWS or GCE, you get the cheapo support. AWS might be slightly better just because more people have used it and so there are more hacky workarounds posted on StackOverflow, but that's small comfort at best.
I've had good experiences with Rackspace and DigitalOcean support (other than having to repeat my problem multiple times until I get to the right person, but at least they are keen to help). Azure support was a disaster, with too many support staff who know almost nothing about the platform except by reading the same websites I can read, until you spam every possible support mechanism you can find and finally get to a "real" support person. This will take around 2-4 weeks.
And, in the event that this configuration fails to do what you expect, or your network is breached via other means, you should be utilizing defense in depth, and all of your DBs and other sensitive systems should require authentication.
Does this have anything to do with Dell support info? It used to be that literally right after buying a Dell product (within a week or so), you'd start getting scam calls with your Dell info.
Dell always denied it, but it was pretty funny. They had service tags and everything. Anyone else get that?
I reported similar issues in the past and there's no bounty, but of course Microsoft reserves the right to deviate. (And I hope they did in this case!) Minimally, you get placement on the Microsoft Online Services Acknowledgments page. https://portal.msrc.microsoft.com/en-us/security-guidance/re...
Elasticsearch started life as a free product, and security was a paid addon to that product via X-Pack. Elastic Co has now made the security stuff free, but people still don't implement it. Elasticsearch is insecure out of the box, and it takes extra steps to get it secured; most people don't do those steps even though it's pretty well documented right here:
Security features in Elastic still require a paid subscription. The link you pasted even says that. You can use the X-Pack features for free on a trial basis, but for production use you're required to buy a license.
This is not true, you can use some xpack security features such as basic auth, client TLS and node-to-node TLS for free. We use basic auth (with Vault integration) at my company using just the basic license. https://www.elastic.co/subscriptions has details on the subscription levels.
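Once basic auth is enabled, every request to the cluster has to carry credentials. As a sketch of what that looks like from a client (the host and credentials below are placeholders, not real defaults to rely on), here's the standard HTTP Basic header built with the Python standard library:

```python
import base64
import urllib.request

def es_request(url: str, user: str, password: str) -> urllib.request.Request:
    """Build a request carrying HTTP Basic auth, as a secured
    Elasticsearch cluster expects on every call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Basic {token}")
    return req

# Placeholder host and credentials -- a cluster with security enabled
# answers 401 to any request missing this header.
req = es_request("https://es.example.internal:9200/_cluster/health",
                 "elastic", "changeme")
```

With security off, the same endpoint answers any anonymous GET, which is exactly how these open-database discoveries happen.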
Thanks, I did not know about basic license. Although if you wanted to use OSS license my point still stands. (Not sure what restrictions the basic license brings so for some the only option might be the OSS license.)
You're right, and it is only recently that this stuff became free anyway, sometime last year. I think Amazon's Open Distro put some pressure on them. Even TLS was gated, which was the biggest offense in my opinion!
Developers are not operators, and operators are not developers. It is now possible to script infrastructure and install complex packages with a few mouse clicks, but that does not mean we can do away with this specialization and relegate operations to the people who create the software. Operations, and the complexity that goes with it, is a job in its own right; no competent operator would have left this situation as it came out of the box.
A combination of businesses' desire to spend less on labor and your average developer's inherent sense of superiority means this trend is unlikely to go away any time soon, though.
I believe you can be both a competent operator and a reasonable developer at the same time. The skills complement each other nicely. It is a lot of work to be both, though.
It's not default-insecure like Mongo was - this was far, far worse. You couldn't even prototype in a secure way if you wanted to, not without a massive contract. One of the most frustrating things in software - IMO they deserved to have AWS commoditize their stack.
The module is now free, but it's not open source; it is licensed under the proprietary Elastic license. The source is available, but it is not licensed to be used with anything except the Elastic-licensed version of Elasticsearch (not even the Apache-licensed version of Elasticsearch).
However, Amazon has thankfully released a free and open source security module for Elasticsearch as part of their Open Distro project. It is based on another project called Search Guard. See: https://opendistro.github.io/
Perhaps it's a controversial opinion, but I feel like it's just flat out unethical to relegate basic security to the paid/enterprise version of your product.
Of course it's unethical to use said product to store real user data too, but the road goes both ways.
Just deploy it on your local network. No need to expose it to the internet. Sure, authentication is a nice bonus, but a simple firewall goes a long way.
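As a sketch of what "a simple firewall goes a long way" can mean in practice: Elasticsearch's HTTP API listens on 9200 by default, so an nftables fragment like the one below only lets a designated application subnet reach it and drops everything else. The subnet 10.0.1.0/24 is a made-up example; adjust for your own network.

```
# /etc/nftables.conf fragment (sketch; 10.0.1.0/24 is a hypothetical app subnet)
table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 9200 ip saddr 10.0.1.0/24 accept  # app servers may query ES
    tcp dport 9200 drop                         # everyone else is dropped
  }
}
```

This doesn't replace authentication - it's one more layer, which is the point of the comment above.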
I don't get why it ever needs to be on the internet even when it does have authentication. Surely the public/private subnet split is a common practice.
Unless the private subnet is airgapped from the Internet, it's not a good enough separation.
Hell, even if it is airgapped, it can still be compromised by viruses on USB sticks and such.
You should never be leaving sensitive systems wide open, period, regardless of how secure you might think that network is. Thousands of data breaches have been caused because networks didn't end up being as secure or as separated as hoped for.
Defense in depth is important. Lots of data breaches have been caused because things that should have been viewable only from a local network weren't restricted to it, or because the network was compromised. Unless you think every single employee is invulnerable to spear-phishing (which is impossible), you should never be leaving anything sensitive wide open on your local network.
IIRC it doesn't have very good support for document formats (e.g. PDF, Office). It's also a huge resource hog, so not particularly fast in the bang-for-the-buck sense.
Honestly, some of the most preventable and dumbest outages and failures in my career have involved ElasticSearch. Most of the time it's deployed and managed by a dev team with no operational oversight, and therefore nobody to think about or catch these types of issues. It is compounded by the fact that all the security features in ES were paywalled for a very long time and most technologists don't understand basic networking anymore.
As many other answers to your query have stated, this is caused by a broken understanding of the devops methodology among organizational management, forcing developers who are not competent in systems administration to be responsible for these systems.
Equally important, we do have network admins. It would be physically impossible to expose our search database like this to the open internet. Extra layers of protection are great.
It reminds me of companies I've worked with before that accidentally had a production site pointed to a dev database. Why the hell is that even physically possible with your network setup?
Welcome to the wonderful world of Kubernetes (or, for that matter, any Docker orchestration solution, such as DC/OS).
Anything can reach anything, provided you know the naming schema... and there's no easy way to fix it on anything that is not AWS/Azure/GCP, not without losing all the benefits of a self hosted k8s cluster in the first place.
Openstack at least provides ways to isolate machines, but that's VM-level only and truly an ultimate PITA to set up.
Not entirely true: there are Kubernetes NetworkPolicies (supported by a select few CNI providers) and other means of segregation using good old iptables (although you probably need to point the iptables alternative at iptables-legacy for them to work).
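For the NetworkPolicy route, a minimal sketch looks like the manifest below: default-deny ingress to pods labeled `app: elasticsearch`, then allow only pods labeled `role: backend` to reach port 9200. The labels are assumptions for illustration, and this only takes effect on a CNI that enforces NetworkPolicies (e.g. Calico or Cilium).

```yaml
# Sketch: restrict ingress to Elasticsearch pods to the backend pods only.
# Labels (app=elasticsearch, role=backend) are hypothetical.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: elasticsearch-ingress
spec:
  podSelector:
    matchLabels:
      app: elasticsearch
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: backend
      ports:
        - protocol: TCP
          port: 9200
```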
Ew. iptables (or any other way of messing around with the black magic that Docker and the orchestrators do to provide intra-container networking) is one thing only and that is a nice way to shoot yourself in the head while aiming at your legs.
To be entirely honest, if you know what you're doing and how, let's say, kube-proxy works in essence, things get pretty easy and simple. If you start every firewall configuration with iptables -F, you're going to have an interesting time. However, if you spend some time around these beasts, they are pretty well and logically built, and it is trivial to coexist with and modify your own chains without touching those managed by docker/k8s. There is no black magic and nothing wrong with the way they manage the rules. I'm much more angry at proper iptables being moved to iptables-legacy and systemd messing around with my resolv.conf :)
Many managers use "devops" as an excuse to put a lot of burden on a small team. The team then does its best to automate managing a large number of machines, but it's physically impossible to delve deeper into details and polish things, hence mishaps are bound to happen. And don't get me started on what is happening inside containers.
Sorry but I'd like to get you started on what is happening inside containers ;P
Specifically can you go into more details about what worries you with containers. Is it insecure images with out of date software, or risky applications inside the containers? Something else?
Let's imagine your JIRA is insecure; someone owns it, obtains RCE, then does a privilege escalation on the host, and whoops, suddenly all services are accessible, whereas that would have required more steps and more owned hosts in the old one-VM/bare-metal-server-per-service model.
I think Microsoft's response time to this exposure (during a holiday even) is more noteworthy than the fact that it happened. We can sit in our ivory towers all day and shake our heads at what an inept organization Microsoft is for allowing human beings to make mistakes, or we can applaud the fact that once the mistake was identified they chose to act immediately, appropriately and transparently. What are we really expecting here? Perfection?
No, I don't expect perfection. However, I do expect very careful implementation of access management for very large databases containing lots of PII and other sensitive customer information. Things like huge databases being accessible without credentials shouldn't require perfection on the part of some human. That sort of stuff should be continuously audited in an automated fashion.
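The continuous, automated auditing suggested above can start very simply: a script that probes your own endpoints and flags any Elasticsearch cluster that answers without credentials. This is a minimal sketch - the host names are made up, and you should only run it against infrastructure you own.

```python
# Hypothetical sketch: flag Elasticsearch endpoints reachable without auth.
# Host names below are placeholders; point this only at your own systems.
import urllib.error
import urllib.request


def is_open(host, port=9200, timeout=3):
    """Return True if the cluster answers an unauthenticated HTTP request."""
    try:
        url = f"http://{host}:{port}/"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200  # cluster info served without credentials
    except urllib.error.HTTPError:
        return False  # 401/403: authentication is enforced
    except OSError:
        return False  # unreachable; can't tell, so don't flag it


for host in ["search-1.internal", "search-2.internal"]:
    print(host, "OPEN - NO AUTH" if is_open(host) else "ok")
```

Wired into a cron job or CI check, something like this catches the "huge database accessible without credentials" class of mistake without relying on any human being perfect.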
But the software industry is quite bad, as a whole, so even the relatively competent actors make surprising, high-impact mistakes.
Maybe it's because the stakes are relatively low (c.f., bridge collapsing vs. PII leak) and the competition relatively fierce? Maybe software engineering is still very young and moving quickly?
In any case, I think it's totally reasonable to hold the opinion that MSFT is doing things pretty well relative to the rest of the industry and also that the industry as a whole is doing a pretty poor job.
IDK, for me the story has to be one of the following:
1. MSFT made a huge and inexcusable mistake, so maybe there's something systemically wrong with MSFT; or,
2. MSFT is very competent, and even very competent people are making very big mistakes, so maybe there's something systemically wrong with the entire industry.
Architect here: from the outside looking in, you hit the nail on the head. In addition to the industry being so young, the _relatively_ low impact when bad things happen makes things like this 'not a big deal'. When your mistakes result in a public outcry for a day, then fade into obscurity in the night, why change? Why invest money into figuring out a better way?
When your mistake makes a building fall over...well, there's a reason why that almost never happens.
I don't think this is quite right. Most buildings don't get all their design parameters tested in reality. But when there is an earthquake and a building collapses, you find that various checks and balances in the design process went wrong. I know here in NZ, where we have had a number of significant earthquakes, all kinds of known and unknown things have been discovered about buildings - either ones that have ended up killing people, or ones which are now condemned because things played out differently than the designers thought they would.
Speaking about America, almost everything in a building beyond aesthetics is designed to a CODE MINIMUM, from the hangers that hang the ACT ceiling all the way to, and especially, the structural system. These systems have been designed and tested ad nauseam to provide minimum life-safety standards. People in any industry can cut corners and screw up, and special situations can arise that surpass a minimum-level standard (fires started at every exit door, a 9.0 earthquake... good luck). The forest you're missing through the trees here is the structured process that forces designers in a mature industry to design to a minimum agreed-upon standard. Ironically, I'm highlighting the benefits of regulation... where it makes sense.
The forest I might be missing through the trees is that maybe there is an industry-agreed-upon standard within the tech industry. My understanding is that almost all of these breaches happen because of comically silly mistakes (pw = password), not super-sophisticated attacks.
Same with NZ, which has pretty strict codes, as we are sitting at the junction of three tectonic plates. Regulation, including inspection, is great and generally works great, but until you get an earthquake you really don't know if all the checks and ticking of boxes actually did their job. Microsoft and others likely catch multiple problems through checks, but occasionally a perfect storm happens and things break down. You then adjust your "regulations" to cover any shortcomings (hopefully). The entire planet you are missing through the forest is that buildings aren't constantly "penetration" tested to find where they have problems. A quick search shows that the USA has many live, deployed buildings that have been shown not to meet compliance - by engineers who should've known better...
I can respect the sentiment, and I agree your points are reasonable. And I think the problem actually stems from software development culture more than anything. Developers don't want the level of oversight you're suggesting. Many would make career decisions in order to avoid that kind of babysitting.
At the same time, the tech world is bigger than it used to be, the stakes are higher, and more is on the line than ever before. Mistakes are more costly (though in this particular case I don't think you could prove any real damages).
And worst of all, the political world remains incredibly tech-illiterate. So, those in charge of guiding us in this realm are ill-equipped to do so.
I don't have a good answer for this. In an ideal world I'd like businesses to take this sort of thing more seriously, but in reality I don't see any reason that they should.