Sometimes the best path forward does harm, sure. It's just hard for me to agree that deleting these databases is the harm-minimizing path. One example of a less harmful path that comes to mind immediately is installing a random password on the unsecured database and emailing the domain owner the password. That would cause downtime but it would limit the irreversible damage. You could even say that you will delete the database if it is found again with an unsecured password, if you wanted to add some stick to your carrot. It does not seem like this attack has harm-minimization in mind.
What you propose is illegal in most 1st/2nd world countries. In mine, the company could thank you and then put you straight to jail for 30 years.
Unfortunately very few small businesses run safe reporting programs and often react with attack.
The problem is with the e-mailing part. A mom&pop is unlikely to track you down if you lock out their DB, but they'll likely report you to police if you contact them about it.
Unfortunately it's rarely that simple. If you look at the currently exposed MongoDB instances you'll see that most of them are in the cloud without any obvious attribution. You could email the cloud providers and see if they will reach out to the end-user but chances are they already know about it. Here's an article I wrote on that subject, although it was related to industrial control systems:
It's easy to say "you could have just emailed them" when you are not the one doing this for years without things getting better. Often admins flat out ignore you. Even if not, they usually do nothing. And if they do something, it takes ages.
In the article one provider was notified that their database was without a password and publicly accessible.
They secured it, and somehow managed to make it publicly accessible again without a password; this time it got hit by this attack.
Honestly this is like if a company decides to keep their paper records with my information on a public sidewalk, and somebody saw that and decided to bring them to the landfill.
Is it legal or fair? In a perfect world no, but at this point the company is not blameless.
I certainly think the most legal approach is to do nothing except notify, or maybe nothing at all. But if you must modify the database, locking it reversibly is more defensible morally.