Am I missing something, or is misconfiguring your cloud the way to go if you're a vendor of an OSINT product?
Information from public sources - no liability?
No DJ customer details - no loss of business?
Bob Diachenko discovered it - so no dumps floating around?
3rd responsible - remains unnamed, no brand damage?
Free sample included in the high traffic TC article
It probably was not intentional, but could Dow Jones have benefited from this press overall?
Does anyone know if the targets of this database have a right of reply, and given it is from public sources, does that mean media reports are the primary sources that inform it?
The consequences of those questions could be quite serious.
The data didn't leak from Dow Jones, and the article doesn't cover how Dow Jones stores the data internally. Some customer who had the data leaked it from their own open system.
Data from various arbitrary public sources would be difficult to put into a rational schema. Querying that schema would also be more difficult than a full-text ES query.
Yet another sensitive database with probably no way to know if you're in it - GDPR sounds like a pain but I'm coming around to believing it's a necessary evil to stop this nonsense.
OTOH I guess this is relevant information and so they should be allowed to have it under GDPR rules? I'm obviously not a lawyer, although my work, like most programmers', is affected by GDPR, PCI and whatnot.
Or we could just start punishing companies for massive and widely damaging data leaks. AFAIK about GDPR, it wouldn't prevent this. These things keep happening because nothing bad happens to companies that let it happen.
Shouldn't we see if GDPR actually starts preventing these leaks before declaring it a success? I'd imagine it being a 'success' is a predicate on it being useful right?
Not just punishing the small percentage who get 'caught' while doing nothing to actually help the problem, a la the drug war. And for everyone who thinks it's just big evil companies who get punished, one of the first GDPR fines was $4k against an Austrian small business owner whose video surveillance around his building was deemed so broad that it violated people's privacy.
I'm not declaring GDPR a failure by any means but all policy must be judged on a long-term full-picture basis. Not simply on "good intentions" of the bill + a few high visibility wins early on, then moving on as if the world is a better place.
It is newsworthy for a number of reasons. Firstly, most people do not know that companies are scanning their customers, suppliers and employees against these watchlists.
Secondly, people are placed on these watchlists with no burden of proof or right to recourse.
Thirdly, if you appear on these lists, which can be quite fuzzy, you can find that your bank accounts are frozen, with no explanation. Banks are now very risk-averse, meaning that they are more than happy to alienate a few customers if it means avoiding the risk of massive fines.
Compiling and updating this information requires many man-hours, which has value, thus Dow Jones can receive payment for access to this database (and many are very willing to pay). It's an asset.
We are big aws customers at my current employer and have generally had success, and I use amazon products, but that said:
This is totally on Amazon for not having VPC-enabled Elasticsearch clusters for way too long, AND not providing an upgrade mechanism to move an existing internet-accessible cluster to a VPC. I was mind-blown when I first utilized Elasticsearch Service and was sure that there would be data leaks for only having public net.
While I agree and those defaults are certainly suboptimal with blame to share, I would argue the buck stops with the individual that indexed all the proprietary data on :9200 open to the internet. You can do all sorts of stupid things with AWS (or any other tool). That doesn't make it Amazon's fault entirely. The individual is responsible for attempting a basic understanding of the tools they use.
When I learned the ropes of ES, configuring the endpoint was one of the first things that came up in a large number of docs and posts. In this case, I also wonder if the person doing it even realized it would be a problem since the database was based on "Publicly Available data". "Sure, turn CORS on, let's roll."
Thankfully this leak was of public data combined into a proprietary reporting tool, rather than something more sinister that would cause greater harm.
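The comments above argue about Amazon Elasticsearch Service domains that end up reachable from the internet because they were created without VPC placement and with an open access policy. As an added example (not code from the thread or from any of its participants), here is a small Python audit that takes DomainStatus objects in the shape returned by `aws es describe-elasticsearch-domain` (the `Endpoint`, `VPCOptions` and `AccessPolicies` fields) and sorts each domain into an exposure class. The three sample domains, the account ID, the endpoint hostnames and the `classify_domain` / `audit` helper names are constructed for this example and describe no real account.

```python
"""
Classify Amazon Elasticsearch Service domains by how reachable they are.

Added example: the input dicts mirror the DomainStatus object returned by
`aws es describe-elasticsearch-domain` (Endpoint, VPCOptions, AccessPolicies).
The sample domains below are constructed for this example and do not
describe any real account or the domain in the article.
"""
import json
from typing import Any, Dict, List

# Constructed sample: one open domain, one IP-allow-listed domain, one inside a VPC.
SAMPLE_DOMAINS: List[Dict[str, Any]] = [
    {
        "DomainName": "watchlist-export",
        "Endpoint": "search-watchlist-export-abc123.us-east-1.es.amazonaws.com",
        "AccessPolicies": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                           "Action": "es:*",
                           "Resource": "arn:aws:es:us-east-1:111122223333:domain/watchlist-export/*"}],
        }),
    },
    {
        "DomainName": "office-search",
        "Endpoint": "search-office-search-def456.us-east-1.es.amazonaws.com",
        "AccessPolicies": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "es:ESHttp*",
                           "Resource": "arn:aws:es:us-east-1:111122223333:domain/office-search/*",
                           "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}],
        }),
    },
    {
        "DomainName": "internal-logs",
        "Endpoints": {"vpc": "vpc-internal-logs-ghi789.us-east-1.es.amazonaws.com"},
        "VPCOptions": {"VPCId": "vpc-0a1b2c3d", "SubnetIds": ["subnet-1"],
                       "SecurityGroupIds": ["sg-1"]},
        "AccessPolicies": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                           "Action": "es:*",
                           "Resource": "arn:aws:es:us-east-1:111122223333:domain/internal-logs/*"}],
        }),
    },
]


def _principals(statement: Dict[str, Any]) -> List[str]:
    """Flatten a statement's Principal ("*", {"AWS": "*"}, {"AWS": [...]}) into a list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    flat: List[str] = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def _has_source_ip_condition(statement: Dict[str, Any]) -> bool:
    """True if the statement is gated on aws:SourceIp (an address control, not an identity)."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.startswith("IpAddress") and any(k.lower() == "aws:sourceip" for k in keys):
            return True
    return False


def classify_domain(status: Dict[str, Any]) -> str:
    """Return one of 'vpc', 'public-open', 'public-ip-restricted', 'public-iam'.

    'public-open' is the configuration that lets anyone on the internet run
    /_search without credentials; it is the only class where reading the data
    needs neither a secret nor a network position.
    """
    if status.get("VPCOptions", {}).get("VPCId"):
        return "vpc"  # endpoint resolves only inside the VPC; the policy is a second layer

    policy = json.loads(status.get("AccessPolicies") or "{}")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    anonymous_allow = [s for s in statements
                       if s.get("Effect") == "Allow" and "*" in _principals(s)]
    if not anonymous_allow:
        return "public-iam"  # internet-reachable, but callers need SigV4-signed requests from an allowed principal
    if all(_has_source_ip_condition(s) for s in anonymous_allow):
        return "public-ip-restricted"
    return "public-open"


def audit(domains: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map each domain name to its exposure class."""
    return {d["DomainName"]: classify_domain(d) for d in domains}


if __name__ == "__main__":
    for name, exposure in audit(SAMPLE_DOMAINS).items():
        print(f"{name:20s} {exposure}")
```

Only `public-open` matches the failure mode the thread is about: an endpoint anyone can query with no credential at all. `public-ip-restricted` still depends on every allow-listed address staying trustworthy, and `public-iam` still depends on IAM hygiene; `vpc` is the placement the comment above wished had been the default. To run this against a real account, pass the `DomainStatus` member of `aws es describe-elasticsearch-domain --domain-name NAME` to `classify_domain`.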
captainpete | 7 years ago
xmly | 7 years ago
AWS cannot know what your true intention is.
jstanley | 7 years ago
i_phish_cats | 7 years ago
jdsully | 7 years ago
sschueller | 7 years ago
motohagiography | 7 years ago
georgewfraser | 7 years ago
caymanjim | 7 years ago
vel0city | 7 years ago
lurkertroll | 7 years ago
xmly | 7 years ago
ncr100 | 7 years ago
We could find out intel about political candidates.
GFischer | 7 years ago
astura | 7 years ago
>The data is all collected from public sources, such as news articles and government filings.
dariusj18 | 7 years ago
anigbrowl | 7 years ago
Miredly | 7 years ago
chr_o_mium | 7 years ago
[deleted]
dmix | 7 years ago
RickJWagner | 7 years ago
You could probably build most of it with Google.
ID1452319 | 7 years ago
astura | 7 years ago
awinder | 7 years ago
sailfast | 7 years ago