There are zero consequences to anyone important when a data breach happens; therefore there is no incentive for companies to protect their user data and the number of breaches will continue to grow for the foreseeable future.
By 2025 at the latest, there will effectively be no such thing as privacy anymore. All personal data belonging to everyone will have been exfiltrated and will be available for sale.
You will be able to purchase the full medical history, all financial transactions, all addresses, phone numbers, location history (often with photo/video evidence), all account numbers, ID numbers (government and otherwise), biometric data, browser/search history, every email, sms or chat message they ever sent or received and any other information you can think of for the vast majority of people on earth.
I've been long arguing that there should be severe legal consequences for companies who leak data. Right now there are almost no legal repercussions for this sort of thing. I expect better from Microsoft, but I really don't expect any better from the thousands of tiny startups out there. Unless the people involved suffer any serious consequences for leaking their customers' data, they won't bother spending the time and money to do a good job and these breaches will continue to be commonplace.
As much as I love the free market, we're completely failing to protect consumers. I think we need the government to step in and align incentives. I don't know if we need engineers to be personally liable in the case of data breaches, but I'm serious enough about this that I wouldn't take it off the table. Medicine has malpractice suits. Engineers have a professional duty of care. Builders have building codes. We need an equivalent for software engineering.
It's not the wild west anymore when we didn't know how to do this right. For almost all modern software, best practices are out there and well known. The way you secure a password database hasn't changed much in the last decade. Apparently people just don't care enough to learn and apply those techniques. Bootcamps don't even bother to teach any security practices. Given how much the world relies on our industry's ability and knowledge, that needs to change in a hurry.
Maybe more thought could be put into why this is, rather than normalizing it? How many people on this here web site pay their bills with the fruits of these breaches?
Some of us are working on solutions that keep one of the biggest metadata streams, your photos and videos, off the FAANG. At least it's a choice you can make, even today.
That still leaves medical and financial records, which is a tangle substantially more herculean.
> By 2025 at the latest, there will effectively be no such thing as privacy anymore. All personal data belonging to everyone will have been exfiltrated and will be available for sale.
Does your 2025 prediction apply to black market sale or legal market sale?
I imagine most of these are support issues handled by contractors they have had over the years. Windows 95 through XP had Keane and Convergy's in Tucson running their Windows support (which then forked into Canada and India.) Not sure who they have doing it now.
The Windows parts of these records might be a good resource as it's probably part of the documentation which builds up to become the MSKB articles. Each support case was documented and linked to either a KB article, an internal "not yet KB article" or you had to submit it as a unique issue. After the "not yet KB articles" were referenced X times, then it would go to consideration as a KB article. Collectively, all this formed their internal KB.
Worked there. Pay was terrible once Convergy's took over. Then they moved everything to India and the support got terrible also. Too bad. They had quite the brain drain from that process. There were a lot of Windows gurus in that building. I learned far more than I needed to know about Windows and went way more in depth than I ever have tinkering with Linux.
retweet.
I agree, worked there too, had a KB article. Can't say I learned much; the only thing I remember that was new and I use to this day was (Windows + Pause key) to bring up system info.
"Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database."
They need a solution to watch their solution that watches their configs.
An idea for someone looking for a fun "Show HN" project: build a scoreboard that searches all of the known data breaches for this year and tells me where I rank for how many breaches I've been in (e.g. I'm 89/132 on breaches of 50,000 records or more).
Over 8.5BB customer records were exposed last year; the estimate for this year is in excess of 10BB.
How about a leaderboard? You get points for each breach that you were in and how much of your data was exposed. Each data point could score different points: your name is 5 points, social security number 10 points etc.
Then you can see that you're 880654th out of 1.1B people on the leaderboard and maybe feel slightly better... or worse.
I find it really intriguing hearing about all these data breaches - never before in human history have we been able to store so much information about ourselves and our world and how readily accessible that information is, just sitting on hard disks around the world.
Which makes me wonder, is there information that's leaked so much it's no longer "private"? Names, addresses, phone numbers, contacts lists, photos, emails, cloud documents, IP address logs, search history... It's all there, waiting to be leaked...
And why the insistence on storing information for an unlimited period of time - it should be illegal to store data above 5+ years without explicit consent from the user (after reviewing the data and clicking "I am okay with this data continuing to be stored").
How do you know who has been in these breaches? Are websites like haveibeenpwned doing business with hackers to get a hold of emails and websites? And just because one person discovers an open server does that mean that hackers have also discovered and copied all the data? I'm just confused about the actual technical aspects about data breaches.
I got an email from Microsoft Azure in relation to this (didn't read the article, but people are quoting parts of the email I received here).
I appreciate that they sent something, but sometimes it'd be nice for them to allow someone to access the data related to them that was exposed as they say "our analysis of the support information indicates that specific personal or organizational identifiable information related to your support case was potentially visible." Okay, what specific personal or organizational identifiable information of mine was visible?
I assume the representative or I may've listed said info in our communications back and forth so let me see what was exposed so I can make a judgement of what, if anything, I should do here.
I got the same email, and I agree with what you said - I'd really like to know if this is even personally relevant, and if it is, I'd really like to know precisely what information is relevant. I'm in the EU, so I guess I could ask under the GDPR, but I wouldn't even know who to ask, and with such a large organisation, I can only imagine there would be a lot of run-around, requiring a lot of follow-ups from me :/
Notably, elastic's Kubernetes operator which just went 1.0 defaults to requiring a username and password (and generates one if it isn't provided). It also doesn't seem to allow you to opt out of using TLS.
Wow! So the person on the telephone who tells me in a soft Indian accent that my computer has a problem can now authenticate themselves with authority, making it easier for them to get me (or my proxy) to enable remote administration so they can do real damage.
Security is difficult. Microsoft is supposed to be skilled at preventing data breaches and exploits, but apparently not. What can be done to prevent this sort of thing?
It's a wildly asymmetrical relationship that means 9 billion people get to try to knock you out and your team of what??? 25, 50, 100, 1000? Security specialists have to see everything possible and plan for any and all possibilities.
It's never going to happen.
This is the simple reality of the internet and I'm sure you know this, but I saw your comment and thought I'd add this for the next person who may not realize this.
I'm personally curious to know, because I'm no SecOps; if there is even a theoretical solution to the internet that would have greater integrity for the users or if this is as good as it gets.
Databases that involve more than X users need to be regulated. No big database should be deployed in public before being vetted on whether it is secured properly. I am tired of reading every week about breaches of personal data and passwords saved in plain text. If no company can secure our data voluntarily then we should use the law to force them to at least meet a bare minimum of standards.
When people ask why we're so concerned about the privacy implications and specifically the telemetry functionality of modern software... This. This is why.
Even if that functionality is implemented with good intentions and the data is only intended to be used for responsible purposes, the biggest and most technically capable organisations in the world can still make mistakes and suffer data leaks, which are potentially a gift to criminals, commercial competitors, and so on.
If there's anything sensitive in there -- personal data, commercial information that was provided under NDA -- we're probably still on the hook for it legally, too.
Are there any signs that this data is actually out in the wild? From the article, it was found, reported and fixed within 24 hours, and they claim there's no sign of other unauthorized access.
My opinion is that ALL information that has ever been put online will, sooner or later, be made public. Despite the advances in crypto, there are so many ways to exploit security flaws and vulnerabilities in all kinds of software. And now with machine learning, which can also be used to help in hacking exploits, there's not much that can be done.
Does this have anything to do with Dell support info? It used to be that literally right after buying a Dell product (within a week or so) you'd start getting scam calls with your Dell info.
Dell always denied it, but it was pretty funny. They had service tags and everything - anyone else get that?
I reported similar issues in the past and there's no bounty, but of course Microsoft reserves the right to deviate. (And I hope they did in this case!) Minimally, you get placement on the Microsoft Online Services Acknowledgments page. https://portal.msrc.microsoft.com/en-us/security-guidance/re...
d10r|6 years ago
Probably not in the EU - at least not if some kind of negligence, as specified by the GDPR, took place.
dijit|6 years ago
https://snusbase.com/
https://www.dehashed.com/
Barrin92|6 years ago
This might be something you're looking for.
shaabanban|6 years ago
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-ove...
reaperducer|6 years ago
Someone should grep this to find out how many times people were told to turn it off and turn it on again.
donmcronald|6 years ago
It’s like some executive saw a study showing customers like it when support understands their problem, so now the words MUST be spoken! Lmao.
trhway|6 years ago
> The records contained logs of conversations between Microsoft support agents and customers
jonplackett|6 years ago
Really quite incompetent. But we don’t know for sure anyone else actually accessed it.
netsharc|6 years ago
If the DB server was configured so access was not logged, could you claim "We investigated, and we didn't see any evidence of access"?
cobookman|6 years ago
Simply stating that your network configuration prevents access isn't the best answer.
wang_li|6 years ago
Right. The network should actually be configured to prevent access.
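The misconfiguration Microsoft describes in its statement, the ECK defaults mentioned earlier (authentication and TLS on out of the box), the question of whether access was even logged, and the point that the network should actually be configured to prevent access all come down to a handful of settings. As an added example (not code from the thread, Microsoft or Elastic), here is a small audit of elasticsearch.yml settings that flags the combination behind this kind of exposure; the setting names are real Elasticsearch settings, while the sample configs, the severity labels and the treatment of unset values as the pre-8.0 defaults are assumptions of this example.

```python
# Added example (not code from the thread, Microsoft or Elastic): audit the
# elasticsearch.yml settings that decide whether a database is reachable by
# anyone on the internet and whether access would even be logged. Setting
# names are real Elasticsearch settings; the sample configs and severity
# labels are constructed, and unset values are treated as the pre-8.0
# defaults (security off, TLS off, audit logging off).
from collections import namedtuple

Finding = namedtuple("Finding", "severity setting message")  # severity: "critical" or "high"

def parse_flat_yaml(text: str) -> dict:
    """Parse the flat `key: value` lines of elasticsearch.yml; comments and
    blank lines are skipped, nested YAML and list values are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_on(settings: dict, key: str) -> bool:
    """True only when the setting is explicitly enabled (unset means off)."""
    return settings.get(key, "false").lower() == "true"

# Bindings that expose the HTTP port beyond the local machine.
EXTERNAL_BINDINGS = {"0.0.0.0", "::", "_site_", "_global_"}

def audit(text: str) -> list:
    """Return the findings for one config, most severe first."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")  # loopback unless configured
    external = host in EXTERNAL_BINDINGS or not host.startswith(("127.", "localhost", "_local_"))
    findings = []
    if not is_on(s, "xpack.security.enabled"):
        if external:
            findings.append(Finding("critical", "xpack.security.enabled",
                f"bound to {host} with authentication off: anyone who can reach the port can read every index"))
        else:
            findings.append(Finding("high", "xpack.security.enabled", "authentication off"))
    if not is_on(s, "xpack.security.http.ssl.enabled"):
        findings.append(Finding("high", "xpack.security.http.ssl.enabled",
            "HTTP layer is plaintext: credentials and records cross the network unencrypted"))
    if not is_on(s, "xpack.security.audit.enabled"):
        findings.append(Finding("high", "xpack.security.audit.enabled",
            "audit logging off: 'no evidence of access' cannot be told apart from 'no logs'"))
    return findings

# Constructed sample configs: the exposed shape and the corrected one.
WEAK_CONFIG = """
network.host: 0.0.0.0         # constructed sample
xpack.security.enabled: false
"""
HARDENED_CONFIG = """
network.host: 0.0.0.0         # still reachable, but authenticated, encrypted and logged
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.audit.enabled: true
"""
```

Running `audit(WEAK_CONFIG)` yields one critical and two high findings, while `audit(HARDENED_CONFIG)` returns an empty list; a config bound only to loopback with security off is still reported, just at high rather than critical.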
vunie|6 years ago
Microsoft should not have collected anything beyond an email and a password. Payment information should only be held temporarily.
Personal information is a toxic asset. It baffles me why companies willingly hoard it.
afinlayson|6 years ago
Let's be honest, no one can keep this data without eventually being hacked, so maybe they shouldn't have it after that transaction.