17 comments

[ 2.9 ms ] story [ 36.6 ms ] thread
> "I want to emphasise that the database in our website is accessible to the public,"

Was it supposed to be? :-)

> “I want to emphasise that the database in our website is accessible to the public,” Comelec spokesperson James Jimene said, the Philippine Daily Inquirer reports. “There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well,” he added.

Yes.

> Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and list of peoples running for office since the 2010 elections.

None of this information is particularly secret or sensitive.

1) Fingerprints are left everywhere anyway. You aren't going to be able to hide these.

2) Passport information is recorded in 2930423904239049203 places already. Much like your IP address, social security number, etc. it should be treated like a username and not a password. [i.e. It is the publicly known portion of your identity]

3) If you are treating PII as private, you are doing everything wrong. These are all basically public record at this point and pretending otherwise is silly. The whole reason they are "identifying" is because other people can look at it and recognize you.

Other "sensitive information":

> Among the data leaked were files on all candidates running on the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED file are set to have NULL as figure. > Included in the data COMELEC deemed public was a list of COMELEC officials that have admin accounts. > list of peoples running for office since the 2010 elections.

http://blog.trendmicro.com/trendlabs-security-intelligence/5...

Yes, having a list of candidates that is already public knowledge is sensitive. Similarly, the list of election officials that have that access is also basically public knowledge.

This is being played up as some "great secret trove of knowledge" when the reality is you've given this information to 2903420934239042390 different people and its basically public record. Simply because information identifies you doesn't make it private.

> 1) Fingerprints are left everywhere anyway. You aren't going to be able to hide these.

Most people don't leave their name/address/uid along side those prints. Imagine this scenario: you are hanging out at your friend's house, for whatever reason you find yourself handling his dildo, he sells it on ebay, 4chan buys it and lifts your prints, your mother gets a call...

https://www.avvo.com/legal-answers/are-fingerprints-from-a-c...

> Yes. You may be eligible for a motion to seal or expunge and in that case they would be sealed or destroyed. Otherwise, they are public record.

https://www.eff.org/deeplinks/2015/09/little-fanfare-fbi-ram...

> Being a job seeker isn’t a crime. But the FBI has made a big change in how it deals with fingerprints that might make it seem that way. For the first time, fingerprints and biographical information sent to the FBI for a background check will be stored and searched right along with fingerprints taken for criminal purposes.

http://www.secureidnews.com/news-item/countries-adopt-biomet...

etc.

1) There are tons of ways you can end up in a public database with all of that linked to your fingerprints.

2) Background checks require fingerprints, ever ask yourself how secure that information is? [ Hint: Not so much, much like SSNs, you have to assume they are public knowledge if you've ever had this happen. ]

3) Voting records in quite a few countries include this information and they are basically public record.

> Most people don't leave their name/address/uid along side those prints. Imagine this scenario: you are hanging out at your friend's house, for whatever reason you find yourself handling his dildo, he sells it on ebay, 4chan buys it and lifts your prints, your mother gets a call...

Yes they do.

> None of this information is particularly secret or sensitive.

You are intentionally being obtuse if you don't see how a fingerprint database is "sensitive". The argument doesn't take practicality into consideration, potential bad actors just jumped from:

1) The government

2) Anybody who would go through the trouble of very noisily pulling all the scattered public data together

To:

1) Anybody

While I am of the opinion that any data held by a third part (to include the government) should be considered insecure, that doesn't blind me to the practical impact of a massive data dump.

> 2) Anybody who would go through the trouble of very noisily pulling all the scattered public data together

I guess I consider that Anybody but fair enough.

Is it only me who thinks that all this is being orchestrated. Starting from the panama leaks to Turkish leaks and now this. I don't want to pointlessly plug a conspiracy theory here. But I would like to know if this argument can be supported/refuted.
I have predicted it few years ago. You dump the database, zip it, and upload it to your Google Cloud. It's that easy if you are insider. You only need half hour and no one will notice. It is more likly to leak if there are more databases, like citizen db, voters db, social secufity db etc. We will see more leaks in the future.
It's only that easy if you work somewhere with zero network security. Given how mismanaged government IT departments seem to be, that's not unlikely though :)
Or if you can connect your phone to your pc and copy the data over the cellular network. I currently have mine connected in order to charge it. I presume many people do. I know of people working in BANKS who do.
It doesn't take a conspiracy for hacker groups in one country to be inspired by the work of hacker groups in another country.

Likewise, whistleblowers are more likely to emerge if they see other whistleblowers making an impact.

Seriously? All links that aren't directly to one of their mirrors are facebook links?

EDIT: Also, looks like all their mirrors are down, so here's the magnet link (from the archive.org torrent): magnet:?xt=urn:btih:bf682442530dac923d030ce225e92fd6d0284f21&dn=ComelecDB1

I don't get it. What is the point of a breach like this?