i'm sorry but the person who had the idea of exposing an api endpoint to get admin user and password in cleartext (and for something related to politics above that) hasn't ever set foot in a computer science class.
The level of incompetence required to commit such a fault is beyond what i would expect from any "third world" country. So, the fact that it happened in a country that advertize itself as a startup nation, and is exposed to one of the highest level of terrorist threat in the world is beyond my comprehension.
If i were israeli i would recognize this event as one of the most damaging one of the last decade in term of public image. Israel has a huge flourishing business related to cybersecurity, mostly based on the reputation the country has for having the best specialists. If you know anything about business, you know how much image is important, and how this issue should be treated as a PR disaster for the whole country.
Agree, but I am going to make a prediction about what will happen to the executives of the company responsible for releasing this atrocious API. Absolutely nothing. They are going to continue to operate with nothing more than a slap on the wrist at worst.
And that is why applications dealing with sensitive data are still being produced by people with no clue about security. Because there are never any consequences for leaking sensitive data, there is zero incentive for companies to spend the money on hiring competent developers.
> i'm sorry but the person who had the idea of exposing an api endpoint to get admin user and password in cleartext (and for something related to politics above that) hasn't ever set foot in a computer science class.
I've set foot in ~20 computing science classes, out of a ~134 credit-hour degree, and only one optional class ever mentioned that this sort of thing would be a bad idea.
It also didn't actually rigorously teach best practices, only mentioned a laundry list of security blunders that you probably want to avoid, without proscribing any solutions. We also were not tested on this.
And this degree wasn't in some middle-of-nowhere community college.
Also, as anyone who has ever set foot in a computer science class ought to know, these kinds of failures aren't the fault of any one person. One person may be undereducated, ignorant, lazy, stupid, or just in a hurry to ship. It's the entire organization's responsibility to provide checks and balances that prevent this sort of thing from hitting production.
in some cases no particular individual are able to see something's wrong, and only someone with a general overview of the system can see the pb.
in this case, every single individual in the chain ( from backend dev to frontend dev to tester to enduser) are able to see that something's very wrong. Which means none of those people are competent. Not any of them.
As above poster noted, best talent isn't flocking to work for the bureaucratic arms of the govt. In fact I'd venture as far to say that a large portion of the Israeli population has a very negative view of the government itself.
It's a self-fulfilling prophecy we see a lot in the US as well. Underfund the government, they become inefficient, use that inefficiency as the reason for cutting funding yet again because everyone is sick of the inefficiency.
I wonder if, or when computing will be superceded as the main driver of innovation. In 1950 computers existed but you couldn't have guessed that computation and the innovations derived from it would eat the World. What exists today that will transform the World again?
> I wonder what the next 100, 500 years will look like, after all this has 'settled' down.
> Breaches like this should be impossible as there should be designs against it.
I see it the other way around. Privacy is equal to security, it is only as strong as its weakest link, and there are many many “links” (attack vectors) and the amount of data you can breach with asymmetric attacks is unprecedented. By way of ergodicity, everything’s going to be leaked eventually, no matter how good our intentions are to protect it.
If you take everything to its logical conclusion, it is inevitable that the concept of privacy is going to be absolutely destroyed in the future, and everyone will know everything about everyone at all times. The latest privacy laws are futile attempts to put the finger in the dike before it explodes; too little, too late.
IMO the logical conclusion of current trend is people don't knowing each other, themselves, or what's in front of them. At first I wanted to add that some elites know everything about the majority, while being opaque to them, but on second thought that's utterly irrelevant in light of the fact that even the elite of the elite won't know their asses from their elbows. We'll die of thirst in an ocean of data, for want of information.
> it is inevitable that the concept of privacy is going to be absolutely destroyed in the future,
Totally agree, and I am on record as saying that this will happen sooner than people think. Given the rate at which large-scale data breeches keep happening and the lack of ANY kind of consequences for companies and institutions who fail to protect data, I firmly believe that pretty much all personal data belonging to everyone will be either publicly accessible or available for sale by 2025 at the latest.
For most people their address history, phone numbers, medical history, financial transaction history, account- and other ID numbers, browser/search history and every email they ever sent or received will be available for search or purchase.
I’d call that “safe” rather than “secure”. To me, “secure” implies that the target remains safe even against a motivated adversary, not that it just happens to be safe because no such adversary happens to exist. Semantics aside, it just isn’t that hard to gain unauthorized entry into most homes.
1. The only people who can attempt to breach into my home are within driving distance.
2. My home has security systems which can either stop a crime from occurring (security lights, security doors, dogs, alarms, me) or will result in those perpetrators being caught (alarms which contact police, cameras).
3. I don't have the voter details of 6.5M Israelis in my house.
Yes, we are at the primitive end of history, even the first transistor is still within living memory. What these breaches do is normalize the loss of privacy, the protection of which eats into the profits that fuel the growth of the companies that collect it, and threaten their foundational roles in this early history. That this is early in the game is also why protective laws need to be passed for people to retain the power over their own information. Data is not as cheap as the law treats it, Google makes almost $100MM every week.
Furthermore, how much time do these breaches steal in lost productivity, or in diminished free time, for all of us? Quite a bit, but the only time you hear about that metric is when management is complaining about employees talking to each other in the hallway.
Protections not established early become harder to impose later, which is why the companies and lawmakers to which they donate downplay the severity of these breaches via pittances of penalties, 30min of revenues or something. Fines should be $1000 per individual exfiltrated, or a year of revenues (at last year's number), or other figure that would be actually effective...and with strict liability.
A big problem with slapping huge statutory damages / fines onto data breaches is that only the "suckers" will ever pay or even own up to it.
Recently in Washington State, a small research group at WSU lost a couple of hard drives that had PII data on them on order of 1 M people. They even had them in a safe; the safe was stolen and no real evidence of the data being the target of the theft was found.
Nonetheless, being good civil servants they scrupulously reported what happened and carried out required notification procedures to the million folks.
Their reward was to be sued for basically the maximum that their insurance would pay out.
How many thousands of times per year do similar things happen in private industry? Nobody knows. You don't even have to posit malice or a coverup; just think about how many times a year a hard drive backup of a database with a mere million records gets accidentally thrown away or sold off with surplus.
If the liability had been $50MM or $500MM, you can bet their storage practices would reflect it (not to mention actually telling people you're collecting their data). "Eh, whaddya gonna do?" is absolutely a normalization and a devaluing well out of proportion to the damage that is done.
> concept of storing PB's of easily searchable and accessible data
The scale of this dataset is probably on the two/three digit MB scale. It's 6.5 million people and everyone adds probably less than 500 bytes to the dataset.
Let's say it's 500 MB. This isn't "big data", but it's still highly sensitive. It's still "only" a file on your Computer and deleting it still doesn't delete it safely.
The issue is the effectivity of our data handling devices. As the file is so small, it fits onto current USB sticks cheaply. People can put those USB sticks anywhere and smuggle them out of their jobs. Snowden claims to have gotten the NSA data out this way and even if he lies, it's certainly a plausible method.
The more effective our data handling devices get, the more data can be leaked.
I'm a bit of a pessimist and think we won't be able to stop such leaks in every domain. They'll just get worse and worse over time, the larger the data sets get that are being accumulated about people.
Former Google CEO Schmidt has famously said that there won't be privacy in the future. Maybe he's right. Maybe he's wrong and we figure out a way to preserve it. But doing that is super hard.
Maybe society is just ever changing and the "stable" state will be some form of singularity where a concept like "living on a planet" is regarded as outdated because we live in emulated environments in free orbit around a sun and the planets are better off being dismantled to build more emulated environments, and all our thoughts, dreams, plans, our entire existence is accessible to the environment's operators who claim to be "fair" like Google, Twitter or Facebook claim today.
Unless said designs/process/overview was deliberately overlooked. This is a political app...
Given the history of obvious, obliviously bad flaws in elections machines everywhere, how can one not come to the conclusion that the rigging of the game is just being swept inside the box with the blinkenlights? Where no one can see or audit the process because this is SECURE code, no can see...
Investigations to see exactly who is funding the election tech companies, board members, prime investors, etc etc etc.
"Embedded in the code was a file path labelled "get-admin-users." He simply copied and pasted that back into the URL bar, and then suddenly saw a list of admins, including their usernames and passwords."
Its almost like you were asking for it. I dont even keep plain text password on my local machine.
Why would anyone? The riskiest place I would keep passwords is in an encrypted archive. Barring unknown side channel attacks, my brain is less secure than that.
How is that even possible? Beyond storing passwords unencrypted anywhere, why would you make a specific endpoint to return them.
It feels suspicious that someone could be capable of building this app (requires some level of knowledge) and creating a publicly exposed endpoint that is almost designed for malicious purposes.
Maybe something that was quickly coded up in the beginning to allow testing by team members and later forgotten. Happens all the time, that’s why you do code review and have at least two people approve changes to master.
Perhaps plausible deniability around selling data? If you outright sell data, that is illegal, but if your app "leaks" data maybe it is harder to prove malfeasance and instead say "negligence"? I am obviously not a lawyer and certainly don't know the laws of Israel. Does what I described ever happen?
I'm not sure how you'd monitize publicly leaked data. If they accepted money for access to the data, then that's selling data. I don't think that happened here though.
It doesnt surprise me. One dev creates the endpoint for testing, leaves the company and the next dev does some refactoring and it makes its way to production. Many projects are done under a lot of time pressure. Also, often devs face worse consequences for a late project than for a catastrophic error.
Maybe the international body of politicians will finally realize that while anyone can write a website, not everyone should, and certainly not their nieces and nephews
I tend to think that if
- everyone had access to military grade weaponry, and
- their actions were close to anonymous, and
- it was so obvious they were killing people by acting
then a lot more planes and elevators would be a lot less safe.
I think plane and elevator technology has had a long time to becomes more robust, and there's a lot less players in the field, with a lot more regulations, and a LOT less people actively trying to sabotage them.
All things being equal, I don't think the people designing them are much more skilled than the people writing software for some of the better firms.
39 comments
[ 2.9 ms ] story [ 82.9 ms ] threada consulting firm developing one-off mobile apps used by political parties can offer neither (see the recent Iowa caucuses debacle)
The level of incompetence required to commit such a fault is beyond what i would expect from any "third world" country. So, the fact that it happened in a country that advertize itself as a startup nation, and is exposed to one of the highest level of terrorist threat in the world is beyond my comprehension.
If i were israeli i would recognize this event as one of the most damaging one of the last decade in term of public image. Israel has a huge flourishing business related to cybersecurity, mostly based on the reputation the country has for having the best specialists. If you know anything about business, you know how much image is important, and how this issue should be treated as a PR disaster for the whole country.
And that is why applications dealing with sensitive data are still being produced by people with no clue about security. Because there are never any consequences for leaking sensitive data, there is zero incentive for companies to spend the money on hiring competent developers.
I've set foot in ~20 computing science classes, out of a ~134 credit-hour degree, and only one optional class ever mentioned that this sort of thing would be a bad idea.
It also didn't actually rigorously teach best practices, only mentioned a laundry list of security blunders that you probably want to avoid, without proscribing any solutions. We also were not tested on this.
And this degree wasn't in some middle-of-nowhere community college.
Also, as anyone who has ever set foot in a computer science class ought to know, these kinds of failures aren't the fault of any one person. One person may be undereducated, ignorant, lazy, stupid, or just in a hurry to ship. It's the entire organization's responsibility to provide checks and balances that prevent this sort of thing from hitting production.
I'd be hesitant to call out one person. A process failed. Where were the code reviews, design sessions, pentesters, QA, UAT, automated tests?
in this case, every single individual in the chain ( from backend dev to frontend dev to tester to enduser) are able to see that something's very wrong. Which means none of those people are competent. Not any of them.
It seems this submission has new technical details, so we won't treat it as a dupe.
We're still incredibly new to the concept of storing PB's of easily searchable and accessible data, and can be accessed at the speed of light.
At the same time, exposing this can do real human harm, depending on the motives (for example, Cambridge Analytica).
I wonder what the next 100, 500 years will look like, after all this has 'settled' down.
We're seeing this today with facial recognition and machine learning - new concepts today that will grow old with time.
I wish I was capable of seeing all of this 'big tech' in that time to see how it matures. To say we have a long way to go is an understatement.
Breaches like this should be impossible as there should be designs against it.
> Breaches like this should be impossible as there should be designs against it.
I see it the other way around. Privacy is equal to security, it is only as strong as its weakest link, and there are many many “links” (attack vectors) and the amount of data you can breach with asymmetric attacks is unprecedented. By way of ergodicity, everything’s going to be leaked eventually, no matter how good our intentions are to protect it.
If you take everything to its logical conclusion, it is inevitable that the concept of privacy is going to be absolutely destroyed in the future, and everyone will know everything about everyone at all times. The latest privacy laws are futile attempts to put the finger in the dike before it explodes; too little, too late.
Totally agree, and I am on record as saying that this will happen sooner than people think. Given the rate at which large-scale data breeches keep happening and the lack of ANY kind of consequences for companies and institutions who fail to protect data, I firmly believe that pretty much all personal data belonging to everyone will be either publicly accessible or available for sale by 2025 at the latest.
For most people their address history, phone numbers, medical history, financial transaction history, account- and other ID numbers, browser/search history and every email they ever sent or received will be available for search or purchase.
2. My home has security systems which can either stop a crime from occurring (security lights, security doors, dogs, alarms, me) or will result in those perpetrators being caught (alarms which contact police, cameras).
3. I don't have the voter details of 6.5M Israelis in my house.
Furthermore, how much time do these breaches steal in lost productivity, or in diminished free time, for all of us? Quite a bit, but the only time you hear about that metric is when management is complaining about employees talking to each other in the hallway.
Protections not established early become harder to impose later, which is why the companies and lawmakers to which they donate downplay the severity of these breaches via pittances of penalties, 30min of revenues or something. Fines should be $1000 per individual exfiltrated, or a year of revenues (at last year's number), or other figure that would be actually effective...and with strict liability.
Recently in Washington State, a small research group at WSU lost a couple of hard drives that had PII data on them on order of 1 M people. They even had them in a safe; the safe was stolen and no real evidence of the data being the target of the theft was found.
Nonetheless, being good civil servants they scrupulously reported what happened and carried out required notification procedures to the million folks.
Their reward was to be sued for basically the maximum that their insurance would pay out.
How many thousands of times per year do similar things happen in private industry? Nobody knows. You don't even have to posit malice or a coverup; just think about how many times a year a hard drive backup of a database with a mere million records gets accidentally thrown away or sold off with surplus.
If the liability had been $50MM or $500MM, you can bet their storage practices would reflect it (not to mention actually telling people you're collecting their data). "Eh, whaddya gonna do?" is absolutely a normalization and a devaluing well out of proportion to the damage that is done.
The scale of this dataset is probably on the two/three digit MB scale. It's 6.5 million people and everyone adds probably less than 500 bytes to the dataset.
Let's say it's 500 MB. This isn't "big data", but it's still highly sensitive. It's still "only" a file on your Computer and deleting it still doesn't delete it safely.
The issue is the effectivity of our data handling devices. As the file is so small, it fits onto current USB sticks cheaply. People can put those USB sticks anywhere and smuggle them out of their jobs. Snowden claims to have gotten the NSA data out this way and even if he lies, it's certainly a plausible method.
The more effective our data handling devices get, the more data can be leaked.
I'm a bit of a pessimist and think we won't be able to stop such leaks in every domain. They'll just get worse and worse over time, the larger the data sets get that are being accumulated about people.
Former Google CEO Schmidt has famously said that there won't be privacy in the future. Maybe he's right. Maybe he's wrong and we figure out a way to preserve it. But doing that is super hard.
Maybe society is just ever changing and the "stable" state will be some form of singularity where a concept like "living on a planet" is regarded as outdated because we live in emulated environments in free orbit around a sun and the planets are better off being dismantled to build more emulated environments, and all our thoughts, dreams, plans, our entire existence is accessible to the environment's operators who claim to be "fair" like Google, Twitter or Facebook claim today.
Given the history of obvious, obliviously bad flaws in elections machines everywhere, how can one not come to the conclusion that the rigging of the game is just being swept inside the box with the blinkenlights? Where no one can see or audit the process because this is SECURE code, no can see...
Investigations to see exactly who is funding the election tech companies, board members, prime investors, etc etc etc.
The flow of money will tell the story.
Its almost like you were asking for it. I dont even keep plain text password on my local machine.
It feels suspicious that someone could be capable of building this app (requires some level of knowledge) and creating a publicly exposed endpoint that is almost designed for malicious purposes.
Either way, they wrote the functionality and it is shoddy work.
I tend to think that if - everyone had access to military grade weaponry, and - their actions were close to anonymous, and - it was so obvious they were killing people by acting
then a lot more planes and elevators would be a lot less safe.
I think plane and elevator technology has had a long time to becomes more robust, and there's a lot less players in the field, with a lot more regulations, and a LOT less people actively trying to sabotage them.
All things being equal, I don't think the people designing them are much more skilled than the people writing software for some of the better firms.