Records of Nearly 57 Million US Citizens Exposed by ElasticSearch

I promise that I know more about Elasticsearch and PCI compliance than you. I actually have it open in another window, and know the fines for violating the compliance. Your reply just expands the ignorance. You state when you decide to keep a bunch of information you should 100% take ownership of it. This is the head slapper. The company Elasticsearch did not "keep" the data. Another company, potentially Data & Leads, used Elasticsearch's product to store the data and the fool who put the data into the system then exposed that system on public facing servers. How you can attempt to blame the developer of the software for the incompetence of its users is mind boggling to me. In your example of running a database which gets compromised, in your logic the developer of the database should be held accountable and not you for not enabling security. Do you not see the idiocy of this?

I promise you I know more about this than you ever will. See how that works?

Though I do see that this needs to be investigated, my point is that the thief cannot be the only one to blame; otherwise you let people and companies handle sensitive data, whether storing or accessing it, without liability.
 

No one said that the company shouldn't be investigated. However Elasticsearch is not the company that should be investigated -- Data & Leads Inc should be investigated. They are the company that stood up this service, didn't enable or add any security and then just left it accessible via the internet.

That is like blaming Microsoft because :insert your company: decided to make everything Password1 as the password.
 

Agreed.
 

Difference is I just proved my assertion.
 

Explain how this line of bs text is any kind of 'proof'

I promise that I know more about Elasticsearch and PCI compliance than you. I actually have it open in another window, and know the fines for violating the compliance.

Is it because you pinky promised at the start or because you said you had a window open?

When someone starts off with "I know more than you", 10 out of 10 times what comes after is bullshit, just the same as talking louder doesn't make you right.
 
Nothing will change until some important dude in DC gets affected by a data breach in a very bad way, one that makes him look really bad to the public. Then they'll be all over data breaches. Till then, don't expect anything to change.
 
We need to start seeing executives hanging for this shit because clearly security still isn't taken seriously enough.
 
Someone didn't pay for an X-Pack license...

Who stands up publicly facing indexing without enabling the security/authentication module?
 
The thing is, PCI auditing should catch shit like this, as well as other forms of auditing. So the fact this wasn't shored-up in the first place is incredibly damaging to whomever actually ran it.

True, but this can be limited by making the default settings hardened, and putting warnings in place whenever they are changed. People will still do stupid things, but at least this way it can be minimized.
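As an added illustration of the two points above (an Elasticsearch node bound to a public interface with the security module left off, and the case for hardened defaults plus warnings), here is a small configuration audit script. It is example code written for this page, not anything from Elastic or from the company discussed; the two elasticsearch.yml fragments it checks are constructed, and it deliberately parses only flat `key: value` lines, which is how those files are normally written with dotted keys. It treats a missing `xpack.security.enabled` as "not explicitly enabled", which matches the pre-8.0 default; on 8.x set the value explicitly before auditing.

```python
"""Flag the 'exposed and unauthenticated' pattern in an elasticsearch.yml.

Constructed example for illustration: parses only flat `key: value` lines
(no nested YAML) and checks three real settings:
  network.host                    -- defaults to loopback (_local_) if absent
  xpack.security.enabled          -- authentication/authorization module
  xpack.security.http.ssl.enabled -- TLS on the HTTP (9200) API
"""
from __future__ import annotations

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}
TRUTHY = {"true", "yes", "on"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Turn `key: value` lines into a dict, ignoring blanks and # comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_loopback_only(host: str) -> bool:
    """network.host may be a single value or a list like [_local_, _site_]."""
    hosts = [h.strip() for h in host.strip("[]").split(",") if h.strip()]
    return all(h in LOOPBACK for h in hosts)


def audit(settings: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: list[str] = []
    host = settings.get("network.host", "_local_")  # absent => loopback default
    exposed = not is_loopback_only(host)
    security_on = settings.get("xpack.security.enabled", "false").lower() in TRUTHY
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() in TRUTHY
    port = settings.get("http.port", "9200")

    if exposed and not security_on:
        findings.append(
            f"HTTP API bound to {host} with xpack.security.enabled=false: "
            f"anyone who can reach port {port} can read and modify every index"
        )
    if exposed and security_on and not tls_on:
        findings.append(
            "authentication is on but xpack.security.http.ssl.enabled=false: "
            "credentials cross the network in clear text"
        )
    return findings


# Constructed sample configs: the weak one mirrors the incident described
# in the thread, the hardened one is what the auditor should accept.
WEAK_CONFIG = """
cluster.name: leads-search
network.host: 0.0.0.0
http.port: 9200
# security module never turned on
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: leads-search
network.host: _local_
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(parse_flat_yaml(cfg))
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run against the weak fragment it reports one finding (public bind, no authentication); the hardened fragment passes. A check like this belongs in the deployment pipeline, where it can refuse to ship the node rather than leave the lesson for a PCI audit, or a breach, to deliver.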
 
That's what things like PCI compliance are for, as well as other auditing services. They evaluate things like this and advise them to fix it. If they ignore it, or aren't properly getting audits like that, then the company is liable due to wilful negligence.

The problem is that you don't know which companies are properly securing their infrastructure/data and which ones aren't.

Go ahead, head on over to your local Walmart (one of the companies that uses Elasticsearch) and ask the cashier about the security protocols used to safeguard your data: is it stored encrypted, what algorithms are used, is it transferred encrypted over the network connections, what password security protocols do they use, do they use 2FA, etc. Good luck with that one. I bet there wouldn't be a single person in the store, from the top of management down, who could provide an answer.

In my view the only reasonable approach is to do everything in my power to limit their data collection. They can't lose what they don't have.
 