MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com) 69
An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.
I'm sure the MongoDB devs must be proud (Score:4, Insightful)
Look at all this fail they've enabled with their shitty defaults.
Even mysql demands that I configure a root password when I install it.
Re: (Score:2)
You should have used a US address on those credit card applications. The Mexican government would probably take notice of their registered voters living in the USA and build Trump's wall after all- whether he is elected or not.
Re: (Score:2)
Webscale!
Re:132GB?? (Score:4, Insightful)
For ~ 83 million [idea.int] registered voters, that's 1.57KB per voter. It's a lot, but it's not obscene. You can see a sample redacted db record on the article. They have voter ID laws, so they have a bit more info, including maternal/paternal parents.
You can't even store 1 byte per voter on less than 50 floppy disks.
Turkey... (Score:2)
It's happened with Turkey and now Mexico (although with Turkey that was more malicious).
We haven't had this sense of digital identity that we have today. In the US, our tax numbers are secrete (SSN numbers) but in many other countries, tax ID numbers are considered public or non-identifying (Australian's TFNs and NZ's IRD # come to mind).
Go back 100 years and you didn't have passports or work visas. If you could speak the language in your destination, you could go and attempt to work and survive (and if you
Re: (Score:3)
That not how I would characterise the difference between Australian TFNs and US SSNs (I have both).
In Australia, the TFN is a very sensitive piece of information and the only people who would ever ask for it are those you would expect to ask for a tax number: the tax department, your employer, and your bank/financial institutions. There are strict guidelines governing its use and it is explicitly defined as identifying information: https://www.oaic.gov.au/indivi... [oaic.gov.au]
On the other hand, the US SSN is used for f
Re: So the new Ubuntu with its missing systemd... (Score:1)
systemd is simply a disaster.
Re: (Score:1, Troll)
When that nazi cunt Poettering stops taking bribes from the CIA, or just admits that he's a kiddy-diddler and takes the hit.
Re: (Score:1)
When that nazi cunt Poettering stops taking bribes from the CIA, or just admits that he's a kiddy-diddler and takes the hit.
It almost makes kiddy-diddling look like the least offensive thing he's done.
Re: (Score:2)
Re: (Score:2)
Re: So the new Ubuntu with its missing systemd.. (Score:1)
It's sad to see that "most" things working is now acceptable for Linux. I miss the old days when the quality bar was set much higher.
Re: (Score:3)
Why do you anti systemd trolls keep lying when it's so easy to prove you wrong? All one have to do is look at the File List of the mongodb-server package in Ubuntu 16.04LTS: http://packages.ubuntu.com/xen... [ubuntu.com] and what do we find there:
/lib/systemd/system/mongodb.service
Well I be damned, a systemd unit file, which you now have claimed in several articles does not exist even though it does. Interesting isn't it?
Re: (Score:2)
Re: (Score:2)
Phillipines too-55M records (Score:2)
Hey, Look! (Score:1)
Re: (Score:2)
I have been trying to get a job as a brick layer for the last 2 years. However, because my name is not Hernandez, I am summarily disqualified.
That's funny. When I applied for unemployment benefits a few years ago, I discovered that "C RAMOS" was using my Social Security number. With my Social Security number, he got himself a job. Maybe your problem isn't your last name but your Social Security number (or lack thereof). Employers won't hire anyone off the street without a Social Security number.
Re: (Score:2)
I think your problem goes deeper than your name. I would suggest looking into the use of USAian for starters. It probably branches out near there.
Remember, the interview is there to either select or weed out the idiots.
Re: (Score:1)
What is wrong with USAian? To claim that your are an American when you are really from the USA seems a little non-specific, especially when taken in the context of nationalism (which is what this is about). One might as well just say He is from the Western Hemisphere, or the planet Earth. America is not the USA. The USA is not America. America is two fucking continents and 37 fucking countries.
Re: (Score:1)
Lol.. you can go around calling a screwdriver a confabulator if it makes more sense to you but the acceptable and proper name is still a screwdriver. All it does is make you appear like a moron who thinks they are smarter than they actually are. Not exactly top job candidate material.
Lets ignore your complete misunderstandings like there is no continent called America. They both have north or south within their official names and even geographically descripters use them or central in addition so that doesn
Obligatory (Score:2)
Re: (Score:1)
Mongo only pawn in game of life...
Stop treating Mongo as a real DB (Score:4, Insightful)
... and start treating it as a key-value file system and it all makes sense. Sadly the mongo devs want us to think its a competitor to mySQL or even Oracle. Yeah, right.
Amateur hour DB + amateur hour admins = trouble ahead.
Re: (Score:2, Insightful)
Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.
Re: (Score:2)
Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.
NO, you can't. mySQL requires, yes, requires you to assign a root password upon install.
Face it, the MongoDB defaults are shit. Just admit it and stop blaming the poor fuckers who have to use it. Yes, they should have assigned a password, but the fact of the matter is that MongoDB should have made it impossible not to.
Re: (Score:2)
Not only does it require that you assign a root password, it also requires you to change the config to listen on an ip address other than localhost. You also have to create a new user, as the default root user can only connect from local host.
Beginning to be a common headline (Score:1)
"MongoDB Config Error Exposed..." is the new "Florida Man..."
Wow, 132Gb (Score:2)
Oh my, 132Gb of tasty, tasty user data. It's like an all-you-can-eat hacker buffet.
Re: (Score:2)
That's true. But fortunately, the citizens live in a nice quiet country where there is no risk at all from having all your data publicized. Especially when you're working undercover, or get caught in the crossfire, there is no risk at all from having your adress and that of relatives exposed on the internet.
Now's the chance. (Score:2)
This could be on purpose (Score:1)