An Adult Cam Site Exposed 10.88 Billion Records (wired.com)
CAM4, a popular adult platform that advertises "free live sex cams," misconfigured an ElasticSearch production database so that it was easy to find and view heaps of personally identifiable information, as well as corporate details like fraud and spam detection logs. According to Wired, the database exposed 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts -- 10.88 billion records in all. From the report: First of all, very important distinction here: There's no evidence that CAM4 was hacked, or that the database was accessed by malicious actors. That doesn't mean it wasn't, but this is not an Ashley Madison-style meltdown. It's the difference between leaving the bank vault door wide open (bad) and robbers actually stealing the money (much worse). [...] The list of data that CAM4 leaked is alarmingly comprehensive. The production logs Safety Detectives found date back to March 16 of this year; in addition to the categories of information mentioned above, they also included country of origin, sign-up dates, device information, language preferences, user names, hashed passwords, and email correspondence between users and the company.
Out of the 10.88 billion records the researchers found, 11 million contained email addresses, while another 26,392,701 had password hashes for both CAM4 users and website systems. A few hundred of the entries included full names, credit card types, and payment amounts. Who's Affected? It's hard to say exactly, but the Safety Detectives analysis suggests that roughly 6.6 million US users of CAM4 were part of the leak, along with 5.4 million in Brazil, 4.9 million in Italy, and 4.2 million in France. It's unclear to what extent the leak impacted both performers and customers. The report says CAM4's parent company, Granity Entertainment, took the server offline within a half hour of being contacted by the researchers.
Illegal aliens from space... (Score:2)
Re: (Score:3)
Seriously, learn to use a firewall and VPN and this will never be a problem for you. For bonus points, every once in a while do a nmap/port scan of your own hosts.
Re:Illegal aliens from space... (Score:4, Insightful)
Seriously, learn to use a firewall and VPN and this will never be a problem for you.
A far more important one is: Don't log everything in the entire universe ever and keep the records forever. Friend of mine helped run a pr0n site in the 90s and if they'd been compromised the only thing on there was a salted iterated password hash and some encrypted site prefs that even if they were decrypted were meaningless binary blobs unless you had the whole site there to apply them to (I think it was a binary dump of some in-memory data structure).
The problem wasn't the exposure, it was that they were recording and keeping forever a vast mass of crap whose only real practical use was blackmail if/when it got leaked.
Re: (Score:3)
Re: (Score:2)
Seriously, learn to use a firewall and VPN and this will never be a problem for you.
A far more important one is: Don't log everything in the entire universe ever and keep the records forever.
Or just don't go to skeevy camgirl sites. Try, oh, I dunno, talking to real girls.
Re: (Score:3)
Try, oh, I dunno, talking to real girls.
C'mon, this is Slashdot, let's stay within the bounds of meaningful possibility. Where the open source porn?
Re: (Score:1)
Seriously if you think this is ALL YOU NEED TO DO to avoid these problems, you are part of the problem.
The problem here was a misconfigured ElasticSearch instance, that likely DID need to be exposed to the internet.
Firewalls and port scans are basic shit for a network administrator. It's the equivalent of putting your seatbelt on in a Formula 1 c
Re: Illegal aliens from space... (Score:1)
Wtf are you talking about?
Re: Illegal aliens from space... (Score:2)
I repeat: why would you EVER expose your internal database to public net?
It doesn't matter that your database can support browser hits directly. It is stupid, lazy, and bordering on criminally incompetent to do so.
Just because you -can- do something painfully STUPID AS ALL FUCK does not mean you -should-.
And who modded me down for saying so? Some moron who exposes his internal database to public?
Re: (Score:3)
The blame also lies with ElasticSearch for being insecure by design. The vast majority of server software has their own security mechanism so this doesn't happen.
The story says it was misconfigured, which implies someone changed the config to make it that way. But that's probably not what happened here.
Re: (Score:3)
Elastic has no password protection by default but only listens on localhost IIRC. If you change the latter and keep the former you might have a bit of a problem.
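As an added, defender-side example (not code from the thread or from Elastic), the script below audits a flat elasticsearch.yml for exactly the pair of settings the comment describes: the HTTP listener moved off loopback while xpack.security.enabled is still false. The setting names are Elasticsearch's own; the sample configs are constructed, and the bind-address precedence and the pre-8.0 default are assumptions noted in the code.

```python
# Added example: audit a flat elasticsearch.yml for a REST listener bound
# off loopback while xpack.security is disabled (constructed samples below).
from typing import Dict, List

LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read top-level 'key: value' lines; comments and blanks are skipped.
    Assumption: flat dotted keys, the usual shape of elasticsearch.yml."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("[]")
    return settings


def http_bind_addresses(settings: Dict[str, str]) -> List[str]:
    """Effective HTTP bind addresses. Assumed precedence: http.host overrides
    network.bind_host, which overrides network.host; nothing set means loopback."""
    for key in ("http.host", "network.bind_host", "network.host"):
        if settings.get(key):
            return [a.strip().strip("\"'") for a in settings[key].split(",") if a.strip()]
    return ["_local_"]


def audit(text: str, default_security: bool = False) -> Dict[str, bool]:
    """default_security=False models releases before 8.0, where authentication
    stayed off unless xpack.security.enabled was set explicitly."""
    settings = parse_flat_yaml(text)
    addrs = http_bind_addresses(settings)
    exposed = any(a not in LOOPBACK for a in addrs)
    raw = settings.get("xpack.security.enabled")
    authenticated = default_security if raw is None else raw.strip().lower() == "true"
    return {"exposed": exposed, "authenticated": authenticated,
            "critical": exposed and not authenticated}


# Constructed sample configs: the weak shape and a hardened one.
WEAK_CONFIG = """cluster.name: cams-prod
network.host: 0.0.0.0          # reachable on every interface, no auth
"""
HARDENED_CONFIG = """cluster.name: cams-prod
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The "critical" flag is the case the comment warns about; "exposed" alone, with authentication on, is a deliberate cluster deployment rather than a misconfiguration.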
Re: Illegal aliens from space... (Score:3)
Until recently, it didn't even support authentication.
And it's cluster software. It's not like you can effectively run ES on localhost.
Like all software that treats security as an add-on, ElasticSearch servers will continue to be compromised at alarming rates until everyone wises up and abandons it.
Re: (Score:2)
The blame also lies with ElasticSearch for being insecure by design
The blame also lies with the entire "cloud" industry that has, for unknown reasons, convinced a generation of developers and C-level suits that the "cloud" is inherently secure. Entire dotcom businesses have been created to convince people to move to the cloud rather than hire competent system administrators to manage their incredibly important and vital IT infrastructure. Instead, they migrate to the "cloud," where it's SCALABLE! and SECURE!
When you build your system on somebody else's computer using someb
Re: (Score:2)
At the beginning of my career:
These new-fangled client-server architectures are just a nightmare. Entire shady businesses have been created to convince people to move to Unix systems rather than hire competent mainframe administrators to manage their incredibly important and vital IT infrastructure. Instead they migrate to "servers," where it's SCALABLE! and SECURE!
At the end of my career:
The blame also lies with the entire "cloud" industry ... Entire dotcom businesses have been created to convince people to move to the cloud rather than hire competent system administrators to manage their incredibly important and vital IT infrastructure. Instead, they migrate to the "cloud," where it's SCALABLE! and SECURE!
The world has moved on from your old paradigm. Sorry, buddy, it's not going back. Just learn how to secure the new
Re: (Score:2)
The world hasn't moved on from the old paradigm. It's the same paradigm, only now you pay Amazon monthly fees instead of hiring and training your own team.
Virtualization of resources isn't the problem. Contracting out your critical infrastructure is the problem. It's not like contracting out your grounds maintenance. Once you choose a "cloud" provider, you're pretty much stuck with them. Moving elsewhere is hard and expensive. I'm surprised you don't understand this.
Re: (Score:2)
And yet, back in the day what you're complaining about is how all of IT worked. Oh, it was called "the mainframe" instead of "the cloud", but why would you want your own computer, when terminals are cheap and low-maintenance? That worked well for decades, then everything shifted the other way for decades, now it's shifting back.
I notice you seem to think that "hiring and training your own team" is good. Why would e.g. a tire company want or need that specialty? They don't, which is why it's almost alway
Re: (Score:2)
The blame also lies with ElasticSearch for being insecure by design. The vast majority of server software has their own security mechanism so this doesn't happen.
Databases are not designed to be secure, unfortunately. Their programmers are not focused on that in the same way SSH devs are (for example). If you have your database on the open internet and not behind a VPN, you are at risk for something like this (so basically everyone on Heroku).
Re: Illegal aliens from space... (Score:2)
That depends on the DB. Most support TLS, which is just as good as a VPN. Probably better, given the real-world track record of VPN apps being configured insecurely by default.
Re: Illegal aliens from space... (Score:2)
Re: Illegal aliens from space... (Score:2)
You mean like a VPN does?
Re: Illegal aliens from space... (Score:2)
Re: (Score:3)
Record count != distinct people.
Re: (Score:1)
For comparison of scale, 10B records seems like a lot when you consider there are only 7B people and IPv4 only covers 4B unique IPs (many of them which cannot be allocated).
Just on the size, I think we can infer that each record is not an account, but a visit to the site or maybe even a download of a video. Then 10B seems like a paltry amount, perhaps only a month's worth of "records".
Re: (Score:2)
Also, since some humans apparently get off on tentacle porn, maybe there are sentient alien octopii that get off on human
Re: (Score:2)
Real names? (Score:1)
Who would use their real name to create an account on a sexcam site?
It would be interesting to know the average IQ of people dumb enough to do that.
Of the estimated 20 million accounts, the summary says only a few hundred had records of CC transactions. Even some of those may be the anonymous Visa cards you can buy for cash at Walmart.
Re: (Score:3)
It would be interesting to know the average IQ of people dumb enough to do that.
Several?
Re: (Score:2)
Re: Real names? (Score:4, Informative)
Re: (Score:2)
In the scheme of things paying for some porn with your credit card isn't a big deal. I mean people have been buying porn mags for decades, often in person. And many more soft porn "lads mags".
The real idiots are the ones who signed up to Ashley Madison after it had already been hacked.
Re: Real names? (Score:3)
Re: (Score:3)
The real idiots are the ones who signed up to Ashley Madison after it had already been hacked.
Are they?
You could be convinced that a 2nd hack is less likely and more importantly - less interesting. The first AD data was certainly spread widely. If you came a year later saying that you basically have the same thing plus a few updates... well, yeah... take a number.
Re: (Score:2)
I don't do banking on a computer that had malware once in its life, I apply a similar rule to websites.
Re: (Score:2)
Ok, you need to read "General Semantics" by Alfred Korzybski, because you're mixing so many things there that are at different levels of abstraction.
Malware and data leaks are not the same thing when it comes to persistence. And a website and a physical device are not the same thing, either. My personal website, for example, has been on the same domain for over 20 years. Some of its content is nearly as old. However, it has changed the physical hardware it runs on and the geographic location that hardware c
Re: (Score:2)
For their cam models it is mandatory to provide a photo ID with age to prevent lawsuits (potentially underage models). Also required to process payments from users to the models.
Re: (Score:3)
How else will a porn star find them in real life?
Re: (Score:2)
Who would use their real name to create an account on a sexcam site?
Why not? They are a legitimate business provider who has to comply with the same laws any other business in Canada does.
And let's face it, having someone know that you watched someone else masturbate doesn't come with the same kind of stigma as say declaring yourself a member of the republican party.
Re: (Score:1)
Granite that is a hard choice to make though!
Re:Meh (Score:4, Funny)
Re: (Score:2)
Only boys with no social skills look at anime porn. The actual men are too busy interacting with real women. /s ;-)
Re: (Score:2, Insightful)
Re: (Score:2)
You just offended 95% of ./ users.
Where is this "./" that you mention on /.?
Re: (Score:2)
"No True Scotsman" argument in the brew right there.
Re: (Score:2)
You mean the alphabet soup that considers "I'm sexually attracted to people I've formed a relationship with" to be an orientation?
Re: (Score:1)
Only boys with no social skills look at anime porn. The actual men are too busy interacting with real women. /s ;-)
You're just offended 90% of the male democrat supporters /s
Re: (Score:3, Funny)
I have no idea how you get off on that.
He goes by the name sexconker, so it's probably better than whatever the hell he is doing to horse chestnuts.
Death Move (Score:3)
If you are based in California, check your firewall tonight.
Will this be added to https://haveibeenpwned.com/ (Score:1)
Re: (Score:2)
If that's the site I'm thinking of, they send their results to the email address being checked.
Re: (Score:2)
There's 10.88 billion records for cam porn? (Score:2)
That's my only question here.
Seriously, is there really 10.88 billion records for cam porn?
Re: (Score:2)
Seriously, is there really 10.88 billion records for cam porn?
It says it includes the chat scripts, which will mean these records contain all the messages people left there while watching the videos.
Why do you think the net was born? (Score:2)
for horn, for horn, for horn:
https://www.youtube.com/watch?... [youtube.com]
10 TB -> Amateurs ofc
Actually, archive.org will have a "hard" time archiving all live streams from the various platforms.
count them (Score:1)
Cultural dissonance. (Score:3)
Part of the problem is that nearly everyone has sexual ambitions. However, our cultures make it seem like this is a really bad thing. However, nearly everyone alive today (OK, there are some artificial methods that came up in the last few decades) is here because their biological parents had sex at least once.
If someone is caught watching porn on their personal time, then it should be treated like when someone makes a smelly poo in the bathroom. Just realize that it happens, try not to embarrass the person, and mostly just ignore it.
I know those sex hostile people (Score:2)
It's like fine dining for me. I'll go to a nice restaurant and enjoy it, but it's normally just anxiety for me...the dress code
Re: (Score:3)
It's not conservatism, it's puritanism. Americans followed the Puritanical path to the New Colonies way back when, which included stuff like no sex, no alcohol, basically nothing pleasurable. Life should be about hard work and toil. Enjoyment is bad.
You'll find that shapes American culture far more than anything else - it's why the rest of the world really has no problems with it, red light districts and all that
Of course, the Puritans didn't have anything to say about arms, so it's also why the world tends
that's the point (Score:3)
Re: (Score:2)
Yes but only of one of the parties involved.
10 billion people 7 billion people (Score:2, Flamebait)
2.8 billion records returned.
It could be worse (Score:1)
It's not like millions of records of license-plate cameras were compromised.
Oh wait [slashdot.org].
8008 8008 (Score:4, Funny)
Well thank god I never signed up, so they can't find my penchant for women whose breasts hang down to their bellybutton.
Oop, almost forgot to check the anon box, lol! Can you imagine?
TFA didn't mention... (Score:1)
Which records were 78s, 33s, or 45s.