Majority Report: NoSQL and the Age of the Data Heist
Past predictions of the future data-scape were wrong. Privatized data theft is becoming an epidemic. And while we rely on privateers to conquer the pirates, it’s actually a community-wide responsibility.
It’s good to see a whole series of Philip K Dick’s short stories being dramatized for television. Electric Dreams is a multi-director anthology of short films celebrating the imagination of the Paranoiac-in-Chief. But for a writer who spent more time than most worrying about data, there is one data trick that neither he, nor Orwell, nor Huxley (not to mention Wells and Kafka before them) ever really entertained: data theft for purely criminal gain. Instead, all of them imagined data abuse in the hands of controlling elites, not outlaw, hole-in-the-wall geek gangs. Half-time score: 20th Century Paranoia – 0, The Future – 1. And it’s shaping up to be a fascinating second half.
So maybe we should celebrate the fact that liberal free-market capitalism has democratized the business of data theft and abuse? Surely an occasional infection of privatized data hacking is preferable to Big Brother calling all the shots from a gimongous MPP server somewhere in the Arctic Circle. As it is, anyone with a rig and a copy of the Hacker’s Handbook can go dig, with the modern-day equivalent of the Gold Rush sluice box. Though, as Nic Roeg imagined in Eureka, this particular rush of gold moves fast. The Data Rush is indeed a rush of a different kind.
Through Data Darkly
Gold was for the ‘49ers a natural resource, static, waiting to be found and fashioned and flogged with a bit of added value. Data is really none of these things. Data is what we humans are in the process of becoming. It is important that we don’t allow the process to play itself out to an unanticipated and uncomfortable end-point. We want future generations to grow into something more than a resource whose relative preciousness is evaluated by a commodities exchange algorithm.
Data is also a fluid, but with hard bits in it. The recent cack-handed announcement by Equifax of their July failure, in which 143 million US citizens’ personal data was stolen, reminds us once again of the curious substance that data is; almost as curious as the human condition. It’s fluid and is constantly on the move, being transformed into different data types, being indexed in a cascade of useful and pointless ways, being deleted, merged, and updated. Addresses change, names get ditched and adopted, job titles and passwords are a Brownian mist of randomness in constant flux. But Social Security Numbers? Now they’re not in flux at all. SSNs are like the white blood cells in your data bloodstream, those DNA-carrying immune system sleuths that check invaders for passports. Similarly, your SSN (or National Insurance Number in the UK) is a permanent ID stamp and ensures you maintain appropriate access to support services. If anything, SSNs are even less likely to mutate than your genome is.
The Scale of the Data Breach Epidemic
The Identity Theft Resource Center is one of many organizations dedicated to tracking and reporting on the ever-increasing volumes of data breaches. Their mid-year report for 2017 showed a nearly 30% increase in breaches over 2016. Their projection is for 1,500 by year’s end. The Breach Level Index is another tracker that estimates over five million data records are stolen every day.
Until we can all catch up with doughty Estonia and get all of our citizens’ private data encrypted in a publicly distributed blockchain, data breaches are not an occasional and annoying infection. They are more like a radically mutated Spanish influenza that puts the health of our digital world at huge risk. The blockchain investment by certain Baltic states is a brilliant pre-emptive strike to protect their citizens’ identities by hiding in plain sight. Maximum shared visibility of the fact of being on the ledger means it’s much, much harder for the fact of your citizenship to be challenged or undermined.
In September, and for the second time this year, a massive ransomware attack was hurled at unsecured instances of the MongoDB document store platform. Attacks quickly spread to a range of other NoSQL platforms including CouchDB and Cassandra, and in October, not for the first time, MySQL was also targeted. Back in January of 2017, when the first big wave of bitcoin ransom demands rolled across the NoSQL data-scape, Victor Gevers and his colleagues at G.D.I. took steps.
Hackers Sans Frontiers
G.D.I. is a non-profit organization fighting to protect the freedom of communication across the internet and to help victims who need their data back. Hospitals and other health organizations are not more vulnerable than other institutions, but the potential damage caused by a data breach is orders of magnitude greater. In conversation with bleepingcomputer.com, Gevers characterized the latest wave of ransomware as a potentially alarming refinement over January:
"The amount of (new) attackers went down compared with the beginning of the year, but the destructive reach (in regards to victims) per attack went up in numbers. So it looks like there are fewer attackers but with a larger impact."
MongoDB has a straightforward security checklist that can keep your data safe from ransomware attacks. In addition, using a visual MongoDB IDE like Studio 3T to manage your data security, permissions, users, and authentication protocols makes the process that much more visible and shared. It’s a lot harder to overlook a gaping security hole when it’s staring not just you in the face but everyone on your team.
Thankfully, Gevers and his team have gone the extra mile in making recommendations on improved security for the NoSQL platform, and MongoDB has announced imminent improvements.
"Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release." — SecurityWeek’s Ionut Arghire
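The two settings that decided whether an instance was hit in these waves are the ones the checklist and the 3.6 change above are about: what interfaces mongod listens on (`net.bindIp`) and whether authorization is switched on (`security.authorization`). The following audit function is an added example written for this article, not MongoDB's or Studio 3T's code. It takes a mongod.conf that has already been parsed into a Python dict (for instance with PyYAML, which is not imported here so the example runs dependency-free) and reports the exposure pattern the ransom attacks exploited. The two sample configurations are constructed, not taken from any real deployment.

```python
"""Audit a parsed mongod.conf for the exposure pattern behind the NoSQL
ransom wave: a network-reachable mongod with no authorization enabled.
Added example; the configurations below are constructed."""
from ipaddress import ip_address

# Loopback spellings mongod accepts in net.bindIp.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _bind_addrs(net):
    """Return the individual net.bindIp entries (comma-separated string or list)."""
    if net.get("bindIpAll"):          # net.bindIpAll: true == listen everywhere
        return ["0.0.0.0"]
    raw = net.get("bindIp")
    if raw is None:
        return []                     # unset: handled separately in the audit
    if isinstance(raw, str):
        raw = raw.split(",")
    return [a.strip() for a in raw if a.strip()]


def _is_loopback(addr):
    if addr in LOOPBACK:
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False                  # hostname or socket path: treat as reachable


def audit_mongod_config(conf):
    """Return a list of (severity, message) findings for a mongod.conf dict.

    An empty list means the instance is loopback-only and requires auth.
    """
    findings = []
    net = conf.get("net") or {}
    security = conf.get("security") or {}

    # 1. Network exposure. Before 3.6 an unset bindIp meant all interfaces;
    #    from 3.6 the server itself defaults to localhost. Either way, say so.
    if "bindIp" not in net and not net.get("bindIpAll"):
        findings.append(("info",
                         "net.bindIp is unset: localhost-only on 3.6+, all "
                         "interfaces on earlier releases; set it explicitly"))
    exposed = [a for a in _bind_addrs(net) if not _is_loopback(a)]
    if exposed:
        findings.append(("medium",
                         "net.bindIp listens on non-loopback address(es): "
                         + ", ".join(exposed)))

    # 2. Authorization. Without it, anyone who can open a TCP connection
    #    can read, drop and replace every collection.
    auth = str(security.get("authorization", "disabled")).lower()
    if auth != "enabled":
        findings.append(("high",
                         "security.authorization is not 'enabled'; any client "
                         "that can connect has full access"))

    # 3. The combination is what the ransom scripts looked for.
    if exposed and auth != "enabled":
        findings.append(("critical",
                         "network-reachable mongod with no authentication: "
                         "the pattern hit by the ransom attacks"))
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}
HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,::1"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit_mongod_config(conf) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Running it prints three findings for the weak configuration (medium, high, critical) and none for the hardened one. Wiring the same function into a CI step that parses the repository's mongod.conf is the kind of shared visibility the paragraph above describes: the gap is reported to the whole team before the instance is ever reachable from the internet.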
And then there’s another thing the community as a whole can do to help stem the data bleed. Microsoft MVP Troy Hunt writes and trains globally on several topics, including data security. He makes the valid point that calling out poor corporate responses to a data breach is not sufficient. Equally important is to give public kudos to organizations that get it right. It’s easier to follow a good example than to avoid a bad one.
"We all jumped on the 'Equifax dumpster fire' bandwagon recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it’s equally important that we acknowledge exemplary handling of data breaches when they occur because that’s behavior that should be encouraged." — Disqus demonstrates how to do Breach Disclosure Right
The Community Strikes Back
Philip K Dick’s original Minority Report short story (the Tom Cruise movie version is significantly different) described a Cold War world where data management, precognitive modeling, and subsequent abuse of that data were all in the hands of an authoritarian state. The world as it has actually turned out is thankfully far less authoritarian than Dick predicted. But it’s also far more diverse and complex. Gevers and his G.D.I colleagues do us all a very big service by reminding us that building our shared immunity to data hacks is also a shared obligation. And as the ubiquity of data theft spreads daily, theirs is truly the majority report.
Opinions expressed by DZone contributors are their own.