While I'm glad no data was leaked and that Samuel is taking the layered defense approach seriously as it was wildly debated on the previous HN thread, I'm still a bit miffed that we only got confirmation that no leak actually occurred now.
As a Newsblur customer, I would have really preferred the following course of action: lock down infrastructure, confirmation that no leak occurred, communication of that fact to customers and THEN service recovery. While this was all happening, the only indication that most likely no data was leaked was a single HN commenter that had a similar experience:
https://news.ycombinator.com/item?id=27615708
This is horrific. So the hacker is claiming to have a copy of our data. 0.03 BTC is less than $1000. Regardless of you being able to restore from backups, I assume you're paying the ransom to hopefully avoid the leak, right?
I paid Samuel and entrusted him with my data. Not too much, but enough for it to matter. When faced with a massive leak like this, he downplays everything, calls the hacker a "script kiddie" and calls this "good practice for what will be the first of many sleepless nights", looking at it only from a "service disruption" perspective.
So far we've gotten no indication of what's been leaked, if it contains deleted feeds, or what he's doing to prevent the data from being leaked by the hacker, if anything. He's been solely focused on restoring the service and ignoring the leak. Compared to not having access to an RSS reader for any random period of time, the leak is orders of magnitude more serious to me and I'd wager to most of Newsblur customers.
I honestly don't care if paying a ransom or interacting with the hacker makes him more likely to be targeted in the future; his duty towards his customers was to keep their private data private, and not only did he fail at that, but he doesn't even seem to register that as his main priority. As far as I'm aware, if he allows the data to leak publicly, then there's no "recovering from there"; he's not getting any more of my money.
I'm on the same side of the argument as you and indeed I believe I feel as strongly about it as you. Especially the brushing it off, calling them script kiddies[1], and generally being "well aw shucks aren't I great for not deleting my copy of the data, I'm so great"[2] about the whole thing grinds my gears too.
I'm saying whoever is ransoming the data already has the data, the data is out of Newsblur's control, therefore the data is already leaked.
The data leak is past tense. It has already happened, not will happen. No amount of money will undo that. If that means they've lost you as a customer, that's how it is.
What we now need to know is what data was leaked?
[1]: which, to be fair to Newsblur, they are, but if a script kiddie hacks you using something as basic as a missing firewall rule... Arguably not knowing Docker's quirks but using it anyway is the same damn thing as what script kiddies do. Sys kiddie, if you will.
[2]: Why is that cause for celebration? Do you not have backups?
There is a material difference to users between a single attacker having (and possibly ignoring) a data dump, and that attacker publishing that dump publicly, or selling it to someone who plans to exploit its contents.
The attacker has offered to not publish if they are paid. Their word probably isn't worth much, but $1,000 seems like an affordable sum for a business to gamble on them being honest about it. And if Newsblur doesn't fix their security problems they'll be targeted again either way.
As someone who has a decade of data in Newsblur, if there's any chance that an affordable ransom will keep my data from spreading further I want Samuel to take it.
The fact that you believe paying the ransom is even an option shows that you really aren't even qualified to be discussing this topic. People with your mindset are a big part of the reason that ransomware is still going strong. The other big part is people who don't run their systems correctly in the first place.
Giving them $1000 confirms the value, allowing them to list the dump at a higher price than the usual $10-50 spammers would pay (each) for the email addresses alone.
Samuel's nonchalant reply to this is highly disturbing to me. I'm a Newsblur customer and as far as I can tell, my feed data is in the hands of some hacker and he doesn't care at all. I am much less concerned about the service being restored, which seems to be all that he's worried about, and more about knowing who has my data.
On top of that, I used to use his "forward newsletters to Newsblur" feature for a long time. I've long stopped using it and deleted all the feeds with newsletters, partly because it never worked very well, but mostly because I more or less had an inkling that something like this would happen and it's just not worth it, too many email newsletters leak personal data all over the place. However, I have no clue if those were really deleted or if they stuck around in MongoDB.
Clarification of what exactly the ransom is (did he just dump it locally and encrypt it? or did the hacker download it and is threatening to leak it?) would be very welcome.
> On top of that, I used to use his "forward newsletters to Newsblur" feature for a long time. I've long stopped using it and deleted all the feeds with newsletters, partly because it never worked very well,
Newsblur mangled the formatting of a very large number of newsletters I forwarded. The grouping per sender was great, but not really worth it if many newsletters end up unreadable.
Considering Newsblur's solution relied on setting up (sender/subject) filters on your email provider, I just kept doing that, but instead of forwarding to Newsblur, I now direct them all to a separate folder.
Lost the grouping per sender, but I honestly didn't explore an alternative too much. Even if Newsblur didn't mess with the newsletters' HTML and displayed them as GMail does, it was just too much of a liability to blindly forward emails to a third-party service like that: many companies do obnoxious things like send transactional emails from the same address as their newsletters, or blur the line between what is bulk and targeted mail, and I'd rather not have things like emails with flight information and other random tidbits of personal data floating around in someone's MongoDB.