
How a Docker footgun led to a vandal deleting NewsBlur’s MongoDB database

6 Comments and 13 Shares

tl;dr: A vandal deleted NewsBlur’s MongoDB database during a migration. No data was stolen or lost.

I’m in the process of moving everything on NewsBlur over to Docker containers in prep for a big redesign launching next week. It’s been a great year of maintenance and I’ve enjoyed the fruits of Ansible + Docker for NewsBlur’s 5 database servers (PostgreSQL, MongoDB, Redis, Elasticsearch, and soon ML models). The day was wrapping up and I settled into a new book on how to tame the machines once they’re smarter than us when I received a strange NewsBlur error on my phone.

"query killed during yield: renamed collection 'newsblur.feed_icons' to 'newsblur.system.drop.1624498448i220t-1.feed_icons'"

There is honestly no set of words in that error message that I ever want to see again. What is drop doing in that error message? Better go find out.

Logging into the MongoDB machine to check what state the DB was in, I came across the following…

nbset:PRIMARY> show dbs
READ__ME_TO_RECOVER_YOUR_DATA   0.000GB
newsblur                        0.718GB

nbset:PRIMARY> use READ__ME_TO_RECOVER_YOUR_DATA
switched to db READ__ME_TO_RECOVER_YOUR_DATA
    
nbset:PRIMARY> db.README.find()
{ 
    "_id" : ObjectId("60d3e112ac48d82047aab95d"), 
    "content" : "All your data is a backed up. You must pay 0.03 BTC to XXXXXXFTHISGUYXXXXXXX 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com or https://buy.moonpay.io/ After paying write to me in the mail with your DB IP: FTHISGUY@recoverme.one and you will receive a link to download your database dump." 
}

Two thoughts immediately occurred:

  1. Thank goodness I have some recently checked backups on hand
  2. No way they have that data without me noticing

Three and a half hours before this happened, I switched the MongoDB cluster over to the new servers. When I did that, I shut down the original primary in order to delete it in a few days when all was well. And thank goodness I did that as it came in handy a few hours later. Knowing this, I realized that the hacker could not have taken all that data in so little time.

With that in mind, I’d like to answer a few questions about what happened here.

  1. Was any data leaked during the hack? How do you know?
  2. How did NewsBlur’s MongoDB server get hacked?
  3. What will happen to ensure this doesn’t happen again?

Let’s start by talking about the most important question of all, which is what happened to your data.

1. Was any data leaked during the hack? How do you know?

I can definitively write that no data was leaked during the hack. I know this because of two different sets of logs showing that the automated attacker only issued deletion commands and did not transfer any data off of the MongoDB server.

Below is a snapshot of the bandwidth of the db-mongo1 machine over 24 hours:

You can imagine the stress I experienced in the forty minutes between 9:35p, when the hack began, and 10:15p, when the fresh backup snapshot was identified and put into gear. Let’s break down each moment:

  1. 6:10p: The new db-mongo1 server was put into rotation as the MongoDB primary server. This machine was the first of the new, soon-to-be private cloud.
  2. 9:35p: Three hours later an automated hacking attempt opened a connection to the db-mongo1 server and immediately dropped the database. Downtime ensued.
  3. 10:15p: Before the former primary server could be placed into rotation, a snapshot of the server was made to ensure the backup would not delete itself upon reconnection. This cost a few hours of downtime, but saved nearly 18 hours of a day’s data by not forcing me to go into the daily backup archive.
  4. 3:00a: Snapshot completes, replication from original primary server to new db-mongo1 begins. What you see in the next hour and a half is what the transfer of the DB looks like in terms of bandwidth.
  5. 4:30a: Replication, which is inbound from the old primary server, completes, and now replication begins outbound on the new secondaries. NewsBlur is now back up.

The most important bit of information the above chart shows us is what a full database transfer looks like in terms of bandwidth. From 6p to 9:30p, the amount of data was the expected amount from a working primary server with multiple secondaries syncing to it. At 3a, you’ll see an enormous amount of data transferred.

This tells us that the hacker was an automated digital vandal rather than a concerted hacking attempt. And if we were to pay the ransom, it wouldn’t do anything because the vandals don’t have the data and have nothing to release.

We can also reason that the vandal was not able to access any files that were on the server outside of MongoDB due to using a recent version of MongoDB in a Docker container. Unless the attacker had access to a 0-day to both MongoDB and Docker, it is highly unlikely they were able to break out of the MongoDB server connection.

While the server was being snapshotted, I used that time to figure out how the hacker got in.

2. How did NewsBlur’s MongoDB server get hacked?

Turns out the ufw firewall I enabled and diligently kept on a strict allowlist with only my internal servers didn’t work on a new server because of Docker. When I containerized MongoDB, Docker helpfully inserted an allow rule into iptables (in the FORWARD chain, ahead of anything ufw manages, so ufw’s INPUT-chain allowlist never saw that traffic), opening up MongoDB to the world. So while my firewall was “active”, doing a sudo iptables -L | grep 27017 showed that MongoDB was open to the world. This has been a Docker footgun since 2014.

To be honest, I’m a bit surprised it took over 3 hours from when I flipped the switch to when a hacker/vandal dropped NewsBlur’s MongoDB collections and pretended to ransom about 250GB of data. This is the work of an automated hack and one that I was prepared for. NewsBlur was back online a few hours later once the backups were restored and the Docker-made hole was patched.

It would make for a much more dramatic read if I had been hit through a vulnerability in Docker instead of a footgun. By having Docker silently override the firewall, Docker has made it easier for developers who want to open up ports on their containers at the expense of security. Better would be for Docker to issue a warning when it detects that the most popular firewall on Linux is active and filtering traffic to a port that Docker is about to open.
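A way to check for exactly this hole on any Docker host, as an added example in Python (not the post’s own tooling): it reads iptables -S output, lists every port that Docker’s own chain accepts, and reports whether a DOCKER-USER rule guards it. The rule text below is constructed; eth0 as the public interface, the 10.0.0.0/8 allowlist and the container addresses are assumptions.

```python
"""Audit `iptables -S` output for container ports that Docker has published to
the world.  Added example, not code from the NewsBlur post.  Docker's ACCEPT
rules sit in the DOCKER chain, reached from FORWARD, so an allowlist that ufw
keeps in the INPUT chain never sees that traffic; only the DOCKER-USER chain,
which Docker evaluates before its own rules, can veto it."""
import shlex
import subprocess


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into (chain, {option: value}, target).
    A negated match such as `! -i docker0` is stored under the key "!-i"."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None                       # policies (-P), -N, comments: skip
    chain, opts, target, neg, i = toks[1], {}, None, "", 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            neg, i = "!", i + 1
        elif tok == "-j":
            target, i = toks[i + 1], i + 2
        elif tok.startswith("-") and i + 1 < len(toks):
            opts[neg + tok] = toks[i + 1]
            neg, i = "", i + 2
        else:
            i += 1
    return chain, opts, target


def audit(rules_text):
    """Report each port Docker published and whether DOCKER-USER guards it.
    Heuristic: a DROP/REJECT in DOCKER-USER counts as a guard for its --dport,
    or for every port when it names none; -s/-i matches are not evaluated."""
    published, guards = [], []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        chain, opts, target = parsed
        if chain == "DOCKER" and target == "ACCEPT" and "--dport" in opts:
            published.append((opts.get("-p"), opts["--dport"], opts.get("-d")))
        elif chain == "DOCKER-USER" and target in ("DROP", "REJECT"):
            guards.append(opts.get("--dport"))    # None means a blanket guard
    report = []
    for proto, port, container in published:
        guarded = any(g is None or g == port for g in guards)
        report.append({"proto": proto, "port": port, "container": container,
                       "state": "GUARDED" if guarded else "EXPOSED"})
    return report


def exposed_ports(rules_text):
    return sorted(r["port"] for r in audit(rules_text) if r["state"] == "EXPOSED")


def live_rules():
    """Dump the live filter table (needs root).  Not used by the samples."""
    return subprocess.run(["iptables", "-S"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample (FORWARD jump rules omitted): a simplified INPUT allowlist
# is in place, yet Docker has published MongoDB (27017) and Redis (6379) from
# two containers.  The only DOCKER-USER rule is Docker's default RETURN, so
# both ports are reachable from anywhere.
BEFORE = """\
-P INPUT DROP
-P FORWARD DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER-USER -j RETURN
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
"""

# Same host after a hypothetical guard was added with
#   iptables -I DOCKER-USER -i eth0 -p tcp --dport 27017 -j DROP
AFTER = BEFORE.replace(
    "-A DOCKER-USER -j RETURN",
    "-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 27017 -j DROP\n"
    "-A DOCKER-USER -j RETURN")

if __name__ == "__main__":
    # Swap BEFORE for live_rules() to audit a real host.
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(rules))
```

Publishing the port on a private address (for example -p 10.0.0.5:27017:27017) or setting "iptables": false in /etc/docker/daemon.json are the other two ways to keep Docker from opening the port; the audit above reports whichever rules are actually loaded.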

The second reason we know that no data was taken comes from looking through the MongoDB access logs. With these rich and verbose logging sources we can invoke a pretty neat command to find everybody who has accessed MongoDB and is not one of the 100 known NewsBlur machines.


$ grep -Ev "159.65.XX.XX|161.89.XX.XX|<< SNIP: A hundred more servers >>" /var/log/mongodb/mongod.log

2021-06-24T01:33:45.531+0000 I NETWORK  [listener] connection accepted from 171.25.193.78:26003 #63455699 (1189 connections now open)
2021-06-24T01:33:45.635+0000 I NETWORK  [conn63455699] received client metadata from 171.25.193.78:26003 conn63455699: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-74-generic" }, platform: "CPython 3.8.5.final.0" }
2021-06-24T01:33:46.010+0000 I NETWORK  [listener] connection accepted from 171.25.193.78:26557 #63455724 (1189 connections now open)
2021-06-24T01:33:46.092+0000 I NETWORK  [conn63455724] received client metadata from 171.25.193.78:26557 conn63455724: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-74-generic" }, platform: "CPython 3.8.5.final.0" }
2021-06-24T01:33:46.500+0000 I NETWORK  [conn63455724] end connection 171.25.193.78:26557 (1198 connections now open)
2021-06-24T01:33:46.533+0000 I NETWORK  [conn63455699] end connection 171.25.193.78:26003 (1200 connections now open)
2021-06-24T01:34:06.533+0000 I NETWORK  [listener] connection accepted from 185.220.101.6:10056 #63456621 (1266 connections now open)
2021-06-24T01:34:06.627+0000 I NETWORK  [conn63456621] received client metadata from 185.220.101.6:10056 conn63456621: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-74-generic" }, platform: "CPython 3.8.5.final.0" }
2021-06-24T01:34:06.890+0000 I NETWORK  [listener] connection accepted from 185.220.101.6:21642 #63456637 (1264 connections now open)
2021-06-24T01:34:06.962+0000 I NETWORK  [conn63456637] received client metadata from 185.220.101.6:21642 conn63456637: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-74-generic" }, platform: "CPython 3.8.5.final.0" }
2021-06-24T01:34:08.018+0000 I COMMAND  [conn63456637] dropDatabase config - starting
2021-06-24T01:34:08.018+0000 I COMMAND  [conn63456637] dropDatabase config - dropping 1 collections
2021-06-24T01:34:08.018+0000 I COMMAND  [conn63456637] dropDatabase config - dropping collection: config.transactions
2021-06-24T01:34:08.020+0000 I STORAGE  [conn63456637] dropCollection: config.transactions (no UUID) - renaming to drop-pending collection: config.system.drop.1624498448i1t-1.transactions with drop optime { ts: Timestamp(1624498448, 1), t: -1 }
2021-06-24T01:34:08.029+0000 I REPL     [replication-14545] Completing collection drop for config.system.drop.1624498448i1t-1.transactions with drop optime { ts: Timestamp(1624498448, 1), t: -1 } (notification optime: { ts: Timestamp(1624498448, 1), t: -1 })
2021-06-24T01:34:08.030+0000 I STORAGE  [replication-14545] Finishing collection drop for config.system.drop.1624498448i1t-1.transactions (no UUID).
2021-06-24T01:34:08.030+0000 I COMMAND  [conn63456637] dropDatabase config - successfully dropped 1 collections (most recent drop optime: { ts: Timestamp(1624498448, 1), t: -1 }) after 7ms. dropping database
2021-06-24T01:34:08.032+0000 I REPL     [replication-14546] Completing collection drop for config.system.drop.1624498448i1t-1.transactions with drop optime { ts: Timestamp(1624498448, 1), t: -1 } (notification optime: { ts: Timestamp(1624498448, 5), t: -1 })
2021-06-24T01:34:08.041+0000 I COMMAND  [conn63456637] dropDatabase config - finished
2021-06-24T01:34:08.398+0000 I COMMAND  [conn63456637] dropDatabase newsblur - starting
2021-06-24T01:34:08.398+0000 I COMMAND  [conn63456637] dropDatabase newsblur - dropping 37 collections

<< SNIP: It goes on for a while... >>

2021-06-24T01:35:18.840+0000 I COMMAND  [conn63456637] dropDatabase newsblur - finished

The above is a lot, but the important bit of information to take from it is that by using a subtractive filter, capturing everything that doesn’t match a known IP, I was able to find the two connections that were made a few seconds apart. Both connections from these unknown IPs occurred only moments before the database-wide deletion. By following the connection ID, it became easy to see the hacker come into the server only to delete it seconds later.
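The same subtractive filter in code, as an added example that is not part of the post: it drops known sources, fingerprints the rest from their client metadata, and attributes each dropDatabase to the source IP of its connection id. The log lines are a constructed sample in the format shown above (the two addresses come from the post; 10.0.0.5, 10.0.0.6 and KNOWN_HOSTS are placeholders).

```python
"""Triage a mongod.log: which connections came from outside the allowlist, what
client they announced, and which destructive commands ran on which connection.
Added example, not the NewsBlur post's own tooling.  KNOWN_HOSTS is a
constructed placeholder allowlist."""
import re
from collections import defaultdict

# Patterns for the mongod 4.x text log format shown in the post.
ACCEPTED = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[listener\] connection accepted from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ #(?P<conn>\d+)")
METADATA = re.compile(
    r"^\S+ I NETWORK\s+\[conn(?P<conn>\d+)\] received client metadata from "
    r'\S+ conn\d+: .*driver: \{ name: "(?P<driver>[^"]+)", version: "(?P<ver>[^"]+)"')
COMMAND = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] (?P<cmd>\w+) (?P<target>\S+) - starting")

DESTRUCTIVE = {"dropDatabase"}   # commands logged as "<cmd> <db> - starting"


def audit(log_text, known_hosts):
    """Return unknown sources (ip -> conn ids and driver string) and every
    destructive command, attributed to the source IP of its connection."""
    conn_ip = {}                                    # conn id -> source ip
    unknown = defaultdict(lambda: {"conns": [], "driver": None})
    destructive = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            if m["ip"] not in known_hosts:
                unknown[m["ip"]]["conns"].append(m["conn"])
            continue
        m = METADATA.match(line)
        if m:
            ip = conn_ip.get(m["conn"])
            if ip in unknown:                       # only fingerprint strangers
                unknown[ip]["driver"] = f'{m["driver"]} {m["ver"]}'
            continue
        m = COMMAND.match(line)
        if m and m["cmd"] in DESTRUCTIVE:
            ip = conn_ip.get(m["conn"], "?")        # "?" if the accept line was rotated away
            destructive.append({"ts": m["ts"], "cmd": m["cmd"], "target": m["target"],
                                "conn": m["conn"], "ip": ip, "known": ip in known_hosts})
    return {"unknown": dict(unknown), "destructive": destructive}


KNOWN_HOSTS = {"10.0.0.5", "10.0.0.6"}   # constructed placeholder allowlist

# Constructed sample: one allowlisted client, then the two unknown connections.
SAMPLE_LOG = """\
2021-06-24T01:33:40.100+0000 I NETWORK  [listener] connection accepted from 10.0.0.5:40112 #63455600 (1188 connections now open)
2021-06-24T01:33:40.150+0000 I NETWORK  [conn63455600] received client metadata from 10.0.0.5:40112 conn63455600: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux" } }
2021-06-24T01:33:45.531+0000 I NETWORK  [listener] connection accepted from 171.25.193.78:26003 #63455699 (1189 connections now open)
2021-06-24T01:33:45.635+0000 I NETWORK  [conn63455699] received client metadata from 171.25.193.78:26003 conn63455699: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux" } }
2021-06-24T01:33:46.533+0000 I NETWORK  [conn63455699] end connection 171.25.193.78:26003 (1200 connections now open)
2021-06-24T01:34:06.890+0000 I NETWORK  [listener] connection accepted from 185.220.101.6:21642 #63456637 (1264 connections now open)
2021-06-24T01:34:06.962+0000 I NETWORK  [conn63456637] received client metadata from 185.220.101.6:21642 conn63456637: { driver: { name: "PyMongo", version: "3.11.4" }, os: { type: "Linux" } }
2021-06-24T01:34:08.018+0000 I COMMAND  [conn63456637] dropDatabase config - starting
2021-06-24T01:34:08.398+0000 I COMMAND  [conn63456637] dropDatabase newsblur - starting
2021-06-24T01:35:18.840+0000 I COMMAND  [conn63456637] dropDatabase newsblur - finished
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG, KNOWN_HOSTS)
    for ip, info in result["unknown"].items():
        print(f"unknown source {ip}: conns {info['conns']} driver {info['driver']}")
    for d in result["destructive"]:
        print(f"{d['ts']} {d['cmd']} {d['target']} via conn{d['conn']} from {d['ip']}")
```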

Interestingly, when I visited the IP address of the two connections above, I found a Tor exit router:

This means that it is virtually impossible to track down who is responsible due to the anonymity-preserving quality of Tor exit routers. Tor exit nodes have poor reputations due to the havoc they wreak. Site owners are split on whether to block Tor entirely, but some see the value of allowing anonymous traffic to hit their servers. In NewsBlur’s case, because NewsBlur is a home of free speech, allowing users in countries with censored news outlets to bypass restrictions and get access to the world at large, the continuing risk of supporting anonymous Internet traffic is worth the cost.

3. What will happen to ensure this doesn’t happen again?

Of course, being in support of free speech and providing enhanced ways to access speech comes at a cost. So for NewsBlur to continue serving traffic to all of its worldwide readers, several changes have to be made.

The first change is the one that, ironically, we were in the process of moving to. A VPC, a virtual private cloud, keeps critical servers only accessible from other servers in a private network. But in moving to a private network, I need to migrate all of the data off of the publicly accessible machines. And this was the first step in that process.

The second change is to use database user authentication on all of the databases. We had been relying on the firewall to provide protection against threats, but when the firewall silently failed, we were left exposed. Now who’s to say that this would have been caught if the firewall failed but authentication was in place? I suspect the password needs to be long enough to not be brute-forced, because eventually, knowing that an open but password-protected DB is there, it could very possibly end up on a list.

Lastly, a change needs to be made as to which database users have permission to drop the database. Most database users only need read and write privileges. The ideal would be a localhost-only user being allowed to perform potentially destructive actions. If a rogue database user starts deleting stories, it would get noticed a whole lot faster than a database being dropped all at once.
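What the two changes above look like as MongoDB user definitions, as an added example (not NewsBlur’s configuration): a custom role that can read and write but not drop, an app user pinned to the private network, a drop-capable admin pinned to localhost, and a small lint that flags any user who can drop from off-host. The role and user names, the 10.0.0.0/8 app network and the passwords are placeholders; each dict is a command document that pymongo’s db.command() accepts.

```python
"""Least-privilege MongoDB users for the fixes above: authentication on
(security.authorization: enabled in mongod.conf) and an application role that
cannot drop anything.  Added example, not NewsBlur's configuration; names,
the 10.0.0.0/8 app network and the passwords are placeholders."""

# dropCollection is part of the built-in readWrite role and dropDatabase part
# of dbAdmin/dbOwner, so a custom role is the only way to grant an application
# find/insert/update/remove and nothing more.
DESTRUCTIVE_ACTIONS = {"dropDatabase", "dropCollection"}
DESTRUCTIVE_BUILTIN_ROLES = {"readWrite", "readWriteAnyDatabase", "dbAdmin",
                             "dbAdminAnyDatabase", "dbOwner", "root"}
LOOPBACK = {"127.0.0.1", "::1"}

APP_ROLE = {                                   # db.command(APP_ROLE) on "newsblur"
    "createRole": "appReadWrite",
    "privileges": [{"resource": {"db": "newsblur", "collection": ""},   # "" = all collections
                    "actions": ["find", "insert", "update", "remove"]}],
    "roles": [],
}
APP_USER = {
    "createUser": "newsblur_app",
    "pwd": "<long random secret from the secret store>",              # placeholder
    "roles": [{"role": "appReadWrite", "db": "newsblur"}],
    "authenticationRestrictions": [{"clientSource": ["10.0.0.0/8"]}],  # private net only
}
ADMIN_USER = {                                 # the one identity that can drop
    "createUser": "newsblur_admin",
    "pwd": "<another long random secret>",                             # placeholder
    "roles": [{"role": "dbOwner", "db": "newsblur"}],
    "authenticationRestrictions": [{"clientSource": ["127.0.0.1"]}],   # localhost only
}
LEGACY_USER = {                                # the pre-incident shape, for contrast
    "createUser": "legacy_app",
    "pwd": "<secret>",
    "roles": [{"role": "readWrite", "db": "newsblur"}],
}


def can_drop(user, custom_roles):
    """True if any of the user's roles carries a drop action.  Custom roles are
    looked up by name; roles a custom role inherits are not followed."""
    for r in user["roles"]:
        if r["role"] in DESTRUCTIVE_BUILTIN_ROLES:
            return True
        role = custom_roles.get(r["role"])
        if role and any(set(p["actions"]) & DESTRUCTIVE_ACTIONS
                        for p in role["privileges"]):
            return True
    return False


def loopback_only(user):
    """True if every allowed client source is a loopback address."""
    sources = [s for ar in user.get("authenticationRestrictions", [])
               for s in ar.get("clientSource", [])]
    return bool(sources) and all(s in LOOPBACK for s in sources)


def lint(users, custom_roles):
    """Names of users that can drop data yet may log in from off-host."""
    return [u["createUser"] for u in users
            if can_drop(u, custom_roles) and not loopback_only(u)]


if __name__ == "__main__":
    roles = {APP_ROLE["createRole"]: APP_ROLE}
    print(lint([APP_USER, ADMIN_USER, LEGACY_USER], roles))   # ['legacy_app']
```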

But each of these is only one piece of a defense strategy. As this well-attended Hacker News thread from the day of the hack made clear, a proper defense strategy can never rely on only one well-setup layer. And for NewsBlur that layer was an allowlist-only firewall that worked perfectly up until it didn’t.

As usual the real heroes are backups. Regular, well-tested backups are a necessary component to any web service. And with that, I’ll prepare to launch the big NewsBlur redesign later this week.

BLueSS
80 days ago
Thanks, Samuel, for your hard work and efforts keeping NewsBlur alive!
5 public comments
seriousben
78 days ago
Great root cause analysis of a security incident.
Canada
chrisrosa
80 days ago
Great write up Samuel. And kudos for your swift and effective response.
San Francisco, CA
jshoq
80 days ago
This is a great account on how to recover a service from a major outage. In this case, NewsBlur was attacked by a scripter that used a well known hole to attack the system. In this case, a well planned and validated backup setup helped NewsBlur to get their service back online quickly. This is a great read of a blameless post mortem executed well.
JS
Seattle, WA
jqlive
80 days ago
Thanks for the write up, it was interesting to read and very transparent of you. It would be an interesting read to know how you'll be applying ML Models to Newsblur.
CN/MX
samuel
80 days ago
What a week. In other news, new blog design launched!
Cambridge, Massachusetts
deezil
80 days ago
Thanks for being above-board with all this! The HackerNews comment section was a little brutal towards you about some things, but I like that you've been transparent about everything.
samuel
80 days ago
HN only knows how to be brutal, which I always appreciate.
acdha
79 days ago
Thanks for writing this up. That foot-gun really needs fixing.

Welcome to Our Modern Hospital Where If You Want to Know a Price You Can Go Fuck Yourself

5 Comments and 16 Shares

Welcome to America General Hospital! Seems you have an oozing head injury there. Let’s check your insurance. Okay, quick “heads up” — ha! — that your plan may not cover everything today. What’s that? You want a reasonable price quote, upfront, for our services? Sorry, let me explain a hospital to you: we give you medical care, then we charge whatever the hell we want for it.

If you don’t like that, go fuck yourself and die.

Honestly, there’s no telling what you’ll pay today. Maybe $700. Maybe $70,000. It’s a fun surprise! Maybe you’ll go to the ER for five minutes, get no treatment, then we’ll charge you $5,000 for an ice pack and a bandage. Then your insurance company will be like, “This is nuts. We’re not paying this.” Who knows how hard you’ll get screwed? You will, in three months.

Fun story: This one time we charged two parents $18,000 for some baby formula. LOL! We pull that shit all the time. Don’t like it? Don’t bring a baby, asshole.

Oh, I get it: you’re used to knowing a clear price for products and services. The difference is that medicine is complicated and scary — unlike, say, flying hundreds of people in a steel tube across an ocean, or selling them a six-ounce hand-held computer that plays movies and talks to satellites. Anyway, no need to think this through rationally while you’re vulnerable, right? Your head is really gushing, ma’am.

Sure we could start posting prices and discussing our costs, but then it turns into a public debate about transparency, and people get all huffy and self-righteous about $15 pills of Tylenol, $93 to turn on a single goddamned light, or $5,000 worth of sanitary gloves. We’d rather just mail you a bill later for $97,000, full of obscure medical codes you can’t understand. Oh, you like understanding things? Here, maybe this will help:

Hit your head, and talk to a doctor for one minute? $2,500, you idiot.

Want your pesky appendix out? That’ll probably be $33,611. Or it could be $180,000. Shrug. Don’t know. Don’t care.

Need an hour in the ER? How does $15,000-$50,000, sound? Hint: we don’t give a piss how it sounds you stupid fucking helpless human wallet.

Our medical system strikes you as “insane?” Well, you can’t do much about that now. Except of course to go fuck yourself. Yes, ma’am, as a matter of fact, we do have a special room where you can go fuck yourself. Yes, it does cost money to use the room, and no I cannot tell you how much. Want a hint? It’s between $1 and $35,000 per minute. Will you be reserving the go fuck yourself room?

Oh, you think you think we’re cruel and illogical? Well, no one forced you to come here. It’s your decision, you head-injured meatball. Feel free to go out into the parking lot and just die. I suggest you do that out in section F. Try to lean your corpse against a light pole. Our dead body disposal fee is $3.75 and is not covered by your shitty, confusing, out-of-network medical plan.

So, will you be dying in our parking lot today, you pathetic, impotent, walking insurance code? Okay, great! Your husband will get a bill for that soon, and if he doesn’t like it, he can fuck himself too.

BLueSS
1015 days ago
Thankfully, dental procedures are the opposite, in my experience. I usually get provided my out of pocket expenses when I'm being told about the work that should be done.

If only medical could catch up to what's done on the dental side...
4 public comments
sarcozona
1014 days ago
I am never ever going back
ChrisDL
1015 days ago
number one reason i might move away from the US.
New York
freeAgent
1015 days ago
My wife is having a procedure done that isn't covered by insurance. She was referred to a place that was going to charge $1,600. She shopped around and found a different place that will do it for $4-500. She had to go back to her referring physician to have a second referral for the procedure sent to the other location. On top of that, my wife and her referring physician are coworkers, so it is not as though her doctor was trying to screw her over. Doctors just aren't aware of the costs for procedures or the differences in cost between facilities. That there can be a 3x cost difference between providers, even in the same region, for the exact same procedure is ridiculous.
ChrisDL
1015 days ago
thanks for sharing that. I feel like we all have some version of these stories at this point. a dentist that gives you a bunch of care you don't really need. Or an insurance company rep that says something is covered but then it isn't, and there just doesn't seem to be any real recourse unless you feel like litigating. The other thing that surprised me is that it seems a lot of americans don't realize it doesn't have to be like this, plenty (arguably most?) other countries don't have these issues.
diannemharris
1015 days ago
The only thing that is wrong about this piece is that a lot of the time people don't have a choice and are taken against their will, unconscious or not, and they still get the bill.
deezil
1016 days ago
Yet again, McSweeney's hits it on the head. (no pun intended)
Louisville, Kentucky
jhamill
1016 days ago
That'll be $150 or $15,000. Don't know. Don't care.

Things that happen in Silicon Valley and also the Soviet Union

jwz
4 Comments and 14 Shares
Anton Troynikov:

  • Waiting years to receive a car you ordered, to find that it's of poor workmanship and quality.
  • Promises of colonizing the solar system while you toil in drudgery day in, day out.
  • Living five adults to a two room apartment.
  • Being told you are constructing utopia while the system crumbles around you.
  • 'Totally not illegal taxi' taxis by private citizens moonlighting to make ends meet.
  • Everything slaved to the needs of the military-industrial complex.
  • Mandatory workplace political education.
  • Productivity largely falsified to satisfy appearance of sponsoring elites.
  • Deviation from mainstream narrative carries heavy social and political consequences.
  • Networked computers exist but they're really bad.
  • Henry Kissinger visits sometimes for some reason.
  • Elite power struggles result in massive collateral damage, sometimes purges.
  • Failures are bizarrely upheld as triumphs.
  • Otherwise extremely intelligent people just turning the crank because it's the only way to get ahead.
  • The plight of the working class is discussed mainly by people who do no work.
  • The United States as a whole is depicted as evil by default.
  • The currency most people are talking about is fake and worthless.
  • The economy is centrally planned, using opaque algorithms not fully understood by their users.


BLueSS
1167 days ago
Good thing silicon valley isn't influencing US elections... Oh wait.
3 public comments
freeAgent
1167 days ago
Genius
Los Angeles, CA
laza
1167 days ago
So great!!!
Belgrade, Serbia
kbrint
1168 days ago
Kinda!

Backpack Decisions

6 Comments and 12 Shares
"This one is perfect in every way, except that for some reason it's woven from a tungsten mesh, so it weighs 85 pounds and I'll need to carry it around on a hand cart." "That seems like a bad--" "BUT IT HAS THE PERFECT POCKET ARRANGEMENT!"
BLueSS
1318 days ago
This is me, except swap backpack and phone.
codersquid
1318 days ago
it me, except swap backpack with jackets with the right pockets. ....currently in winter I have a scottevest impulsively bought after reading a blog post by charlie stross. there is nothing like it for the summer here. SIGH
codersquid
1318 days ago
AND THE SCOTTEVEST IS OLD and should be replaced because I lost the sleeves. it is not replaced yet so my bar graph is unfinished
5 public comments
kazriko
1300 days ago
It's served me fairly well to just buy whatever backpack Meh is selling.
Colorado Plateau
ameel
1317 days ago
OMG yes!
Melbourne, Australia
stefanetal
1307 days ago
Worst part is once you find a good knapsack, it gets discontinued.
mburch42
1318 days ago
This is me, but for outerwear generally.
smarkwell
1318 days ago
For those looking to go deep on this topic, I suggest looking at these brands

https://www.sfbags.com/
https://www.tombihn.com/
https://www.manfrotto.us/products/camera-bags
https://www.lowepro.com/
paulconstant
1318 days ago
Love Tom Bihn! If you live in Seattle, you should go to their factory showroom, try out some bags, and watch them get handmade on site!
JayM
1317 days ago
Love my Tom Bihn Brain Bag...
WorldMaker
1317 days ago
I love everything I've bought from SF Bags (Waterfield), but the interesting irony that for the most part I've bought every bag from them to be inside some other bag (mostly an LL Bean backpack I've had since late college). Just noticed their "Pro Backpack" project, which sounds fascinating.
tedder
1317 days ago
I'm a lover of timbuk2.
amijangos
1316 days ago
Thanks for the links, love bags!
ScottInPDX
1316 days ago
I'm on year 10 of my Tom Bihn Empire Builder bag. It's probably got another 30 left in it.
endlessmike
1313 days ago
I've been using a Chrome messenger for several years and it's in great shape. It's not perfect (there's very few pockets other than the main compartment and a strap to put on a roller bag would be nice), but I really like it. You do occasionally run into someone who thinks it's funny to press the seatbelt button, though.

Reaching people on the internet

5 Comments and 10 Shares
BLueSS
1421 days ago
The Oatmeal is about 3 years behind the times on this one.
gglockner
1421 days ago
You missed the best part: https://twitter.com/Oatmeal/status/923250055540219904
3 public comments
vfxGer
1421 days ago
Glad I still use RSS
Gregidon
1421 days ago
Indeed, no algorithm to decide what I want to see
cygnoir
1421 days ago
I miss the old days.
Portland, OR, USA
pdp68
1422 days ago
We brought it on ourselves
Belgium

Google Has Dropped Ban on Personally Identifiable Web Tracking

5 Comments and 12 Shares

Julia Angwin, reporting for ProPublica:

When Google bought the advertising network DoubleClick in 2007, Google founder Sergey Brin said that privacy would be the company’s “number one priority when we contemplate new kinds of advertising products.”

And, for nearly a decade, Google did in fact keep DoubleClick’s massive database of web-browsing records separate by default from the names and other personally identifiable information Google has collected from Gmail and its other login accounts.

But this summer, Google quietly erased that last privacy line in the sand — literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use of Gmail and other tools. […]

The practical result of the change is that the DoubleClick ads that follow people around on the web may now be customized to them based on the keywords they used in their Gmail. It also means that Google could now, if it wished to, build a complete portrait of a user by name, based on everything they write in email, every website they visit and the searches they conduct.

My question is simple. Why is Google doing this? To make even more money? Or because they need to do this to keep making the same amount of money? Either way it’s gross.

4 public comments
superiphi
1789 days ago
The last google login thing I use is the calendar. Time to stop
All that spying & the ads I get are still pathetic
Idle, Bradford, United Kingdom
fxer
1791 days ago
Daily reminder why you should feel no shame running a content blocker, things are so massively stacked against you it's unbelievable
Bend, Oregon
shrike
1791 days ago
What happened to #donoevil?
Finland
evaryont
1790 days ago
You may or may not be aware, but that hasn't been any part of Google's (or Alphabet's now?) corporate slogan for years now. I think more than a decade. And this is particularly evil, in my book.
sirshannon
1791 days ago
Damn it.