The hack itself is alarmingly simple. In versions >= 2.6.0, MongoDB includes a default configuration file that binds MongoDB to 127.0.0.1 by default. As a result, the database will only listen to local connections.
Before version 2.6.0, that wasn’t true. By default, MongoDB was left open to remote connections. Authentication is also not required by default, which means that out of the box installs of MongoDB before version 2.6.0 happily accept unauthenticated remote connections.
Users could still restrict access to local connections if they took the time to configure the install but that meant manually adding a line to their mongodb.conf file. Since that wasn’t the default configuration, many existing installs never included this critical step.
Making matters worse is that it’s easy to identify potential MongoDB attack candidates. MongoDB’s default port is 27017. Using a search engine such as ZoomEye, you can query for MongoDB installs, see what port they’re available over, and find around 100,000 vulnerable candidates.
The vulnerability itself is hardly new. The issue was first raised back in 2012 and released somewhere around 2015. Also, in early 2015, John Matherly made some noise when he reported finding around 30,000 insecure installs of MongoDB. In other words, this is something that everyone could have known about for a while.
That's not a vulnerability, that is STILL a half-configured system AND no firewall on the server. And MongoDB 2.6 is relatively old; we are on 3.3 these days. This is a database cluster component, not a complete database piece on its own. Whatever "security" professional is writing this piece clearly isn't aware of what they are writing about. What they write is half true: 27017 is listening on 0.0.0.0, but it does so for a reason and is only vulnerable in places where someone did not finish setting up their database AND their server. It's not a vulnerability in the product.
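Both the quoted article and the reply come down to two settings in the MongoDB config file: which address mongod binds to, and whether authentication is enforced. The following is an added example, not code from the article or the commenter, of a small audit script that reads a config file and flags the exposed combination. It handles the legacy `key = value` format the article's "add a line to mongodb.conf" refers to (`bind_ip`, `auth`) and the YAML format MongoDB uses from 2.6 on (`net.bindIp`, `security.authorization`); the `net.bindIpAll` option is a later addition included for completeness, and the two sample configurations embedded below are constructed for the example.

```python
"""Audit a mongod config for the two settings discussed above: the bind
address and whether authentication is enforced. Supports the legacy
ini-style format (pre-2.6) and the YAML format (2.6+). Added example; the
sample configs below are constructed, not taken from any real deployment."""

import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _parse_legacy(text):
    """Parse `key = value` lines (pre-2.6 style) into a flat dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def _parse_yaml_subset(text):
    """Parse the two-level `section:` / `  key: value` YAML subset that
    mongod.conf uses for net and security; returns dotted keys such as
    `net.bindIp`. Not a general YAML parser."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            section = key if value == "" else None
            if value:
                settings[key] = value
        elif section:
            settings[f"{section}.{key}"] = value
    return settings


def audit_mongod_config(text):
    """Return the bound addresses, whether auth is enforced, and a list of
    issues. A missing bind setting is treated as 'all interfaces', which
    is what the pre-2.6 default amounted to."""
    if re.search(r"^\s*\w+\s*=", text, re.M):  # legacy ini-style file
        s = _parse_legacy(text)
        bind = s.get("bind_ip", "0.0.0.0")
        auth = s.get("auth", "false").lower() in ("true", "1", "yes")
    else:  # YAML-style file
        s = _parse_yaml_subset(text)
        bind = s.get("net.bindIp", "0.0.0.0")
        if s.get("net.bindIpAll", "false").lower() == "true":
            bind = "0.0.0.0"
        auth = s.get("security.authorization", "disabled").lower() == "enabled"
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    exposed = any(a not in LOOPBACK for a in addrs)
    issues = []
    if exposed:
        issues.append(f"bound to non-loopback address(es): {', '.join(addrs)}")
    if not auth:
        issues.append("authentication not enforced")
    return {"bind": addrs, "auth": auth, "exposed": exposed, "issues": issues}


# Constructed sample: pre-2.6 style file with no bind_ip and no auth line.
LEGACY_OPEN = """# constructed sample config
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
"""

# Constructed sample: 2.6+ YAML style, loopback only, auth enforced.
YAML_HARDENED = """# constructed sample config
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, cfg in (("legacy-open", LEGACY_OPEN), ("yaml-hardened", YAML_HARDENED)):
        result = audit_mongod_config(cfg)
        print(name, "->", result["issues"] or ["no issues found"])
```

Run it against a real `/etc/mongod.conf` by reading the file into `audit_mongod_config`; a clean result means loopback binding plus enforced authentication, which is the combination the reply describes as "finishing" the setup. It does not replace a host firewall check, which the reply also calls for.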
I wonder how long before they add voice identification. Knowing who is placing orders is pretty important.
There is a voice training that can be done. I have not tried it yet. That may help with recognition.
I don't think it's about training to a voice, it's more for just better understanding you specifically.
Isn't that two ways of stating the same thing?
Huh... yeah, I guess I hear what you are saying, but I more specifically meant to say I don't believe that Amazon is trying to lock onto a specific voice from a specific user, at least not yet. I think the training you provide to the Echo would be applied globally to their entire network of Echos, making you easier to understand at any Echo you talk to in the world, but not with the intent (today) of allowing your Echo in your home to only allow purchases from your voice.
Oh, I see. I didn't think that it was doing that, but it might be.
We recently had to set up an L2TP tunnel for our Apple devices, since the last iOS 10 update took PPTP out of the picture. It was a huge PITA too, because I didn't figure out for a while that the secondary tunnel wouldn't let me reuse existing user accounts in our Watchguard.... that was some fun trial and error. And the WG how-tos never specified anything about needing different user accounts. It sucks to do all the steps right and then get login errors... makes ya feel like an amateur.
Agree. In addition, I have my Hue Lights connected and when I come home at night, I can simply tell Alexa before I turn into my driveway to turn on the lights. Hue has a geo fence that isn't very reliable.
Balloons, even those with propulsion of some sort, are still slow. I'm guessing that's why they are also doing the drone thing. The big balloon thing in the sky has all the things, while the smaller/faster drones actually deliver things.
Well the entire airship isn't going to dock at your house to deliver a toothbrush. That would be crazy. Even if it moved twice as fast as a normal drone it wouldn't work.
I'm completely on board with emails being blocked to your account while you are on vacation. That part I completely agree with for the reasons you mentioned; it also ensures that your boss is taking care of things that are emergent while you are away.
I think that that is what they mean by deleted.
lol, the use of the term "deleted" just seems weird. Deleted to me means that it came in and was then removed.
Well, it kinda is. It exists in transit, and then is dropped. So it's deleted from memory and the server, but it was never delivered to the end user in the first place. So it's a little odd, but it's accurate. Any email that is refused delivery is deleted in a sense.