
This is more akin to a person knowing the basics of driving a car but not which side of the road to use or what to do at a traffic light. They are a danger to themselves and others, the others in this case being the users of whatever services the unsecured databases provide.

My sympathy for people learning the basics of our field and missing a few points stops when others are harmed.



Although the parent's analogy is arguably flawed, there's a very good point in the fact that there are users who are not involved in the implementation of the service - "People with IoT apps for their home". They're not drivers, to follow the driving analogy.

It's unrealistic to expect that the population at large starts to pay significant attention, in particular because the services/gadgets are a black box. How does one know if a device is safe? A layman surely can't; even somebody who's "just a dev" likely can't.

Given the large-scale nature, probably some form of regulation would be the most realistic mitigation. Following the analogy, such users are taxi clients, and for similar reasons, taxis are regulated.

With that in mind, certainly the engineering side of the equation should be held accountable. But it seems that the market is not punishing it at all.


Yup. My point is some people might not even know that their database is accessible from the web lol. It’s pretty easy to follow a tutorial or get something OOTB that’s not secure, so we shouldn’t be saying we’re glad this happened. Even if it’s big businesses, what if said businesses were storing important data such as health records?

I think the learn-by-failing mentality is a good one, but I was hoping we can be mindful of the fact that this harms more than just the "big bad man".

Edit: Addendum for a more thoughtful discussion: it would be great if these databases and tools provided some default security OOTB requiring no configuration whatsoever. Example: rather than creating a user and password with root, I'd rather have some CMS site generate a random one!


Legislation is just so far behind. User data is useful, but there should be requirements before you can just accumulate it. Cars are useful too but require a licence and insurance to drive.


> Given the large-scale nature, probably some form of regulation would be the most realistic mitigation.

Rather than regulation, how about trademark-protected certification? I.e., similar to what Underwriters Laboratories ("UL") does for consumer electrical products in the U.S.?

Except rather than the government requiring certification by UL or similar, organizations could simply decide for themselves whether or not to use uncertified products. And perhaps insurance companies could price certification status into relevant policies.


IoT is unlikely to be affected, unless the device goes out of its way to expose its database via UPnP.


This is my thought - why would an IoT device expose a database publicly? And if so, shouldn't the companies producing those devices be avoiding such bad practices? Maybe the consumer who bought such a device should go to the manufacturer and complain about being sold an inherently insecure device.

