Privacy

Ask Slashdot: How Can I Stop Security Firms From Harvesting My Data?

Slashdot reader Unpopular Opinions requests suggestions from the Slashdot community: Lately a boom of companies decided to play their "nice guy" card, providing us with a trove of information about our own sites, DNS servers, email servers, pretty much anything about any online service you host.

Which is not anything new... Companies have been doing this for decades, except as paid services you requested. Now the trend is basically anyone can do it over my systems, and they are always more than happy to sell anyone, me included, my data they collected without authorization or consent. It's data they never had the rights to collect and/or compile to begin with, including data collected thru access attempts via known default accounts (Administrator, root, admin, guest) and/or leaked credentials provided by hacked databases when a few elements seemingly match...

"Just block those crawlers"? That's what some of those companies advise, but not only does the site operator have to automate it themselves, not all companies offer lists of their source IP addresses or identify them. Some use multiple/different crawler domain names from their commercial product, or use cloud providers such as Google Cloud, AWS and Azure - so one can't just block access to their company's networks without massive implications. They also change their own information with no warning, and many times, no updates to their own lists. Then, there is the indirect cost: computing cost, network cost, development cost, review cycle cost. It is a cat-and-mouse game that has become very boring.

With the rise of concerns and ethical questions about AI harvesting and learning from copyrighted work, how are those security companies any different from AI, and how could one legally put a stop to this?

Block those crawlers? Change your Terms of Service? What's the best fix... Share your own thoughts and suggestions in the comments.

How can you stop security firms from harvesting your data?
  • by bloodhawk ( 813939 ) on Sunday February 04, 2024 @06:33PM (#64213658)
    Even this model is not new. Security firms have been doing this combined with Cold calls to spruik their service for decades now. Anything you don't want them to harvest make sure you hide behind firewalls, disable response headers that reveal information about the system, use load balancers and app gateways/proxies etc etc.
  • by clivedon ( 10477540 ) on Sunday February 04, 2024 @06:35PM (#64213660)
    You don't like people accessing your publicly accessible systems? Don't make them publicly accessible. I get it, you want your cake and to eat it too. You can't control what other people do with the information once they have it. Even if you could stop these legitimate groups from doing this, you couldn't stop the malicious actors.
    • by paul_engr ( 6280294 ) on Sunday February 04, 2024 @07:59PM (#64213838)
      The problem with that sentiment is that as time goes on, it becomes impossibly difficult/burdensome to try and proactively close all of the holes as a single operator or small organization. If there's 100 people on the internet trying to poke every known and unknown interface and exploit to get in and accumulate data, how does one person keep up against that? I used to host all of my own shit, and took the time to keep up with the security best practices and everything, but it's far too stressful to think about it these days. I'm sure that the big providers are not much more secure, but they at least keep a lid on it. How do they do that? Guys with bags of cash or dynamite? Hire the hackers? I don't rightly know...
      • If your company or your team doesn't know how to properly secure your web site, you might not be paying enough for your developers. Security these days is not optional, you have to know what you're doing. If you go cheap, you'll get developers who write crappy code that leaks.

      • The bad guys are out there, and they're not going to be sympathetic to your lack of time or motivation. I understand how you feel, but these days you can't afford to be complacent, especially so if you are responsible for securing data relating to or owned by other people. In my personal view, if I don't want to do something right, I don't do it at all.
      • Move all your stuff to a private network and use a VPN to get to the private network. Then only allow the very specific public services you need to expose in.

        Unless you're doing something really weird, you should be able to limit your public exposure to some web services - and even then to just a couple of apps. Keeping that (plus the VPN) patched and updated ought not be too hard. I'd personally stay away from hosting any public SMTP or DNS services - they're ten a penny to have them hosted for you, and it

  • Easy (Score:5, Funny)

    by Waffle Iron ( 339739 ) on Sunday February 04, 2024 @06:38PM (#64213674)

    How Can I Stop Security Firms From Harvesting My Data?

    Do not connect any of your systems to the Internet.

  • This is just one of the fine grain settings that needs to be changed. Capitalism is the greed cancer that infects this country and mostly the world now. Until you change that, data harvesting will be just one of many plagues of our society.

    • by Anonymous Coward

      Ah, yes. Capitalism. Collecting data is a phenomenon unique to market-based economies and their governments. The Stasi, for instance: what mighty capitalists they were. Today we have China and its Social Credit Score: another expression of the ebil capitalism.

    • That dirty Capitalism! We should definitely replace it with Socialism. Nobody is ever greedy under Socialism. The only drawback is that it was proven to be an unworkable disaster that produces only slaughter and suffering on a massive scale. But hey, just because every time it was tried it turned immediately into a brutal totalitarian dictatorship doesn't mean the next time won't be the charm! Maybe your Socialism will be the one that doesn't kill its own citizens by the millions!

      I just hope you do

      • I didn't say shit about Socialism, especially not MY Socialism. I prefer no -isms. You do your thing and I do mine. I don't tell you what that is and you don't tell me what mine is. See? It's fucking simple as flushing a toilet.

      • They don't have Jews in Nicaragua, so they're going for the Catholics instead.

  • by david.emery ( 127135 ) on Sunday February 04, 2024 @06:59PM (#64213728)

    A friend carefully monitors his network, and sees a fair amount of this security scanning. Of course, that sets off the alarms he's added to his systems, clogging up logfiles and generally chewing through both bandwidth and server. At some point, this moves beyond "fair use" into "unfair use," but I don't know where to draw this line. Seems to me that "responsible" security scanning should be infrequent and probably announced ahead of time. But I could see arguments the other way.

    And of course, the only way to distinguish a 'security scan' from a 'vulnerability scan' is to look at the originator IP and draw conclusions from that, which we know is not really authoritative.

    • If your logging and alerting is chewing up your bandwidth and server processing you are doing logging and alerting wrong. Every server accessible over the internet will be getting port and vulnerability scans and scripts hitting them throughout the day EVERY day. This is noise and you shouldn't bother with alerting on this stuff.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      And of course, the only way to distinguish a 'security scan' from a 'vulnerability scan' is to look at the originator IP and draw conclusions from that, which we know is not really authoritative.

      'Security' or 'vulnerability' scanning implies a contract is in place and therefore are actions/services that someone has requested to be done.

      Otherwise, it doesn't really matter where it originated from. They're unwanted and/or unauthorized.

    • A spotlight is perceived as necessary because there is no light being cast, so each individual shines their own spotlight so they can see. Perhaps it would be better to have each ISP perform full scans and then publish the data openly? Democratize access to the information to reduce wasted resources.

      "But my pants are down!", says the system owner.

      "Your pants were already down, but previously, only the bad guys noticed.", says the ISP.

  • Lots of info about any sites or services you host is by design publicly accessible, as in, the internet would not actually function as it does without it. If this makes you feel insecure it is best you don't even know about all the people looking and not telling you about it.
  • [They are] providing us with a trove of information about our own sites, DNS servers, email servers, pretty much anything about any online service you host.[...] Now the trend is basically anyone can do it over my systems, and they are always more than happy to sell anyone, me included, my data they collected without authorization or consent. It's data they never had the rights to collect and/or compile to begin with

    Put clear Terms of Service on your website (or anywhere else you control the info, I'd sugge

    • by sabri ( 584428 )

      Put clear Terms of Service on your website (or anywhere else you control the info, I'd suggest also adding a X-Terms-of-Service-Fees: header in all your webserver's HTTP responses pointing to a relevant link) that you charge a fee (just pull any number out of thin air, like $7500USD) for any info scraped for any sort of commercial purposes, and when they admit to it by cold-calling you (as they just did), inform them of the immediate charge, payable within 30 minutes, with by-the-minute accrual interest of 3% after that time.

      I would love to see you argue for this in a court of law.

      The judge will probably laugh harder at you than at a sovereign citizen.

      • Re: (Score:3, Informative)

        by Sebby ( 238625 )

        I would love to see you argue for this in a court of law. The judge will probably laugh harder at you than at a sovereign citizen.

        Why?

        Why is it Big Tech can hit users over the head with their convoluted and lawyered-up ToS in courts, sometimes using the CFAA, but that anyone else can't based on their own ToS of their choosing?

        What's the difference between Unpopular Opinions' business stance vs. Big Tech's?? Are they not entitled to the same equal rights in law?

        Please, enlighten us, by issuing a minimum 1000-word essay detailing your arguments.

        • Why?

          Because to be valid a contract has to have shown clear agreement between two parties and clicking on a button does not generally show such agreement. This is a VERY good thing because, while you might think it would be neat to try this trick on large companies, those large companies will be able to play far meaner similar tricks on all of us if this were legal.

          Why is it Big Tech can hit users over the head with their convoluted and lawyered-up ToS in courts

          They can't in most courts outside the US - they tend to get thrown out for the reasons stated above. This is a good thing.

        • Why is it Big Tech can hit users over the head with their convoluted and lawyered-up ToS in courts, sometimes using the CFAA, but that anyone else can't based on their own ToS of their choosing?

          You're begging the question. The actual answer is much of what Big Tech writes in their ToS is equally unenforceable, and that's despite Big Tech imposing the ToS as a barrier to functionality rather than a note that is ignored and doesn't request specific consent.

          The GP's post is completely unenforceable in court.

          Terms of Service: By having read the above post you implicitly agree to send me $10000000 and change your official name to Sebby.

        • by mjwx ( 966435 )

          I would love to see you argue for this in a court of law. The judge will probably laugh harder at you than at a sovereign citizen.

          Why?

          Why is it Big Tech can hit users over the head with their convoluted and lawyered-up ToS in courts, sometimes using the CFAA, but that anyone else can't based on their own ToS of their choosing?

          What's the difference between Unpopular Opinions' business stance vs. Big Tech's?? Are they not entitled to the same equal rights in law?

          Please, enlighten us, by issuing a minimum 1000-word essay detailing your arguments.

          Because shrink-wrap contracts have been literally unenforceable in most civilised countries for decades now. You cannot be held subject to a contract you did not see before purchase, nor are unreasonable terms enforceable. I can say that by reading this post you must donate $5 to the Here For Life charity, there is zero way for me to enforce that and no court in the UK or Australia would even hear it, I wouldn't even have the chance to be laughed out of court.

          TOS's are just CYA's these days, their sole p

        • You said it yourself. They have the convoluted and lawyered-up ToS. By inference, we must conclude that you, on the other hand, do not.

          Ever heard of the Golden Rule? "Whoever has the Gold gets to make the Rule."

          Anything that might be said beyond that is nothing more than argument for argument's sake.

        • I would love to see you argue for this in a court of law. The judge will probably laugh harder at you than at a sovereign citizen.

          Why?

          Because you have no money.

          Why is it Big Tech can hit users over the head with their convoluted and lawyered-up ToS in courts, sometimes using the CFAA, but that anyone else can't based on their own ToS of their choosing?

          Because they have lots of money.

          What's the difference between Unpopular Opinions' business stance vs. Big Tech's??

          Money.

          Are they not entitled to the same equal rights in law?

          In theory, yes. In practice no.

          Please, enlighten us, by issuing a minimum 1000-word essay detailing your arguments.

          WTF? One word will do. Money.

    • by AmiMoJo ( 196126 )

      Would any of that stand up in court? I'm not an expert on US contract law, but in the UK sending someone random terms in places they are unlikely to look tends not to go down well in court. The same applies to unreasonable terms designed to heavily favour one party, such as a 30 minute payment deadline and 3%/minute interest rate.

      What you really need to do is lobby your politicians to adopt a GDPR-like law. Then you can force companies to get permission for harvesting, force them to disclose what they have,

  • ... The public ate all the drm tech over the last 26 years since the rise of the internet in the mid 90's, first with mmos then with steam. The entire industry can use telecom to steal software on an industrial scale from the computer illiterate masses, that means no privacy for you. If you bought windows 10 or have ever purchased anything requiring user names or login accounts you're too stupid to be using computers. Everyone knew in 1997 when ultima online was released the average gamer and PC user

    • by SirSlud ( 67381 )

      thanks for the good belly laugh

      • thanks for the good belly laugh

        Enjoy the future where valve owns everything and you own nothing because you're too stupid and irrational to understand silicon valley tech company history. Why would I listen to someone who enjoys paying money for broken software? AKA steam is malware, mmos were just pc games with the networking multiplayer ripped out and coded fraudulently.

  • by Anonymous Coward

    I want guys to stop fingering my sister. But she keeps letting them. How do I get guys to stop fingering my sister?

  • ditch all your other social media accounts.
    Who needs Kim K. to show her ass in order to lure you into handing over all your data?
    Set up your own Tor node and download all the ass for a lifetime completely anonymously.

  • by thesandbender ( 911391 ) on Sunday February 04, 2024 @07:47PM (#64213806)
    All of the information you listed is already public. They're not selling your data, they're selling a convenient way to access it. Some of it they're not even crawling your systems to pick up, because it's public. They're not compromising your security and I doubt they're putting any meaningful load on your system.

    I work on a public, C2B system with about 50 million MAU. The security firms scanning our servers are a drop in the bucket compared to script kiddies and legitimate users trying to do ill advised things (automation, but badly). The worst offenders are the marketing/analytics bots. We found one that has a browser plugin that was feeding the users' data back to their servers which were trying to scrape the pages near real-time. Enough users had it installed that it was triggering security alerts because the bot was trying to access pages that required authentication. After repeated attempts to ask them to knock it off we just blocked them. We even debated showing an alert to affected users but decided that would just as easily backfire with people accusing us of invading their privacy (How did you know I had this plugin!?)

    Long story short, the internet is a wretched hive of scum and villainy. If you expose anything to the internet, you have to put up with this crap.
    • the internet is a wretched hive of scum and villainy. If you expose anything to the internet, you have to put up with this crap.

      With that attitude, yes you do.

  • Someone should have bounced this back to the poster for some editing. Don't get me wrong, this is slashdot, the bar is not set super high. But at least have an intelligible thesis for your post.

  • They just look at the public surface, i.e. the stuff _you_ chose to publish. If you do not want others to see, stop publishing. If you just want, say, email relaying or the like, implement IP restrictions, add port-knocking, require a VPN log-in or do some of the other, well-known things to not make services generally available. But anything published is fair game, within the restrictions of copyright and intellectual property and, sometimes, privacy laws.

  • "not all companies offer lists of their source IP addresses or identify them"

    By default, deny all traffic to and from your network and only allow what you need to get it working and have all allow rules expire after some amount of time so you don't get too comfortable with anywhere specific.

    And there's a whole class of service providers whose services you should not use. Some of them are extremely popular.

  • If you want them to stop harvesting your data, hire one of them because you clearly don't know what you're doing.

  • It isn't your data. It's data about you. Big difference.

  • Just block those crawlers

    I'll block at the drop of a hat on personal systems - though I can't on production things.
    But really, wouldn't it be more apropos to cause them pain, suffering, and woe?

    A few ditties with tc do the trick to slow their network traffic down to one packet every 30 seconds.
    Haven't thought about it too much, but some off-the-cuff build-out milestones:
    Ensure that the setup (adding the qdisc, class) is only done once, then the cascade of tc filter add dev blah blah blah.

    quick ditty (alias or /usr/local/bin
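The tc approach sketched in the post above, written out as an added example (not the poster's own script): the qdisc and classes are created only once, then one filter per address steers that address into a slow lane. It assumes iproute2's tc, root to apply, an egress interface named in DEV (eth0 by default), a hypothetical slow-lane class id 1:99, and 400 bit/s as the rough equivalent of one MTU-sized packet every 30 seconds; 203.0.113.7 in the usage line is a documentation address used as a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent tc "slow lane" for
# replies to unwanted scanners. Assumes iproute2's tc, root to apply, the
# egress interface in DEV, and a hypothetical slow-lane class 1:99.
# DRY_RUN=1 prints the tc commands instead of running them.
DEV="${DEV:-eth0}"
TC="${TC:-tc}"
SLOW_CLASS="1:99"
# 400 bit/s drains one MTU-sized reply (1500 B = 12000 bit) about every 30 s
SLOW_RATE="400bit"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the root HTB qdisc and its classes exactly once: if an HTB root with
# handle 1: already exists on DEV, nothing is added and re-running is harmless.
slowlane_setup() {
    if "$TC" qdisc show dev "$DEV" 2>/dev/null | grep -q 'htb 1:'; then
        return 0
    fi
    run "$TC" qdisc add dev "$DEV" root handle 1: htb default 10 || return 1
    # Default class for everything else: effectively unshaped.
    run "$TC" class add dev "$DEV" parent 1: classid 1:10 htb rate 1gbit || return 1
    # Slow lane: tiny rate and ceiling. quantum is given explicitly because
    # HTB would otherwise derive a sub-minimum quantum from such a low rate.
    run "$TC" class add dev "$DEV" parent 1: classid "$SLOW_CLASS" htb \
        rate "$SLOW_RATE" ceil "$SLOW_RATE" quantum 1500
}

# Steer packets destined for one IPv4 address into the slow lane. A root
# qdisc shapes egress only, so the filter matches the scanner as destination.
slowlane_add() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*) echo "slowlane_add: not an IPv4 address: '$ip'" >&2; return 1 ;;
    esac
    slowlane_setup || return 1
    run "$TC" filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip dst "$ip/32" flowid "$SLOW_CLASS"
}

# Undo everything: deleting the root qdisc removes its classes and filters.
slowlane_reset() {
    run "$TC" qdisc del dev "$DEV" root
}

# Stand-alone use:  ./slowlane.sh ADD 203.0.113.7   or   ./slowlane.sh RESET
case "${1:-}" in
    ADD)   slowlane_add "$2" ;;
    RESET) slowlane_reset ;;
esac
```

Because a root qdisc only shapes what the host sends, this slows the replies the scanner receives; its probes still arrive at line rate (ingress shaping needs the ifb device). It is IPv4-only as written, and removing one address again means deleting its u32 filter by handle or resetting the whole qdisc.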

    • by alanw ( 1822 )

      The "Tarpit" extension from IPTables add-ons [inai.de] project might be what you are looking for. It

      TARPIT
      Captures and holds incoming TCP connections using no local per-connection resources.

      TARPIT only works at the TCP level, and is totally application agnostic. This
      module will answer a

      • TC doesn't require patching which to my mind is more elegant and sustainable across servers. (TARPIT last I looked required patches)
        Granted I don't use it in production but my mindset is by default set for "at scale" and I didn't remove my lazy thinking. Those that "just want results" would likely be happier with your choice than mine.

  • My list of blocked User-Agents grows daily, from obvious bots to ancient browser versions. Can't just block the IPs because lots of useful services are using the cloud too, like getting certs from Let's Encrypt. Scientology is now hiding behind the Amazon veil, when they send mail they use somerandombullshit@aws or whatever as the envelope sender so I have to scan the DATA headers in order to block their intergalactic propaganda at the server level.
    Years ago I started watching the internet static, the rando
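A small detection pass for the kind of User-Agent blocklist this post describes, added here as an example (it is not the poster's setup). It reads combined-format access-log lines, prints each client whose User-Agent matches a denylist pattern once, and can turn that list into nftables set entries that expire instead of accumulating. The denylist patterns, the sample log lines, the ExampleScanner agent string and the set name ua_block in table inet filter are all constructed for illustration; a real set would have to exist with "flags timeout" for the expiring entries to work.

```shell
#!/bin/sh
# Added example, not from the thread: flag access-log clients by User-Agent
# and emit expiring firewall-set entries for them. All patterns, addresses
# and log lines below are constructed for illustration.

# Denylist: awk extended regexes separated by "|" (so a pattern itself must
# not contain "|"). Matching is case-insensitive. "^-?$" catches requests
# that send no User-Agent at all (logged as "-" or empty).
UA_DENYLIST='ExampleScanner/|MSIE [1-6][.]|^-?$'

# flag_blocked_uas: read combined-format access-log lines on stdin and print
# each offending client IP once, in order of first appearance.
# Field layout with FS='"': $1 = client/ident/time, $2 = request line,
# $3 = status/bytes, $4 = referer, $6 = user-agent.
flag_blocked_uas() {
    awk -F '"' -v pats="$UA_DENYLIST" '
        BEGIN { n = split(pats, pat, "|") }
        NF < 6 { next }                       # not a combined-format line
        {
            split($1, head, " "); ip = head[1]
            ua = tolower($6)
            for (i = 1; i <= n; i++) {
                if (ua ~ tolower(pat[i])) {
                    if (!(ip in seen)) { seen[ip] = 1; print ip }
                    break
                }
            }
        }'
}

# blocklist_to_nft [TIMEOUT]: turn one IP per line into nft commands that add
# the address to a hypothetical set "ua_block" (table inet filter) with a
# timeout, so entries age out rather than piling up. Default timeout: 24h.
blocklist_to_nft() {
    timeout="${1:-24h}"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            echo "nft add element inet filter ua_block { $ip timeout $timeout }"
        fi
    done
}

# Constructed sample log (documentation addresses, made-up agent strings).
SAMPLE_LOG='203.0.113.10 - - [05/Feb/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleScanner/2.1 (+https://scanner.example)"
198.51.100.4 - - [05/Feb/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
203.0.113.10 - - [05/Feb/2024:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleScanner/2.1 (+https://scanner.example)"
192.0.2.77 - - [05/Feb/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.80 - - [05/Feb/2024:10:00:04 +0000] "GET /login HTTP/1.1" 401 0 "-" "-"'

# Stand-alone use: print the nft commands for the sample log.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_blocked_uas | blocklist_to_nft 12h
fi
```

The User-Agent is client-controlled, so a match is a hint rather than proof, and the timeout is what keeps a daily-growing list from becoming permanent: an address that stops misbehaving drops out on its own, which matters when, as the post notes, the same cloud ranges also carry legitimate traffic.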

  • by vadim_t ( 324782 ) on Monday February 05, 2024 @03:50AM (#64214594) Homepage

    You can't.

    Even if you could obtain some compliance within a given country, the Internet is international and people from various less liked jurisdictions couldn't care less about what rules you might have.

    Once the data is out there, it's out there. You can't ever have any confidence that nobody will notice that a given port is open or a given service is buggy, and that this fact won't spread through various parties, including things like underground forums most people don't know even exist.

    • You people really don't like history, but you could learn a thing or two. The "wild west" doesn't exist anymore. People do not stand for lawless freedom, because it's inefficient and tyrannical. If you want to have any say in the way the internet will be, you have to acknowledge that this free-for-all exploit-anything-public isn't acceptable and will cease to be one way or another.

      "Oh, nevermind me, I was just checking that your front door is locked, to put that information in a searchable database that any

      • by MobyDisk ( 75490 )

        Your post makes absolutely no sense and does not reflect reality. vadim_t's point is that the "wild west" does exist through much of the world. You can call it inefficient and tyrannical all you like, but that doesn't make it go away. There is nothing we can do to stop script kiddies all over the world from probing systems. Security is the only solution.

        You are crazy if you think you can argue the problem out of existence.

        • The story is not about underground forums in foreign countries. It's about this: "a boom of companies decided to play their "nice guy" card, providing us with a trove of information about our own sites, DNS servers, email servers, pretty much anything about any online service you host". Shodan.io for example is a Seattle, WA, company. Step one: legislate.

          • by MobyDisk ( 75490 )

            Legislate it in what country? Even if the answer is "every country" that won't stop the bad actors from doing it. How many of these unsolicited offers are from legit security companies anyway?

      • by vadim_t ( 324782 )

        The Internet is less of a wild west than it used to be, but it's still pretty wild.

        There are plenty of big countries like Russia where the authorities won't care at all about any of your local rules. That may not be fun, but it's a fact. If somebody from Russia runs a scan on you, and then distributes information in Russian forums, there's pretty much nothing you can do about that.

        Even less now with the Ukraine situation, where Russia is heavily sanctioned and even less inclined to be friendly to other countries

  • By security companies, does the author mean search engines?
  • There is not, and never has been, such a thing as "privacy" online. Any and all interactions, by anyone, with any online service or function, may be intercepted, reviewed, catalogued...and monetized.

    This will be on the midterm.

  • "How can I stop certain elements of the public from using the resources I've made available to the public?"
  • You don't get to put a stop to it. Get off the internet, your crying is contrary to the reason the internet was built.

    If you haven't noticed, HTML5 made it EASIER to parse a website. It clearly defines tags for articles. This is for SEO and... yup, crawlers.

    The internet is made to be scraped, that's the whole point of a captcha, but even for that there is a market to bypass them. On top of that, proxy services exist that will provide you with thousands of proxies to roll through when scraping. The on
