undefined | Better HN

0 pointsCanada7y ago0 comments

It's simple. If it's a couple of years old and I haven't accessed it then it gets archived offline. Metadata about it is kept hot so I can track what I have. I might be a bit sloppy personally and have a limited amount of 4 year old stuff still internet connected but certainly not anything approaching 10 years and it's sure as hell not large archives of other people's data I have a duty to protect.

There is just no excuse for that, it serves no business purpose, ancient backups that have no recovery value should not be online if they are kept at all. This incident shows an appalling lack of care by reddit technical leadership. Obviously they are not systematically tracking and reviewing the data they keep. Given this incident I would not be the least bit surprised if they have copies of this and that all over the place with no awareness or oversight.

0 comments

3 comments · 1 top-level

ajross7y ago· 2 in thread

> It's simple. If it's a couple of years old and I haven't accessed it then it gets archived offline

How is that remotely simple? This is a medium size company. They have thousands or tens of thousands of storage devices mounted "online" in some way. How do you purport to audit every single one of them to determine when the "last access" time was for all the relevant data?

I suspect, as mentioned earlier, that your answer is going to involve a time machine to go back to 2007 and make sure reddit was doing things "right".

CanadaOP7y ago

It's one thing to get owned by 0 day and lose the stuff you were working on last month. If you lose stuff from 10 years ago you absolutely had it coming.

The way you protect old data is by routinely auditing what you have. You make sure each department is on top of organizing its data. If you're not sure what it is, you offline it. It can always be brought back online if necessary. Even lowest-common-denominator schemes like ISO 27001, a system designed to allow management that doesn't even know how to turn on a computer to manage information security, covers this basic idea. It would be one thing if a non-technical department had leaked some ancient folder full of reports containing some sensitive data, but this is a database dump of one of the most highly trafficked sites on the net. Reasonable people should expect the custodians of those sorts of things to know better. To anyone with technical knowledge, minimizing your data exposure should be as natural as breathing.

And yet again this time we get the usual "the attack was so sophisticated" refrain. Oh, the defenders were so careful, and tried to take every precaution for sure! The attackers hacked the 2FA! If that's true why didn't the attackers get the 2018 data? Frankly I don't believe the Reddit management. They probably left that old database dump on some old system they forgot about that tons of people had access to.

How many breaches to we need to remind us to be aware of what data we are managing and take precautions? How many more is it going to take before we collectively stop being so careless?

ajross7y ago

> If you're not sure what it is, you offline it

I've literally never worked at nor heard of an employer that tried this. You have a case study example? You seriously think IT departments are in the business of finding an archiving the contents of every random PC on the network?

1 more reply

j / k navigate · click thread line to collapse