HIV Dating Company Accuses Researchers of Hacking Database (csoonline.com) 71
itwbennett writes: Slashdot readers will recall the story posted last week about the misconfiguration of the MongoDB database that powers Hzone, a dating app for the HIV-positive, and the ensuing threat of HIV infection the company hurled at DataBreaches.net, who sent the notification. (Hzone later apologized.) But that's not the end of the story. Among other twists and turns that point to a CEO who was in way over his head, in several emails to Dissent, the admin of DataBreaches.net, Hzone CEO Justin Robert accused Dissent of changing the Hzone user database. But follow-up emails suggest that the company couldn't tell what was accessed or when, as Robert says Hzone doesn't have 'a strong tech team to maintain the site.'
That's a first (Score:3, Informative)
I know this warning is unnecessary here, but do not follow the second link in the summary (same as the one under the title). This is the first time a /. summary has been better written than the source article.
What content there was to be found between the typos and grammar errors indicated that the immunocompromised dating site owners are incompetent, sue happy, and really bad liars. (A fairly common combination, so nothing unusual there.)
Re: (Score:2)
But, but, I have plenty of requests hitting my web server that have user agent strings matching "*research*", same for some abuse contact addresses for the IP (whois lookup) and they don't even set the evil bit so I thought it was OK to let them through.
Do you mean I should block those requests?
Re: (Score:2)
The Hypocrisy of it all is sickening
While I am inclined toward agreement with you, where exactly is the hypocrisy? Researchers in other fields have a long history of being caught doing things that were illegal or determined to be unethical; we can and do call them criminals, but I am not sure we stop calling them scientists and researchers. It seems very possible to me to be both a criminal and a researcher.
Re: (Score:2)
And what if there's a clearly open port that provides unfettered access?
Say port 80 brings up phpMyAdmin and is configured to allow access without a password?
Is this criminal or just browsing their website?
Failure to properly and fully secure your externally facing computers is your fault and anyone accessing it has every right to. It is NOT synonymous to leaving your door unlocked.
Re: (Score:1)
Failure to properly and fully secure your externally facing computers is your fault and anyone accessing it has every right to. It is NOT synonymous to leaving your door unlocked.
Ok, so it's more like walking down the street, seeing a front door someone left open, and going inside and looking around. Still wrong.
Re: (Score:2)
Those that do not understand at least the basics of security and do not take steps to learn
Re: (Score:1)
And furthering this analogy, this reaction is like trying to crucify the one guy who goes through shit to find a number to call to let someone know "hey, your shit's unlocked."
Re: (Score:2)
it should be expected that some people will do this
Not relevant to the questions of whether it's moral or legal.
Re: (Score:2)
No, it's like moving your house to the middle of the road, taking the front door off the hinges & expecting no one to walk in.
Re: (Score:2)
open ports = open doors
On the internet = with an invitation to come in.
Deal with it.
Re: (Score:2)
If it's in the middle of the road (internet), those are the rules.
Re: (Score:2)
Clueless idiot threatens people anonymously online.
No one runs away scared.
Re: (Score:1)
Western Civilization is based on a fairly simple precept...you don't mess with people or their shit. Even if they leave that shit accessible, the door unlocked, etc. It's not yours, so don't fuck with it.
If you DO fuck with either, it's our right to fuck you up, either through the system or personally (certain restrictions apply).
Re: (Score:2)
So web browsing isn't allowed?
Or just maybe it's not the same principle as a house.
Re: (Score:1)
If I hold an open house, with a sign that says come on in, fine. Otherwise, stay the fuck out.
Re: (Score:1)
What do you think listening for connection requests on port 80 means?
Serving stuff on an internet-facing server without a password is EXACTLY like holding a sign that invites everyone to come in. Deal with it fucktard. The Internet is no "safe space" for oversensitive millennials.
Re: (Score:2)
Guess what open ports say?
'Come on in'.
Re: (Score:2)
I don't know. How long will morons keep pretending that if we shun and punish those who disclose vulnerabilities, the vulnerabilities won't be exploited by malicious actors?
What is the ratio between (a) criminals using 0-day exploits they've found out through their own research or obtained from other criminals, and (b) criminals using N-day exploits they have been made aware of by public disclosure?
As a sysadmin, I would have to say the (b) is by far what hammers the systems the most these days, and costs my company quite a lot of work and resources. I'm not saying that is work that shouldn't be done, but that the cumulative cost of disclosure for the sake of disclosure can b
Re: (Score:3)
You are a researcher if you buy the software, install it, and then see what you can do. If you try to get into a system belonging to someone else, you are a fucking criminal.
You are aware the researcher simply saw a "HIV dating site database dump.zip" up on bittorrent and decided to inform the site owner that he may want to check that shit out to see if it is theirs and if so maybe fix their site up, right?
If I found something of yours across town in the middle of the street, that you put your own name and address on, why am I a criminal for returning it to you or informing you where I found it, if I am not the one that took it and put it there?
Normal (Score:3)
"...point to a CEO who was in way over his head,"
Aren't they all, these days?
Re: (Score:2)
What, you mean it's not possible to completely abstract all management activities and decision making processes? Are you making the radical suggestion there isn't a completely generic way to run a business? Is your assertion that you have to understand at least the basic nuts and bolts of what a company does to run it effectively?
Re: (Score:2)
"...point to a CEO who was in way over his head,"
He'd better wear a condom then! (drum roll)
Re:Normal (Score:4, Insightful)
Well, with IT security nowadays it is very hard for a small focused business to survive in today's market.
Back in the 1980's and 1990's we had a slew of applications created by non-developers due to easy to learn languages such as Basic/Visual Basic, FoxPro, DBase, Access, etc... Because these applications ran on a local network via file shares, with a more or less trusted group of employees, security was never a concern. So the small company could make a custom app with a very small investment, which allowed them to be agile in adjusting their business processes.
However, now with hackers who will blindly attack any system that is vulnerable, or worse the hackers who think they have a mission to expose the bad people in the world, you need staff that are specialized in IT security to keep their data safe, and to be able to track and report on vulnerabilities.
This is like forcing a Mom and Pop candy shop to have armed guards on the payroll just in case someone breaks in and steals the candy, and exposes all the candy customers in the store, so as to shame them for being the cause of obesity in the world.
Re: (Score:2)
I'm sick of stuff that takes 30 seconds to start due to a huge 24bit background pic and a slow needless text to speech thing saying hello. Can I skip that shit on the hobby inventory list program and actually sta
Systematic attack (Score:2)
This is like forcing a Mom and Pop candy shop to have armed guards on the payroll just in case someone breaks in and steals the candy, and exposes all the candy customers in the store. As to shame them for being the cause of obesity in the world.
Except the whole thing happens in a world with Star-Trek like teleporters and replicators. So cases of "someone breaks in" happen on a massive scale.
It's not merely one guy deciding to go berserk, and then needing to walk to the (only) nearest Mom and Pop candy shop.
It's a guy deciding to go berserk, and then instantly teleporting in front of all the Mom and Pop shops of his country and breaking into all of them. Every single one. All in the same hour.
That's the power of Internet.
And amidst all this he also happens
Re: (Score:2)
I think this thread might actually be the worst analogy thread ever. The sad truth of this is, the "researcher" didn't even *do* the "research" but found their database on a torrent site and informed them because he feared it might belong to them.
So it's like you're trying to make an analogy about a guy who isn't actually the guy who did it and cars, doors, shop keepers, candy stores, and condoms!
Worst Analogy Thread Ever!
Re: (Score:2)
The locks and security cameras are the equivalent of making sure you have a login and password to sensitive data. For the Mom and Pop shop this is usually enough, however for internet commerce it isn't. The internet is like placing your business in the middle of the worst neighborhood you can find. So you need the security guards (aka an IT staff with strong security knowledge), who will be more proactive in keeping the site secure.
Re: (Score:3)
Show me the case law which says that.
Time and time again companies are utterly inept at security, get hacked, and basically say "gee, we'd like to say we're sorry but we're not really, and since we're not liable we don't care".
CEOs are, in my opinion, largely responsible for being greedy assholes doing PR and sales ... and they don't think they have any such responsibility as protecting your data. At the small
Re: (Score:2)
The same is true with the CISA act this week. Put all your stuff in the cloud and were under the impression you were protected by warrants and all that? Too bad!
Re: (Score:2)
Well, think about it ... HIPAA covers medical professionals and hospitals with an expectation of confidentiality.
If you sign up for a private web site which ends up more or less saying you have HIV, then you chose to give that to a private entity. And then what happens to the data they have is entirely legally different. The same way that governments can demand from corporatio
Doubt there would be fines (Score:2)
There's no reason they'd be subject to HIPAA nor be fined under it. They're not medical providers. Users of their system willingly disclosed their status to a third party, non-medical provider with the explicit purpose of being placed in contact with other people who had also disclosed their status and the understanding that their status would be disclosed to those other people in the process.
Whether there are any fines related to general personal information breach, I don't know; but I kind of doubt it.
His name isn't Justin Robert, it's Mao JianQiang (Score:5, Interesting)
Irony exposes hackers to organic virus (Score:2)
One way or another, hackers' exploits and malware share attack vectors.
Perhaps they're infectious...
MongoDB (Score:2)
I hadn't realized it the first time around but this was also a MongoDB database. Not that it really matters, the CEO makes them all sound incompetent.
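The misconfiguration behind this story is a mongod that answers commands from the internet with no authentication enabled. The check a practitioner would want before a stranger runs it for them is whether their own server answers `listDatabases` to an unauthenticated client. The script below is an added example, not code from the article, from Hzone or from DataBreaches.net; it speaks MongoDB's OP_MSG wire format (MongoDB 3.6 and later; the 2015-era server in the story would have needed the older OP_QUERY framing) using only the standard library. The host and port are assumptions passed on the command line, and the sample replies in the comments are constructed. Run it against servers you own.

```python
"""Check whether a mongod answers listDatabases without credentials (added example)."""
import socket
import struct

OP_MSG = 2013        # opcode of the modern MongoDB wire-protocol message
UNAUTHORIZED = 13    # error code mongod returns when authorization is enforced


def bson_encode(doc):
    """Encode a dict as BSON (subset: bool, int, float, str, None, dict, list)."""
    out = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):                 # bool before int: True is an int
            out += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            if -2**31 <= value < 2**31:
                out += b"\x10" + name + struct.pack("<i", value)
            else:
                out += b"\x12" + name + struct.pack("<q", value)
        elif isinstance(value, float):
            out += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            out += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif value is None:
            out += b"\x0a" + name
        elif isinstance(value, dict):
            out += b"\x03" + name + bson_encode(value)
        elif isinstance(value, list):               # arrays are docs keyed "0","1",...
            out += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported BSON type for {key!r}")
    return struct.pack("<i", len(out) + 5) + out + b"\x00"   # +4 length, +1 terminator


def bson_decode(data):
    """Decode one BSON document (same subset as bson_encode) into a dict."""
    total = struct.unpack_from("<i", data, 0)[0]
    pos, doc = 4, {}
    while pos < total - 1:                           # stop at the trailing 0x00
        kind = data[pos]
        end = data.index(b"\x00", pos + 1)
        key = data[pos + 1:end].decode()
        pos = end + 1
        if kind == 0x01:
            doc[key] = struct.unpack_from("<d", data, pos)[0]
            pos += 8
        elif kind == 0x02:
            n = struct.unpack_from("<i", data, pos)[0]
            doc[key] = data[pos + 4:pos + 4 + n - 1].decode()
            pos += 4 + n
        elif kind in (0x03, 0x04):
            n = struct.unpack_from("<i", data, pos)[0]
            sub = bson_decode(data[pos:pos + n])
            doc[key] = list(sub.values()) if kind == 0x04 else sub
            pos += n
        elif kind == 0x08:
            doc[key] = data[pos] == 1
            pos += 1
        elif kind == 0x0A:
            doc[key] = None
        elif kind == 0x10:
            doc[key] = struct.unpack_from("<i", data, pos)[0]
            pos += 4
        elif kind == 0x12:
            doc[key] = struct.unpack_from("<q", data, pos)[0]
            pos += 8
        else:
            raise ValueError(f"unsupported BSON type 0x{kind:02x}")
    return doc


def build_op_msg(command, request_id=1):
    """Frame a command document as OP_MSG: header, flagBits=0, one kind-0 section."""
    section = struct.pack("<I", 0) + b"\x00" + bson_encode(command)
    return struct.pack("<iiii", 16 + len(section), request_id, 0, OP_MSG) + section


def parse_op_msg(frame):
    """Return the body document of an OP_MSG reply (the optional checksum is ignored)."""
    length, _, _, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_MSG or frame[20] != 0:
        raise ValueError("unexpected reply framing")
    return bson_decode(frame[21:length])


def classify_reply(doc):
    """OPEN if the server listed databases, AUTH_REQUIRED on error 13, else UNKNOWN."""
    if doc.get("ok") == 1 and "databases" in doc:
        return "OPEN", [d["name"] for d in doc["databases"]]
    if doc.get("code") == UNAUTHORIZED:
        return "AUTH_REQUIRED", []
    return "UNKNOWN", [doc.get("errmsg", "")]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe(host, port=27017, timeout=5.0):
    """Send listDatabases with no credentials and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        head = _recv_exact(sock, 4)
        frame = head + _recv_exact(sock, struct.unpack("<i", head)[0] - 4)
    return classify_reply(parse_op_msg(frame))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    print(*probe(host))
```

A server with `security.authorization: enabled` replies `{ok: 0, code: 13, codeName: "Unauthorized"}` and the script prints `AUTH_REQUIRED`; a default install that is also bound to a public interface hands back every database name, which is exactly the condition that put Hzone's user table within reach of anyone who scanned port 27017. The fix is the same in both cases: enable authorization and bind mongod to localhost or a private interface rather than 0.0.0.0.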
Re: (Score:2)
"MSM accounted for 54% of all people living with HIV infection in 2011, the most recent year these data are available."
So, straight people would appear to be 46%, hardly a "tiny fraction of a percent".
http://www.cdc.gov/hiv/statistics/overview/ataglance.html