Eh, I didn't read it... so my thoughts. From experience the problem with DNSSEC is latency in verifying PKI of the record. Usually what happens is the timeout per resolver has to be greater than 15 seconds under no load in a private network, which is very inconvenient in comparison to plain DNS that has a default of 5 seconds.
Yes! You could approach a professor at a public university here in the U.S. (like the University of Colorado at Denver in Denver, Colorado) who mentors PhD candidates and explain the kind of on-the-job experience you have relevant to the industry in lieu of a Bachelor's degree and request a formal recommendation letter to be included in your application to the PhD program. You will need between 10-20 years of professional experience, preferably team leadership. Although I heard most people are rejected anyways for things that can't be covered on-the-job, like knowing how to write a proper academic research paper.
Edit: I just remembered that the measure of success, in addition to writing a thesis, is being able to explain your argument in as much detail as you can in front of a panel of experts while answering their questions for at least a couple of hours, up to several hours. Something you will likely encounter trying to convince a mentor you're ready for the PhD program.
I can't believe people are victim blaming the db admins for not knowing about the vulnerability. What good comes of destroying the db instead of talking about the vulnerability to the open source projects? Coincidentally, Shodan, which I've never heard of.
There's a difference between a vulnerability, and a common misconfiguration that usually comes from a "make it work first, security later" mindset.
The good that comes from destroying the DB is:
a) the data is no longer exposed to the Internet, where more malicious actors could take it, affecting the customers of the incompetent company
b) ignoring it stops being a viable option - leaking your customer's data all over the place often doesn't have sufficiently obvious and severe consequences for the company doing the leaking to discourage it. Disruption that breaks production will get their attention, and they likely will secure their database in the future.
(No moral or legal judgement regarding this action, just answering the "what good comes of it" question.)
Edit: Also, someone commented further below on the difficulty of doing it the right way - it's hard to contact the companies, and it's even harder to get them to actually listen and fix it instead of ignoring it or trying to "shoot the messenger". This approach may be wrong and/or illegal, but it is much more likely to actually draw the attention of the right people, and prevent them from simply ignoring the problem.
The companies running those open databases aren't just victims; they're also perpetrators of privacy violations. In many cases, they're even collecting data for a purpose that the data subject receives no benefit from.
You don't need to be a carpenter to know that you should install a lock on the front door of your house. How does anyone get to the point of standing up a production db and allowing writes from unauthenticated connections?
I am pretty salty since as a sysadmin, I have been getting 'just pipe it to su bash' and 'i need allow any any' and 'bro I need chmod 777 on this directory and all its children' and 'bro this service account has to be a domain admin' from developers my entire professional career. Everything that there is to say has already been said and I am not really sure what to do about it. Nobody is out there peddling these cool fixes as truth and yet they seem to have a cult all the same.
What can we do to make this common knowledge? This needs to be on the same level as washing your hands and not accepting candy from strangers, yet every week we see a new data breach that boils down to 'somebody used the rights as they were designed'.
I think it's wrong to rationalize what the YouPlus CEO did to investors by saying he was like so many other people in startup culture; his actions don't represent Silicon Valley. I wish more people would call out startups like YouPlus when they take money from investors for a business they don't have and for technology that only exists inside their heads.
Acquisition cost is very high. I spend more of my time selling myself than on any other activity. I've been doing consulting since 2015. My network has grown to 5k, yet I still have to come up with new ways of expressing the same things.