To be forthright, I work in technology, maybe that colors my opinion.
I see this being similar to Microsoft's Windows operating system. Embedded inside the windows code is as much security as you want to use. You can configure your OS to lock your PC if it senses no activity for a set interval, you can configure it so you have to enter as complex a password as you want before it grants you access to your system. It implements network access file security and many other security features.
If you, as a user, create a text file and add your bank account numbers and username/ passwords to it, then walk away from your machine without locking it, and a house guest just happens to walk by your machine and notices the file and contents on the screen, and steals that information and drains your accounts, would you, in that case, believe Microsoft to be culpable for the theft of your information?
Building web sites is similar in some respects where instead of creating a file as in my above example, you are creating a lot of files, and it is up to you as a developer to secure access to those files, you can be as liberal or as restrictive as you want with your security. There are industry standards and best practices that define the least amount of security that a web site should have, but it is up to a company to enforce those standards on their site. There really isn't a policing organization that monitors the internet for adherence to security standards. However, information has value, and since it has value, it becomes a target for theft. This being the case, a company absolutely
must be obsessively protective of their data while simultaneously being obsessively rigorous in their enforcement of security practices. This continuous analysis and application of practices encompasses the software (website), the data, the database the data resides in, the server the database resides on, the server the website is hosted on, physical access to those hardware devices, local access to that hardware and so on ad nauseum.
Back to the FAF breach. If I understand the situation properly, what the developer(s) did was lazy and/or negligent. I'll use this site for contrast.
You can send someone a link to a particular thread, forum or even to a specific post by building up a URL to that piece of content. This is done in different ways depending on language/ web framework etc...
Here on this site, a link to a particular thread looks like this:
http://professionalsoldiers.com/foru...ad.php?t=54312
And a link to a particular post looks like this:
http://professionalsoldiers.com/foru...56&postcount=3
You can even use this URL format to build up a link to a particular attachment:
http://professionalsoldiers.com/foru...8&d=1483130105
I know these links look like gobeldy gook, but they are informative if you know how to read them. Looking at any of these urls, I can make a pretty accurate guess that professionalsoldiers.com is going to get routed to a DNS server and translated to an ip address that belongs to a particular piece of hardware (server) most likely sitting behind 3 feet of concrete in the Team Sergeants basement
So now we can look at that URL again and see something different:
169.61.48.158:80/forums/showthread.php?t=54312
The DNS server has taken professionalsoldiers.com and mapped it to that web servers actual IP address, now we know
where the site actually is. Now we can start ascertaining what the web site looks like.
/forums/showthread.php?t=54312 gives us an idea of what the navigation structure of the website looks like.
We can start guessing that threads exist in a database or file structure and that each thread has an id, in this case 54312. Now that we know all this, we can put the full URL into our browser and manipulate the ids by hand
http://professionalsoldiers.com/foru...ad.php?t=54312
http://professionalsoldiers.com/foru...ad.php?t=54311
http://professionalsoldiers.com/foru...ad.php?t=54310
etc...
Now here is the point I typed all this to make. You can play around with URLs here on this particular site and get to the content because you are
logged in and are
authorized to see that content via forum authorization rules. But if you log out (hopefully) you can manipulate URL's all day long and every single one will simply redirect you to the log in page, and after more than a few of these unauthenticated request for pages that require authentication, I'm sure the forum can put you on a black list and simply deny any of your request.
Back to FAF - they did not implement this absolutely required piece of authorization code. So they may have a main page that requires you to log in, but they don't check to see i
f you are logged in when handling requests for resources. Once somebody (read hackers) figure that out, they can slap together a very short script that iterates from 0 to 1000000000 or whatever, and makes a request for
FAF.com/peoplesDataFolder/pdf_1
FAF.com/peoplesDataFolder/pdf_2
FAF.com/peoplesDataFolder/pdf_3
FAF.com/peoplesDataFolder/pdf_...
and lickety split, all FAF's data is now in a hackers possession.
If this web site did not implement request base authorization, then someone could do the exact same thing and publish a professionalsoldiers2 web site with all of the content from this web site.
FAF chose to use the cloud to host their site. But this breach is not specific to a cloud hosted site, this breach is 100% site based, 100% FAF's fault and negligence.
A cloud based breach would be something like a company that shared database servers escalated their SQL permissions and crossed database boundaries and stole their data or a company on a shared web server did something illegal and hacked across security boundaries and stole their physical files. If something like that had happened, then I would agree that Microsoft should share some level of responsibility.
I attempted to add enough technical details to make this informative on how the internet works in general, while laying out the particularities of the FAF breach at the same time. If this extremely long post has caused anyone to drool on themselves or bang their head on something flat and hard, I apologize.
Golf1Echo, hopefully I have answered your question. I would appreciate reading your justification for Microsoft's culpability. As you can see, my vision is probably a bit too narrowly focused on the technical aspects.
Linear Mode
