Secure your rsync shares (steve.org.uk)
82 points by stevekemp on Feb 13, 2014 | hide | past | favorite | 58 comments



I recently bought a Lenovo ix2 NAS and was having some issues setting up rsync. Decided to go to their forums and found out that they turn on rsync by default and insecure. So if you have this device connected to your network with default settings (which I presume many people will do), anyone on the internet can see your backups. Here is the comment from one person who made the discovery and according to him, he can scan and see people's backups. http://forums.lenovo.com/t5/Iomega-Network-Storage/Security-...


That's pretty bad, thanks for highlighting it.

I could certainly see patterns in the things that were exposed. A lot of hosts exposed either:

* A single share called "squid".

* A pair of shares called "sql" & "www". That made me think of a control-panel of some kind.


It would be behind a NAT for most people, though, right? Not saying that makes it ok, but at least a LITTLE less bad?


What is interesting is that the rsync daemon is not something typically enabled by default, you have to go in and manually turn it on, and if you don't alter the configuration to add users and passwords, it simply won't allow login at all.

So someone has gone out of their way to set up insecure rsync daemons.

I wonder if all of these open rsync daemons are due to poorly configured appliances like a NAS or some other "turn-key" vendor supplied kit. But even then it is a strange thing to enable insecurely...


One of the comments below did mention an insecure-by-default NAS:

https://news.ycombinator.com/item?id=7232518


Interesting. I knew it needed to be turned on but didn't realize that you needed to add users. So Rsync doesn't just use the default login info, the way SSH does?


Part of me thinks the best way to bring attention to this is to make your search engine and publish it.

I don't see how this exposes liability for you—is Google liable when people leave their printer's/router's/fax's/whatever's web configuration interfaces on the public internet with no password? I don't believe they are, and I've seen a number of Google searches in the past on the Hacker News front page linking to pages and pages of them.

However, like Google, you probably want to have a quick way for people to remove their site from the index once they've discovered and secured it.

I, for one, would love to see a search engine of public rsync servers.


The law is not an algorithm that can be applied to tell you whether something is legal or not.

Both intent and context come into it heavily. If the majority of rsync shares contain private data, such that your search engine is effectively a private data search engine and can't really be used for anything else without continuously stumbling across more private data, then it could easily be considered radically different from Google's situation.


> The law is not an algorithm that can be applied to tell you whether something is legal or not.

That may be true in practice, but that's what the law is supposed to be -- an unambiguous social signaling system, that applies to all persons equally, without vagueness or the possibility of terminological confusion.

If a given law can be shown to be vague or confusing, it can be declared unconstitutional. Whether it will be declared unconstitutional depends on whether anyone is willing to fight about it in court.

But the principle of public law is -- yes! -- that it is an "algorithm that can be applied to tell you whether something is legal or not." A failure in this role represents a failure in the legal system itself.

> Both intent and context come into it heavily.

Absolutely false. Someone who breaks the law can't argue that their intent or the context makes any difference. That might affect the punishment, but it doesn't affect the question of guilt.


> Absolutely false. Someone who breaks the law can't argue that their intent or the context makes any difference. That might affect the punishment, but it doesn't affect the question of guilt.

How would you explain the difference between murder and manslaughter then? If someone dies on the operating table because the surgeon accidentally nicks an artery that's different from them actively trying to kill someone. The act is identical, only the intent is different.

Intent is, and should be, a deciding factor in whether or not someone is guilty of a crime.


>How would you explain the difference between murder and manslaughter then?

Circumstances, which can only affect the punishment, not the judgment that a crime has taken place. But I already said this.


Did you stop reading there?

> If someone dies on the operating table because the surgeon accidentally nicks an artery that's different from them actively trying to kill someone. The act is identical, only the intent is different.

In one case, there was a crime, in the other there wasn't.

> Circumstances, which can only affect the punishment, not the judgment that a crime has taken place. But I already said this.

The circumstances which change the crime committed. Not just punishment.


I shouldn't have made my original claim without thinking about the fact that there really are crimes that are defined by what is in a person's mind, apart from their actions. One thought, acceptable. Another thought, crime. Thought crime.

So I was being naive and you are right. And George Orwell was right.


I, uh, don't know about that, but I will say that thought and intent are not the same.

Thinking about murdering someone and not taking any action to that effect, then actually killing that person; VS taking action to do it, strike me as different.

It's possible that they are legally the same, but I doubt the court can do much to prove thought without a confession.

IANAL


> I, uh, don't know about that, but I will say that thought and intent are not the same.

True, but it's to some extent splitting hairs, because intent is often (but not always) constructed from thoughts.

> Thinking about murdering someone and not taking any action to that effect, then actually killing that person; VS taking action to do it, strike me as different.

Most courtroom battles on these issues revolve around trying to reconstruct intent based on things that actually happened and that can be presented as testimony. Premeditation, for example -- the difference between degrees of murder in many states -- might be inferred by a person's actions leading up to a crime, and afterward.

> It's possible that they are legally the same, but I doubt the court can do much to prove thought without a confession.

It's commonplace for prosecutions to proceed on the basis of a record of actions that are used to infer thoughts and intents.


I agree that this is how the law should be applied, it makes logical sense. But it isn't how it works. I'd like every cop that kills someone to be tried for murder and then let the courts determine if it is justified, not the prosecuting attorney.


Intent is a huge founding tenet in English law (from which American law is derived). http://en.wikipedia.org/wiki/Intention_in_English_law

He would be liable for exposing private data, because the kind of data he found wouldn't reasonably be published.


But IIUC US Federal law generally ignores intent -- in a bad way for the accused. A lack of bad intent isn't a mitigating factor.

Prosecutorial discretion is tricky enough to begin with. But also mix in disregarding intent, and season with charging people multiple times for the same act? Federal prosecutors can be little Putins.


Rip Aaron Swartz


> Someone who breaks the law can't argue that their intent or the context makes any difference.

Huh? The law takes intent into account all the time. (Criminal Defamation, for example).


What the law "should" be is very little comfort if you land in jail anyway. Makes it worse, in fact. I agree with you on what the law should be, but it doesn't matter here, unless you're prepared for an enormous fight.

By the way, have you heard of "hate crimes"? Those are a real thing, according to the law, anyway.


>> Both intent and context come into it heavily.

>Absolutely false.

seriously? I thought most laws literally have "intent" as a requirement written into them.

With the OP's service dedicated to explicitly revealing unintentionally insecure rsync servers, I can only imagine the plethora of horrid cyber security laws he would be vulnerable to.


Is it really private if the owners made the data publicly available?


I know bringing things from the real world into the digital realm often results in badly overstretched metaphors. Allow me this one; are your belongings really yours if you forget to lock the door?


It's not about ownership, it's about privacy. Yes, people are allowed to look at your stuff if you leave it in a public place.

Edit: it's even stronger in this case, because it's your own equipment that is providing the data to anyone who asks politely (using industry-standard requests and no impersonation or other fraud).


But is your living room a public place, if you leave your front door open? I don't think so.


But you're not in the living room. You asked for the data politely and the server sent the data to you. It even put your address on it to deliver it over the public internet.


> Allow me this one; are your belongings really yours if you forget to lock the door?

Practically, it depends on where you live. In major urban areas: no they're gone and they probably aren't coming back. Insurance might replace some of them.

In the sticks? Most people don't lock their doors, even if they shut them.

> I know bringing things from the real world into the digital realm often results in badly overstretched metaphors.

Except this metaphor is already stretched beyond breaking. An index isn't even a copy.

Copying a set of publicly available read-only files is not theft (you still have your copy I haven't deprived you of it).

But we're not even talking about copying your files, just the names you've assigned to them. And in his proposed form, even allowing you to remove the names from our index.

Pretty kind treatment for a copy that you've given me when I asked for it.


> forget to lock the door

oh god this again


Your belongings are really only yours to the extent that social contract (ie the law) defines them as such or you are able to prevent other people from taking them. Everything else is an illusion.


Yes. And trespassing is still trespassing even if I leave the front door open. Hacking is still hacking even if the computer is left unsecured.


Creating an index of these files seems more like driving down the street taking pictures of all the houses with their front doors left open. Something Google seems to get away with on a regular basis.


Trespassing is not a good example. Let's say your private home is (for some reason) in the middle of some downtown area, where every neighbor is a public shop (IE, the expectation is that everything is welcome to the public). Not only that, it's pretty much indistinguishable from the outside from all the other public shops around it. In this scenario, if you leave your door wide open in the middle of the day then no one would take your cries of trespassing seriously.

So no, I don't think trespassing is necessarily still trespassing, even if you leave the front door open. Like most things in life, it depends on context.

The expectation and the norm of this situation is that data published on public ports is for public consumption. You can't blame someone for accessing data that you put out there in a public manner, even unintentionally.


Oh I agree, context matters and courts would certainly take it into account. Police however might not.


> I don't see how this exposes liability for you.

Is The Pirate Bay liable when people upload copyright-infringing torrents?

Arguably not, but that's not quite how the law sees it.


The Pirate Bay isn't a search engine though. This is much closer to Google than TPB.


TPB indexes content and gives a link to access the content, same as Google. TPB does not actually host any of the copyright infringing content they link to, same as Google.

There is a minor difference in that people upload to TPB and Google spiders out for content but that doesn't seem relevant here.


You may be on to something; I'm just wary that actually downloading from an unsecured share would be "unauthorized access", and there have been too many cases where linking to torrents is equivalent to performing copyright infringement yourself.

(I do own the rsync.io domain, so I have the perfect place to host it ..)


You have good reason to be afraid too. Remember the Weev case (like him or not) set things in motion.

What would likely be best is contacting the owners (if possible). Have a 90 day period where you aren't listed but alerted privately. Then if noncompliance is maintained you go public.


Too often though it is hard to determine who to contact - e.g. you have a random IP, you look it up in whois and you find it belongs to a cable-provider.

You can't map that to an individual, unless you mail "abuse@isp" and hope they pass along the message.

The alternative is to download all the private data, looking for email addresses and hoping for the best - i.e. they don't send a mail to "abuse@fbi.gov" about a hacker stealing their data and similar.


When installing a new machine one of the first things you should do is run

  netstat -tnlp | grep -v 127.0.0 | grep -v ::1:

Then uninstall or reconfigure anything that is listening remotely.


The problem is rarely at installation time. The problem is three years later, when you know that you've got rsync because it's so useful, but you don't remember that you left rsyncd running.

Internal and external nmap sweeps: always a good idea*

*If you don't own the network, get permission first.


If you have system monitoring tools, then you could make one of the things it monitors a script that does netstat -plan | grep -v 127.0.0.1 | grep -v ::1 | grep -v ssh | grep -v <anything you know should be running> | wc -l


Don't use -a though :)

Use -t to avoid listing local sockets.

So -pltn not -plan


I've always been a fan of

   lsof -n | grep LISTEN


   ss -lnp
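Building on the netstat/ss checks in this subthread, here is an added example (not posted by any commenter) that turns the "filter loopback, filter what you expect, count the rest" idea into a script that can be fed to a monitoring tool. The `ss -lntp` output is a constructed sample, and the `ALLOWED` list of process names is an assumption you would tailor to your host.

```shell
#!/bin/sh
# Audit listening TCP sockets: report anything bound to a non-loopback
# address whose process is not on the expected allow-list.
# Input is the text format of `ss -lntp` (constructed sample below, not
# captured from a real machine).

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:631        0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
LISTEN 0      5      0.0.0.0:873          0.0.0.0:*         users:(("rsync",pid=1410,fd=4))
LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      50     [::1]:3306           [::]:*            users:(("mysqld",pid=990,fd=21))'

# Process names that are allowed to listen on non-loopback addresses (assumed).
ALLOWED="sshd"

# unexpected_listeners: print "addr:port process" for every LISTEN row that is
# neither bound to 127.0.0.0/8 or [::1] nor owned by an allowed process.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                 # skip header and non-listening rows
        {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next   # loopback only: fine
            proc = ""
            # Extract the first process name from users:(("name",pid=...))
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (proc in ok) next
            print addr, proc
        }'
}

# unexpected_count: the number to graph or alert on (0 is the healthy value).
unexpected_count() {
    unexpected_listeners "$1" | wc -l | tr -d ' '
}

unexpected_listeners "$SAMPLE_SS"   # on the sample: 0.0.0.0:873 rsync
```

On a live host replace the sample with `unexpected_listeners "$(ss -lntp)"`; a non-zero count from `unexpected_count` is the condition to alert on, which is exactly how a forgotten rsyncd would surface three years later.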


It helps a lot if you just do a minimal install, and add components only on a need-to basis.


Sometimes Recommends will include things you don't actually need. Like rpcbind and nfs.

So you still need to check after the install.


Consider writing a post on how one can go about different ways to secure their rsync shares.

I'd like to set one up, but I know close to nothing of how it works.


Please do see the comment later down, about the "hosts allow" setting for the rsync-daemon.

But in short you either need to restrict access by IP, configure a password, or disable the daemon and run rsync via SSH which avoids the problem entirely.


Google searches for things like "inurl:PAYROLL.XLS" are always good for a hoot.


Many of the top results are organisations which are legally required to publish their payroll (public universities, government agencies, and so on).

So it isn't quite as bad as it might immediately appear...


What is best way to secure rsync shares?


Don't run rsync in daemon mode, only use it over ssh. Then there is no problem


Are rsync passwords normally plaintext if not over ssh?


Either firewall the service, via iptables, or the ACL system that rsync supports natively:

     [foo]
          path = /srv/foo
          hosts allow = 1.2.3.4, 10.20.30.0/24

In addition to that you can use passwords with rsync, or avoid exposing it directly and use ssh as a transport - secured with keys.


Using ssh as a transport has been my solution and it has been working very well. The sample command to do this is listed under the Troubleshooting section of this page: http://troy.jdmz.net/rsync/index.html


Oh it's people like you that ruin security through obscurity :P

