Quite often people claim (for example TalkTalk) that they were attacked by a nation state. It often later transpires that it was a 16 year old from Croydon using a basic SQL injection vulnerability.
At least they’re being honest up front, but yes, it does show naivety and inexperience in basic security.
It says more about Docker than anything else. This is an insane default setting; it's something that should have been fixed when it was first brought to their attention.
Computer security is hard enough without loaded footguns like these lying around.
Yes, Debian - and Ubuntu, for that matter - have some pretty bad defaults in some places. Having users' homedirs UGO rwxr-xr-x is pretty bad.
The defaults should be secure with explicit unlock steps for those that know their environment well enough that they can explicitly relax some restrictions.
Well, Docker CE comes with a huge Disclaimer of Warranty (https://github.com/docker/docker-ce/blob/master/LICENSE). I don't think we can complain. "I should have tested it before deploying to production" is the right thing to say.
I understand your point but how do you explain the complete absence of database security controls? That part is on Newsblur. Defense in depth is important!
Yes, they absolutely have some culpability, but making a change like this without alerting the administrator of the system is the rough equivalent of any process with 'root' privileges on any one of your servers suddenly executing an iptables command to allow all access. You'd only know about it because you got hacked.
Such drastic changes to the security model should only be done after explicit instruction.
The number of companies that operate without access controls between servers on the same segment is unfortunately quite large; database security controls are - again - more often than not left at their default setting, and those too are quite often insecure.
Defense in depth always has limited depth, though I totally agree that running a database without access controls is not the way to go.
I appreciate your transparent account of the situation but what does it say about your company if your database got popped by a “script kiddie”?