
This screams NDA/disclosure but things are so mega super fucked that they feel obligated to pre-warn as early as possible.

I wonder how long/old the problem is in atop?




Yeah, from a rando this would be just bad vagueposting but Rachel is absolutely someone who could know about a very good reason why we should uninstall atop but be unable to legally say why. I would heed her warning.


I would disagree and still say that this is bad vagueposting. It doesn't matter how reputable the source is: if you say "don't do X" but don't give a reason why, I'm not inclined to listen. Granted I don't use atop anyways, but I don't think a vague blog post - even one from a respected person - is sufficient justification to change what software one uses.


This seems completely backwards... if someone says to do something but doesn't give a reason, then the ONLY thing on which to base your decision whether to listen is their reputation and your trust in them.

If someone I trust tells me to trust them, I will.


First, I decided I am going to avoid atop. Even if Rachel were wrong, it doesn't hurt not to use some specific software I don't depend on.

> If someone I trust tells me to trust them, I will.

Huh? When I trust someone, then I trust already and there's no need being told to trust. When I don't trust someone, then I run away when being told to trust. Hell, if someone tells me to trust them, it's a red flag and I drop the trust.


I think it's "If someone I already trust says 'trust me on this one', I will."


Your belief seems to hinge on the idea that there are zero situations where someone could need you to trust them but doesn't have the ability to tell you why.

I think there ARE some situations like that, especially when the conversation is public like this. It is pretty easy to think of a lot of good reasons why Rachel can't explain why you need to trust them in this situation. I think saying, "I can't tell you why, please trust me" is a perfectly reasonable thing for someone you trust to say, and I would absolutely listen to them if they say that.


That seems.. whatever the opposite of pragmatic is, but not in a good way, as in “principled”. There are very good reasons one would be required to be vague in a situation like this, but still know about a very serious issue.

It’s like seeing a road sign that says “danger ahead” and ignoring it because it wasn’t very specific. It’s just.. not a sensible move.


Yeah, this is the behavior of the stuffy administrator in an 80's sci-fi comedy, minutes before the horror the heroes are trying to warn him about is unleashed.

The only question left is "who is going to deliver the quippy one-liner afterwards?"


Boy, do I hate being right all the time.

-- Dr. Ian Malcolm


> It doesn't matter how reputable the source is:

It does though.

"Don't go down 6th street now" means very different things depending on whether it comes from your buddy, or the bomb squad.

> if you say "don't do X" but don't give a reason why, I'm not inclined to listen.

I hear ya, but, there are sometimes valid reasons people can't say things; and this may well be one of those times. You have every right to do as you like, but it's not necessarily smart now that you've been warned by a respected professional.


“Boys, keep off the moors. Stick to the roads, and the best of luck.”


This attitude will eventually burn you.


seen this play out in real time, brutal


Side glance, whispers.

(rubbernecks directly at the target) WHAT?! Did you just SAY BE DISCREET BUT ....


Lol, this is going over my head a bit, but in case I was misunderstood, I had a role once that was secops adjacent but not strictly "security," just ended up doing a lot of favors for a security team. There was a recommendation that was super low hanging with extremely high impact, but the sec team determined it was "too low risk to action on without better reasoning" or something, they got hit pretty hard by it and I was involved in some triage, shaking my head the entire time. Very similar reasoning. "I need a bulletproof reason to update or change something" is like, to me, not a productive attitude.


Ha ha, "too low risk to action ..." When I was younger I would fight those valiant fights; now only if actual end users would suffer irreparable harm. I give people my advice, but when they pedantically push back and MAKE YOU MAKE THEM UNDERSTAND, Nawww, I told you what I think and why, I am done.

My comment condensed an exchange that has happened enough times to be a trope. You try to discreetly get someone's attention to alert them about an opsec issue, you then whisper and they basically look right at the target and then yell back at you WHY ARE YOU WHISPERING. Nawww, you are on your own now.

I get this a lot with AI now, I tell people what is a current capability and what the curve looks like, I send them a gist of those capabilities and they want to get into some goal post moving debate. I don't engage. I don't care about being right, or being taken seriously. The funny thing is, sometimes when they come back months later with a, "hey it turns out ..." that they want me to say I told you so, or glad you turned around. I literally don't care.

I and the world have suffered so many fools, we have to stop giving them the time of day, for ourselves. They don't realize that they have truly lost when people stop giving them advice or criticism. You know the relationship is over when the other party has zero interest in even engaging in any capacity.


Bayes would like to have a word.


That's not how reputation works.


"Don't put your hand in the fire."




Being a system administrator isn't a scientific endeavour where the goal is to seek truth. It's a practical endeavour where the goal is to reduce risk of bad things happening. Sometimes, that means blindly following the advice of reputable people who hint at severe vulnerabilities in a piece of software, even though they can't disclose enough to prove that a vulnerability exists yet.

Keep having atop installed until you get absolute proof that it can be exploited, if that's what you want. But the organization whose systems you're administering might not like the fact that you were forewarned and didn't act.


That last line for sure reads as '(author) can't tell you now, but can (plans to) tell you later'; NDA and/or CVE as most likely reasons.


Presumably one step removed? I assume vague-posting would be an NDA violation, though now I'm second-guessing that...


Seems like the latest version might be as old as July 2024?

https://www.atoptool.nl/allnews.php

For anyone interested, here are the latest commits to the GitHub: https://github.com/Atoptool/atop/commits/master/


I have this weird gut feeling that it's going to be one of those "this was introduced in a 2010 commit and has been in every build since"

Edit: I have no knowledge of what this is FYI.


Skimming through the code (particularly from past issues and PRs) highlights a number of things that look sketchy to me at first glance (in a coding practices way, not in a malicious way) - my gut feeling is that someone smarter than me going through much of this with a fine-toothed comb would likely find something exploitable.

Rewrite it in Rust. /s


> my gut feeling is that someone smarter than me going through much of this with a fine-toothed-comb

Seems that's already started: https://github.com/Atoptool/atop/issues/330


Agreed. Severe CVE seems like the ticket here given the context.


Why would there be an NDA on atop? It's under GPL.


It might be covered under an NDA with some company that she's contracting with if she/they discovered the vulnerability in the course of their work.


It could also be any number of other things too, like it's severe enough that the author feels it's responsible to wait for mitigation efforts before disclosing anything about the issue that could lead to it being exploited.


The existence and phrasing of this post implies that the author doesn't trust the atop developers to fix anything in a timely manner if at all.


The developers don't necessarily have to be the ones working on mitigation efforts.


"screams NDA" is not the same as "might be covered under an NDA". And in any case, very likely the said company has already taken mitigative action like removing atop.

