zrobotics 2 days ago

I do dev & IT for a <25 person company in ecommerce. If we had even half of the issues that were pointed out in this post, I'd be telling the owner that he should be looking to replace me. I get that they're not a software company, but these are super basic issues. These issues, coupled with no response to the reported issues, lead me to suspect that the C-suite deprioritized IT to the point that it's a skeleton staff and they can't hire or retain anyone that's even halfway competent. You don't end up with these kinds of issues, as a company of their size, unless there are serious management problems. They are big enough that they should definitely have the budget to do basic stuff like auth properly, or at least not make so many 101-level errors.

That said, the author also comes across as a complete d-bag. I have about as much love for marketing people as the average software developer, but their description of their average consumer was pretty normal. The author got super-catty about what's a fairly basic description of their average consumer and a stock photo. They aren't saying the only people who drink Monster are young white males, just that that is their largest market and the consumer group they are targeting. It does make sense for them to say internally "hey, FYI this is the group of consumers we intend to target with our marketing efforts", and I've definitely read very similar stuff in every marketing proposal I've read, just with different groups.

gnarlouse 2 days ago | parent | next [-]

Yeah I did feel slightly less sorry for Monster after finding out they have a $63B market cap.

dzhiurgis 2 days ago | parent | prev [-]

How are you confident you don't have these issues?

zrobotics a day ago | parent [-]

I'm not at all confident we don't have any security issues; that would be an impossible statement to make no matter what company I work for. I am confident we don't have issues like baking API secrets into our shipped JavaScript, or just not doing auth at all and not validating account registration endpoints. Again, these are literally 101-level errors that any level of testing should have caught. PCI compliance isn't what I would call the highest bar for software security, and this stuff would fail an audit (at least the ones I've been involved in; I'm sure there are people who rubber stamp them). So while I can't say we don't have security vulnerabilities, I am very confident we don't have the types of vulnerabilities that anyone with even a passing knowledge of pentesting would be looking for.

dzhiurgis a day ago | parent [-]

So you must be confident enough to post the URLs you are working on?

IMO what OP posted is hilarious but really a nothing burger. Access to some analytics, some training material and a list of filenames is worthless. Yes, pretty amateur mistakes, but ultimately it has 0 impact.

phil-martin a day ago | parent [-]

The major issue was the trajectory of impact, particularly when the ClickUp access was attained. If the person doing it was malicious, participating on that platform could have quickly led to some social engineering that led to accessing private business-critical intellectual property, staff names, contact information, and more systems.

Definitely not a nothing burger.