chrisweekly 5 days ago

Re: "npmjs dot help", way too many companies use random domains -- effectively training their users to fall for phishing attacks.

InsideOutSanta 5 days ago | parent | next [-]

This exactly. It's actually wild how much valid emails can look like phishing emails, and how confusing it is that companies use different domains for critical things.

One example that always annoys me is that the website listing all of Proton's apps isn't at an address you'd expect, like apps.proton.me. It's at protonapps.com. Just... why? Why would you train your users to download apps from domains other than your primary one?

It also annoys me when people see this happening and point out how the person who fell for the attack missed some obvious detail they would have noticed. That's completely irrelevant, because everyone is stupid sometimes. Everyone can be stressed out and make bad decisions. It's always a good idea to make it harder to make bad decisions.
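The two complaints above (chrisweekly's "npmjs dot help" lookalike and InsideOutSanta's protonapps.com example) come down to one check that users are implicitly asked to perform: does the link's host belong to a domain the company actually owns? The script below, an added example that is not code from either commenter, makes that check explicit from the defender's side. The allowlist, the tiny public-suffix table and the sample email are all constructed for illustration; a real deployment would load the full Public Suffix List (for instance via the `tldextract` package) and the organisation's real domain inventory.

```python
"""Classify links in a message as owned, lookalike or external.

Added example, not from the thread. The owned-domain list, the suffix table
and the sample email below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the (hypothetical) organisation owns.
OWNED_DOMAINS = {"npmjs.com", "proton.me"}

# Constructed, deliberately tiny stand-in for the Public Suffix List so that a
# host such as foo.example.co.uk maps to example.co.uk rather than co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the registrable ("apex") domain of a hostname, e.g. www.npmjs.com -> npmjs.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """owned      -> host sits under a domain we own (any subdomain depth)
    lookalike  -> host is NOT ours but carries one of our brand labels
                  (npmjs.help, protonapps.com, npmjs.com.evil.example)
    external   -> unrelated third-party domain
    invalid    -> no parseable host"""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    if registrable_domain(host) in OWNED_DOMAINS:
        return "owned"
    # Brand label = first label of each owned domain ("npmjs", "proton").
    brands = {d.split(".")[0] for d in OWNED_DOMAINS}
    # Compare against the whole host (hyphens stripped) so that both
    # brand-in-TLD and brand-as-subdomain tricks are caught for review.
    flat_host = host.replace("-", "")
    if any(b in flat_host for b in brands):
        return "lookalike"
    return "external"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL from a message body and classify it."""
    return [(u, classify(u)) for u in URL_RE.findall(text)]


# Constructed sample email body mixing legitimate and off-brand links.
SAMPLE_EMAIL = """\
Your package needs attention. Manage it at https://www.npmjs.com/settings
or reset your 2FA at https://npmjs.help/reset before Friday.
Get the desktop client from https://protonapps.com/download
and read the changelog at https://apps.proton.me/changelog
Support: https://example.co.uk/contact
"""


def lookalike_links(text: str) -> list[str]:
    """Only the links a reviewer should look at first."""
    return [u for u, verdict in scan_message(text) if verdict == "lookalike"]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The point of the `lookalike` bucket is the one the thread makes: once a company legitimately sends users to protonapps.com, an off-brand host containing the brand name can no longer be treated as automatically suspicious, so the heuristic can only flag for review rather than block. Keeping every customer-facing service under the primary registrable domain is what lets this check (and the human equivalent of it) give a clean yes/no answer.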

OkayPhysicist 4 days ago | parent [-]

I can answer why this is at the company I work at right now:

It's a PITA to coordinate between teams, and my team doesn't control the main domain. If I wanted my team's application to run on the parent domain, I would have to negotiate with the crayon eaters in IT to make a subdomain, point it at whatever server, and then if I want any other changes to be made, I'd have to schedule a follow-up meeting, which will generate more meetings, etc.

If I want to make any changes to the mycompany.othertld domain, I can just do it, with no approval from anyone.

SoftTalker 4 days ago | parent [-]

Are you arguing that it’s a good idea for random developers to be able to set up new subdomains on the company domain without any oversight?

mdaniel 4 days ago | parent | next [-]

Do they work there or not? I deeply appreciate that everyone's threat model is different, but I'd bet anyone that wants to create a new DNS record also has access to credentials that would do a ton more actual damage to the company if they so chose.

Alternatively, yup, SOC2 is a thing: optionally create a ticket tracking the why, then open a PR against the IaC repo citing that ticket, have it ack-ed by someone other than the submitter, audit trail complete, change managed, the end.

4 days ago | parent | prev | next [-]
[deleted]
OkayPhysicist 4 days ago | parent | prev [-]

What's your threat model that says they shouldn't? If you don't trust your senior devs, you're already pwned.

0cf8612b2e1e 5 days ago | parent | prev [-]

Too many services will send you 2FA codes from different numbers per request.