Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
hsbauauvhabzb 9 hours ago

Sounds like a great way to get sentry to fire off arbitrary requests to IPs you don’t own.

sure hope nobody does that targeting ips (like that blacklist in masscan) that will auto report you to your isp/ans/whatever for your abusive traffic. Repeatedly.

leoc 9 hours ago | parent [-]

Obligatory Bruce Scneier: https://www.schneier.com/blog/archives/2008/03/the_security_...

fc417fc802 an hour ago | parent | next [-]

Good read, but:

> This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves ...

I have to disagree in the strongest terms. It doesn't matter what it is, the only way to do a good job designing something is to imagine the ways in which things could go wrong. You have to poke holes in your own design and then fix them rather than leaving it to the real world to tear your project to shreds after the fact.

The same thing applies to science. Any even half decent scientist is constantly attempting to tear his own theories apart.

I think Schneier is correct about that sort of thinking not being natural for your typical person. But it _is_ natural (or rather a prerequisite) for truly competent engineers and scientists.

bratwurst3000 17 minutes ago | parent [-]

hmmm I am 50% with you. Imho to be an amazing engineer is to see a problem and find a good(whatever good means) solution. Beeing a good scientist is asking precise questions and finding experiments validating them.

I think its more the nuanced difference between safety and security. Engineers build things so they run safe. For example building a roof that doesnt collapse is a safe roof. Is the roof secure? Maybe I can put thermites in the wood...

this is the difference. Safety is no harm done from the thing itself Engineers build and security is securing the thing from harm from outside.

ralferoo an hour ago | parent | prev [-]

Hehe, just reading that.

> The poster described how she was able to retrieve her car after service just by giving the attendant her last name. Now any normal car owner would be happy about how easy it was to get her car back, but someone with a security mindset immediately thinks: “Can I really get a car just by knowing the last name of someone whose car is being serviced?”

Just a couple of hours ago, I picked my car up from having its obligatory annual vehicle check. I walked past it and went into their office, saying "I'm here to pick up my car". "Which one is it?" "The Golf" "Oh, the $MODEL?" (it was the only Golf in their car park) "Yeah". And then after payment of £30, the keys were handed over without checking of anything, not even a confirmation of my surname. This was a different guy to the one who was in there an hour earlier when I dropped the car off.

duxup an hour ago | parent [-]

I feel like that car security situation also is sort of setup to tell us about how folks with a security mindset can go overboard?

Some car dealership who never had a car stolen hires a consultant and they identify this pickup situation as a problem. Then they implement some wild security and now customers who just dropped off their car, just talked to the same customer service person about the weather ... have to go through some extra security to impersonally prove who they are, because someone imagined a problem that has never occurred (or nearly never). But here we go doing the security dance because someone imagined a problem that really has nothing to do with how people actually steal cars...

Computers and the internet are different of course, the volume of possibilities / bad actors you could be exposed to are seemingly endless. Yet even there security mindset can go overboard.

I'm currently trying to recover/move some developer accounts for some services because we had someone leave the company less than gracefully. Often I have my own account, it's part of an organization ... but moving ownership is an arduous and bizarrely different process for each company. I get it, you wouldn't want someone to take over our no name organization, but the process all seem to involve extra steps piled on "for security". The fact that I'm already a customer, have an account in good standing, part of the organization, the organization account holder has been inactive ... doesn't seem to matter at all, I may as well be a stranger from the outside, presumably because of "security".

RcouF1uZ4gsC 31 minutes ago | parent [-]

And then some person realizes that government ids can be faked, so they set up a system of doing a retinal scan of the person dropping off the car and then comparing it to the retinal scan of the person picking it up.

Then they realize that one person may be bribed so they require at least two people to verify at pickup and drop off.

Meanwhile, a car has never ever been stolen this way.

duxup 28 minutes ago | parent [-]

Yup, it's taking me probably 10x longer gathering legitimate documents to send to these companies.

Meanwhile I could fake them all in a fairly short amount of time...