Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
esikich 2 hours ago

How bad are your security practices that these tiny obscure things matter? None of these findings that show up here on HN should even make you flinch. The alarmist takes on this stuff is fucking exhausting and I'm tired of security teams bugging me about it. Do your job and this shit doesn't matter AT ALL.

grayhatter an hour ago | parent [-]

I said "doesn't matter" to someone once... the resulting lesson came in the form of a reply from the whitehat researcher (waves, hi brian!) a 16step exploit chain resulting in a one click full account takeover.

I'm equally annoyed and over the alarmist takes. But I don't think it's fair to group mine into it. I'm annoyed at seeing discard respect for others into the same void everyone is happy to toss quality.

Do these tiny things matter? No, not to the default-panic-level everyone adopts when they see 0day, or CVE... but duh, I'm now just repeating exactly what you already said. That no, for the record is mostly because I don't use any of these, not just because they're boring exploits. While I always look, I default assume anything CVE is boring/pointless. But I still read them.

But then, I'm not trying to convince the owner of the repo. I'm trying to discourage the theme among researchers that "no one cares", because I have seen researchers disclose bugs publicly, that we'd be eager to pay out on, because they disagreed with the decision on their last report.

I've fixed bugs being actively exploited against our users, that was found/fixed only after a whitehat report for something adjacent (we pay on those btw, and you should too). I don't wanna live in the world where it's easier for the bad guys, the only way we get there is once "everyone knows", you gotta report the all bugs that you can turn into an exploit. I don't want "the whitehat researcher culture" to move towards, who cares' dump the PoC on github, screw anyone that could be hurt by the bad guys, they deserve to be punished for the incompetence of others. SWE's are shit at security, security researchers are shit at SWE, the only way we get the good outcome, is if they're willing (and encouraged) to work together.

esikich an hour ago | parent | next [-]

No one is doing 16 step exploits unless you're a huge target in some way. 0.0000001% of companies fit that bill. And even then, ok, what did they get? An account login? What are they doing to do? Read email? Then what? "Use it for social engineering"? Who cares, you have MFA right? You have a firewall? You don't allow people to randomly jump from box to box via RDP? You have basic security and auditing on your fileshares? EVEN THEN, what, they get a spreadsheet from your last town hall meeting? I'm also tired of pretending that 99.999% of the data in a company even matters. Unless they have some way to cryptolock your whole company, AND you don't have backups/snapshots without any basic access security, there isn't a lot of value to be taken. Security "teams" are a bunch of fucking busybodies with nothing to do. Pay for a competent admin team and the security dept is completely redundant and useless.

DANmode an hour ago | parent | prev [-]

That’s a whole lot of “we” to not mention which company you’re at that supposedly plays well with security researchers/has a proper bug bounty.

cubefox 36 minutes ago | parent [-]

Even if the company doesn't have a big bounty publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.