Most active commenters

    ←back to thread

    Writing "/etc/hosts" breaks the Substack editor

    (scalewithlee.substack.com)
    603 points scalewithlee | 16 comments | 25 Apr 25 13:48 UTC | HN request time: 0.001s | source | bottom
    Show context
    Y_Y ◴[25 Apr 25 14:13 UTC] No.43793778[source]
    Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
    replies(6): >>43793862 #>>43793868 #>>43793954 #>>43794072 #>>43794473 #>>43802345 #
    1. jrockway ◴[25 Apr 25 14:21 UTC] No.43793868[source]
    Yeah, and this seems like a common Fortune 500 mandatory checkbox. Gotta have a Web Application Firewall! Doesn't matter what the rules are, as long as there are a few. Once I was told I needed one to prevent SQL injection attacks... against an application that didn't use an SQL database.

    If you push back you'll always get a lecture on "defense in depth", and then they really look at you like you're crazy when you suggest that it's more effective to get up, tap your desk once, and spin around in a circle three times every Thursday morning. I don't know... I do this every Thursday and I've never been hacked. Defense in depth, right? It can't hurt...

    replies(3): >>43793920 #>>43795851 #>>43799653 #
    2. bombcar ◴[25 Apr 25 14:25 UTC] No.43793920[source]
    I love that having a web application firewall set to allow EVERYTHING passes the checkbox requirement ...
    replies(1): >>43794124 #
    3. CoffeeOnWrite ◴[25 Apr 25 14:44 UTC] No.43794124[source]
    (I’m in the anti-WAF camp) That does stand to improve your posture by giving you the ability to quickly apply duct tape to mitigate an active mild denial of service attack. It’s not utterly useless.
    replies(2): >>43794206 #>>43794423 #
    4. elevation ◴[25 Apr 25 14:52 UTC] No.43794206{3}[source]
    Doesn't it also add latency to every request?
    replies(4): >>43794319 #>>43794346 #>>43795846 #>>43796742 #
    5. tough ◴[25 Apr 25 15:05 UTC] No.43794319{4}[source]
    I think the main point is the WAF companies must have lobbied to get that into the checklist

    the main point is you need to pay a third party

    replies(1): >>43795569 #
    6. krferriter ◴[25 Apr 25 15:14 UTC] No.43794423{3}[source]
    Denial of service prevention and throttling of heavy users is a fine use, searching for a list of certain byte strings inside input fields and denying requests that contain them isn't.
    7. CoffeeOnWrite ◴[25 Apr 25 16:30 UTC] No.43795569{5}[source]
    You can call your existing reverse proxy a WAF to check this checklist item. (Your point still stands, on the median companies may opt to purchase a WAF for various reasons.)
    replies(1): >>43800140 #
    8. formerly_proven ◴[25 Apr 25 16:49 UTC] No.43795846{4}[source]
    So does running McAfee on every POST body but some places really wanna do that regardless. (I at least hope the scanner isn't running in the kernel for this one).
    replies(1): >>43796491 #
    9. hnlmorg ◴[25 Apr 25 16:50 UTC] No.43795851[source]
    I’m going through exactly this joy with a client right now.

    “We need SQL injection rules in the WAF”

    “But we don’t have an SQL database”

    “But we need to protect against the possibility of partnering with another company that needs to use the same datasets and wants to import them into a SQL database”

    In fairness, these people are just trying to do their job too. They get told by NIST (et al) and Cloud service providers that WAF is best practice. So it’s no wonder they’d trust these snake oil salesman over the developers who asking not to do something “security” related.

    replies(1): >>43800137 #
    10. jrockway ◴[25 Apr 25 17:42 UTC] No.43796491{5}[source]
    Yeah, we were asked to do this at my last job by some sort of security review. This one doesn't bother me as much. "Display 'network error' whenever a user uploads a file containing 'SELECT *'" is a bad user experience. "Some files in this repository have been flagged as containing a virus and are not visible in the web interface until allowed by an administrator," is OK with me, though.
    11. swyx ◴[25 Apr 25 18:04 UTC] No.43796742{4}[source]
    sure but how much? 3-10ms is fine for the fast protection when shit hits the fan.
    12. vultour ◴[26 Apr 25 00:02 UTC] No.43799653[source]
    A large investment bank I worked for blocked every URL that ended in `.go`. Considering I mostly wrote Golang code it was somewhat frustrating.
    13. zelphirkalt ◴[26 Apr 25 01:34 UTC] No.43800137[source]
    If they want to do their job well, how about adding some thinking into the mix, for good measure? Good would also be,if they actually knew what they are talking about, before trying to tell the engineers what to do.
    replies(2): >>43801628 #>>43802111 #
    14. zelphirkalt ◴[26 Apr 25 01:36 UTC] No.43800140{6}[source]
    Often it is just pushing responsibility.
    15. hnlmorg ◴[26 Apr 25 07:31 UTC] No.43801628{3}[source]
    > If they want to do their job well, how about adding some thinking into the mix, for good measure?

    That’s what the conversation I shared is demonstrating ;)

    > Good would also be,if they actually knew what they are talking about, before trying to tell the engineers what to do.

    Often the people enduring the rules aren’t supposed to be security specialists. Because you’ll have your SMEs (subject matter experts) and your stockholders. The stakeholders will typically be project managers or senior management (for example) who have different skill sets and priorities to the SMEs.

    The problem is that when it comes to security, it’s a complicated field where caution is better than lack of caution. So if a particular project does call on following enhanced secret practices, it becomes a ripe field for snake oil salesman.

    Or to put it another way: no company would get sued for following security theatre but they are held accountable if there is a breach due to not following security best practices.

    So often it doesn’t matter how logical and sensible the counter argument is, it’s automatically a losing argument

    16. immibis ◴[26 Apr 25 09:25 UTC] No.43802111{3}[source]
    They don't want to do their job well. They want to look like they're doing their job well, to people who don't know how to do the job and whose metrics are completely divorced from actual merit.