600 points scalewithlee | 5 comments

matt_heimer No.43794013
The people configuring WAF rules at CDNs tend to do a poor job understanding sites and services that discuss technical content. It's not just Cloudflare, Akamai has the same problem.

If your site discusses databases then turning on the default SQL injection attack prevention rules will break your site. And there is another ruleset for file inclusion where things like /etc/hosts and /etc/passwd get blocked.

I disagree with other posts here, it is partially a balance between security and usability. You never know what service was implemented with possible security exploits and being able to throw every WAF rule on top of your service does keep it more secure. It's just that those same rulesets are super annoying when you have a securely implemented service which needs to discuss technical concepts.

Fine tuning the rules is time consuming. You often have to just completely turn off the ruleset because when you try to keep the ruleset on and allow the use-case there are a ton of changes you need to get implemented (if it's even possible). Page won't load because /etc/hosts was in a query param? Okay, now that you've fixed that, all the XHR included resources won't load because /etc/hosts is included in the referrer. Now that that's fixed things still won't work because some random JS analytics lib put the URL visited in a cookie, etc, etc... There is a temptation to just turn the rules off.

replies(13): >>43794129 #>>43794136 #>>43794174 #>>43794203 #>>43794226 #>>43794234 #>>43794368 #>>43794502 #>>43795948 #>>43796540 #>>43798420 #>>43800243 #>>43804110 #
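The cascade of false positives described in the comment above (query string, then Referer, then a cookie) can be reproduced with a toy rule engine. This is an added example, not code from the original thread or from any CDN's WAF; the `LFI_RULE` pattern, the request samples, the `policy` dict and its `scan` / `exempt_prefixes` knobs are all constructed for illustration and do not correspond to real Cloudflare or Akamai settings.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed stand-in for a CDN "file inclusion" signature: a real ruleset is
# far larger, but the matching style (substring/regex over request fields) is the same.
LFI_RULE = re.compile(r"/etc/(?:hosts|passwd|shadow)", re.IGNORECASE)

# Hypothetical policy shape: which request locations the rule scans, and which
# URL path prefixes are exempt from it entirely.
DEFAULT_POLICY = {"scan": {"query", "header", "cookie"}, "exempt_prefixes": ()}
TUNED_POLICY = {"scan": {"query"}, "exempt_prefixes": ("/docs/",)}


def request_locations(request):
    """Yield (location, decoded_text) pairs that a WAF would inspect.

    `request` is a dict with a "url" and optional "headers" (constructed format).
    """
    url = urlsplit(request["url"])
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        yield f"query:{key}", unquote(value)          # parse_qsl already decodes; unquote is a no-op here
    headers = request.get("headers", {})
    if "Referer" in headers:
        yield "header:Referer", unquote(headers["Referer"])
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            yield f"cookie:{name}", unquote(value)


def evaluate(request, policy=DEFAULT_POLICY):
    """Return the list of locations where LFI_RULE fired; an empty list means allowed."""
    path = urlsplit(request["url"]).path
    if any(path.startswith(p) for p in policy["exempt_prefixes"]):
        return []
    hits = []
    for location, text in request_locations(request):
        kind = location.split(":", 1)[0]
        if kind in policy["scan"] and LFI_RULE.search(text):
            hits.append(location)
    return hits


# Constructed traffic for a documentation site that legitimately talks about /etc/hosts.
DOCS_PAGE = {"url": "https://example.test/docs/hosts-file?q=%2Fetc%2Fhosts"}
XHR = {"url": "https://example.test/api/search?q=resolver",
       "headers": {"Referer": "https://example.test/docs/hosts-file?q=%2Fetc%2Fhosts"}}
ANALYTICS = {"url": "https://example.test/static/app.js",
             "headers": {"Cookie": "sid=abc; last_url=%2Fdocs%2Fhosts-file%3Fq%3D%2Fetc%2Fhosts"}}
# A request that the rule is actually meant to catch: a file parameter pointing at a system file.
PROBE = {"url": "https://example.test/download?file=%2Fetc%2Fpasswd"}


def walkthrough():
    """Evaluate each sample under both policies; returns {name: (default_hits, tuned_hits)}."""
    samples = {"docs_page": DOCS_PAGE, "xhr": XHR, "analytics": ANALYTICS, "probe": PROBE}
    return {name: (evaluate(r), evaluate(r, TUNED_POLICY)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (default_hits, tuned_hits) in walkthrough().items():
        print(f"{name:10s} default={default_hits or 'allowed'}  tuned={tuned_hits or 'allowed'}")
```

Under the default policy every one of the three legitimate requests is blocked in a different location, which is exactly the whack-a-mole the comment describes. The tuned policy exempts the documentation prefix and stops scanning Referer and Cookie for this rule, yet `PROBE` is still blocked because the query string is still inspected. The point is that per-rule, per-location tuning can keep the ruleset on; the cost is that someone has to know the application well enough to say which locations matter.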
paxys No.43794203
"You never know..." is the worst form of security, and makes systems less secure overall. Passwords must be changed every month, just to be safe. They must be 20 alphanumeric characters (with 5 symbols of course), just to be safe. We must pass every 3-letter compliance standard with hundreds of pages of checklists for each. The server must have WAF enabled, because one of the checklists says so.

Ask the CIO what actual threat all this is preventing, and you'll get blank stares.

As an engineer what incentive is there to put effort into knowing where each form input goes and how to sanitize it in a way that makes sense? You are getting paid to check the box and move on, and every new hire quickly realizes that. Organizations like these aren't focused on improving security, they are focused on covering their ass after the breach happens.

replies(2): >>43794224 #>>43801618 #
chii No.43794224
> Ask the CIO what actual threat all this is preventing

the CIO is securing his job.

replies(1): >>43794385 #
reaperducer No.43794385
> the CIO is securing his job.

Every CIO I have worked for (where n=3) has gotten where they are because they're a good manager, even though they have near-zero current technical knowledge.

The fetishizing of "business," in part through MBAs, has been detrimental to actually getting things done.

A century ago, if someone asked you what you do and you replied, "I'm a businessman. I have a degree in business," you'd get a response somewhere between "Yeah, but what do you actually do" and outright laughter.

replies(1): >>43795361 #
alabastervlog No.43795361
It's a relatively recent change, too. Transition from "the executives and managers mostly came up through 10-25 years of doing 'lower' jobs in the company, and very much know how the business actually works" to "we hire MBAs to those roles directly" was throughout the '70s-'90s.

Finance and business grads have really taken over the economy, not just through technocratic "here's how to do stuff" advice but by personally taking all the reins of power. They're even hard at work taking over medicine and pushing doctors out of the work-social upper-middle-class. Already did it with professors. Lawyers seem safe, so far.

replies(2): >>43796270 #>>43797163 #
tmpz22 No.43796270
They're taking over veterinary clinics too! The biggest owner of veterinary clinics is Mars Inc., the candy company!
replies(1): >>43797359 #
pxc No.43797163
> Lawyers seem safe, so far.

Nope, lawyers are fucked too. It's just not as advanced yet: https://www.abajournal.com/web/article/arizona-approves-alte...

selimthegrim No.43797359
I wonder if Matt Levine has a bit about this