642 points | scalewithlee | 1 comment
Y_Y No.43793778
Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
replies(6): >>43793862 #>>43793868 #>>43793954 #>>43794072 #>>43794473 #>>43802345 #
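The bypasses named above (`/etc//hosts`, `/etc/./hosts`) are the ordinary failure of a deny-list that matches the raw request string before canonicalising it. The following is an added illustration, not code from the thread or from any WAF product: a constructed deny-list, a literal-match rule of the kind being criticised, and a check that percent-decodes (repeatedly, to cover double encoding) and collapses `//`, `/./` and `/../` before comparing. The deny-list entries and the request paths are constructed sample values.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample deny-list; a real rule set would be far longer and still incomplete.
BLOCKED_PATHS = {"/etc/hosts", "/etc/passwd"}


def naive_blocked(path: str) -> bool:
    """Literal-match rule: compares the raw request path against the list."""
    return path in BLOCKED_PATHS


def canonical(path: str) -> str:
    """Canonicalise a request path before any comparison.

    1. Percent-decode until the string stops changing (handles %252F-style
       double encoding).
    2. Collapse redundant separators and dot segments with posixpath.normpath,
       which turns /etc//hosts, /etc/./hosts and /etc/../etc/hosts into /etc/hosts.
    """
    previous, current = None, path
    while current != previous:
        previous, current = current, unquote(current)
    return posixpath.normpath(current)


def normalized_blocked(path: str) -> bool:
    """Deny-list check applied to the canonical form rather than the raw string."""
    return canonical(path) in BLOCKED_PATHS


def evaluate(paths):
    """Return {raw_path: (naive_verdict, normalized_verdict)} for a batch of requests."""
    return {p: (naive_blocked(p), normalized_blocked(p)) for p in paths}


if __name__ == "__main__":
    # Constructed request paths, including the variants named in the thread.
    sample_requests = [
        "/etc/hosts",
        "/etc//hosts",
        "/etc/./hosts",
        "/etc/../etc/hosts",
        "%2Fetc%2Fhosts",
        "%252Fetc%252Fhosts",
        "/index.html",
    ]
    for raw, (naive, normalized) in evaluate(sample_requests).items():
        print(f"{raw:24} literal-match={naive!s:5} canonical-match={normalized}")
```

Running it shows the literal rule catching only the exact string `/etc/hosts` while the canonical check catches every variant listed. Note that `posixpath.normpath` is string-level only: it does not follow symlinks or know about the target's filesystem, so even the canonical check only narrows the gap. The point the comment makes stands: the durable fix is not to hand attacker-controlled paths to the filesystem in the first place.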
jrockway No.43793868
Yeah, and this seems like a common Fortune 500 mandatory checkbox. Gotta have a Web Application Firewall! Doesn't matter what the rules are, as long as there are a few. Once I was told I needed one to prevent SQL injection attacks... against an application that didn't use an SQL database.

If you push back you'll always get a lecture on "defense in depth", and then they really look at you like you're crazy when you suggest that it's more effective to get up, tap your desk once, and spin around in a circle three times every Thursday morning. I don't know... I do this every Thursday and I've never been hacked. Defense in depth, right? It can't hurt...

replies(3): >>43793920 #>>43795851 #>>43799653 #
hnlmorg No.43795851
I’m going through exactly this joy with a client right now.

“We need SQL injection rules in the WAF”

“But we don’t have an SQL database”

“But we need to protect against the possibility of partnering with another company that needs to use the same datasets and wants to import them into a SQL database”

In fairness, these people are just trying to do their job too. They get told by NIST (et al) and cloud service providers that a WAF is best practice. So it’s no wonder they’d trust these snake oil salesmen over the developers who are asking not to do something “security” related.

replies(1): >>43800137 #
zelphirkalt No.43800137
If they want to do their job well, how about adding some thinking into the mix, for good measure? It would also be good if they actually knew what they are talking about before trying to tell the engineers what to do.
replies(2): >>43801628 #>>43802111 #
immibis No.43802111
They don't want to do their job well. They want to look like they're doing their job well, to people who don't know how to do the job and whose metrics are completely divorced from actual merit.
replies(1): >>43855174 #
hnlmorg No.43855174
That’s a common misconception taken from an engineer’s perspective, but you have to understand their job isn’t about engineering, it’s about risk mitigation. And when viewed from that perspective, they are doing their job.

The real problem is that the domain has gotten so complicated that a traditional risk mitigation approach is an outdated role and is now better fulfilled by technical staff who specialise in security. But that’s an organisational problem caused by senior management (C-suite and above) rather than a particular individual in that specific role not doing their job well.