(blogs.cisco.com)

166 points rldjbpin | 1 comments | 03 Sep 25 08:18 UTC | HN request time: 0s | source

Show context

ekianjo ◴[03 Sep 25 10:02 UTC] No.45114004[source]▶

>>45113418 (OP) #

Ollama has no auth mechanism by default... You have to wonder why they never focused on that

replies(6): >>45114024 #>>45114056 #>>45114140 #>>45114531 #>>45115062 #>>45116572 #

47282847 ◴[03 Sep 25 10:25 UTC] No.45114140[source]▶

>>45114004 #

Separation of concerns?

If you deploy a power plug outside your house, is it the fault of the power plug designer if people steal your power?

Put it behind a webserver with basic auth or whatever you fancy, done.

replies(1): >>45114194 #

ekianjo ◴[03 Sep 25 10:36 UTC] No.45114194[source]▶

>>45114140 #

Bad analogies are bad analogies. ollama is a server system, it should expect to connect with more than one client and they know very well by now that this also means networked clients. If you create a server client protocol, implementing security is your job.

replies(5): >>45114234 #>>45114298 #>>45116601 #>>45116716 #>>45117190 #

1. graemep ◴[03 Sep 25 10:53 UTC] No.45114298[source]▶

>>45114194 #

Lots of servers do not, Redis for instance does not have auth by default, and IIRC did not have auth at all for a long time.

↑

Finding thousands of exposed Ollama instances using Shodan