by lsaferite 3837 days ago
I think the point is that, after the first bug report those credentials SHOULD NOT WORK because their job should have included revoking ANYTHING that system had access to. How did they know Wes was the first person to find that bug and the linked credentials?

So, the fact that those credentials still worked a month later is a HUGE FUCKING DEAL! Alex, the consummate professional, didn't do his job and instead had a knee-jerk reaction to someone slapping that fact in his face.

2 comments

It has been incredibly interesting reading through those threads. People are arguing two completely different arguments. tptacek is saying that the dude keeping AWS keys without disclosing this was bad and the guy is lucky not to get an early-morning wake-up call from men with guns. slewis, comex et al. are saying that Facebook not locking down and later disabling AWS keys was bad and Facebook was lucky they didn't get sold on the black market. Both sides are correct but it's informative who makes which arguments.
That's not what I said. I took issue with tptacek's statement that there was only one bug.
Exactly.

Notwithstanding the fact that AWS credentials should be very narrow in scope.