Hacker News new | ask | show | jobs
by jhartmann 3474 days ago
Actually, there are some ways to make this very secure that don't take much effort that in are common use around facebook. It is quite easy to build secure thrift services, and to design a thrift api it is just creating a text file with the necessary idl. You can then access the service from most any language by generating the right client. I'm sure same thing goes for gRPC and Stubby on the google side (more familiar with the fbthrift, folly, wangle, proxygen tech stack myself, but I'm sure its just as easy.)
1 comments
dimino 3474 days ago
Ah yes, the "security is quite easy" argument.

As long as people like you think security is easy, people like me will continue to have a job, unfortunately.

link
jhartmann 3474 days ago
I'm not saying its easy, I'm saying a developer using the tools and processes available at a large internet corporation building something small need not be insecure. Basically until we look at the code and the security processes in place, or do pentesting, we have no clue one way or the other. I'm mostly just saying we shouldn't discount something like this automatically as insecure. It might be terrible, it might be very well thought out and have security be one of the most important considerations that was top of mind when he coded it.
link
dimino 3474 days ago
I didn't mean to sound like I'm "discounting" this, though I guess I "discount" everything that hasn't had a cycle of security focused QA, let alone zero QA at all.

I bet, with no information other than what's supplied, that this system is insecure. It's not really a knock on Zuckerberg, just a statement based on my experience. I am totally open to being wrong, I just think we know more than nothing about hobby projects and their propensity to consider security secondary, tertiary, or not at all.

Admittedly, this is Mark Zuckerberg, so who knows, it might have been meticulously coded to be perfect. The guy's a bit of an obsessive, based on what I've read, so I would also not be surprised to find it's tightly locked down and very high quality code. I don't the guy, just the general situation.

link