by DyslexicAtheist 3448 days ago
"hack" is the wrong word considering we're talking about DB instances exposed to the Internet without access controls.

Please don't say "hack" when you've been auto-pwned by something that uses an OWASP TOP-10 to get you. It's carelessness, inexperience, possibly negligence or anything in between. But for sure it is not a hack!


Using "hack" to refer to this is like leaving your front door wide open and referring to being robbed as an Ocean's 11 style escapade.
I'd argue this metaphor is why it IS appropriate to use the word "hack" here.

If you left your door unlocked and someone stole your stuff, that's still a robbery.

If you left your database accidentally misconfigured and someone stole your data and left you an extortion notice, that's still a "hack".

Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?

> If you left your door unlocked and someone stole your stuff, that's still a robbery.

True, but hack in this context would be metaphorically closer to "breaking and entering". If your door is open, you've only got the latter half (from an English, not legal, definition).

> If you left your database accidentally misconfigured and someone stole your data and left you an extortion notice, that's still a "hack".

I suppose it's a matter of semantics for me. If I use the word "hack" I'd expect a bare level of finesse to get past some defense or prevention system.

> Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?

Not in my book. They're all terrible decisions but then again anything that involves "Using X without understanding the implications of the default set up of X" tends to be a terrible decision.

I don't think you quite understand the comment you're replying to. By my reading at least, it's saying "hack" = "heist" and that "heist" is being used somewhere where "robbery" is more appropriate.

I agree that if you leave your door unlocked, it's a robbery but it's not a heist. Likewise, if you leave your database publicly accessible, it's extortion through technical means but it's not hacking.

> Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?

Yes. A service that is configured to be publicly accessible is very different to a service that requires active exploitation. Misconfiguring MongoDB is more like making your Wordpress admin page the home page and removing all login requirements.
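Since the whole thread turns on "publicly accessible with no access control" versus "requires active exploitation", here is a small audit of the two settings in `mongod.conf` that decide which side of that line an instance sits on: `net.bindIp` / `net.bindIpAll` (which interfaces it listens on) and `security.authorization` (whether clients must authenticate). This is an added example, not code from the thread or from the MongoDB project; the sample configs are constructed, and the parser only handles the flat `section: / key: value` subset that mongod.conf uses, not general YAML.

```python
"""Flag the 'listens on every interface, no auth' mongod.conf pattern.

Added example; the sample configs below are constructed, not taken from
any real deployment. Assumptions: mongod 3.6+ semantics, where bindIp
defaults to localhost and security.authorization defaults to disabled.
"""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: the configuration the thread is arguing about.
SAMPLE_OPEN = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed: listens on loopback only and requires authentication.
SAMPLE_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_minimal_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level `section:\\n  key: value` subset of mongod.conf.

    Not a YAML parser: no lists, quoting or deeper nesting (assumption).
    Comments (#) are stripped; unknown layouts are simply ignored.
    """
    conf: Dict[str, Dict[str, str]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):
            # Top-level name opens a section (e.g. "net:", "security:").
            section = key.strip()
            conf.setdefault(section, {})
        elif section:
            conf[section][key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means neither exposed nor unauthenticated."""
    net = conf.get("net", {})
    security = conf.get("security", {})

    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    non_loopback = [a for a in addrs if a not in LOOPBACK]
    exposed = bind_all or bool(non_loopback)
    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"

    findings: List[str] = []
    if bind_all:
        findings.append("net.bindIpAll is true: listening on every interface")
    elif non_loopback:
        findings.append("net.bindIp listens on non-loopback address(es): "
                        + ", ".join(non_loopback))
    if not auth_enabled:
        findings.append("security.authorization is not enabled: "
                        "any client that can connect has full access")
    if exposed and not auth_enabled:
        findings.append("CRITICAL: reachable from the network with no access "
                        "control (the 'open front door' case)")
    return findings


if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(parse_minimal_yaml(text)) or ["no findings"])
```

The two checks are deliberately independent: binding a public interface with authorization enabled is a normal production setup (it still needs a firewall and TLS), and running without authorization on loopback is merely sloppy, but the combination is what turns "someone connected" into "anyone on the Internet could read and delete everything".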