[gnarbarian]

"hackers have now hit around 10,500 MongoDB servers. That's about 25% of all MongoDB databases accessible via the Internet. The attacks don't target all MongoDB databases, but only those left accessible via the Internet and without a password on the administrator account."

25% of mongodb installs externally accessible lack a fucking password on the admin account.

They deserve it. Maybe it will teach them something.

[iagooar]

I agree with you, but to me it is a problem that goes back to the people who made the decision of allowing admin accounts without a password. In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything. They make mistakes. Then there is a huge pool of companies who have poorly skilled devs coming from the Wordpress/Drupal/Prestashop/Etc background who many times don't actually know anything about security.

Then there is the fact that MongoDB is known for having a very bad reputation among software engineers. I could personally write down many horror stories that I experienced myself, plus all the things you get to hear from friends and tech blogs.

Maybe after this attack some companies ban it from their software stacks. I really hope they do so. The world would be a better place without MongoDB.

[mdekkers]

> it is a problem that goes back to the people who made the decision of allowing admin accounts without a password.

No. Just.. no.... Security of YOUR system is YOUR responsibility.

> In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything.

Hire one.

> Maybe after this attack some companies ban it from their software stacks.

Or maybe decision makers realise that yes, you do need to pay for skills.

[iagooar]

>> it is a problem that goes back to the people who made the decision of allowing admin accounts without a password. > No. Just.. no.... Security of YOUR system is YOUR responsibility.

I agree. But what you are saying has nothing to do with whether a database should have sane defaults or not.

>> In a world where software stacks have multiple applications, programming languages and databases, it happens that people are not experts in everything. > Hire one.

You seem not to know much about the real world out there. Companies are struggling A LOT to find ANY people at all.

>> Maybe after this attack some companies ban it from their software stacks. > Or maybe decision makers realise that yes, you do need to pay for skills.

More money is not going to magically increase the pool of skilled software engineers around the world. If all the companies in the world increased what they pay, nothing would change, besides the fact that they would spend more money.

[mdekkers]

> [...] sane defaults [...]

Defaults - sane or not - lead to exactly these types of situations. It encourages "it's good enough" thinking, and dilutes the feeling of responsibility.

> You seem not to know much about the real world out there.

yeah, yeah... yawn.

> Companies are struggling A LOT to find ANY people at all.

Uhm, not companies that are willing to pay good money for good devs/devops/sysadmins.

> More money is not going to magically increase the pool of skilled software engineers around the world.

I would argue that it is the software developers' job to develop software. It would be a sysadmin/devops type person to look after the infrastructure, and make sure it is properly secured. I see so many job ads for a single role (developer, engineer, CTO, whatever) and then a jobdescription for "must be able to do everything related to any aspect of all our IT". Hilarious.

[sgt101]

Could you please write down your horror stories - I am constantly battling to stop MDB being used at work for a variety of reasons (the main one is architectural consistency to drive down legacy costs) so any ammo is much appreciated.

[mdekkers]

> They deserve it. Maybe it will teach them something.

My thoughts exactly.

[ubersoldat2k7]

So it's a problem that Mongo can't handle dumb ass admins? Yeah Mongo, you suck!

[iagooar]

There is a thing in software that is called "sane defaults". Some of the best software tools in existence are a mix of a solid base AND sane defaults. If you have a crappy base and dubious defaults, your software probably sucks.