by arekkas 3025 days ago
Why are developers of popular database solutions so reluctant to write secure-by-design software? You would guess that some basic form of authentication should be implemented in any internet-facing service. But here we are, after the MongoDB fiasco, still left with thousands of vulnerable services because someone didn't bother to implement basic auth.
2 comments

Because these tools follow the unix philosophy of building single use tools. There are a wide variety of authentication measures that can be composed with databases to secure them. There is really no need to build the authentication into the database itself and in fact doing so would violate a don't repeat yourself ethos.
I believe the intention of the feature is for private clusters; why slow things down by doing auth if everyone in that cluster is approved?

The huge mistake was letting UDP be enabled-by-default
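The practical check behind this thread is finding out, before the internet does, which services on a host are listening on every interface with nothing in front of them. The script below is an added example, not code from anyone in the thread: it parses `ss -lntu`-style output and flags listeners, UDP included, bound to a wildcard address. The sample output is constructed inline (not captured from a real host); 27017 is MongoDB's default port, the UDP port 5555 stands for a hypothetical service, and the column layout assumed is `ss`'s `Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port`.

```python
"""Flag wildcard-bound listeners in `ss -lntu`-style output.

Added example for the discussion above. The sample output is constructed,
not captured from any host, and the column layout assumed is that of
`ss -lntu`: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample. 27017 is MongoDB's default port; 5555 is a hypothetical
# UDP service used only to show that UDP listeners are checked too.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:5555      0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:27017     0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Addresses ss prints for "listen on every interface" (IPv4, IPv6, any).
WILDCARDS = {"0.0.0.0", "[::]", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # local address as printed by ss
    port: int

    @property
    def wildcard(self) -> bool:
        return self.addr in WILDCARDS


def split_addr_port(local: str) -> tuple[str, int]:
    """Split 'host:port'; the host may be a bracketed IPv6 address or '*'."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def parse_ss(output: str) -> list[Listener]:
    """Parse ss output (header line first) into Listener records."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or truncated line
        proto, local = parts[0], parts[4]
        try:
            host, port = split_addr_port(local)
        except ValueError:
            continue  # non-numeric local port; nothing to audit
        listeners.append(Listener(proto, host, port))
    return listeners


def exposed_listeners(output: str,
                      allow_ports: frozenset[int] = frozenset({22})) -> list[Listener]:
    """Wildcard-bound listeners, minus ports allowed because the service
    behind them authenticates by design (SSH on 22 in this example)."""
    return [l for l in parse_ss(output)
            if l.wildcard and l.port not in allow_ports]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {l.proto} {l.addr}:{l.port}")
```

On a real host the input would come from `ss -lntu` itself; the allow list exists because a wildcard bind is only a problem for services that ship without authentication, which is exactly the default the thread complains about.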