First, I don't believe I need real security; that protects me from most of the worries you cited. I know it's not safe, and I don't care. It's like mail or Gmail or anything: I know someone has access to my data, and I don't care because it's unavoidable / not an issue. You have to trust, but actively try to prove wrong; that weeds out most of the crappy software, like MySQL, MSSQL (lolwut, 32 trigger chain? let's cut it here silently) or others. You have to base your decision on stuff that really works rather than the latest fad, so fck Ruby and all that crap, write in C, that's safe; proof is that even the Chinese and the military have their OS written in C. Proprietary/closed source: you remain paranoid, test it yourself for whatever you can think of, never think it cannot be the cause. Hardware you cannot trust; you have to learn where the limitations are, remain paranoid as well, question the status quo (is ECC really doing its job, or am I just trusting my enterprise data to magic?). Poor decisions that you realize later? Everyone makes mistakes, who cares? IMO the main thing is: don't trust anyone to do it right, especially in IT. Sometimes you come to trust a specific group, like the Linux kernel or pgsql, because they're proven right time and again, and IMO you have to leave it there; I don't want to write an OS at the moment. Most poor security decisions are related to trivial things like:
- using Windows
- not updating your OS / kernel / tart
- using testing tech, like the latest release of Ruby, node.js, mongolianDB, etc.
- not researching tech before using it (i.e. google "mysql ACID", you'll read a few of my posts from when I was pissed off to discover it was in fact just a toy DB with half-implemented features)
- not actively trying to hack/destroy your own creation
- not spending a few K on a honeypot session
- not actually knowing anything about hacking
- not reading about standard hacking tactics, like SQLi for nubs, XSS, MitM HTTPS, tomato launchers and many more, etc.

I'm no security pro, and I wouldn't pretend to be one before winning several honeypots.