[romanhn]

being starved of money for years by advertisers, payment providers, and service providers

Given the language in this announcement that lays blame at everyone else's feet except the people responsible for maintaining the platform, I'm pretty sure that no lessons were learned, and that the security is not likely to improve beyond whatever bandaids that were needed to address this hack.

[bradly]

Even when talking about themselves in the article they mostly focus on some hardware server business.

In software outdated dependencies are vulnerabilities. The tech leadership knew this tradeoff and closed their eyes and hoped they'd get to it before someone else did. They did not and you shouldn't expect to be able to either.

If you do not have the resources to support the continual, ongoing updating of a dep, you do not the resources to add said dep.

[ivraatiems]

How likely is it that the attacker, who now has all of their source code, has already identified several additional vulnerabilities they can use? Seems pretty likely to me.

I don't think advertisers, payment providers, service providers, or hardware vendors told 4chan what version of OpenBSD to run or how often to update packages. Those are tasks that require time and effort, yes, but they're not herculean. They could have been done. I think laziness and disinterest are the more likely reasons.

[transcriptase]

Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. The only difference is they put out a vague generic corpospeak statement whereas this one admitted it was caused by a skeleton crew on a shoestring budget getting caught out. Given the nature of their user base and how many others would love to see 4chan go down, if things were as bad as you imply then hackers would be taking the site down weekly.

[MichaelZuo]

Source?

I have never heard of a bank’s core mainframes being hacked in the last decade (outside of pen tests), even for mid size banks outside the global top 100.

[transcriptase]

https://www.brightdefense.com/resources/recent-data-breaches...

[MichaelZuo]

These are not the core mainframes… the only parts that actually get what might be called lavish spending on security.

Everything else outside of that… banks obviously have incentives to cut security spending to as low as possible.

[transcriptase]

Nobody is comparing 4chan to bank mainframes except you. I can’t give a source for something I didn’t claim in the first place.

[MichaelZuo]

Are you confused?

The claim was “ Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. ”

Banking core mainframes are the only thing I know of that gets anwhere near that kind of claim in terms of money, staff, and “robust security practices” 24/7/365.

And even then it’s far from infinite.

[sjdrc]

What are you talking about? There are massive breaches of huge companies who should be doing better all the time.

In 2017: > More than 40% of the population of America was potentially impacted by the Equifax data breach.

In 2022: > In September 2022, Optus experienced a major data breach that exposed the personal information of millions of customers

That's just 2 off the top of my head.

[MichaelZuo]

Did you miss the words “bank” and “core mainframes”?

i.e. what they actually might spend millions of dollars per week on securing.

[meinersbur]

Because only a hacked "core mainframe" (definition please) of a bank can excuse the lack of resources at 4chan? Only accepting overly specific evidence is a neat trick to never lose an argument.

[stego-tech]

So…it sounds like typical 4chan?

[ForOldHack]

"We are still standing..." with our pants around our ankles, running around headless, seamless, breathless, brainless.

"I'm pretty sure that no lessons were learned." I would bet that was the case.