Ask HN: What are the main reasons why so many systems get hacked? - hoodoof
======
fabulist
The web was built on shaky foundations which cannot support the weight of its
teeming millions.

For instance, 51% (I cannot seem to find the study, perhaps someone else has
it bookmarked) of compromises result from attacks on passwords; many of those
passwords were simply guessed, because humans are neither skilled at producing
random output nor at remembering long, complex strings. Passwords are a poor
solution, and it is the wildest dream of the information security industry to
replace them, but it is a slow venture.

Security is also quite fickle. What is safe in one environment can be
dangerous in another. tar has pretty solid defenses against directory
traversal; you have to invoke it with options that explicitly allow files to
be placed outside of your current directory, if that behavior is desired.
Except wait, is there a symlink to / in that directory? Never mind then, you
can place files where you'd like. Raise your hand if you knew that.
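
A pre-extraction audit for the symlink case described above, added here as an example; it is not part of fabulist's comment or of any tar implementation. It assumes a destination of /srv/extract and builds a constructed archive in memory (the entry names docs/readme.txt, out and out/var/note.txt are made up), then reports which entries would land outside the destination, including a file whose path passes through a symlink the same archive declares.

```python
import io
import posixpath
import tarfile

def _inside(base, full):
    """True if normalised absolute path `full` is at or below `base`."""
    return (posixpath.normpath(full) + "/").startswith(base + "/")

def escaping_members(tar, dest="/srv/extract"):
    """Audit a TarFile before extraction: [(name, reason)] for entries that
    would land outside dest, including files routed through archive symlinks."""
    dest = posixpath.normpath(dest)
    links, findings = {}, []   # links: symlink path -> absolute target path
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if name.startswith("/") or name.split("/")[0] == "..":
            findings.append((m.name, "absolute path or parent traversal"))
            continue
        if m.issym():
            target = (m.linkname if m.linkname.startswith("/") else
                      posixpath.join(dest, posixpath.dirname(name), m.linkname))
            links[name] = target = posixpath.normpath(target)
            if not _inside(dest, target):
                findings.append((m.name, "symlink points outside destination"))
            continue
        # A file under a symlink from this same archive lands where it points.
        resolved = posixpath.join(dest, name)
        for link, target in links.items():
            if name == link or name.startswith(link + "/"):
                resolved = posixpath.join(target, name[len(link) + 1:])
                break
        if not _inside(dest, resolved):
            findings.append((m.name, "path resolves outside destination"))
    return findings

def build_demo_archive():
    """Constructed in-memory sample: benign file, symlink 'out' -> '/', and a
    file whose path passes through that symlink (assumed names, not real)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in ("docs/readme.txt", "out", "out/var/note.txt"):
            info = tarfile.TarInfo(path)
            if path == "out":
                info.type, info.linkname = tarfile.SYMTYPE, "/"
                tar.addfile(info)
            else:
                info.size = 6
                tar.addfile(info, io.BytesIO(b"hello\n"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

The audit works purely on member metadata, so it complements rather than replaces whatever filtering the extractor itself applies on disk.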

------
twunde
1. Many companies don't have dedicated security resources. If the choice is
between adding security or getting a new feature out, most companies will
choose the new feature.

2. Security is a moving target, so even if an application was made with the best
security standards, if it's not being actively maintained, new security
attacks will get through. New 0-days come out on a regular basis.

3. Security needs to be perfect or close to it. An attacker only needs to
find one critical vulnerability or be able to tie together a handful of medium
and lower-severity bugs.

------
Perdition
Companies don't care about security and don't pay for security professionals.

Most big hacks could have either been prevented, or detected and limited, if
the company had a proper security team with the authority to make the changes
needed.

It will take legislation increasing the liability for companies before this
gets fixed. The Internet of Things in particular is going to be a massive
problem unless manufacturers are liable for the security of their products.

------
informatimago
Because they all use the same system, the same software.

This is the Monsanto problem: lack of genetic diversity.

~~~
fabulist
This really isn't true in any common cases. For instance web frameworks are
making SQLi and CSRF, and to a lesser extent XSS, less common. When everyone
was rewriting the same code in their CGIs over and over again, many of them
got it wrong and opened themselves up to these attacks. While it is true that
standardizing on a small number of stacks can increase the effectiveness of
0day exploits, they are not responsible for the majority of break-ins.

