
I first started using Mongo in 2013/4. When I deployed my app, the first thing I did was to change the default port and add authentication, as the manual recommended. I'm an accountant who's a hobbyist developer. I knew very little about security then, but I read the manual.

The insecure defaults were an issue sure, but anyone installing a piece of software in production without at least reading up on config options needs to find another job.

Meanwhile, the FTC sued D-Link over insecure defaults in their cameras.

We need good and consistent rules about this, and "well I was giving it away for free" isn't as clear a boundary as people will think it is.

The FTC sued over insecure defaults because it said "secure" on the box.

IP cameras from China have a number of issues with `calling home` ad hoc. Granted, even after looking at their kernels, I tend to keep them completely on their own subnet, away from the net.

So MongoDB should state 'insecure out of the box' on their home page? Just kidding, sorry.

I don't think it's far-fetched. I'd prefer a disclaimer: "For the convenience of easy testing, the defaults are NOT secure. If you intend to use it productively, read the manual about secure configuration."

I'll comment without knowledge about the D-Link issue that you mention.

I would imagine that if someone were to sue MongoDB Inc. today about the issue in the article, their first defence would be clear documentation that explained/recommended production guidelines.

I don't know if D-Link had similar, but then again legal systems sometimes produce weird results that don't seem rational.

I agree that we need good and consistent rules. In addition to that, we need DevOps/SysAdmins/SREs who are responsible enough to know what they are doing: carefully read the documentation instead of "quickly deploy", only to come back a year later writing soppy "don't use MongoDB or XYZ because we didn't read the manual". :)

MongoDB is on 3.4 now, so I would rhetorically wonder why some people/companies are still on <=2.6. If the data that is being ransomed is that important, it'll be a good lesson to those DB maintainers to upgrade and secure their stack.

There is a huge difference between consumer facing and developer facing products when it comes to needing security out of the box. This isn't even close to a real issue.
