
Indeed. The level of security failure was pretty incredible. They named media serially (So, pics/1.jpg, pics/2.jpg, etc.) and did not have any validation that you were allowed to access what you were grabbing so it was literally as easy as possible to grab everything. Oh, and did I mention that private messages were also fully accessible?
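An added illustration (not code from the thread or from the platform discussed) of the two defects this comment describes, sequential object ids and no per-object authorization check, beside a hardened form; all names and sample data are constructed:

```python
# Added example (not the thread's code): the failure mode described above,
# sequential ids with no authorization check, beside a hardened version.
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Media:
    owner: str
    path: str
    private: bool

# Constructed sample store: sequential ids make bulk enumeration trivial.
MEDIA = {
    "1": Media(owner="alice", path="pics/1.jpg", private=False),
    "2": Media(owner="alice", path="pics/2.jpg", private=True),
    "3": Media(owner="bob", path="pics/3.jpg", private=True),
}

def vulnerable_fetch(media_id: str) -> str:
    """Vulnerable: any caller who supplies an id gets the file."""
    return MEDIA[media_id].path

class Forbidden(Exception):
    """Raised for any request the caller is not entitled to."""

def hardened_fetch(media_id: str, requester: str) -> str:
    """Hardened: ownership checked per object; missing and forbidden ids
    get the same response so the endpoint does not reveal which ids exist."""
    item = MEDIA.get(media_id)
    if item is None or (item.private and item.owner != requester):
        raise Forbidden(media_id)
    return item.path

def is_denied(media_id: str, requester: str) -> bool:
    """True when hardened_fetch refuses the request (used by the checks)."""
    try:
        hardened_fetch(media_id, requester)
    except Forbidden:
        return True
    return False

def new_media_id() -> str:
    """Defence in depth: unguessable ids stop enumeration, but only the
    authorization check above stops disclosure to a caller who has an id."""
    return secrets.token_urlsafe(16)
```

The same check applies to any per-user object, private messages included; random ids alone would not have fixed the access-control gap the comment describes.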



So Gab's strategy (fork Mastodon) looks solid for security, but they hit performance issues because Mastodon isn't made for such scale.


Mastodon scales horizontally until PostgreSQL becomes the bottleneck:

https://docs.joinmastodon.org/admin/scaling/


they needed a platform that would not need to scale before the database server becomes a bottleneck


I am convinced this was an inside job. There is simply no way someone can be this incompetent without willful intent.


Ever worked for a startup? This is what "move fast, break things" does.


This happens at established firms as often as startups.


I have but only at competent ones. Nothing this flagrantly bad.


I’ve seen not quite this bad but definitely in the same order of magnitude


I disagree, incompetence is rampant. I worked for a healthcare company who kept its data at a Dell security center. One of their people ran a SQL script that deleted millions of billing records. They informed us later that they could not recover the data because every 24 hours they were writing over the one backup they kept. We had missed the window by a few hours.


You take shortcuts. Saying you’ll fix it later. Which never happens because you’re busy on the next feature that is riddled with the next set of shortcuts.

It happens.


Let me introduce you to every early stage startup in the world. Plenty of mature companies also have completely abysmal security practices


I wish I could disclose some of the incompetence I’ve encountered to persuade you otherwise. The reason there aren’t breaches like this of nearly all systems isn’t because most systems are better protected, it’s because no one’s interest (or they’re not interested for the purposes of sharing).


You'd be surprised how incompetent people can be when it comes to security. Nothing i have heard so far would really surprise me for a small startup with very rapid growth.


A career in looking at the guts of companies later, I can assure you that is very much possible.



