Hacker News new | past | comments | ask | show | jobs | submit login

It's 2011. Why are people still surprised when some blatant hole is found in a site? Does everyone just delude themselves into thinking "oh, they HAVE to be secure"? That old cliche 'nothing is totally secure' is almost right: the reality is, everything is mostly-not secure.

Tips on never getting caught with your pants down by a 3rd party service:

1. Never ever rely on a service maintained by a 3rd party to remain secure. Just assume they will be compromised in the near future (including your password).

2. Make your password strong but don't reuse it; save it in your browser password cache or keyring. Use a memorized really-freaking-difficult master password for the browser cache/keyring.

3. Use NoScript and updated browsers to help prevent XSS and other simple attacks from compromising your cached cookies.

4. Encrypt all sensitive stored information yourself using a well-vetted tool such as gpg, openssl, etc and store the encrypted files on the 3rd party service.

5. Keep hard copies of your secure files, keys, etc in a secure location. 'The Cloud' is not a backup, it's a trap.

> That old cliche 'nothing is totally secure' is almost right: the reality is, everything is mostly-not secure.

A security hole is one thing, but something like being able to log into anyone's account with whatever you'd like as the password? Or changing a digit in a URL and accessing someone else's account? Come on, that's like the guards at Fort Knox leaving all of the doors open directly to the gold, or the Secret Service collectively going out for a smoke break during a presidential parade.

If you're relying on a cloud-hosted startup to secure gold or the president, you're doing it very, very, very wrong.

The level of complexity of an attack and the ridiculousness of a hole are almost completely arbitrary in terms of compromising the security of a service. The biggest attacks of the past 6 months were performed either using social engineered credentials or extremely common web application vulnerabilities (so common that probably every hole used is on OWASP's Top 10 security holes).

The only reason Fort Knox or the Secret Service works is because it relies on humans spending 100% of their time actively focusing on security, 24 hours a day, every day. No web service I have ever heard of has that level of security.

As far as this particular hole: it's probably a bug somebody left in some code by accident and nobody foresaw the consequences. There are bugs like this in every system. The only reason you don't see more of these holes is because either nobody's looking for them or somebody found it and is keeping it very secret.

_Because I pay for a secure service_. Sure, I'm not stupid and I realize that it conceivably could be hacked, but I expect the company to respond appropriately and deal with security proactively. I ask this of all aspects of my computer (including PGP, etc.)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact