Hacker News | rpadovani's comments

> "None of the database guides I followed had warned me about the dangers of exposing a docker containerized database to the internet."

This prompts a reflection: as an industry, we should do a better job of providing solid foundations.

When I check tutorials on how to drill in the wall, there is (almost) no warning about how I could lose a finger doing so. It is expected that I know I should be careful around power tools.

How do we make some information part of the common sense? "Minimize the surface of exposure on the Internet" should be drilled into everyone, but we are clearly not there yet.


I don't think it's that unreasonable for a database guide not to mention it. This is more of a general server/Docker security thing. Just as I wouldn't expect an application guide to tell me not to use Windows XP because it's insecure.

Most general guides regarding Docker, on the other hand, mention not to expose containers directly to the internet and, if a container has to be exposed, to do so behind a reverse proxy.


> if a container has to be exposed to do so behind a reverse proxy.

I see this mentioned everywhere in the comments here, but they seem to miss that the author explicitly wanted it to be exposed, and the compromise would have happened regardless of whether the traffic went directly to the container or via a reverse proxy.

The proper fix for OP is to learn about private networks, not put a reverse proxy in front and still leave it running on the public internet...


> as an industry, we should do a better job of providing solid foundations.

Here is the fundamental confusion: programming is not an industry, it is a (ubiquitous) type of tooling used by industries.

Software itself is insecure in its tooling and in its deployment. So we now have a security industry struggling to improve software.

Some software companies are trying to improve but software in the $cloud is just as big a mess as software on work devices and personal devices.


> When I check tutorials on how to drill in the wall, there is (almost) no warning about how I could lose a finger doing so. It is expected that I know I should be careful around power tools.

I think the analogy and the example work better when the warning is that you should be careful when drilling in walls because there may be an electrical wire that will be damaged.


To your point, guides don't warn too much about electrical wires because code and practices make it really hard to do. Code requires metal plates where electrical wires go through studs so you can't drill into them, and every stud finder in existence these days also detects AC behind them.

We didn't make the guides better, we made the tradespeople make it so any novice can't burn down the house by not following a poorly written tutorial.


> We didn't make the guides better

That sucks, because that means anything built not to that standard (which I guess is a US one?) could lead the person to hurt themselves/the house.

One doesn't exclude the other, and most likely both are needed if you're aiming to actually eliminate the problem as well as you can.


> every stud finder in existence these days

Slightly pedantic point of order: you mean to say every stud finder for sale these days, not in existence, for the old stud finders still exist.

Okay, that's all. Carry on.


If we're being pedantic, then I'd say "old stud finders" are still being sold (second hand for example), so "every stud finder for sale these days" isn't correct either.

Best to just say "most" or "some" to cover all corner cases :)


or, if not sealed up properly, provides an avenue for pests to crawl through.


Probably the "we can do everything and anything right now easy peasy, for serious or just for the heck of it" attitude needs to be dialed down. The industry promises the heavens and devilish charm while releasing not even half-cooked unnecessary garbage sometimes, that has bells and whistles to distract from the poor quality and not-thought-through, rushed illusions, that can chop all your imaginary limbs off in a sidestep or even without complete uninterrupted attention.

Things potentially making big trouble like circular saw tables have pretty elaborate protection mechanisms built in. Rails in high places, seatbelts, safety locks come to mind, as well as countless unmentioned ones protecting those paying attention and those who do not alike. Of course, decades of serious accidents prompted these measures and mostly it is regulated now, not being a courtesy of the manufacturer; other industries matured to this level. Probably the IT industry needs some growing up still and less children playing adults - some kicking in the ass for making such rubbishly dangerous solutions. Less magic, more down-to-earth reliability.


Between MongoDB running without a password by default and quick start guides brushing over anything security related, the industry can use a more security-conscious mindset.

However, security is hard and people will drop interest in your project if it doesn't work automatically within five minutes.

The hard part is at what experience level the warnings can stop. Surely developer documentation doesn't need the "docker exposes ports by default" lesson repeated every single time, but there are a _lot_ of "beginner" tutorials on how to set up software through containers that ignore any security stuff.

For instance, when I Google "how to set up postgres on docker", this article was returned, clearly aimed at beginners: https://medium.com/@jewelski/quickly-set-up-a-local-postgres... This will set up a simply-guessable password on both postgres and pgadmin, open from the wider network without warning. Not so bad when run on a VM or Linux computer, quite terrible when used for a small project on a public cloud host.

The problems caused by these missing warnings are almost always the result of lacking knowledge about how Docker configures its networks, or how (Linux) firewalls in general work. However, most developers I've met don't know or care about these details. Networking is complicated beyond the bare basics and security gets in the way.

With absolutely minimal impact on usability, all those guides that open ports to the entire internet can just prepend 127.0.0.1 to their port definitions. Everyone who knows what they're doing will remove them when necessary, and the beginners need to read and figure out how to open ports if they do want them exposed to the internet.
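One way to mechanise the loopback suggestion above, as an added example that is not code from this thread or from Docker: it parses Compose short-syntax port mappings, flags those that bind every interface, and rewrites them with 127.0.0.1 prepended. The compose text, sample names and all function names are constructed for the example.

```python
"""Audit docker-compose `ports:` items (short string syntax) that bind every
interface and pin them to loopback. Added example for this thread, not code
from any project; the compose text at the bottom is constructed."""
import re
from typing import NamedTuple, Optional

class PortMapping(NamedTuple):
    host_ip: Optional[str]    # None or 0.0.0.0 means every interface
    host_port: Optional[str]  # None means Docker picks an ephemeral host port
    container_port: str
    proto: str

def parse_port_mapping(spec: str) -> PortMapping:
    """Parse [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO] (IPv4 host only)."""
    spec, proto = spec.strip().strip("\"'"), "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if len(parts) == 1:
        return PortMapping(None, None, parts[0], proto)
    if len(parts) == 2:
        return PortMapping(None, parts[0], parts[1], proto)
    if len(parts) == 3:
        return PortMapping(parts[0], parts[1], parts[2], proto)
    raise ValueError(f"unsupported port spec: {spec!r}")

def is_exposed_to_all_interfaces(m: PortMapping) -> bool:
    """Everything under `ports:` is published; with no address Docker binds all
    interfaces, and its own iptables rules bypass a plain host INPUT firewall."""
    return m.host_ip in (None, "0.0.0.0")

def harden(m: PortMapping) -> str:
    """Render the mapping with 127.0.0.1 prepended where no address was given."""
    if is_exposed_to_all_interfaces(m):
        m = m._replace(host_ip="127.0.0.1")
    s = f"{m.host_ip}:{m.host_port or ''}:{m.container_port}"  # '::' keeps ephemeral
    return s if m.proto == "tcp" else f"{s}/{m.proto}"

# One YAML list item: indent and dash, optional quote, the spec, trailing comment.
PORT_LINE = re.compile(r'^(\s*-\s*)(["\']?)([^"\'#\s]+)\2(\s*(?:#.*)?)$')
def audit_compose(text: str) -> tuple:
    """Rewrite exposed items in every `ports:` list; return (fixed_text, findings)
    with one "old -> new" string per change. Inline `ports: [...]` is skipped."""
    out, findings, in_ports = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ports:"):
            in_ports = True
        elif not stripped.startswith("-"):
            in_ports = False  # any other key ends the list
        m = PORT_LINE.match(line) if in_ports else None
        if m and is_exposed_to_all_interfaces(mapping := parse_port_mapping(m.group(3))):
            fixed = harden(mapping)
            findings.append(f"{m.group(3)} -> {fixed}")
            line = f"{m.group(1)}{m.group(2)}{fixed}{m.group(2)}{m.group(4)}"
        out.append(line)
    return "\n".join(out), findings

SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres
    ports:
      - "5432:5432"            # no address: published on every interface
      - 127.0.0.1:9000:9000    # already loopback-only, left untouched
"""
```

Running `audit_compose(SAMPLE_COMPOSE)` reports the one exposed item and returns the file with that line rewritten; anyone who really wants a port public removes the address again, which is the deliberate step the comment argues for.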


That's an interesting takeaway. I just quoted the exact same line from the blog to a friend, with my response being

> why didn't somebody stop me?!

I'm not sure if "the industry" has a problem with relaying the reality that: the internet is full of malicious people that will try to hack you.

My takeaway was closer to: the author knew better but thought some mix of 1) no one would provide incomplete information, 2) I'm not a target, 3) containers are magic and are safe. I say that because they admit as much immediately following.

> Ofcourse I password protected it, but seeing as it was meant to be temporary, I didn't dive into securing it properly.


Just like people shouldn't just buy industrial welding machines, SCUBA equipment or a parachute and "wing it" I think the same can be said here.

As a society we already have the structures set up: the author had been more than welcome to attend a course or a study programme in server administration that would prepare them to run their own server.

I myself wouldn't even venture into exposing a server to the internet to maintain it in my free time, and that is with a postgraduate degree in an engineering field and more than 20 years of experience.


> Just like people shouldn't just buy industrial welding machines, SCUBA equipment or a parachute and "wing it" I think the same can be said here.

I find this to be extremely sad.

Unlike welding or diving, there is no inherent physical risk to life and limb to running a server. I should be able to stand up a server and leaving it running, unattended and unadministered, and then come back to it 20 years later to find it happily humming along unpwned. The fact that this isn't true isn't due to any sort of physical inevitability, it's just because we, the collective technologists, are shit at what we do.


No. It's not so easy because in most cases you have to choose between security, flexibility and usability. Obviously it's not a 100% accurate example but generally speaking, it tends to be true. Sum it up over several decades of development and you get why we cannot have something that it's really really easy to use, flexible and secure by default.


We do, it's called FreeBSD. In my experience, many Linux distributions also qualify. To keep a modern *nix secure and up to date is simple.


Which would help exactly 0 in this scenario, where someone is exposing a port directly on the Internet. Also, FreeBSD is even more niche than Linux, I doubt it would stand the average user stress test.


Absolutely it would, because jails don't do weird shit like this from the get-go. With FreeBSD, you have to deliberately open ports, not the other way around. I don't understand your second sentence. "average user stress test"??


> With FreeBSD, you have to deliberately open ports

The issue outlined in the article happened because the author deliberately opened their service to the public internet. Replacing Linux with FreeBSD wouldn't have prevented the compromise.


What motivates this attitude? Software, like anything else, needs to be actively maintained. This is a positive sign of technology evolution and improvement over time. To expect to run some software for 20 years without needing to apply a single security patch is ridiculous, and probably exactly the attitude that caused the author to get himself in this situation.


> To expect to run some software for 20 years without needing to apply a single security patch is ridiculous

The whole point of my comment is that it's only "ridiculous" because of path dependency and the choices that we have made. There's no inherent need for this to be true, and to think otherwise is just learned helplessness.


Has there ever been any production software ever written that didn’t suffer from some kind of bug or exploit?

I don’t think imperfection is a choice we’ve made. I think imperfection is part of our nature.

That said, the current state of software development is absolutely a choice, and a shockingly poor one in my opinion.


Better security design fixes this. Sandstorm fixed this for self-hosters ten years ago (Sandstorm is designed to run unmaintained or actively malicious apps relatively safely), but people are still choosing the quick and easy path over the secure one.


This is so true.

Sandstorm has been part of my selfhosted stack since it was a start-up, and it has worked for a decade with virtually zero attention, and no exploits I am aware of.

If there are other hosted apps that want a really easy on-ramp for new users: packaging for sandstorm is an easy way to create one.


>Unlike welding or diving, there is no inherent physical risk to life and limb to running a server.

Good news! There is no inherent risk to life or limb because you left your server exposed. As OP discovered, you might come back to find it running a crypto miner, and that's just really not that big of a deal. Maybe we're not all shit at what we do, but rather we have appropriately valued the seriousness of the risks involved, and made the decision that locking everything down to be impossible to hack isn't actually worth the trade-offs to usability, convenience, and freedom.

You can leave your iPad running, unattended and unadministered, for 20 years if that's what you wanted, and come back to find it un-pwned.


There is quite a distance from

> stand up a server and leaving it running, unattended and unadministered

to, what was my proposition, maintain a server with active access from the internet.

Just what you describe I do myself: I have several home servers running, but none accept incoming connections from the internet and the security surface is much smaller.


You can't just click a few buttons and have industrial machinery - and when you DO get it there's a ton of safety warnings on and around it. And I don't agree with your fundamental premise; self owned computing should be for everyone. It shouldn't be - at least for some subset of basics - arcane or onerous.


Like your sibling, I think you also misunderstand my statement: I do run local servers, but none are connected to the internet.

I definitely believe it is for all to have a NAS server, a home assistant, or a NUC setup to run some docker containers.

Just don't let them accept connections from the internet.

For most normal home setups it is actually super hard to make them accept incoming requests, as you need to set up port forwarding or put the server in front of your router.

The default is that the server is not reachable from the internet.


You absolutely can. Have you a credit card and a web browser? You can buy all sorts of heavy machinery and have it shipped to your door!


You've introduced a new element here - the credit card. And if you did have the money and whimsy it'd still show up with (regulated, mandatory, industry-standardized) safety documentation.


The credit card (or rather, money) was required to purchase the computer, much like it's required to purchase other power tools or industrial machinery.


I guess that depends where you order from. You can get some crazy machines from Alibaba/Aliexpress and the “documentation” they come with is usually… well it leaves a lot to be desired.


Most computing people have at home is some locked-down cloud crap which neither you nor an attacker can do anything with.

It's not hackable, though, in the original sense of the word, so not interesting to the crowd at HN. Docker is, for everybody, good and bad.


I guess we have different risk tolerances.

The best way to learn is to do. Sure, you might make some mistakes along the way, but fuck it. That’s how you learn.


And yet, OP here seems very comfortable with computer stuff. Can't imagine about the regular Joe buying a NAS from Synology and all the promises made by the company.


These are not, per default, exposed to the internet.


It is widely known not to expose anything to the public internet unless it's hardened and/or sandboxed. A random service you use for playing around definitely does not meet this description and most people do know that, just like what a power tool can do with your fingers.


Because English is not the mother tongue for the majority of the people, and correctors fix typos, but not swapped words, unless you use something like Grammarly.

Pointing out mistakes is fine; being emphatic while doing it would be great.


Loads of native speakers get the lose/loose thing wrong too.


I read "emphatic" as "empathetic", also proving your point, I suppose.


They still do switches, what remotes are you referring to?



Yeah, but with the ability to change the colour as well, and stuff like that. i.e. basically do everything you can, except without an app.

Something like this: https://ae01.alicdn.com/kf/HTB1bweoSVXXXXbHXFXXq6xXFXXXG/New...

Maybe I missed it, but from the material that was available to me without actually buying one of these things, this seemed impossible: the boxes and stores didn't have any remotes, and I couldn't find anything on the website. If it is possible, then it's hidden pretty well and people are steered towards that app pretty strongly.


Probably color control?


Beginning in 2013, there is the semester ticket for students, which is twenty euros per month.

Before that, 70 euros? Where were you living, Freising?

Two external rings were around 50 euros at the time, and many students rent inside the (old) 4 inner rings, or the first external one if you study in Garching.


Munich. And TUM is at Garching. And I paid 70. I know what I paid. It was 70 every month, year after year.


I believe you paid 70 euros. I just wanted to highlight that, beginning in 2013, that's not a problem anymore thanks to the Semesterticket.


Uhm, what?

If you live with your parents, and the university is free, where does that number come from?

And if you don't live with your parents, you live with other students, spending 600-1000 euros a month for living; how do you reach those numbers?


Bachelor + Masters is 10 semesters usually. 1000 * 12 * 5 = 60.000. Well in the range that I quoted. And depending on the city the actual costs can be more.


Ah, but then your first comment is highly misleading, because when you talk numbers, readers assume cost per year.

You are basically saying that living in Europe in a university city costs anything between 6000 and 20000 euros each year.

Maybe a bit high, but I think I can agree.

But living is a cost all around the world, and universities in Europe add a very low overhead on top of it, while universities in the US can easily triple your cost of living, so I still don't see your point.


Really? I never thought that could possibly be interpreted as cost per year. I can clarify that.

My point is that the statement that salaries can be low because university has no cost is wrong. The cost is significant even without tuition and therefore salaries absolutely matter.

And without even a shred of doubt, a US tech salary of supposedly around 150k compared to perhaps 80k in Germany more than balances the extra costs for university over a time of 20 years that the kids grow up.


>Really? I never thought that could possibly be interpreted as cost per year. I can clarify that

Well, 30k-100k is about right for the annual cost of undergrad in the US and school costs are much more commonly discussed as per year than in total around here.

>My point is that the statement that salaries can be low because university has no cost is wrong. The cost is significant even without tuition and therefore salaries absolutely matter.

That seems a bit misleading as well. Almost all of that cost is unrelated to university attendance. People incur costs for food and rent regardless of whether they're university students.


I count 10 European companies on this list, and 20 US.

Maybe it's not as bad as you think?

https://en.wikipedia.org/wiki/List_of_largest_companies_by_r...


I only count 6. Switzerland and the UK are not part of the EU. (The article is about the EU, not Europe)


> The article is about the EU, not Europe

The thread you're commenting in is about whether workers can still do good things even if they get breaks, not whether they're currently a member state.

A cursory googling says that Swiss workers get 4 weeks and UK workers get 5.6.


You know that you _choose_ to be a policeman, right? It's not that you are born a policeman.

I can definitely say all killers are rotten inside, and it's a blanket statement.


Do you have any sources? According to Wikipedia, this regulation applies only in Australia, UK, and Taiwan.

Germany and Italy have the latches for sure.


I do not, I just thought I read it somewhere years ago that it was an EU regulation... as you're saying it's allowed in parts of the EU I guess it can't be!


I'm not sure if this was exaggerated on our side of the strait, but here we read quite a lot about Brexit politicians (including Boris Johnson) complaining about made-up EU regulations they'd have to follow (a famous example was the ban on curved bananas).


I don't think this was one of them, this was my error/misremembering, as we've never had those latches on our fuel pumps.

And don't get me started on Brexit and BoJo the clown... I'm still angry about that to this day


I am curious on how this will reflect on the Ukraine invasion: as far as I understand, Wagner was a huge source of soldiers on the front lines.

I am sure this coup, however it ends, is a major source of distraction from the war. Meanwhile, Ukraine is pushing east: will they be able to use this coup to liberate some territories?


Surely at least part of the regular Russian army will have to be pulled back to defend Moscow.


The big question, the only question that really matters at this point, is will the Russian military remain loyal?

If they don't then it's all over for Putin.


An additional question would be: how many experienced groups do they have vs new conscripts with minimal training?


CWA was using the Exposure Notifications from Apple and Google[0].

Exposure Notifications is not an app, but a framework and a protocol, and CWA was an implementation of it, hooking into the features developed by Apple and Google for iOS and Android.

[0]: https://github.com/corona-warn-app/cwa-documentation/blob/ma...


Ah, I was under the impression Google and Apple had created their own separate apps and these third-party apps merely worked on the same principle. It's interesting that the document you linked indicates the interoperability between different countries' apps was down to an EU-wide standard. I guess this meant the apps of different EU countries were compatible but only with each other.

