[HN Gopher] Rookie coding mistake prior to Gab hack came from si...
___________________________________________________________________
Rookie coding mistake prior to Gab hack came from site's CTO
Author : minimaxir
Score : 127 points
Date : 2021-03-02 19:50 UTC (3 hours ago)
(HTM) web link (arstechnica.com)
| GongOfFour wrote:
| All of this query is safely accomplishable via composable query
| building in AREL going back to Rails 4.2 (though it's much nicer
| in 5+). Silly stuff.
| NotPavlovsDog wrote:
| This leaves a bad taste as to what the "forensics" could uncover
| just due to the open development model. It's nice to be the
| prophet of evident mistakes when the trail is easy to follow,
| even if you can't exactly master the lingo.
|
| From the article:
|
| > The change, which in the parlance of software development is
| known as a "git commit,"
|
| It was a change. Parlance commit. Parlance, per tool used, "git
| commit" (and then check as to tool standard parlance). My point
| being, what do we routinely hide thanks to not coding in public?
| What do engineers routinely hide, when possible?
|
| I would rather, as an engineer, discuss core issues we can
| fundamentally address: compromising on inadequate workflows
| (including core architecture and paradigms), commitment to over-
| delivery, and the ever-dooming deadlines. What victories of the
| CTO went ignored, as part of "the job"?
|
| It's nice to be smart when you have regular 8 hours of sleep.
| I've had enough stress to remember just how idiotic many of my
| decisions were, as a "leader". Most of them went ignored just
| because we were covered by being invisible, by design. Morally, I
| can't judge this CTO. If you look at your coding history, can
| you?
| bosswipe wrote:
| I can 100% judge him. It is the CTO's job to put in place
| processes and safeguards that reduce the possibility of one of
| the most common widely known security vulnerabilities. Either
| he didn't put in the safeguards or he bypassed them, either way
| it's a fireable offense that put the whole business in danger.
| NotPavlovsDog wrote:
| Do you have your commit history available in a public
| repository? I don't. Honestly, I'm paid for being a
| professional fuck-up. I just fix things quickly and support
| my team enough for us to bear the mutual guilt in silence.
| spamizbad wrote:
| There are SQL injection fuzzing tools that will have no
| problem catching this. This is not the kind of security
| defect that would depend on "white box" testing.
| bosswipe wrote:
| If you're suggesting that the obscurity of closed source
| would have prevented the hack then I very much disagree.
| There are countless examples of sql injection attacks in
| closed source software.
| NotPavlovsDog wrote:
| I am commenting on the core foundation of the "article",
| to quote:
|
| > "A quick review of Gab's open source code shows that the
| critical vulnerability--or at least one very much like it--was
| introduced by the company's chief technology officer."
|
| What would the writer have without the open source?
| bosswipe wrote:
| Ok that's true. With a closed source process the company
| gets to more carefully control the narrative. That might
| be better for the company and for protecting reputations,
| but it's not better for the public at large.
| NotPavlovsDog wrote:
| Further, with a closed model, one can always peruse the
| emergency clause, force majeure, the ever popular "state
| actor".
|
| "Independent experts indicate (fee undisclosed), a
| powerful malevolent actor was involved in the recent
| malicious attack on our infrastructure. This aligns with
| the recent series of threats identified by the State
| Department and other US government agencies as enemy
| state activity to undermine Democracy! They hate our
| Freedom!"
| cwhiz wrote:
| The CTO has only been there since November. No idea what type
| of situation he or she may have inherited.
|
| However, it looks like the CTO pushed this directly, no PR.
| minimaxir wrote:
| There's a difference between committing hacky-but-working code
| during an Agile sprint and committing code that allows
| unsanitized input to a SQL query.
| NotPavlovsDog wrote:
| Yes, but then, really, the fundamental popular software
| paradigm is not just unsanitized but unsanitary. The models
| for sanitary-by-design are there. It's just math.
| The core leadership behind inadequate decisions, often above
| the CTO, are frequently of the "don't care about the math,
| just the numbers" type.
|
| Perhaps the CTO raised concerns. Maybe, not. But if we want
| an open engineering culture in software, unlike "applied
| engineering" in other industries, we should actively oppose
| punishing those that embrace open-to-peer-review models, even
| when the openness backfires and the history gets removed by
| the open workflow participants.
|
| We may still have a fragile and unique culture in software,
| that perhaps contradicts past history such as engineering in
| construction (look up "corruption construction") or the
| unique corruption of medicine ("sugar lobby", "food
| pyramid").
|
| Despite bad decisions and the fumbled cover-up, the attempt
| to perform in public on their part is valuable to me. We
| don't have easy access to which of the doctors took money to
| publish "research" that "calories are the same", pushing for
| more carbohydrates in diets. This may translate to multiple
| people, people you might personally know, dying of diabetes.
|
| With open software, we get the names. This should not reward
| click-bait media witch-hunting.
| an_opabinia wrote:
| > commitment to over-delivery, and the ever-dooming deadlines.
|
| Surely the difficulty in recruiting people to work for their
| shitty website with shitty politics should illuminate for you
| and everyone also in denial that politics is also engineering.
| Lukas_Skywalker wrote:
| > "Specifically, line 23 strips the code of "reject" and
| "filter," which are API functions that implement a programming
| idiom that protects against SQL injection attacks."
|
| This is not correct. The mistake was to use 'find_by_sql' without
| parametrizing the query. The mentioned reject and filter methods
| are merely skipping some of the data the query returns.
| Delk wrote:
| The previous code that used those functions probably did
| prevent a SQL injection as a side effect, as using them avoided
| making a direct SQL query at all.
|
| But you're of course correct that it's not the replacement of
| an ORM call with SQL that's the problem.
| orblivion wrote:
| No surprise to me. At one point when they had an API, I could
| follow and see posts from "locked" accounts that I couldn't see
| from the website. I reported it and they said something like "oh
| yeah we're making a lot of changes right now" and of course never
| fixed it (until they decommed their API which effectively fixes
| it).
|
| They're up against the world, and they're spreading themselves
| _very_ thin, aiming to replace all of the "big tech" use cases,
| for better or for worse. They hate Silicon Valley but they "move
| fast and break things" more than anybody, arguably by necessity.
| I'll cut them some slack if their public platforms have some
| bugs, but they shouldn't do anything with sensitive user data.
| yrgulation wrote:
| The CTO should focus on strategic thinking and have one or two
| devs that lead daily work - and code review for such basic
| issues (or use a code analyser) to detect SQL, XSS, XSRF,
| session management, password based user data encryption,
| message encryption, and other trivialities. Not that I like
| Gab, but I wonder how many rookie mistakes like this one are
| then blamed on "foreign agents" and other media bollocks.
| claytongulick wrote:
| I'm of the general mindset that the CTO should be the most
| technical.
|
| I think we see a lot of tech company failures when the CTO is
| just a manager type that doesn't understand the technology
| and doesn't have the ability to contribute to it.
| yikesshescute wrote:
| > The CTO should focus on strategic thinking and have one or
| two devs that lead daily work
|
| Your comment is complete nonsense. With good reasons
| (personnel, external demands, goals), the working dynamic
| varies widely from company to company. Presumably, you've
| never worked there and don't have any clue why they were
| structured as such. You're just repeating crap you've seen
| other people write about CTOs.
|
| > Not that I like Gab, but I wonder how many rookie mistakes
| like this one are then blamed on "foreign agents" and other
| media bollocks.
|
| And I'm not defending someone else's coding mistakes, too
| busy worrying about my own.
|
| > (or use a code analyser)
|
| Also, lol, you might as well have said "or use voodoo".
| gkoberger wrote:
| You're right in general, however I think you're overestimating
| the size of Gab.
|
| In this case, it's more of an "everyone gets a CxO title
| because there's fewer than 26 of us" type thing.
| [deleted]
| federona wrote:
| With cancel culture security of all personal and public
| communication is now a matter of making a living. Especially in
| this domain. This is a fact, if you wish it censored you are a
| liar.
| orblivion wrote:
| I can't quite parse exactly what your point is, but if people
| want to communicate securely they should use Signal or
| something.
| federona wrote:
| My point is that if someone hacks and steals all the data
| on your social media site then they can expose random
| people by doing analysis on the site's data and make
| individuals lose their job. Whether that is something good
| or bad depends on your point of view. Should the
| consequences of having opinions against mainstream views
| and venting about them in public make you liable for those
| views to your employer? Sometimes the venting is honestly
| stating your feeling about the subject which causes gasps,
| the firing of the recent Mandalorian star comes to mind.
| 8note wrote:
| The Disney example doesn't really square?
|
| She posted in public purposefully, and under her own
| name, whilst having a job where she's representing Disney
| with her name
|
| That's a very different case from some private individual
| speaking privately in a situation where they don't
| represent their employer
|
| For a more generic case, during your interview, you tell
| your prospective employer that you agree with their
| values and want to work together, then after getting
| hired, you tell them you disagree with their values.
| Should they still have to work with you?
|
| Eg. You become a teacher at a Catholic school, but you
| only pretended to be a Catholic in the interview
| federona wrote:
| What are corporate values? The only thing you are
| legitimately saying to your employer is you pay me and I
| do the work and we both make money. That is all. Anything
| more than that infringes on your personal rights outside
| of your employment, as these comments are my own. The
| fact that we have the reach of corporations way outside
| of work in public life is not right in my opinion, it's
| akin to slavery. This corporation employs people with
| these sorts of thoughts??? That does not really register
| in my mind as any sort of sound reasoning for dismissal,
| for having the wrong thoughts and saying them in public.
| andrewzah wrote:
| There is no right to a job. There is no right to immunity
| from consequences from saying things online. The end.
|
| If you don't like how Disney operates, then vote with
| your wallet. That's literally the only thing companies
| care about, and is the only reason why she was let go in
| the first place.
|
| Saying we should force companies to retain hires despite
| what they say online, is ridiculous.
| federona wrote:
| If you were to make a general rule, it's saying if you
| want employment then don't say anything online, period.
| So it is in fact depriving any employee the right to
| speak about things publicly all the time. It's like
| putting a muzzle on a dog so he does not bark. If that's
| not slavery I don't know what is.
|
| As for right to employment, well how far can you push it.
| And how does that not violate white privilege principles
| or corporate privilege principles. We have a corporate
| class which holds most of the wealth and if you say
| anything you will lose the right to make a living. That
| smacks of privilege, in fact white privilege.
|
| Only the corporate class may speak. It's not sound in any
| way.
| andrewzah wrote:
| You are always free to choose another employer. She
| literally already found work with another employer.
|
| If enough people speak with their wallets, then disney
| will follow that. It's really that simple.
|
| You are suggesting that corporations are one monolithic
| entity, which is simply not true.
|
| I have no idea what you mean here by white privilege or
| corporate privilege. Nobody has the right to a job.
| Saying dumb things online and getting consequences is
| applicable to everyone, because corporations only follow
| the money.
| kstrauser wrote:
| Yes, absolutely, some of those views should cost you your
| job. I don't want to work with people who want to
| eradicate Jews, or think black people are subhuman, or
| believe women are beneath men. If I found out someone on
| my team held those beliefs, I would definitely act to
| remove them. That's just not compatible with the type of
| environment I try to create at work.
|
| I haven't seen a single example of someone who was fired
| because it turned out that they were a fan of trickle-down
| economics or opposed Obamacare. Those aren't the kind of
| opinions people are being "oppressed" (insert eyeroll here)
| for.
| orblivion wrote:
| Should these people go broke and starve to death? Or is
| there a class of job they should be allowed to work?
| badRNG wrote:
| I do think the moderate conservatives have a little bit of
| work to do as far as political theory goes in this area,
| specifically the synthesis of the positions "companies should
| not be allowed to fire employees for far-right beliefs" and
| "companies should be able to hire and fire employees for
| _nearly_ any reason* and at any time."
|
| *save for a Civil Rights Act violation, which is usually
| recognized as a harm across the board
| ryguytilidie wrote:
| "why on earth should my actions have consequences!?!?
| this is cancel culture" is easily the most disingenuous
| cringe thing in the last year, and that is saying a lot.
| andrewzah wrote:
| Anything and everything is apparently cancel culture now.
| There are no "consequences" anymore, it's all just
| "cancel culture".
|
| This phenomenon is not new to humanity. There is no
| immunity from the consequences that can occur from saying
| things online. If one doesn't like Disney's behavior,
| then I suggest speaking with one's wallet.
| federona wrote:
| Exactly. Especially when your actions are your own right
| to say what you think. It's akin to blasphemy and the
| problem is that the doctrine that you are violating has
| not been taught to anyone for them to even know that you
| are not allowed to say that.
| nicoffeine wrote:
| > Gab had long provided commits at https://code.gab.com/. Then,
| on Monday, the site suddenly removed all commits--including the
| ones that created and then fixed the critical SQL injection
| vulnerability. In their place, Gab provided source code in the
| form of a Zip archive file that was protected by the password
| "JesusChristIsKingTrumpWonTheElection" (minus the quotation
| marks).
|
| Hopefully this eliminates any doubt on Gab's real mission. It
| isn't free speech.
| eznzt wrote:
| I don't understand how someone removing the contents they
| themselves posted goes against free speech?
| Malp wrote:
| I believe the parent is commenting on the archive's password
| and where the company leans ideologically
| kevingadd wrote:
| It is always interesting when people complaining about having
| their speech suppressed turn out to hold (in the former case)
| extremely orthodox, standard views or (in the latter case)
| fairly common views, instead of obscure or actively unpopular
| points of view. (I'd certainly appreciate it if the latter
| weren't common, but it polls shockingly well in the US right
| now)
| mmastrac wrote:
| Is their source tree under AGPL3? From a mirrored copy of what
| purports to be a clone from before it was pulled down.
|
| https://git.rip/gab/gab-social/-/blob/develop/LICENSE
|
| This will make things interesting for them going forward.
| yrgulation wrote:
| Ok so if in 2021 a "cto" or developer, let alone a former Facebook
| developer, doesn't use bound and escaped parameters as a minimum
| then that developer needs to take a break and catch up on things.
| [deleted]
| hn_throwaway_99 wrote:
| On a related note, I've become a gigantic fan of Slonik,
| https://github.com/gajus/slonik, which simultaneously (a) makes
| it extremely difficult to expose SQL injection attacks while (b)
| still letting you write SQL in a very "natural" way using
| template literals.
|
| It takes advantage of a somewhat-not-well-known feature of
| JavaScript template literals in that you can apply functions to
| them, e.g. sql`SELECT foo FROM bar WHERE id =
| ${userEnteredValue}`. No need to manually escape
| userEnteredValue, the sql template literal function does it for
| you.
| wwww4all wrote:
| Look up the Gell-Mann amnesia effect. The article doesn't know
| much about OWASP practices.
|
| SQL injection bugs are not rookie mistakes; they're prevalent in
| many current and future applications. Look into the VTech SQL
| injection hack: a large company with lots of resources had a
| similar bug.
|
| Look at previous hacks: the SolarWinds hack and the Sony hack were
| all preventable common hacks.
| outworlder wrote:
| > a large company with lots of resources had a similar bug.
|
| Large companies are even more likely to run into this sort of
| issue.
|
| It's still a rookie mistake. Any given well established company
| will contain a large number of 'rookies'. It's up to the
| company and everyone involved to make sure these are caught
| before going into production.
| jahabrewer wrote:
| A mistake can be both "rookie" and widely prevalent. That's
| exactly how I'd describe SQL injection.
| rsynnott wrote:
| > SQL injection bugs are not rookie mistakes
|
| SQL injection bugs of this fairly trivial type are. This is
| literally what web tutorials were pleading with PHP developers
| not to do 20 years ago, and they weren't new then.
| xtracto wrote:
| You would be amazed at the number of "developers" that have no
| idea what an SQL injection is when I ask them as part of my
| Full Stack developer interview.
| tomc1985 wrote:
| > "Sadly Rails documentation doesn't warn you about this pitfall,
| [...]" said Dmitry Borodaenko, a former production engineer at
| Facebook who brought the commit to my attention wrote in an
| email.
|
| This is completely and utterly untrue.
|
| https://guides.rubyonrails.org/security.html#sql-injection shows
| examples that are _exactly_ like the code in question in that
| commit
|
| Bound parameters were a new thing like 15 years ago.
| btilly wrote:
| _Bound parameters were a new thing like 15 years ago._
|
| When they were new depends on what language and database
| library you use.
|
| Perl's DBI had them 25 years ago.
| AdamN wrote:
| Dear lord I'm getting old ... :-)
| FanaHOVA wrote:
| It's like Twitter calling Rails LEGO because they weren't able
| to scale it :)
| kstrauser wrote:
| Maybe they were new 15 years ago in Rails, but I was using them
| in Perl in the mid-90s.
|
| There is _no_ excuse for writing an SQL injection in 2021.
| Zero. None. And if you're in the position to write code
| that'll be deployed to production, you darn well better have it
| reviewed by peers before it's merged.
|
| If the CTO did this and worked around the developers, he's a
| freaking idiot. If the engineers saw this and signed off
| because he's the CTO, they're freaking idiots. I wouldn't
| ordinarily be this harsh about it, but come on. SQL injections
| in 2021? That's astoundingly bad.
| rsynnott wrote:
| > Maybe they were new 15 years ago in Rails
|
| That's when Rails came out :)
|
| I'm fairly sure ActiveRecord has always supported them.
| dragonwriter wrote:
| > Maybe they were new 15 years ago in Rails,
|
| Well, Rails was < 2 years old then, so _everything_ was new
| in Rails.
| stickfigure wrote:
| > Developers: Sanitize user input
|
| No, don't sanitize user input. Don't _trust_ it, which is a big
| difference. Use bound parameters and this problem goes away.
| acdha wrote:
| A better answer is both not trusting it and validating it:
| parameters prevent data from being interpreted as code but
| validation is also important because allowing unexpected inputs
| could lead to other vulnerabilities (e.g. XSS in an error
| message or a partially-generated page) or complications when
| making changes in the future if you learn that common clients
| have come to rely on your sanitization logic cleaning up their
| requests.
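The tagged-template mechanism hn_throwaway_99 describes above, combined with the "bind, and also validate" advice from stickfigure and acdha, as an added example in plain JavaScript; this is not Slonik's code or anything from the article. The `sql` tag, its `$1`/`$2` placeholder style (as node-postgres uses) and the nested-fragment support are assumptions modelled on the pattern, not Slonik's actual API.

```javascript
// Added example (not Slonik's own code): a minimal tagged-template `sql`
// helper in the spirit of Slonik. A tag function receives the literal
// string pieces separately from the interpolated values, so the values
// never enter the query text and can be handed to the driver as bind
// parameters ($1, $2, ... in PostgreSQL style, as node-postgres expects).
const QUERY = Symbol('sql-query');

function sql(strings, ...values) {
  let text = strings[0];
  const params = [];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    if (v !== null && typeof v === 'object' && v[QUERY]) {
      // Nested fragment (composition, as Slonik allows): splice in its text,
      // renumbering its placeholders to continue after ours, then adopt its values.
      text += v.text.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + params.length}`);
      params.push(...v.values);
    } else {
      params.push(v);               // the value becomes a bind parameter...
      text += `$${params.length}`;  // ...and only a placeholder enters the text
    }
    text += strings[i + 1];
  }
  return { [QUERY]: true, text, values: params };
}

// The pattern the thread warns against: plain interpolation. The user's
// input is concatenated into the SQL text, so the database parses it as SQL.
function naiveQuery(userEnteredValue) {
  return `SELECT foo FROM bar WHERE id = ${userEnteredValue}`;
}

// The tagged version reads the same but the value is bound, never concatenated.
function boundQuery(userEnteredValue) {
  return sql`SELECT foo FROM bar WHERE id = ${userEnteredValue}`;
}

// acdha's point: bind AND validate. Binding stops a value from being
// interpreted as SQL; validation rejects input the application never
// expects (assumed here: an id is a positive integer), which also keeps
// odd strings out of error messages and rendered pages.
function validateId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,18}$/.test(raw)) {
    throw new TypeError(`invalid id: ${JSON.stringify(raw)}`);
  }
  return Number(raw);
}

function lookupById(raw) {
  const id = validateId(raw);
  return sql`SELECT foo FROM bar WHERE id = ${id}`;
}

// Composition: fragments nest and their parameters are renumbered.
function findActive(id, limit) {
  const where = sql`id = ${id} AND status = ${'active'}`;
  return sql`SELECT foo FROM bar WHERE ${where} LIMIT ${limit}`;
}

// Constructed demonstration input: a string that would change the query's
// meaning if concatenated, but stays an inert parameter when bound.
const demoInput = '1 OR 1=1';
console.log(naiveQuery(demoInput));                 // SELECT foo FROM bar WHERE id = 1 OR 1=1
console.log(boundQuery(demoInput).text);            // SELECT foo FROM bar WHERE id = $1
console.log(JSON.stringify(boundQuery(demoInput).values)); // ["1 OR 1=1"]
console.log(findActive(7, 10).text);                // SELECT foo FROM bar WHERE id = $1 AND status = $2 LIMIT $3
```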
| abvdasker wrote:
| This is bad code and it's a little surprising to me that a former
| Facebook engineer wrote it (and subsequently became the CTO).
|
| It's been a while since I wrote any Rails but the offenses that
| jump out just from a cursory inspection:
|
| - large raw SQL query which could almost certainly be
| accomplished in a more idiomatic way with AREL or ActiveRecord
|
| - no user input sanitizing
|
| - using a regular string literal for a large text block instead
| of a Ruby here document
|
| - leaving a mess of commented-out code at the bottom of the
| method
|
| Apparently Gab isn't exactly hiring the best and brightest.
| forgotmypw17 wrote:
| I've been pretty sure for a while that Parler and Gab were both
| honeypots. This makes it seem even more likely.
| McGlockenshire wrote:
| Never attribute to malice that which can equally be explained
| by incompetence, or something like that.
| adolph wrote:
| Never assume xor among different interpretations.
| forgotmypw17 wrote:
| .
| McGlockenshire wrote:
| I think you're encountering Poe's Law here - at some point
| it becomes difficult to tell the difference between a troll
| and someone genuinely expressing an extremist point of
| view.
|
| Are there trolls on Gab and Parler? For sure. Are there
| purestrain rabid culture warriors on Gab and Parler? Yup.
| Are Gab and Parler honeypots? I don't think so, but that
| also depends how you define "honeypot."
|
| Both exist because other social networks cracked down on
| distasteful content. Gab erupted during the era of cracking
| down on ethnonationalists and is full of wannabe nazis and
4chan-grown edgelords. Parler erupted during the era of
| cracking down on dangerous misinformation (QAnon, COVID
| denialism, the things that we now know lead to election
| denialism, etc etc) and is full of people that choose to
| believe that nonsense rather than reality. Parler was also
| signal boosted by political voices that intentionally
| framed crackdowns on distasteful content as an aspect of
| the ongoing culture war.
|
| Both _naturally_ courted their respective audiences.
|
| The guy running Gab is a True Believer. Check out Gab's
| Twitter (heh) for some pretty questionable recent posts
| that blame the hack on "mentally ill trans hackers," only
| with a slur instead of trans, because of course there's a
| slur.
|
| The Mercer family bankrolls Parler. They have a long
| history of throwing money at causes that follow their
| political viewpoints. We don't have a reason to doubt that
| their board and management are True Believers in their
| own cause as well.
|
| So, is it really a honeypot if it's honest by design?
| new_guy wrote:
| >The guy running Gab is a True Believer
|
| He's definitely not but he knows how to play to his
| audience. Instead of owning it and saying 'we messed up'
| it's easier to blame the 'mentally ill trans hackers'!
|
| But the 'hack' was almost certainly intentional, it's the
| exact same play Parler did a few weeks ago. They're both
| honeypots, this is the easiest way to get the data out
| there.
| firebaze wrote:
| Maybe they are spinoffs of reddit/facebook/twitter etc. to
| contain moderation cost :)
| cmeacham98 wrote:
| > My opinion is that it's more likely than not that these
| sites are little more than honeypots to troll the gullible
| into making asses of themselves so that we have another
| subject for our Two Minutes of Hate.
|
| Or maybe, instead, some people really do hold extremist
| views and post them on the internet? I don't understand
| your theory here - the majority of Gab content is public
| already (well, behind an authwall, but otherwise public).
| The hack achieves nothing for these masterminds that just
| want to make fun of people being bigoted on the internet
| because they already could.
|
| > Now that data can be used against the most fervent
| Republican supporters and there's no one to blame,
| officially, because they were "hacked". Oops! Maybe you
| should think twice before publicly supporting Republicans
| online, I guess!
|
| Do you seriously think the problem people had with some of
| the content on Gab is that users were "supporting
| Republicans"????
|
| GP has edited their comment like 10 times so here's the
| version I'm replying to:
|
| > I'm one of the world's biggest fans of Hanlon's razor,
| and I've done so much damage to it with Gab and Parler that
| it looks like a hairbrush now.
|
| > My opinion is that it's more likely than not that these
| sites are little more than honeypots to troll the gullible
| into making asses of themselves so that we have another
| subject for our Two Minutes of Hate.
|
| > I do a lot of research on social media mechanics, and
| I've used both of them. I can't quite put my finger on it,
| but they performed and felt differently from any other
| sites I've used over the past 20+ years. For one thing, you
| could not read or see ANY comments without registering
| first.
|
| > I could just as easily be imagining it, of course. And
| they did paint a huge target on themselves. But they also
| made it easy to steal the data.
|
| > Now that data can be used against the most fervent
| Republican supporters and there's no one to blame,
| officially, because they were "hacked". Oops! Maybe you
| should think twice before publicly supporting Republicans
| online, I guess!
|
| > (Not affiliated with any political party, apolitical,
| have friends and family who are into all different flavors.
| Just think it's fucked up to throw thousands of people
| under the bus like that, if it's true.)
| hddu wrote:
| I do like your theory that it was a honeypot from the left
| created to produce people to attack.
|
| I would be surprised if our intelligence agencies and law
| enforcement didn't have a role in creating/running
| extremist sites. Seeing as the FBI likes to run child porn
| sites and infiltrate political groups that could cause
| instability, they are the most obvious perpetrators.
| endymi0n wrote:
| Occam's razor would disagree. While it's certainly
| thinkable that it's a honeypot of the FBI, set up from
| the left (just like it's possible that it was Antifa who
| stormed the capitol posing as Trump supporters), it's far
| more likely this was a job done by nutjobs, for nutjobs.
|
| If you also think the earth is flat or the election was
| stolen despite literal mountains of evidence, how are you
| supposed to properly weigh any other rational evidence
| like the existence of SQL injections?
| orblivion wrote:
| FWIW Gab very proudly proclaims that they report things
| to law enforcement if they cross a legal line. I could be
| wrong but I would think that if the FBI was trying to
| entrap people they would not want to give such a warning.
| neltnerb wrote:
| I think you are wrong, stating it prominently and
| repeatedly makes the warning disappear into noise for
| users so there's little downside and a lot of upside if
| it were in fact being operated by the FBI.
|
| I doubt it is though, I don't think the FBI has the
| capability to be frank, but even more if the FBI were
| operating it as a honeypot somehow I doubt that the
| websites would have been banned from AWS and such.
|
| I'm sure that if it were true the FBI could have easily
| just told AWS that the presence of extremist content was
| being allowed by law enforcement specifically to identify
| terrorists.
|
| I think the idea that it's a honeypot is a very poor fit
| to the available information.
| wrycoder wrote:
| The leader of the supposedly white supremacist Proud
| Boys, Enrique Tarrio, is an Afro-Cuban who turned out to
| be an FBI informer.
|
| Wheels within wheels.
|
| https://www.theguardian.com/us-news/2021/jan/27/proud-
| boys-l...
| GVIrish wrote:
| Or maybe they just didn't build a strong enough engineering
| team and quickly ran into the limits of their experience and
| skills levels.
|
| There are numerous examples of start ups and even mature
| companies making basic mistakes. This is easily explainable
| without resorting to conspiracy theories.
| btmcnellis wrote:
| "solarwinds123" comes to mind.
| eternalban wrote:
| > maybe they just didn't build a strong enough engineering
| team and quickly ran into the limits of their experience and
| skills levels.
|
| "Free Speech platform Gab has announced Fosco Marotto as the
| company's new Chief Technical Officer (CTO). According to a
| blog post from the company, Marotto was formerly a software
| engineer, production engineer, and developer advocate during
| a seven-year career at Facebook.
|
| Marotto reportedly brings 23 years of industry experience to
| the platform along with extensive knowledge in backend
| infrastructure and insight that will help Gab scale as it
| becomes increasingly popular."
|
| CTO: https://github.com/gfosco
|
| Parse Server: https://github.com/parse-community/parse-server
|
| Parse Server API doc snippet:
|
| "If your app is compromised, it's not only you as the
| developer who suffers, but potentially the users of your app
| as well. Continue reading for our suggestions for sensible
| defaults and precautions to take before releasing your app
| into the wild."
|
| https://docs.parseplatform.org/rest/guide/#security
|
| Per Ars, he _removed_ security code.
| rsynnott wrote:
| I mean, "worked at Facebook for a while" isn't a guarantee
| of competence. And some security boilerplate text isn't a
| guarantee of being good at security.
___________________________________________________________________
(page generated 2021-03-02 23:01 UTC)