zlacker

[return to "A story on home server security"]
1. smarx0+P4[view] [source] 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

◧◩
2. bluedi+G5[view] [source] 2025-01-05 13:49:49
>>smarx0+P4
Containers are widely used at our company, by developers who don't understand underlying concepts, and they often expose services on all interfaces, or to all hosts.

You can explain this to them, they don't care, you can even demonstrate how you can access their data without permission, and they don't get it.

Their app "works" and that's the end of it.

Ironically enough even cybersecurity doesn't catch them for it, they are too busy harassing other teams about out of date versions of services that are either not vulnerable, or already patched but their scanning tools don't understand that.

◧◩◪
3. malfis+i8[view] [source] 2025-01-05 14:21:28
>>bluedi+G5
Checklist security at it's finest.

My team where I work is responsible for sending frivolous newsletters via email and sms to over a million employees. We use an OTP for employees to verify they gave us the right email/phone number to send them to. Security sees "email/sms" and "OTP" and therefor, tickets us at the highest "must respond in 15 minutes" priority ticket every time an employee complains about having lost access to an email or phone number.

Doesn't matter that we're not sending anything sensitive. Doesn't matter that we're a team of 4 managing more than a million data points. Every time we push back security either completely ignores us and escalates to higher management, or they send us a policy document about security practices for communication channels that can be used to send OTP codes.

Security wields their checklist like a cudgel.

Meanwhile, our bug bounty program, someone found a dev had opened a globally accessible instance of the dev employee portal with sensitive information and reported it. Security wasn't auditing for those, since it's not on their checklist.

◧◩◪◨
4. throwa+jF1[view] [source] 2025-01-06 04:49:43
>>malfis+i8 

    > My team where I work is responsible for sending frivolous newsletters via email and sms to over a million employees.
"frivolous newsletters" -- Thank you for your honesty!

Real question: One million employees!? Even Foxconn doesn't have one million employees. That leaves only Amazon and Walmart according to this link: https://www.statista.com/statistics/264671/top-50-companies-...

◧◩◪◨⬒
5. joseda+Kc2[view] [source] 2025-01-06 12:01:56
>>throwa+jF1
To a million employees doesn't necessarily mean they're from the same company

They might be a third party service for companies to send mail to _their_ employees

[go to top]