Cache On Delivery — Memcached Opens an Accidental Security Hole
jamie spotted this eye-opening presentation (here's a longer explanation) about how easy it is to access sensitive data on many sites using memcached, writing "If you already know what memcached is, skim to slide #17. The jaw-drop will happen around slide #33. Turns out many websites expose their totally-non-protected memcached interface to the Internet, including gowalla, bit.ly, and PBS."
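The exposure the story describes comes from memcached's default of listening on every interface with no authentication. As an added example that is not part of the Slashdot story or the memcached project, the script below audits a memcached start-up command line for that configuration. It relies on the real memcached flags `-l` (listen address), `-p` (TCP port), `-U` (UDP port, `0` disables it) and `-S` (SASL authentication); the sample command lines are constructed.

```python
"""Audit a memcached command line for Internet exposure (added example).

Assumptions: the memcached flags -l, -p, -U and -S have their documented
meanings; the sample command lines below are constructed, not taken from
any real deployment.
"""
import argparse
import ipaddress
import shlex

# Constructed sample start-up lines (hypothetical).
EXPOSED = "memcached -d -m 64 -p 11211 -u memcache"              # no -l, no -U, no -S
HARDENED = "memcached -d -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"


def _strip_port(token):
    """Return the address part of an -l entry, accepting 'addr' or 'ipv4:port'."""
    try:
        ipaddress.ip_address(token)
        return token
    except ValueError:
        pass
    if token.count(":") == 1:          # IPv4 with an explicit port suffix
        return token.rsplit(":", 1)[0]
    return token


def parse_flags(cmdline):
    """Extract the listener-related flags; unrelated flags are ignored."""
    argv = shlex.split(cmdline)[1:]    # drop the program name
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-l", action="append", default=[])   # may repeat or be comma-separated
    parser.add_argument("-p", type=int, default=11211)
    parser.add_argument("-U", type=int, default=None)         # None: not set on the command line
    parser.add_argument("-S", action="store_true")
    ns, _unknown = parser.parse_known_args(argv)
    listen = []
    for item in ns.l:
        for tok in item.split(","):
            listen.append(_strip_port(tok.strip()))
    return {"listen": listen, "tcp_port": ns.p, "udp_port": ns.U, "sasl": ns.S}


def audit(cmdline):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    flags = parse_flags(cmdline)
    findings = []
    reachable_beyond_loopback = not flags["listen"]   # no -l: memcached binds all interfaces

    if not flags["listen"]:
        findings.append("TCP listener binds all interfaces (no -l given)")
    for addr in flags["listen"]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparsable listen address {addr!r}: check by hand")
            reachable_beyond_loopback = True
            continue
        if ip.is_unspecified:
            findings.append(f"listener {addr} binds all interfaces")
            reachable_beyond_loopback = True
        elif ip.is_loopback:
            continue
        elif ip.is_private:
            reachable_beyond_loopback = True       # fine only if the network is filtered
        else:
            findings.append(f"listener {addr} is a public address")
            reachable_beyond_loopback = True

    if flags["udp_port"] is None:
        findings.append("UDP not explicitly disabled (-U 0); the default depends on the version")
    elif flags["udp_port"] != 0:
        findings.append(f"UDP listener enabled on port {flags['udp_port']}")

    if reachable_beyond_loopback and not flags["sasl"]:
        findings.append("no SASL (-S): anyone who can reach the port can read and write the cache")
    return findings


if __name__ == "__main__":
    for line in (EXPOSED, HARDENED):
        print(line)
        for f in audit(line) or ["ok"]:
            print("  -", f)
```

Binding to loopback (or a private interface behind a host firewall) and disabling UDP removes the exposure the slides demonstrate; SASL only helps when the server was built with it, so treat the `-S` check as a reminder rather than proof of authentication.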
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE (Score:1, Funny)
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 3, August 2010
Copyright (C) 2010 Anonymous Coward
Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.
Re:More Boiled and Distilled. (Score:5, Funny)
As spokesman for the Justice League, I say yes.
Re:More Boiled and Distilled. (Score:4, Funny)
No. Car. Was. Involved.
Re:More Boiled and Distilled. (Score:5, Funny)
That's actually more of a feature.
Re:More Boiled and Distilled. (Score:5, Funny)
That's. Why.
Re:More Boiled and Distilled. (Score:3, Funny)
Boiled and distilled underwear....Ewwwww.
Re:Let me see if I understand this (Score:2, Funny)
Jesus Tapdancing Christ, they explicitly say that in the doc(s) where they discuss design decisions. They can't use stunnel or blah or blah2 or blah3?
"It does not authenticate a write to the cache? And they didn't see this as a problem when designing memcache? Really?"
Yeah, they saw it and they saw their site and their systems and saw that they did not require that feature for themselves - they weren't creating memcache for charity to donate to the world at large - ffs. Say what you want about livejournal but they created a bunch of high performance distributed system tools - gearman, memcache, mogileFS, etc. - that allowed anyone to build massive social websites; prior to them, the tools were not there. Now I am sure some smug historical revisionist will come and explain how these things were all built in SNOBOL in the 1950s then reinvented in Java as Apache Foundation projects with simple 12,000-line XML config files that future generations will claim are alien code for time travel devices, but those historical revisionists would be dead wrong.
Re:A few clarifications (Score:5, Funny)
Luckily, they often get caught red-handed.
Food Analogy (Score:3, Funny)
Think of it like this:
System that is never intended to be secure: plastic apple with a warning label stating "THIS IS NOT FOOD"
System that should be secure, but isn't: apple full of worms
You're not going to have a good experience biting into either apple, but there's definitely a difference in the expectations that someone would have when looking at them.