undefined | Better HN

0 pointsjeffbee5y ago0 comments

If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.

0 comments

8 comments · 3 top-level

somehnguy5y ago· 4 in thread

Sorry, but would you mind expanding slightly on how you would implement such a system?

In my understanding once you remove all the layers of abstraction as some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?

And a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?

jeffbeeOP5y ago

Glad you asked. "There is a database and some guy is the DBA" is a very outdated architecture that can get you passing grades as an undergraduate and that's about all its good for. You should not take as a given that the right to modify datastores falls ultimately upon some individual. It is possible to permanently discard this ability, and organizations should strive for that.

mlinsey5y ago

I'm guessing you work/have recently worked at a big tech company (FANG or one of the ~5 other companies of comparable size) and are seriously overestimating how common their best practices are. Unless by "passing grades as an undergraduate" you mean "bonuses and promotions at a majority of the companies that handle your data every day"

1 more reply

somehnguy5y ago

Thats not what I meant, sorry. How do you implement such a system? So theres a team to manage the datastores, but that changes nothing that on some level someone somewhere has root passwords and/or filesystem access and/or ability to modify the fleet.

We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for check with operator x before running command from operator 0.

4 more replies

dahfizz5y ago

Okay... but there is a database, right? And this database is managed in some fashion?

Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?

2 more replies

shakezula5y ago· 1 in thread

this assumes two things: that there is a security model that would prevent this attack that they should have implemented, and that alarms _weren't_ set off. Both of those are weak assumptions.

GVIrish5y ago

I don't think parent was assuming those measures are implemented. They were saying that they should be implemented and if they are not, it betrays seriously poor security posture at Twitter.

belorn5y ago

> requiring two-person control, logged and 100% audited

That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.

Most companies has likely, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it mean social engineering will likely continue to be a major attack vector for a long time.

j / k navigate · click thread line to collapse