undefined | Better HN

0 pointsyupper324y ago0 comments

I disagree. Locking down and logging access to raw data like password hashes or payout information to only those who absolutely need it doesn't cause much annoyance and is very useful.

It protects the company against rogue employees (not even strictly malicious, but also curious employees who want to see more than they should). It limits exposure if an employee's account gets hacked (my pet theory for this Twitch hack). And if something does go wrong, logs help track down the issue/leak.

And at the end of the day, there should be a lightweight way to request access. Many times I've seen people request access that they didn't actually need. And most other times they have access pretty quickly.

0 comments

AshamedCaptain4y ago

Note that it was code that was leaked. Preventing developers from leaking the codebase they are working with is outright impossible. Now combine that with a "monorepo" and even the most junior developer has access to practically the entire company codebase and version control history.

And you can try to prevent them from accessing live/real customer data, but the cost is that they will never be able to debug issues in production. Most companies, even very large ones, are just not able to pay that cost. Not to mention that once you have access to the codebase there are a million ways to leak customer data anyway -- it is a lost battle.

yupper32OP4y ago

Of course, some stuff you can't avoid, especially code leaking. Luckily code isn't usually that interesting or useful to external parties which is the only reason it isn't leaked more.

For the rest of the stuff, there's a sliding scale. In no universe does your average twitch developer need raw access to password hashes, for example.

1 more reply

lrem4y ago

Nope, it was code AND data, including the sensitive type (e.g. user payouts).

1 more reply

xmprt4y ago

Adding to your pet theory I think that WFH has led to a lot of people being casual about their workplace security. For example, leaving a laptop unattended at a Starbucks.

This is just a guess but I wouldn't be surprised if companies have to start taking stricter precautions with their security in a WFH world.

j / k navigate · click thread line to collapse

0 comments

AshamedCaptain4y ago

yupper32OP4y ago

Of course, some stuff you can't avoid, especially code leaking. Luckily code isn't usually that interesting or useful to external parties which is the only reason it isn't leaked more.

For the rest of the stuff, there's a sliding scale. In no universe does your average twitch developer need raw access to password hashes, for example.

1 more reply

lrem4y ago

Nope, it was code AND data, including the sensitive type (e.g. user payouts).

1 more reply

xmprt4y ago

Adding to your pet theory I think that WFH has led to a lot of people being casual about their workplace security. For example, leaving a laptop unattended at a Starbucks.

This is just a guess but I wouldn't be surprised if companies have to start taking stricter precautions with their security in a WFH world.

j / k navigate · click thread line to collapse