undefined | Better HN

0 pointsdspillett2y ago0 comments

> "Denial of service" is never a security bug

That very much depends on what service is being denied. Nginx is _everywhere_. While not a direct security concern for nginx (instead an availablity issue) it could have security or safety implications for wider systems. What if knocking out nginx breaks a service for logging & monitoring security information? Or an ambulance call out management system? Or a payment progressing system for your business at the busiest time if your trading year? There are many other such examples. This sort of thing is why availablity can be considered a security matter and therefore why DoS vulnerabilities, particularly those affecting common software, are handled as security issues of significant severity.

0 comments

arp2422y ago

Almost every bug can be considered a security bug under the wrong set of circumstances.

With fairly cheap ddos services you can "just" order you can knock most servers offline anyway. Internet reachability is rarely safety-critical, and if it is, that's probably a huge design flaw somewhere because there's tons of reasons outside of your control that can make the internet not work for either the server or clients.

Is all of this inconvenient and (potentially) a serious problem? Sure. But not "zomg criminals have credit card records / can spoof random domains / read private data / etc. etc." type serious.

dspillettOP2y ago

> Almost every bug can be considered a security bug [...] With fairly cheap ddos services...

A DoS bug and an DDoS attack are very different things. One is a flaw that can bring a service down, the other is a brute force technique for making a service unusable. You can DDoS services without exploiting bugs.

arp2422y ago

I am aware; my point is that "denying the service" is pretty easy even without the presence of any bugs in the service. Stealing credit cards on the other hand...

manquer2y ago

We could argue that about almost anything though . There are always secondary effects possible and sometimes even likely. I can only think of the proverb/poem - "For want of a nail".

GoblinSlayer2y ago

In those cases you just know that any problem can cause you trouble, so you pay attention to all problems including low severity ones like DoS, performance slowdowns or lack of bells and whistles.

j / k navigate · click thread line to collapse

0 pointsdspillett2y ago0 comments

> "Denial of service" is never a security bug

0 comments

arp2422y ago

Almost every bug can be considered a security bug under the wrong set of circumstances.

Is all of this inconvenient and (potentially) a serious problem? Sure. But not "zomg criminals have credit card records / can spoof random domains / read private data / etc. etc." type serious.

dspillettOP2y ago

> Almost every bug can be considered a security bug [...] With fairly cheap ddos services...

arp2422y ago

I am aware; my point is that "denying the service" is pretty easy even without the presence of any bugs in the service. Stealing credit cards on the other hand...

manquer2y ago

We could argue that about almost anything though . There are always secondary effects possible and sometimes even likely. I can only think of the proverb/poem - "For want of a nail".

GoblinSlayer2y ago

In those cases you just know that any problem can cause you trouble, so you pay attention to all problems including low severity ones like DoS, performance slowdowns or lack of bells and whistles.

j / k navigate · click thread line to collapse