
Comment by knowitnone

18 hours ago

they were clearly focused on purchasing hardware over writing secure code

I agree. It is interesting how much they focus on the hardware servers in the article.

I'd be more interested in knowing which package was vulnerable, was it a known exploit, and what systems were/are in place to alert on vulnerable dependencies? Instead they are focused on the new servers just taking too long and there not being enough money because of advertiser pressures.

  • They do mention their OS being out of date. One possible interpretation is they are using packages provided by a Linux distro, and getting up to date may have required a full OS update.

    If that were the case, it would be easy to see how they might want to tie their OS upgrade to a hardware refresh rather than taking servers offline for a reinstall.

Probably didn't even need to change their code, just get on current versions.