Comment by romanhn
1 day ago
> being starved of money for years by advertisers, payment providers, and service providers
Given the language in this announcement that lays blame at everyone else's feet except the people responsible for maintaining the platform, I'm pretty sure that no lessons were learned, and that the security is not likely to improve beyond whatever bandaids that were needed to address this hack.
Even when talking about themselves in the article they mostly focus on some hardware server business.
In software outdated dependencies are vulnerabilities. The tech leadership knew this tradeoff and closed their eyes and hoped they'd get to it before someone else did. They did not and you shouldn't expect to be able to either.
If you do not have the resources to support the continual, ongoing updating of a dep, you do not have the resources to add said dep.
Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. The only difference is they put out a vague generic corpospeak statement whereas this one admitted it was caused by a skeleton crew on a shoestring budget getting caught out. Given the nature of their user base and how many others would love to see 4chan go down, if things were as bad as you imply then hackers would be taking the site down weekly.
Source?
I have never heard of a bank’s core mainframes being hacked in the last decade (outside of pen tests), even for mid size banks outside the global top 100.
https://www.brightdefense.com/resources/recent-data-breaches...
What are you talking about? There are massive breaches of huge companies who should be doing better all the time.
In 2017: > More than 40% of the population of America was potentially impacted by the Equifax data breach.
In 2022: > In September 2022, Optus experienced a major data breach that exposed the personal information of millions of customers
That's just 2 off the top of my head.
How likely is it that the attacker, who now has all of their source code, has already identified several additional vulnerabilities they can use? Seems pretty likely to me.
I don't think advertisers, payment providers, service providers, or hardware vendors told 4chan what version of OpenBSD to run or how often to update packages. Those are tasks that require time and effort, yes, but they're not herculean. They could have been done. I think laziness and disinterest are the more likely reasons.
So…it sounds like typical 4chan?
"We are still standing..." with our pants around our ankles, running around headless, seamless, breathless, brainless.
"I'm pretty sure that no lessons were learned." I would bet that was the case.