I'm not going to say "told you so" because I said nothing and I'm just a layman in this...but when people were pointing out last week that the bug was "overblown" I had wondered if they were underestimating the tendency for such vulnerable patterns to propagate. The mechanisms that let even an edge case in are not always isolated.


Last week's bug is unrelated. Last week's bug was in ActiveRecord dynamic finders. This bug is in parameter and request input parsing.


Oh, I'm saying "told you so". For years and years.

The real problem is the very mentality of the people who downplay security issues, always saying "this is not a serious issue" (or, worse, saying "but language xxx / framework yyy" suffers from issues too, it's how the world works).

That mentality is the reason why such exploits do exist in the first place. Security is nearly always an afterthought.

The most braindead argument being: "My goal is to sell xxx, not to have an unbreakable server".

Once you read that one, you know you have reached the low of the low.


Or maybe some issues are overblown, while others are not.

Also, the message was not "overblown". It was "don't panic, but still upgrade ASAP".


