Awesome software?
"As we learned from the MongoDB experience this is a huge footgun that can be easily removed [from] otherwise awesome software."
I hope he isn't implying that MongoDB is such. etcd arguably is quite good (Raft!), but mongrel...
Software called etcd, used for storing data across clusters of containers, has a problem – it does not implement authentication by default and so poses a security risk if deployed without further fiddling. It's also rather widely used because it comes with Kubernetes, the popular container orchestration software. Giovanni …
Any of the following is considered gross misconduct, and grounds for instant dismissal. Tick as appropriate:
- Exposed internal service to Internet? [X]
- Failed to properly secure service? [X]
- Failed to properly secure sensitive information? [X]
The large gentleman over there will see you out. We will prepare your personal belongings for collection at the reception by tomorrow morning, together with your final paycheck.
Seems cloud providers are slightly to blame here to me.
My two providers spin up new VMs with interfaces on the Internet accessible via any protocol by default. They email you SSH details for each new VM.
By default a new VM's interface should be off the Internet, accessible via some gateway for config. Individual IP ports should be opened to the Internet by request/API call.
That is even how a home router works.
"it seems as if people may not be using etcd's security capabilities and leaving the ports open, which can be a problem with every database"
Yeah but... CAN IT really? Does EVERY database really come with ports open by default that allow access with zero credentials "unless you enable some feature"?
I'm sure we can collectively come up with at least one or two that don't quite work like that...