Hacker News: Quarrelsome's comments

tbf that's not their fault, as long as they were open about the flaws. Business should not have promoted it to a customer facing product. That's just org failure.

I disagree. If you merge code to main you immediately lose all control over how it will be used later. You shouldn't ever ship something you're not comfortable with, or unprepared to stake your professional reputation on. To do so is profoundly unethical. In a functioning engineering culture individuals who behave that way would be personally legally liable for that decision. Real professions--doctors, engineers, etc.--have a coherent concept of malpractice, and the legal teeth to back it up. We need that for software too, if we're actually engineers.

Profoundly unethical? Ok so wtf is this formatting in your comment. You DARE comment, online where people can see, where you start a new sentence with two dashes "--". What are you thinking? Where's the professionalism? Imagine someone took that sentence and put it on the front of the biggest magazine in the world. You'd LOOK LIKE A FOOL.

OR, perhaps it's the case that different contexts have different levels of effort. Running a spike can be an important way to promote new ideas across an org and show how things can be done differently. It can be a political tool that has positive impact, because there's a lot more to a business than simply writing good code. However if your org is horrible then it can backfire in the way that was described. Maybe the business is too aggressive and tramples on dev, maybe dev doesn't have a spine, maybe nobody spoke up about what a fucking disaster it was going to be, maybe they did and nobody listened. Those are all organisational issues akin to an exploitable code base but embedded into the org instead of the code.

These issues are not the direct fault of the spike, it's the fault of the org, just like the idiot that took your poorly formatted comment and put it on the front page of Vogue.


Grammatical errors, formatting mistakes, or bad writing in general aren't something the magazine publisher can be held liable for, it may be embarrassing but it's not illegal or unethical. Publishing outright falsehoods about someone is though--we call that defamation. Knowingly shipping a broken, insecure system isn't all that different. Of course the people who came along later and chucked it into prod without actually reviewing it were also negligent, but that doesn't render the first guy blameless.

If it was only supposed to be a spike then it does render the first guy somewhat blameless. Especially if the org was made aware of the issues, which I imagine they were if someone had raised the issue of the exploits in the code base.

I mean I could take a toddler's tricycle and try to take it onto the motorway. Can we blame the toy company for that? It has wheels, it goes forward, it's basically a car, right? In the same way a spike is basically something we can ship right now.


Conversely I've met many folks who come into managed environments and piss away time trying to wrangle the managed system into how they think it should work, instead of accepting that clever people wrote it and that guidelines, when followed, result in acceptable outcomes.

The sort of insane stuff I've seen on the dotnet repo where people are trying to tear apart the entire type system just because they think they've cracked some secret performance code.


>on the dotnet repo

You mean the .net compiler/runtime itself? I haven't looked at it, but isn't that the one place you'd expect to see weirdly low-level C# code?


It's ridiculed because it's no protection on its own when an attacker is motivated. It's fine to add as an additional layer though if you want to make your space mildly custom to protect against broader attacks.

I don't see how it's necessarily relevant to this attack though. These guys were storing creds in clear and assuming actors within their network were "safe", weren't they?


TFA cites "env var enumeration", likely implying someone got somewhere they shouldn't and typed 3 characters, as the critical attack that led to customers getting compromised.

My point is sensitive secrets should literally never be exported into the process environment, they should be pulled directly into application memory from a file or secrets manager.

It would still be a bad compromise either way, but you have a fighting chance of limiting the blast radius if you aren't serving secrets to attackers on an env platter, which could be the first three characters they type once they establish access.


The following is based on my interpretation of information that's been made public:

A Vercel user had their Google Workspace compromised.

The attacker used the compromised workspace to connect to Vercel, via Vercel's Google sign-on option.

The attacker, properly logged into the Vercel console as an employee of that company, looked at the company's projects' settings and peeked at the environment variables section, which lists a series of key:value pairs.

The user's company had not marked the relevant environment variables as "sensitive", which would have hidden their values from the logged-in attacker. Instead of

  DATABASE_PASSWORD: abcd_1234 [click here to update]
it would have shown:

  DATABASE_PASSWORD: ****** [click here to update]
with no way to reveal the previously stored value.

And that's how the attacker enumerated the env vars. They didn't have to compromise a running instance or anything. They used their improperly acquired but valid credentials to log in as a user and look at settings that user had access to.
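As an added example, not code from this thread and not Vercel's own code, here is a small Python secrets loader that illustrates the two points made above: pulling secrets into application memory from a permission-checked file rather than exporting them into the process environment (the earlier comment about the `env` platter), and the masked `******` listing described for variables marked "sensitive", with no path back to the plaintext from the listing. The file format, the owner-only permission check, the name-based sensitivity heuristic and the sample values are all assumptions constructed for this example.

```python
"""Added example (not Vercel's code and not from this thread): keep secrets out
of the process environment, load them from a permission-checked file, and give
any settings listing or log line only a masked view of sensitive values."""
import os
import stat
import tempfile

# Heuristic name markers for "sensitive" keys; an assumption for this example.
SENSITIVE_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def is_sensitive(name: str) -> bool:
    """True if the variable name looks like a credential."""
    upper = name.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def parse_dotenv(text: str) -> dict:
    """Parse simplified KEY=VALUE lines (blank lines and # comments ignored)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        values[key.strip()] = value.strip().strip('"')
    return values


class SecretStore:
    """Holds secrets in application memory; never writes them to os.environ."""

    def __init__(self, values: dict, sensitive=()):
        self._values = dict(values)
        # Keys flagged explicitly plus those that look sensitive by name.
        self._sensitive = set(sensitive) | {k for k in values if is_sensitive(k)}

    @classmethod
    def from_file(cls, path: str, sensitive=()):
        """Load from a file that must be private to its owner (no group/other bits)."""
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {mode:o} is readable by others")
        with open(path, encoding="utf-8") as fh:
            return cls(parse_dotenv(fh.read()), sensitive)

    def get(self, key: str) -> str:
        """The only way to obtain a plaintext value: an explicit lookup by the app."""
        return self._values[key]

    def listing(self) -> dict:
        """What a settings page, debug dump or log line may display."""
        return {k: ("******" if k in self._sensitive else v)
                for k, v in self._values.items()}

    def __repr__(self) -> str:
        # An accidental repr() in a log or traceback shows the masked view only.
        return f"SecretStore({self.listing()})"


def environment_leaks(environ=None) -> list:
    """Names of sensitive-looking variables already present in the environment."""
    env = os.environ if environ is None else environ
    return sorted(k for k in env if is_sensitive(k))


def demo() -> dict:
    """Write a constructed secrets file with owner-only permissions and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.secrets")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample values\n"
                     "DATABASE_HOST=db.internal\n"
                     'DATABASE_PASSWORD="abcd_1234"\n')
        os.chmod(path, 0o600)
        store = SecretStore.from_file(path)
        return store.listing()


if __name__ == "__main__":
    print(demo())
    print("sensitive names in this process's environment:", environment_leaks())
```

The design choice worth noting is that `listing()` and `__repr__` are the only views most code paths ever touch, so a settings screen, a debug dump or a crash log shows `DATABASE_PASSWORD: ******` and nothing else; only a deliberate `get()` by the application returns plaintext. `environment_leaks()` is a cheap startup check for the failure mode the comment describes: if credential-looking names are already in the environment, anyone who can run `env` in that process already has them, and the loader above cannot help.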


Astonishing that high damage actions were authorized by authentication delegated to Google and furthermore not subject to hard token 2FA.

I don't think that's what the attacker did here. Vercel is a PaaS product where other developers run apps. The enumerated environment variables were the env vars of Vercel's customers, which Vercel likely stores in a long-term data store. Rather than running `env` on a Linux box somewhere, the attacker may have just accessed that data store.

what's to guilt? None of us asked to be born into this. Most of us are only on part of a bell curve and often nowhere near the top. I lived for a while with friends and their commendable eco-mindedness included ideas like not flushing the toilet when it was just piss. Meanwhile the neighbour down the street leaves their hose running while washing their car out back, while popping inside to answer their front door.

While Europe cycles, the US builds bigger and bigger cars requiring more and more fuel to push just to prop up its unimaginative auto industry. While an American drives, Vladimir Putin or Benjamin Netanyahu or Donald Trump level cities of concrete that will need to be repoured one day, combined with all the wasted energy put into making the people who die in those attacks.

One cannot be responsible for this, for all these other people. There's no guilt, just existential angst as we watch ourselves doomspiral. Whenever climate change is discussed internationally the developed world point at current carbon emissions while the developing world points at historic carbon emissions which means no agreement can be made. Those that are made are just torn up at the earliest opportunity by political opponents seeking short term gains. Who could possibly be responsible for all of this?

The only hope is that these investments made through energy use will propel humanity to the point where it can survive the world it has ruined.


You will live to regret your moral cowardice. Specifically, you'll regret the wrong choices it leads you to make. The guilt you feel now is a warning. Don't stay lazy, or that guilt will eventually be augmented by shame.

All we can do is aim to be better, to aim to be perfect is putting obstacles in your own path for your own smug sense of satisfaction, while the world still burns the same.

Unless you can change the many, including those most intransigent, you have to respect that just changing yourself is something you only do for yourself. I don't see how it's "moral cowardice" for me to own a car so I can ferry around my 84 year old father, so he doesn't have to drive, or to flush my toilet after every time I piss.


I really don't have to respect that.

If we're to talk about what you're ashamed of, why bring up the least blameworthy examples you can find? Do you want to be shriven, or enabled?


I mean I don't use that car for any other purpose. My carbon footprint is probably around or below average for someone in Europe. I eat meat maybe with half of my meals and rarely eat beef or pork. The last time I got on a plane was in 2018 for work. Last holiday via a flight was I think in 2012 and was about 3 hours each way.

I think the average American or even maybe Chinese citizen has a much higher footprint than me these days. I could do better, but to do so would impact my life negatively, win me nothing but smug self-indulgence and change nothing in terms of the long term outcomes of this planet.

So yea, what guilt, what "moral cowardice"? I wouldn't sneer at someone with a higher footprint than me (outside of maybe SUV owners because srsly wtf is that shit) because it's collectively where we're culpable, not individually.

It's 2026 and like 30% or more of the citizens of the global super power don't believe in global warming. We're fucked and nothing I do or you do is going to stop that outcome. We probably should start seriously thinking about geo-engineering instead of worrying about moral cowardice.


Moral odium inheres, if nowhere else, in that you insist upon the seductive counsel of despair. The more convincing you make that, the less our fellows will feel themselves able in any meaningful way to act at all. What should I call such encouragement to cowardice, if not culpable?

People like hope. In Dickens' era the hope was that you'd discover you were a long lost bastard child of some wealthy aristocratic family. These days, it's that you win the lottery.

We shouldn't conflate permitting lotteries which give a lot of people precious hope, with enabling the disease of gambling addiction. Gambling addiction transforms its victims into desperate degenerate messes, who will do anything in order to reverse the outcome of their losses. By popularising gambling on reality (instead of a sandbox like sport) we're creating a future where such people will harass journalists, which further threatens our increasingly precarious relationship with truth.


Because the long term outcome is that truth will start to be defined by money. There's already been tales of journalists being harassed to change stories in order for over-leveraged bettors to win polymarket bets.

I HIGHLY recommend going onto a sports subreddit match thread during a match and seeing what people say, versus the post match thread, a few hours after the match. The difference in tone is striking. While some people are probably just passionate, I'm pretty sure the depths of vitriol (that border on things like death threats) are a consequence of gambling.


Death threats are so common online that the selective reporting of them is weaponisation.

That's a fundamental problem with prediction markets, not the insider aspect of it.

> truth will start to be defined by money

I'm a firm believer in 'there's nothing new under the sun'.

> There's already been tales of journalists being harassed to change stories in order for over-leveraged bettors to win polymarket bets.

So the only thing that has changed is who is doing the harassing.

> I'm pretty sure the depths of vitriol (that border on things like death threats) are a consequence of gambling.

People who are "passionate" about sports have always been the most aggressive and vulgar. I grew up around them, this does not surprise me at all.


> People who are "passionate" about sports have always been the most aggressive and vulgar.

Sure but I can't help but wonder if many of them have money riding on the games which makes their anger much more understandable. Perhaps those you grew up around were also having a bit of a flutter.


Oh, for sure, I don't doubt that at all! My only point is causality. I do not agree that it's the betting companies' fault (whether they are on-chain or not). If there weren't ways to bet, these people would invent them.

Agreed. I just personally think advertising gambling should be illegal. Obviously there's so much vested money that it's hard to shift given that it props up a lot of sports revenue today. However we learned the horrors of tobacco advertising and I can't see why we shouldn't learn the same lessons about gambling. It can never be illegal because the black market would be worse, but we shouldn't encourage it.

Yes, I agree. I think the advertising ban should be more general - anything that is known to be addictive should not be advertised.

Journalists are most likely to profit from this too

Bill Hicks had a really good point when he said people who work in advertising or marketing should kill themselves.

They turn everyone else's experiences to shit just so they can have more money.


Wouldn’t it be wiser to ignore the messages of adversaries and marketers rather than suggesting people kill themselves?

Who hasn’t fallen prey to marketing and propaganda on social media?


Advertising works despite your active efforts to avoid it.

Bill Hicks was a comedian. It's not advice.

To be fair he does say in the bit that it's not a joke.

Well, I highly recommend reacting to advertising aggressively in order to store the memory along with a feeling of repulsion (e.g. swearing, middle finger) to attempt to dissuade the subconscious from retrieving it without revulsion in the future.

I think the point of the bit though is to aggressively point out that advertising corrupts our world for their benefit and if advertisers or marketers had a soul they'd realise they were actively making the world worse and move to a different industry. Meaning the only ones the message is for are sociopaths that know what they're doing and don't care.


Oh look at that, Quarrelsome's going for the 'righteous anger' dollar. That's a good; that's a good market.

Nah, I've been in it for years, and it doesn't pay shit. You need a side hustle if you want to stay in it.

I am reminded of the second episode of Black Mirror :D.

Redbar, one of the first podcasts, has been anti-ads for over 20 years now. Basically changed my whole view of advertising ever since.

Too bad he then became Alex Jones.

What do you mean? He pretty much died at the peak of his career in comedy. I don’t remember any Alex Jonesy material

Was supposed to be somewhat of a joke but I forgot emoji can't be submitted in comments.

If you're curious though: https://rumble.com/v5495j6-matthew-north-psyop-alex-jones-is...


The commenter is referencing a conspiracy that Bill Hicks faked his death and became Alex Jones. This imo was less stupid some years ago when Jones could conceivably be seen as an exaggerated satirical caricature, though it's very hard to imagine Bill Hicks taking the bit this far now

Maybe the next time we suspect they're optimising for the test, switch the next test to drawing "the cure for cancer".

Kinda how I feel about god tbh. How come he's always male, given he's a non-human creator of all life. She or It seem much more appropriate.

> kinda how I feel about god tbh

That's Celestia, we're talking about Luna here.


Celestia the space simulator?

No the cartoon character. It's part of an awful series of AI jokes, maybe don't look it up. There's a (2011? "new") show for 9 year old girls that has most of the characters female, so God (Celestia) is a woman. Or a horse really. I haven't watched it. I don't think Luna or Celestia were in the old show.

To be fair, they're running this with oversight, the blog states they're ensuring the people employed are actually properly employed with the parent company. You know for sure that someone WILL run this experiment without those oversights, so while their "care" is probably more about liability there is still some truth to what they say.

If these guys succeed and this thing blows up, do you think they would not stop all this oversight and whatever “moral” boundaries they have now to make more money?

I do not.


I mean if you're exploring and you find smth cool then you run with it. But I would imagine the people doing it are exploring, it's their financial backers who will be looking to monetise.

I feel more comfortable that the people exploring seem to have their head screwed on and don't appear to be dismissive of the harm they might cause.

