- cross-posted to:
- technology@beehaw.org
- nottheonion@lemmy.world
- cross-posted to:
- technology@beehaw.org
- nottheonion@lemmy.world
You must log in or register to comment.
“Basically, doge.gov has its codebase, probably through GitHub or something,” the other developer who noticed the insecurity said. “They’re deploying the website on Cloudflare Pages from their codebase, and doge.gov is a custom domain that their pages.dev URL is set to. So rather than having a physical server or even something like Amazon Web Services, they’re deploying using Cloudflare Pages which supports custom domains.”
Elmo’s a genius you know
I understand several of those words.
Most websites run off of a server. They’re just using a “repeater” (CloudFlare Pages) to serve directly off of their Github or whatever which is sort of top-shelf slapdashery.
Not serious. Not competent.
What’s sloppy about it? Plenty of blogs and other static sites work that way. In fact, that’s largely how we do deployments at my company, we merge to a special branch and it triggers a deployment.
The database being open is completely sloppy, but deploying through a source control platform is fine.
Well, it’s sloppy for a government website. This is not a private enterprise running out of someone’s garage. There’s many reasons why that should not be an acceptable paradigm for posting government information.
If you’re running a sandwich shop or a metal working shop, posting your phone number and address through CloudFlare Pages is probably fine.
This is not a private enterprise running out of someone’s garage
Neither is the company I work for. We’re not Amazon, but we handle billions of revenue, our users have very high risk jobs, and they are using our software more and more to do these high risk jobs. We have a lot of controls about how things get released (QA team, and every change is tested before and after deployment), we just use our source control to handle the actual deployment.
Whether it’s sloppy depends on their processes (i.e. who validates the change?), not the tools they use.
We don’t use Cloudflare Pages, but we do use automatic deployments, and pretty much anyone on the team can submit a change for deployment. It’ll get reviewed before going live, but that’s a limitation we’ve placed on the tools and process.
No doubt your company has more invested in the domain name than a pointer to pages.dev, as well.
Do we think doge.gov has a QA group? Do we think there’s more than two people who review changes? Or that they even review changes at all?
The setup your company has and what this appears to be (it’s true, this is speculation) is probably vastly more than just “we both use git to manage production pushes”. I’d bet you company has spent a fair number of years getting to this point, and doge.gov has not even secured a proper certificate while suggesting they’re competent to handle the entire financial information of the United States Government.
Do we think doge.gov has a QA group? Do we think there’s more than two people who review changes?
Idk, I don’t work there, nor have I looked into how they’re structured. I’m not going to make assumptions though.
I’d bet you company has spent a fair number of years getting to this point
Yeah, we have a bunch of tooling to make all that magic “just work.” It runs tests, check the health of deploys (and has a sane failover if it’s unhealthy), etc. There’s a lot to it, but at the end of the day, if I really want to, I can push and deploy straight to prod w/o anyone else being involved (I’d probably get fired, but I could do it).
The tech stack isn’t nearly as interesting as the processes surrounding it.
proper certificate
I assume you’re talking about the DB and not the website itself, which is protected by a proper certificate, at least as of Tuesday (that’s when the certificate starts being valid). I don’t know when the website was launched, so I can’t comment on anything before that point, though the domain seems to have been registered since the day after inauguration.
the entire financial information of the United States Government
That’s largely public info, no? I don’t know what exactly is exposed, but honestly, pretty much all financial information (aside maybe from the military and intelligence) should be public record. If it’s not, I’d welcome a breach that exposes it so journalists can look it over and find out what they’re trying to hide.
Yeah I think the static page thing was just there to illustrate how the coders reverse engineered the api and saw what was getting called.
I agree static content alone on CF isn’t “bad”. This perfectly illustrates why you have to have your API shit together when you go with this approach.
Still more than Elon himself
Is he perfectly stable, too?
Ohhhh . sssuuure. I mean, when he’s not ketted out to the gills.
So. Regularly. Maybe even often?
Firing the IT people because they cost too much is always a good thing to show you the incompetence.
Bosses when the IT dept is furiously responding to an outage: What do we pay you for?
Bosses when everything is running smoothly: What do we pay you for?
PEDANTRY PAST THIS POINT
This joke would have worked even better (it already works well) if you put the lines in the other order
Edit: I know markdown, I should not struggle with formatting this much lmao
The markdown makes some pedantry points.
“Why do we have all these IT people? All the tech works fine!”
You understand the assignment people.
I do, but say I was… Let’s call it “clueless”, what would a simpleton like me do to exploit such a thing?
It looks like it’s been patched. I couldn’t find solid instructions anyway. But if I do, I’m sure someone will post an easy to use shell script.
Our Database
Please…show this to The Onion. Let The Onion post some updates…it’s their ultimate wet fantasy.
They will fire most of their employees since they’ll get free daily content for the next 4 years.
Someone needs to turn that site into nothing but goatse stat
Doesn’t seem avoidable.
bumping for the 1337 haxorz
1337 |-|4XX0®Z 71/\/\€
deleted by creator
What did you expect from a department named after a memecoin anyways
Remember that if you can see something that obvious, imagine all the quiet changes people are making that aren’t being immediately found. Not only the deliberate horseshit from musk and his facsy tots, but other attempts to distort data from traditional bad actors like China and Russia
I’m torn on this, on one hand I know there must be millions of dollars in contracts for pointless reports and a huge amount of government wasteful spending in general.
On the other hand, musk and trump are absolute morons. And they will cut shit just because they don’t know what the words mean.
They’re not cutting actual waste. Their goal is to cripple the parts of the government that stopped them from doing illegal shit.
deleted by creator
Unwitting? No. They are knowingly and intentionally doing this.
Sure sure, it’s most likely a cover.
Not most likely, is.
Blatantly and obviously is, why the fuck does anyone believe their bullshit?
Stupidity. It’s because stupidity.
The wasteful spending is in defense and ain’t nobody looking into that…
Waste is how you frame it.
Even literal poop has a benefit.
I do client work, sometimes it drives me mad how much time I “waste” making PPT slides that are just prettier BI dashboards, but then the client sees it, sends that one slide to his boss and everyone claps me on the back.
Whoever dismantles the pre-existing structure will be the one who will have the chance to rebuild it. This is the entire reason they are doing it. Great if you share their vision. Not so much if you don’t.
will be the one who will have the chance to rebuild it
Assuming they have any intention of rebuilding it.
will be the one who will have the chance to rebuild it
Assumingbthey have any intention of rebuilding it.
At least someone is doing it.
“Im torn on this, on one hand I know I have an untreated open wound on my leg, on the other hand here’s a 6 year old kid in a “doctor is in” t shirt who wants to smear whipped cream on it as a treatment”.
What’s to be torn by? False dichotomy.
No you don’t know that. You are repeating a trope without substance. Sure there’s probably huge waste at the pentagon but that’s not on the chopping block here.
Ah, I see. That’s the efficiency they’re looking for.
Crowd source your database, what could go wrong?
Hahahahahahaha
Expert at dumbassery
If the trouble shooters are all artless students then what do expect from whoever is running that website?
