undefined | Better HN

0 points9999000009991y ago0 comments

I don't know what exactly happened here, but Firebase has two defaults. Test access rules which auto expire and are insecure, or production rules which require auth.

If you do something stupid, like keep ignoring the insecure warning and updating them so they don't expire, that's your fault.

In no other industry do workers blame their tools.

0 comments

prophesi1y ago

The issue usually lies in there not being enough security rules in place, not in keeping insecure rules active. For instance, for the Arc incident which we were given more information on, it was due to not having a security rule in place to prevent unauthorized users from updating the user_id on Arc Boosts in the Firestore.

Go into any other industry and hear when they say, "shoot yourself in the foot", and you've likely stumbled upon a situation where they blame their tools for making it too easy to do the wrong thing.

999900000999OP1y ago

If you don't setup any access rules in Firebase, by default it'll deny access.

This means someone setup these rules improperly. Even if, you're responsible for the tools you use. We're a bunch of people getting paid 150k+ to type. It's not out of the question to read documentation and at a minimum understand how things work.

That said I don't completely disagree with you, if Firebase enables reckless behavior maybe it's not a good tool for production...

prophesi1y ago

And I don't necessarily disagree either; good callout that it _was_ about improperly configured ACL's, I meant more that it wasn't related to keeping test rules alive.

For 150k+ salaries, frontend dev salaries are generally a lot less than their backend counterparts. And scrappy startups might not have cash for competitive salaries or senior engineers. I think these are a few of the reasons why Firebase becomes dangerous.

1 more reply

j / k navigate · click thread line to collapse

0 points9999000009991y ago0 comments

I don't know what exactly happened here, but Firebase has two defaults. Test access rules which auto expire and are insecure, or production rules which require auth.

If you do something stupid, like keep ignoring the insecure warning and updating them so they don't expire, that's your fault.

In no other industry do workers blame their tools.

0 comments

prophesi1y ago

Go into any other industry and hear when they say, "shoot yourself in the foot", and you've likely stumbled upon a situation where they blame their tools for making it too easy to do the wrong thing.

999900000999OP1y ago

If you don't setup any access rules in Firebase, by default it'll deny access.

That said I don't completely disagree with you, if Firebase enables reckless behavior maybe it's not a good tool for production...

prophesi1y ago

And I don't necessarily disagree either; good callout that it _was_ about improperly configured ACL's, I meant more that it wasn't related to keeping test rules alive.

1 more reply

j / k navigate · click thread line to collapse