Slashdot Mirror


Cache On Delivery — Memcached Opens an Accidental Security Hole

jamie spotted this eye-opening presentation (here's a longer explanation) about how easy it is to access sensitive data on many sites using memcached, writing "If you already know what memcached is, skim to slide #17. The jaw-drop will happen around slide #33. Turns out many websites expose their totally-non-protected memcached interface to the Internet, including gowalla, bit.ly, and PBS."

10 of 149 comments

  1. DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE by Anonymous Coward · Score: 1, Funny

    DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
    Version 3, August 2010

      Copyright (C) 2010 Anonymous Coward

    Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.

    DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

        0. You just DO WHAT THE FUCK YOU WANT TO.

  2. Re:More Boiled and Distilled. by pushing-robot · Score: 4, Funny

    As spokesman for the Justice League, I say yes.

    --
    How can I believe you when you tell me what I don't want to hear?
  3. Re:More Boiled and Distilled. by davester666 · Score: 4, Funny

    No. Car. Was. Involved.

    --
    Sleep your way to a whiter smile...date a dentist!
  4. Re:More Boiled and Distilled. by outsider007 · Score: 5, Funny

    That's actually more of a feature.

    --
    If you mod me down the terrorists will have won
  5. Re:More Boiled and Distilled. by Farmer+Tim · Score: 5, Funny

    That's. Why.

    --
    Blank until /. makes another boneheaded UI decision.
  6. Re:Let me see if I understand this by riskeetee · Score: 2, Funny

    You don't leave the keys in the Batmobile when it's outside of the cave. That's just asking for trouble.

  7. Re:More Boiled and Distilled. by sjames · Score: 2, Funny

    Boiled and distilled underwear....Ewwwww.

  8. Re:Let me see if I understand this by Anonymous Coward · Score: 2, Funny

    Jesus Tapdancing Christ, they explicitly say that in the doc(s) where they discuss design decisions. They can't use stunnel or blah or blah2 or blah3?

    "It does not authenticate a write to the cache? And they didn't see this as a problem when designing memcache? Really?"

    Yeah, they saw it, and they saw their site and their systems and saw that they did not require that feature for themselves - they weren't creating memcache for charity to donate to the world at large - ffs. Say what you want about livejournal, but they created a bunch of high-performance distributed system tools - gearman, memcache, mogileFS, etc. - that allowed anyone to build a massive social website; prior to them, the tools were not there. Now I am sure some smug historical revisionist will come and explain how these things were all built in SNOBOL in the 1950s, then reinvented in Java as an Apache Foundation project with simple 12,000-line XML config files that future generations will claim are alien code for time travel devices, but those historical revisionists would be dead wrong.
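
    The exchange above turns on memcached's design choice to ship with no authentication and, by default, to listen on every interface, leaving access control to the network around it. The following is an added example, not code from the thread or from the memcached project: it parses the text-protocol `stats settings` reply an operator can request from their own daemon and flags the settings that make an instance reachable and writable from outside the host. It assumes the reply format `STAT <name> <value>` terminated by `END`, the setting names `inter`, `udpport` and `auth_enabled_sasl` that memcached reports, and the `-l`, `-U` and SASL options it refers to in its findings; both sample replies are constructed for the demonstration.

```python
"""Audit a memcached 'stats settings' reply for exposure risk.

Added example, not part of the Slashdot thread or the memcached project.
Assumes the memcached text protocol, where 'stats settings' answers with
'STAT <name> <value>' lines ending in 'END'. The setting names checked
(inter, udpport, auth_enabled_sasl) are the ones memcached prints; the two
sample replies below are constructed, not captured from any real server.
"""
from typing import Dict, List

# Addresses that keep the daemon reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed reply from a default-configured daemon: all interfaces, UDP on,
# no SASL. This is the shape of the deployments the story is about.
EXPOSED_SAMPLE = (
    "STAT maxbytes 67108864\r\nSTAT maxconns 1024\r\nSTAT tcpport 11211\r\n"
    "STAT udpport 11211\r\nSTAT inter NULL\r\nSTAT auth_enabled_sasl no\r\nEND\r\n"
)

# Constructed reply from a hardened daemon: loopback only (-l 127.0.0.1),
# UDP disabled (-U 0), SASL authentication turned on.
HARDENED_SAMPLE = (
    "STAT maxbytes 67108864\r\nSTAT maxconns 1024\r\nSTAT tcpport 11211\r\n"
    "STAT udpport 0\r\nSTAT inter 127.0.0.1\r\nSTAT auth_enabled_sasl yes\r\nEND\r\n"
)


def parse_stats(reply: str) -> Dict[str, str]:
    """Turn 'STAT name value' lines into a dict; reading stops at END."""
    settings: Dict[str, str] = {}
    for raw in reply.splitlines():
        line = raw.strip()
        if line == "END":
            break
        if not line.startswith("STAT "):
            continue
        parts = line.split(" ", 2)
        # A setting with an empty value prints as 'STAT name' with nothing after.
        settings[parts[1]] = parts[2] if len(parts) == 3 else ""
    return settings


def exposure_findings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that widens who can reach the cache."""
    findings: List[str] = []

    # 'inter' is the -l listen address; NULL means memcached binds everywhere.
    inter = settings.get("inter", "NULL")
    if inter in ("NULL", "", "0.0.0.0", "::"):
        findings.append("listens on all interfaces (no -l restriction)")
    else:
        # -l accepts a comma-separated list of addresses.
        addrs = [a.strip() for a in inter.split(",")]
        non_loopback = [a for a in addrs if a not in LOOPBACK]
        if non_loopback:
            findings.append(
                "listens on non-loopback address(es): " + ", ".join(non_loopback)
            )

    # The UDP listener needs no connection at all; turn it off unless used.
    if settings.get("udpport", "0") not in ("0", ""):
        findings.append("UDP listener enabled (disable with -U 0 unless required)")

    # Without SASL, anyone who can reach the port can read and write the cache.
    if settings.get("auth_enabled_sasl", "no") != "yes":
        findings.append("no SASL authentication on the listening port")

    return findings


def audit(reply: str) -> List[str]:
    """Convenience wrapper: parse a reply and return its findings."""
    return exposure_findings(parse_stats(reply))


if __name__ == "__main__":
    for label, sample in (("exposed", EXPOSED_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"{label}: {audit(sample) or ['no findings']}")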

  9. Re:A few clarifications by IAmGarethAdams · Score: 5, Funny

    Mostly through rouge employees

    Luckily, they often get caught red-handed.

  10. Food Analogy by TimTucker · Score: 2, Funny

    Think of it like this:

    System that is never intended to be secure: plastic apple with a warning label stating "THIS IS NOT FOOD"

    System that should be secure, but isn't: apple full of worms

    You're not going to have a good experience biting into either apple, but there's definitely a difference in the expectations that someone would have when looking at them.