I’m not going to go into any specifics here, because I’ve learned that “certain” open source projects are extremely sensitive about any criticism and will defend any kind of madness by blaming the user for not fully reading and comprehending the often extremely cryptic and ambiguous manual, while not putting any blame on the software for allowing the insecure configuration in the first place.
You may think I’m joking, but even 15-20 years later, I still have actual nightmares about things which happened, or could have happened, or may have happened without me ever finding out, in the past, due to bad security, either by myself or by others (affecting me).
A huge issue with security is not realizing one’s own limitations and having a big ego. You know how it is: you are 15-16 and you are totally an “1337” cracker, aren’t you? Everyone else is stupid and you know everything. You couldn’t possibly misconfigure or misunderstand anything, right? That manual only seems to verify what you already knew… yes, that seems to be correct… yes, now let’s put it live! It’s rock-solid!
… and then it turns out that somebody has been remotely connecting from across the world to your ultra-sensitive database for the last eight months and saved all your private information to blackmail you perpetually. Because it allowed any password as long as they guessed the default admin account. Which was supposed to only be accessible from 127.0.0.1.
The most frustrating part is perhaps that, now that I know about many of these things, I find it utterly impossible to educate others about it. They are just as deaf to my advice as I would’ve been to advice from others back when I thought it was a good idea to enable that stupid mode which bypasses all passwords, because even though I read the manual, I read it horribly wrong!
I actually remember saying to myself: “Well, they can’t mean that ANY password goes, because that would defeat the entire purpose of having passwords in the first place, so I can safely conclude that they didn’t mean this.”
They meant it.
Not one day goes by without me thinking back on all these stupid decisions, and while I know very well that it does me no good, I can’t help but be bombarded with these memories and thoughts. It’s easy to laugh at it now and shake one’s head, but when I saved the config that fateful day and reloaded the service in question, I was 100% convinced that my database was fully locked down and that I was the only person in the world who would ever be able to access it, because I had read the manual as I was always instructed to do.
The above vague story is just one out of many such cases which I’ve experienced or heard of. Somehow, these experiences make me fully understand how there can be almost daily news of major critical databases exposed to the Internet with no password. They were simply set up by people who just didn’t understand what they were doing, and I consider it unfair to put all the blame on them.
I think a lot of software is made with a strange attitude to security, where you are harshly punished for not knowing everything about the software, as the developers (but nobody else) do.