• ray10k (unregistered)

    The only excuse I can think of is that they were under pressure. A lot of pressure. Other than that, inexcusable.

  • ray10k (unregistered) in reply to ray10k

    And for the record, I mean that in a "cool motive, still ~~murder~~ inexcusably bad code" way.

  • Dave (unregistered)

    The RW permissions appear to be write-only, which is another unusual feature.

  • schulz (unregistered)

    Outsourced to cheap developers.

  • Church (unregistered)

    This right here is why people hate on PHP.

  • franqulin btchtts (unregistered)

    TRWTF is having typos in every single article in the year 2018. "Essentiallythis"?

  • (nodebb) in reply to Dave

    The RW permissions appear to be write-only, which is another unusual feature.

    Not unusual at all. Everybody knows that when you write there is no reason to read and verify the result. That's soooo DOS on 5-1/4". This is the almighty CLOUD here. No mistakes are possible!

  • Devil's advocate (unregistered) in reply to Church

    It's not really php that's at fault here. You could have done the same kind of wtfery with any other server-side language. That developer, though, deserves a stern talking to.

  • guest (unregistered)

    This one was so stupid I think it killed me. A PHP script with root access to a machine that can read/write your whole storage system? Yeesh.

  • (nodebb) in reply to Devil's advocate

    I think it's more because PHP enables too many people who shouldn't be doing this to ... do this.

    Addendum 2018-09-17 17:56: Like, it lets you go a long way even if you haven't got a real clue about what you're doing.

  • Duke of New York (unregistered)

    Oh well, at least the servers were patched for shellshock, right? right??

  • Lacey Tech Solutions (unregistered)

    Even if they were under pressure they could have maintained security to some degree. I mean they could have passed the url parameter of RW or RO and then in the code load the relevant access token.

    This really is a WTF!

  • (nodebb)

    Wow. Like, wow. That cloud is about to be vaporized.

  • Erwin (unregistered)

    It is totally secure, we have determined the secret key in a guaranteed random way!

    https://xkcd.com/221/
  • not a robot (unregistered) in reply to Devil's advocate

    It's not really php that's at fault here.

    you must be now here?

  • (nodebb)

    Guys, guys GUYS!

    Seriously - I think there's a culture of "PHP bad" regardless of what is in front of you. If it mentions PHP, it must be bad. And that, folks, is just was WTF as the actual WTF in this article. This could just have easily been done in any other language: C, C++, C#, Java, Go, Python, Ruby or whatever else you think is cool.

    This is an architectural WTF and has nothing, whatsoever, to do with PHP.

  • ichbinkeinroboter (unregistered) in reply to Lacey Tech Solutions

    is that you, Ben? waves

  • also a guest (unregistered)

    Is the cloud provider's API actually sane & accessible? It's totally possible that 'learn the API' wasn't a solution. Of course, this definitely wasn't better - the remote SSH thing could have been done with a lot more security, etcetc.

Leave a comment on “The Secure Cloud API”

Log In or post as a guest

Replying to comment #:

Log Out

« Return to Article