Technologists are often seen as cynical, disappointed by how poorly much code is written or by an application architecture that isn’t well designed. I hear no shortage of complaints over other people’s code, one of the reasons I think we have so many new projects started on GitHub (or other public repos). Everyone thinks they can build better software than others.
However, we are often quite optimistic when we write our own code. We throw together quick apps or scripts that solve a problem, expecting the best conditions. In general, we don’t think widely about the possible issues with our code. We build and test for the happy path.
I thought about this as I saw this post on Twitter. It shows a number of Trello boards that contain passwords. To be fair, as I researched this, most of these items are private boards, though seeing names and passwords in a Google search is worrisome. I suspect most of these boards are places where less than trustworthy individuals are storing data, but I did see no shortage of public Trello boards for various software development teams. No passwords were shown, but plenty of notes, and I didn’t spend a lot of time digging through the various cards, something I suspect a hacker would do.
I think many cloud services are very useful and they help us work in new ways. The thing we should all keep in mind is that the search engines are always probing data, even if hackers aren’t. Perhaps there isn’t a concerted effort by anyone to look for our particular set of data, but you never know. Someone may stumble upon our data and if it’s publicly visible, that’s an issue. Even server names, IPs, and more can provide information that we’d rather not disclose.
If for no other reason, consider that employment has changed in the world. More and more of us change jobs often. Today’s co-worker might be tomorrow’s disgruntled ex-employee that discloses information to anyone, or worse, to specific hackers that might make use of it. I’m not sure how much data from our companies is valuable in a general sense to a large group of hackers, but I know there are plenty of technical vandals that would use the information to cause disruption, because they can.
Whenever you look to set up some new process, especially with secure data, please don’t treat this lightly. Expect that someone will find a way to cause issues. And if you use any service that is connected to the public Internet, I’d be extremely careful about the data that you store there. You might be surprised how much of it is visible in search engines.
The Voice of the DBA Podcast