[HN Gopher] Tesla.com/.gitignore
___________________________________________________________________
Tesla.com/.gitignore
Author : nateb2022
Score : 332 points
Date : 2022-11-25 19:26 UTC (3 hours ago)
(HTM) web link (www.tesla.com)
(TXT) w3m dump (www.tesla.com)
| djegod wrote:
| Ask myself what other files will be exposed?
| mlindner wrote:
| I think a lot of people in here are overreacting a bit. This is
| an interesting curiosity that doesn't really have any bearing on
| any of Tesla's internal software.
| [deleted]
| jbverschoor wrote:
| So basically you run an endless script to fetch
| https://www.tesla.com/sites/default/settings.php and hope that
| some day there will be a minor nginx config error which lets you
| download the php source instead of executing it.
|
| This will happen some day, so invest 5 bucks per month to exploit
| Tesla at a certain point, so maybe you can be first in line for
| the Cybertruck :-)
| TechBro8615 wrote:
| This comment transported me back to 2010 or thereabouts when
| this happened to Facebook. I remember being surprised at the
| simplicity of the code and making a lot of jokes about "build a
| facebook clone" ads on freelance websites.
| rvnx wrote:
| This seems to be a too sophisticated attack, sometimes
| simplicity is better: https://samcurry.net/cracking-my-
| windshield-and-earning-1000...
| j-bos wrote:
| Great read
| grumple wrote:
| Pretty sure every site on IPv4 gets probed multiple times a day
| for common config leaks and other misconfigurations. Happens to
| all of mine.
| jbverschoor wrote:
| Yeah, but if a gitignore tells you where to look for, and it
| isn't even blocked by a WAF / rule, it makes an interesting
| target, esp. one of the largest companies out there.
|
| You shouldn't even be able to execute settings.php
| TechBro8615 wrote:
| It's a good sign there might be an exploitable file upload
| vulnerability, if you can find an endpoint that uploads
| files to a directory that's served by Apache with the same
| configuration as the directory of the executable
| settings.php
| retrocryptid wrote:
| Except that you'll find that error long before the cybertruck
| ships. Heck, you'll probably see the rebirth of NFTs and BTC
| over US$40000 before the cybertruck ships.
| KevinBenSmith wrote:
| Can't access it...
| [deleted]
| [deleted]
| jjgreen wrote:
|   # Ignore configuration files that may contain sensitive information.
|   sites/*/settings*.php
|
|   # Ignore paths that contain user-generated content.
|   sites/*/files
|   sites/*/private
| [deleted]
| codetrotter wrote:
| Archived copy for reference https://archive.ph/C6qJ4
| datalopers wrote:
| They've got something a bit more fucked up than just an exposed
| .gitignore
|
|   $ curl -si https://www.tesla.com/ | grep generator
|   x-generator: Drupal 9 (https://www.drupal.org)
|
|   $ curl -si https://www.tesla.com/authorize.php | grep generator
|   x-generator: Drupal 7 (http://drupal.org)
|
| So they have at least two versions running at the same time. The
| /authorize.php [1] uri also yields a 500 (instead of a 403 like
| most of the other resources), which implies Apache is most likely
| passing the request off to PHP and the script has a fatal or
| unhandled error.
|
| The webroot appears to be a Drupal 7.x installation and Apache is
| serving that content directly (e.g.
| https://www.tesla.com/MAINTAINERS.txt same as [2]) and trying to
| run some of it (authorize.php), while happy-path requests are
| being reverse-proxied to a Drupal 9.x installation.
|
| [1] https://github.com/drupal/drupal/blob/7.x/authorize.php
|
| [2] https://github.com/drupal/drupal/blob/7.x/MAINTAINERS.txt
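The curl-and-grep check in the comment above, carried one step further as an added example (not code from the thread, from Tesla's site, or from Drupal): parse raw HTTP responses, pull the status and the X-Generator header out of each, classify the status the way the comment reasons about 500 vs 403, and group the probed paths by the backend that answered them. The responses below are constructed to match the header values the comment reports; the status lines, the other headers and the two extra paths are assumptions, not captured traffic.

```python
"""Added example: fingerprint which backend answered each probed path from
raw HTTP responses, offline on constructed samples."""
import re
from typing import Dict, List, Tuple

# Constructed sample responses. The x-generator values follow the comment
# above; everything else in them is assumed for the example.
SAMPLE_RESPONSES = {
    "/": (
        "HTTP/1.1 200 OK\r\n"
        "content-type: text/html; charset=UTF-8\r\n"
        "x-generator: Drupal 9 (https://www.drupal.org)\r\n"
        "\r\n"
        "<!DOCTYPE html>..."
    ),
    "/authorize.php": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "content-type: text/html; charset=utf-8\r\n"
        "x-generator: Drupal 7 (http://drupal.org)\r\n"
        "\r\n"
    ),
    "/MAINTAINERS.txt": (
        "HTTP/1.1 200 OK\r\n"
        "content-type: text/plain\r\n"
        "\r\n"
        "Drupal core maintainers..."
    ),
    "/.git/config": (
        "HTTP/1.1 403 Forbidden\r\n"
        "content-type: text/html\r\n"
        "\r\n"
    ),
}

STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lowercased headers).
    Only the head is parsed; the body is discarded."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def generator_of(headers: Dict[str, str]) -> str:
    """Normalise an X-Generator header to 'Drupal 7', 'Drupal 9', or 'unknown'."""
    m = re.match(r"(Drupal)\s+(\d+)", headers.get("x-generator", ""))
    return "%s %s" % (m.group(1), m.group(2)) if m else "unknown"


def interpret(status: int) -> str:
    """What a status means for a probe path, following the comment's reasoning:
    a 5xx on a .php path means something executed it and failed, a 403 means
    the path is known but denied, a 404 means it is absent."""
    if status == 200:
        return "served"
    if status == 403:
        return "denied"
    if status == 404:
        return "absent"
    if status >= 500:
        return "executed-and-failed"
    return "other"


def fingerprint(responses: Dict[str, str]) -> Dict[str, dict]:
    """Per-path summary: status, generator, and the interpreted meaning."""
    out = {}
    for path, raw in responses.items():
        status, headers = parse_response(raw)
        out[path] = {"status": status,
                     "generator": generator_of(headers),
                     "meaning": interpret(status)}
    return out


def split_backends(fp: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group probed paths by the generator that answered them. More than one
    named generator is the 'two versions running at once' signal."""
    groups: Dict[str, List[str]] = {}
    for path, info in fp.items():
        groups.setdefault(info["generator"], []).append(path)
    return groups


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_RESPONSES)
    for path, info in fp.items():
        print("%-18s %d %-9s %s" % (path, info["status"], info["generator"], info["meaning"]))
    print(split_backends(fp))
```

To run it against a live host you would feed `parse_response` the bytes of `curl -si` output instead of the constructed strings; the grouping logic stays the same. Paths that carry no X-Generator at all (static files served straight off disk) land in the "unknown" group, which is itself informative: it tells you which part of the tree is served without passing through the CMS.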
| deathanatos wrote:
| My knee-jerk reaction is that this looks like a marketing/eng
| split, or even just marketing/marketing. The main "corp"
| website of every org I've ever worked for is managed by
| marketing, not by engineering, and it usually shows in the
| quality. Usually drives someone in engineering (like me)
| slightly crazy, but honestly there are a million other larger
| fish driving me more crazy.
|
| IME they're almost always completely separated from the "real"
| systems that engineers are working on / managing. A compromise
| wouldn't go far, in the backend. Something like XSS would be
| worse.
|
| Always seems to come from some push to "running a website isn't
| our 'core focus' so we should vendor that" ... or something.
| I've also encountered immense push-back on eng-managed corp
| websites: all those pesky best practices get in the way of just
| shoveling "content" (i.e., PR) out. And so it ends up separated
| from eng.
| ec109685 wrote:
| They likely have layer 7 load balancing sending different paths
| to different servers.
| diamondo25 wrote:
| Guess Elon should go and reduce some Tesla services like he
| did with Twitter. Having different major versions of software
| running must take up a lot of maintenance...
| koonsolo wrote:
| Maybe he should bring in some Twitter developers to review
| the code at Tesla.
| keyle wrote:
| I usually don't engage in silly comments but this made me
| belly laugh loud, ta.
| hdjjhhvvhga wrote:
| I believe this is the whole point of this submission.
| [deleted]
| frereubu wrote:
| "Support migration from existing Drupal 7 to the new Drupal 9
| site"
|
| https://www.tesla.com/careers/search/job/sr-software-enginee...
| justinjlynn wrote:
| _polite chuckling_
| hackGAWDpremium wrote:
| Drupalgeddon 7 exploit. Infinitesimal chance it's a vulnerable
| version. Unless we live in a sitcom simulation
| dhritzkiv wrote:
| FWIW, a 500 doesn't imply the server is crashing. More likely
| just throwing a generic error, e.g. unexpected input -probably
| because it's expecting some form/data parameters- and failing
| the request early. It'd be more correct to return a 400 in this
| case, but the /authorize.php endpoint may only be used by
| tesla.com frontend, so they don't care if it's used in
| unexpected ways.
| anamexis wrote:
| What's the distinction between the server crashing and the
| server throwing an error?
| dhritzkiv wrote:
| Usually, a server throwing an error would mean that it is
| aware there was an unexpected state, and is itself
| consciously not fulfilling the request by returning a 500
| error, for example. It remains available to handle the next
| incoming request.
|
| A server crashing implies that the server program or
| process itself has terminated, and is not able to handle
| further requests. This usually manifests as a 503 error by
| an upstream proxy server (nginx/apache/CDN/etc.).
| [deleted]
| sam_lowry_ wrote:
| bri3d wrote:
| Not to defend the Twitter situation, which is foolhardy by almost
| any measure, but it's extremely uncommon for any company's main
| landing page to relate in any way to their software engineering
| team.
|
| Usually these marketing sites are running a CMS (this one looks
| like Drupal) which is owned and operated by either an internal
| team who report to the CIO / IT department (vs the
| Product/Engineering group) or a totally external third-party
| marketing firm.
|
| As long as the "real" product uses different subdomains,
| certificates, proper HSTS, cross-origin protection, and secure
| cookies (a tall order, yes, but something that would be an issue
| no matter what the marketing site is doing), security issues in
| the "marketing" site aren't as bad. Of course a marketing site
| takeover is still worrying, as it's a prime entry point for
| spearphishing and horizontal movement through social engineering,
| but these usually aren't the same engineers or security team at
| all.
| cmeacham98 wrote:
| Nobody (sane) is saying this is a security vulnerability or the
| like (especially as it seems to be a default Drupal gitignore).
| It's just a funny mistake from a "software first" company.
| shudza wrote:
| So what is gonna be your opinion when it gets fixed?
| cmeacham98 wrote:
| "It used to be a funny mistake by Tesla but now it's
| fixed"?
|
| What are you expecting here?
| mlindner wrote:
| There's several people in the comments saying exactly that
| kind of thing in this thread including people asking if it
| leads to vehicle code exploits.
| cmeacham98 wrote:
| I never claimed everybody on HN was sane /shrug
| [deleted]
| [deleted]
| ackatz wrote:
| Getting 403 Forbidden now
| Hormold wrote:
| Check this: https://cdn-design.tesla.com/tds-fonts/
|
| Saved version:
|
|   TypeError: Cannot read property '0' of null
|       at forceFontAssetSource (/app/routes/middleware/moduleVersion.js:89:32)
|       at Layer.handle [as handle_request] (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/layer.js:95:5)
|       at trim_prefix (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:317:13)
|       at /app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:284:7
|       at Function.process_params (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:335:12)
|       at next (/app/node_modules/@tesla/design-system-tools/node_modules/express/lib/router/index.js:275:10)
|       at cors (/app/node_modules/cors/lib/index.js:188:7)
|       at /app/node_modules/cors/lib/index.js:224:17
|       at originCallback (/app/node_modules/cors/lib/index.js:214:15)
|       at /app/node_modules/cors/lib/index.js:219:13
| [deleted]
| ericmcer wrote:
| A company's marketing website and their actual products have
| little in common. I would be surprised if any engineers even work
| on the marketing website and blown away if it is co-located with
| something sensitive.
| behnamoh wrote:
| Can someone explain why this is leaky and how it can be exploited
| by malicious actors?
| mlindner wrote:
| It's not really leaky and can't be exploited by anyone. It's an
| interesting curiosity at best.
| bobthepanda wrote:
| The gitignore explicitly called out where the sensitive
| settings file is, so presumably that makes it a lot easier to
| figure out where to start injecting bad code
| Alupis wrote:
| Sure, but this appears like some very standard directories
| for popular website CMS platforms like Drupal.
|
| So, not very surprising and probably doesn't really tip
| anyone towards anything particularly special.
| m00x wrote:
| It's probably caused by an incorrect nginx configuration, which
| means other static files may be exposed.
|
| Otherwise, it's not much of a leak.
| rvnx wrote:
| This shows that the teams in charge of code deployment have
| relatively weak quality control.
|
| In practice, it means that if the gitignore file is leaked,
| that there is a substantial risk that they accidentally leak
| the .git folder someday.
|
| The .git folder indirectly contains downloadable copies of the
| source-code of the website, which could very likely lead to
| credentials leak or compromised services.
|
| Your life can depend on Tesla.com services.
|
| Even if you are the pedestrian side.
| extheat wrote:
| What makes you think that there is some "substantial risk"?
| You seem to be mixing together git repos and site deployment
| rules. I don't see the big deal here with some CMS leftovers
| being deployed, but yes from a perspective of correctness
| this is not something that needs to be deployed.
| drexlspivey wrote:
| So basically everyone's life is at risk because the
| .gitignore got leaked. That sounds reasonable.
| bpodgursky wrote:
| I'd be pretty surprised if the marketing / landing site was
| remotely connected to the user portal. Most companies have a
| marketing-friendly CMS for public content, disconnected from
| the actual customer-facing portal.
| rvnx wrote:
| Tesla.com seems to be more than marketing, at least
| customers can sign in there to do car operations.
|
| If you can grab credentials from there you can do quite
| some things already.
|
| See https://www.teslaapi.io/authentication/oauth (and this
| is in the case you don't trick an employee).
|
| But I agree, that normally at some point they would catch
| it.
| mlindner wrote:
| > This shows that the teams in charge of _website_ code
| deployment have relatively weak quality control.
|
| FTFY. Little of Tesla's software is whatever they're using on
| the website. That'd be like judging Apple OS software by
| their website source.
| rvnx wrote:
| This is customer control panel, which directly leads to car
| APIs behind that are using the same credentials.
|
| On the same domain there is also the Tesla SSO.
|
| It would be bad if this gets compromised as there would be
| direct impact in the physical world, not just a static
| landing somewhere.
| anonym29 wrote:
| It's leaky because it's globally accessible and provides
| information that isn't otherwise readily apparent.
|
| There is no guarantee that an exposed .gitignore (or other
| exposed files, like .htaccess, robots.txt, etc) will be
| exploitable, but they aid in the discovery process and may help
| adversaries uncover exploitable vulnerabilities they might have
| otherwise missed.
|
| At the extreme, I've seen paths of backups of the production
| database listed in a publicly readable .gitignore, and that
| database backup was publicly accessible, too.
|
| Most of the time, nothing sensitive is revealed, but defense in
| depth suggests it's better to not upload files like these to
| your web server unless they're being used by the webserver
| (like .htaccess) or crawlers (like robots.txt), and if you do,
| they ought to not be publicly readable (unless intended, like
| robots.txt), but even then, you'd want to make sure nothing
| sensitive is in any file like that which is publicly readable.
| Even if there's nothing sensitive in them now, there's no
| guarantee that nothing sensitive will ever be added.
| oceanplexian wrote:
| I'm gonna give my counter take. Information disclosure is
| something that the DevSecOps(tm) crowd spends a
| disproportionate amount of time on for little benefit. The
| number of security professionals who don't know how to code,
| but learned Nessus or CrowdStrike and criticize others is too
| damn high.
|
| I had to work with a security team in a FAANG for several
| years. They were so high and mighty with their low sev
| vulnerabilities, but they never improved security, and
| refused to acknowledge recommendations from the engineers
| working on systems that needed to be rearchitected due to a
| fundamental problems with networking, security boundaries,
| root of trust, etc. Unsurprisingly, their "automated scanner"
| failed to catch something a SRE would have spotted in 5
| minutes, and the place got owned in a very public and
| humiliating way.
|
| When I see things like this it brings back memories of that
| security culture. Frankly I think Infosec is deeply broken
| and gawking over a wild .gitignore is a perfect example of
| that.
| Fnoord wrote:
| There's no need to minimize or explode this; We need to put
| this into proportion. An information leak by itself is
| nothing, but it must be reported and taken seriously (by
| default, it should be fixed).
|
| I'm not disappointed this happens at tesla.com; I expect as
| much. But to many people, this is a top-notch brand. You
| don't expect this on google.com or nsa.gov or fbi.gov
| either, do you?
| acdha wrote:
| I work in .gov so I have a lot of experience with that kind
| of security "engineer" but I'd take a more moderate
| position. This stuff is super-easy to resolve so you should
| spend a couple of minutes closing it and then focus on more
| complex things, with the reason being that when something
| like log4j happens you aren't making it so easy for
| attackers to know whether you're vulnerable - passively
| telling them makes it easier to avoid things like WAF
| blocking rules which will block IPs which actively probe.
| anonym29 wrote:
| I'm a professional red teamer at a FAANG company, for
| reference. There are plenty of times where I find several
| low severity vulnerabilities, none of which are exploitable
| alone, but which can be chained together to produce a
| functional exploit with real impact.
|
| There's no guarantee any of your testers will find every
| issue, and there's no guarantee that a seemingly innocuous
| finding can't have a greater impact than might readily be
| apparent.
|
| That said, there are a ton of charlatans in security
| exactly like you describe - folks who can't read code (let
| alone write it) who just know how to click "scan" on their
| GUI tools and export the report to a PDF. A lot of orgs have a
| QA-level team running those automated scans, which get
| passed on to a penetration testing team, who have more
| experience, but a limited time window for testing, and then
| finally on to red teams, who, along with some appsec /
| product security folks who are embedded directly on product
| teams, tend to have the most expertise, and the most time
| to really dive deeply into a service or application.
|
| Also, keep in mind that those gawking over this probably
| aren't security folks, and the competent security folks
| here may not be gawking at the file itself (or others) -
| just taking part in the discussion.
| shudza wrote:
| It's not an arbitrary thing, and any kind of vulnerability
| (including this one) is potentially a step in a chained
| exploit. I wouldn't be surprised if we see a hack before
| Tesla fixes this. And yes, they will fix it because it's a
| security issue.
| [deleted]
| kadoban wrote:
| It's a bit of an information leak, but probably not a
| particularly serious one. It just gives some information about
| what tech stack they're using, which isn't really public but
| also not that hard to find out, and maybe a bit about where an
| attacker would want to look for other sensitive stuff. Pretty
| minor really, on its own.
|
| It is a bit embarrassing because most web servers (and
| deployment setups) shouldn't be publishing/serving dot files
| anyway (files with names beginning with dot). But it's not
| necessarily a problem as long as they have some protection to
| avoid the _really_ sensitive stuff leaking, it's just kind of
| funny.
| tomjakubowski wrote:
| Interesting, the exclude file (actually, everything under
| .git/info) 403s, while .git/index is a 404.
|
| - https://www.tesla.com/.git/info/exclude
|
| - https://www.tesla.com/.git/index
|
| README.txt 403s too. https://www.tesla.com/README.txt
|
| edit: just going to add files I've found here:
|
| - https://www.tesla.com/.editorconfig
|
| - https://www.tesla.com/profiles/README.txt
| retrocryptid wrote:
| _sigh_
| TechTechTech wrote:
| https://cdn-design.tesla.com/.git/ this url says 'No.'
| sschueller wrote:
| At least https://www.tesla.com/.git/config is not accessible but
| still. This should never happen to a company that considers
| itself a software company first and a car company second.
| tomjakubowski wrote:
| One place I worked for exposed .git on a PHP site to the world.
| Infra was ho-hum about the report until they got a PoC which
| cloned the repo.
| [deleted]
| [deleted]
| v0idzer0 wrote:
| It's not leaky at all.
| newbieuser wrote:
| universal galactic extreme programming requires it
| nr2x wrote:
| Good thing these are the people who helped fire Twitter's
| security team. Sure that's going to work out great.
| [deleted]
| [deleted]
| revskill wrote:
| So, should we just add .gitignore to .gitignore and problem
| solved ?
| agumonkey wrote:
| the classic https://news.ycombinator.com/item?id=31420268
|
| > Git ignores .gitignore with .gitignore in .gitignore
| alvis wrote:
| No. You never checkout a site directly from git to begin with.
| Not letting other people know what files are ignored by git
| doesn't mean people cannot access them. :/
| teknopaul wrote:
| Nonsense.
|
| Everyone uses git for source control, of course you check out
| a site with git.
|
| All you are telling people with a .gitignore is what is _not_
| available.
|
| It means exactly that people can not access them if your site
| is a checkout, because they aren't there.
| NateEag wrote:
| Many of us have a build process that converts the contents
| of a checkout into a deployable site (a.k.a. "build
| artifact").
|
| The build process can trivially skip .gitignore files (and
| all other files that are strictly for dev environments).
|
| You then deploy the build artifact to production, with
| exactly the set of files which ought to be there.
| noselasd wrote:
| There's cases where you don't need a build process for a
| site.
| manojlds wrote:
| .gitignore to Dockerignore
|
| (Partly joking)
| kadoban wrote:
| You're joking of course, but that likely won't do anything
| useful.
|
| If it's tracked, then ignore has no effect. If it's not
| tracked, then you might as well use .git/info/excludes which is
| pretty much the same thing but not tracked, or you can use a
| global excludes file, like ~/.gitignore is common (you have to
| configure git to point at it, iirc).
|
| It _could_ make sense to ignore the .gitignore if some other
| tool is parsing and using that file, but that pattern
| is...troublesome so I hope not.
| vbezhenar wrote:
| ~/.config/git/ignore
| kadoban wrote:
| Hm, did not know that had a default, thanks.
| alvis wrote:
| There is a `cron.php` lol
| MH15 wrote:
| behind auth as of 4pm ET though
| sassy_quat wrote:
| Hilariously most people are unable to program in a secure
| fashion. https://www.zdnet.com/article/over-100000-github-repos-
| have-...
|
| News about Tesla's security seems vaguely wanting, I do not know
| what this .gitignore file is about, but it is quite alarming
| enough to draw conclusions from.
| athesyn wrote:
| It's just their landing page, but still embarrassing nonetheless.
| kalium-xyz wrote:
| My dear American friends. What if this is a psyop from tesla
| marketing to get your attention?
| noncoml wrote:
| "Never attribute to malice that which can be adequately
| explained by stupidity"
| paulryanrogers wrote:
| Very well could be a honeypot. Though neglect and accretion is
| more likely
| dopeboy wrote:
| Along with the acquisition of Twitter.
| ashirviskas wrote:
| So Tesla is free software: https://www.tesla.com/LICENSE.txt
| [deleted]
| hankchinaski wrote:
| I like the simplicity and pragmatism of using drupal. I wouldn't
| work with it myself but it was probably the cheapest/fastest way
| to get a similar site up and running
| soheil wrote:
| > sites/*/settings*.php
|
| Yes PHP is still relevant!
| dpcan wrote:
| Yeah. WordPress, Drupal, Joomla, Laravel, vanilla php. Together
| they power almost 45-50% of the web. So PHP is still extremely
| relevant. The most relevant you might be able to say.
| dergachev wrote:
| Drupal
| snapetom wrote:
| There was a posting just this week on a job site for a "Sr.
| Software Engineer, Backend Drupal" at Tesla. Putting together
| pieces like a leaked .gitignore file, job postings, etc. is
| social engineering in action.
| [deleted]
| viraptor wrote:
| That's not social engineering. You're not convincing anyone
| to do anything or share anything with you. This is OSINT.
| [deleted]
| arcturus17 wrote:
| Does this not come as a surprise to anyone?
|
| I'd have figured that they would have rolled out their own
| custom headless CMS or something really complex. I mean, not
| that it doesn't make sense for them to use a bog-standard CMS
| tool, but my biases (halo effect?) would have made me think
| that they use something more unique.
| rabuse wrote:
| Why over-engineer something that just doesn't bring much
| value to their company?
| ElijahLynn wrote:
| Drupal is pretty powerful and there is a large talent pool
| for it, so it can probably handle all their CMS needs just
| fine. And that would be smart not to roll their own.
| RobertWHurst wrote:
| You all are cringe. Anyone working in tech knows that most
| marketing sites are made by third parties, likely some WordPress
| shop. The hatred for Elon on this site is ridiculous.
| misiti3780 wrote:
| it's very weird. someone responded once that hacker news is a
| bunch of smart dorks that are basically jealous because they
| have not achieved anywhere near as much as elon has. i think
| there is some truth to this.
| akomtu wrote:
| elleven wrote:
| https://www.tesla.com/LICENSE.txt Tesla opensource confirmed?
| antman wrote:
| I think this site's code repository needs to be reviewed. Maybe
| should call some twitter engineers
| [deleted]
| alvis wrote:
| One of the best technology companies (let's assume it's) cannot
| maintain its site with modern technology. How can I trust them?
| hutzlibu wrote:
| I do not trust Tesla because of the apparent instability of its
| owner, but not because its website does not use the most
| bleeding edge web technology. The website works and I see no
| information of any security flaws. This is what matters.
| dingosity wrote:
| The reason people think this is bad form is it indicates the site
| operators did something they did not need to do. It is an
| artifact of carelessness at best or misunderstanding of how their
| web server software works at worst. You do not need to serve a
| .gitignore file for a site to perform its basic function. But the
| obverse is also true. Serving .gitignore does not detract from
| the function of the site.
|
| But among people who do this kind of thing for a living, there's
| a belief that every action you take (like copy a .gitignore file
| to the directory from which static files are served) should have
| an intent which can be traced to a specific requirement.
|
| It's crazy to believe some product manager sat down and put
| "serve up a .gitignore file" in their PRD. Some people are
| therefore taking the existence of the .gitignore file in Tesla's
| public webspace to demonstrate a lack of care when it comes to
| matching requirements with behaviour.
|
| But as people have pointed out, maybe this isn't a Tesla failing
| as much as it is a failing for one of their providers. And sure,
| on the list of failures, this is pretty minor. And if you can
| find a web host that ties behaviour to explicit requirements, I
| would _LOVE_ to hear about it. Web hosting is a low margin
| business which doesn't pay premiums for detail oriented staff.
| To be sure, there are some AMAZING people working for web hosting
| outfits, but my point is they are working at web hosting firms in
| spite of their technical capabilities, not because of them.
|
| To say Tesla is a crap-fest because they left a .gitignore in
| their public web-space is laughable. Tesla is a crap-fest because
| their stock is in the toilet, they often blow past promised
| delivery dates (cybertruck, anyone?) and are extracting cash from
| the rubes who believe "full self driving" means your car will
| drive itself in more than the most contrived of contexts.
|
| Elon Musk is not an idiot because you can read a .gitignore from
| tesla.com. Having done business w/ Mr. Musk, I can assure you he
| is not an idiot. But he also did not impress me as the super-genius
| many seem to make him out to be. He is not playing 4D
| chess. He's a reasonably intelligent guy who won the lottery
| (rich parents, older brother who cut him in for a percentage, met
| the right people just as the USG wanted to buy more launch
| capability and state and federal governments subsidizing electric
| cars.) If anything, he's uncanny in his ability to identify
| opportunity. Maybe that's even better than the Sili Valley execs
| whose skills extend to being white, pretty and GSB educated. (If
| you downvote me, please downvote me for the slight on the Haas
| School this last comment was intended to be.)
|
| To recap... serving a .gitignore in your public web-space doesn't
| mean you're a dolt. It also means you're probably taking less
| care than you could. But maybe we don't need to take such care on
| a static web-site. But it does make me wistful for the days when
| competence was more obviously exhibited.
|
| Elon Musk is considered a jerk because of his behaviour, not
| because someone in one of his companies left tesla.com/.gitignore
| in the public web-space. Tesla is not god's gift to American
| industry. It _is_ a bit of a goose up the backside of entrenched
| incumbents, and for that I will always have a soft spot for it.
| Except for the bits where they seem to be a lightning rod for
| controversy which always seem to be unforced errors.
|
| Good Day To You, Sir!
| retrocryptid wrote:
| John Steven has a quote I quite like: "QA is making sure your
| software does what it's supposed to. Security is making sure
| your software _only_ does what it's supposed to."
|
| I think this is the lens the OP wanted readers to view this
| post through.
| [deleted]
| formerly_proven wrote:
| jstx1 wrote:
| Maybe the other way around - his ignore file has "Tesla" in it?
| jamesy0ung wrote:
| Getting a 403 Forbidden error.
| jongjong wrote:
| outside1234 wrote:
| "Hardcore Engineering"
| x86x87 wrote:
| all the engineers that have not modified at least 50 lines in
| the .gitignore file in the last 60 days have been not
| terminated
| rsynnott wrote:
| I mean, in fairness, if you're not getting enough rest (which
| seems to be what "hardcore engineering" means) then maybe
| you're more likely to screw up the nginx config.
| anonym29 wrote:
| If you think .gitignore leaks too much info, you're going to love
| https://www.tesla.com/robots.txt
| AtNightWeCode wrote:
| Wow, top score for uniqueness, in the field of being stupid...
| jongjong wrote:
| If that's all the dirt that thousands of vengeful fired Twitter
| ex-employees could find, then Tesla must have excellent
| security.
| bakugo wrote:
| Yeah this screams complete and utter desperation. Like, I get
| that hating Elon is what all the cool kids at school are
| doing this month but do we really need this immature garbage
| on the front page of HN all day?
| extheat wrote:
| Yep, it seems like most of the posters here in this thread
| don't do much software engineering from the looks of it. Or
| are being purposely obtuse here. There is no security
| vulnerability here in any of the links we've seen so far
| minus some unnecessarily deployed boilerplate. The
| gitignore file is not the same file your deployment tool
| uses when publishing a website. If there's an API endpoint
| that is public opposed to some static asset, that would be
| a problem. Nothing we've seen here indicates that.
| bfgoodrich wrote:
| Hamuko wrote:
| Well, I'd personally at least find some hilarity in being a
| Twitter engineer fired by one of those 10x Tesla engineers
| while they're publishing their .gitignore files via HTTPS
| (which probably means that their Nginx configuration is
| fucked).
| [deleted]
| jongjong wrote:
| It's barely a vulnerability. Many open source projects have
| theirs public. It might be a problem if the company's
| system was terrible and relied on security through
| obscurity; but maybe they don't care. The engineers who
| think it's a big deal may have tunnel vision. That can
| happen if you spend years in a very narrow area.
| sofixa wrote:
| It's standard practice not to serve any hidden files
| (starting with .) over HTTP. The fact that .gitignore is
| served can indicate they don't block .paths, so lots of
| other things could slip through (.aws for instance).
| naniwaduni wrote:
| Is that a standard now? Who's going to tell the guys
| using .well-known?
| sofixa wrote:
| It has always been standard, it was the #1 thing to do
| when setting up Apache back when Apache was the standard
| and nginx was still this obscure Russian porn web server.
|
| .well-known is much more recent and an exception. Can you
| think of any other .file or .folder which is wise to be
| exposed publicly?
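What the advice in this thread amounts to in code, as an added example that is not from the thread or from any Drupal or Tesla tooling: anonym29's point that dev files should not be uploaded unless the web server uses them (.htaccess) and should never be publicly readable, NateEag's build step that turns a checkout into a deploy artifact with only the files that belong there, and sofixa's rule that dot-paths are denied with .well-known as the one exception. The block has a build-time filter and a request-time gate that normalises the path (percent-decoding, dot segments) before deciding, so encoded or traversing spellings of /.git are caught. The checkout listing and the housekeeping-file names are constructed for illustration.

```python
"""Added example: deploy-time and request-time dotfile policy with the
.well-known exception. File names and paths are constructed."""
import posixpath
from typing import List
from urllib.parse import unquote

# The one dot-directory that must stay reachable over HTTP (ACME
# challenges, security.txt). Every other dot-prefixed segment is private.
ALLOWED_DOT_DIRS = {".well-known"}

# Dotfiles the web server itself consumes: they belong in the artifact
# but are never sent to a client.
SERVER_DOTFILES = {".htaccess"}

# Repo/CMS housekeeping that a stock PHP checkout carries at its root.
# Constructed list for the example; extend it for your stack.
NEVER_DEPLOY_NAMES = {"README.txt", "MAINTAINERS.txt", "LICENSE.txt",
                      "CHANGELOG.txt", "INSTALL.txt",
                      "composer.json", "composer.lock"}


def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s not in ("", ".")]


def hidden_segment(segments: List[str]) -> bool:
    """True if any segment is dot-prefixed, ignoring a leading .well-known."""
    if segments and segments[0] in ALLOWED_DOT_DIRS:
        segments = segments[1:]
    return any(s.startswith(".") for s in segments)


def should_deploy(relpath: str) -> bool:
    """Build-time filter: does this checkout path belong in the artifact?"""
    segs = _segments(relpath)
    if not segs:
        return False
    dirs, name = segs[:-1], segs[-1]
    if hidden_segment(dirs):                 # anything under .git/, .idea/, ...
        return False
    if name.startswith(".") and name not in SERVER_DOTFILES:
        return False                         # .gitignore, .editorconfig, .env
    return name not in NEVER_DEPLOY_NAMES


def deploy_manifest(paths: List[str]) -> List[str]:
    return [p for p in paths if should_deploy(p)]


def canonical_request_path(raw: str) -> str:
    """Strip the query, percent-decode twice (so %252E is caught), and
    resolve ./ and ../ so that /%2Egit/config and /css/../.git/config are
    both judged as /.git/config before the policy runs."""
    decoded = unquote(unquote(raw.split("?", 1)[0]))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def should_serve(raw_request_path: str) -> bool:
    """Request-time gate for a proxy or middleware. A caller that denies
    should answer 404 rather than 403, so a denied path looks the same as
    an absent one and does not confirm what exists on disk."""
    return not hidden_segment(_segments(canonical_request_path(raw_request_path)))


# Constructed checkout listing modelled on a stock Drupal tree.
SAMPLE_CHECKOUT = [
    ".gitignore", ".git/config", ".editorconfig", ".htaccess", "index.php",
    "MAINTAINERS.txt", "sites/default/settings.php",
    "sites/default/files/logo.png", ".well-known/security.txt",
]

if __name__ == "__main__":
    print("deploy:", deploy_manifest(SAMPLE_CHECKOUT))
    for p in ["/.gitignore", "/%2Egit/config", "/css/../.git/HEAD",
              "/.well-known/security.txt", "/sites/default/files/logo.png"]:
        print("%-32s %s" % (p, "serve" if should_serve(p) else "deny"))
```

Both halves matter: the build filter means a proxy misconfiguration has nothing to expose, and the request gate means a file that slipped into the artifact is still not served. In nginx the gate is a regex `location` for `^/\.well-known/` placed ahead of a `location ~ /\.` that returns 404; under Apache the stock Drupal .htaccess already carries a FilesMatch rule denying dot-prefixed names, which is consistent with the 403s on .git/info reported elsewhere in this thread.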
| prepend wrote:
| This is not an issue and just means that their wwwroot
| probably comes from a repo. Anyone who judges an engineer
| who made this decision poorly is silly.
|
| I'd say it's closer to good thing than bad thing due to
| simplicity.
| soneil wrote:
| The start/stop at the bottom makes that look like it's come
| canned with a CMS and they've just tacked on what they needed
| to. It's 90% boilerplate.
| Neil44 wrote:
| And the bumph at the top - crawlers run by Yahoo! and Google
| - lol
| judge2020 wrote:
| It's the default drupal robots.txt it seems.
| https://api.drupal.org/api/drupal/robots.txt/5.x
| chx wrote:
| It's hardly a secret tesla.com is Drupal -- both that
| gitignore and the robots.txt shout it quite loudly, to be
| fair. One of the larger Drupal agencies, Lullabot includes
| them in their clients list: https://www.lullabot.com/our-work
| and they are looking for a sr backend Drupal engineer
| https://www.tesla.com/careers/search/job/sr-software-
| enginee... which I would take if the company were not led by
| Musk.
| ughitsaaron wrote:
| More to that point, see
| https://www.tesla.com/MAINTAINERS.txt
| ughitsaaron wrote:
| You can compare it to the current version of the same
| file in the most recent Drupal release https://github.com
| /drupal/drupal/blob/9.5.x/core/MAINTAINERS...
| stefan_ wrote:
| Is this a normal Drupal practice? You just deploy the Git
| repo?
| extheat wrote:
| Do you deploy confidential information into the repo?
| That would be the root problem.
| mynameisvlad wrote:
| Things don't have to be confidential to be an issue.
| Leaking the actual maintainers' names (as opposed to the
| Drupal list), for instance, would not necessarily be
| considered confidential, but still an issue if it showed
| up.
| chrismeller wrote:
| I think, generally speaking, it's a PHP standard practice
| and more broadly a scripting language practice, though it
| doesn't really apply to Node.
|
| No pre-compiling is required, so you just ship the files.
| Especially true for anything that offers an Apache module
| (like mod_php).
| remram wrote:
| Ship the files sure, ship the top-level folder not
| really. Most sites will have a "public" subfolder or
| equivalent, so the READMEs, scripts, sources etc don't
| get served. Either way, a professional would remove those
| files or block them at the HTTP server level.
| chrismeller wrote:
| Ehhh, I don't know if I agree that most will have
| anything.
| capableweb wrote:
| Not to mention a lot of the subsequent requests when
| loading https://www.tesla.com/ contain the HTTP
| header+value "x-generator: Drupal 9
| (https://www.drupal.org)"
|
| So yeah, not exactly a secret.
| andirk wrote:
| And for the layman: https://builtwith.com/tesla.com.
|
| Haven't seen Drupal in the wild for years. Good on them!
| [deleted]
| capableweb wrote:
| Probably you have, lots of websites are still using Drupal,
| heavily customised of course. Search for "websites made
| with Drupal" and have your jaw drop, as probably a
| website or two you visited recently will show up :)
| marginalia_nu wrote:
| Did an inventory based on my crawler data a while back.
|
| Relatively common to find sensitive or embarrassing links
| singled out in robots.txt
|
| Especially in old large organizations, like universities.
| m00x wrote:
| Really doesn't leak much, and robots.txt is supposed to be
| accessible from the internet.
| anonym29 wrote:
| Yes, it's meant to be public, but you need not disclose all
| of what is contained inside of it. I've been on many pentests
| where paths provided by robots.txt, that I wouldn't have
| obtained any other way, led to exploitable vulnerabilities.
|
| For some reason, a considerable number of people don't seem
| to think twice about adding sensitive paths to robots.
| teknopaul wrote:
| Not the case here though, is it?
| anonym29 wrote:
| Well, we don't really know. Maybe there's some easy-to-
| guess text file in /misc/ that contains a password for
| something. We don't know what we don't know. We do know
| that there's considerably more information exposed here
| than zero - the question is whether any of that
| information could lead to sensitive information, not
| whether or not it constitutes sensitive information by
| itself.
| belltaco wrote:
| How does someone on pentests not know it's the default
| robots.txt that comes with Drupal and hence does not leak
| anything except that it's Drupal?
| anonym29 wrote:
| Comparing it to Drupal's default robots.txt
| slim wrote:
| that's defense in depth, right? /s
|
| also sometimes what's in robots.txt becomes invisible to
| the corporation as well and obviously bugs creep in
| cuteboy19 wrote:
| I would rather that the paths be secure themselves.
| Security by obscurity is not a good idea. Anyway, there are
| not that many combinations of paths even when you consider all
| the different CMS defaults.
| anonym29 wrote:
| You're correct that the resources themselves should be
| secured and that security through obscurity is a bad
| practice (and an oxymoron, as obscurity doesn't actually
| provide security).
|
| That said, avoiding security through obscurity doesn't
| preclude you from giving away less information than is
| being given away here, nor does it make the act of
| removing that information entirely pointless. While this
| isn't the only way that the Drupal version can be
| identified, it is one, and there's no guarantee your
| adversary will find it via other avenues. Also keep in
| mind that with absolutely nothing changing on Tesla's
| end, this may go from secure to vulnerable, should, for
| instance, a remotely exploitable vulnerability in the
| running version of Drupal be discovered and published in
| the future.
| [deleted]
| AtNightWeCode wrote:
| LOL, why, just wow.
| threatripper wrote:
| This looks like a default file from a Drupal installation:
| https://api.drupal.org/api/drupal/robots.txt/7.x
| slaymaker1907 wrote:
| Apparently Tesla is FOSS, see https://www.Tesla.com.
| Ptchd wrote:
| Where can I get the FSD (Fake Self Driving) source code?
| anonym29 wrote:
| edited to hide my horrific lack of HN text formatting
| skills
| abdusco wrote:
| you forgot to from autopilot import *
| [deleted]
| ChrisClark wrote:
| What makes it fake? Just today my car drove me from my
| house to the grocery store with no intervention.
| mynameisvlad wrote:
| Cool, meanwhile my car feels like it's an unstable
| toddler whenever FSD has to turn. It feels like if I
| don't intervene, I'll crash.
|
| It's _far_ from "full" self driving.
| Ptchd wrote:
| Is that a route that you do often and it happened to have
| no unpredictable events today?
| 1attice wrote:
| A leaked .gitignore means the company needs to be taken over, 75%
| of its workers fired, and its debt tripled.
|
| I want everyone to work extremely hardcore on a breakthrough
| Tesla 2.0
| jerkstate wrote:
| if only someone would offer to take it private for 3x its
| value!
| sylware wrote:
| you forgot 1 figure: 30x
| eastbound wrote:
| I wonder whether he's just taking revenge upon the employees
| for mocking him buying it for 3x its revenue. "SEC wants me
| to buy it whole because I have 9%? Employees and board are
| happy to force my hand? Ok."
|
| Being suicidal and ready to lose everything to make a point,
| is probably another facet of the same character trait.
| ignoramous wrote:
| Time for a TeslaDAO. The cryptonomics are in the favour of us
| plebs, and I reckon we'd meme up a100z billions in no time.
| [deleted]
| edgyquant wrote:
| This is not Reddit, please don't treat it as such
| DoctorOW wrote:
| I think it's okay to criticize a company on Hacker News even
| if the leadership is particularly popular here.
| rvnx wrote:
| [deleted]
| nr2x wrote:
| yes, but *which* verification? original flavor? scammer's
| friend? or simp badge?
| rvnx wrote:
| 80 USD / month to verify that you have a bank card with
| active money.
|
| 2500 USD / month to verify your organisation existence.
|
| Verified users can be added to an organisation and get a
| special organisation-badge.
|
| Also, everybody should have the right to pay:
|
| Communists and anti-capitalists are going to be unbanned
| from Hacker News.
|
| Vox Populi, Vox Dei.
| nr2x wrote:
| Use the full quote.
|
| Nec audiendi qui solent dicere, Vox populi, vox Dei, quum
| tumultuositas vulgi semper insaniae proxima sit.
|
| And those people should not be listened to who keep
| saying the voice of the people is the voice of God, since
| the riotousness of the crowd is always very close to
| madness.
| Zigurd wrote:
| We seem to have bottomed-out reply depth, but, to answer
| if there are other examples, the commonly misquoted "the
| proof is in the pudding" is the opposite of the correct
| one: "The proof _of_ the pudding is _in the eating._ "
| nr2x wrote:
| My favorite "a few bad apples" is not a problem, which
| leaves out the second half: "ruin the bunch".
|
| Especially when applied to police - the fact that the
| "boys in blue" turn a blind eye to the bad apples is what
| ruins the bunch. It's unintentionally accurate.
| ben_w wrote:
| Huh. Is there a name for when a widely quoted sentence
| fragment is used for the rhetorical opposite of the full
| original sentence? I feel like I've seen this happen
| before, but I can't place where.
|
| (Also, my favourite Latin to quote at anyone who quotes
| Latin: quin tu istanc orationem hinc veterem atque
| antiquam amoves?)
| rsynnott wrote:
| I'm almost certain that TVTropes has a trope for the more
| general case of quote use without considering the
| context, but I can't find it now.
|
| My favourite is "neither a lender nor a borrower be",
| which gets trotted out as sage advice. It's a quote from
| Polonius in Hamlet, who is depicted as being an idiot.
| denton-scratch wrote:
| That full quote seems remarkably apposite, in the Twitter
| context. The fragment Musk quoted seems to mean the
| opposite, taken in isolation.
| nr2x wrote:
| It's almost as if he's a world-class grifter who
| continually lies and whose entire net worth is predicated
| on keeping up an illusion of his own competence. The dude
| doesn't even have a physics degree, it's pure bullshit.
| pvg wrote:
| Criticizing is fine, musty tropes less so.
| 1attice wrote:
| *musky, but ok
| fortyseven wrote:
| Relax, Francis.
| preommr wrote:
| Agreed, what would HN be without its pretension at being
| above plebs and their "humour".
| kulahan wrote:
| I come here to get away from the Reddit crowd. The last
| thing I want to see is for this site to turn into... _that_
| dumpster fire. It's not about being above anyone, it's
| about setting a tone for a community.
| nr2x wrote:
| not edgy enough for you?
| fnordpiglet wrote:
| It's ok. Elon code reviewed it.
| kobalsky wrote:
| this isn't reddit
___________________________________________________________________
(page generated 2022-11-25 23:00 UTC)