Just because you cannot see how a vulnerability can be exploited does not mean that others can. As you describe, people seem to assume that the only way the config file ends up on the server is «physically» editing it.
An anecdote: I have been struggling with exploiting a product that relies on MongoDb, I can replace the configuration file, but gaining RCE is not supported «functionality» in the embedded version as the __exec option came in a newer version.
It is strange how EVs are measured by how far they can go on a full charge when this is a metric I have never seen for fossil-fuel cars. It tells a story about how inconvenient EVs or the charging network really are.
It also tells the story that the energy price per mile is insignificant. Vehicles that use gas advertise miles per gallon because it significantly affects costs. They also advertise range (or maybe fuel tank capacity), but not as prominently.
An electric car's miles per energy is not as relevant, because current electricity prices are sufficiently low such that people won't really care whether it's 3 miles per kWh or 5 miles per kWh. They will care about how far they can go on a single charge, hence range is a metric that is often advertised.
You are actually more likely to buy a car just after you have bought a car than the 10 years you did not need to buy a car. Maybe not cars, but I’ve heard this argument for kitchen appliances. If you for some reason return the item you just bought, you may buy what you get ads for. Maybe you regret you did not get the premium one, especially when they shove it in your face afterwards…
Appliances, sure, because having bought a new blender I might be tempted to look at replacing that old toaster as well. I'm clearly in an appliance-buying mood, and if I'm not, maybe I can be persuaded in that direction.
Cars? People who just bought a car are generally upside-down, and will not be looking to trade or buy another anytime soon.
I feel like I'm far too eager to accept whatever I bought, and reluctant to return it. Maybe I should play their game and return more stuff when it's not quite perfect.
Skyfall have had awareness of this issue for months. If you're running a teaching service for kids, allowing this to hit the wall months later while telling the kids it's all someone else's fault is disingenuous and a poor example to set.
No I haven't, I literally learned about this 30 minutes before starting the blog post. I don't think it's an unreasonable assumption that your service provider will not 40x your bill with a week's notice!
How long have you had the bill alluded to in the top comment on this post? For how long have you been in communication with Slack? The top level comment suggests it might have been months, but at the very least it's been 3 weeks (since 29th Aug).
I'm not defending Slack here, but allowing this to hit the wall and then raising a stink online does everyone a disservice.
Edit: by "you", I mean "the organisation of Skyfall". It's already pretty clear from the number of people chiming in on behalf of the company that this problem has been handed out piecemeal.
> Then this spring they changed the terms to every single user without telling us or sending a new contract, and then ignored our outreach and delayed us and *told us to ignore the bill and not to pay* as late as Aug 29
From the top comment, if Hack Club was told to ignore it and not pay, I don't feel they are to blame.
"Blame" is a strong word, but I think it was a mistake to not plan a migration strategy as soon as Slack/Salesforce sent a $200k bill. Even if you have some agent telling you not to pay it, it's clear something is about to go very sideways.
It wasn’t Slack, but I’ve had multiple vendors that I was in regular touch with surprise me with pricing changes in the week(s) leading up to a contract renewal. Never quite this short notice, but definitely as little as 8 business days before the renewal was due.
Both times I’ve paid the new price for 1 year and cancelled. Both times our sales rep was surprised the next year when we didn’t renew.
In this case, it looks like Hack Club sat on a gargantuan bill for at least weeks and maybe months (see top comment on this post).
I'm not denying that what you describe happens, but in this case - ignoring the warning signs, letting the issue crash into a wall and then complaining online about it doesn't help anyone.
I get that regardless there were warning signs, but it honestly seems like Slack either miscommunicated or flat out lied to them about the ability to address pricing. While in retrospect they should have started preparing to migrate away, it's human nature to assume good intentions and hope that things will work out well.
There's a couple of interpretations here.
1. The sales rep really thought they would be able to retain good pricing for them and it fell through, and at the last minute Hack Club was blindsided by their inability to retain the pricing.
2. The sales rep thought that Hack Club was likely to jump ship if they had time to plan based on the new pricing, and lied to them about the possibility of retaining pricing. And thought that by doing so they could force at least one year of higher cost.
3. Hack Club is misrepresenting their communications with Slack to drum up public approval.
My guess is that option 1 is the most likely, and the optimism of the sales rep ended up being a net negative, and human nature being what it is, Hack Club thought things would work out, and everyone is already busy so why borrow trouble.
As for complaining online, sadly it seems that bad press is the only lever that most people have as a forcing factor for companies these days. I honestly only had a Twitter account for a long time, just so I could complain about companies in public to get them to do the right thing, so unfortunately complaining online does actually help.
After thinking of it for a while, I do not think it is such a big issue. The threat actor was probably an adversary to existing Huntress customers, and the EDR probably reacted to his tooling and mistakes.
When doing red team engagements, we do the same: install the same security solutions as the customer and work around them. It could be what happened here?
That the analysts spotted him and were able to connect it to existing cases is just good craftsmanship.
I no longer feel that it’s relevant to discuss a red line here. Huntress just did their job.