There is a fundamental issue here that comes up with lots of small organizations around security: If your process for prioritizing work is based on which issues people complain about the most, you will never prioritize security issues until it's too late. Security problems are never obvious until the horse bolts.
It is very easy to accidentally add egregious security vulnerabilities to products if you don't know what you're doing. In fact, accruing small security issues (like this SSH password problem) is the default state of the world.
As a user, I pay the cost when products I use have bad security. If I get hacked via your product, it might be embarrassing for you, but it's my device and my data that gets compromised. And because of that, I expect most small companies will not care about their product's security as much as I do as a consumer.
Of course, once a company grows large enough they'll hire a person or a team to look into their software security. At that point they'll fix all the obvious security issues. The database will gain a password. The root AWS account will stop being shared out amongst employees. Work laptops will have full disk encryption turned on to protect against theft, etc.
But until then, as a customer, I should be really nervous. How can you tell the secure products apart from the insecure ones? Well, one of the most obvious signs is that secure products will have already fixed the obvious mistakes. Things like connecting to backend services using unencrypted HTTP. Things like a backdoor-by-default SSH password published on the website.
That is why we (security wonks) make a big deal out of small security problems when they're obvious. They're a sign that nobody has even taken a look at the security situation, and for every obvious problem there's probably 10 more that aren't obvious. This issue might get fixed, but that's why your reply doesn't make me less nervous.
---
And that's a shame, because your project seems super cool and I really want you to succeed! This has come across much more negative than I intended, and I'm more frustrated at the startup industry over this than I am frustrated with you or what you're doing. Hopefully you can get a security review done at some point to make sure there aren't any other simple problems that need to be dealt with. I'm looking forward to seeing where it goes.
Well, if you see the issue where this was enabled, the author had it originally disabled for security reasons so it's not that he's unfamiliar with the reasons why one shouldn't have it enabled. He did it on request from a user while knowing the security risk so that means it's less likely that he's made mistakes so much as yielded to users. And the latter thing is a lot easier to solve.