Comment by FigurativeVoid

Comment by FigurativeVoid 2 days ago

68 replies

View on Hacker News

At my first gig, I had "god" level access to our production database.

All I learned is that nobody should have this level of access unless it is some sort of temporary break glass situation. It is extremely dangerous and even experienced engineers can cause irreparable data loss or some other bad outcome. In our case, some engineer accidentally sent around 10,000 invoices to customers that shouldn't have gotten them.

There are far better data access patterns. In the case of US gov data, I don't see why the DOGE team would need anything more than a read replica to query. It could even be obfuscated in some way to protect citizens' identities.

r00fus 2 days ago

Ah, I remember a time 30 years ago when I logged accidentally into the PROD database (forgot to add the suffix "1" to the connection ID), thinking it was a Dev instance, and then issued a "truncate table CUSTOMERS"... the reaction came within 75 seconds - and restore from backing took several hours.

Reply View 0 replies
simpaticoder 2 days ago

I've worked with older governmental systems, and chances are they are running a wide variety of systems, some of which, the oldest and most critical, are probably written in COBOL running on IBM mainframe hardware. In those environments, there is no real distinction between "database" and "application". COBOL systems are very file- and batch-oriented, and are "monolithic" in the extremist sense. The technology itself makes it impossible to give read only access to such systems.

Reply View 47 replies
  • skissane a day ago

    > The technology itself makes it impossible to give read only access to such systems.

    This isn't true. Mainframe COBOL systems commonly store data in VSAM files, or DB2, or IMS, or sometimes some more obscure non-IBM database (e.g. CA/Broadcom's Datacom/DB or IDMS, or Software AG's ADABAS). But whichever one they use, there are multiple ways of granting read-only access.

    For example, if it is VSAM, you can configure RACF (or TopSecret or ACF2) to allow an account read (but not write) permission to those VSAM datasets. Or, you can stick DB2 in front of VSAM (on DB2 for z/OS, CREATE TABLE can refer to a pre-existing VSAM file, and make it look like a database table), and then you can have a readonly account in DB2 to give you access to that database schema. Or, there's a lot of other ways to "skin this cat", depending on exactly how the legacy app is designed, and exactly how it stores data. But, probably this is already implemented – most of these apps have read-only access for export into BI systems or whatever – and if it happens for whatever reason not to be, setting it up should only be a modest amount of work, not some multiyear megaproject.

    Reply View 7 replies
    • simpaticoder a day ago

      >Or, there's a lot of other ways to "skin this cat", depending on exactly how the legacy app is designed, and exactly how it stores data. But, probably this is already implemented

      Given that neither of us knows the actual systems in question, what is more likely, that it's a well-designed system or one that has organically accreted over time? It seems like you tend to believe the former, and I the latter. I suppose my view is based on the fact that, like in statmech, you enumerate all possible systems that can do a particular job, the vast majority of those solutions will not have any organizing principle and will not be amenable to surgical analysis or change.

      Reply View 5 replies
      • skissane a day ago

        I think the difference is that I know that getting data out of mainframe COBOL systems is a long-known and long-solved problem, and I can list lots of different ways to do it (I mentioned a few, there's several more I didn't mention). Without knowing the details of the exact system, I'm not sure which one would be the best one to use, but the odds that you'd have a system for which none of these existing solutions is suitable is rather low – and indeed, likely most of these systems are already using one or another – there are whole teams of sales people who have spent the last 20-30 years convincing government agencies (inter alia) to buy these solutions.

        Whereas, you don't seem to know anything about that topic, and are speculating based on parallels with completely different disciplines (such as statistical mechanics).

        We both are speculating due to lack of details about the specific systems under discussion, but wouldn't you expect the person whose speculations are based on greater relevant knowledge to be more likely to be correct?

        Reply View 4 replies
  • kvakerok a day ago

    You can absolutely give read only access in COBOL systems. That's just lazy administration and IT security on a shoestring budget.

    Reply View 0 replies
  • jart a day ago

    [flagged]

    Reply View 37 replies
    • jghn a day ago

      You know that annoying thing where someone joins a new team, looks around, declares all their friction points to be easily solvable, dives in & starts making changes, and turns out to make a big giant mess?

      And the reason is they don't understand the specific domain & context well enough to know what the actual hard problems are. Instead they're just pattern matching to things they do know and extrapolating. And it usually doesn't go well.

      Dealing with a system that's replicating 50 years of regulatory rules is going to be that times infinity.

      Reply View 1 reply
      • jart a day ago

        I don't think that's annoying. If they make a mess, then by the time they're done cleaning it up, they'll be an expert, and you won't even have to train them. That is exactly what you need when the system is broken. The existing people should be encouraging, let them try, and lend their wisdom when they can. Disruption has always helped the tech economy thrive and government should welcome the opportunity to learn this aspect of our culture.

        Reply View 0 replies
    • discreteevent a day ago

      >They don't even know how to build a website that works.

      What percentage of people who know how to make a "website" do you think could make an automated tax system?

      >the tech industry has been the beating heart of this country

      Agriculture? Construction? The heart means something without which you can't function. How did people in the 1950s survive?

      Reply View 1 reply
      • jart a day ago

        The agriculture industry is a skeleton crew for something that's largely been automated by tech: https://justine.lol/tmp/agriculture.jpg There's not much of a construction industry either, since the government doesn't let us build anything except sprawl.

        Reply View 0 replies
    • reciprocity a day ago

      The USG does in fact know how to build a website and it is intellectually lazy (so very lazy) to suggest otherwise. A high profile illustration of this is login.gov, which is SSO used across USG agencies. It's not possible to take a comment like this seriously, at all.

      Elon Musk is also not an auditor. DOGE is not an auditing entity. You bring in accountants to audit. These are 20 y/o something programmers. How DOGE has been operating has been completely opaque and this lack of transparency just plays to the point that what someone says their goals are and what their actual goals are are not mutually exclusive, so no, Elon Musk shouldn't be allowed anywhere near these systems.

      Reply View 4 replies
      • jart a day ago

        Are you familiar with healthcare.gov? It was a disaster. So the government let some people from the tech industry come in and help. Techies saved Obamacare and then founded an agency called USDS, who did other sites like login.gov. DOGE is basically doing what USDS pioneered, except now tech people have earned enough trust to fix the government itself, rather than just being the wiz kid who fixes their website.

        Reply View 3 replies
    • QuantumGood a day ago

      "fixing the government" in this case seems to mean "destroy the government" for somewhat hidden purposes.

      Reply View 12 replies
      • redeeman a day ago

        hidden? I think tearing down government is a pretty damned good fix, and so does many others

        Reply View 11 replies
    • [removed] a day ago
      [deleted]
      Reply View 0 replies
    • mrtesthah a day ago

      DOGE literally took over the agency that competently modernized and integrated US gov technology (United States Digital Service), gutted it, and is now using that agency's pretense of needing access to data to now pilfer citizens' private information and grossly violate the constitutional separation of powers.

      This is the mechanism by which this administrative coup (declared here in https://www.whitehouse.gov/presidential-actions/2025/02/ensu...) is being enacted. None of this is legal or constitutional in any way.

      The rule of law is not a partisan issue nor a matter of "government efficiency". Those who aid this coup should be considered traitors.

      Reply View 0 replies
    • seemaze a day ago

      If it ain’t broke.. move fast and break things?

      Reply View 0 replies
    • averageRoyalty a day ago

      All I've seen about this DOGE stuff is negativity based on hypotheticals, this is the first optimistic hypothetical I've seen so far.

      It's an interesting point. As a thought exercise, tech is absolutely the core of modern America, #1 export (I assume) and a key market. Private sector influence probably can give huge amounts of low hanging fruit.

      I think peoples main concerns stem from not trusting Trump (which seems odd given he's a second term president, he is objectively wanted) and not trusting Musk (which is probably fair, he's publicly and openly an arsehole).

      Speed probably concerns people too, however "move fast and break things" is a pretty fundamental American tech mantra, so entirely unsurprising and usually effective.

      Reply View 5 replies
      • n4r9 a day ago

        Trump winning the election wasn't necessarily because he was "objectively wanted". It could be because he was less disliked than Biden at the time. Plus I wouldn't be surprised if a lot of people voted Trump but then his first couple of weeks made them go "hang on a sec...".

        Reply View 3 replies
      • DiogenesKynikos 18 hours ago

        > not trusting Trump (which seems odd given he's a second term president

        You might recall that at the end of his first term, he tried to overturn the results of the election he lost, calling up the Georgia attorney general to demand the vote total be blatantly altered, and even siccing a mob against the Capitol to physically prevent the certification of the results.

        That's why many people don't trust him.

        Reply View 0 replies
    • Bluestrike2 a day ago

      > That's why all this stuff is backed up to an iron mountain.

      When one of your threat vectors is a massive ball of nuclear fire right on top of the federal government in DC, your offsite backup policy is going to be absurd overkill by the standards of any other organization on this planet. That doesn't mean it's flawed.

      > ...many of the people in charge don't even know how to use a website. Now for the first time, tech industry people have the opportunity to help run these computer systems, and you're afraid they're the ones who'll be incompetent and accidentally break everything?

      Are you honestly suggesting that the people who built these systems, maintained them, and updated them to reflect often significant changes in rules and regulations over the course of decades somehow don't know how those systems work? If they were so damned clueless, those COBOL systems would have sputtered out and died decades ago. The fact that they've continued to run for all this time is practically prima facie evidence that the system works just fine by industry standards for that kind of legacy code.

      No doubt there's plenty of stuff buried in the codebase that bugs the hell out of the developers working on it, but you get that with any complex legacy code. It's the nature of the beast. Do you think there's nothing in Google's monorepo that some of their engineers don't quite like but doesn't rise to a big enough issue to warrant refactoring right now? Any other FAANG company? Or large tech company in general?

      You're writing as though a bunch of junior developers--and that describes pretty much all of the publicly known DOGE employees so far--are wizards who can just waltz right in and magic up a better solution just because they're from the "tech industry."

      Setting aside the unlikely chances that those juniors--no matter how skilled or talented--have any experience with COBOL, mainframes, or even just decades-old legacy code, is anyone going to suggest that something like the federal government's payment system isn't defined by an immense amount of complex business logic so as to comply with legislative requirements? It's not something you just start playing around with.

      I can't think of any tech company that would take a junior developer, toss them overboard in the middle of the freezing Atlantic, grant them sudo access, and tell them to do whatever the hell they want with critical systems before they drown and--somehow--take the ship with them. Worse yet, those juniors were chosen for ideology fervor and/or purity, so what happens when the normal review processes and experienced senior developers are pushed aside because they're in the way and part of the "deep state conspiracy" that doesn't want them to "[fix] the government" as you put it?

      Not only is that a recipe for disaster for the company itself, it's a damned good way to take an otherwise talented junior developer and permanently ruin them. Instead of mentoring them so they can work well as part of a team, you're basically creating a toxic working environment that's going to turn them all feral. By the time they crawl out the other side and the public hears all about what they've been up to, what company is going to be stupid enough to a developer with "DOGE" on their resume? Beyond that, you're conflating a whole bunch of different issues here with federal software contracts and IT, while putting the tech industry on a really peculiar pedestal.

      Besides, if the goal is to discover waste/fraud/abuse, the obvious answer is to hire a bunch of forensic accountants and let them dig into everything. Those are the people who actually find that kind of stuff, and they're incredibly skilled at their job. If it's there, given the time, they'll find it. But it's a slow-going process, so we instead see a bunch of engineers focusing on random transactions so they can ask themselves (1) "do I like that one?" and (2) "do I think it's legitimate?" because it's faster.

      That's not exactly how you fix anything, least of all a country.

      Reply View 1 reply
      • jart a day ago

        I'm not questioning the reliability of their systems but the content of their databases.

        The DOGE workers are already legends in their own lifetime, having saved $55 billion, and they haven't even gotten started. That's like 20% of Google's yearly revenue, all in a few weeks, and without needing to write petabytes of code in a monorepo.

        I don't think it's accurate to mentally model these payments as though they were counter intuitive algorithms in a deeply embedded software system. Waste fraud and abuse can be painfully obvious. So it's not the complexity of the problem that has prevented it from being solved. It's the political cost. Senior people have spent a lifetime accruing political capital. They're afraid to lose it. They're only going to spend political capital if they get something in return. They know and have cultivated relationships with the people who will be unhappy if particular instances of waste get solved.

        So it makes sense that Elon is unleashing his crackerjack juniors.

        They're perfect for the job.

        Reply View 0 replies
    • mindslight a day ago

      > For decades the tech industry has been the beating heart of this country that's kept the American dream alive

      By "tech industry" do you mean the consumer surveillance industry? Maybe your vision of the American dream involves inescapable corporate control, but mine certainly doesn't!

      Reply View 2 replies
      • jart a day ago

        I'm talking about the tech industry that invented a self-driving bulletproof truck that looks like a DeLorean and is faster than a Lamborghini which anyone in the middle class can afford. If Elon can make science fiction real for the masses, then he should be able to balance one itsy bitsy tiny little federal budget.

        Reply View 1 reply
        • mindslight a day ago

          There are a lot of baked in assertions to unpack there. But sure, one would think that the skill of inspiring a team to develop self driving might decently translate into leading a country to buy in to various government reforms. But that isn't what's being done, right? Instead he's just autocratic butchering and xitposting inflammatory half-baked "findings" - both completely anti-trustworthy to anybody not already sucking down his xitstream. And it doesn't take any skill to do that. Maybe he could have done the job before his tragic spiral of social media addiction, but that doesn't seem relevant to the current situation.

          And as far as bringing science fiction to the masses, it seems like he's taken all the wrong lessons from the common theme of corporate dystopia.

          Reply View 0 replies
TrackerFF 2 days ago

Never mind the direct risks, if you have "god mode" to basically any government thing, you instantly become the target of foreign intel/military operations. You can bet good money that there are entire teams, if not divisions, working around the clock to exploit this situation.

Reply View 1 reply
  • netsharc a day ago

    I can imagine Chinese and Russian hackers laughing at the DOGE l33t hackers.

    And if I was advising the Ukranians I'd tell them to try to exploit it too, hey, if you're fighting 2 superpowers with another 1 quietly backing the fight against you, you need all the help you can get.

    Reply View 0 replies
godelski 2 days ago

  > It is extremely dangerous and even experienced engineers can cause irreparable data loss or some other bad outcome
It is literally why we never log in as root.

  HERE BE DRAGONS
I don't know an admin who hasn't, on multiple occasions, unintentionally caused irreparable damage. It is easy to do even with the best of intentions and with extreme levels of care. Any one trying to rush through a dragon's den is only going to get burned. Considering how many dragons' dens they are running into, I do not question "if" damage has been done, but "what".
Reply View 1 reply
  • amy214 a day ago

    I remember having some kind of C programming bug where output filenames got scrambled (string memory error probably). And output files in the same folder as the source code.

    That seems innocuous, but remember then some of the output files might have the character "?" or even "*". So imagine trying to remove these files and going an asterisk too far. All gone!

    Reply View 0 replies
manfre a day ago

I've had a company give me full admin access to their cloud account. Thankfully, I learned the lesson earlier in my career and immediately created myself of more mundane user. Break glass access is important, but definitely not as the usual level of access.

> I don't see why the DOGE team would need anything more than a read replica to query.

They shouldn't need more than limited read access. The fact that they have more access, very likely demanded and not accidentally given, is due to their intent to do more than simply query data.

Reply View 0 replies
erulabs a day ago

Ultimately someone has root permissions. Re: federal agencies, in the United States, that someone is clearly, constitutionally, the President. Article II of the constitution vests all power of the executive in the person of the President. The President has authority to appoint agents. That same article _does also_ say the President has to "take Care that the Laws be faithfully executed", but the "Care" there is highly debated. But the idea that the President doesn't have the right to appoint Musk to get root access to federal agencies seems legally incorrect.

I'm not make a value judgement on this, it's just how it is. At a startup, the founder ultimately has root access to the database, no matter what the technical controls.

Now, maybe it's stupid, and maybe it should be some other way, but to my mind the other way is that Congress gets together and writes a law saying "the executive cannot get root access to X, Y, Z". In absence of that law, the executive can do whatever they want.

Not to be THAT GUY, but "an append-only database which cannot be modified by anyone" is something HN has spent the past 10 years saying is completely useless...

Reply View 2 replies
  • Rapzid a day ago

    The power rests with the office. There is an important but nuanced distinction there.

    Reply View 0 replies
  • netsharc a day ago

    And Trump can launch the nukes to blow up the world too... but building a system where he can just click a button to do so would be idiotic. Same idea with giving godmode to the guy who thinks carrying a sink and saying "Let that sink in" is hilariously clever.

    Reply View 0 replies
cratermoon 2 days ago

I loathe working places where they just give you all the permissions because it's "easier". One risk is if something does happen, and they don't have exceptional tracing and logging, (and let's be honest, at an organization sloppy enough to hand out privileges like candy, what's the chance of that?) it's difficult or impossible to pin down the source to any individual. As a result, both responsibility and suspicion is diffuse.

Reply View 9 replies
  • TransAtlToonz 2 days ago

    The appropriate restrictions are relative to the size and momentum of the organization. It's easy to spend months setting up safeguards rather than working on product development that won't proportionally return.

    Of course, this involves being honest with yourself about risk and reward, and we all have implicit incentives to disregard the risk until we get burned and learn to factor that in.

    Reply View 0 replies
  • FigurativeVoid 2 days ago

    I have so many horror stories from there.

    When they did decide to lock down the database, the DB admin only locked in down in the sql server client most people used. If you used some other client, you still had access. _sigh_

    Reply View 2 replies
    • tomrod 2 days ago

      What DB system operates that way, that's nuts.

      Reply View 0 replies
    • cratermoon 2 days ago

      My favorite security anti-pattern! Locking the main doors while leaving all the windows wide open.

      Reply View 0 replies
  • justin66 2 days ago

    It's not just about the risk. It signifies that you're not dealing with an experienced database administration staff. (At a startup that might just mean one guy, but that's better than zero.

    Reply View 0 replies
  • FigurativeVoid 2 days ago

    A second thought. It leads to lazy application development. Whenever you have production intervention that happens more than a few times, you should just make a feature that does it safely via application code.

    Reply View 1 reply
    • Tobani 2 days ago

      I've definitely worked in places where "Move fast and break things" tended to focus on breaking things. There would be bugs that we didn't fix because "We can just fix the database when it happens." It would take 2hours to fix a bug that would cause of 10's of hours of weekly support request, but the focus would always be on building new features, of which 10% got any real usage.

      Reply View 0 replies
  • JohnFen 2 days ago

    I agree. Good access controls and being prevented from accessing things that I don't need access to protect me as an employee just as much as the data itself.

    Reply View 0 replies
  • alsoforgotmypwd 2 days ago

    Meta completely restricted graph data access to requiring a specific business purpose and managerial approval tied an articulable, concrete task need.

    Reply View 0 replies
Zefiroj 2 days ago

There's a good balance between preventing accidents and reducing friction.

One person having "god-mode" access isn't usually that terrible.

Reply View 0 replies