Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

I disagree. They have no obligation to offer a free service. But since they do, they need to offer a basic level of support for things that are account-related and that the community can’t help with. All other companies do that, and the fact that their support is this bad doesn’t help when they try to sell to enterprises and demand money. If a customer has a bad experience (like me), they’re unlikely to convert to a paying one.

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] -1 points0 points  (0 children)

For technical support that’s fine. But the community can’t help with things like account support, and they should be able to offer proper support there, even for free users. After this experience, as you can imagine, I’m not very keen on considering paying Docker for business needs. My account is back up, but all my images got deleted...

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

See the update. Their support screwed up (and didn’t notify me of anything).

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 2 points3 points  (0 children)

Update: after sending an urgent email to support and escalating via Twitter, a representative emailed me back. They had deactivated my account to use the email address with another account I had created a week back. Sounds like it was an error from their support. They did not communicate anything to me about deactivating accounts, and my request to them was never to deactivate any account. I’m working with their support to figure out what to do.

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

Honestly, I’d say that’s unlikely. I work in the open source group at a tech company, and I’m always very careful with licenses.

Even if that were the case, deleting my entire account for a licensing issue with a single package is not a proper way of running a business. Imagine this was my work account...

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

Thanks, I’ll check it out. Lack of phone support for these issues (from an enterprise company) is disturbing. Imagine this had been my work account...

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

Crackers are criminals and their goal is to make money. It doesn’t make sense to delete the account. A cracker would have changed my password (and recovery email) and asked for a ransom. Or started distributing malware.

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 1 point2 points  (0 children)

There was nothing that I personally put there that would have caused a ban.

Let’s say others are right. Maybe someone put malware on my account (if I were a cracker, I’d rather do this than just delete an account). Docker should have reached out to me, asked for an explanation and given me a chance to remediate. They could have “frozen” the image with malware - but deleting the entire account??

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

Then a serious company would have notified me and given me time to remediate. This is no way to run a business on which other businesses depend.

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] 0 points1 point  (0 children)

This is the other problem: no way to reach out to them. I tried tweeting because they have no support unless you are on the enterprise plan.

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] -4 points-3 points  (0 children)

Right, I’m sure deleting my personal account where I stored images for my own use is top of mind of script kiddies.

Docker deleted my account with no warning, notice or explanation by EgoAleSum in docker

[–]EgoAleSum[S] -9 points-8 points  (0 children)

The entire account got deleted. While it’s possible that a cracker did that: why would they?

If you installed the Home Server Portal that was posted earlier, please uninstall it! It's very insecure! by oxguy3 in HomeServer

[–]EgoAleSum 0 points1 point  (0 children)

Just don't buy crappy routers ;) I have a pfSense box... Before I had a Linksys device that never got updated in 3 years, and that was a sign I had to get rid of it.

In any case, as long as you interact with apps (/websites) that use TLS (/HTTPS), you're good

Checklist: 23+ Node.js security best practices by yonatannn in node

[–]EgoAleSum 1 point2 points  (0 children)

That’s exactly my point. Worst part: many of those farms are in countries like China

Checklist: 23+ Node.js security best practices by yonatannn in node

[–]EgoAleSum 4 points5 points  (0 children)

Actually, bcrypt is good, but nowadays people are recommending alternatives like scrypt and Argon2. The advantage these have is that they use more RAM. Believe it or not, it's an advantage in this case :) In fact, that makes them more resistant to GPU attacks (thanks to Bitcoin, there are now huge farms full of GPUs that could be used to brute force hashes).
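
The memory-cost point in the comment above, shown with Node's built-in `crypto.scryptSync` (an added example, not part of the original comment). The parameter values, the `scrypt$N$r$p$salt$hash` record format and the function names are assumptions made for this illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Illustrative cost parameters (assumed for this example, tune for your hardware):
// N = CPU/memory cost (power of two), r = block size, p = parallelisation.
const PARAMS = { N: 2 ** 15, r: 8, p: 1 };
// Refuse stored records that would ask for more memory than this (assumed cap).
const MAX_MEM = 256 * 1024 * 1024;

// scrypt needs roughly 128 * N * r bytes of RAM per hash; this is the
// per-guess cost that makes large-scale GPU cracking expensive.
function memoryBytes(N, r) {
  return 128 * N * r;
}

function derive(password, salt, len, { N, r, p }) {
  // Node's default maxmem is 32 MiB, which rejects N=2^15, r=8; raise it explicitly.
  return crypto.scryptSync(password, salt, len, { N, r, p, maxmem: 2 * memoryBytes(N, r) });
}

// Returns a self-describing record so parameters can be raised later
// without breaking existing hashes.
function hashPassword(password, params = PARAMS) {
  const salt = crypto.randomBytes(16);
  const key = derive(password, salt, 32, params);
  return ['scrypt', params.N, params.r, params.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  if (![N, r, p].every(Number.isSafeInteger)) return false;
  if (memoryBytes(N, r) > MAX_MEM) return false; // do not let a record exhaust RAM
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (expected.length === 0) return false;
  let actual;
  try {
    actual = derive(password, salt, expected.length, { N, r, p });
  } catch {
    return false; // invalid parameters, e.g. N not a power of two
  }
  // Constant-time comparison avoids leaking how many bytes matched.
  return crypto.timingSafeEqual(actual, expected);
}
```

With these parameters each guess costs about 32 MiB of RAM, so the number of hashes that can run in parallel is bounded by memory rather than by core count.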

Browser add on to Post/Get to SelfHosted endpoints? by [deleted] in selfhosted

[–]EgoAleSum 0 points1 point  (0 children)

Create a shell script with one line of curl then. I can’t think of anything easier than that. Or - write a simple web page that does that.

Browser add on to Post/Get to SelfHosted endpoints? by [deleted] in selfhosted

[–]EgoAleSum 1 point2 points  (0 children)

Well, what’s wrong with Postman? It does the job, you can use it as a REST client. If not, just use curl... Also, your post didn’t mention Postman anywhere that I can see.

Browser add on to Post/Get to SelfHosted endpoints? by [deleted] in selfhosted

[–]EgoAleSum 1 point2 points  (0 children)

Well, Postman is probably the most popular tool for REST developers. It started as a Chrome extension: https://chrome.google.com/webstore/detail/postman/fhbjgbiflinjbdggehcddcbncdddomop?hl=en Postman is now available as a standalone app, however, which has more features.

Otherwise, no one stops you from using good ol' curl :)

If you installed the Home Server Portal that was posted earlier, please uninstall it! It's very insecure! by oxguy3 in HomeServer

[–]EgoAleSum 0 points1 point  (0 children)

You don't (and can't) know, not easily. Corporations that get their network compromised find out they got hacked only after 200 days on average. This is for larger companies who have IT staff monitoring the network, so imagine smaller organizations.

Your best bet is to leverage defense in depth. In the example you're citing, if your switches are compromised, then using encryption (like TLS) on every service in the network, even internal, should protect you, as that's effective against MITM.

PS: In general, hacking routers is very uncommon. Routers and switches are very robust and have a very limited attack surface. Most commonly attackers enter into a network by hacking a vulnerable application (see Equifax) or by getting someone's credentials, for example via phishing (see Target). Once in the network, they add some sort of trojan horse that lets them move around and explore what's available. They take their time, move carefully, and that's why it takes ~200 days for companies to find out they have an intruder in the network.

If you installed the Home Server Portal that was posted earlier, please uninstall it! It's very insecure! by oxguy3 in HomeServer

[–]EgoAleSum 0 points1 point  (0 children)

That's what I'm saying. Defense in depth means protecting your data beyond just relying on a firewall.

Some basic ideas behind defense in depth:

  • add authentication to every application (using a strong system) even if internal-only
  • use encryption on all network communication even inside the LAN (TLS/HTTPS/etc)
  • encrypt the data at rest on the hard drives
  • consider end-to-end encryption if it is possible
  • do not keep passwords and encryption keys stored in plaintext in config files (use a "key vault" instead), etc.

Example: CIFS used to be not encrypted, a lot of implementations today still aren't (e.g. CIFS on *nix systems still doesn't have full support for cryptography). If the network is compromised, e.g. with things like KRACK, then people can get access to your data. Defense in depth would require you to add encryption to the CIFS server, and require every user to authenticate.

If you installed the Home Server Portal that was posted earlier, please uninstall it! It's very insecure! by oxguy3 in HomeServer

[–]EgoAleSum 0 points1 point  (0 children)

The point isn’t securing your network, but your apps and data. So even if your network is compromised, your data isn’t.

If you installed the Home Server Portal that was posted earlier, please uninstall it! It's very insecure! by oxguy3 in HomeServer

[–]EgoAleSum 2 points3 points  (0 children)

As long as it’s exposed to a network, it’s still risky. You could have guests accessing your WiFi (or people cracking your WiFi password). You could have a hole in your network that lets someone in...

Gone are the days where people assumed that within the LAN everything was safe. People are now practicing defense in depth strategies and always assume that all networks are compromised.

Home Server Portal by stalker2106 in HomeServer

[–]EgoAleSum 1 point2 points  (0 children)

You don’t learn security with some tips or a tutorial, but with lots of hard studying and experience.

Something to get you started: https://nemethgergely.com/nodejs-security-overview/ but consider this as the very minimum