How often do you go for a stroll around your systems? What I mean is, you’re not there to add a feature or fix a bug or make sure the documentation has stayed in sync with reality. Those are all important things to do, but there’s value to be had from just wandering around once in a while to see what pops up.
What kind of things constitute a stroll? How about looking at the process list on a server and trying to account for everything that’s running? Do you know why things are there, and what they’re doing? Does that thing really need to be running as root? Or does it need to be running at all?
Do these things do anything strange when they start up? Do they “dial out” to somewhere needlessly? Do they have terrible implementations that are just asking to be exploded by the perfect blob of stack-smashing gunk? Are they running with far too many privileges at the same time?
Or, for another view of things, how about listening sockets? What’s out there on the box? What’s listening in the realm of TCP? How about UDP? How about Unix domain sockets? Those can expose vulnerable things, too.
Of course, for any of this to work, a bunch of things have to come together.
This kind of stuff has to be valued by the management types. If all they care about is “lines of code”, you’re screwed.
Someone has to care about doing this sort of thing in the first place. If everyone you hire is cut from the same type of cloth and it doesn’t include this kind of wide-ranging view of things, it’ll never happen.
Whoever’s doing it has to have enough context to know what belongs and what’s probably out of place. This goes both for the general case of “hmm, Linux boxes don’t really work like this”, and for the special case of whatever random wackiness that company has decided to build into their own “stack”.
Maybe those 100,000+ machines actually need portmapper and a bunch of NFS-related daemons on them. Or maybe they don’t. Nobody’s going to know unless someone does the work to understand why, and then follows up to make sure it reaches a satisfying conclusion.
One possible ending is “oh, we’re not using it, so let’s turn it off slowly and safely, and keep it off”. Another ending is “it turns out we’re actually using it, so let’s put up a note in the system configs that explains why this is here, so the next like-minded individual doesn’t waste time investigating it”.
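As an added example that is not from the original post: a POSIX shell script for the stroll described above (which TCP and UDP sockets are listening, which process owns each one, and whether it runs as root) that also closes the loop the way the second ending suggests, by checking every listener against an inventory file in which someone has written down why it is there. It reads the /proc layout directly; the PROCROOT parameter and the inventory file format are my own assumptions, added so a copied snapshot of /proc can be audited offline.

```shell
# Listener audit over the /proc layout: list every TCP/UDP socket in LISTEN
# state, attribute it to a process, and check it against an inventory of
# documented listeners ("PROTO PORT NAME REASON..." per line, # comments ok).
# PROCROOT is normally /proc; a parameter (assumption) so a copied tree can be audited offline.
# Emit "proto hexport uid inode" for listeners (TCP state 0A; a bound but
# unconnected UDP socket shows state 07).  IPv6 tables are merged in.
listening_sockets() {
  procroot=$1
  for proto in tcp tcp6 udp udp6; do
    case $proto in tcp*) st=0A ;; *) st=07 ;; esac
    awk -v p="${proto%6}" -v st="$st" 'NR > 1 && $4 == st {
      split($2, a, ":"); print p, a[2], $8, $10 }' "$procroot/net/$proto" 2>/dev/null
  done
}
# Map a socket inode to "pid/comm" via each process's fd links; "?/?" if none is readable.
owner_of_inode() {
  procroot=$1; inode=$2
  for fd in "$procroot"/[0-9]*/fd/*; do
    [ -L "$fd" ] || continue
    case $(readlink "$fd" 2>/dev/null) in
      "socket:[$inode]")
        pid=${fd#"$procroot"/}; pid=${pid%%/*}
        printf '%s/%s\n' "$pid" "$(cat "$procroot/$pid/comm" 2>/dev/null || echo '?')"
        return 0 ;;
    esac
  done
  printf '?/?\n'
}
# Print one KNOWN/UNKNOWN line per listener, tagging root-owned sockets;
# return non-zero when something is listening that nobody has explained.
audit_listeners() {
  procroot=$1; inventory=$2; unknown=0
  while read -r proto hexport uid inode; do
    [ -n "$proto" ] || continue
    port=$((0x$hexport)); owner=$(owner_of_inode "$procroot" "$inode")
    priv=''; [ "$uid" = 0 ] && priv=' [root]'
    reason=$(awk -v p="$proto" -v n="$port" \
      '$1 == p && $2 == n { $1 = $2 = ""; print substr($0, 3); exit }' "$inventory")
    if [ -n "$reason" ]; then
      printf 'KNOWN   %s %s %s%s : %s\n' "$proto" "$port" "$owner" "$priv" "$reason"
    else
      printf 'UNKNOWN %s %s %s%s : not in inventory\n' "$proto" "$port" "$owner" "$priv"
      unknown=$((unknown + 1))
    fi
  done <<EOF
$(listening_sockets "$procroot")
EOF
  [ "$unknown" -eq 0 ]
}
```

On a live box, run it as root (`audit_listeners /proc /etc/listeners.inventory`) so every process's fd links are readable; the non-zero exit status makes it usable from a periodic job that only makes noise when an unexplained listener appears.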
Having said all that, I can understand why people might not give a shit about quality at this specific moment in time. Burn it all down.
Now, your personal stuff? Sure, keep it tidy and protected. But everything else? Not so much.
It’s an interesting position relative to how I’ve felt previously.
Welcome to 2026.
From Writing - rachelbythebay