
posted by martyb on Sunday May 19 2019, @12:07AM   Printer-friendly
from the who-needs-QA-when-we-can-test-it-on-production dept.

At around 9:15 UTC [17 May] Salesforce pushed a database script update that was intended to add Modify All permissions to a specific internal profile used by their Pardot service. Due to a scripting error, the View All and Modify All Objects permissions were granted to all user profiles in every organization that had ever had the Pardot product, including public-facing community instances. This was of course a security nightmare for customers, especially those in the financial and health sectors, and an emergency change was pushed around 10:00 UTC to revoke all permissions from all profiles except administrators. No announcement was made on their status sites until the databases could be locked down, because of the potential for bad actors to take advantage of the newly introduced security issue. Further action was taken around 11:00 UTC to take down the PODs completely, likely to further mitigate access risk, which effectively expanded the outage to customers that had never used Pardot but shared an instance with customers who did.

Salesforce is holding hourly calls and recently admitted that the script had run both in their production PODs and in the passive disaster-recovery instances, complicating recovery from the issue. There is currently no ETA for recovery, though it is still their hope that there will be no data loss. They are beginning to bring instances back up, but only administrators will have access initially; it will take additional time before administrators can modify permissions and rebuild profiles, and longer still before profile settings can be restored from backup.
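The failure mode described above, as an added example (not code from the story or from Salesforce): a small sqlite3 model of profile permissions in which an unscoped UPDATE grants View All and Modify All to every profile on a shared pod, beside a scoped grant guarded by a dry-run row count, and an audit that flags profiles holding those permissions outside an allow-list. The table layout, the org and profile names and the allow-list are constructed assumptions; the story says only that a scripting error was responsible, so the unscoped UPDATE here stands in for whatever the real error was.

```python
import sqlite3

# Constructed sample data, not taken from the incident: profiles in two orgs
# that share a pod, one of them holding the internal Pardot integration profile.
PROFILES = [  # (org_id, profile, view_all, modify_all)
    ("org1", "System Administrator", 1, 1),
    ("org1", "Pardot Integration", 0, 0),
    ("org1", "Community User", 0, 0),
    ("org2", "System Administrator", 1, 1),
    ("org2", "Standard User", 0, 0),
]
# Assumed allow-list of profiles that may legitimately hold View/Modify All.
ALLOWED_ALL_DATA = {"System Administrator", "Pardot Integration"}

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profile_perms(org_id, profile, view_all, modify_all)")
    db.executemany("INSERT INTO profile_perms VALUES (?, ?, ?, ?)", PROFILES)
    db.commit()
    return db

def unscoped_grant(db):
    """Assumed shape of the error: the UPDATE carries no profile filter,
    so every profile in every org on the pod receives View/Modify All."""
    cur = db.execute("UPDATE profile_perms SET view_all = 1, modify_all = 1")
    db.commit()
    return cur.rowcount  # number of profiles changed

def scoped_grant(db, profile, max_rows):
    """Grant View/Modify All to one named profile, guarded by a dry-run count:
    if the filter would touch more rows than expected, nothing is written."""
    (n,) = db.execute("SELECT COUNT(*) FROM profile_perms WHERE profile = ?",
                      (profile,)).fetchone()
    if n > max_rows:
        raise RuntimeError(f"grant would touch {n} rows, limit is {max_rows}")
    cur = db.execute("UPDATE profile_perms SET view_all = 1, modify_all = 1 "
                     "WHERE profile = ?", (profile,))
    db.commit()
    return cur.rowcount

def audit_all_data_grants(db):
    """Post-change check: any profile outside the allow-list that now holds
    View All or Modify All is reported as (org_id, profile)."""
    rows = db.execute("SELECT org_id, profile FROM profile_perms "
                      "WHERE view_all = 1 OR modify_all = 1 ORDER BY org_id, profile")
    return [(o, p) for o, p in rows if p not in ALLOWED_ALL_DATA]
```

Run the audit after any permission change, not only after an incident: on the sample data the unscoped grant touches all five profiles and the audit reports the two non-admin profiles, while the scoped grant changes one row and the audit stays empty.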

Coverage at: Geekwire, The Register, and reddit

  • (Score: 4, Insightful) by sshelton76 on Sunday May 19 2019, @12:50AM (2 children)

    by sshelton76 (7978) on Sunday May 19 2019, @12:50AM (#845160)

    but before forcing them to train their replacements

    Should read, "but not before forcing them to train their replacements."

    Which brings up another question... If a person is made to train their H1B replacement, doesn't that sorta say two things?

    First off, the H1B didn't already have the skills, by virtue of needing to be trained, ergo why was he or she brought over in the first place?
    Secondly, that the H1B wasn't really needed, because there was already someone doing the job, and the whole point of an H1B is that there is no one in the US labor pool who has the skills to do the job?

  • (Score: -1, Offtopic) by Anonymous Coward on Sunday May 19 2019, @02:35AM

    by Anonymous Coward on Sunday May 19 2019, @02:35AM (#845169)

    Woah, wait? Didn't Trump! Trump! Trump! fix that already? That's why he's resorting to tariffs, concentration camps, and preparing to make use [wsws.org] of the military's Operation Jade Helm training, because not even shutting down the H1B program has been able to stem the barbarian hordes, right?

  • (Score: 2) by DeVilla on Tuesday May 21 2019, @06:13PM

    by DeVilla (5354) on Tuesday May 21 2019, @06:13PM (#845885)

    To be fair, some training will always be needed to take over a non-trivial environment. Things like "we run our builds on Jenkins on this host", "the users' IDs are managed in the LDAP server there", "the current diagram of the deployment pipeline is here", etc.

    But of course there is no shortage of stories like:

    We run our builds on Jenkins on this ... no, JENkins, with an 'E' and 'N'. You know, the build server? We use it to run our maven builds and ...
    Huh?
    No, maven isn't our product. The build tool...
    Your resume says you have been "developing in Apache Maven" since 2000?