11 Comments

As far as the whole snowflake thing:

1) it’s absolutely terrible that everyone locks up SSO in their enterprise tier. If that feature was illegal to paywall security would be better for everyone.

2) Part of Snowflake's big success IMO was that the database was no longer behind the firewall; it was in the cloud. You could get data in and out without a two-week process for the network team to adjust the firewall or set up an SSH tunnel. The other part was that you signed up for it like any other SaaS app, MFA optional. That's the part that probably needs to be handled with more secure defaults, like MFA required unless an admin turns it off, or something like that.

Yeah, I think that's the complication with the MFA thing. There have been a lot of reactions that are basically "why on earth wouldn't they require it, what morons." But it seems a lot messier than that. Most third-party apps just connect over JDBC and create new connections every time they take some action. If you turn on MFA for those connections, the apps don't work. So you either need to be able to disable MFA and make those service account connections vulnerable to this sort of hack, or you need to create a new, more secure way to connect. The latter option is clearly better, but it's also basically unworkable given the standards of the current ecosystem. So I'd guess Snowflake knew all this, thought about all of it, and decided it was worth the risk, in part because they assumed they could just say "nuh uh, not our fault" if it blew up.

Ya, MFA via JDBC is the worst. But Snowflake allows you to generate a key pair for auth. Not every tool supports that method, but lots of them do. However, generating a key pair doesn't have a spot in the Snowflake GUI, and I think you have to have a certain elevated role or above to do it. So not the most user-friendly.

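
The key-pair setup the comment above describes, as an added example that is not part of the thread and not Snowflake's own tooling: generate an RSA key pair with openssl in the form Snowflake's key-pair auth expects (unencrypted PKCS#8 private key, PEM public key), compute the fingerprint Snowflake reports as RSA_PUBLIC_KEY_FP once the key is registered, and print the ALTER USER statement an admin runs. The user name SVC_ETL, the output directory and the role note are assumptions; the ALTER USER statement still has to be run in Snowflake by a role that can alter the user (e.g. SECURITYADMIN or the user's owner), which is the elevated-role step the comment mentions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl is in PATH.
# SVC_ETL and the key directory are placeholders.
set -eu

# Generate an unencrypted PKCS#8 private key and the matching public key.
# Snowflake's connectors read the private key; only the public key is uploaded.
gen_keypair() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa 2048 2>/dev/null \
        | openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -out "$dir/rsa_key.p8"
    chmod 600 "$dir/rsa_key.p8"
    openssl rsa -in "$dir/rsa_key.p8" -pubout -out "$dir/rsa_key.pub" 2>/dev/null
}

# SHA-256 over the DER-encoded public key, base64 encoded. This is the value
# DESC USER shows as RSA_PUBLIC_KEY_FP (with a "SHA256:" prefix), so you can
# confirm after registration that the key actually in Snowflake is the one you
# generated and not a stale or swapped one.
fingerprint() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# ALTER USER wants the bare base64 body of the PEM, without the armour lines.
pem_body() {
    grep -v -- '-----' "$1" | tr -d '\n'
}

# The statement an admin runs in Snowflake. Only the public key leaves the box.
alter_user_sql() {
    user="$1"
    pub="$2"
    printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$user" "$(pem_body "$pub")"
}

# Usage (placeholder user and directory):
#   gen_keypair ./svc_etl_keys
#   alter_user_sql SVC_ETL ./svc_etl_keys/rsa_key.pub   # run the output in Snowflake
#   echo "expect RSA_PUBLIC_KEY_FP = SHA256:$(fingerprint ./svc_etl_keys/rsa_key.pub)"
```

Once the public key is set, the service account's password can be left unset or removed, so a credential scraped from a ticket or a config file no longer logs in over JDBC; the private key stays on the client that needs it, with 0600 permissions as above.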
I guess a good thing in all of this is maybe stuff like this changes that? It takes a plane crash to change plane regulations, I suppose.

I think so, and the changes aren't that hard and IMO don't introduce that much extra friction.

It looks like you win the "coincidentally correct" prize, as Wired is reporting that a hacked Snowflake service partner was storing customer credentials in Jira tickets.

Gah, always is.

"on the first day of their biggest rival’s annual conference"

It's even better than that! I was in the audience at Summit while Christian Kleinerman was on stage announcing Polaris when I looked at my phone and saw a notification from X about the Tabular purchase, posted 5 minutes earlier. It was brilliantly petty and very much like the big reveal in a reality TV show.

Oh man, I hope they really were just sitting there with their finger on the publish button, waiting for Snowflake to start talking about Iceberg stuff on stage. It really is this skit (which is the same people as the header image, as it happens) for the nerdiest thing ever. https://www.youtube.com/watch?v=KTbNms5yHgI

Oh man, that's incredible. It had to be someone in the audience saying "publish now." Also, I'm assuming that Snowflake had insider information on the purchase, because they went so all hands on deck getting Polaris out the door in time for Summit. Which was an impressive pull and is even more like that skit!

Yeah, and Snowflake was allegedly trying to buy them too (which, given the price, makes sense, because it seems like you'd only get to a number that big if there was a bidding war). So I'm sure they were either told directly that they were going with Databricks, or put that very easy 2 and 2 together.

https://www.forbes.com/sites/rscottraynovich/2024/06/10/why-databricks-tabular-play-has-put-snowflake-on-the-defensive/