
They do take security seriously - lvh
https://www.lvh.io/posts/they-do-take-security-seriously.html
======
Mithaldu
> I think this article doesn't just blame the victims of those attacks

That's a grossly uncalled-for rewriting of the reality involved.

The victims are NOT the company whose servers are compromised. The victims are
the customers of the company, whose data has been lost to the wilds.

Edit:

> It is far more probable that all of the companies cited in the article have
> expended massive efforts to protect themselves

Another misunderstanding of reality. I've worked with and in quite a few
companies of tiny and impressively large size, and in all instances so far
security has been a non-topic, or at best a bullet point on a slide. In all
cases so far it has been utterly trivial for literally anyone inside the
company, and mildly trivial for people outside the company, to create data loss
scenarios of disastrous scale for many, many customers.

Maybe he has worked exclusively with companies who have crack security teams
and never even thought of using md5 to hash passwords. In my, and many
others', experience, such companies are as rare as unicorns though.
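
The md5 remark above is the one concrete technical point in this thread, so here is an added illustration of why it marks a company out (example code written for this page, not anything from the article or the commenters). It stores a constructed set of user records the unsalted-md5 way and shows that a tiny wordlist recovers the passwords instantly, then shows the same records protected with salted PBKDF2-HMAC-SHA256 from the standard library. The user names, passwords, wordlist and the `pbkdf2_sha256$...` record format are all made up for the example; the iteration count is a parameter so that a caller can lower it for tests, not a recommendation to do so in production.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: three accounts stored as bare md5(password),
# the pattern the comment above is complaining about.
WEAK_USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed toy wordlist; a real attacker's list has hundreds of millions
# of entries and precomputed md5 values for all of them.
WORDLIST = [b"123456", b"password", b"letmein", b"password123", b"qwerty"]


def crack_md5(stored_hex: str, wordlist) -> Optional[bytes]:
    """Dictionary attack on an unsalted md5 hash: one md5 per candidate,
    no salt, no work factor, so a leaked table falls over in seconds."""
    for candidate in wordlist:
        if hashlib.md5(candidate).hexdigest() == stored_hex:
            return candidate
    return None


def crack_all(users: Dict[str, str], wordlist) -> Dict[str, bytes]:
    """Return {username: recovered_password} for every hash in the wordlist."""
    found = {}
    for name, digest in users.items():
        pw = crack_md5(digest, wordlist)
        if pw is not None:
            found[name] = pw
    return found


# Hypothetical record format for the hardened store:
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
PBKDF2_ITERATIONS = 600_000  # assumption: a 2023-era cost for SHA-256


def hash_password(password: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash: a fresh 16-byte random salt per user, so equal
    passwords get different records and precomputed tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("cracked from the md5 table:", crack_all(WEAK_USERS, WORDLIST))
    record = hash_password(b"password123")
    print("hardened record:", record)
    print("verify correct:", verify_password(b"password123", record))
    print("verify wrong:  ", verify_password(b"password124", record))
```

The point the example makes is the one the commenter is making: the weak path needs no exploit, only a leaked table and a wordlist, whereas the hardened path forces the attacker to pay the full work factor per user per guess. A memory-hard function such as scrypt or Argon2 would be the stronger choice where available; PBKDF2 is used here only because it ships with the standard library.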

~~~
sneak
Thank you.

Also from the article:

> These commentators have presumably not been the victims of a breach
> themselves. I have trouble swallowing that anyone who's been through the
> terrifying experience of being breached, seeing a breach up close or
> even just witnessing a hairy situation being defused could air those thoughts.

I do emergency incident response for companies that get breached, and this is
off the mark. Without going into detail, an ounce of prevention is worth a
pound of cure.

It is _entirely_ standard operating procedure in the startup industry to play
fast and loose with customer data, ignore best practices, get breached, make a
blog post about how "we take security seriously", fix one or two things, and
continue like nothing happened. It's the users that suffer, not the startups
that get breached.

It's bullshit, and Troy is precisely on the mark for calling it out.

~~~
lvh
I don't think we disagree. I'm certainly in full agreement that companies
_should_ take it seriously and often don't. However, being breached does not
mean that you did not take action. The article I was responding to doesn't
distinguish between a breach after an ounce of prevention, or no prevention at
all. Is it realistic to expect a health company to have prevented a breach if
that breach is a consequence of an Exchange 0-day?

~~~
wglb
If you are hiring security professionals, it might be helpful for you to keep
in mind for your new hire folks and for your customers that there is a new
metric underscoring the thesis of Troy Hunt, who is quite experienced in this
industry: MTBCA -- mean time before CEO apology:
[http://blogs.forrester.com/rick_holland/15-05-20-introducing...](http://blogs.forrester.com/rick_holland/15-05-20-introducing_a_new_incident_response_metric_mean_time_before_ceo_apologizes_mtbca)

 _Is it realistic to expect a health company to have prevented a breach if
that breach is a consequence of an Exchange 0-day?_ The topic of the article
is that the breaches have gone on for a significant fraction of a year. If
that is the case, that there are intruders waltzing in your network, it is
hardly appropriate to say that you take security seriously.

------
ryandrake
It takes zero effort to have your public relations department issue a press
release claiming that your company "takes something seriously". That claim
rings hollow when it comes right after you demonstrate the opposite. As I said
in the other thread, these companies falling all over themselves to say how
seriously they take security after they've been compromised are like companies
gushing about how seriously they take quality--after issuing a major recall
(or getting sued) over faulty parts. The proof is in the pudding.

~~~
lvh
I'm certainly not trying to defend them. I'm just saying that a serious
commitment to security doesn't preclude breaches any more than a serious
commitment to quality precludes recalls. You only need to screw a minute
detail up to get in trouble, and so far no distinction has been made between
companies that have actually been incompetent/irresponsible and others.

~~~
ryandrake
How about instead of just saying "We take security seriously," disclose some
evidence. What specific things do we normally do to keep customer data secure
and prepare for attacks? How did that preparation fail this time? What was
this particular attack vector? What exactly was compromised, and when? What
specific, verifiable steps are we taking to make the victims (customers)
whole? What specific, verifiable corrective action are we taking in order to
prevent this kind and other kinds of breaches going forward?

Just saying "We take security seriously" is like saying (to quote Chris Rock)
"I take CARE of my kids!" What do you want, a cookie? That's what you're
supposed to do.

------
forgottenpass
_Firstly, there's one thing all of the victims being ostracized have in
common: they disclosed the details of the breach. That is exactly what they
should have done; punishing them creates a perverse incentive for victims to
hide breaches in the future, a decidedly worse end-user outcome._

Then how do users ask for anything better than the status quo?

~~~
lvh
Pick services that practice transparency and are actively trying to fix their
software; e.g. through a bug bounty program.

------
sarciszewski
No, Troy Hunt is right to call them out.

> How can the security industry build deep relationships with clients when we
> publicly ridicule them when the inevitable happens?

Simple: Call out the competitors of the clients you seek. There, now it's
positive PR for your clients and security researchers aren't practicing self-
censorship. Win-win.

------
zzzcpan
> The explicit assumption is that these companies wouldn't have gotten in
> trouble if only they had taken security more seriously.

They didn't care about security at all. That's the assumption. And it seems
I'm not the only one to think that, because that's how things are generally.

------
SCHiM
Hmm.

Although I don't agree with all that is said in the article, I find that it
makes a nuanced and well-structured point.

Depending on what the security industry wants to achieve, they can either
ridicule (punish) or ignore (reward) companies that at least publicize they've
been breached. Keeping in mind that companies have a certain tendency to work
short-term angles over longer-term alternatives, I think the carrot is more
likely to achieve better security than the stick.

But that's just my 2c.

~~~
neaanopri
The security industry could praise companies' transparency a bit more...

------
blazespin
Wow, as someone who sells proactive security software and has to constantly
explain why we are hampering user experience, I have to say this post is
deeply unhelpful. Troy is just pointing out what we all understand - these
people simply don't take security seriously and need to WAKE UP. If public
ridicule helps, great, all I can really say is nothing else has...even the
parade of compromises that has occurred.

~~~
lvh
This is precisely the issue I'm referring to. The assumption is made that if
you got breached, you must not have known what you were doing, and that's
bullshit.

------
TheEnder8
> I think this article doesn't just blame the victims of those attacks, but
> subjects them to public ridicule. Neither helps anyone, least of all end
> users.

I think public ridicule is necessary as basically the only way users have to
encourage security. Users are being harmed by a company penny pinching on
security and virtually never receive any compensation.

------
logicrime
This sure smells like misdirection!

I've no pity for devs that end up getting ruined because they didn't know what
to do. It's like going too fast on a freeway you don't normally take, getting
pulled over and trying to explain that you didn't know. You knew better.
Ignorance is no excuse.

Ridicule is absolutely an effective response to companies who have put
MILLIONS, literally _MILLIONS_ of people in fiscal and possibly even physical
danger. There's absolutely no room for error when it comes to safety for the
users, and a tweet saying "Oh yeah, well uh we take opsec real real serious"
doesn't cut it.

Of course they take security seriously, I mean obviously. But the point of the
article that this article is responding to is that it doesn't matter if you
apologize after something that could've been prevented; it's too late.

~~~
lvh
You're assuming that all security issues are obvious and known ahead of time, and
that's clearly not true. You can't compare your average remote code execution
vulnerability with a speed limit. Speed limits are posted; RCEs typically
aren't as clearly documented ;)

~~~
logicrime
I'm assuming that a hundred million users aren't made vulnerable by sheer
wizardry. In all of the cases that the original article listed, I'd bet my
salary that there was oversight in terms of the critical components or the
architecture. RCE should not be enough to make that kind of dent, there should
be more security there.

