One Born Every Minute (about Backupify) - Maro
http://pl.atyp.us/wordpress/?p=2698

======
tdoggette
If you're going to say something, just say it.

Unless it's not true, in which case you wouldn't want to, because that would
be libel.

~~~
CPlatypus
If _you_ are going to say something, just say it. If you're going to accuse
someone of libel, just accuse them. Don't be all passive-aggressive when
you're accusing others of being passive-aggressive. It looks kind of like
you're projecting a bit, y'know?

In this case, I wasn't making any accusations about Backupify. I was merely
pointing out how their _external behavior_ is indistinguishable from
phishers'. For all I know they're stand-up guys with the best of intentions,
but I object to business models that are based on encouraging bad security
practices. They could do everything they do by providing software that
verifiably keeps passwords and keys on the user's computer, never storing
anything unencrypted in Backupify's AWS cloud. That would be just as useful,
and it would be the responsible thing to do, but offering a service instead of
software is easier - no platform-support issues. If they're using GPL programs
(probably) then they also get to take advantage of the "service provider"
loophole to avoid distributing their modifications, and if Backupify ever
becomes popular then a service model has better revenue-generating potential.
All good for them, so apparently they don't care that it depends on users
doing just about the dumbest possible thing security-wise. They might have no
intention of abusing their access to users' data, but can they guarantee that
every disgruntled employee or contractor will be so noble? Hardly. That's
exactly why giving your password to _anyone_ else is a Bad Idea. Business
models based on encouraging users to do stupid things are IMO worthy of
derision, so I gave them some.

~~~
tdoggette
You're not wrong about the issues involved, but the way you went about it was
attacking Backupify, not directly for bad security practices, but indirectly
through the "Backupiphish" scare-mongering.

And as for your accusations, you started with setting up a hypothetical
company that looks like them and commits massive bank fraud, then saying that
it "has nothing whatsoever to do with Backupify. No sir, not at all. Pure
coincidence." If you want to make those accusations, back them up. If not,
write a post about their bad security practices, instead of a post about a
(hypothetical) web service backup company that's (ahem) entirely unrelated's
crime.

~~~
CPlatypus
Gee, so sorry I didn't write the post you would have, and chose to approach
the issue satirically instead. You do understand satire, don't you? You do
understand how _A Modest Proposal_ was more effective than some dry exposition
of the underlying issue, right? Maybe my "wrong choices" about how to raise
awareness of an issue are the reason that you were reading my blog and not
vice versa. Everybody loves a kibitzer.

~~~
tdoggette
Maybe I wasn't clear: my main issue with the post isn't that it approached the
topic from a non-factual angle, it's that it does so in a way that looks like
an accusation of a very serious crime.

The line at the end isn't subtle, it's clearly sarcasm intended to mean the
opposite of what it says, that is, that this post _is_ about Backupify. Well,
the post is about a company that provides the same service as Backupify but
instead steals bank account details.