
Evernote’s CTO on Your Biggest Security Worries From 3 to 300 Employees - ca98am79
http://firstround.com/article/Evernotes-CTO-on-Your-Biggest-Security-Worries-From-Three-Employees-to-300
======
gizmo
These sound like really basic security measures any startup that isn't about
sharing cat pictures should take. I disagree completely with the strategy of
using security@ as a cheap way to get other people to do your homework. When
somebody finds an XSS flaw in your system that's a big deal! It can be easily
used to take over entire accounts. Not something you shrug at and put on your
TODO list until a new XSS error is found 2 minutes later. Besides, good
abstractions deal with XSS problems nearly completely, so that vulnerable code
_looks_ wrong.

I also find the view that smaller startups should just get a product out the
door and neglect security completely abhorrent. Waiting until you're at 10
employees before you start hashing passwords? Are you kidding me? Are we
professionals or what?

So based on those observations my confidence in the security of Evernote has
decreased substantially. Their philosophy represents much of what's wrong with
VC-style startups. Imagine a restaurant saying "just forget about hygiene
until you're profitable"!

~~~
bowlofpetunias
Thank you. My first reaction was: start by firing the first 3 employees who
couldn't be arsed to encrypt passwords, and replace them with people you can
trust.

Being aware of the current best practices in password encryption is part of
your job. Checking if your knowledge is still up to date takes 30 minutes,
tops. Implementing it in your stack of choice, provided you've made a sane
choice to start with, is trivial. Hell, you can probably just cut and paste
from one of the articles you've found in the aforementioned 30 minutes.

None of this will slow you down when getting the first alpha release out of
the door.
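As an added example (not from the thread, and not Evernote's code) of the password storage the comment calls trivial to implement, using only Python's standard library: PBKDF2-HMAC-SHA256, the iteration count and the self-describing record format are assumptions made for this example, and storing the parameters with the hash is what makes the "check your knowledge is still up to date" step cheap, because old records can be upgraded on next login.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte
# random salt. The iteration count is stored beside the hash so it can be
# raised later without invalidating records created under the old setting.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh per-user salt: equal passwords never share a hash
    digest = _derive(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against a stored record; malformed records fail closed."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = _derive(password, salt, int(iterations))
    except (ValueError, TypeError):
        return False
    # Constant-time comparison so timing does not reveal where the digests diverge.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record is weaker than today's setting and should be upgraded."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < CURRENT_ITERATIONS
    except ValueError:
        return True
```

On a successful login, call `needs_rehash` and, if it returns True, store `hash_password(password)` in place of the old record.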

------
rallison
While the article has some good points, I also have a number of issues with
it.

- Don't worry about proper password storage until you are at 4-10 employees
and have a prototype out the door? No, proper password storage is one of those
things you deal with at the very beginning.

- Not worrying about a password safe until 11-30 employees? Using something
like keepass, lastpass, etc, is trivial and should be started from day one as
well. Your developers should already be in the habit of using one anyway.

- _There should be decent password-locking screensavers on all computers.
That way a smash-and-grab computer theft only amounts to a $1,500 asset loss,
no critical data loss._ There is nothing here about hard drive encryption, so
a password-locking screensaver is going to do nothing to prevent loss of
sensitive data in a smash and grab.

I also dislike this attitude, mentioned in the 1-3 employees stage:

 _And from a security standpoint, you shouldn’t be doing very much._

In our industry, we keep on complaining about horribly poor security practices
all over the internet. Attitudes like that just perpetuate the poor state of
affairs.

~~~
madisp
I'm not sure even encryption helps if you only have a locking screensaver.
Both TB and FW devices have DMA so if somebody _really_ wants to get in then
the password-protected screensaver lock isn't going to stop anyone (given that
the encrypted volumes are mounted).

~~~
bigiain
I suspect that's a different threat though – at least to me, "smash and grab"
implies opportunistic steal-laptop-from-car-and-fence-in-nearest-bar type
problems. If you've "lost" a laptop to people capable of and interested in
probing your firewire port for in-memory passphrases, you've got a whole other
level of attacker. (A level of attacker against which I suspect _most_
startups can't and won't attempt to defend themselves.)

------
dguido
Probably the best article on security I've ever seen come up on Hacker News. I
would take the security@ recommendation and move it up a few notches though.
It costs nothing and you get tremendous benefit if someone is trying to tell
you something.

And the irony about Evernote being hacked
([http://evernote.com/corp/news/password_reset.php](http://evernote.com/corp/news/password_reset.php))...
I'm surprised they were even able to find the compromise and prepare a
coordinated response. Who knows, maybe this event is what caused the CTO to
see the light? Learn from others' mistakes, people.

------
yapcguy
Not sure we should be taking any kind of security advice from a company which
for years only allowed customers to use plain HTTP unless they subscribed.

~~~
amackera
Well, read the article. There's a whole bit in there about just doing the
basic bit of security you need to do in the early days.

I mean, enforcing HTTPS is easy and elementary, but maybe they didn't have
time? Or something.

~~~
yapcguy
HTTPS was only available for paying subscribers.

If you search HN, there has been previous discussion about Evernote's lack of
security across many areas.

Other than that, I don't care either way about the company.

------
spindritf
_If you clicked on it, it went to a reproduction of our Google apps login page
with our logo and everything. The goal was to get the person to enter their
Google Apps credentials. It was a simulation, but that’s the sort of thing
that’s really hard to prevent from a purely technical standpoint._

Is it? I just save the password in the browser. Computers are not fooled by
logos and pretty pages, the manager won't fill in the password on a fake site.

------
thrush
Does anyone have an example of what a spear phishing attack looks like? I've
always thought that it would be easily recognizable, but I've realized that's
a naive view.

~~~
droopyEyelids
The most clever ones I've seen make it look like a PDF of employee comp was
accidentally sent to the wrong recipient from your payroll company or from the
Finance department.

Think about the human element in that for a minute...

------
thebiglebrewski
I think you mean "concatenate" instead of "concentrate", right?

~~~
adanto6840
I'm not usually a grammar / spelling type guy or one to call out those types
of mistakes... But this repeated mis-use, in an article meant for what I
assume to be an engineering-minded audience, really annoyed me.

~~~
nswanberg
Keep in mind that this was written by an uncredited marketing type, so Dave
Engberg's talk was filtered accordingly. And as annoying as that may be it
should not detract from the substance of what he says.

~~~
thebiglebrewski
Well, it certainly made me close the tab.

------
semerda
Nice round up and insights from Evernote.

However security should be baked into everything one does. Also using a good
modern framework to enforce security and good practices is a quick win.

Password encryption & SQL injection in 2013 should be a thing of the past. It
has been brought up so many times in the past you'd think people would make
sound decisions to use solid frameworks and/or best practices to avoid these
common security holes.

------
pg_is_a_butt
"Dave Engberg knows a lot about security. Before he took the CTO spot at
Evernote, he designed and developed credential validation systems for the U.S.
government. If anyone in Silicon Valley knows the value of secure access and
keeping information safe, it’s him."

uhh.... doing IT work for U.S. government seems more like a reason to assume
he's not good at his job. #HEALTHCARE.GOV

and are they really inferring that no one in silicon valley knows anything
about secure access or keeping information safe? i'm done with the article.
dumb.