I've tried to come up with analogies that explain how people can write systems without actually knowing how to program. Something like, just because I know how to make nachos or pancakes doesn't mean I'm a cook. This is the type of stuff I'm talking about though. You can know about if statements, variables and even fancy classes...you can put it all together and build a system and be hugely popular, but it doesn't mean you are any good at programming.
Duct tape programmers indeed.
You left out -- stores passwords in plain text.
At any rate, anyone who has actually used POF can tell it's been hacked together by substandard developers. No polish, a bizarre UI, and just general weirdness. This is the kind of shoddiness I'd expect.
OKCupid used to use tokens fwiw.
The assumption of course is that they and only they can access the email address specified in their account profile. If that's not the case then this all becomes a bit more problematic.
Developer, not developers.
It started as a part-time side project, and until 2007 Markus Frind was the sole employee.
And it can be significantly better. In a past situation I stored sensitive information using public/private keys. Even if you got complete access to the webservers and database, you still could not decrypt that information. It would only be useful if you had access to the private key, which was much more securely controlled.
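A concrete form of the scheme this commenter describes, as an added example rather than the commenter's own code: the web tier holds only the public key and seals each sensitive field with a fresh AES-GCM data key wrapped by RSA-OAEP, so a dump of the web servers and database yields only ciphertext; `open_field` stands in for the separately controlled host that holds the private key. It assumes the third-party `cryptography` package is installed; the sample phone number and record id are constructed.

```python
"""Added example: encrypt-at-write with a public key the web tier can hold safely.
Decryption needs the private key, which never touches the web/database tier."""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: used only to wrap the per-record data key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def generate_keypair():
    """Run once on the secure host; only the PEM public key is shipped to the web tier."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv, pub_pem

def seal_field(pub_pem: bytes, plaintext: bytes, record_id: str) -> dict:
    """Web tier: encrypt one sensitive field. Needs only the public key."""
    pub = serialization.load_pem_public_key(pub_pem)
    data_key = AESGCM.generate_key(bit_length=256)   # fresh key per record
    nonce = os.urandom(12)
    # record_id goes in as associated data, so a row cannot be swapped to another user.
    ct = AESGCM(data_key).encrypt(nonce, plaintext, record_id.encode())
    return {"wrapped_key": pub.encrypt(data_key, OAEP), "nonce": nonce, "ct": ct}

def open_field(priv, sealed: dict, record_id: str) -> bytes:
    """Secure host only: unwrap the data key with the private key, then decrypt."""
    data_key = priv.decrypt(sealed["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(sealed["nonce"], sealed["ct"], record_id.encode())

def demo() -> bytes:
    """Round trip on a constructed sample field; returns the recovered plaintext."""
    priv, pub_pem = generate_keypair()
    sealed = seal_field(pub_pem, b"+1-555-0100 (constructed sample)", "user:42")
    return open_field(priv, sealed, "user:42")
```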
Neither way is ideal, but making it easier to login probably helps viral growth.
Between that, and mandating short passwords, which a LOT of banks do. :-(
They (people who don't actually know how to program) can build a large system on a shoestring budget exactly because they don't know how to build it properly, or how hard it is to. No distractions over those pesky little matters like ACID properties, security, accessibility, etc., etc.
Because those are a major part of what slows down programs developed by professional developers.
No distractions, no slowdown, until a security consultant mails you a proposition you can't easily refuse. The hackers Mr Chris Russo alleges were exploiting the hole did it quietly (if at all), for obvious reasons. Nobody knew, nobody cared until now. Several years of good business, right? And free publicity now, isn't it?
It's only because some frameworks do 90% of the heavy lifting (and parameterised queries for the 5 extra percent that's not covered) that we don't see SQL injection as much as we used to.
This week it was PoF. Previously it's been Twitter, Facebook, even HN. Are the people behind these Duct tape programmers?
I'm going to touch on how hard security can be in my talk at http://www.meetup.com/HNLondon/ - if there are any London-based HN readers that are going, I look forward to seeing you all there.
For companies that have programmers that work great, but aren't security experts, it's time to hire security experts.
Suggesting that all the work the programmers did is worthless because they aren't security experts is seeing the world as black and white. It's gray my friend.
"Okay I put together this prototype and it's working. I should check it over for SQL injection spots and---"
Yeah, there are lots of mechanics out there who do a fine job. They are just clueless about brakes ;)
Stupid analogy aside: If you as a programmer who develops stuff for production are not aware of rules like "NEVER EVER FUCKING TRUST ANY USER INPUT" then you're just wrong for the job.
Some are programmers who manage the User Database. They deal with all user accounts data. But they aren't the same guys who are responsible for server security.
I'm talking Enterprise Apps that support tens of thousands of users.
The POF founder's abilities are going to be tested in the media arena and in the technical arena at the same time. Also, let's see how he manages the customers & the legal side. Hard!
Thank you for signing up on 10/12/REDACTED 4:08:52 PM.
Remember your password is REDACTED.
The most recent one had an empty string as my password, as in "Remember your password is ."
More generally: security best practice is not always about enforcing as tightly as you possibly can. Security has real costs and it's a cost-benefit tradeoff against many other factors.
A dating site contains, practically by definition, a fair bit of personal information. It's not online banking, but there's a lot of ugly stuff that an attacker could do if they could break into a large number of user accounts, and particularly if they could de-anonymize those accounts.
POF was pretty clearly sacrificing security -- which in this context means the potential privacy of their users -- in order to get more engagement and build userbase. Bluntly: they were taking risks with their users' data in order to build their business.
That's not terribly cool in my book, even though I can see why they might have made the decision. The fact that it's understandable doesn't mean that it's right.
Nor does it transmit passwords in the clear when you go to recover an account.
Same thing with IP.Board (Invision).
The only one that I know of that has done so is phpBB, and I am not sure if it has been fixed or not because with their security track record I don't even want to try them.
When you provide an online service that gathers consumer information - particularly sensitive consumer information (such as that which you might find on, say, a dating site), it's your responsibility to secure it. If you get hacked, it's your fuck-up, your responsibility, your culpability.
And no, that's not my opinion, it's objective fact - read, for instance, about PCI DSS, and the associated very steep penalties for information leakage.
I think the Argentine guy probably searched the website for vulnerabilities as a way to get business. He found one and contacted Markus. Markus then freaked out and panicked, leading to this.
I'm going to try and remember that phrase; it sounds like it has 1,001 fun uses. :-)
It's obviously possible to write terrible code in any language, with the aid of any framework. It sounds like POF did just that.
See? This has nothing to do with platforms, and everything to do with realizing your strengths and weaknesses, and improving your platform when hundreds, thousands, or even millions of users trust you with their data. You can't just chalk this up to POF being on a platform you think is somehow inferior to your platform of choice.
The OP posted that he learned ASP.net as if it proved that he's really good at programming.
I'm not saying it takes multiple people to make something secure, but if one person either doesn't have the experience or knowledge to make something secure, and there's only that one person, there's no one else to even determine there's a problem.
But it got worse. Every few days, POF started sending me newsletters with my password in plaintext! "in case you forgot, your password is:...." in addition to whatever else the newsletter said. So I knew they were storing passwords in plaintext.
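Added example (not POF's code or any commenter's) of the two things a site has to do so that a newsletter like the one quoted above cannot contain the user's password: store only a salted PBKDF2 hash of it, and handle account recovery with a random, single-use, expiring token of the kind mentioned earlier for OKCupid. It uses only the Python standard library; the in-memory token store, the injectable clock and the sample password are constructed for the demo.

```python
"""Added example: password storage and recovery that cannot reveal the password."""
import hashlib, hmac, secrets, time
from typing import Optional

ITERATIONS = 600_000  # order of magnitude OWASP suggests for PBKDF2-HMAC-SHA256

def hash_password(password: str) -> str:
    """Salted, slow hash; the stored string cannot be turned back into the password."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

class ResetTokens:
    """Constructed in-memory store of token hashes; a real site would use its database.
    Only sha256(token) is stored, so a leaked table does not yield usable reset links."""
    TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, now=time.time):
        self._pending = {}   # sha256(token) -> (user_id, expiry)
        self._now = now      # injectable clock so expiry can be tested

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits; goes in the e-mail link only
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, self._now() + self.TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Returns the user id exactly once, or None if unknown, expired or already used."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop makes the token single-use
        if entry is None or entry[1] < self._now():
            return None
        return entry[0]
```

After `redeem` succeeds the site lets the user set a new password via `hash_password`; at no point does it need, or have, the old one.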
Couple those things with the complete unusability of the site…well I deleted my account (which is unsurprisingly difficult to do as well).
He was probably trying to communicate that he was looking for a consulting position after finding the exploit, trying to be helpful.
The Russo side does sound "insecure", as he admits himself. Presumably they have not been in business for very long. But that is not the same as infantile, it's just inexperienced.
From what we see now, it is clear that POF people were scared shitless from the report (obviously) and tried to limit the damage and gain time by manipulating Chris, who they thought had downloaded all their users' data and was extorting them against the disclosure of this data. I think anyone in their shoes would think the same (at least primarily).
Now whether Chris really intended to extort them or not is another matter we can't judge from what we are seeing. He does seem like a nice guy from his emails, and kind of excited about the "opportunity", but really that is not enough. Nice people sound nice... so do most criminals.
One more thing that is unclear! Was POF actually hacked (in the sense that data was leaked) or was it just that a vulnerability got exposed? I think this will tell us a lot as well about the real motivation of the "hacker".
POV - point of view
This fellow is either a fool or a terrible liar. If he didn't take the data then he would have said "I didn't steal the data". He instead accuses Markus of a lack of proof.
"I didn't steal the data" == my word against yours
Imagine this scenario, your boss says to you: "20 of our employees are telling me you piss on the toilet seats."
You respond, "You have no proof".
Good luck with that.
There is no burden of proof in the court of public opinion.
And you can get your ass sued to the stratosphere and lose if you fail to produce reasonable proof when making public accusations.
1. The site makes $10 million/year.
2. He has three employees, all customer service. He does everything else.
3. He pays himself $5 million/year.
This quote is particularly telling: "At other sites, when one thing goes slightly wrong, the reaction is to buy more servers or hire a Ph.D.," he says. "It's almost unbelievable -- it's like people are trying to justify their jobs by spending money. This isn't rocket science."
If Chris wasn't going to post the info publicly (i.e., extort POF), then he had nothing to worry about.
As an observer this certainly doesn't make Mr Russo seem any better.
Edit: per below, removed the word extortion, as posting people's private data might be done for other reasons rather than to make money.
I guess it is normal for a security firm to hope to gain some business by exposing security flaws (hey, we found a hole in your site, hire us to fix it). As this incident shows, it is not an easy business to be in...
Either way, the guy who was cracked is saying if the cracker posts the stolen data, he will post the cracker's contact details to every account. Which is completely reasonable.
I don't know whose account is true, but I don't think it is reasonable to threaten somebody who approaches you with information about a security hole, just in case that somebody has evil intentions. In general it seems reasonable in human interactions to not issue death threats upon the first encounter.
Read the post again - the owner of the site is saying he will publish the guys details if he posts the data.
If he doesn't post people's personal data, fine. The site owner won't publish his address.
If he does, then fair enough.
How to explain? Yes, strictly logically speaking it is "OK" (no funny actions, no Russian mob). But psychologically I don't think it would be a good approach to human interaction. It establishes an atmosphere of distrust right from the start. You approach somebody and say "you might be a criminal".
Or imagine you meet somebody at a party and he says "Hi, my name is so-and-so. By the way, I carry a gun". How would that make you feel?
I imagine we're seeing a small snippet of something larger.
I also see the security company guy doesn't dispute that his revelation the site was cracked began with a push for payment to remedy the situation.
I don't get that impression - I imagine that if he didn't have any data, he'd say so explicitly. If he didn't have data, though, I'd totally agree with your observations.
> I guess time will tell.
> If Chris wasn't going to post the info publicly (i.e., extort POF),
> then he had nothing to worry about.
If, in a short period:
* Chris' personal account was used to crack the site
* Chris asked for money and was rejected
* Chris potentially threatened to leak the data
* The data was subsequently leaked anonymously
I'd say that there is also a good chance Chris was directly responsible.
I.e. that data could have already been available to you if you paid the right price since 2 months ago.
Correlation is not causation, and we of all people should realize that.
I'm not defending Chris, it's just that Mark sounded like a jerk in that blog post and gave a more complicated explanation of the events than Chris; which means there's a good chance Mark got really defensive and blamed the person trying to help.
Chris mentioned that this was actively being exploited by malicious hackers. Taking your rage out on the guy trying to help is not appropriate by any means.
To me, the breach is nothing special; the reaction and vitriol from POF, however, is inexcusable.
I guess that'll have to sate my curiosity for now.