
Mark, it would be helpful if you would disclose if you are a paying customer or not, and if not if having additional security options would convert you into a paying customer.

The reasoning is pretty simple, people want security but they don't want to pay for it. And while we can debate the argument as to whether or not security is part of a MVP or not, I would not be offended if there were additional security capabilities to paid users but not free users.

I think this could work for some things but definitely not others. You're riding a razor-thin line between security (essential) and convenience/peace-of-mind (not terribly essential), with potential ethical implications.

"Authenticate with your voice using our voice recognizer app," for example, could be pretty superfluous, since it's about convenience.

"Keep your password safe by not storing it in plaintext" should definitely be part of the core offering, no matter the price point.

"Use our app through a custom VPN" could be offered for pay, since offering that service costs the provider something.

"Use our app through SSL -- paying customers only!" should again be a core product, especially since it does not cost anything extra.

"Pay us 5¢ and we won't share your internal data with advertisers" etc etc -- you can certainly see where this is going

I think your, rather cynical, reasoning falls flat. This would not be a good policy for a company to adopt. If I was evaluating software and saw such a policy, it would bring a lot of uneasy feelings, even regarding the supposed security of the paid version. This sidesteps the bad publicity and general ill-feelings the community at large would have about your service. I don't think it is strategically a good choice to make such a compromise on security. At best, I could see giving separate authentication mechanisms such as two-factor for paid users, but that's as far as I'd go.

So can you say more about that? Specifically

"If I was evaluating software and saw such a policy, it would bring a lot of uneasy feelings, even regarding the supposed security of the paid version."

What if it was explicit? What if Evernote said, "Since it would cause us to lose money if we spent time on both more sophisticated security in the free product. It's basically secure against random threats but dedicated people will be able to break into it. If you want a truly secure product you should sign up for the paid product, part of that fee goes to paying the salaries of the security team we have on staff who are keeping it that way."

We also need to be clear what we mean by "security" here. There is "security" as in we make sure if someone breaks in they cannot easily get your password (they seem to have done that with salted passwords), and there is security as in "Even our operations staff can't get you access to your files if you lose your access token." level of security, which takes a lot more work.

I'll admit I was pretty put off by Mark's assertion that Evernote doesn't care about security. His basis for that is three claims: that 2 factor authentication is late, that SSL isn't forced on, and that 64 bit RC2 is used in the free product. What is the purpose of the free product anyway? Is it to prove their security? I don't think it is, I think it is to give you a way to test drive what their product does without risking any money.

Anyway, someone broke in and got access to hashed and salted passwords and Evernote reset those. LinkedIn had the same issue, some Facebook apps grabbed similar data, Google has hosted malware in their App Store which tried to install banking trojans on your phone.

I am not persuaded by the assertion that "Evernote doesn't care about security" any more than "Google doesn't care about security" (and I happen to know they care very deeply and still get compromised now and then).

I defended Evernote because I felt Mark was unfairly maligning them and their CEO. I would be more sympathetic if he was a paying customer, and less sympathetic if he only has a free account.

Where does it say that RC2 is only used for the free product?

AFAIK it's all the time which is ABadThing (tm)

FWIW, if one has to rely on security being a differentiator in 2013, that's IMO a bad sign. Compete on other features but not security.

Fuck your logic; Facebook is free, then why the hell do you expect it to be secure? Because any service whether free or not, that has YOUR personal information is supposed to keep it secure. And your (possibly dumbfuck) argument that paying customers should get more security than free users is like saying it's ok to kill people who have no insurance for themselves, but not ok to kill the ones who have taken insurance.

Are you angry about this?

Basic security is dirt cheap, and it is not at all appropriate to risk user data because you want them to pay.

Security should not be a feature.

