coldcode · 4 years ago
At many of my employers over the years where security mattered, it was rarely important enough to spend much money on. One place (covered by HIPAA's rather toothless laws) I pointed out how insecure all of our servers & databases were (single password, known by all), and the only response I got was "we pass our audits, and anyway we trust all of our employees". Groan.

An earlier employer had a single person in charge of security for a company with 50000+ customer investment accounts. Oh, and the one that was there when I started was eventually discovered to have two full-time jobs, which worked because he had unlimited vacations. After that person was fired, the replacement did nothing but run a few scripts every day, and our databases did not encrypt anything, and they argued for months on whether to buy disk encryption software instead of just encrypting credit card numbers (which meant various applications had to be modified and no one wanted to pay for that work).

So Patreon dumping their entire security team (or just one part, it's not clear) makes me reminisce about stupidities... not much has changed.

chasil · 4 years ago
Security is a cost center right up to the day that ransomware takes the data center.
evil_genius · 4 years ago
I think this was a good and balanced take on the situation. Patreon giving their entire security team the axe without any notice should make anyone step back and rethink using their service.

Unless some major creators that use Patreon begin a very public exodus from the site, I'm not sure too many regular users are going to be leaving though. The blackmail risk of having your subscription history leaked won't even register for a lot of users.

LegitShady · 4 years ago
> Patreon giving their entire security team the axe without any notice should make anyone step back and rethink using their service.

It's really hard to get people to take their monthly contributions to a Patreon competitor. The inertia is really hard to overcome. So in a sense it's kind of like lock-in - if you move you'll give up some % of your income.

eganist · 4 years ago
Some thoughts as someone who's built software and product security programs in both cash-strapped and cash-rich organizations. I'm going to drastically oversimplify, but bear with me:

▶ The ability to build an all-in-house or largely-in-house program is a luxury where largely every staffer, even staff-aug over time, can have the necessary institutional context to understand whether a threat is being realized. If you can do it comfortably and with a focus on automation, you probably should.

To analogize: a castle has its own moat, its own hard walls, its own defense team, retractable entrances, traps, labyrinth layout, etc. etc.

▶ A fully outsourced program doesn't have the necessary institutional context to catch edge cases or even a substantial number of common or uncommon threats and outcomes. Especially when the services used are multi-tenant, which is where a lot of the cost-savings come from for outsourced programs. So for an outsourced program to succeed, you'll probably still need a few hands to add that missing context or to work together with the service providers to help them automatically understand that context.

To analogize: a house in a gated community shares the same security team and light barriers (fence, wall, whichever) as other houses, but that team might not be as well versed on what to look out for. And the house itself may have alarms, but none of this may be all that great at deterring a common smash-and-grab.

---

Patreon had what, 1%-ish of their staff doing infosec? I'd venture that a lot of them performed functions such as automating appsec, automating integrations with service providers, etc., understanding privacy and security legislation and obligations, and served the role of contextualizing security between their internal product teams and external security service providers.

Without a dedicated in-house team, no matter how small, I'd bet dollars that they'll be compromised again in short order. And I've advised people relying on Patreon to seek alternate services as a result.

scrose · 4 years ago
Saying everything is ok because there are third-parties handling security is a major red flag.

Technically a tool like Snyk or Dependabot is a third-party security vendor, but would you trust your financial & personal information with a company that says their security posture relies solely on those tools?

unity1001 · 4 years ago
Such third parties aren't the third parties that you are thinking about. Think of contracted security vendors in the finance sector, with experts auditing things etc. Not some subscription-powered bot running some scripts somewhere.
scrose · 4 years ago
The point I’m making is that the statement made is vague enough that you don’t know whether or not that is the case.
_notathrowaway · 4 years ago
The amount of comments talking smack about the post because of its author is really astounding. The article is an okay read, why not judge it based on its own merits?
renlo · 4 years ago
It did seem a bit gratuitous the way the author mentioned they were a furry; it had nothing to do with whether one should delete their Patreon account.
some_furry · 4 years ago
This post was written primarily for a furry audience, who has been a bit panicked over yesterday's news that Patreon did such a head-ass move.

After I tweeted that I deleted my Patreon (to which I paid like $700/month to various creators), several people asked me (publicly and privately) whether they should follow suit. I wanted to offer a calmer take.

Since there was discussion on HN about this topic yesterday, I thought the folks here would appreciate the perspective.

nominusllc · 4 years ago
More power to the author for being their own individual, but it made me feel a little uneasy. I don't mind people being a furry or expressing themselves, but I do feel like I was made a witness/part of someone's kink and I'm not into that. I thought it would be dry infosec blog stuff and unfortunately opened it at work.

It's the same feeling when seeing a leather clad lady hauling someone's granddad on a leash around town. I respect it, just don't make me part of it against my will. I'll make a note to skip this site in the future.

tsol · 4 years ago
To be fair, he goes out of his way to say:

>The website you’re reading is a furry blog before it’s anything else.

I don't think anyone should hate him for that. But neutral commentary, I feel, is okay. Otherwise, yeah, some people are proud of their identity.

subjectsigma · 4 years ago
It is distracting, unappealing, impossible to miss, and doesn't require a lot of thought or explanation to comment on. Of course people are going to comment on it.

When people post websites to Show HN the majority of the comments are usually not more insightful than "I don't like this button, make it a different color."

unity1001 · 4 years ago
It's not an ok read. It hypes stuff without any objective basis. Its argument for Patreon firing their security team being bad is that Patreon 'has been cutting on their security vendorS' as well, so security is going to suffer.

What's visible once you are past the hyped language in the article is that Patreon had a 5-person security team, and MULTIPLE security vendors up until this point?

Doesn't that look like too much for a small startup to start with? And if one argues that 'No amount of security is enough', then HOW many security vendors does anyone need?

Is there an objective measure? Like, does the amount of manpower that a security vendor has determine whether that vendor is enough? Or the number of industry-renowned personas that work at that vendor?

What happens if one player buys out all those security vendors and combines them into one single large vendor? Will that be enough?

...

So basically there is no objective criteria for this. The proposition is 'less security is bad', but nobody defines 'the right amount' of security objectively. So even if Patreon or anyone else is using a top-notch competent security vendor that handles all their stuff, it wouldn't be enough because... well, this is a chance to do some hype, obviously.

The proposition of the article in canceling Patreon and 'moving somewhere else' is also very dangerous and it feels self-serving.

Cancel Patreon and go where? Set up a subscription service yourself? And deal with all the chargebacks, fraud, refunds, financial compliance, and gasp sales tax collection and clearing? Or, one of the much smaller Patreon-competitors who have even less backing and organization behind them? So move from Patreon to... 'smaller Patreon'?

Which would easily put someone in hot water regarding actual legal responsibilities that can land one in large fines and even court sentences, by the way. People think that just because they have been making some side money here and there on the Internet and this was not something that the tax agencies and governments would bother to look into, things will stay the same if they start making such regular, noticeable income. It doesn't work like that. Things get serious.

Because now the money that you are making with your creative activity is not occasional 'gig money' that is paid to you in cash somewhere, totally unaccountable. It's regular, trackable income that may land you in very hot water if you end up getting called up by your tax authority randomly in a few years. There is always the chance that your government may start a major sweep to weed out tax-dodgers, so it may not even be random.

So such propositions like in the article, 'Cancel and do something else', feel like random retorts from people who don't actually know what they are dealing with - laws and other people's money.

...

Even the prospect of having to set up and maintain a billing system should make people shudder at such a proposition. It's all fun and games at the start when you are setting up stuff. Not so much when keeping it updated and compliant takes a considerable chunk of time 2 years down the road. Forcing you to deal with those instead of doing your creative activity.

_notathrowaway · 4 years ago
That's fair.

I was not criticizing people for their take on the subject, but rather for coming after the author instead of discussing the article he wrote.

algon33 · 4 years ago
So will anyone be deleting their Patreon accounts? Can we even be sure our data will be wiped from their servers?
shrubble · 4 years ago
That's the question that matters: if deletion just means storing a few flags in the database, deletion will do nothing to increase your actual safety.
senectus1 · 4 years ago
I think I will, they may not delete my data but at least I can't help them make it worse.

I'm going to export all my files and drop the account, I think. Need to tighten the belt anyway.

cassac · 4 years ago
Important people get fired all the time and no meaningful percentage of Patreon users are going to care. If you stopped using a product every time someone important got fired you could probably use nothing, live nowhere, and would just sit in the dirt until you were dead. The only difference with this is the publicity and people trying to get it to gain traction. I don’t expect it to though and the world will continue to turn.
nominusllc · 4 years ago
I'm going to return and reflect on this comment after the breach.
cassac · 4 years ago
You might but nobody else will. Another day another breach. Nobody cares about the firings and they surely won’t care about the breach.

I would even guess that for a large breach like the one T-Mobile had, most of their customers don't know about it. And if they do, the thing they care most about is trying to get their cash payment because "free money."

I'm not saying that's how it should be but that's how it is. Companies make decisions every day that are bad for their customers and every day, unless the customers are majorly inconvenienced, they simply don't care. Or maybe I'm in a bad mood today and casting everything in a negative light. Or both.

koheripbal · 4 years ago
I consider all online accounts as breached. That is why I use unique passwords.

If my CC is compromised, I'll notice in my monthly statement and report the bad charges (this has happened twice in 10 years)... once from using the card in eastern Europe and the 2nd time at a hospital recently.

Not using services online because you're afraid of a breach is highly inefficient.

Better to share as little as possible and have consistencies when there are breaches.

electroly · 4 years ago
They were breached once before (in 2015) and it didn't seem to have any meaningful impact on them.
xwdv · 4 years ago
No, it doesn't matter. Security can be outsourced more readily these days to companies who make it their core offering. It's a better solution.
jjav · 4 years ago
> No, it doesn’t matter.

There's one CISO school of thought that believes the job is to run every automated scanner they can get their hands on, report results to engineering and job is done. That can certainly all be outsourced.

Another school of thought (where I inhabit) is that sure, you need to do that, but to really have a secure product or service it has to be built ground-up with security as a core requirement. You can't outsource that (ok you could but it means having expensive consultants sitting in with the engineering teams day to day, at which point it's far cheaper to have an in-house security team).

kayfox · 4 years ago
I think fully outsourcing it really abdicates your responsibilities. There has been a long line of companies like Sony that outsourced their security and then discovered that means they have no in-house ability to respond, evaluate or supervise that outsourcing.

And to be painfully honest, it also encourages coverups and lying on reports. As a security engineer at another vendor who has worked with these MSPs and their clients I have seen a lot of things that went sideways and the MSP wants to cover it up and it makes responding to an incident really hard.

unity1001 · 4 years ago
> I think fully outsourcing it really abdicates your responsibilities

If outsourcing credit card processing to Stripe and Paypal is not abdicating your responsibilities, that also isn't.

rhexs · 4 years ago
It really depends on what the security team was doing. Saying they fired the security team sounds like bad PR, but who knows. Maybe they were just running scanners and couldn't prove value to a VP.
gwbas1c · 4 years ago
I think it was 5 employees. If each cost $200,000 (salary + benefits + office space + etc.), that means Patreon was spending $1,000,000 / year.

What were they doing?

I worked on a major product that was known for our security benefits, and we didn't have a team of five on "security." We made sure that everyone understood best practices, and eventually had a "head of security" that oversaw our product and other products as well.

So, what was the security team really doing?