These sound like really basic security measures any startup that isn't about sharing cat pictures should take. I disagree completely with the strategy of using security@ as a cheap way to get other people to do your homework. When somebody finds an XSS flaw in your system that's a big deal! It can be easily used to take over entire accounts. Not something you shrug at and put on your TODO list until a new XSS error is found 2 minutes later. Besides, good abstractions deal with XSS problems nearly completely, so that vulnerable code looks wrong.
I also find the view that smaller startups should just get a product out the door and neglect security completely abhorrent. Waiting until you're at 10 employees before you start hashing passwords? Are you kidding me? Are we professionals or what?
So based on those observations my confidence in the security of Evernote has decreased substantially. Their philosophy represents much of what's wrong with VC-style startups. Imagine a restaurant saying "just forget about hygiene until you're profitable"!
Thank you. My first reaction was: start by firing the first 3 employees who couldn't be arsed to encrypt passwords, and replace them with people you can trust.
Being aware of the current best practices in password encryption is part of your job. Checking if your knowledge is still up to date takes 30 minutes, tops. Implementing it in your stack of choice, provided you've made a sane choice to start with, is trivial. Hell, you can probably just cut and paste from one of the articles you've found in the aforementioned 30 minutes.
None of this will slow you down when getting the first alpha release out of the door.
While the article has some good points, I also have a number of issues with it.
- Don't worry about proper password storage until you are at 4-10 employees and have a prototype out the door? No, proper password storage is one of those things you deal with at the very beginning.
- Not worrying about a password safe until 11-30 employees? Using something like keepass, lastpass, etc, is trivial and should be started from day one as well. Your developers should already be in the habit of using one anyway.
- There should be decent password-locking screensavers on all computers. That way a smash-and-grab computer theft only amounts to a $1,500 asset loss, no critical data loss. There is nothing here about hard drive encryption, so a password locking screensaver is going to do nothing to prevent loss of sensitive data in a smash and grab.
I also dislike this attitude, mentioned in the 1-3 employees stage:
And from a security standpoint, you shouldn’t be doing very much.
In our industry, we keep on complaining about horribly poor security practices all over the internet. Attitudes like that just persist the poor state of affairs.
I think the author is primarily making an argument that everything scales, including focus on security. Overall I agree with your issues (obviously as I run a password & account management company) though perhaps a lot of this is due to the fact that some of the tools are not that user-friendly. A lot of our customers at Meldium are enthused when they find that non-technical employees enjoy the benefits of a password manager that offers simple automatic sign-in.
I'm not sure even encryption helps if you only have a locking screensaver. Both TB and FW devices have DMA so if somebody really wants to get in then the password-protected screensaver lock isn't going to stop anyone (given that the encrypted volumes are mounted).
I suspect that's a different threat though – at least to me, "smash and grab" implies opportunistic steal-laptop-from-car-and-fence-in-nearest-bar type problems. If you've "lost" a laptop to people capable of and interested in probing your firewire port for in-memory passphrases, you've got a whole other level of attacker. (A level of attacker against which I suspect _most_ startups can't and won't attempt to defend themselves against.)
Probably the best article on security I've ever seen come up on Hacker News. I would take the security@ recommendation and move it up a few notches though. It costs nothing and you get tremendous benefit if someone is trying to tell you something.
And the irony about Evernote being hacked (http://evernote.com/corp/news/password_reset.php)... I'm surprised they were even able to find the compromise and prepare a coordinated response. Who knows, maybe this event is what caused the CTO to see the light? Learn from other's mistakes, people.
Not sure we should be taking any kind of security advice from a company which for years only allowed customers to use plain HTTP unless they subscribed.
> If anyone in Silicon Valley knows the value of secure access and keeping information safe, it’s him.
I can think of, I don't know, 30 people at the top of my head that I would rather be listening to. If you caught me in a drunken stupor I could probably still give you 10-15 of them.
That said, there's nothing really wrong with the article, but it's also pretty basic. Putting stuff behind VPN and installing antivirus can help you, but it's not anywhere near enough if you're actually exposed.
This isn't really security advice. It's advice on how much you should focus on security (instead of focusing on other things) if you want to build a successful company.
If you clicked on it, it went to a reproduction of our Google apps login page with our logo and everything. The goal was to get the person to enter their Google Apps credentials. It was a simulation, but that’s the sort of thing that’s really hard to prevent from a purely technical standpoint.
Is it? I just save the password in the browser. Computers are not fooled by logos and pretty pages, the manager won't fill in the password on a fake site.
Does anyone have an example of what a spear phishing attack looks like? I've always thought that it would be easily recognizable, but I've realized that's a naive view.
The most clever ones I've seen make it look like a PDF of employee comp was accidentally sent to the wrong recipient from your payroll company or from the Finance department.
Think about the human element in that for a minute...
They look like whatever you want them too. Here's a typical defense-oriented phish from China. Obviously it means a lot more to the recipient than it would be to you. Point is, it's been customized. Don't worry, someone in your company will click it, even if the message is stupid.
I'm not usually a grammar / spelling type guy or one to call out those types of mistakes... But this repeated mis-use, in an article meant for what I assume to be an engineering-minded audience, really annoyed me.
Keep in mind that this was written by an uncredited marketing type, so Dave Engberg's talk was filtered accordingly. And as annoying as that may be it should not detract from the substance of what he says.
However security should be baked into everything one does. Also using a good modern framework to enforce security and good practices is a quick win.
Password encryption & SQL injection in 2013 should be a thing of the past. It has been brought up so many times in the past you'd think people would make sounds decisions to use solid frameworks and/or best practices to avoid these common security holes.
"Dave Engberg knows a lot about security. Before he took the CTO spot at Evernote, he designed and developed credential validation systems for the U.S. government. If anyone in Silicon Valley knows the value of secure access and keeping information safe, it’s him."
uhh.... doing IT work for U.S. government seems more like a reason to assume he's not good at his job. #HEALTHCARE.GOV
and are they really inferring that no one in silicon valley knows anything about secure access or keeping information safe? i'm done with the article. dumb.
I also find the view that smaller startups should just get a product out the door and neglect security completely abhorrent. Waiting until you're at 10 employees before you start hashing passwords? Are you kidding me? Are we professionals or what?
So based on those observations my confidence in the security of Evernote has decreased substantially. Their philosophy represents much of what's wrong with VC-style startups. Imagine a restaurant saying "just forget about hygiene until you're profitable"!