Here's what the experts do for computer security:
- Hire security experts to implement best-in-class security.
- Follow all the regulations.
- Pass all the audits.
- Spend lots of money.
Then, of course, you get breached, because in spite of doing the above, you have no idea what you're doing...
Here's how you respond:
- Get more experts to find what happened.
- Establish a carefully-thought-out strategy to recover from the breach and minimize damage to your reputation.
- Alert the public and your users about the event and your concerned, respectful response.
Then, of course, you change your website, put lots of money into attractive graphics, while making it hard for users to log in or reset their passwords.
The share-your-expertise website Quora is surely in the running for best-in-class when it comes to computer security; they have followed the above plan with true excellence.
The Quora Story
I got this email from Quora, of which I'm an occasional user, on December 3, 2018:
What a bunch of careful, responsible people, those folks at Quora are! So appropriate for a share-your-expertise site!
After this notice, I kept getting the occasional teaser email from Quora, tempting me to click and answer a question or see an answer someone else gave. For example, I got this one a couple of weeks before the breach:
I know, it's not click-bait for the general public, but definitely a good one for me.
Yesterday I got the first teaser I'd gotten since the breach email reproduced above. Here's the lead:
Not a killer issue, but I clicked out of mild curiosity about the answer, and also to see whether Quora was up and running normally. What I got was a lesson in how to respond to a security breach by driving your customers off. It's true, after all, that if there aren't any users, there won't be any meaningful security breaches -- problem solved!!
Here's the landing page -- a new thing in itself, because clicking on an email used to be enough to identify you.
The cute graphics are all new. I put in my password and got the box in red above, telling me I had to reset the password by responding to the email they sent. OK.
I got a typical password reset email:
I clicked on the link. I got to see even more wonderful new graphics! These guys are really trying! Then I put in my old password, because I wanted to; it's my password, I should be able to pick any one I want, unless they tell me there are rules.
Can't use my old password, huh? If you're so sensitive and caring, you could just possibly have warned me about that up front. Oh well. Here's a new one:
I put it in. It's new. They match. I click on the Reset Password button. Nothing. I change the password and click again. Nothing. Again. Nothing again.
They just don't want me, it's clear. If I were a normal user, it would have been game over. But I'm not, so I went back to the password reset email and clicked again. This time I put in a brand-new password. Then, clicking worked -- it got me to the login page, where I had to enter my email and new password yet again.
Quora has a big, fat, ugly, super-obvious BUG in their "we're taking responsibility for this breach and hoping to win back the trust of our users" new entry door to their site, not bothering to perform super-elementary QA on one of the main pathways of the new code. Not some obscure condition. Software QA 1.01.
So just who are these geniuses at Quora? Are they the super-smart, rich, cool kids that have such a track record of excellence at other tech sites? Like Facebook and Twitter and the rest? It takes a bit of looking, but the simple answer is: yes. Super-smart. Beyond cool. Rich. And still can't get the most elementary details right!
Business as usual in software. Whether it's government, big corporation or cool young hip tech company, the story is the same: getting stuff to actually, you know, old-fashioned WORK is beneath, beyond, above or whatever for whoever's involved. Not to mention making software that protects customer data.