Just the Facts
Monday night (for me, I'm in England at the moment), the question/answer site Quora.com reported a data breach potentially affecting 100 million accounts (for those who read my last article, this is about a 1.5 on the Thriller scale). According to their release, the following information was obtained by attackers:
- Passwords (hashed)
- Data imported from linked networks
- Public content (upvotes, questions/answers)
- Private content (DMs, downvotes)
Of particular note in the breach is the fact that many Quora users were unaware that they had accounts on the site, as they were signed up via Facebook when taking a quiz, reading an article, or otherwise engaging with Quora's content. Those who were signed up with linked Facebook accounts potentially had their Facebook information compromised as a result of this attack ("data imported from linked networks"). In their release, Quora informed users that they were working to notify all affected users, had logged out all potentially affected users, and were invalidating all compromised passwords.
Objectivity Complete. BLUF time.
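The two containment steps Quora describes (log out every potentially affected user, invalidate their compromised passwords) are what a defender should be able to execute in one pass against a user store. The sketch below is an added example written for this article, not Quora's code: an in-memory account store (constructed, with hypothetical user IDs) that hashes passwords with salted PBKDF2, and a `contain_breach` routine that revokes every session and flags the stored hash as unusable until the user sets a new password, so that a stolen hash that is later cracked still cannot be replayed against the account.

```python
from __future__ import annotations

import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Work factor for PBKDF2-HMAC-SHA256; a real deployment tunes this to its hardware.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, iterated hash so a leaked table cannot simply be looked up."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False                      # set during containment
    sessions: set[str] = field(default_factory=set)


class AccountStore:
    """Constructed stand-in for a site's user database and session table."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user_id: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def login(self, user_id: str, password: str) -> str | None:
        acct = self.accounts.get(user_id)
        # A compromised credential is refused even when it still matches.
        if acct is None or acct.must_reset:
            return None
        _, digest = hash_password(password, acct.salt)
        if not secrets.compare_digest(digest, acct.pw_hash):
            return None
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        return token

    def is_valid_session(self, user_id: str, token: str) -> bool:
        acct = self.accounts.get(user_id)
        return acct is not None and token in acct.sessions

    def reset_password(self, user_id: str, new_password: str) -> None:
        acct = self.accounts[user_id]
        acct.salt, acct.pw_hash = hash_password(new_password)
        acct.must_reset = False


def contain_breach(store: AccountStore, affected_ids: list[str]) -> dict[str, int]:
    """Revoke every live session and invalidate the stored password for each
    affected user; returns counts the incident team can report against."""
    summary = {"users": 0, "sessions_revoked": 0}
    for uid in affected_ids:
        acct = store.accounts.get(uid)
        if acct is None:
            continue                               # unknown ID in the affected list
        summary["sessions_revoked"] += len(acct.sessions)
        acct.sessions.clear()
        acct.must_reset = True
        summary["users"] += 1
    return summary


def demo() -> dict:
    """Walk through containment on constructed accounts and report what changed."""
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "hunter2")
    tok = store.login("alice", "correct horse battery staple")
    summary = contain_breach(store, ["alice", "nobody"])
    results = {
        "summary": summary,
        "old_session_valid": store.is_valid_session("alice", tok),
        "old_password_accepted": store.login("alice", "correct horse battery staple") is not None,
        "bob_unaffected": store.login("bob", "hunter2") is not None,
    }
    store.reset_password("alice", "new and different passphrase")
    results["after_reset"] = store.login("alice", "new and different passphrase") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The `must_reset` flag is the important design choice: clearing sessions alone leaves the old password usable, and deleting the hash outright loses the ability to tell a returning user that their previous secret is the one that was compromised. Flagging it keeps the account intact while refusing the stolen credential until the user chooses a new one.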
Before I dive into the pile of semi-coherent rambling that is my writing style, I want to give the bottom-line up front (BLUF).
- Kudos to Quora for reacting quickly, decisively, and transparently.
- Far more kudos to Quora for taking responsibility and acknowledging what they did wrong.
- Kudos deducted for the bit about linked networks. Stop doing that.
There, now on to the ranting.
Why I'm Such a Bully
A common complaint I receive from readers of previous articles and posts, coworkers, and table-tennis opponents is "Joe, you're being way more intense than necessary". I have a habit of explanation via hyperbole or, as my wife prefers to put it, "being a relentless pain". There's a reasonable amount of truth in the accusation, and it's due largely to my perspective on fault vs responsibility. When I'm performing a security audit, or testing a network, or writing an exploit against some poorly-designed system, I regularly get the same argument from my customers: "Well, that isn't my fault." The thing is, and I want every sysadmin, security engineer, and developer to read this carefully: I don't care.
If at any time in your professional life you find yourself attempting to claim that you aren't at fault, something has gone terribly, terribly wrong. Fault is not a meaningful or useful concept in the professional world. What matters is responsibility. I don't care if you're at fault for the failure, I care if you were responsible for the success. When companies issue press releases like the one I so gleefully excoriated last week, where the language is carefully worded to avoid even the suggestion of fault ("we regret this incident occurred", "the system was breached", "I have to write like this so that our expensive lawyers don't body-slam me out a 50th-story window"; full disclosure, those were paraphrased), I tend to become more than slightly irritated. The passivity, the cowardice, and the shifty-eyed childishness of that careful wording all hit me somewhere in the middle of my cerebellum, and I wake up an hour later with a finished article, a half-empty bottle of gin, and a threatening note written on my bathroom mirror in what appears to be silly putty. In order to spread my lycanthropy-esque curse of rage, I'm going to go ahead and break down just why that sort of language is a terrible way to write press releases.
A Reasonably Brief English Lesson
If you ever took a high-school English class, you likely learned, then promptly forgot, about the difference between active and passive voices. Active voice describes events with the perspective that someone acted: "I broke the plate". Passive voice describes events from the perspective that something was acted upon: "The plate was broken". Active voice assigns responsibility, passive voice avoids it.
Passivity Considered Harmful
But the principle of passivity vs activity extends beyond just the voice of a single sentence. In the security world we often talk about passive vs active security; passive security generally revolves around recording, while active security is about preventing. Both are valid components of a successful cybersecurity program, and both have their place. After an attack, however, the difference between passivity and activity becomes far more important. A passive response is what we saw from Marriott. They take as much time as possible collecting information, running down all the details, figuring out how to avoid culpability, and generally spend more time thinking "how do we protect ourselves" than "how do we protect our users". It is a fundamentally untrustworthy approach. An active response is what we see here from Quora. They're still figuring out exactly what went wrong, but they've already acknowledged that they made a mistake, and they took several reasonable steps to handle the issue immediately. The final result will probably be similar from an outside perspective; both companies will reset the affected passwords, implement new security measures, and hire a reasonably famous CISO or consultancy firm to "right the ship". However, the PR and user story is substantially different. Users reading the Marriott release lost faith. They saw a corporation being a corporation, concerned only with the interests of its executives and stockholders. Users reading the Quora release, on the other hand, saw a company acting in good faith. They can now believe that Quora actually cares about their security and about their interests. That may or may not be true, but the public perception is important. Bottom line: good faith matters to your users.
Coda: Seriously, Facebook?
This article has mostly been much more positive than my last, but I'd spend the night twitching if I didn't take a second to yell at everyone. STOP CONNECTING YOUR FACEBOOK TO STUFF. Don't get me wrong, I use Facebook. Probably too much when gin gets involved. I'm not telling you not to use social media, or to lock it down to the point of uselessness, but stop using it as your login service. Facebook gets breached about as often as Apple's terms and conditions, and with about as much organized response from the company. If you want an easy sign-in process, do what I and every security nerd in your life have been ranting about for years and get a password manager. Just stop using Facebook. Seriously. Stop it.
This article reflects the opinion of the author and is not necessarily the opinion of Cybrary; they are very insistent I tell you this.