by smbwrs 5573 days ago
You lost me at "bordering on criminal negligence". They gave away a lot of details about how their internal systems are structured, but surprisingly little as far as actual usable data. Passwords can be changed, API keys can be disabled and regenerated, local IP addresses can be switched up. No user data was revealed. How is this even close to criminal, let alone catastrophic? This is pants-down embarrassing, at worst.
1 comments

I meant in reference to the analogous hypothetical.

Tumblr isn't guilty of criminal negligence, but they are guilty of a very serious failing of basic security precautions. Luckily there are other layers of security at play preventing this from being a catastrophic disaster for Tumblr. However, if a group of thieves break into your bank and drill into your vault, you do not go home and rest easy because they only managed to drill through two feet of your vault's hardened steel and there was an entire 3 or 4 inches more. Less so if you'd done something dumb like leave the keys to the vault in a coffeeshop.

I think you fail to give them credit for what they're attempting. Security is the focus of many readers of HN, but Tumblr's focus is the user experience.

This isn't to say security isn't important, but they're rushing to make Tumblr as fun to use as possible so they can survive.

Yes, they received money. They also have monstrous growth. Now they can afford to expand the engineering processes beyond, "get it working" to "make it work really well and securely".

Good things are still to come from Tumblr so let's go easy on them when they use duct tape instead of an arc welder.

Security isn't something you just bolt on after the fact, it's part of the design, and involves so much more than just code.

If they failed to take security into account in the early stages, never mind implement it at the beginning of development, then odds are they won't be implementing it effectively any time soon, especially with the rate at which they'll be expected to keep growing and adding functionality.

This kind of issue that they're showing now could (and probably should) have been detected and handled early on, even with a simple third-party code review.

And the fact that they are as big as they are, and growing as quickly as they are, means that they should have an increased sense of responsibility when it comes to security and protecting their users.

The existence of one bug doesn't imply complete disaster everywhere. It should be treated as an anecdote. Good science demands it.

Good science would also suggest Tumblr should get some experts to help them discover anything else that might be lingering, which they're planning to do. Much like a peer review process.

Your attitude is important for those in the security industry as it pushes things forward, but remember that not everyone has the time to spend on it that you might. It can either be an asset or the bane of your existence. As an asset, you get paid for the things you understand because others don't. As the bane of your existence, you fight society for not knowing what you know.

Tumblr is hiring. Maybe you should apply and help them fix it?

To be clear, I didn't suggest a "complete disaster everywhere". That being said, you can tell a lot about the state of the nation by something as simple and isolated as what they've experienced here. There are some rather simple best practices that probably should be employed that apparently are not, and even a cursory review probably would have detected it.

I was, more than anything, responding to the parent's post regarding the "they can just add security later" idea.

It's true that I tend to work on projects where security is a huge deal (online banking, government, global video game services including in-game payments, etc). As the architect of these systems, a key part of the design is security, and while other projects don't have to be quite as diligent, that doesn't mean they should just ignore it altogether.

I'd also like to hope that my attitude is not just for those of us in the security industry, but for everyone making web-based applications.

Personally, I think any online service does their current or potential clients a disservice if they don't take security into account early on.

As soon as you take money from someone, I consider that to be a responsibility that has been accepted to not only provide the functionality you offer, but to do it in an appropriately secure manner.

It's the classic techie vs. sales guy argument; we don't want it perfect, we want it on Wednesday.

The problem is that if even simple and effective security is overlooked or not dealt with early on, you'll almost always be forced to accept a compromise rather than take the required time to implement it properly.

As to the job, I'm already quite busy, thanks. Between implementing Oracle clusters and my new startup that's just closing on our financing, I've got my plate full.

Besides, I hate PHP. ;)

I think this touches on PHP's real security issue.

It's easy to get going quickly but becomes an issue fast. Smart people tend to move away from PHP, but startups find this difficult.

Hiring is then an issue and the bad practices persist.

I don't care what they're attempting; if they're hosting user content and storing user information then security needs to be a focus. Gizmodo certainly wasn't attempting security and that turned out quite well for all their users, didn't it? When you provide a service, no matter how trivial, there are basic commitments you sign up for; Tumblr hasn't quite failed those commitments yet but they've come unnervingly close.