Startups Increasingly Targeted With Hacks

ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."

How is it a "rite of passage"?

[khasim]

They're getting cracked because they're not paying attention to their security.

After resetting users passwords, Twitch initially introduced longer password character requirements, but had to dial back its new 20-character password length requirement to 8 characters after users complained.

Fuck you! If you cannot detect and mitigate a brute force attack then hire someone who can.

Twitch also said it encrypted passwords, but warned that hackers might have been able to capture passwords in the clear as users were logging on.

And make sure you know the difference between encrypted and hashed.

Re: How is it a "rite of passage"?

[Anonymous Coward]

Seems users would rather be insecure than secure. Good for them.

Just because the average job is a retard doesn't mean you have to be. Nothing says you can't use the 20 character password even when everyone else is using an 8 letter one. Their stupidity won't affect you.

However, there's no excuse for a website doing something like storing passwords in plaintext. That's just fucking stupid.

Re:

[gbjbaanb]

like storing passwords in plaintext. That's just fucking stupid

not as stupid as you think. Sure, encrypting your passwords is another layer of security but really, if an attacker gets your password database, then they can (and will) crack them quite easily today. Given that all you're doing is slowing the attacker down, it can be better to store them in plaintext.

Because - if you know your passwords are precious and need to be looked after, you will take many more steps to ensure the attacker doesn't get th

Re:

[Zaelath]

You are dangerously stupid or trolling.

Re:

[s.petry]

However, there's no excuse for a website doing something like storing passwords in plaintext. That's just fucking stupid.

If it comes to a point where a hacker has your password file, it's too late. Sure. The bad practice made it easier for hackers at this point, but you were already compromised so you are really trying to protect "everything else" from that point on.

IMHO it is a culture that needs to change to improve. Some start-ups are security oriented, those tend to have long term success. Some have little concern, and tend to be fly-by-night companies. The latter is due to people playing the economic lottery.

Re:

[Zaelath]

What you say is true, however it doesn't excuse the negligence of storing passwords in plaintext, or even with poor hashing algorithms.

Just because access to the password file is a major loss requiring everyone to change their passwords, that doesn't mean a good hashing algorithm doesn't extend the period people have to change their password, or in the case of people that use good passwords, extend the likely breach of that password outside useful bounds. i.e. just because Alice's password is s3cur1ty! and

Re:How is it a "rite of passage"?

[OzPeter]

They're getting cracked because they're not paying attention to their security.

But start-ups are all about the most buzz you can generate in the shortest time. You need to get that product out the door ASAP because your competitors aren't going to wait for you to build your secure system first. After all, you're not in the business of security, you're in the business of connecting up the most people and building your community. /sacasm*

*Added because even I thought I was starting to sound like a lean-startup advocate

Re:

[s.petry]

Until very recent times the OpenSSL project was maintained by 2 guys who pretty much worked for free, meaning that they had to work full time jobs in addition to maintaining OpenSSL. You may have had a point somewhere, but it seems to have been lost in ignorance.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Zontar The Mindless]

+1, Troll.

Hardly surprising

[ilsaloving]

What's the demographic of the people running these startups? People who have grown up in the Web 2.0 age that think they know better than older folk that have already run into these situations and come up with means to mitigate them. Because it's "old" it's bad and has to be thrown away and discarded.

Having worked with some of these people first hand, my level of contempt for these webscale "developers" knows no bounds. It's like working with 15 year olds who think they know how the world works and complain bitterly that their parents are holding them back. Their a testament to Dunning and Kruger.

I've been pushing back at our company against using all these saas because this sort of situation is just going to keep happening, and undoubtedly escalate, all because webscale developers arrogantly dismiss the lessons of the past.

(eg: I actually had someone tell me that they refused to use port 80 because it was "against modern development practises". I'm pretty sure I physically felt several brain cells shrivel up and die when I heard that. They also refuse to use version control and branching because merges are "too problematic".)

Re:

[fahrbot-bot]

What's the demographic of the people running these startups? ... It's like working with 15 year olds who think they know how the world works ...

On the up side, things will never go to Hell in a handbasket [wikipedia.org] - because they don't know what a "handbasket" is.

Re:

[checkitout]

I hope it was because they want to use port 443 instead.

Re:

[ilsaloving]

Keep hoping. >_

Re:

[Anonymous Coward]

>They also refuse to use version control and branching because merges are "too problematic".
This depresses me. I'm depressed now.

Re:

[sodul]

On port 80 it could be that they want to avoid issues with privilege ports. A good chunk of people will just run everything as root because it fixes the privilege port issue. I simply have our Ops team to configure authbind through Salt so that whatever user need to run the services can have access to the privilege ports required.

In all honesty if your application is not listening to the outside world directly, avoid using the privilege ports indeed. Your firewall/load balancer will get the port 80/443 requ

Re:

[Hognoxious]

Maybe you should explain that this [youtube.com] isn't a training course.

extreme programming

[Anonymous Coward]

Extreme/agile/whatever trendy fucking shit programming gets you what it says, extremely broken code.

These startups in a rush to get something out as these "development methodologies" say you should, shortcuts are taken, code isn't reviewed for security issues. The under 30 crowd think they're so AWESOME with their code, yet they don't know they're reinventing the same mistakes that were made 30 years ago.

The more things changes, the more they stay the same.

"start-ups"

[dnaumov]

I am not sure whether its sad or funny when people are so out of touch with reality as to call companies making massive amounts of money "start-ups".

survival of the fittest

[slashmydots]

Newer companies are more likely to have newer IT infrastructures and newer security. If they have a less secure setup than an established mega-corporation, it's because someone massively messed up and had their priorities wrong or they chose a crap vendor or two after buying into their marketing fluff about how secure they are. I suppose they also could have gone with whoever was cheapest for antivirus, firewall, monitoring, etc and that's an equally dumb mistakes. The good news is, startups that keep ma

Twitch.tv is not a startup.

[diamondmagic]

Twitch.tv was rebranded from Justin.tv, which started in 2007.

Now they're owned by Amazon.

By contrast, Amazon Web Services was started in 2006.

Hardly a start up.

next time hire quality labor

[Anonymous Coward]

instead, these startups hire H1B visa holders, and do whatever it takes to cut corners.

With MVP, security is last feature.

[hsmith]

Startups, especially those going through some sort of silly accelerator target one thing, a Minimally Viable Product. What does this MVP mean? Everything but security. VCs and these companies only worry about security once they 1) become big enough 2) get hacked.