At many of my employers over the years where security mattered, it was rarely important enough to spend much money on. One place (covered by HIPAA's rather toothless laws) I pointed out how insecure all of our servers & databases were (single password, known by all), and the only response I got was "we pass our audits, and anyway we trust all of our employees". Groan.
An earlier employer had a single person in charge of security for a company with 50000+ customer investment accounts. Oh and the one that was there when I started was eventually discovered to have two full time jobs, which worked because he had unlimited vacations. After that person was fired, the replacement did nothing but run a few scripts every day, and our databases did not encrypt anything, and they argued for months on whether to buy disk encryption software instead of just encrypting credit card numbers (which meant various applications had to be modified and no one wanted to pay for that work).
So if Patreon dumped their entire security team (or just one part, it's not clear), it makes me reminisce about stupidities... not much has changed.
I think this was a good and balanced take on the situation. Patreon giving their entire security team the axe without any notice should make anyone step back and rethink using their service.
Unless some major creators that use Patreon begin a very public exodus from the site, I'm not sure too many regular users are going to be leaving though. The blackmail risk of having your subscription history leaked won't even register for a lot of users.
> Patreon giving their entire security team the axe without any notice should make anyone step back and rethink using their service.
It's really hard to get people to take their monthly contributions to a Patreon competitor. The inertia is really hard to overcome. So in a sense it's kind of like lock-in - if you move you'll give up some % of your income.
Some thoughts as someone who's built software and product security programs in both cash-strapped and cash-rich organizations. I'm going to drastically oversimplify, but bear with me:
▶ The ability to build an all-in-house or largely-in-house program is a luxury where largely every staffer, even staff-aug over time, can have the necessary institutional context to understand whether a threat is being realized. If you can do it comfortably and with a focus on automation, you probably should.
To analogize: a castle has its own moat, its own hard walls, its own defense team, retractable entrances, traps, labyrinth layout, etc. etc.
▶ A fully outsourced program doesn't have the necessary institutional context to catch edge cases or even a substantial number of common or uncommon threats and outcomes. Especially when the services used are multi-tenant, which is where a lot of the cost-savings come from for outsourced programs. So for an outsourced program to succeed, you'll probably still need a few hands to add that missing context or to work together with the service providers to help them automatically understand that context.
To analogize: a house in a gated community shares the same security team and light barriers (fence, wall, whichever) as other houses, but that team might not be as well versed on what to look out for. And the house itself may have alarms, but none of this may be all that great at deterring a common smash-and-grab.
---
Patreon had what, 1%-ish of their staff doing infosec? I'd venture that a lot of them performed functions such as automating appsec, automating integrations with service providers, etc., understanding privacy and security legislation and obligations, and served the role of contextualizing security between their internal product teams and external security service providers.
Without a dedicated in-house team, no matter how small, I'd bet dollars that they'll be compromised again in short order. And I've advised people relying on Patreon to seek alternate services as a result.
Saying everything is ok because there are third-parties handling security is a major red flag.
Technically a tool like Snyk or Dependabot is a third-party security vendor, but would you trust your financial & personal information with a company that says their security posture relies solely on those tools?
Such third parties aren't the third parties that you are thinking about. Think of contracted security vendors in the finance sector, with experts auditing things etc. Not some subscription-powered bot running some scripts somewhere.
Yeah. Similarly the arguments against Patreon's move are vague enough. Nobody defines what is the objective standard for 'enough security'. Nobody even asks "Why did Patreon have a 5-person security team and multiple security vendors up until this point?"
The amount of comments talking smack about the post because of its author is really astounding. The article is an okay read, why not judge it based on its own merits?
It did seem a bit gratuitous the way the author mentioned they were a furry; it had nothing to do with whether one should delete their Patreon account.
This post was written primarily for a furry audience, who have been a bit panicked over yesterday's news that Patreon did such a head-ass move.
After I tweeted that I deleted my Patreon (to which I paid like $700/month to various creators), several people asked me (publicly and privately) whether they should follow suit. I wanted to offer a calmer take.
Since there was discussion on HN about this topic yesterday, I thought the folks here would appreciate the perspective.
More power to the author for being their own individual, but it made me feel a little uneasy. I don't mind people being a furry or expressing themselves, but I do feel like I was made a witness/part of someone's kink and I'm not into that. I thought it would be dry infosec blog stuff and unfortunately opened it at work.
It's the same feeling when seeing a leather clad lady hauling someone's granddad on a leash around town. I respect it, just don't make me part of it against my will. I'll make a note to skip this site in the future.
Multiple times in that article it's admitted that being a furry is sexual--because everything is. Comparing it to Tupperware parties, as if the rate of sex at Tupperware parties is in any way comparable.
If everything is sexual, then the distinction becomes meaningless and only something that is significantly more sexual than the baseline is worth remarking upon.
My argument is that furry isn't inherently any more sexual than anything else. To call it a sex/kink thing is not a meaningful argument.
It is distracting, unappealing, impossible to miss, and doesn't require a lot of thought or explanation to comment on. Of course people are going to comment on it.
When people post websites to Show HN the majority of the comments are usually not more insightful than "I don't like this button, make it a different color."
It's not an ok read. It hypes stuff without any objective basis. Its argument for Patreon firing their security team being bad is that Patreon 'has been cutting on their security vendorS' as well, so security is going to suffer.
What's visible once you are past the hyped language in the article is that Patreon had a 5-person security team, and MULTIPLE security vendors up until this point?
Doesn't that look like too much for a small startup to start with? And if one argues that 'No amount of security is enough', then HOW many security vendors does anyone need?
Is there an objective measure? Like, does the amount of manpower that a security vendor has determine whether that vendor is enough? Or the number of industry-renowned personas that work in that vendor?
What happens if one player buys out all those security vendors and combines them into one single large vendor? Will that be enough?
...
So basically there are no objective criteria for this. The proposition is 'less security is bad', but nobody defines 'the right amount' of security objectively. So even if Patreon or anyone else is using a top-notch competent security vendor that handles all their stuff, it wouldn't be enough because... well, this is a chance to do some hype, obviously.
The proposition of the article in canceling Patreon and 'moving somewhere else' is also very dangerous and it feels self-serving.
Cancel Patreon and go where? Set up a subscription service yourself? And deal with all the chargebacks, fraud, refunds, financial compliance, and gasp sales tax collection and clearing? Or, one of the much smaller Patreon-competitors who have even less backing and organization behind them? So move from Patreon to... 'smaller Patreon'?
Which would easily put someone in hot water regarding actual legal responsibilities that can land one in large fines and even court sentences, by the way. People think that just because they have been making some side money here and there on the Internet and this was not something that the tax agencies and governments would bother to look into, things will stay the same if they start making such regular, noticeable income. It doesn't work like that. Things get serious.
Because now the money that you are making with your creative activity is not occasional 'gig money' that is paid to you in cash somewhere, totally unaccountable. It's regular, trackable income that may land you in very hot water if you end up getting called up by your tax authority randomly in a few years. There is always the chance that your government may start a major sweep to weed out tax-dodgers so it may not even be random.
So such propositions like in the article 'Cancel and do something else' feel like random retorts from people who don't actually know what they are dealing with - laws and other people's money.
...
Even the prospect of having to set up and maintain a billing system should make people shudder at such a proposition. It's all fun and games at the start when you are setting up stuff. Not so much when keeping it updated and compliant takes a considerable chunk of time 2 years down the road, forcing you to deal with those instead of doing your creative activity.
Important people get fired all the time and no meaningful percentage of Patreon users are going to care. If you stopped using a product every time someone important got fired you could probably use nothing, live nowhere, and would just sit in the dirt until you were dead. The only difference with this is the publicity and people trying to get it to gain traction. I don’t expect it to though and the world will continue to turn.
You might but nobody else will. Another day another breach. Nobody cares about the firings and they surely won’t care about the breach.
I would even guess that for a large breach like the one T mobile had, most of their customers don’t know about it. And if they do the thing they care most about is trying to get their cash payment because “free money.”
I’m not saying that’s how it should be but that’s how it is. Companies make decisions every day that are bad for their customers and every day, unless the customers are majorly inconvenienced, they simply don’t care. Or maybe I’m in a bad mood today and casting everything in a negative light. Or both.
You seem to be suffering cognitive bias and projecting a lot of your own personal feelings with the "nobody else will". Well, obviously this is being proven wrong with the public's reaction to this.
Is it a meaningful number of people? I couldn't say at present, but to talk in absolutes is silly.
few days and a bigger layoff later and yup … no one cares. except the 2 people that closed their Patreon accounts.
so now i have to think it’s a reasonable guess that a security team member found out early and even possibly leaked it, even if only internally like to their boss. to contain it the whole team had to suddenly be let go.
that’s beside the point. just a random theory. in this context, the point is that there’s been no follow up on the security layoff, no tie in with the larger story, so yeah no one cared
How is a social security number relevant for a Patreon breach? Worst case, they would get your name, password, IP, billing address, subscription list, and, unlikely, your credit card info. I think this is what people are somewhat immune to.
For me, the password is unique, the name and billing address are public record, and my bank protects me from credit card fraud, since using one requires handing the number out multiple times a day. The only thing that bothers me is the IP address, but that was leaked in other breaches, once a few years ago, and twice this year. I think this is the same for most people.
You do have to put in your SSN at some point to get paid. It's stored with Stripe, but a hacker could prompt people to re-enter it for capture citing some issue. How many people are savvy enough to question that?
I consider all online accounts as breached. That is why I use unique passwords.
If my CC is compromised, I'll notice in my monthly statement and report the bad charges (this has happened twice in 10 years). ...once from using the card in eastern Europe and the 2nd time at a hospital recently.
Not using services online because you're afraid of a breach is highly inefficient.
Better to share as little as possible and have consistencies when there are breaches.
I generally do the same but go a little further. I use an anonaddy email address and a virtual card from privacy.com with limit. This way Patreon and their customers do not know who is funding these creators. A breach is also a negligible risk. Unfortunately, I am probably in the 1% of people who take these measures.
There's one CISO school of thought that believes the job is to run every automated scanner they can get their hands on, report results to engineering and job is done. That can certainly all be outsourced.
Another school of thought (which I inhabit) is that sure, you need to do that, but to really have a secure product or service it has to be built ground-up with security as a core requirement. You can't outsource that (ok you could but it means having expensive consultants sitting in with the engineering teams day to day, at which point it's far cheaper to have an in-house security team).
I think fully outsourcing it really abdicates your responsibilities. There has been a long line of companies like Sony that outsourced their security and then discovered that means they have no in-house ability to respond, evaluate or supervise that outsourcing.
And to be painfully honest, it also encourages coverups and lying on reports. As a security engineer at another vendor who has worked with these MSPs and their clients I have seen a lot of things that went sideways and the MSP wants to cover it up and it makes responding to an incident really hard.
It really depends on what the security team was doing. Saying they fired the security team sounds like bad PR, but who knows. Maybe they were just running scanners and couldn't prove value to a VP.
I think it was 5 employees. If each cost $200,000 (salary + benefits + office space + etc.) that means Patreon was spending $1,000,000 / year.
What were they doing?
I worked on a major product that was known for our security benefits, and we didn't have a team of five on "security." We made sure that everyone understood best practices, and eventually had a "head of security" that oversaw our product and other products as well.
What type of info do they have and is it backed up? If it's an account linking your name to your email address then who cares. Is there actually valuable information like CC, bank, or your SSN in there? Maybe your security questions should be deleted.
Most of the comments in that thread are about how layoffs like this happen if there is a major screwup; or how Patreon might be able to outsource security for significantly cheaper.
Well, before it was a cool identity to have, geeks used to go into computing often in order to escape what they perceived as reality that was hostile to them. I guess if you think you are an animal (even if ironically) you would also be more keen to stay in the virtual world.
And infosec is one of those fields where hiding behind an avatar or a nickname is still somewhat accepted.
Possibly the same reason there's an overlap of queer people and furries: motivation to learn, a need for well-paid work to get out of hostile families and geographies, a need for an accepting community while you're working toward getting out.
Maybe in your social circles it is. If you move outside of the social circle of furries you'll find that they're just a small fraction of the queer population, just as they are only a small fraction of the non-queer population.
We might be more accepting of furries than our non-queer counterparts, but that doesn't make us furries ourselves. Claiming furry and queer is anywhere close to a perfect circle Venn diagram is way off base.
I don't know what to do with a response that's completely unbound from anything I said in the thing it's replying to.
I didn't say:
* all queer people are furry. Most A are B is not all B are A.
* that the Venn diagram is anywhere near a perfect circle. In fact, I said that's not the case.
HN's guideline on reading things charitably could have saved both of us some annoyance here. Try again. It's absurd to think I could mean the things you thought I meant.
They aren't objecting to 'all', they are objecting to 'most'. Your post reads as LGBTQ is mostly furries, I suspect you meant that furries are mostly LGBTQ?
>> "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."
It would be absurd to suggest queer people are mostly furries, so that interpretation is implausible. Act as though the person you reply to is rational, and you can discard the absurd.
A strong, good faith reading could reasonably assume I don't know anything about Venn diagrams and didn't realize all the circles are equal when I posted that. I'm assuming good faith, and that's why I didn't just flag their post for trolling. Maybe they're not trolling and just don't practice this principle.
Why aren't you applying that principle to yourself here? You could be far more charitable and seek to bridge some misunderstanding. It feels like you don't understand that this expectation is symmetrical.
Giving someone some small benefit of the doubt when they make a comment like that is about my limit. This isn't my first rodeo. It's on them to demonstrate their absurd, unreasonable, unfair, completely off the rails read of my comment wasn't meant to kick off a hell thread.
There’s a path from “hanging out on a role playing server” to “running the server” to “hey I can fill this Unix admin job” that has only gotten easier as more furries take it, then look to their friends when their company has positions that need filling.
This furry-to-IT pipeline has been running since the beginning of the World Wide Web as a thing people put money into.
You're correct and shouldn't be downvoted for it. Diversity in general is pretty wide in the fandom. We have a much higher percentage of LGBTQ+ people here, because we do accept those people.
Furries on the whole are accepting and welcoming. For people who have faced discrimination in one form or another, the fandom is a place where one can belong and simply be who they are.
Despite what the other commentators on this thread seem to want to believe without evidence, I'm not at all attracted to children, and I'm offended that someone would drop such a gross accusation in a HN thread.
Be offended and then clarify - why are so many furries in the infosec field? Do you have a speculative answer?
By the way a person using a dark market to get drugs and then meeting up with other consenting adults to “cosplay” as animals may very well be an illegal and potentially humiliating event for a person. Maybe just growing up with the subculture created an early need in a person to hide/obfuscate and therefore motivates entry into infosec. I don’t know - that’s why I’m speculating. Going straight to the child angle is too narrow/myopic.
> By the way a person using a dark market to get drugs and then meeting up with other consenting adults to “cosplay” as animals may very well be an illegal and potentially humiliating event for a person.
I have no idea what this means, considering:
1. I don't use dark markets
2. I don't use drugs
3. Being a furry isn't "animal 'cosplay'" in the sense your comment implies
> Maybe just growing up with the subculture created an early need in a person to hide/obfuscate and therefore motivates entry into infosec.
This also motivated a lot of LGBTQ+ and furry people to need to learn security just to exist online. What you're gesturing towards is actually self defense against shitty people.
> I don’t know - that’s why I’m speculating. Going straight to the child angle is too narrow/myopic.
It's probably better to ask questions than to speculate incorrectly, especially when it's a nontechnical matter.
It might be better not to speculate online but come on - this isn’t an in person group where you can see there’s a person waiting in the wings to answer questions.
If my blunt speculation motivated you to give the answer you did then it kinda worked, did it not? Of course that point is moot if you would have taken the time to answer the OP’s question.
And I wasn’t that far off anyways, just wrong on the timing in a person's life. From your answer apparently the motivation for infosec comes from an early need to obfuscate online identity from parents/family because of non-traditional sexuality. Is that humiliating for a person, or is it trying to avoid feelings of humiliation that discovery would bring up in a parent? Does it really matter?
> It might be better not to speculate online but come on - this isn’t an in person group where you can see there’s a person waiting in the wings to answer questions.
This observation might have any merit at all if you weren't commenting on an HN thread for an article posted on my furry blog wherein I answer questions about the furry fandom all the damn time.
> If my blunt speculation motivated you to give the answer you did then it kinda worked, did it not? Of course that point is moot if you would have taken the time to answer the OP’s question.
This is a silly justification for assuming incorrect things publicly. This is how misinformation and willful ignorance spreads.
Your above response was very judgmental and not kind. My goal with the question was not to shame the lifestyle, and I don’t think that type of discussion is relevant here.
You may want to keep reading. He's also an information security professional and writes well with good thoughts.
I haven't checked the rest of his blog to verify the guess I'm about to give, but I assume he phrased it that way because most of his blog focuses on furry matters rather than infosec matters and he's explaining to his usual furry audience why he's making a rare infosec post - as well as to people who find his blog from sources like this HN post why most of the context is furry related.
It could also simply be that he defines his identity more by his hobby than by his day job and therefore leads with that when describing who he is, which would be fair enough too.
Soatak doesn't care about reaching the maximum number of infosec people possible. He blogs about what he likes. The previous article on his blog is about fursuiting. [1]
Also from the article being discussed: Anyone who doesn’t know I’m a furry is generally someone whose opinion I won’t lose sleep over souring if they find out.
He's also an infosec professional and gives a lot more thoughtful and nuanced analysis than you're assuming, including distinguishing between what is currently a rumor and what is currently a known fact. And his answer is more a toolkit for making your own decision instead of pretending that everyone should do the same thing.
It's a very good blog post, and well-structured too. I will note the fact that he's a furry blogger doesn't only mean that he's a furry but also that he's a blogger, regardless of topic. That experience applies well to this post related to his career, not only to his other posts related to his hobby.