In today’s paper, Farhad Manjoo talks about boycotting SnapChat to send a message about its lackluster security practices. I agree that the general public can show what it cares about with decisions about what to buy or where to shop. In the case of SnapChat, the company clearly should have fixed the flaw as soon as they knew about it in August 2013, right? (I mean, not just adding rate limiting, but releasing a new version that allows users to remove their number from the “Find Friends” feature.) Maybe the SnapChat folks were too busy in 2013 or maybe they were distracted during the holidays when the private API was released in December. But, likely it was a calculated business decision to accept the risk that someone would actually exploit the flaw. The Find Friends feature of SnapChat is what makes it useful, easy, and popular. It’s probably one of the only reasons we’ve ever even heard of SnapChat. I have to give the SnapChat team the benefit of the doubt that they thought long and hard about what to do regarding the vulnerability. Their blog post on December 27th says that they implemented countermeasures in August to make it difficult. Mostly likely this was just the rate-limiting from a single account. What I’d love to know would be the amount of time and money they estimated in August 2013 that it would take to fix the flaw. It’s at least four days worth, since they promised a new version on January 2nd and today is the 6th. What we may never know is how much business SnapChat loses because of this incident. Like Manjoo mentions, it seems that most folks are not rattled about cyber breaches. Data loss and cyber security incidents are accepted as part of the cost of doing business or using fun apps.

As a security consultant, I’m used to the concept that my data is out there and it will be exposed. It might be in the personnel files of an employer, doctor’s office, or the trove of the data broker giant shops. I’m not sure what to make of Farhad’s rallying cry that “we should not get used to the idea of permanent insecurity.” On top of calling to boycott SnapChat, he proposes that we focus on developing new technology and mechanisms to win back the battle against hackers. That innovation is happening, but maybe not fast enough. He understands that data will always be vulnerable to theft and that there is a balance between security, cost, and functionality. This is especially true for start-ups with limited budgets. Even large companies like Target still balance security costs and accepted risk. Target spends millions on IT security and still might be hit with a zero-day exploit they hadn’t conceived.

I see Mr. Manjoo’s point about making noise so that companies fix known vulnerabilities. Point taken about SnapChat. I assume there was a similar article about Java. I would argue that in addition to technology innovation and customer awareness, we should also revisit the methodology for small and mid-size businesses to prioritize their cyber security spending.

The post The Idea of Permanent Insecurity appeared first on Mosaic Security Research.