I was a huge doubter on day one - the initial video and manifesto seemed confusing and too abstract to fly - but seeing Dalton handle intensive negativity (even some from me, I'm a bit ashamed to admit) with such aplomb won me over. Seeing his frequent updates with progress, even before the $500k mark, was a great confidence booster.
Every cent well deserved. I was a supporter, and I look forward to helping build app.net into something amazing.
This is very much how my experience with App.net has been. I was a non-believer, but seeing how Dalton handled things has turned me into a major fan of his.
I was complaining a couple weeks ago about how someone needed to open an alternative to the Mac App Store for legit apps that don't work with sandboxing, desire demos or paid upgrades, etc. Never thought of Steam as a possibility, even though I use it weekly for gaming. I have high hopes; if anyone can pull it off, it's Valve.
My current laptop is a Dell C510 running Arch Linux, rocking a massive 384MB of RAM and LXDE. It's relatively (surprisingly) snappy as is, but any improvement is going to make a huge difference. Great work.
Bostonian here. The lady and I have been convinced that this winter was significantly worse than usual, and wondered why no one else seemed to think it was so weirdly awful. Glad we're not alone, and that we weren't wrong. Wow, did it suck. Excellent article and research by Mr. Dobres.
I knew moving to Boston that I could expect lots of snow, but the way it can affect your lifestyle for four months (especially if you walk everywhere) was something I didn't think too much about.
The harshness of this winter is not an insignificant part of my decision to skip town and move to San Francisco :)
As an expat Swede, I was disappointed with last year's snowfall. I had high hopes for cross country skiing, but that didn't work well at all. This winter was better, but still pretty weak. Maybe I should move to New Hampshire... ;-)
If you're in Boston, Maine is pretty close. If you want a good winter hike, the top of the Appalachian Trail is Mt Katahdin, about 100 miles north of Bangor ME.
My building's snow removal costs alone were sufficient to demonstrate that this was a particularly bad winter. They were more than twice last year's (last year being pretty typical).
As a fellow Bostonian, I completely agree. I mostly came to the same conclusions (three straight weeks of snow with no melt days), but it's good to see it written out in numbers.
Golf, soda, cigarettes, newspapers, and beer. Seriously? I've never felt so disconnected from the typical "American Male", nor have I ever been so proud to feel that disconnected.
Maybe if "soda", "cigarettes", "beer", and "bars" were a bit farther down the list, "gyms" wouldn't need to be so high?
For golf there are large costs involved to get going and then continue, hence not that many people could be playing it, but still it has a high cost. Off the top of my head the costs would be something like: course/club membership fees, round fees, golf equipment (clubs, bag, clothes). So you can easily end up spending $1000s per year on the activity.
They "simply took thermodynamics" and created a useful, beautiful product that solves a common problem and doesn't (as far as I know) exist yet. I don't understand what your issue is.
You lost me at "bordering on criminal negligence". They gave away a lot of details about how their internal systems are structured, but surprisingly little as far as actual usable data. Passwords can be changed, API keys can be disabled and regenerated, local IP addresses can be switched up. No user data was revealed. How is this even close to criminal, let alone catastrophic? This is pants-down embarrassing, at worst.
I meant in reference to the analogous hypothetical.
Tumblr isn't guilty of criminal negligence, but they are guilty of a very serious failing of basic security precautions. Luckily there are other layers of security at play preventing this from being a catastrophic disaster for tumblr. However, if a group of thieves break into your bank and drill into your vault you do not go home and rest easy because they only managed to drill through two feet of your vault's hardened steel and there was an entire 3 or 4 inches more. Less so if you'd done something dumb like leave the keys to the vault in a coffeeshop.
I think you fail to give them credit for what they're attempting. Security is the focus of many readers of HN, but Tumblr's focus is the user experience.
This isn't to say security isn't important, but they're rushing to make Tumblr as fun to use as possible so they can survive.
Yes, they received money. They also have monstrous growth. Now they can afford to expand the engineering processes beyond, "get it working" to "make it work really well and securely".
Good things are still to come from Tumblr, so let's go easy on them when they use duct tape instead of an arc welder.
Security isn't something you just bolt on after the fact, it's part of the design, and involves so much more than just code.
If they failed to take security into account in the early stages, never mind implement it at the beginning of development, then odds are they won't be implementing it effectively any time soon, especially with the rate at which they'll be expected to keep growing and adding functionality.
This kind of issue that they're showing now could (and probably should) have been detected and handled early on, even with a simple third-party code review.
And the fact that they are as big as they are, and growing as quickly as they are, means that they should have an increased sense of responsibility when it comes to security and protecting their users.
The existence of one bug doesn't imply complete disaster everywhere. It should be treated as an anecdote. Good science demands it.
Good science would also suggest Tumblr should get some experts to help them discover anything else that might be lingering, which they're planning to do. Much like a peer review process.
Your attitude is important for those in the security industry as it pushes things forward, but remember that not everyone has the time to spend on it that you might. It can either be an asset or the bane of your existence. As an asset, you get paid for the things you understand because others don't. As the bane of your existence, you fight society for not knowing what you know.
Tumblr is hiring. Maybe you should apply and help them fix it?
To be clear, I didn't suggest a "complete disaster everywhere". That being said, you can tell a lot about the state of the nation by something as simple and isolated as what they've experienced here. There are some rather simple best practices that probably should be employed that apparently are not, and even a cursory review probably would have detected it.
I was, more than anything, responding to the parent's post regarding "they can just add security later" idea.
It's true that I tend to work on projects where security is a huge deal (online banking, government, global video game services including in-game payments, etc). As the architect of these systems, a key part of the design is security, and while other projects don't have to be quite as diligent, that doesn't mean they should just ignore it altogether.
I'd also like to hope that my attitude is not just for those of us in the security industry, but for everyone making web-based applications.
Personally, I think any online service does their current or potential clients a disservice if they don't take security into account early on.
As soon as you take money from someone, I consider that to be a responsibility that has been accepted to not only provide the functionality you offer, but to do it in an appropriately secure manner.
It's the classic techie vs. sales guy argument; we don't want it perfect, we want it on Wednesday.
The problem is that if even simple and effective security is overlooked or not dealt with early on, you'll almost always be forced to accept a compromise rather than take the required time to implement it properly.
As to the job, I'm already quite busy, thanks. Between implementing Oracle clusters and my new startup that's just closing on our financing, I've got my plate full.
With all due respect, I'm not sure I buy that "hiring is an issue" argument.
You don't need someone full-time to help develop best practices, help design or architect code/systems, or to do code reviews.
Any startup that gets funding should, in my opinion, get a short-term consultant to come in, take a look around and offer suggestions and advice. Even if it's just for a day. These are resources that have been there, done that, and wouldn't be interested in a full-time gig with the company to begin with. Even if the company could afford them.
Hopefully this isn't too far off topic, but it's something that I see missing from a lot of clients that I get called into. (Not saying these guys haven't done this, either.)
I think there's a lot of value for a startup to validate their work with outside help, especially if they're relatively new to the game. Even if it's just pointing them to some articles or reading for them to follow up on, or just mentioning ideas of things they should look into; it can prove to be huge.
For instance, I'm currently mentoring a few developers/teams on a part-time, couple hours a week basis. Some of it is just being available on MSN to answer a quick question every now and then, other times it's doing a couple code reviews. Other times it's grabbing lunch/beer with them to discuss the concepts of things like how to implement continuous integrated testing, or managing other processes, or discussing new tech that they've heard of. For the most part, they're not paid gigs either. I enjoy helping people do stuff well, and the little bit of good faith help usually leads to some good future work.
Sometimes all it takes is asking the right question to get them to think about things in a different manner.
The last gig I got was for a major video game company. The job involved a .NET stack, which I knew nothing about and had never worked with, not even a little bit. I got the job despite that fact because in the interview I asked them general (admittedly leading) questions, such as "how are you handling _____, or what is your plan for _____". Even though all of my experience had been in non-MS tech stacks, the technical director that was interviewing me was furiously taking notes. It was clear that they hadn't planned for some of the things I was mentioning, never mind thought of them. But once they heard the question, it was painfully obvious they should have. As a result, a 3-day consulting engagement turned into full-time for two years.
In my case right now, I've sought a mentor in some new tech I'm working with in my current startup. It's allowed me to hit the ground running, and take advantage of their experience. A half day one-on-one made all the difference for me, and will drastically improve the quality of what I'm doing.
I don't care what they're attempting; if they're hosting user content and storing user information then security needs to be a focus. Gizmodo certainly wasn't attempting security and that turned out quite well for all their users, didn't it? When you provide a service, no matter how trivial, there are basic commitments you sign up for. tumblr hasn't quite failed those commitments yet, but they've come unnervingly close.
If they're clever, that password isn't the actual password, it's a salted hash that the Database class breaks down to the real password before connecting. In theory, that hash alone shouldn't be enough for a breach, unless someone is able to figure out how it's encrypted and salted.
If you can "break down" something to the real password, it's not hashing but rather encryption. Anyways, I don't see how it helps if the actual PHP code is exposed. Adding layers of super-duper-secret PHP code (Database class) is not going to help if you display them in the browser.
My point is more that there's at least one layer of protection between that page and the actual password, which I'd say is more important than displaying some code. It would take more than one mistake to really do damage, which is better than nothing.