Month: September 2022

sexilydrawn:

Gods of music don’t really take sides they favor their chosen bard only. 

moki-dokie:

sleepygaymerdisease:

hey uh. did anyone else see that patreon fired all of their security staff. 😐 everyone change passwords, set up 2-factor authentication, and/or take your card info off of the site

It’s really not as alarming as it sounds – there’s a good thread about it all on hackernews I can’t be assed to go find again bc I’m already in bed but it should come up with a Google search. There’s a message in there grabbed from the CEO (I think?) statement made in a specific discord.

Pretty much boils down to they’re working with another source. We don’t have the details why the team was fired (and it was a small team of 4 or 5 from what folks can find on LinkedIn) but I’m going out on a limb and saying they didn’t part on good terms. It’s pretty fuckin shitty of a security engineer to go on social media and blast that the company is potentially vulnerable. It’s one thing if that simply hurt Patreon, but a breach would significantly impact EVERYONE. That was a huge dick move, which leads me to believe it was done out of anger.

The MOST LIKELY scenario of what’s happening is Patreon is getting ready to go public and in order to do so they need to seriously beef up their security measures to prove to investors they’re airtight and trustworthy with all this money being handled. That means splurging on Very Expensive security firms that are outsourced, or curating a new team of their own with security engineers who are well known, highly trained and skilled, have worked with the big dogs, and are also very pricey. This isn’t too unusual to see when a startup finally gets off the ground. Very likely their current team just didn’t meet the standards expected in a publicly traded company. Probably didn’t break the news to that team in a very good way, or blindsided them.

However, until more details emerge we can only assume. But this isn’t a reason to panic. Patreon would land in some seriously deep shit if they were outright negligent like that. I guarantee you they already had another team – be it one they’re going to work with going forward or a temporary one – locked and loaded and ready to go before the team they let go was even out the door.

That said, thanks to the dick move announcement, people freaking out like they always do, and transitions always being a little sticky, it’s a good idea to at least enable 2FA if you haven’t already. Even in the highly unlikely event they did get breached and hacked and your password revealed, that will prevent your account from being accessed. Also, card information is like, never stored on any sort of internal database anymore. It’s rarely ever even unencrypted or seen by a human for that matter. Annnd usually handled by a whole different API and sometimes several different payment processors. Not saying it’s impossible to get your card info in the event of a hack, but man the chances are like, ridiculously low to improbable.

It won’t hurt to take some extra precautions as you should anyway these days but until we have some actual facts about what went down, there’s 0 need to make any fuss. Twitter is already kinda doing that, sadly. Cyber security is way, way, WAY more intricate than the average Joe thinks it is, and when you’re working directly with financial institutions it is not something you take lightly, at all.

So this should not be panic-inducing but this does NOT look good for Patreon.

You don’t really lay off an entire security team and then outsource if you want any sort of continuity of operations in the near term of the next 18 months or so.

(Some background, I’ve been working in computer security now for about a decade and a half: In research, then operations at an antivirus company, in the operations team of a networking company. If you’re in computers, you’ve heard of them.)

This is PURELY a take from the outside but it looks as if there was no real transition plan from an internal team to the outsourced security team. There’s a lot of institutional knowledge that exists in any sort of IT/SecOps/etc. team; the sort of things that nobody writes down because “everyone knows it.” That goes right out the window when you lay off all, or even large parts, of a team. Even the best of transition plans leave holes in knowledge that have to be re-learned or re-architected (I myself have been asked for things I KNOW I’ve handed over after I’ve left.) There’s no transition plan that is perfect, but having no transition plan is the worst.

Furthermore, what Patreon announced publicly is at odds with what their former employees are saying:

We don’t have the whole story but the bits we do have don’t exactly add up, so something seems to be going on, and people should rightly be concerned.

The trick is, about what?

The easiest way to figure out what they COULD get is to look at the last time Patreon was breached, all the way back in 2015: They didn’t get credit card numbers, but they did manage to dump the entire Patreon database:

And yes that means DMs:

Personally, that’s the more concerning of the threat models, especially when PayPal is an available option for paying Patreon.

My concern would be the personal, not public data (addresses, etc) that I keep in Patreon plus any sorts of sensitive DMs or anything in there. If you don’t have the list of your active subscriptions public, it’s not unreasonable to be concerned about that too in the event of a breach.

But all that being said: Just because a security team was laid off yesterday doesn’t mean it’s more likely they’re going to be breached today. The concern should be a forward looking one because:

1) The replacement is going to need time to transition, which means there’s a likely lack of oversight in policies and monitoring.
2) Management thought this was a good idea which sets the tone for security decisions being made in the future.

athingofvikings:

ultrafacts:


For which he was the first engineer to be called a “steely-eyed missile man”.

The full story is amazing.

So Apollo 12 was struck by lightning 36 seconds after liftoff, which caused a power surge for obvious reasons. Instruments began to malfunction, telemetry was garbled, and the Flight Director was about to order the mission aborted.

However, a year before, Aaron had been observing a test at Kennedy Space Center and noticed some unusual readings during the test. On his own, he dug into the data and equipment, and found that the weird readings came from the little-known Signal Conditioning Equipment (SCE) system, and that it could be set to Auxiliary, allowing it to operate in low-power settings.

So he’d seen the readings of Apollo 12 before… and knew what to do. And gave the recommendation, “set SCE to Aux”, which was passed up by the Flight Director and CAPCOM to Apollo 12. They obeyed the order, and what looked like a disaster in the making–the freaking spaceship was HIT BY LIGHTNING!–was averted, as telemetry was restored, and Apollo 12 went to the Moon without incident.

Let me just repeat that:

The spaceship was hit by lightning, and this guy knew exactly which switch to flip to fix it.

There’s a couple of neat things about this:

(and a point of order: The rocket was struck TWICE: once at 36.5 seconds and again at 52 seconds)

1) The ROCKET itself was fine. At this point in the launch, guidance was controlled by the Saturn V’s instrument unit; the Apollo spacecraft is what was affected, but it was just shadowing the Saturn V’s guidance system.

2) The Commander (Pete Conrad) had no idea what that switch was; Alan Bean was the Lunar Module Pilot:

000:01:33 Conrad (onboard): We’ve got a short on it of some kind. But I can’t believe the volt…
000:01:36 Carr: Apollo 12, Houston. Try SCE to Auxiliary. Over.
000:01:39 Conrad: Try FCE to Auxiliary.
000:01:41 Conrad (onboard): What the hell is that?
000:01:42 Gordon (onboard): Fuel cell…
000:01:43 Carr: SCE, SCE to auxiliary. [Long pause.]
000:01:45 Conrad (onboard): Try the buses. Get the buses back on the line.
000:01:48 Bean (onboard): It looks – Everything looks good.
000:01:50 Conrad (onboard): SCE to Aux.
000:01:52 Gordon (onboard): The GDC is good.

The thing NASA took away from this:

“Don’t be stupid enough to launch in a thunderstorm!” –Dick Gordon

lulii999:

Back from my hiatus with another drow: my bladesinger wizard, Lothric.

Problematic middle child, aristocratic menace, and posh party boy who took it a step too far and found himself exiled from his safe, protected homeland and into the apocalyptic wastelands of the Endless Night just outside.

It’s okay though…they’ll take him back…

…surely.

Very excited to play him for an upcoming oneshot.

sandersstudies:

sandersstudies:

solarpoweredcreature:

sandersstudies:

Very torn between “Queen Elizabeth is a colonizer” and “but I do want her to outlive her stupid son”

Personally I think it would be funnier if he dies incredibly quickly after he gets the crown. Like world record shortest time with the crown quickly

You’re illuminating me. Heart attack the moment the crown touches his balding scalp.

Prince Charles dies on live television during his coronation likes charge reblogs cast

ms-demeanor:

By the way, the way that No Child Left Behind impacts the trade worker shortage in the US is because in about 2002 shop classes, home ec classes, auto classes, etc, had their funding diverted into teaching kids how to pass standardized tests so that the schools could continue to pay teachers and keep the library open.

It’s hard to figure out that you might be interested in plumbing as a career when you’ve spent twelve years learning how to pass multiple choice tests and having ceramics and band as the only available electives.

This is one place where I actually WILL do the generational thing and say that Millennials and Gen Z got completely fucked in a way that older generations didn’t.

It’s actually really fucking hard to repair a cabinet when you’ve never had a shop class. It’s really goddamned difficult to learn everything about car maintenance on your own through youtube videos instead of in a semester of auto shop. It’s really goddamned difficult to figure out you want to be a plumber or an electrician or a welder when you are eighteen years old, have been taught to pass tests and cajoled into applying for college, and you’ve never handled an air compressor or used a socket wrench.