In this corner, Snapchat: “Snapchat was created by Evan Spiegel and Bobby Murphy – two Stanford guys who love building cool things.”
In this corner, Gibson Security: “Donate! We’re poor students, with no stable source of income.”
Round 1 – August 2013:
- GibSec informs Snapchat of a security vulnerability in their user database
- Snapchat does not respond
Round 2 – December 2013:
- December 24 – GibSec describes how a vulnerability based on the Snapchat API can be exploited to obtain Snapchat usernames and phone numbers
- December 27 – Snapchat responds in their blog Finding Friends with Phone Numbers … riddled with self-righteous spin such as:
- “potential bugs and vulnerabilities”
- “professionals who practice responsible disclosure”
- “a security group posted documentation for our private API”
- “an allegation regarding a possible attack”
- The blog goes on to describe the intended purpose of Snapchat’s Find Friends feature … and then describes the exploit itself, albeit as “theoretical”
- The blog closes with an attempt to illustrate Snapchat’s past, present, and future attention to the matter: “we’ve implemented various safeguards” … “we recently added additional counter-measures” … “we continue to make improvements”
- December 28 – Snapchat’s Director of Operations sends an email; GibSec replies on the same day with an offer to help; Snapchat does not respond.
Round 3 – January 2013:
- January 1 – 4.6 million Snapchat usernames and matching phone numbers are anonymously published as SnapchatDB
- January 2 – Snapchat responds again in their blog Find Friends Abuse … which takes the self-righteousness to a new level [my own annotations are added for emphasis]:
- “Find Friends is an optional service” [if your phone number was exposed, it’s your fault]
- “We acknowledged in a blog post last Friday that it was possible” [we’re very smart, and we were not surprised]
- Changes are being made “to address future attempts to abuse our service” [this is the third time we’ve used the word “abuse” … waaah … they’re not supposed to do that … waaah]
- When security experts “discover new ways to abuse our service” they should email us “so that we can respond quickly to address those concerns” [although we didn’t respond quickly before now … and did we mention that this is abuse? … waaah …]
- “We’re dedicated to preventing abuse” [there, we used the word “abuse” five times … they’re really not supposed to do that! … waaah]
After three rounds, by unanimous decision of the judges in the court of popular opinion: GibSec 3, Snapchat 0, and 4.6 million Snapchat users lose.
Stepping back from the specific details of the breach, how can we put this in perspective? I recently happened to pick up a book from my RSA Conference 2012 bag that began with an anecdote about a newly-appointed COO, who “had always thought of IT and security operations as being boat anchors to getting things done,” but was now the executive with the responsibility for IT and information security. In the book, he was described as a “security-obligated executive”.
That’s the lesson here, Evan and Bobby. We all get that you’re Stanford guys, and that you love building cool things. But when you run a business you also have to make grown-up decisions – and these include dealing with issues of security and privacy for your customers. Do it because it makes business sense to take care of the people that are ultimately the reason your business exists and succeeds … do it because it’s required by law … do it because it’s the moral and ethical thing to do … but do it because you are obligated, even though you would rather be building something cool.
Here’s a simple analogy: having our own car is also cool (most of us aren’t fortunate enough to have our Dad lease us a BMW 550i, but let that go). We love the freedoms it brings, and we love the feel of the wind in our hair as we drive in the warm California sunshine. But our car also has to be paid for … licensed … insured … maintained … repaired … and operated within certain well-established parameters. Doing these things isn’t at all why we wanted the car in the first place – but they are now things we are obligated to do.
So we grow up, and we do them.
And yes, sometimes people may steal our car, or scratch it without leaving a note, or cut us off in traffic – or many other kinds of “abuse.” But we grow up, and we deal with these issues too.
Look, I’m not confused here: GibSec is three poor students with no stable source of income; I’m just a guy who researches, writes, speaks, and teaches about information security; you’re a couple of rising stars who just turned down a $3 billion offer from Facebook for the very cool app that you have built. (Although I’m not in your primary demographic, I am a regular Snapchat user … my high school and college age kids use it to keep in touch. They might not visit, call, or write as often as we might like, but nothing says “I’m doing OK” quite like seven seconds of a funny-face selfie with a short annotation and a few squiggles on it.)
I’m really just repeating some pretty ancient advice – e.g., even Paul of Tarsus noted that “When I was a child, I spoke as a child, I understood as a child, I thought as a child; but when I became a man, I put away childish things.” It’s probably time to grow up, and the stakes are higher than you seem to think.
For more research and insights on the topic, visit Aberdeen’s IT Security page.