Yahoo is in the midst of sorting through the wreckage of a massive hack. Over half a billion accounts may have had their info stolen. The verdict is still out on Yahoo’s culpability: could they have prevented this, who was ultimately responsible, etc. No matter the case, Yahoo and its users will be experiencing a lot of pain!
Yahoo is even being sued for gross negligence.
I run a firm that builds websites and web tools. The repercussions for Yahoo scare me, but seem just.
The Parapet Principle
There is an wonderful, age-old, Judeo-Christian principle found in Deuteronomy 22:8called the “Parapet Principle”.
The idea is if you’re building a house you should make sure the roof has a parapet (railing) so that if you have a visitor they don’t accidentally fall due to your negligence. If they do fall because you neglected to build a parapet you are held responsible!
Organizations need to think of their websites, visitors, and data in the same way.
- A website visitor submits a form with identifying information. As the host, you must protect that information!
- A website visitor’s contact data and account login are stored on your servers; you better make sure you’ve taken every sensible precaution to secure that information!
Like it or not, people reuse passwords. If your database gets breached, it could mean your users’ bank accounts. Access is gained to an email account and the hackers have a treasure trove of mineable nuggets.
The Yahoo hack supposedly didn’t include passwords. It should also be noted that properly algorithmically hashed and salted storage of passwords means they are not easily decipherable even in the event of a breach.
Hackers can cleverly piece information together and build a profile on someone that results in devastating identity theft. This is very serious.
Everyone Should be Concerned About the Parapet
The individuals building the website should have a great deal of concern for the security of the tool they’re building.
The owner of the website should be very concerned. They should not sleep well at night if their “roof is missing a railing”.
The user should be cautious about what “houses” they visit, but they can only be so cautious. One would think a big reputable brand like Yahoo wouldn’t be a concern…
Building the Parapet is Really Hard
…especially the larger and more complicated the system. Security is built around layers that assume other layers may fail or be neglected.
The NSA spends a higher ratio of security-to-features than any other organization, and yet look at how Snowden was able to elevate privileges and steal data. If even the NSA, with all of the incredibly smart security staff and money invested could not prevent compromise, we should be somewhat understanding that breaches WILL happen.
We can’t make systems perfect, but the NSA’s saga and other big failures highlight how important it is that we spend more and care more about security.
Some might react fatalistically and say we need to spend LESS on security because even the NSA couldn’t prevent a type of breach, but that would be giving up.
Final Plea to Build the Parapet
There are plenty of great things the builders, owners, and users can do to decrease the risk of falling off the proverbial web roof: use (and force) strong passwords, encrypt your site traffic, properly secure data, have whitelists / blacklists, monitoring, etc.
The list of things that could possibly be done is never-ending. In fact, there are specialists, firms, and an entire industry that revolves around security.
What this might mean for you may be very different to the next guy.
One thing is certain…
We MUST all start caring about the parapet!
Blake Imeson runs the WordPress web firm, LimeCuda. They build strategic web presences for clients all over the world. Blake resides in East Lansing, Michigan, USA with his wife and son.