Salsa Scoop
A Few Notes on Security
Submitted Fri Nov 16 2007 12:05:36 GMT-0500 (EST)
DIA competitor Convio suffered a major security breach that unfolded publicly last week, as many readers may know. This post is well past its immediate news cycle, but we've quite understandably been asked in light of that event about our own security procedures as well, and wanted to put them on the record.

For anyone unfamiliar with the story, the thumbnail version is that a compromised password enabled an intruder to download scores of Convio clients' lists ... and that those downloads included hundreds of thousands or millions of plain text (rather than encrypted) versions of ordinary users' passwords. The NTEN blog summarizes the affair here. Allan Benamer's initial alert -- and accompanying comment thread -- have a lot more.

Any system could be hacked or compromised, of course; this is a risk all online providers face and strive to minimize -- we're doing the reflexive sympathetic wince over here that you do when someone on TV gets clobbered in a sensitive spot. But beyond the initial intrusion, the compromised passwords are the real problem. Since many users re-use the same passwords across many different systems -- including financial presences such as online banking, PayPal, amazon.com and the like -- it's potentially hugely damaging.

So, most importantly for users of DemocracyInAction's Salsa platform: this particular aspect of the breach has not happened and could not happen in our system. We use, and always have used, industry-standard one-way encryption algorithms to protect passwords for all users and campaign managers. Neither intruders nor organization administrators nor users themselves can ever actually see even their own password.
It's an uncomfortable affair for everyone, to be sure: Convio for having to own up to the attack; nonprofits who are themselves victims for having to play the heel by telling their own supporters about it (and just about the time of year they'll be asking those same supporters to entrust their credit card numbers to them); consultants who might have oiled the relationship. Perhaps that accounts for the odd cone of silence that's descended over the matter. Even when chatter broke on the invaluable Progressive Exchange e-mail list, there was a note of insistence -- and not at all pushed by Convio itself -- about closing the conversation. But to the contrary, there's a great need for that conversation. The aforementioned Allan Benamer, who has been all over this incident, gave a discouraging account of nonprofit inaction (along with useful guidelines for what an organization affected by a breach -- this or any other -- should do).
Don't sweep security breaches under the rug. By not disclosing publicly that your site has been breached and relying instead on [only] e-mail to notify your constituents, it shows that you're more worried about the effect on your organization instead of your constituents.

It's horrible to have to give this news to supporters -- to say something that many will hear as, "I've been careless with your private information" even if the organization hasn't been careless at all, and to impose a burden adding up to countless person-hours of manually changing passwords. But if we're in this space to do good by our fellow-beings, there's no way around the fact that you can't do them good by soft-pedaling the potential wholesale violation of their privacy by malefactors unknown. In fact, though I'm not a lawyer, I'd be concerned about legal exposure for insufficient diligence given the potential for financial injury.

And in the interest of following my own advice, DIA administrators who log into Salsa with passwords that they also use for other web properties should consider the possibility that those passwords have also been compromised. If it's been used to create a run-of-the-mill supporter account for an organization using Convio or GetActive, it would be a wise precaution to change Salsa passwords as well.