[New post] Should You Delete Your Patreon Account After They Laid Off Their Entire Security Team?
Soatok posted: " Last night, the Internet learned that Patreon fired their entire security team, abruptly. https://twitter.com/wbm312/status/1567981004555698176 Archived We also learned that the primary motivation was outsourcing. https://twitter.com/kevincoll" Dhole Moments
People digging into this story have also reported that Patreon has also been cutting their security vendors for months and there was no clear motivation for the layoffs.
"They been cutting our vendors for the past 4 months," the former security employee told me "There is no qualified security personal."
InfoSec Twitter's response to this news was overall measured and appropriate given past experience with dysfunctional companies and the narrative contradictions we've already observe.
>What makes you say that?
Every company considers security to be a cost center that provides no value. While on the surface, that's true, often your security (and IT/Devops) staff are the only thing between the bad guys and everything important in your network.
Not everyone has been calm and focused in their reactions, and I've been asked by several people whether or not they should delete their Patreon accounts in response to this news.
In light of both observations, I'd like to take a moment to explain:
What we actually know, and what the risks are based on that knowledge.
Why I ultimately chose to delete my Patreon account.
Alternative platforms that artists and creators may want to migrate onto.
But before that, let me briefly introduce myself to people who aren't regular readers of my blog. Feel free to skip that section if you don't care.
Who Are You, Soatok?
I'm a furry blogger who also happens to work as a security engineer for the cryptography team at a large technology company.
As a result of both my profession and my hobby, I maintain a modernized fork of the open source PHP library for Patreon's API. My only interest in doing so was to make it easier for artists and technologists to secure their own widgets that integrate with Patreon.
Why Does This Matter?
Through my career (which I try, in almost all circumstances, to keep separate from my hobbies), I've been directly responsible for reviving security teams after total staffing shortages before--albeit notas a result of layoffs, so I still had some institutional knowledge (and limited access to the employees with the relevant undocumented muscle memory; who had transferred to other teams in the same company).
Rebuilding from zero without that? Good luck.
What We Actually Know About Patreon Laying Off Their Entire Security Team
The Facts:
Patreon did actually lay off an entire Security Team
Ellen Satterwhite, Patreon's Interim Head of Communications & US Policy Lead, claims this was a result of a "strategic shift" of a portion of their security program
Ellen also stated that Patreon relies on external organizations to assess their security against industry standards
There is also some speculation in security back-channels that Patreon is in a similar situation to Equifax's in 2017, but that remains to be seen.
More pressingly, a lot of people have expressed concern over the security of payment and/or payment card information.
ahahahaha good thing there's no secure financial information on patreon!!!! good thing there are no independent creators who depend on patreon to survive!!!!!!! https://t.co/3sYRNLR1AV
They are a FINANCIAL INSTITUTION, no matter what they may claim otherwise. Firing their in-house team is the very height of stupid in this day of cyber risks.
I can sympathize where people are coming from, but there's little reason for alarm on this specific point.
Patreon outsources most of their risk to Stripe and PayPal. They don't process payments themselves.
Even if the limited access Patreon has to your financial accounts is leveraged by an attacker, there's sufficient audit trails to reverse any unauthorized transactions.
Our financial systems are designed to tolerate an optimally non-zero amount of fraud. Even if we assume that firing an entire Security Team would result in an overall reduction in security for Patreon, your risk calculus shouldn't change much.
Risk: Supporter Deanonymization
Attackers would, generally speaking, be far more interested in the blackmail potential for subscriber information. After all, a lot of Patreon pledges go to support NSFW and kink content creators.
While there's nothing wrong with kink, sexuality, pornography, or sex work, many people aren't in a position to comfortably and shamelessly live their best lives.
This means threatening to reveal their Patreon pledges to their family, local community, or employer may be sufficient to extort a few cyberbucks out of them. Why even bother with ransomware at that point?
Risk: Foolish Leadership
As stated above, firing an entire Security Team means removing any possibility of retaining critical institutional knowledge and muscle memory necessary for operational and security excellence within the scope of that Team's responsibility.
In plain terms: This is a boneheaded business decision on the best of days.
While it's possible that there are other factors at play that resulted in this decision being the least bad outcome for the company, none of those factors are good to begin with.
Yeah, just about every scenario I can think of falls under A. There are many rationales, but that's still the reason
In the coming months, I'd encourage Patreon users to at least pay careful attention to any news stories about security breaches or ill-advised mergers/acquisitions that pre-date September 8, 2022.
The most valuable currency of any long-term business is trust.
Trust is easy to lose and hard to earn. The primary way companies can earn trust is through transparency, consistency, and fairness.
If you lack transparency, you will always look like you're hiding something.
If you lack consistency, people won't know what to expect, and will default to caution.
If you lack fairness, people will develop a negative opinion of you, which means they will never trust you; even if only out of spite.
There's definitely more to trust than that, but these are essential elements.
Firing an entire Security Team without warning undermines my ability to trust Patreon. This fails all three components I outlined above.
Transparency: It was reportedly unclear to the employees why this happened
Consistency: This isn't typical behavior for Patreon
Fairness: Laying off an entire Security Team is difficult to justify (and none was given, so...)
My other motivation is solidarity with the laid-off employees.
I cannot, in good conscience, financially support a company that treats their security teams this way.
I'm personally less concerned about my financial information (which was scoped down to "granted revocable permission to my PayPal account") or the risk of blackmail attempts (anyone who doesn't know I'm a furry is generally someone whose opinion I won't lose sleep over souring if they find out).
However, my risks are not your risks. If you're likely impacted by either outcome, adjust accordingly.
How Can We Still Support Creators Without Patreon?
Ultimately, the onus will be on the creator to accept recurring donations from more platforms in order to continue your support.
For the furry fandom, at least, most of us already have a Ko-fi account. Did you know Ko-fi has a monthly subscription feature too?
It's not completely straightforward, but it's tractible.
Closing Statements
This blog post, like literally everything else published on this blog, is the sole opinion of a computer nerd that presents as a talking blue cartoon canid on the Internet.
I do not represent any company (especially my employer) in any capacity.
I hope by tackling this topic with balance and nuance, everyone is able to calmly make the best decision for themselves and their personal risk profile.
i cant 
Greg | Disaster Enby Punk
(@Greg_Sideyr) 
No comments:
Post a Comment