After the storm - suggestions

35 replies

akkakk · 19/08/2015 23:03

During today there have been various good suggestions about what perhaps should happen afterwards going forwards - and I thought it might be useful to have them in one place...

Just to acknowledge:

  • Mumsnet is a commercial operation - so ultimately their decision
  • Mumsnet has no value without its users, so their opinion is v. important
  • Mumsnet has a really strong role particularly for those who at times are vulnerable / needing help & support etc. - so security is very important.

Random thoughts - so add yours...

Security Audit
After this is all over, MN should bring in an established / expert external company to run a security audit

  • software scan for vulnerabilities
  • human scan

Penetration Testing
They should then set up a test version of the site / offline version and pay a company to regularly run penetration testing against it... if it has dummy data in it, we could all play and maybe prizes for any successful hacking :)

Software Audit
They should get a company in to run a software audit looking at old code / current code /vulnerabilities / efficiencies / etc. However good coders might be, it is easy to make mistakes - having another company as a sounding board is very helpful

Software Updates
All software updates should be externally audited before going live
All software updates should go via the test site for penetration testing and vulnerability checking before going live

Passwords
When you log in, the script sees your clear-text password, encrypts it and then checks it against the stored password. At that point in the script there could be an analysis of how secure it is; if it is not secure enough, make the user change it. In theory all should be more secure with the recent change, but security needs will undoubtedly change and this is the place to do it...

Future Hacking
If this happens again, there should be a strict procedure:

  • take site offline
  • put up message
  • use facebook to communicate with users / issues
  • test offline
  • fix
  • back online

Online Protection
Evaluate the need for stronger online protection, using companies like Verisign to protect against DDoS etc.

any other thoughts - do add them!

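The "Passwords" idea above (check the clear-text password against the current policy at the one moment the server sees it, and force a change if it fails) as an added example. This is not Mumsnet's code or anything from the original post; the scrypt parameters, the 12-character minimum and the tiny common-password set are assumptions standing in for a real policy, and the example also shows the related upgrade: if the stored hash was made with out-of-date parameters, re-hash it during that same login.

```python
"""Login-time password policy check (added example, not Mumsnet's code).

Assumes a user record that stores an scrypt hash together with its salt and
the work-factor parameters it was made with. Login is the only time the
server holds the clear-text password, so that is where it can (a) measure
the password against the *current* policy and (b) transparently re-hash it
if the stored hash was made with parameters that have since been raised.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Assumed current policy; raise these when security needs change.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}   # scrypt work factor
MIN_LENGTH = 12
# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "mumsnet"}


def hash_password(password, params=None, salt=None):
    """Return a record {salt, digest, params}; params default to the current policy."""
    params = dict(params or CURRENT_PARAMS)
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=32)
    return {"salt": salt, "digest": digest, "params": params}


def verify_password(password, record):
    """Recompute with the record's own parameters and compare in constant time."""
    p = record["params"]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=p["n"], r=p["r"], p=p["p"], dklen=32)
    return hmac.compare_digest(candidate, record["digest"])


def password_weaknesses(password, username):
    """Reasons the clear-text password fails the current policy (empty list = acceptable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if username.lower() in password.lower():
        reasons.append("contains the username")
    if re.fullmatch(r"[A-Za-z]+\d{0,4}[!?.]?", password):
        reasons.append("is a single word with optional trailing digits")
    return reasons


def needs_rehash(record):
    """True when the stored hash was made with parameters other than the current policy."""
    return record["params"] != CURRENT_PARAMS


@dataclass
class LoginResult:
    ok: bool
    must_change: bool
    reasons: list = field(default_factory=list)
    record: dict = None   # possibly upgraded hash record for the caller to write back


def login(username, password, record):
    """Verify, then use the clear text we hold right now to grade and, if needed, re-hash."""
    if not verify_password(password, record):
        return LoginResult(ok=False, must_change=False, reasons=["bad credentials"], record=record)
    reasons = password_weaknesses(password, username)
    if needs_rehash(record):
        record = hash_password(password)  # upgrade the hash while the clear text is available
    return LoginResult(ok=True, must_change=bool(reasons), reasons=reasons, record=record)


if __name__ == "__main__":
    # Constructed legacy record: weak password hashed with a low work factor.
    legacy = hash_password("mumsnet1", params={"n": 2 ** 10, "r": 8, "p": 1})
    result = login("jane", "mumsnet1", legacy)
    print(result.ok, result.must_change, result.reasons, result.record["params"])
```

The caller acts on `must_change` by redirecting to the change-password page before granting the session, and persists `result.record` whenever it differs from what was loaded. Because the policy lives in `password_weaknesses` and `CURRENT_PARAMS`, tightening it later needs no data migration: every account is re-graded the next time it logs in.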
HoneyDragon · 19/08/2015 23:11

And monetary donations people wish to make should be sent to me

catzpyjamas · 19/08/2015 23:12

staffing
-Employ Akaka?

catzpyjamas · 19/08/2015 23:13

Or even akkakk
-sort my autocorrect

Maryz · 19/08/2015 23:31

This reply has been deleted

Message withdrawn at poster's request.

ChristineDePisan · 19/08/2015 23:44

Remember that you cannot over communicate (I'm still seeing posters on threads asking "what is this list, should I worry if I'm on it?").

If you don't have in-house capacity for emergency comms, get a specialist agency on the books. There's been no sense of a clear comms strategy (key messages, call to action etc), and some of the messaging has been either disingenuous, misleading or potentially dangerous (eg advising posters to go onto the hacker's website to check whether they are on the list...). This is expert territory, don't be afraid to admit you need assistance in a crisis

Make proper use of the comms channels that you do have (why are you tweeting about flannels and campaigns? Why isn't the most recent tweet a "we are open for business again but please re-set your password"?)

Pedestriana · 19/08/2015 23:44

Penetration testing - sorry, can't stop giggling. Sometimes it's as if I'm 12.

IgnoreMeEveryOtherReindeerDoes · 19/08/2015 23:55

Still think a ignore poster button should be added

BertieBotts · 20/08/2015 00:03

Haiwai? Where the fuck is that? Grin

HoneyDragon · 20/08/2015 00:08

I appear to have misplaced an i Confused

How embarrassing.

BertieBotts · 20/08/2015 00:09

In fact Haiwai appears to be a Japanese expat site based in San Francisco.

It has such interesting page titles as:
Jewish Wealth Education
Deal with leftover bread coup
American baby learning to teach Chinese
US Green Card science
Shaoxing Prime Razor
Restaurant to find someone to sell

Blimey, sounds fun Grin Maybe I'll come too!

HoneyDragon · 20/08/2015 00:11

I still can't believe I missed that .... Although Bertie's now explained why autocorrect didn't help either, it's an existing place Grin

WellWhoKnew · 20/08/2015 00:11

Ban "Interesting first post OP" as a comment for the next few months....

BertieBotts · 20/08/2015 00:17

Oh it's not, but that was the only google result which wasn't also a misspelling.

BoreOfWhabylon · 20/08/2015 00:25
cozietoesie · 20/08/2015 12:27

I'd like to keep alive the notion of eg a webchat on personal computer security which was mentioned a few times by other posters on threads in the last few days. Yes, MN's own security and integrity should be reviewed continuously and necessary changes implemented but I think there would have been much less trouble - and MN would therefore present a less attractive target - if people's personal IT security was a little less fragile than it currently seems.

There are probably a lot of users out there who are feeling quite anxious and uninformed at the moment so anything to raise awareness could be a good idea. (Even if it might generate some awkward questions for MNHQ. Even then. )

TheSuggmeister · 20/08/2015 13:07

akkakk

These are great suggestions.

Fixing the mixed-mode (HTTPS/HTTP) issues on the main Login page would be a good start in lieu of a security review's findings.

Cheers
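The mixed-mode problem the post above refers to (a login page served over HTTPS that still pulls scripts, styles or images over HTTP, or posts the form to an HTTP URL) is mechanical to check for. The scanner below is an added example, not Mumsnet's code and not something from the post; the page URL, hostnames and HTML are constructed for the demo and do not describe the real site.

```python
"""Mixed-content check for a login page (added example, not Mumsnet's code).

Parses the HTML of a page that was served over HTTPS and reports every
sub-resource or form target that would travel over plain HTTP. The page URL
and the sample HTML are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute carrying the URL. Active content can rewrite the page (and
# modern browsers block it); passive content can only be observed or swapped.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (severity, what, resolved_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Worst case on a login page: the credentials themselves leave in clear text.
            self._check("critical", "form action", a.get("action"))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._check("high", "link stylesheet", a.get("href"))
        elif tag in ACTIVE:
            self._check("high", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("low", tag, a.get(PASSIVE[tag]))

    def _check(self, severity, what, url):
        if not url:
            return
        # Relative and scheme-relative ("//cdn/...") URLs inherit https from the page.
        resolved = urljoin(self.page_url, url.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((severity, what, resolved))


def scan_mixed_content(page_url, html):
    """Return findings for an HTTPS page; empty list means no mixed content."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for a page served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed login page containing the kinds of mistakes the check is meant to catch.
SAMPLE_PAGE_URL = "https://www.example.invalid/login"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="stylesheet" href="http://static.example.invalid/old.css">
  <script src="//cdn.example.invalid/jquery.js"></script>
  <script src="http://www.example.invalid/js/tracking.js"></script>
</head><body>
  <form method="post" action="http://www.example.invalid/Login">
    <input name="username"><input name="password" type="password">
  </form>
  <img src="http://www.example.invalid/img/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for severity, what, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:8} {what:16} {url}")
```

Run it against the fetched HTML of the real login page instead of `SAMPLE_HTML`; anything rated `critical` or `high` should be fixed before a pentest is even commissioned, since an attacker on the same network can replace an HTTP script or redirect the form and collect passwords without touching the server at all. A page that only uses relative or scheme-relative URLs and an HTTPS form action produces no findings.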

Fiderer · 20/08/2015 13:10

Webchat - yes. I think Justine acknowledged that.

Facebook if site is offline - no. Not all of us use FB.

Use akkakk to help when things go skew-whiff - yes.

Get rid of the bloody annoying drop-down menus, deranged spaghetti dog & deranged pregnant plait woman & all their deranged looking children/babies. - yes yes yes*

*Just sneaking that one in. Again.

Fiderer · 20/08/2015 13:25

And yes I know MNHQ have more important things to do this week but anyone who has (involuntarily) hovered over "Life & Style" and "Work" knows what I mean. That's without the fecking dog.

RepeatAdNauseum · 20/08/2015 13:27

Justine has said that there is already an external security company testing the site at the moment.

cozietoesie · 20/08/2015 14:25

It's the 'at the moment' that worries me, Repeat. A big internet site like this should be under continuous review surely?

Who was it who said something like 'If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.' ?

Just a thought for the future.

Jasonandyawegunorts · 20/08/2015 14:29

Who was it who said something like 'If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.'

  • Hercule Poirot

RepeatAdNauseum · 20/08/2015 14:32

Ahhh I see what you mean, Cosie. Yes, it would be standard to do this regularly to avoid new issues being undetected.

Hopefully the cyber security team will advise MNHQ of that though. It's probably worth the additional cost to see the site stable.

leedy · 20/08/2015 14:57

"It's the 'at the moment' that worries me, Repeat. A big internet site like this should be under continuous review surely?"

Continuous/frequent internal review, definitely, I can't imagine people paying an external security consultant to audit them on a daily basis (not least because I'd imagine it would be ruinously expensive).

leedy · 20/08/2015 15:00

But yes, I'd imagine regular external audits would be a good idea.

ItsAllGoingToBeFine · 20/08/2015 15:14

Someone else suggested this:

An ability to see what devices you are logged in with, and an ability to log them off through your account settings (useful when you forget to logout in airport, or if unauthorised access of account)

This may already exist, but it shouldn't be possible to simply change your email address from within your account - it should require some sort of confirmation link sent to original email address - this stops accounts being easily taken over.

Some people seemed to be horrified that what they were posting was now out there on the internet with their username attached - perhaps a gentle reminder next to posting box that whatever you post is out there for anyone to see.

MNHQ have massively improved their communication over the course of this event, I would hope they would continue to work on this.

Invest in better protection against DDOS attacks?

Invest in sorting out their software, possibly moving across to a commercially available system. As far as I know this is a custom site, one of a kind, which makes it harder for them to stay ahead of the script kiddies. Something like wordpress as an example continually releases new patches etc to stay ahead - does/can MN?

Sort out their mass emailing - yes they have zillions of subscribers, and yes they have to send out in batches, but it was still very slow. Surely they could have eg sent out emails to those logged in first? As part of this they could automatically "hibernate" accounts that have not been posted on or logged into for x months. This would mean they have active users and inactive users which could speed up responses.
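
The first two suggestions in the post above (see and log out the devices you are logged in on; only change the account email after confirming via the original address) as one added example of how the account side of that could work. This is not Mumsnet's code or anything the poster wrote; it is an in-memory sketch with constructed names and addresses, the one-hour confirmation window is an assumption, and the "outbox" stands in for a real mail system.

```python
"""Device sessions and confirmed e-mail changes (added example, not Mumsnet's code).

Two account-settings features: a user can see every device currently logged
in and log any of them out, and an e-mail address change only takes effect
after a link sent to the *original* address is followed. Everything is in
memory; the outbox is a constructed stand-in for a mail system.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token_hash: str     # only the hash is stored: a leaked table yields no usable cookies
    device: str
    ip: str
    created: float
    last_seen: float


class AccountSecurity:
    CONFIRM_TTL = 3600  # assumed: e-mail change links expire after an hour

    def __init__(self):
        self.emails = {}          # user -> current address
        self.sessions = {}        # user -> {session_id: Session}
        self.pending_email = {}   # user -> (new_email, token_hash, expires_at)
        self.outbox = []          # (to_address, message) pairs "sent"

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    # --- sessions ---------------------------------------------------------
    def login(self, user, device, ip, now=None):
        """Create a session; returns (session_id, bearer token) for the cookie."""
        now = time.time() if now is None else now
        sid, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.sessions.setdefault(user, {})[sid] = Session(self._digest(token), device, ip, now, now)
        return sid, token

    def authenticate(self, user, sid, token, now=None):
        s = self.sessions.get(user, {}).get(sid)
        if s is None or not hmac.compare_digest(s.token_hash, self._digest(token)):
            return False
        s.last_seen = time.time() if now is None else now
        return True

    def list_sessions(self, user):
        """What the settings page shows: id, device, ip, timestamps (never the token)."""
        return [(sid, s.device, s.ip, s.created, s.last_seen)
                for sid, s in self.sessions.get(user, {}).items()]

    def revoke(self, user, sid):
        """Log out one device, e.g. the airport machine you forgot about."""
        return self.sessions.get(user, {}).pop(sid, None) is not None

    def revoke_all_except(self, user, keep_sid):
        """'Log out everywhere else', for use after suspected unauthorised access."""
        mine = self.sessions.get(user, {})
        dropped = [sid for sid in mine if sid != keep_sid]
        for sid in dropped:
            del mine[sid]
        return len(dropped)

    # --- e-mail change ----------------------------------------------------
    def request_email_change(self, user, new_email, now=None):
        """Stage the change; the confirmation goes to the CURRENT address only."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending_email[user] = (new_email, self._digest(token), now + self.CONFIRM_TTL)
        self.outbox.append((self.emails[user],
                            f"Confirm change of your address to {new_email}: token {token}"))
        # Nothing is returned: the token reaches the user only through the old mailbox.

    def confirm_email_change(self, user, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending_email.get(user)
        if entry is None:
            return False
        new_email, token_hash, expires_at = entry
        if now > expires_at or not hmac.compare_digest(token_hash, self._digest(token)):
            return False
        self.emails[user] = new_email
        del self.pending_email[user]
        return True


if __name__ == "__main__":
    acct = AccountSecurity()
    acct.emails["jane"] = "jane@example.invalid"          # constructed user
    home, _ = acct.login("jane", "Firefox on laptop", "203.0.113.5")
    kiosk, _ = acct.login("jane", "Chrome on airport kiosk", "198.51.100.9")
    acct.revoke("jane", kiosk)
    print(acct.list_sessions("jane"))
    acct.request_email_change("jane", "jane.new@example.invalid")
    print(acct.outbox[-1])
```

The point of routing the confirmation through the original address is that someone who has merely hijacked a live session (a stolen cookie, an unattended kiosk) cannot swap the address and then use "forgot password" to lock the real owner out. Storing only a hash of the session token and of the confirmation token means a copy of the database does not hand over working credentials, and `revoke_all_except` is the natural first step once a user suspects a compromise.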
