
After the storm - suggestions

35 replies

akkakk · 19/08/2015 23:03

During today there have been various good suggestions about what perhaps should happen afterwards going forwards - and I thought it might be useful to have them in one place...

Just to acknowledge:

  • Mumsnet is a commercial operation - so ultimately their decision
  • Mumsnet has no value without its users, so their opinion is v. important
  • Mumsnet has a really strong role particularly for those who at times are vulnerable / needing help & support etc. - so security is very important.

Random thoughts - so add yours...

Security Audit
After this is all over, MN should bring in an established / expert external company to run a security audit

  • software scan for vulnerabilities
  • human scan

Penetration Testing
They should then set up a test version of the site / offline version and pay a company to regularly run penetration testing against it... if it has dummy data in it, we could all play and maybe prizes for any successful hacking :)

Software Audit
They should get a company in to run a software audit looking at old code / current code /vulnerabilities / efficiencies / etc. However good coders might be, it is easy to make mistakes - having another company as a sounding board is very helpful

Software Updates
All software updates should be externally audited before going live
All software updates should go via the test site for penetration testing and vulnerability checking before going live

Passwords
When you log in the script sees your clear text password - encrypts it and then checks against the stored password - at that point in the script there could be an analysis on how secure it is - if not secure enough, make the user change it. In theory all should be more secure with the recent change, but security needs will undoubtedly change and this is the place to do it...

Future Hacking
If this happens again, there should be a strict procedure:

  • take site offline
  • put up message
  • use facebook to communicate with users / issues
  • test offline
  • fix
  • back online

Online protection
evaluate the need for stronger online protection - using companies like Verisign to protect against DDoS etc.

any other thoughts - do add them!

OP posts:
noblegiraffe · 20/08/2015 15:21

Given that an XSS vulnerability was apparently exploited (per 8chan discussions), I would suggest that if these three further vulnerabilities haven't been addressed (they were made public in January and were unpatched as of the 19th August), then perhaps they should be:

www.xssposed.org/incidents/53475/ (it's a web security site, not a hacking site)
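The post above says an XSS vulnerability was exploited but gives no detail of it, so what follows is only the generic pattern behind stored XSS on a forum, as an added example and not Mumsnet's code: a renderer that interpolates user text straight into markup next to one that HTML-escapes it and refuses link URLs whose scheme is not http(s). The function names and the `<div class="post">` layout are assumptions made for the example.

```python
import html
from urllib.parse import urlparse

# Only these URL schemes are allowed to become clickable links in a post.
SAFE_URL_SCHEMES = {"http", "https"}


def render_post_unsafe(author: str, body: str) -> str:
    """The pattern that makes stored XSS possible: raw user input placed into HTML.

    Kept here only as the 'before' for comparison; nothing should call it in production.
    """
    return f'<div class="post"><b>{author}</b>: {body}</div>'


def render_post(author: str, body: str) -> str:
    """Escape every user-controlled value at the point it enters HTML text content."""
    return '<div class="post"><b>{}</b>: {}</div>'.format(
        html.escape(author), html.escape(body)
    )


def safe_link(url: str, text: str) -> str:
    """Render a user-supplied link only when its scheme is http or https.

    Anything else (javascript:, data:, vbscript:, ...) is dropped and the visible text
    is returned escaped, so the post still reads sensibly but cannot run script.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in SAFE_URL_SCHEMES:
        return html.escape(text)
    # quote=True also escapes " and ' so the value cannot break out of the attribute.
    return '<a href="{}" rel="noopener noreferrer">{}</a>'.format(
        html.escape(url, quote=True), html.escape(text)
    )


if __name__ == "__main__":
    # Constructed sample input: a post body that carries a script tag.
    sample = "<script>alert(1)</script>"
    print(render_post_unsafe("alice", sample))   # script tag survives
    print(render_post("alice", sample))          # script tag is rendered as text
    print(safe_link("javascript:alert(1)", "click me"))
```

Escaping at output time is the part that closes the hole; input filtering on its own is easy to get wrong. A Content-Security-Policy header that disallows inline script is a useful second layer, but it does not replace output encoding.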

ChristineDePisan · 20/08/2015 17:12

MN's comms have been decidedly better than Ashley Madison's - I heard an audio on the radio this morning of their answer phone messages: when you call their complaints number, it says "we did promise that you would get screwed, there's nothing more we can do now". And the customer service number says something like "we are experiencing exceptionally high volumes of calls right now. If your wife hasn't cut off your dick yet and you still want to speak to someone, please hold - our current wait time is 72 hours" [shocked] Grin

ItsAllGoingToBeFine · 20/08/2015 18:20

Grin although I strongly suspect MNHQ would like to set a similar autoresponder to all emails and seek oblivion at the bottom of a gin bottle

Icouldbesogoodforyou · 20/08/2015 19:01

Agree with itsallfine - I think although this situation has caused a lot of anxiety it is a reminder for people to be aware that whatever they post on the Internet is entirely public.

I've been quite surprised by the panic of people now saying how their private life is private - it's not private at all if you're telling an Internet forum with millions of users!

Unless you're some kind of technical genius you are never truly anonymous on the Internet. And I'm sure the tech geniuses will tell me that other it's not really possible even if you are a tech genius!

I think the lesson is don't put anything on the Internet that you wouldn't want to somehow be linked to you in 'real life'. Because there's a possibility it could happen.

And don't be pissed off if you've put a huge amount of info about yourself 'out there' in cyberspace putting responsibility on other organisations to protect that on your behalf.

Because no system is invulnerable and we've seen that in the last few days.

Inertia · 21/08/2015 11:09

Given the number of people worried about details that have been sent via personal message, I wonder whether there's any objection to MNHQ deleting all PMs completely.

Moving forward, MN users should probably be discouraged from exchanging home addresses via PM when on threads like the clothing exchanges - perhaps it would be better to exchange email addresses, and then swap home addresses via email so it's external to MN?

Simurgh · 21/08/2015 11:47

I suspect that to be a target of those scammers who are prepared to put in the time and effort to ferret in that way, you would have to make it worth their while in some way - e.g. be very very rich or very very famous. (I except those people who come on MN who are the victims of personal stalking behaviour or DV who have a justifiable anxiety about their personal safety.)

akkakk · 21/08/2015 13:08

Inertia I think that is more about personal choice / good practice - not necessarily needing to be a MN policy...

My feeling is that MN have the responsibility to make the platform safe and secure - users have the responsibility over information they share and should assume it is never secure.

That way, a happy future.

OP posts:
tribpot · 22/08/2015 13:43

Absolutely yes to this. Invest in sorting out their software, possibly moving across to a commercially available system - which would also allow them to lock threads, have an ignore poster feature, etc. Suggested on another thread is auto deletion of PMs after a period of time, auto-locking of threads after a period of time, perhaps archiving of older threads so that you have to be logged in to search for them.

Definitely agree with this: MNHQ have massively improved their communication over the course of this event - they seemed extremely ill-prepared (and btw behind the scenes you should be doing fire drills on this type of scenario) but have put in a lot of effort to become more responsive. As well as the level of comms, think about tone. Don't treat this as some kind of jokey 'pass the gin' stuff, we now know this is serious shit. Treat your users like grown ups (as MN are now doing).

Use Twitter for comms when the site is offline - no-one needs to have a Twitter account or a Twitter app installed to view this page: twitter.com/MumsnetTowers

Close the site to new registrations whenever an incursion is suspected.

Sort out how to do a forced log out, was that ever actually achieved?

Auto expire passwords. Security experts tend not to favour this but in this case it will stop people being able to use the same one for iTunes as for MN.

Better certificate security for the site itself, which would have chucked a bloody great warning up when Jeffrey's login page appeared, purporting to be MN.

Yes to a webchat.

Piratejones · 22/08/2015 14:17

I agree with Tribpot; while I understand you couldn't and still can't tell us everything, we should have been told as soon as possible the basic facts of the situation and that it was serious.

The first day the list was made public and MNHQ didn't want to close the site, I understand why this was but there should be a way to close everything but the support sections (So Chat, telly addicts, AIBU, crafts and so on can't be accessed, new members can’t sign up). This would have reduced the amount of reports and activity but left essential sections open for those that needed it.

On the whole although things started off badly I have to say you've all stepped up your game since the first day.

LibrariesGaveUsP0wer · 22/08/2015 14:41

I would like to see forced lockout if you mistype the password five times.

Ideally that thing Facebook does where you get a notification if a new device logs in to your account.

A Web chat on security. My passwords are mostly ok but stupidly I hadn't thought about the fact that, if I was given 25 characters it was best to use most of them. Would also like to understand if those password programmes are recommended or just putting all your eggs in one basket.
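Three of the suggestions in this thread can be shown in one login routine: akkakk's point that the clear-text password is only available at login, so that is where a strength policy can be applied and a change forced; the five-strikes lockout asked for just above; and the new-device notification. The code below is an added example, not Mumsnet's code or anything the posters wrote, and it assumes an in-memory user record with a salted PBKDF2 hash, a constructed `device_id` string standing in for whatever a real site would use to recognise a browser, and invented names (`login`, `password_is_weak`, `MAX_FAILED_ATTEMPTS`) for the pieces.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Policy constants for this example (not Mumsnet's real settings).
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5      # lock after the fifth wrong password
MIN_PASSWORD_LENGTH = 12
MIN_CHARACTER_CLASSES = 3    # of lower, upper, digit, other


@dataclass
class User:
    """Constructed in-memory user record; a real site would keep this in its database."""
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False
    known_devices: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username=username, salt=salt, pw_hash=hash_password(password, salt))


def password_is_weak(password: str) -> bool:
    """Strength policy. It can only run while the clear-text password is in hand,
    i.e. at login or when a password is set, which is akkakk's point above."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes < MIN_CHARACTER_CLASSES


def login(user: User, password: str, device_id: str) -> dict:
    """Verify the password, enforce the lockout, and report policy events to the caller."""
    if user.locked:
        return {"ok": False, "reason": "locked"}

    candidate = hash_password(password, user.salt)
    # Constant-time comparison so timing does not leak how much of the hash matched.
    if not hmac.compare_digest(candidate, user.pw_hash):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True
            return {"ok": False, "reason": "locked"}
        return {
            "ok": False,
            "reason": "bad_password",
            "attempts_left": MAX_FAILED_ATTEMPTS - user.failed_attempts,
        }

    user.failed_attempts = 0
    result = {"ok": True, "must_change_password": False, "new_device": False}

    # The password is in clear text right here, so apply the current policy now.
    if password_is_weak(password):
        user.must_change_password = True
        result["must_change_password"] = True

    # First sight of this device: the caller should send the "new device logged in" notice.
    if device_id not in user.known_devices:
        user.known_devices.add(device_id)
        result["new_device"] = True

    return result


if __name__ == "__main__":
    # Constructed sample accounts and attempts.
    alice = create_user("alice", "correct-Horse-battery-9")
    print(login(alice, "correct-Horse-battery-9", "laptop-uuid"))
    bob = create_user("bob", "password")
    print(login(bob, "password", "phone-uuid"))          # succeeds but must change password
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(login(bob, "wrong", "phone-uuid"))         # fifth attempt locks the account
```

One caveat on the lockout as written: the lock is permanent until an administrator clears it, so anyone who knows a username can lock its owner out by typing five wrong passwords. Production systems usually make the lock time-limited or rate-limit attempts per account and source address, and tell the account owner when it happens.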
