My thoughts on Torba's response to Gab's security breach

Posted by DC on Wed, 03/03/2021 - 21:35

Gab was hit with an embarrassing security breach last week.  I initially had some concerns about how it happened, and how the response was handled, but at this point Torba seems to have it under control and I'm not too worried.

Luckily for Torba, most of us Gab users are in it for the long haul, so we're willing to put up with a lot.

Parler was hit before Amazon flushed them, but they didn't respond.  They just ignored it and neither confirmed nor denied anything (that I saw; if they did, please let me know and I'll update this article).  Matze was fired shortly thereafter, and Bongino has sort of adopted an "I hardly knew them" position.

Gab's breach from what I've gathered was particularly embarrassing.  I've always been understanding of human errors and mistakes with my developers over the years, but there are a few exceptions that are worthy of termination.  Torba's developer would be gone if I were in charge.

Apparently he (the developer) committed two unforgivable sins from what I've gathered.  I didn't get into the code, but this article gives a highlight of what happened.

First, you ALWAYS clean user input, no exceptions.  If I had a dev who rolled code into production that receives user input but neglects to validate and clean the data, that would not be good for them.

Even if I had a weak moment of mercy and kept the developer, if that mistake was compounded by not using parameters to build a query, that would be a double-whammy.  Every developer who knows how to turn on a computer knows to ALWAYS pass values as parameters to the database engine, as it deals with the data types and additional security checking.

The only exception I'd be OK with in terms of building an SQL string by hand is if it's a short "where id=" select, like (in Ruby's equivalent):

sprintf('select * from genders where id=%d', GENDER_ID_UNKNOWN);

...and the "id" is a named, hard-coded constant, e.g.:

#define GENDER_ID_UNKNOWN 3

Anything beyond that, bind your values to query parameters.  The Gab developer made a mistake that no experienced dev should ever make.  What's really maddening is the developer has addressed this in the past:

Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities. Marotto didn’t respond to an email seeking comment for this post. Attempts to contact Gab directly didn't succeed.
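
To make the difference between a hand-built SQL string and bound parameters concrete, here is an added example (not Gab's code and not from the article quoted above). It uses Python's built-in sqlite3 with an in-memory database so it runs anywhere; the table, rows, function names and the crafted input are all constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_by_name_unsafe(db, name):
    # String-built query: the value becomes part of the SQL text, so a
    # quote character in the input changes the structure of the statement.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def find_by_name_bound(db, name):
    # Parameterized query: the SQL text is fixed and the value travels
    # separately, so the engine only ever treats it as data.
    return db.execute("SELECT name, email FROM users WHERE name = ?",
                      (name,)).fetchall()

def find_by_id(db, raw_id):
    # Validate first (ASCII digits only, bounded length), then still bind.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be digits only")
    return db.execute("SELECT name, email FROM users WHERE id = ?",
                      (int(raw_id),)).fetchall()

# Constructed input containing a quote, as an untrusted form field might.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("string-built:", find_by_name_unsafe(db, CRAFTED))
    print("bound:       ", find_by_name_bound(db, CRAFTED))
    print("by id:       ", find_by_id(db, "2"))
```

The string-built lookup returns every row for the crafted name, while the bound lookup returns nothing because no user has that literal name.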

We haven't heard from the developer to confirm if what appears to have happened did indeed happen, but if it did, then I hope Torba shows leadership and fires him.  All of us developers have had a lazy moment, but for a project like this when every genderless commie in the world with skills is coming at you, there's no room for sloppiness.

From Torba's response, no payment info was compromised:

Gab does not store customer banking data so customer bank information was not impacted by this breach. Our Gab Shop and GabPRO upgrade service are separate systems on separate code that show no signs of any breach.

They're working with a security firm to perform a security audit:

Over the past few days our team has been working with the top rapid response security firm in the country to fully audit Gab’s infrastructure to get a better picture of what happened, what specifically was accessed, and why.

This had to have been a humbling move for Torba and his team.  It shows Gab doesn't have the security sophistication in-house, but I do have confidence this was a wake-up call.  This paragraph was a little cagey:

Gab collects as little data as possible because we know how important privacy is for people to speak freely. Gab is an extremely public forum by design. From what has been reported and from what we know thus far, the overwhelming majority of the data in this breach is already public on the website for anyone to see. We will continue to update you as we learn more.

"Overwhelming majority of the data...".  OK, but what about the rest?  It's safe to say emails and passwords were compromised, but I'd like to know what else.

Finally, this breach is case-in-point as to why Jared Kushner has likely been steering GEOTUS away from Gab and other alt social media platforms.  I love Gab and they've come a long, long way, but they're not ready for the Boss, and this breach validates Kushner.

Trump's account was compromised and he wasn't even on the platform.  That in itself is embarrassing.  Frankly, I'm a little miffed at Torba for even pushing for Trump to join while taking swipes at Kushner while his platform was running sloppy, insecure code.  If he didn't know, then that's even worse.  Gab is a ways away from hosting an account that will bring over 100mm members.  This is the hard truth, and it would be nice for Torba to admit this.

Overall, I think Torba is handling it well, assuming he's going to fire the developer.  If he doesn't, it will show weakness.  This was a wake-up call for him and the team, and this will only make them stronger.

UPDATE 3/3 23:40 - Analysis by Troy Hunt -- h/t SaltyProgTweets

 
