r/technology Sep 09 '22

Patreon Cuts Its Security Team Security

https://gizmodo.com/patreon-layoffs-1849516408
611 Upvotes

375

u/Bubbagumpredditor Sep 09 '22

Oh, this will end well. Now, give more money to marketing while cutting the hardware budget.

181

u/psipher Sep 09 '22

This is what always happens: security folks are one of the first groups to go.

It’s so short-sighted. Security practices don’t get enough attention because it’s easier to skip a few steps.

People have no idea how much wiggle room there is in security practices. It’s terrible out there.

97

u/Zjoee Sep 10 '22

I've come across it with clients before. They ask why they're paying so much when they hardly ever see us "do anything." We constantly monitor and maintain their systems behind the scenes. If they're hearing from us, it means something is going wrong. A slow day is a good day in IT.

68

u/psipher Sep 10 '22

It’s one of the few jobs where if you do your job well, nothing ever happens. So it’s seen as a big cost sink.

And if you don’t do your job at all, it’s one of 3 options:

  1. You’ll never know if you got hacked / customer data stolen. Ignorance is bliss.

  2. You find out you got hacked. But it’s likely you don’t know exactly how bad it was. But you’ll do your best to keep it under wraps, or have marketing massage the messaging to avert a crisis.

  3. It’s catastrophic. Really difficult to recover from and/or the entire company is at risk.

21

u/DecentFart Sep 10 '22

It is also like other jobs where it is hard for a layman to know if you are doing a good or bad job. I know some people that work in industrial security and a lot of their job is proving to new and existing customers that their money is being well spent.

2

u/[deleted] Sep 10 '22

How hard can it be to fool the dumb money?

11

u/DrSendy Sep 10 '22

I got my CEO addicted to Darknet Diaries. We have a well funded IT sec team.

2

u/ziek777 Sep 10 '22

this is the way to do it

12

u/TK_TK_ Sep 10 '22

Yep, IT and maintenance are two areas I’m always advocating for “approve whatever budget they propose & hope you don’t hear a peep out of them.”

8

u/[deleted] Sep 10 '22

"When You Do Things Right, People Won’t Be Sure You’ve Done Anything at All" - Futurama of all things.

5

u/imthatguydavid Sep 10 '22

yeah, people don't understand. the fact that you didn't notice anything means you're doing your job....

3

u/eastcoastflava13 Sep 10 '22

Yup, this is the life of a sysadmin too.

1

u/Hexxxer Sep 10 '22

if you are good at your job then people don't know you are doing it

19

u/zeptillian Sep 10 '22

We need to start holding companies legally accountable for horrible security practices. If customers are impacted because you didn't bother to apply a critical security patch more than a month old, you should be directly liable for the damages you cause. There are basic things every company should be doing to protect their customers. Not everyone needs a red team or anything but for fuck's sake, at least do the needful.

14

u/Shutterstormphoto Sep 10 '22

It’s not like they don’t understand this. The company is probably fucked financially and they can either keep the marketing team and hope to attract new customers, or they can keep the security team and continue to not have security problems. Security issues take a while to surface and often don’t generate income.

It’s like cutting education funding — people know it’s dumb but it’s the solution that breaks things the slowest. If you cut sewage funding, shit goes bad real fast. Education takes 20 years to cause problems.

5

u/psipher Sep 10 '22

Yeah this is true.

It starts from the top. Investors don’t want to pay the full cost to build something, they’d rather it be done lean and efficiently (translation: cheap and quick), and defer payment of those costs until later. E.g. a later investor (for startups).

That translates into the execs, then the leadership and all the way down.

3

u/Shutterstormphoto Sep 10 '22

I mean Patreon has been around a while. I doubt the investors are driving this. But yes, that does happen all the time.

19

u/h_grytpype_thynne Sep 09 '22

They value their security team so highly they're giving them a head start on their job searches. The marketing people will have to stick it out to the end.

8

u/GDMFusername Sep 10 '22

I'm not in IT or physical security, but believe me, I'm an advocate for these fields. I've seen the corporate knife come down on both with devastating consequences. It's a problem with the personalities we put in power. Security is definitely that field where, if you're doing it properly, no one will think you've done anything.

2

u/DonQuixBalls Sep 10 '22

"Why are we paying all this money for security if there's never a breach?"

Right, and why spend all this money on toothpaste if I never get cavities?

1

u/bradland Sep 10 '22

Don’t worry, their marketing team is cheaper and better staffed than their security team, so they can afford to publish a really classy looking security incident disclosure package when they get pwnd.

1

u/thatblbc Sep 10 '22

So that’s why my data keeps getting stolen. K good to know

1

u/Pawnsofinovation Sep 10 '22

well you can always sell exploits

1

u/ohyonghao Sep 10 '22

The first group being QA followed by validation, once they’re gone who needs security?

-3

u/Toasted_Waffle99 Sep 10 '22

IT is easily outsourcable.

1

u/kittywrastler Sep 11 '22

It will happen, and we'll have another Huawei situation of stolen tech.

19

u/BisquickNinja Sep 09 '22 edited Sep 10 '22

That was my first thought also, it's going to end so well with this line of reasoning. /s

2

u/Threewisemonkey Sep 10 '22

They see time and time again that no corporation ever faces consequences for security breaches of billions of people, no matter how easily they could have been avoided.

there is a thriving market for consumer data, especially that tied to a credit card or linked to a bank account…

1

u/10133960 Sep 10 '22

Promote this guy to upper management!

154

u/monos_muertos Sep 09 '22

I feel bad for creators who built online culture as it is slowly and incrementally being taken away from them by corporate behemoths. I can withdraw from the internet as it gets worse, but to have all your skills and tradecraft invested in platforms that can steal your income and your intellectual property at a moment's notice, or permanently take down your content without ever giving a reason. It sucks. And so does the content that will replace authenticity.

18

u/SeStubble Sep 09 '22

In reality there are quite a few platforms that allow creators to own their IP, give them their own moderation privileges for their own communities, choose who they wish to partner with for advertising, revenue sharing with moderators, etc.

Even with these alternatives it's difficult to convince the masses that the majority of these mainstream content creation platforms are just milking their creators dry and are perpetuating bad faith practices. Even when better options exist, people prefer the suboptimal choice that they're familiar with.

7

u/Successful-Depth-235 Sep 10 '22

The problem with most of the pro-creator platforms is they aren't willing to monetize enough, which means they mainly depend on natural growth and end up not being able to compete with the corporate sites. Also when all the creators want to shift from creating as a hobby to full time they're practically forced to switch to a site that will let them earn more.

1

u/Frosty-Play-5283 Sep 10 '22

SubscribeStar has been better than Patreon

-17

u/[deleted] Sep 09 '22

[deleted]

17

u/RilinPlays Sep 09 '22

cleaning boots with your mouth is both ineffective and quite unhygienic

-7

u/flirtmcdudes Sep 09 '22

Where did I defend their current actions? I just said hate them all they want, they wouldn’t be where they are without them

6

u/DarthBrooks69420 Sep 09 '22

And where would they be without the content creators? Just suits looking for another industry to suck dry of value.

1

u/Away_Swimming_5757 Sep 10 '22

It's as if they both benefit from each other and have a symbiotic relationship. Both can exist alongside each other. Or creators can divert time from their creative pursuits to create their own websites, implement and manage their own payment portal, create and fulfill shipping for all of their merch and products, do their own accounting and back-end management, implement their own search functionality into their content library and many of the other various operational and admin related things while paying for their cloud hosting and computing (or they could stand up, maintain and host their own servers) that creator services/ marketplaces do on their behalf.

Patreon is valid and legit.

3

u/DarthBrooks69420 Sep 10 '22

Ok but that wasn't the point, the point is that it seems like Patreon is compromising their security when content creators are often a target of cyber attacks. All these arguments you make are dancing around the issue, which is that in an increasingly insecure digital landscape Patreon is taking a step backwards.

-1

u/Away_Swimming_5757 Sep 10 '22

Check out my other comments in this thread for more perspective. Don't feel like typing it out again; but it's not a step backwards. It's a wise move. They are outsourcing the responsibility to a company that actually knows what they're doing and will be able to bring subject matter expertise as opposed to the 5 in-house people they had handling infosec.

1

u/DarthBrooks69420 Sep 10 '22

That remains to be seen but I'll tentatively lower my pitchfork.

But I reserve the right to poke a future reddit thread with it.

1

u/Catzillaneo Sep 10 '22

That's why creators started coming together and working on their own platforms. LTT is a good example where it seems like they saw the writing on the wall of being too dependent on a single platform.

1

u/tnnrk Sep 10 '22

It will just go back to personal websites where you pay the creator directly (maybe an intermediary to handle the transaction, but all your content lives and is hosted by you). Sucks for marketing but if you create a following through the free behemoth avenues then you direct your followers to your own website, not that bad of an option.

15

u/IamMarcJacobs Sep 09 '22

Poor leadership 101

40

u/you90000 Sep 09 '22

Shit, now I want to stop using them

21

u/new_refugee123456789 Sep 09 '22

Likewise. I'm actually going to contact a creator or two to see about alternate arrangements.

1

u/LooseSignificance166 Sep 10 '22

As a creator you should have got out when Julian from Meta/FB/Instagram joined.

73

u/rhyme_traveler Sep 09 '22

First thing I did when I read this was submit an account deletion request. You can do this through the red "Submit a Privacy Request" button on this page:
https://privacy.patreon.com/policies

Not leaving my data on the servers of an organization painting a huge bullseye on its back like this.

28

u/NoMoLerking Sep 09 '22

They laid off 5 people. One of them posted on LinkedIn that the department was eliminated but the company says that’s not the case.

39

u/ryhgoalie37 Sep 09 '22

They laid off 5 people and outsourced their security to a firm that only handles online security. Everyone is freaking out about this but I don't see anyone talking about the second half.

45

u/GhettoDuk Sep 09 '22

Outsourcing is what you do with jobs you don’t care about.

9

u/Greenblanket24 Sep 09 '22

laughs in rust belt

20

u/Away_Swimming_5757 Sep 10 '22 edited Sep 10 '22

Not true at all. Many important, specialized jobs are outsourced. Patreon having their own in-house security team consisting of 5 people probably had its own issues. Outsourcing to a reputable security company who specializes in infosec and has that as their main priority is likely to give better, more robust and up-to-date security practices. Patreon is a creator platform, that is their speciality; they are not a cybersecurity/infosec company. Outsourcing the function of infosec to companies that specialize in it is a good move... otherwise you'd have Patreon trying to do it in-house, trying to staff and maintain their own security team.

12

u/dalittle Sep 10 '22

it really really depends on who they outsourced to. I once worked for a company that outsourced their IT and the company promised 5 nines of uptime. Whenever we tried to do real work we needed 5 sign-offs from this stupid IT outsourcing to make any changes to servers and we started using laptops and spare computers to host services instead of dealing with them. And not fluff projects, mission critical systems we were building. Outsourcing will always be a red flag for me until they prove they are not just milking it for money and actually adding value, which IMHO they very rarely are.

2

u/sik0fewl Sep 10 '22

They're probably trying to save money, so I doubt they outsourced to a reputable security company.

1

u/caginturtle Sep 11 '22

Many important, specialized jobs are outsourced.

Like janitorial services.

11

u/voidsrus Sep 09 '22

there is not a single firm on the planet that will provide more effective security than 5 FTEs, especially when management is trying to save money

2

u/ryhgoalie37 Sep 10 '22

Not saying it will be better - it almost definitely won't be. But the narrative going around makes it sound like they laid them off and everyone's credit card information is floating around up for grabs.

1

u/TheIronMark Sep 10 '22

It's a matter of risk and value. Patreon believes (perhaps erroneously) that the security provided by 5 FTEs costs more than they stand to lose from an incident. If that's true, then outsourcing the security department makes sense.

1

u/YnotBbrave Sep 10 '22

I should have done my own research, the LinkedIn lady complaining about the layoff forgot to mention that part.

And they might have deduced that their security team is incompetent. To be fair, I’d be suspicious of using patreon, but suspicious of hiring anyone out of that team also, esp. anyone giving the internet misleading spins

3

u/k3bly Sep 10 '22

Maybe in the layoff convo, they didn’t tell her they were outsourcing it now. Let’s not jump to negative conclusions about the team’s performance. My guess is they’re cost cutting and starting with the highest paid team.

2

u/SIGMA920 Sep 10 '22

And they might have deduced that their security team is incompetent. To be fair, I’d be suspicious of using patreon, but suspicious of hiring anyone out of that team also, esp. anyone giving the internet misleading spins

More likely to have simply realized that by outsourcing they could save what they were spending on the jobs that were cut. Cheap and potentially problematic? Absolutely. Complete and utterly damning? No.

4

u/Koopa_Troop Sep 10 '22

Or realized that having 5 people in-house isn’t always the best solution. I outsource my accounting because paying a team a monthly contract fee to do everything from bookkeeping to providing lawyers in case of an audit is better than paying 1 person a salary to do one thing.

-3

u/10113r114m4 Sep 09 '22

Yea, just canceled my membership. No way in hell I'm going to use any service without a security team

8

u/Koopa_Troop Sep 10 '22

Imagine making a decision based on a headline that’s directly contradicted by the content of its article…

-7

u/10113r114m4 Sep 10 '22 edited Sep 10 '22

I read the article dipshit lol. I mean the contents say Patreon stated they have security engineers, but it's a who says vs who says at this point. Eliminating a team of security engineers seems odd to me and Patreon didn't deny. So that's why I canceled. Also checked the Patreon careers site and saw no security positions which also was odd other than fraud detection

3

u/Digitalcyon Sep 10 '22

Also checked the Patreon careers site and saw no security positions which also was odd other than fraud detection

...why would they lay off staff if they didn't already have other staff in-place? If they already have other staff in-place, they don't need to have job openings. You do not have job openings for positions you are not actively looking for. Your comment doesn't make any sense.

-1

u/voidsrus Sep 09 '22

getting my deletion request in before they start cutting their privacy compliance people too

-1

u/Podosniper Sep 10 '22

Thanks for the idea and link. I submitted my request as well. As an IT Security degree holder, IT company founder, and working in IT for nearly 2 decades I know for a fact that outsourced simply doesn’t cut it for security. Everybody else should do the same. It takes internal AND external security teams to validate security

24

u/DanHassler0 Sep 09 '22

I wouldn't be too worried. For better or worse outsourcing security operations is becoming more popular. There's tons of companies pitching the idea to use them for just about anything security related.

24

u/DrQuantum Sep 10 '22

Outsourcing your security is basically the dumbest concept I can think of. No one cares more about your data than you do. You being the company collectively. And some of the most high profile breaches have been due to vendor failures.

12

u/Dal-Rog Sep 10 '22

Not really. Most larger tech companies I've worked at run a mix of both internal and outsourced security teams. Outsourced security consultants can be incredibly efficient as they see things that internal staff otherwise might not think of. Just depends who they chose to hire. There's a range of outsourced options with different quality, but almost any large tech company is going to have some outside security consultants hired, even for just an audit or two. Although that doesn't discount the fact internal security teams are also good to have.

6

u/jrabieh Sep 10 '22

You're talking about extremely expensive consultants. I've also seen companies outsource their security to companies that hide the fact they are literal years of work hours behind and will refuse to up their staff under any circumstances.

5

u/Dal-Rog Sep 10 '22

I'm not, I currently work in a smaller firm with 3 guys internal who work on security, and we use a reasonably priced security firm that we get a lot of consultation from. They're a reputable company that costs us a hell of a lot less than a lot of the tooling we use. They have done wonders catching odd behavior and helping us set up and maintain the alarms we otherwise wouldn't have thought of, as well as audit our less technical staff for social engineering attacks. It's just nice to have an outside PoV to think of vulnerabilities that we're too close to the product to see. They also give us refresher training each quarter on new vulnerabilities. We still do most of the legwork internally, but the consultation has been invaluable since we work with sensitive data.

As with everything outsourced, there's good, bad, expensive and cheap, but you absolutely can find good help while being a smaller company with a lesser budget. My original point being that outsourcing security isn't always a bad idea, just really need to do your homework first.

4

u/ins4n1ty Sep 10 '22 edited Sep 10 '22

I think the mix of internal and outsourced is the key here. IT security comprises many different verticals that for a large company would mean multiple security teams. So it's common (especially if you're trying to grow your program quickly) to want to outsource some part of that work structure.

For instance, maybe your security team can handle the operational/infrastructural security components like vulnerability management, identity management, device management etc, but maybe you want to outsource something like your network security, compliance or your software development security. These verticals can go very deep so trying to force some of these areas onto the same teams can deliver poor results.

Personally I don't love the idea of outsourcing big-risk type areas and risking losing all that knowledge if your relationship goes tits up, so it's that balance between internal/external that is huge when you're talking about who is doing what. Plenty of companies have gotten hacked that were relying on shoddy outsourced talent that clearly just wasn't managed properly.

2

u/Dal-Rog Sep 10 '22

Yeah, well put, I'd definitely agree with you there, the mix is very important. Outsourcing all security operations would be anxiety inducing to say the least. I can't imagine how that would really work from an implementation level either.

What you mention is what I've seen work best. A really solid core team internally to handle implementation, monitoring and maintenance, and a solid outside team that helps take some of the load off and focus more on proactive research and flagging new possible vulnerabilities as well as offering up ideas on the best ways to approach them.

3

u/Away_Swimming_5757 Sep 10 '22

Thank god I'm seeing well informed opinions in here. I was getting pissed reading the higher upvoted comments that were acting like this is some stupid decision by Patreon.

Reputable company who specializes in infosec > 5-person in-house security team who likely have no one in the executive level who even knows what they should or shouldn't be doing and having to hope that the 5 person in-house team is up to date on the latest and is properly auditing cloud configuration, roles, permissions and adhering to hardening best practices

3

u/RoboNerdOK Sep 10 '22

Nah. It’s an easy way to get a big company that will make up fancy checklists to prove due diligence was done when the inevitable breach happens because you outsourced your security.

1

u/SpaceTabs Sep 10 '22

Common practice. SecureWorks in Romania. It depends on the company. If it's like a bank, probably not. If it is a low margin company that has a lot of churn, they will.

1

u/Bahariasaurus Sep 10 '22

As someone who has done this, outsourcing a security operations function is not unusual at all and fairly straightforward to pawn off on an MSSP. Granted they're not usually as good as in house folks, as they're juggling a dozen customers and don't know your environment as well. But for a small company it can make sense. I've also seen compliance folks outsourced, since smaller companies don't necessarily need the staffing until audit time.

However, outsourcing _all_ security seems a bit fucking weird. It's good for example to have AppSec people who understand your code base and can help review PRs and validate and help design new features/architectures. This sort of shit costs a fortune if you try to outsource it. Though it could be they had no such role, and just use Bug Bounty/Pen Testers with third party triage?

3

u/photoguy423 Sep 10 '22

I tried joining the site and it deleted my account and blocked me before I even managed to verify the account. So I haven't bothered with it since. Which is a shame because there are some artists I really wanted to support.

3

u/Trick_Mushroom5825 Sep 10 '22

Yeah, well, they fixed security, nothing to see here…

17

u/yourwitchergeralt Sep 09 '22

If they only had 5 employees for that, they might as well just hire a company to handle this for them..

20

u/hunterkll Sep 09 '22

That's.... actually what they did apparently. Outsourced those positions to a company that exclusively handles online security/security functionality.

4

u/yourwitchergeralt Sep 10 '22

Probably the better move for the end user, that tends to be safer nowadays... This sub is definitely overreacting.

2

u/zeptillian Sep 10 '22

That's fine. It's not like they deal with payment information or hold money for people.....LOL.

2

u/Newbe2019a Sep 10 '22

It really depends on what the security team actually do. I worked at companies where the security team(s) actually help product engineering and IT teams do technical work to improve security. I worked at others where the security team is just a team of checklist checkers, who often are a few years behind in technical knowledge or are not technical at all.

2

u/plebbitier Sep 10 '22

SubscribeStar is better

2

u/Mobilematt1 Sep 10 '22

So the article doesn’t say they are giving up on security. It starts out saying 5 employees were let go. Then one of the laid off says it was everyone. Then the company says they won’t say how many were laid off. This is a dumb article.

4

u/All_The_Nolloway Sep 09 '22

“The changes made this week will have no impact on our ability to continue providing a secure and safe platform for our creators and patrons.”

They'll get hacked probably by the end of the year and do the "well you can wait 3 years for this lawsuit and get 15 cents from the settlement or 1 year of credit protection..." It's the same every time it happens. No one gives a crap about our info but apparently, it's important enough for everyone to require it.

6

u/Informal-Lead-4324 Sep 09 '22

Did you read the article?

4

u/Smoothstiltskin Sep 09 '22

Signalling the end. I've never seen a company come back once they cut critical IT.

2

u/ArtisticFromVaccines Sep 09 '22

If a group of hackers would go for the servers and lock out all the service accounts running them and tomb-stone the domain controllers costing them a shit load of cash. Then they would care cause it’s their money. Then the hackers could just work for them and demand high pay lol. Shit has to get fucked up for anyone to pay for cybersecurity

1

u/Bleusilences Sep 10 '22

Cybersecurity is mostly making sure that servers are not getting overloaded by things like DDoS attacks and making sure that everything stays up to date. It's mostly maintenance and monitoring.

2

u/ArtisticFromVaccines Sep 10 '22

I know lol but patching and scanning is pretty important from a defensive stand point.

1

u/Bleusilences Sep 10 '22

I'm not saying the contrary; maintenance is often ignored because it's not a "value generator" or whatever.

2

u/ArtisticFromVaccines Sep 10 '22

Yeah it’s sad honestly I agree with you tho.

1

u/TXWayne Sep 10 '22

You obviously have not worked cyber in a large organization and certainly not one in a regulated industry.

1

u/Remote_Candle_3238 Sep 09 '22

Cutting their security team on a platform whose (not sole, yet rather large) income is supplemented by models?

Yeah. That is not a smart idea....at all....

Not saying the rest of our security (or non-models) doesn't matter at all.

But this could start some pretty dark shit.

0

u/YnotBbrave Sep 10 '22

In related news tomorrow, Patreon loses user data in an attack. “There was nothing we could do” says founder

1

u/SactoGamer Sep 10 '22

I’m looking forward to the class action lawsuit because there was a compromising data hack.

1

u/dudeonrails Sep 10 '22

Yeah, internet security isn’t THAT important. It’s probably fine.

1

u/Right_Hour Sep 10 '22

Absolutely, I don’t see why any platform dealing with P2P money transfers needs a security team.

/s (is it really necessary?)

1

u/IcyNefariousness8987 Sep 10 '22

Never a good sign.

1

u/ty4nothing Sep 10 '22

Well you can see what is going to happen in the next few months.

Patreon hacked, thousands of people's information stolen.

1

u/Rynox2000 Sep 10 '22

Probably outsourcing.

1

u/Johnothy_Cumquat Sep 10 '22

Security doesn't bring money in but if you take shortcuts you'll really wish you hadn't.

1

u/bowlingdoughnuts Sep 10 '22

"We haven't gotten any security problems, therefore they can go first" is like saying our anti-mosquito spray isn't needed since we don't have any mosquitos near us anyway.

1

u/Mundane_Road828 Sep 10 '22

Ah, soon … ‘Patreon was hacked and user data was stolen’. Patreon: ‘We didn’t see this coming’

1

u/WhatTheZuck420 Sep 10 '22

I believe Emily's versions of the 'parting ways' of the Great Strategic Shift.

I don't believe Ellen's version of anything, including the claim that the sky is blue.

1

u/LooseSignificance166 Sep 10 '22

Company has been dying for years. They are stuck waiting for meta to buy them but the worlds treating zuck like shit.

Bunch of senior meta folks are in control now in patreon and have been for a year

1

u/Leiryn Sep 10 '22

Whelp I'm deleting my data and cancelling subscriptions. It sucks for the creators but my personal security comes first

1

u/HandjobOfVecna Sep 10 '22

This is like saving money by never changing the oil in your car.

1

u/browndog03 Sep 10 '22

Maybe they’re looking for a sale? Making themselves attractive to a buyer who already has such infrastructure in place?

Or maybe it truly is just shortsighted

1

u/dip_ak Sep 10 '22

inviting hackers to test and improve their security 😏

1

u/HappenstanceHappened Sep 11 '22

So they outsourced the security to an msp.. it's not an uncommon practice and it definitely saves a shitload of money.

1

u/Nuxxy9 Sep 12 '22

Honestly curious, has anyone seen the Glassdoor review an apparent security employee left?

According to the review, the security team was strictly told by management to ignore questionable images/content and they had had enough. Unfortunately, I can't find the review anymore or any other info on this. Thoughts?