There's something about the way that this is written that rubs me the wrong way. There's a lot of emphasis on how unlikely the attack would be - that the collision would take "significant resources", that many conditions must be true at the same time, that Pulse Security's proof was unrealistically simple.
All of this can be true, but rhetorically, it sends the wrong message to put so much emphasis on this. The message I'd like to see would be more like this:
"We got notified of this security problem. We immediately worked on mitigation and to find out if any customers were affected. We couldn't find any, and we have patched the problem. We have a patch for you to apply to fully prevent the problem.
The problem depended upon an identity collision. We think the probability of this is remote, but we always take this stuff very seriously."
In other words, I want to see platforms like this emphasize their response, rather than try to convince me that the problem is minor. The way these things are phrased matters a lot!
As a network admin I think my primary concern on first reading is actually the severity of the problem and how much I should worry about it. Then it’s good to see that the response was prompt and transparent. Probably can’t satisfy everybody no matter how you write it.
Yeah, that makes a lot of sense too, and you've convinced me that I'm probably being a bit too uncharitable. I totally agree that these things are very hard to write in a way that makes everyone happy.
I’m giving them the benefit of the doubt. Sounds like they had some audits / penetration testing done, the security firm found a real weakness, but it’s just unlikely to happen.
They disclosed the issue pretty well, but at the same time, are afraid of the response; they decided to overcommunicate that the attack vector has likely never been exploited, and I can see why they did that.
I’m not sure I see a big difference between what you wrote and what the article said since you also minimize the likelihood of the attack and the article also talked about their response.
To me it's fair to say it's not a likely scenario, it's just that they continuously say "this would be difficult" at every step. I appreciate the breakdown, but it comes off as trying to convince you it was a near-complete impossibility. I understand it was unlikely, but it was possible, and that makes it severe either way.
Right - I wanted to try to phrase it in a way that replicates the content, but changes the emphasis. Definitely true that they cover all of the same things.
I certainly agree with you. I just posted a few days ago saying I would never trust this company.
In fact, I would never trust a company that didn't explicitly state that the company having a central server facilitating operations (Signal, et al.) is a huge risk.
Every time someone specifically states "we take security very seriously" or "we take your privacy very seriously", or even "you're in control of your data" it makes me think otherwise.