Yesterday’s mass-login attack on Basecamp is another reminder to protect yourself

Yesterday at 12:45pm central time, our ops team detected a dramatic spike in login requests to Basecamp. More than 30,000 login attempts were made in the hour that followed from a wide array of IP addresses. Our first line of defense was to block the offending addresses, but ultimately we needed to enable captcha to stop the attack.

After the attack was over, we diagnosed that 124 accounts had unauthorized access from the attack. We immediately reset the password for these accounts, logging out any intruders, and emailed the affected account holders with all the relevant information.

All of the unauthorized access was gained using the correct username and password for the account. It’s highly likely that these credentials were obtained from one of the big breaches, like those collected in combos like Collection #1, Anti Public, or Exploit.in. All the affected accounts showed as “owned” on haveibeenpwned.com.

Our preliminary investigation shows that none of the unauthorized access actually performed any actions within the accounts. It seemed like the attack focused on first validating which accounts were vulnerable, perhaps with a plan to later exploit these vulnerable accounts. Thankfully we were able to detect and stop the attack very quickly, and also ensure that any intruders were prevented further access.
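The sequence described above (a spike in login volume, spread across many source addresses, with most attempts failing and a small number landing on accounts whose owners reused a breached password) is the signature of credential stuffing, and it can be picked out of ordinary login logs. The Ruby below is an added example, not Basecamp's own code or tooling; the log line format, the sample traffic and the thresholds (`window`, `min_attempts`, `min_ips`, `max_success_rate`) are all assumptions made for the illustration. It flags the attack window, lists the IPs that were cycling through stolen username/password pairs, and lists the accounts those IPs logged into successfully, which are the ones that need a password reset and a forced logout.

```ruby
# Added example (not Basecamp's code): detect a credential-stuffing wave in
# login logs and derive the two follow-up actions the post describes: block the
# offending IPs and reset every account the attacker actually got into.
# The log format, sample data and thresholds are constructed for this example.
require 'time'

Event = Struct.new(:time, :ip, :user, :ok)

# Parse lines of the (assumed) form:
#   2019-01-29T12:45:03Z ip=198.51.100.4 user=alice@example.com result=fail
def parse_login_log(text)
  text.each_line.filter_map do |line|
    m = line.strip.match(/\A(\S+) ip=(\S+) user=(\S+) result=(ok|fail)\z/) or next
    Event.new(Time.iso8601(m[1]), m[2], m[3], m[4] == 'ok')
  end
end

# Bucket attempts into fixed windows and flag a window as credential stuffing
# when three things hold at once: the attempt count is far above baseline, the
# attempts come from many distinct IPs (a botnet, not one brute-forcer), and
# most of them fail (leaked combos only work where a password was reused).
def detect_stuffing(events, window: 600, min_attempts: 50, min_ips: 20, max_success_rate: 0.2)
  events.group_by { |e| e.time.to_i / window }.sort.filter_map do |bucket, evs|
    next if evs.size < min_attempts
    ips = evs.map(&:ip).uniq
    next if ips.size < min_ips
    next if evs.count(&:ok).to_f / evs.size > max_success_rate

    # Per-IP fingerprint: a stuffing bot cycles through several leaked
    # username/password pairs, whereas a real user's IP targets one account.
    # Only successes that came from those IPs need a reset; legitimate logins
    # that happened during the attack window are left alone.
    suspect_ips = evs.group_by(&:ip)
                     .select { |_, es| es.map(&:user).uniq.size > 1 }
                     .keys
    hijacked = evs.select { |e| e.ok && suspect_ips.include?(e.ip) }
                  .map(&:user).uniq.sort
    { window_start: Time.at(bucket * window).utc, attempts: evs.size,
      source_ips: ips.size, block_ips: suspect_ips, reset_accounts: hijacked }
  end
end

# Constructed sample: a quiet quarter hour of normal logins, then a burst of
# 30 bot IPs each trying three leaked combos, two of which still work.
def sample_log
  t0 = Time.utc(2019, 1, 29, 12, 30)
  lines = []
  6.times do |i|
    lines << "#{(t0 + i * 90).iso8601} ip=192.0.2.#{10 + i} user=user#{i}@example.com result=ok"
  end
  lines << "#{(t0 + 200).iso8601} ip=192.0.2.10 user=user0@example.com result=fail" # a typo
  t1 = Time.utc(2019, 1, 29, 12, 45)
  reused = %w[victim7@example.com victim23@example.com] # owners reused a breached password
  30.times do |bot|
    3.times do |k|
      user = "victim#{bot * 3 + k}@example.com"
      result = reused.include?(user) ? 'ok' : 'fail'
      lines << "#{(t1 + bot * 10 + k).iso8601} ip=203.0.113.#{bot + 1} user=#{user} result=#{result}"
    end
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  detect_stuffing(parse_login_log(sample_log)).each do |a|
    puts "#{a[:window_start]}: #{a[:attempts]} attempts from #{a[:source_ips]} IPs; " \
         "block #{a[:block_ips].size} IPs, reset #{a[:reset_accounts].join(', ')}"
  end
end
```

Two caveats a practitioner should keep in mind. Blocking by IP only buys time: once the attacker rotates through thousands of addresses, as the update to this post reports, the per-IP list grows faster than it can be applied, which is why a challenge on the login form (CAPTCHA or, better, 2FA on the account) ends up being the effective control. And the "many usernames from one IP" fingerprint will misfire on shared egress addresses such as corporate NAT or mobile carriers, so a real deployment would combine it with rate limits and IP reputation rather than block on that signal alone.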

Nevertheless, this is a serious reminder that you should never share the same password between multiple services, particularly services such as Basecamp that may contain sensitive information. Here’s what we recommend you do to stay safe:

1.) Use a password manager to ensure you’re using different, secure passwords on every service you use. Then if one service is breached, you don’t have to worry about the rest. We use 1Password at Basecamp and recommend it.

2.) Subscribe to a breach notification service, like the one offered by haveibeenpwned.com. Then you’ll be alerted if your credentials are part of a hack known to the public.

3.) Turn on two-factor authentication (2FA) wherever you can! We offer 2FA protection for Basecamp using Google Sign-In. Most services that deal with sensitive information offer 2FA these days. It’s especially important that you enable this for critical services, like your email address.

Our ops team will continue to monitor and fight any future attacks. They did an excellent job detecting and addressing this particular attack. But if someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.

Protecting yourself against attacks like this is important. Take the time to learn the basics, and take the steps outlined above to limit the risk.

Update: On January 31st, the mass-attack resumed in much greater strength than before. More than 5,000 IP addresses were used to test stolen credentials. 89 proved correct, but no content was accessed on these accounts, and we followed the same procedure of resetting all logins and writing to the people affected. We’ve since beefed up our CAPTCHA protection across all applications and all clients, which has been effective at stopping the attack. CAPTCHA isn’t perfect, and sometimes it’s annoying, but it has provided effective protection against this wave of attacks. We continue to work on shoring up defenses, but do follow the steps outlined above to protect yourself!

Kickoffs!

Since our company is itself our most important product, we keep tweaking, experimenting, and – hopefully! – improving the organizational software that makes it run.

Here’s an example of how we refine our process at Basecamp:

Process change posted to our What Works project in Basecamp.

That change then got codified as an update to our How We Work guide in the Basecamp Employee Handbook.

Jane Yang is our new data analyst

We received over 700 applications to the opening for a data analyst at Basecamp last Fall. There were a lot of qualified candidates, but in the end it was Jane Yang who bubbled to the top, and this month we were thrilled to welcome her to the team.

It’s probably not a big secret that we don’t hire often at Basecamp. In fact, we have zero open positions at the moment, and we’re still happy with our self-imposed hiring freeze too. So when we do hire someone, it’s kinda a big deal for us.

That’s also why we’ve put such a dedicated effort into attracting a much broader pool of applicants than we did in the early years of the company. When people of different backgrounds and perspectives work together, we make better decisions and better software.

Jane’s background for the last several years has been in the non-profit sector, doing strategy & research at One Acre Fund and analytics at IFF. She worked for many years in Nairobi, Kenya, but has now returned to the US. Before that, she worked at Deloitte Consulting and graduated from Princeton.

This is a perfect background for us as we’re getting more serious about charity at Basecamp recently. In addition to matching employee donations, we’re also working on a project inspired by Patagonia’s 1% for the Planet pledge. Jane brings a lot of experience from the non-profit world to give us another boost on that account.

Because, as we wrote in the job opening, running the numbers at Basecamp, as Jane will be doing, is not about squeezing every metric until it squeals more, more, MORE. Data informs us, educates us, but it does not run us. We make decisions at Basecamp on a much broader base than just “shareholder value”.

We already have enough. We’re not chasing exponential growth. There’s no quest to dominate, capture, or own everything and everyone. Data analysis is here to help us get better, wiser, kinder. Not greedier, not more extractive.

With all that: Welcome Jane!

Paying tribute to the web with View Source

The web isn’t just another software platform. It’s the greatest software platform the world has ever seen. And yet even in its obvious glory, we’re still learning how to be grateful for all its constituent parts. Take View Source, for example.

I owe much of my career to View Source. It’s what got me started with web development in the first place. Going to sites that I liked, learning how they did what they did. Yes, I also bought a bunch of animal books from O’Reilly, and I read WIRED’s Webmonkey, and the web was full of tutorials even then. But it’s not the same. Seeing how something real is built puts the individual pieces of the puzzle together in a way that sample code or abstract lessons just don’t.

I’m clearly not alone in this story. Jason learned HTML the same way. Lots of people on the internet owe their formative steps to the marvelous wonder that is View Source.

Unfortunately View Source has been receding in recent years. Building stuff for the web has never been more complicated. And few of these new tools, frameworks, or techniques have seemed to prioritize making the web readable through View Source. That’s a real shame, because progress needn’t be the enemy of learning.


Designing for the web ought to mean making HTML and CSS

During the dotcom boom back in the late 90s, I did a bunch of Photoshop-cut jobs. You know, where a designer throws a PSD file over the wall to an HTML monkey to slice and dice. It was miserable.

These mock designs almost always focused on pixel perfectness, which meant trying to bend and twist the web to make it so. Spacer pixels, remember those? We were trying to make the raw materials of the web, particularly HTML, then later CSS, do things they didn’t want to do. Things they weren’t meant to do.

Then I got the pleasure of working with designers who actually knew HTML and CSS. It was a revelation. Not only would the designs feel like they were of the web, not merely put on the web, but they’d always be better. Less about what it looked like, more about what it worked like.

I attribute this in no small part to the fact that it was real. The feedback loop of working with the actual HTML/CSS, as it was destined to be deployed, gave designers the feedback from the real world to make it better. And the fact that designers had the power to do the work themselves meant that the feedback loop was shorter. It wasn’t make a change, ask someone else to implement the change, ponder its effectiveness, and then repeat. It was change, check, change, repeat.

For a while that felt like it was almost the norm. That web designers confined to the illusions of Photoshop mocks were becoming more rare. And that web designers were getting better at working with their materials.

But as The Great Divide points out, regression is lurking, because the industry is making it too hard to work directly with the web. The towering demands inherent in certain ways of working with JavaScript are rightfully scaring some designers off from implementing their ideas at all. That’s a travesty.


The books I read in 2018

Now a tradition in its third year (see 2016 and 2017). Here are all my extracted answers to our monthly Basecamp check-in question of What are you reading?

Notes from Underground
Fyodor Dostoyevsky was one of those authors I had heard about in school but never really contemplated reading directly. He lived 1821-1881 and wrote such classics as Crime and Punishment that I never considered myself invited to read. What a mistake. This isn’t exactly the first classic that I’ve given myself permission to read that rendered the inhibition to do so silly, but it really nailed home the point.

It’s such a lovely weird book. Partly, it’s Dostoyevsky giving us an account, through the fictional narrator, of his view on the human condition. Just one quote: “But man has such a predilection for systems and abstract deductions that he is ready to distort the truth intentionally, he is ready to deny the evidence of his senses only to justify his logic”. The idea of humans being suckered into living only according to “logic”, and not only the vanity of such a pursuit, but the impossibility of it, is a wonderful antidote to much of contemporary morality and wonkishness.


Imagine a world without ads targeted by personal information

Elephants wouldn’t be killed for their tusks if there wasn’t a demand for ivory. We can do all sorts of things to discourage poachers, but as long as the market is there, the killings will continue.

Likewise, the flood of privacy scandals involving Facebook, ad exchanges, and other privacy poachers all tie back to the same root cause: Personal information is valuable because we use it to target ads.

But what if you couldn’t do that? Then the personal information would cease to have value, and the flood of privacy scandals would stop (or at least greatly diminish).

The world of commerce spun around just fine in the era before ads could be targeted by personal information. When ad buyers would place their spots based on context. Got a new car to sell? Put an ad on a website that talks about cars. Maybe it wasn’t as efficient, or maybe it was. Either way: The societal price we pay for allowing ads to be targeted is far too high.

We’ve placed all sorts of other restrictions on advertisement, so it’s not like this is a new thing. You can’t advertise tobacco products in many places. Some countries restrict advertisement against children. Regulation like this works.

Just try to imagine that world without ad targeting. It’s hard to imagine that it wouldn’t be a better one.

Signal v Noise post from the year 2000. The more things change, the more they stay the same 😂

Signal v Noise exits Medium

Three years ago we embraced an exciting new publishing platform called Medium. It felt like a new start for a writing community, and we benefitted immensely from the boost in reach and readership those early days brought. But alas it was not to last.

When we moved over, Medium was all about attracting big blogs and other publishers. This was going to be a new space for a new time where publishers could find a home. And it was. For a while.

These days Medium is focused on their membership offering, though. Trying to aggregate writing from many sources and sell a broad subscription on top of that. And it’s a neat model, and it’s wonderful to see Medium try something different. But it’s not for us, and it’s not for Signal v Noise.


Every little bit helps

Quitting Facebook. Renouncing Uber. Avoiding Amazon. There have never been more or greater reasons for turning your back entirely on much of Big Tech.

The last few years have brought an endless stream of scandals and unflattering revelations. There aren’t many starry-eyed optimists left who still believe that Silicon Valley is just here to build a better world. We’ve almost all come to accept the fact that Big Tech is here less to help the world and more to devour it.

If you’ve reached a similar conclusion, the natural dichotomy is one of apathy vs revolt. And let’s face it, apathy is the far more common out. What am I, in my lonely being, able to do in the face of such power and abuse? Best not to think about it too much, and – will you look at that! – these companies are experts at helping you not think about the structure and stranglehold of their businesses.

Revolt: deleting your accounts, swearing off the services, advocating for alternatives, is draining and even isolating work. No wonder most people can’t fit in such a fight in their daily routines of anxiety. Quitting cold turkey ain’t no feast.

But these aren’t the only options! You don’t have to either resign yourself to your utter insignificance or don a cape while shouting in the wind. There’s power in the margins. Tremendous power.
