Thoughts on the Posterous "hack"
UPDATE: Sachin, cofounder of Posterous, responded to the hole here: http://news.ycombinator.com/item?id=1443139. Apparently there’s even more security to prevent spoofing than I thought.
I published an article about Posterous yesterday that received a lot of attention. In it, I pointed out that users do not need to create an account and can simply start using the service by emailing post@posterous.com. Today, someone forged my email headers and sent a fraudulent post to this blog. There are some interesting discussions on Hacker News about this “hack,” and I have some thoughts I wanted to add in relation to product design philosophy.
A lot of product designers/coders make the mistake of focusing too heavily on security at the expense of user experience. The truth is — and this has been proven by the success of Posterous and the relatively low incidence of this type of hack — except for spammers who have a financial incentive to break your system, mere mortals will not normally have a problem with simple security breaches of this type.
No one wants to post malicious messages to my mom’s posterous blog. As long as the spammers are kept out, most people will never have a problem with fraudulent posts.
The ease of use that Posterous provides by just requiring me to send an email to post@posterous.com is worth the tradeoff of a hacker potentially posting to my blog. As a product designer, I fully understand this tradeoff. As a user, I fully accept it. http://blog.dustincurtis.com has received almost a million pageviews in the past year, and this is the first time this has ever happened. And it happened because I provoked it with an extremely popular article that was posted to a community of hackers. To be honest, I expected someone to try this.
Someone suggested that Posterous use a GUID for each blog’s email address, such as B566EA61026F474BA8ADB877FF765087@posterous.com. This is exactly the solution other blog platforms have used, and it’s ridiculous. How am I supposed to remember this? It’s so much easier to just email post@posterous.com and forget about it. Even though it would be in my address book and it would probably be fairly easy to find, the cognitive overhead of having to think about this long string of numbers is not worth the tiny increase in security. Most people (mere mortals) would see this string of letters and numbers, see the instructions to “add this to your address book”, and then leave.
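To make the two sides of this tradeoff concrete, here is an added example (mine, not Posterous's code) of what a post-by-email receiver has to do so that a forged From header is not enough on its own, plus the per-blog "GUID address" alternative from the paragraph above. The MTA name, the owner registry and both sample messages are constructed for the example.

```python
import email, hashlib, hmac, re
from email import policy
from email.utils import parseaddr

# Constructed samples: both claim to come from the blog owner; only the second was DKIM-signed by example.com.
FORGED_POST = b"""From: owner@example.com
To: post@posterous.example
Subject: Forged post
Authentication-Results: mx.posterous.example; spf=fail smtp.mailfrom=attacker.example; dkim=none

Looks like it came from the owner, but nothing proves it.
"""
GENUINE_POST = b"""From: owner@example.com
To: post@posterous.example
Subject: Real post
Authentication-Results: mx.posterous.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Signed by the owner's mail provider.
"""
TRUSTED_AUTHSERV = "mx.posterous.example"            # assumed id of our own inbound MTA
BLOG_OWNERS = {"owner@example.com": "example-blog"}  # assumed owner registry

def dkim_passed_domains(msg):
    """Domains with dkim=pass, taken only from Authentication-Results headers our own MTA added."""
    passed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = str(hdr)
        authserv = re.match(r"\s*([^;\s]+)\s*;", hdr)
        if not authserv or authserv.group(1) != TRUSTED_AUTHSERV:
            continue  # a sender can add an A-R header of their own; ignore those
        for m in re.finditer(r"dkim=pass(?:\s+\([^)]*\))?\s+header\.d=([\w.-]+)", hdr):
            passed.add(m.group(1).lower())
    return passed

def accept_post(raw):
    """Return (blog, reason). The From header by itself is never treated as a credential."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    blog = BLOG_OWNERS.get(addr)
    if blog is None:
        return None, "unknown sender"
    if addr.rsplit("@", 1)[-1] not in dkim_passed_domains(msg):
        return None, "From not DKIM-authenticated"
    return blog, "ok"

def private_post_address(blog, server_secret):
    """The per-blog 'GUID address' alternative: unguessable, but hard for a person to remember."""
    tag = hmac.new(server_secret, blog.encode(), hashlib.sha256).hexdigest()[:32].upper()
    return f"{tag}@posterous.example"
```

With the checks above, the forged message is rejected even though its From address matches the owner, while the genuine one is accepted; the secret address trades that server-side check for a string the user has to keep somewhere.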
There is no problem to solve here. This is not a security breach. Posterous is functioning the way it’s supposed to — it’s still extremely easy to use! Trying to fix this kind of rare security breach by sacrificing customer experience is like McDonald’s placing a gigantic poster in each restaurant saying “ONE REFILL PER CUSTOMER” just because a few people abuse the system. Sure, if Posterous can prevent such things from happening without sacrificing the user experience by putting in place some anti-fraud systems — which they have already, and which work often — that’s something they should do.