Re: Is Basecamp - risky?

["Jax Lion" <jv4l1n4 () gmail com>]

XSS is a serious concern and my other concern is how customer's
data/information is handled

http://www.basecamphq.com/terms.html

Security does not seems high on their priority list. Based on their
terms and policies, they put the onus on the user on having the rights
and responsibility over their submitted data. You will not be able to
hold them responsible should anything bad happens to your data or your
service by agreeing to their terms.

It seems to be a great tool and excellent for collaboration and
communications.  However, spidey senses are tingling... <almost
deafening>

Thanks for the scary thought Jay - "you are owned and dont even know it"

Does anyone knows of secure alternatives that is not "clunky".


On 9/19/07, Jay <jay.tomas () infosecguru com> wrote:
> <rant>
>
> Ummm their response has stated they will not fix  or worry about their XSS  issues because they feel 
> internal/intranet is their prime audience. I would bet this isnt in their marketing material or their greedy little 
> sales teams presentations.
>
> You dont develop insecure products and then rely on other detective controls to save your proverbial buttocks.
>
> Your statement that you have had not negative issues, no attacks no exploits cane be boiled down to 2 things:
>
> Your lucky or you are owned and dont even know it.
>
> Security Basics = Start with secure products and be wary of such rhetoric or ummm philosophy on development that 
> doesnt include fundamental bug fixing that could lead to compromise.
>
> <endrant>
>
> Jay
>
> ----- Original Message -----
> From: Eric Marden [mailto:security () xentek net]
> To: security-basics () securityfocus com
> Sent: Sat, 15 Sep 2007 12:44:38 -0400
> Subject: Re: Is Basecamp - risky?
>
>  > So the short answer is: Don't use Basecamp if you care about
> security.
>
> But how many products, services, and just about everything on the
> internet can this be said about?
>
> I have used Basecamp for over a year, and have had no negative side
> effects.
>
> No attacks, No exploits, no data loss or leakage.
>
> David's answer may not have satisfied the hardcore security geek in
> Jax, but it goes along with their philosophy of development (look at
> the 37 signals site for their eBook on the subject). Which is not to
> say that their philosophy is inherently secure or insecure - but if
> the people you are giving access to are going to muck about and try
> to break it, then that's more of a social problem, than a technical one.
>
> I for one found it to be a great tool, and highly recommend it.
> ActiveCollab is another one to keep your eye on.
>
>
> -= Eric Marden =-
> http://www.linkedin.com/in/xentek
>
> On Sep 14, 2007, at 3:17 PM, fukami wrote:
>
> > On 14.09.2007, at 16:53, Jax Lion wrote:
> > > http://www.basecamphq.com/index
> > >
> > > Has your company or client use this tool or similar? What are the
> > > risk
> > > of online collaboration tools? What were the steps taken to reduce
> > > the
> > > risk?
> >
> > My old company used Basecamp. It has still a lot of XSS problems. I
> > told David Heinemeier Hansen who answered the following:
> >
> > > You can insert HTML many places in Basecamp by design. That's
> > > because the system is not public and working under the assumption
> > > that you only give access to people you trust. Which is very
> > > different from, say, an online discussion forum where everyone has
> > > access (and where you do need to worry about XSS).
> > > --
> > > David Heinemeier Hansson
> > > Team Basecamp
> >
> > That was more than a year ago. In between DanBUK and me had some
> > fun with an automation POC of time management and I used a (non-
> > public) Basecamp AIR app for demonstrating an account take-over.
> >
> > So the short answer is: Don't use Basecamp if you care about security.
> >
> >
> > Take care,
> >   fukami