Humiliating a company obsessed with not being humiliated
Companies lie, protect and hide information about breaches with every fiber of their being. It’s just not something we have access to. That doesn’t mean we are wrong.
Hitchens’s razor is “What can be asserted without evidence can also be dismissed without evidence.” This is something difficult for startups to avoid, particularly in information security. Enveloperty’s evidence consists of others’ data and statements, and of logical assertions based on them. But we are constantly hamstrung by an inability to conduct real research.
Most businesses are secretive under the best of circumstances. Information security is difficult for two reasons. Firstly, a failure in this sector always comes with a significant punishment: customers cancel accounts and send hate mail, the company gets bad PR, and it may be liable for damages. Secondly, and much more nuanced, most security breaches aren’t realized until they are published. If someone is shot, it is usually quite obvious. There is a loud bang. Then someone bleeds and/or drops. Conversely, who realizes that their credentials or information have been sold on the black market? Until an extractor tries to convert those credentials into money by committing identity theft or the like, who knows?
All of this contributes to why companies rigorously suppress any information about infosec issues. At the best of times they communicate primarily with vendors they have already adopted. So imagine our position as a startup trying to get that information. Short of dumping money on the problem, it is an issue to be solved at a later time. So do be kind to our conjectures, unless of course you can prove them wrong.