Maybe a blog post saying "Yes, we acknowledge that we deliberately ignored major portions of security practices and just did whatever got us market share fastest. We can't change the past, but we're going to clean house and do privacy and security for real from now on, and we hope you'll stick with us, or come back after we've fixed <pointing to all of this>."
That's pretty much what this blog post is, with just a little bit more PR speak.
And I'm honestly surprised that it is not totally watered down, it's not just PR speak and user blaming, but makes some clear points. The base defense is bad - that it was for fewer users and contexts before changes nothing - but it at least includes the "we will focus on that now, honestly". That's not bad already.
We could read the PR blurb from the company that engineered for security and privacy before getting features in place users wanted, but we can't. They're not making a blog post because they ran out of runway money, having failed to get a product in users' hands in time for anyone to care about their existence.
Maybe the only way to get useful code that starts off secure is to start it open source? That way, even if it takes "forever", there's no profit motive or need to rush into adoption...
I'm trusting for-profit software less and less and less by the decade.
There are open-source videoconferencing solutions floating around on the Internet.
But they don't have the traction of the videochat-as-a-service options because those options have financial incentive to set up servers, configure them, solve those parts of the puzzle for users, make onboarding frictionless, etc.
I'm afraid I don't think open source would be a panacea for this problem, because if there's one thing we've observed from the world of open-source and online software, it's that most users adopting an open-source solution have to become their own sysadmin too, and a lot of otherwise-competent hackers are profoundly bad at the ever-moving arms race that is "hosting a secure software service online." Distributing the security maintenance burden doesn't make it easier to solve.
We could get there if, hypothetically, companies cared enough about security to demand that all the software running on (at least) the client machines and (ideally) the service-provider's servers was open-source so they could trust the security model via an audit by their own eyeballs. Then closed-source operations would lose out in the marketplace to open-source outfits because enterprise would only do business with the open-source ones.
Very much agree. Look at email, a system with far fewer real-time performance demands, excellent fault and outage tolerance, and many excellent open-source mail transfer agents.
What percent of the internet user base runs their own email server? What percent of even news.yc readers do?