By now, most users of Twitter know of what’s come to be called “Twitfail” — French hackers gained access to the personal email accounts and passwords of top executives at Twitter. To prove it, they emailed a large cache of internal strategy documents to the widely-read Silicon Valley blog TechCrunch. After agonizing over it for a bit, and after informing Twitter executives, TechCrunch published some of the documents.
According to a recap of how the hacker (“Hacker Croll”) got it done: “The list of services affected either directly, or indirectly, are some of the most popular web applications and services in use today – Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal and iTunes.”
Hacker Croll didn’t crack the main Twitter network first — he cracked the founder’s Gmail password. Once into that playground, he had access to almost everything. Twitter executives shared and interacted on a number of publicly available platforms, just like many people do. For any email user who uses Gmail, Yahoo, Hotmail, or any other public “cloud” service: imagine if you were a high profile person. In other words, a target. Now imagine what damage a dedicated person could do if they got full access to your email. You probably have usernames and passwords in there. You probably have password reminders too (pet names, for instance). On your public profile on Facebook or somewhere else, maybe you’ve mentioned where you were born.
With all this information, it’s possible to to do a lot of damage. According to Nik Cubrilovic of TechCrunch:
Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. The end result was chaos, and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.
It does indeed raise a few questions. The first is, “What can I do to make sure this does not happen to me?” You are probably already doing it — by not being famous. While it is straightforward for a dedicated person to crack another’s accounts, it takes time and energy (unless you do something silly to make it easy like use an obvious word like “password” for your password).
More interesting to me, though, is a question about current online culture in general. The space rewards funky startups with moxie and attitude. Enterprises started on a good idea, Red Bull, and (later) a small tranche of VC capital. This is a culture where even between competitors there is a high degree of trust and everyone is using the same tools (Gmail, Google Apps, etc.). It’s like everyone is locking their front doors, but they leave their cars unlocked and park them in the same lot.
Video producer Loren Feldman has a scathing critique of Twitter’s security (which uses a few bowling words, so you might want to put earphones on if you are at work):
It’s easy to say this has got to change. But a rampant culture of collaboration is part of what makes so much creativity possible. People can work together on new things seamlessly, with very little friction. So it’s a trade off.
In such a situation, if you are the owner of a business — at what point do you realize you need to get serious about your personal security? Sure, the easy answer is “When you form your company.” But that’s not the issue. When do you decide to take the large step, perhaps, of resetting every one of your personal passwords? The inertia against doing that is high. Knowing what you now know, are you going to run out and change all your passwords so each one is different, unique, and unguessable? I didn’t think so.
One answer, I think, is that a few large sites ought to become just a little less user friendly. It should be much harder to regain a lost password or reset a password. (If I know your dog’s name, I might be able to fool the “remind me my password” function of your favorite site just by guessing what your username might be.) But the user-friendliness is what has allowed such comanies to thrive. Again, a trade-off.
How do we secure a system that relies on ease-of-use? That’s the key question. The very thing that has allowed today’s culture is the thing that could be its downfall. This is something we need to pay attention to.
Whoever answers it will become very wealthy.