This week, while a fascinating story plays out in the cloud between cloud-based Twitter, journalists at TechCrunch, and a hacker named Hacker Croll, I ponder the future. A password that is easy to remember is conveniently usable, but it can also be easily guessed, which is apparently what kicked off this whole story and led to TechCrunch publishing sensitive Twitter information, including revenue forecasts and downright inspirational business plans.
As a result, I not only ponder, but dream about a truly fictional fantasy future in which all business plans are open-sourced, nobody has any reason to hide in secrecy and fear, and competition-of-the-fittest has evolved into a new kind of collaboration in general.
Ah, but then I wake up. In the meantime, I recount this story in three phases (each phase has its own particular set of idiosyncrasies), then frame what I think are some highly relevant resultant questions below.
Part I: Breach — Hackers: So understood, they’re almost rendered blameless?
April 29: Hacker Croll boasts how he/she hacked Twitter on an online forum
April 30: Twitter reports unauthorized access and talks about updated security
May 1: PC World reports on this and first names Hacker Croll:
Hacker Croll claimed to have accessed Goldman’s Twitter password by first gaining access to his Yahoo account. “One of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her [sic] twitter password,” Hacker Croll said Wednesday in a posting to an online discussion forum. “I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection.”
Part II: Publication — A question of ethics?
July 14: TechCrunch gets into the game with a report on the hacking. As Twitter co-founder Evan reported to TechCrunch:
– He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
– There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
– He also successfully targeted a couple other employees’ personal accounts (Amazon, AT&T, Paypal…)
July 14: TechCrunch’s Michael Arrington discloses that Hacker Croll has sent them the stolen information. Seemingly finding himself in a dilemma, he admits spending most of the evening reading through the various docs – including personal emails, business plans, and floorplans – and apparently trying to figure out whether it’s ethical to publish them.
Despite his apparent dilemma, he decides:
There is clearly an ethical line here that we don’t want to cross, and the vast majority of these documents aren’t going to be published, at least by us. But a few of the documents have so much news value that we think it’s appropriate to publish them.
July 14: TechCrunch publishes its first exposé, unveiling plans for a Twitter reality TV show.
The whole pitch deck is published, with Arrington dismissing his ethical dilemma thusly:
I can’t imagine even Twitter cares that we’re posting this pitch deck from Through Eyes Productions that outlines the idea for a reality television show called Final Tweet.
July 15: TechCrunch publishes the big bomb: Twitter’s financial forecast including revenue and growth. Twitter (of course) and the rest of the blogosphere goes wild with the news.
Arrington opens this post apparently in concert with Twitter’s lawyers:
Our negotiations with Twitter (or rather Twitter’s lawyers) over our intention to publish a small subset of the 310 hacked confidential documents continue. We published the first document, a pitch for a reality television show called Final Tweet, earlier this morning.
July 15: TechCrunch dings Twitter for using an obviously guessed password (“password”).
The author deduces that this is an indication of Twitter’s lax security in general:
Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.” Although no user accounts were compromised or accessible, the vulnerability speaks to a greater culture of lax security at the startup, and may be indicative of how earlier breaches possibly occurred.
Part III: Aftermath — What really happened here? Where do we go next?
July 15: Arrington reacts to the rapidly trending response.
Calling it “Ethics 101,” the rationale goes like this:
Let’s put aside the highly sensitive documents that we aren’t going to publish, but which will likely end up on the Internet anyway. We’re not going to post that information whether we have the legal right to or not. No discussion is needed.
Other key and intriguing excerpts:
We publish confidential information almost every day on TechCrunch. This is stuff that is also “stolen,” usually leaked by an employee or someone else close to the company, and the company is very much opposed to its publication. In the past we’ve received comments that this is unethical. And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news.
It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions. We’ve been sitting in the office for eight hours now debating what the right thing to do is in this situation. We’ve spoken with our lawyers. We’ve spoken with Twitter. And we’ve heard what our readers have to say. All of that factors into our decision on what to post or not to post.
Arrington’s bottom line:
Hopefully the embarrassing and sensitive stuff about individual employees will never see the light of day. And hopefully this situation will encourage Google and Google users to consider more robust data security policies in the future.
July 15: Word from Twitter: “Twitter, Even More Open Than We Wanted.”
From Twitter’s side of the story:
This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan’s wife’s personal email was hacked and from there, the hacker was able to gain access to some of Evan’s personal accounts such as Amazon and PayPal but not email. This isn’t about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.
And finally, though hardly the last word in this story, two items from today, July 16. From TechCrunch: Twitter’s Internal Strategy Laid Bare: To Be “The Pulse Of The Planet,” in which the story gets really interesting and the business plan sees some startling, and even inspiring (despite its origins), light of day. And from Twitter: Someone Call Security, in which Twitter once again reiterates how this happened and talks about their commitment to security.
Most important in the aftermath is the opportunity this has offered us to raise questions, and to address them. This bears a lot of relevance for any kind of online interaction (and thus, rapidly, for just about any business model) going forward. Among the questions in my mind, none of which are clearly settled, and about which I welcome your opinions:
- What does it mean for the cloud?
I’d address this first with a sub-question: Does the cloud actually have the most to do with this? Yes, Twitter is hosted on the Amazon cloud. But I’ve also heard a lot about the Google cloud in this, and I wonder what exactly people mean when talking about the two. As far as I understand, no Amazon cloud-based services were breached in this scenario. Passwords were guessed, and then subsequently stolen by breaking into a Yahoo (and later a Google) email account through its password recovery question. Does this indicate a security issue specifically with Twitter, and furthermore, with the cloud?
- What does it mean for ethics and rule of law on the Internet?
I was tempted at least at first glance to frame this as the more important question. Is it as simple as this? Private information was at least violated – and perhaps “stolen.” If you come across stolen goods, do you resell them? Is that what TechCrunch did?
- What does it mean for Internet identity?
This is the greater overriding theme, I think. This is how it started out, in my understanding. Let’s just say for fun that I lived on Sesame Street growing up. When I sign up for a Yahoo email account, I choose a password and congratulate myself for not being so risky as using my childhood street name (or the name of my dog, my goldfish, or my mother’s maiden name) as my password. However, I get to answer a security question in case I forget my password – and what do I perhaps use as the answer to my security question? Sesame Street. More importantly, is that answer easily ascertainable on the Web, via clever Internet searching? Probably yes, if I ever blogged about where I grew up. There’s the rub.
So what’s the bottom line? Do we need to all be more careful and not choose “easy” passwords and security answers (in other words, those we can possibly remember – which are also therefore easily guessed)? Or do we need to rethink passwords, online IDs, and, at the least, password recovery systems to respect privacy in a different way? Or should we never use something like Twitter “seriously”? Or all, neither, or something else entirely?
Or is there reality in my dream world, moving forward, of a totally transparent world through likewise transparent, cooperative and open clouds?
One clear answer: in any case, these are questions we’ll need to address going forward.
Here’s a long follow-up from TechCrunch with a good, concise takeaway:
“What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.”
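The two practical points in this story, that a recovery answer which is easy to find on the web is no better than the password “password,” and that one reused password lets a single account compromise spread to others, can be made concrete. The following is an added example, not code from the original post, from TechCrunch or from Twitter. It treats a recovery answer like a password: it flags answers that are short or match a constructed list of facts someone might have blogged about, generates a random answer meant to live in a password manager (the “answer those questions falsely” advice from the quote above), stores it as a salted, iterated hash, and compares in constant time. A final helper reports which services in a constructed credential list share a password. All lists and values here are hypothetical.

```python
import hashlib
import hmac
import os
import re
import secrets
from collections import defaultdict

# Constructed sample of "facts" that are often discoverable online about a person
# (childhood street, pet names, mother's maiden name). Hypothetical values.
PUBLIC_FACTS = {"sesame street", "rex", "goldie", "smith"}

# Constructed sample of guessable strings; the breach in the story involved "password".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware improves


def normalize(answer):
    """Lower-case and collapse whitespace so 'Sesame  Street' matches 'sesame street'."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def is_weak_answer(answer, public_facts=PUBLIC_FACTS):
    """True if a recovery answer is short, a known weak password, or a lookup-able fact."""
    a = normalize(answer)
    return len(a) < 8 or a in COMMON_PASSWORDS or a in public_facts


def generate_recovery_answer(nbytes=16):
    """Random, high-entropy answer; it belongs in a password manager, not in memory."""
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return salt, digest


def verify_answer(answer, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison so timing does not leak how much of the answer matched."""
    _, candidate = hash_answer(answer, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def find_reused_passwords(credentials):
    """Group service names that share a password; returns sorted lists of services.

    `credentials` maps service name -> password (a constructed, offline sample).
    Only groups of two or more services are reported.
    """
    by_password = defaultdict(list)
    for service, password in credentials.items():
        by_password[password].append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed walk-through mirroring the story: a recovery answer that is a blogged fact.
    print("Sesame Street weak?", is_weak_answer("Sesame Street"))
    strong = generate_recovery_answer()
    print("random answer weak?", is_weak_answer(strong))
    salt, digest = hash_answer(strong)
    print("verify correct:", verify_answer(strong, salt, digest))
    print("verify wrong:  ", verify_answer("Elm Street", salt, digest))
    # Constructed credential set: one password shared across an email account and Twitter.
    sample = {"yahoo-mail": "hunter2", "twitter-admin": "hunter2", "amazon": "x9!Lq"}
    print("reused across:", find_reused_passwords(sample))
```

The design choice worth noting is that the recovery answer gets exactly the treatment a password gets: random generation, salted and iterated hashing, constant-time verification. A recovery question that is answered with a true, searchable fact is a second, weaker password on the same account, which is the gap the quote above describes.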