Tsunami Warning San Francisco, and other dirges in the dark

A peek at “local media” during a disaster in the dead of night

Disasters – natural or otherwise – don’t always strike at reasonable hours – and when an insistent pounding on the front door woke me from a deep sleep early in the morning of Friday, March 11, it wasn’t a reasonable hour.

It was 1:30am and our neighbor had woken us to tell us about the hugely incomprehensible 8.9 (later revised to 9.0) earthquake in Japan — and to warn us of the massive tsunami headed our way.

I then proceeded to try to figure out what was really going on — and what, if anything, to do about it. I pored over the tweets for credible news, first relieved that our good friends in Japan were safe, second reading about terrible devastation, in-between baffled by regular life apparently continuing with #ipad2 and #sxsw, and finally trying to parse the warnings about the West Coast of the USA, where I lay awake all night.

Tsunami warning San Francisco Bay Area - from National Weather Service at http://www.wrh.noaa.gov/mtr/

On the Web beyond the tweets, I gaped at incredible maps with great red bands all up and down the coast of Northern California – red meaning “warning” – and “warning” apparently meaning, according to the automatically generated Tsunami information I could find, evacuate.

While I tried to parse this information to figure out whether I did, in fact, need to pack my family up and ship out, the official word from San Francisco’s Department of Emergency Management was to “monitor local media for updates.” “Which local media would that be?” said SF friend @jamiedsongs. Good question.

At SFGate, the Web site that backs San Francisco’s major newspaper the San Francisco Chronicle, the lights were on but there appeared to be nobody home.

SFGate in the early morning on March 11, 2011

Though it had apparently been (automatically?) alerted to the major quake and tsunami, the front page was obviously stale to say the least, advising “no warning for CA coast” when the National Weather Service had already stuck us in the red “Tsunami Warning” category. Featured feeds were truly strange (live TV from Al Jazeera? Live blog from WSJ?) or virtually irrelevant (a quake details page leading to California earthquakes).

Automatic news is often worse than no news at all. I desperately wished for the “local media” to wake up and interpret all of this.

The only live person I found anywhere close to SFGate was featured columnist Jeanne Cooper, @Hawaii_Insider, who was putting out actual analysis in real-time and for whom I felt immensely thankful.

There was also sign of life at a site I had never previously relied on for news, California Beat, but this wasn’t entirely reassuring when a masthead mistakenly read “Tsunami evacuations issued for Bay Area.”

Tsunami evacuations on California Beat -- later retracted

At 4:49am San Francisco Mayor Ed Lee tweeted with a welcome voice of official authority, at last saying that although San Francisco had activated the Emergency Operations center, there was no evacuation ordered.

But still the giant wave was coming. BART indicated they might close down entirely between peak Friday morning commute hours of 7-9am (or they might not), while waiting to see the extent of the hit on Hawaii (which was thankfully minimal) and then later Crescent City — which was not spared.

At the exact moment of tsunami impact in Crescent City, local newspaper the Daily Triplicate was apparently automatically chirping birth announcements (several weeks late), while thetriplicate.com Web site was down.

Crescent City Daily Triplicate, around 7:30am on March 11, 2011

In this age of information overload, I realized I knew where to go for tons of information and in real time, but not where to go for the right, local information. It was a bizarre world online throughout the night, but bizarre was trivial compared to the real tragedies unfolding across the Pacific in Japan.

The current big problem of information during disasters is that these places we rely on for local, up-to-date news, like all-too-often the cities themselves, are suffering economic woes. I don’t know much about Crescent City’s Daily Triplicate, but it’s likely to be in as much financial peril at the moment as its devastated harbor city itself.

Aside from wishing the very best and holding out hope for Japan and the global community, I only hope existing news channels can materialize the real opportunities that exist here and survive and evolve, not necessarily in that order. Until then, we have each other, in the middle of the night, on Twitter…

And while Lenin read a book on Marx
The quartet practiced in the park
And we sang dirges in the dark
The day the music died

Don McLean – American Pie

Twitter, TechCrunch, and Hacker Croll: No Sacred Clouds?

Twitter Confidential: Image from TechCrunch

This week, while a fascinating story plays out in the cloud between cloud-based Twitter, journalists on TechCrunch, and a hacker named Hacker Croll, I ponder the future. A password can be usably convenient if easy to remember, but can also be easily hacked — which apparently kicks off this whole story, which led to TechCrunch publishing sensitive Twitter information including revenue forecasts and downright inspirational business plans.

As a result, I not only ponder, but dream about a truly fictional fantasy future in which all business plans are open-sourced, nobody has any reason to hide in secrecy and fear, and competition-of-the-fittest has evolved into a new kind of collaboration in general.

Ah, but then I wake up. In the meantime, I recount this story in three phases (each phase has its own particular set of idiosyncrasies), then frame what I think are some highly relevant resultant questions below.

Part I: Breach — Hackers: So understood, they’re almost rendered blameless?

April 29: Hacker Croll boasts how he/she hacked Twitter on an online forum

April 30: Twitter reports unauthorized access and talks about updated security

May 1: PC World reports on this and first names Hacker Croll:

Hacker Croll claimed to have accessed Goldman’s Twitter password by first gaining access to his Yahoo account. “One of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her [sic] twitter password,” Hacker Croll said Wednesday in a posting to an online discussion forum. “I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, np sql injection.”

Part II: Publication — A question of ethics?

July 14: TechCrunch gets into the game with a report on the hacking. As Twitter co-founder Evan reported to TechCrunch:

Some notes:
– He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
– There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
– He also successfully targeted a couple of other employees’ personal accounts (Amazon, AT&T, Paypal…)

July 14: TechCrunch’s Michael Arrington discloses that Hacker Croll has sent them the stolen information. Seemingly finding himself in a dilemma, he admits spending most of the evening reading through the various docs – including personal emails, business plans, and floorplans – and apparently trying to figure out whether it’s ethical to publish them.

Despite his apparent dilemma, he decides:

There is clearly an ethical line here that we don’t want to cross, and the vast majority of these documents aren’t going to be published, at least by us. But a few of the documents have so much news value that we think it’s appropriate to publish them.

July 14: TechCrunch publishes its first expose, unveiling plans for a Twitter Reality TV Show

The whole pitch deck is published, with Arrington dismissing his ethical dilemma thusly:

I can’t imagine even Twitter cares that we’re posting this pitch deck from Through Eyes Productions that outlines the idea for a reality television show called Final Tweet.

July 15: TechCrunch publishes the big bomb: Twitter’s financial forecast including revenue and growth. Twitter (of course) and the rest of the blogosphere go wild with the news.

Arrington opens this post apparently in concert with Twitter’s lawyers:

Our negotiations with Twitter (or rather Twitter’s lawyers) over our intention to publish a small subset of the 310 hacked confidential documents continue. We published the first document, a pitch for a reality television show called Final Tweet, earlier this morning.

July 15: TechCrunch dings Twitter for using an obviously guessed password (“password”).

The author deduces that this is an indication of Twitter’s lax security in general:

Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.” Although no user accounts were compromised or accessible, the vulnerability speaks to a greater culture of lax security at the startup, and may be indicative of how earlier breaches possibly occurred.

Part III: Aftermath — What really happened here? Where do we go next?

July 15: Arrington reacts to the rapidly trending response.

Calling it “Ethics 101,” the rationale goes like this:

Let’s put aside the highly sensitive documents that we aren’t going to publish, but which will likely end up on the Internet anyway. We’re not going to post that information whether we have the legal right to or not. No discussion is needed.

Other key and intriguing excerpts:

We publish confidential information almost every day on TechCrunch. This is stuff that is also “stolen,” usually leaked by an employee or someone else close to the company, and the company is very much opposed to its publication. In the past we’ve received comments that this is unethical. And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news.

It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions. We’ve been sitting in the office for eight hours now debating what the right thing to do is in this situation. We’ve spoken with our lawyers. We’ve spoken with Twitter. And we’ve heard what our readers have to say. All of that factors in to our decision on what to post or not to post.

Arrington’s bottom line:

Hopefully the embarrassing and sensitive stuff about individual employees will never see the light of day. And hopefully this situation will encourage Google and Google users to consider more robust data security policies in the future.

July 15: Word from Twitter: “Twitter, Even More Open Than We Wanted.”

From Twitter’s side of the story:

This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan’s wife’s personal email was hacked and from there, the hacker was able to gain access to some of Evan’s personal accounts such as Amazon and PayPal but not email. This isn’t about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.

And finally, though hardly the last word in this story, two from today, July 16: from TechCrunch, Twitter’s Internal Strategy Laid Bare: To Be “The Pulse Of The Planet,” in which the story gets really interesting and the business plan sees some startling, and even inspiring (despite its origins), light of day; and from Twitter, Someone Call Security, in which Twitter once again reiterates how this happened and talks about its commitment to security.

Most important in the aftermath is the opportunity for questions — and for addressing these questions — this has offered us. This bears a lot of relevance for any kind of online interaction (and thus rapidly just about any business model) going forward. Among the questions in my mind, none of which are clearly settled, about which I welcome your opinions:

  • What does it mean for the cloud?
    I’d address this first with a sub-question: Does the cloud actually have the most to do with this? Yes, Twitter is hosted on the Amazon cloud. But I’ve also heard a lot about the Google cloud in this and I wonder what exactly people mean when talking about the two. As far as I understand, no Amazon cloud-based services were breached in this scenario. Passwords were guessed, and then subsequently stolen via hacking into a Yahoo (and later a Google) email account. Does this indicate a security issue specifically with Twitter, and furthermore, with the cloud?
  • What does it mean for ethics and rule of law on the Internet?
    I was tempted at least at first glance to frame this as the more important question. Is it as simple as this? Private information was at least violated – and perhaps “stolen.” If you come across stolen goods, do you resell them? Is that what TechCrunch did?
  • What does it mean for Internet identity?
    This is the greater overriding theme, I think. This is how it started out, in my understanding. Let’s just say for fun that I lived on Sesame Street growing up. When I sign up for a Yahoo email account, I choose a password and congratulate myself for not being so risky as using my childhood street name (or the name of my dog, my goldfish, or my mother’s maiden name) as my password. However, I get to answer a security question in case I forget my password – and what do I perhaps use as the answer to my security question? Sesame Street. More importantly, is that answer easily ascertainable on the Web, via clever Internet searching? Probably yes, if I ever blogged about where I grew up. There’s the rub.

So what’s the bottom line? Do we need to all be more careful and not choose “easy” passwords and security answers (in other words, those we can possibly remember – which are also therefore easily guessed)? Or do we need to rethink passwords, online IDs, and, at the least, password recovery systems to respect privacy in a different way? Or should we never use something like Twitter “seriously”? Or all, neither, or something else entirely?

Or is there reality in my dream world, moving forward, of a totally transparent world through likewise transparent, cooperative and open clouds?

One clear answer: in any case, these are questions we’ll need to address going forward.

The Curious and Somewhat Awkward Case of Social Networking Inside the Enterprise

Ross Mayfield - Socialtext

Thanks to a great internal team at my company called SAP Research, we’ve been treated to a series of visits at SAP in Palo Alto from prominent Silicon Valley social media figures. Last week, we saw Ross Mayfield (Chairman, President & Co-founder of Socialtext — “The first wiki company and leading provider of Enterprise 2.0 solutions”) talk about “Putting Web 2.0 to Work; Social Software in the Enterprise.”

If you haven’t already noticed, “the old notion of the workplace is changing,” says Mayfield.

Employees aren’t punching time clocks anymore. Today, more employees are spending more time working remotely, and many of today’s companies have employees working together on the same projects from different corners of the globe in separate time zones. This creates changes to the way people work. …
Ultimately, the more effortlessly employees can communicate, collaborate and share new insights with one another, the faster an organization can respond to changing customer expectations and business conditions.

This “new world of the workplace” has ramifications that reach far beyond just how you gossip with your colleagues. For example, according to some, instant-messaging-like activity streams such as what we see in microblogs like Twitter have the potential to disrupt or even replace what we know of today as the supply chain. “Web 2.0 technologies re-shape the way Enterprises do business,” underscores Mayfield, “including how their employees communicate and collaborate and how these businesses interact with their partners, suppliers and customers.” My Twitter-stream tells me this is also a point espoused by Twitterer Steve Gillmor – in his http://www.techcrunchit.com/ blog.

While Mayfield makes a strong, easy-to-understand case for how transformative these technologies are to the Enterprise, he also expresses understanding for the common issue of Enterprise-internal social media adoption. Not only is it tricky to “keep your work identity separate from your personal identity,” it also can be seen as hard to open up YET ANOTHER channel when you’re already overloaded with your email inbox.

One key to this — especially internally — is to “use your own social network as the filter.” You may not have called it “social networking” before, but you have already been working this way since your first day on the job — and here I don’t just refer to engineer-hackers who have been wielding the backchannel for a number of years already through IRC and other chat functionality. “The way people solve exceptions is by turning to their internal network inside their company,” Mayfield continues. In some ways, the new media are merely underscoring the importance of the old notions such as influence and popularity. While that’s hardly news, never before has it been as easy to interact with — and add to — your social network, despite company, physical, and even geo-political boundaries.

Evan Prodromou - Laconica, Identi.ca

As a case in point, in the same SAP Research series, a couple weeks ago, we got to watch another prominent social media figure, Evan Prodromou (the developer and entrepreneur behind microblogging site Identi.ca and its software foundation, Laconica) also hold forth about the point of this newish phenomenon of “Enterprise microblogging.” Prodromou’s bottom line seems to be that while microblogging is here to stay, Twitter may be a passing fancy, and the key is in opening up the infrastructure and providing the foundational tools. Drawing an analogy between how Apache was instrumental in pushing the Web forward, his open source Identi.ca / Laconica platform paints a future of “a different microblog universe” in which “the future is a federated microblogging world” involving “thousands to millions of microblogging services, all interconnected by an open protocol.” Calling Laconica “the WordPress of microblogging,” Prodromou says he hopes it will play the same kind of role “that Sendmail and Apache have played in their respective digital media.”

But Prodromou openly pondered whether the notions of influence, so key to external social networks, would be as relevant inside an Enterprise. While who’s “important” and who’s an influencer inside of your company may hardly be who you’re having cocktails with on Saturday night, who you “follow” and connect with via your internal social networks is going to be a growing trend to watch. Is everyone going to automatically be following everyone, or do you follow the “right” people? Are you yourself considered “an influencer” at your company?

One bottom-line of clarity for microblogging in the Enterprise upon which people agree is the ease of adoption. The biggest impediment to the use of social media (not just inside the Enterprise) is to ramp up users to the software. “Getting users to use social media is very difficult,” says Prodromou, but “microblogging makes this MUCH easier. If you can get people to use short status updates, you get a lot of the benefits of the Enterprise 2.0 idea without a lot of pain from end-users.” Concepts of networking, of groups, of following and followers and of influence – they’re all there as much as on a more intensive application such as Facebook or Cubetree, but all you need to do is write 140 characters every now and then about what you’re doing. “The training time will be about 10-15 minutes” to use microblogging.

In the end, whether online or offline, internally or externally, micro- or macro-blogging, it’s the “combination of people and tools that make up how this is going to work.” The people — YOU — are the key to the transformation of any Enterprise.

Partially abridged from an Enterprise-internal blog post.