Just a quick commentary on the hack into Twitter's corporate records on Google (GOOG) Apps that was recently published on TechCrunch. I don't think they used any unique hacking skills; they just guessed someone's password and got access to all the corporate documents (salary info, competitive threats like Facebook and Yahoo, deals with Google, Microsoft, etc.). They also got financial projections and cap tables, pretty much the worst stuff to have public.
Pretty much a catastrophic loss of security. That's got to be a super grumpy board right about now. The CEO tried to get Arrington not to post this stuff, and some of the exchange could be followed on Twitter in real time as TechCrunch revealed it had all the documents and that publication was imminent.
The last time Twitter made a boo boo, it was a bit less harmful. They had a job opening and sent out the rejection letters via email with all the names in the "To" field. That is bad news for folks who maybe didn't want their boss to know they were looking for a job. The CEO did a good job of covering for it, though, with a "Hey, some of those folks didn't even apply," which is pretty much the best cover story you could use (kinda the only one).
In any event, the great thing about cloud computing is that your documents are accessible anywhere, but that can also be a big security problem.
One idea for a workaround is to have some "widget" running in the background that is downloadable from anywhere, so you are still technically cloud computing. It would have at least a few main features to protect against password phishing. Here are a couple of ideas around location-based security for the "cloud":
1) It could restrict some documents from being viewed outside company headquarters without certain permissions. Even if permission is granted, it could send a notification of who is reading the document and a geolocation of where they are. That is a feature that would actually make the security greater than what you find in Microsoft Office (MSFT).
2) It is only required to run if a user-selectable option is designated. Most people don't need the extra layer that corporate users do.
3) It's another layer of password protection. If the widget isn't running, even a correct password won't log you in; it will just look like you entered a bad password. It should also track and report password-guess attempts to the IT administrator, including where the attempt is coming from if the location is available.
4) It has to be easy to use and run in the background.
5) The ability to add additional viewable locations to certain documents (the CEO's house, etc.), basically using a physical address or geolocation that can easily be entered and defined by groups, i.e., let the user come up with a security definition and assign sets of locations from which the document is viewable.
Big qualification: cloud computing security has not been a big area of investment, let alone experience. This just seemed like a logical idea to me.
Another, easier short-term option would be to require that access from a given computer be activated through a separate portal that generates a unique "cookie" that runs on that computer. At the very least, some option for extra passwords is needed.
I love Google Docs, but they gotta do something, and I'm surprised they don't already have some sort of method to add security (maybe they have one and I'm just not aware of it).
Here is a summary of what TechCrunch got its mitts on. They said they have some info on Microsoft and others that they won't publish:
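To make the two proposals above concrete (the location-group rules in items 1, 3 and 5, and the device "cookie" issued by a separate portal), here is an added example in Python. It is not Google Docs code or anything Twitter or Google ships; the group names `hq` and `exec-homes`, the document id `board-deck`, the user and device names, and all coordinates are constructed for illustration. It shows a per-device enrollment token stored only as a hash, a fail-closed location check against named groups, a denial message that looks exactly like a bad password (the widget layer stays invisible), and an audit log that records every attempt with its source location for the IT administrator.

```python
"""Toy access check for a cloud document store: per-document location groups plus a
per-device enrollment token from a separate portal. Added example, not Google Docs
or any real product's code; all names, coordinates and tokens are constructed."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Place:
    lat: float
    lon: float
    radius_km: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

# Named location groups an administrator can assign to documents
# (hypothetical group names, constructed coordinates).
LOCATION_GROUPS = {
    "hq": [Place(37.7816, -122.4043, 0.5)],
    "exec-homes": [Place(37.4500, -122.1800, 0.3)],
}

@dataclass(frozen=True)
class DocPolicy:
    doc_id: str
    location_groups: tuple  # groups from which the document may be viewed
    require_device_token: bool = True

class DeviceRegistry:
    """The 'separate portal': issues a random per-device token once and stores
    only its hash, so a leaked registry does not yield usable tokens."""
    def __init__(self):
        self._enrolled = {}  # (user, device_id) -> sha256(token)

    def enroll(self, user, device_id):
        token = secrets.token_hex(32)
        self._enrolled[(user, device_id)] = hashlib.sha256(token.encode()).hexdigest()
        return token  # handed to the computer as its "cookie"

    def verify(self, user, device_id, token):
        stored = self._enrolled.get((user, device_id))
        if stored is None or token is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(stored, presented)  # constant-time compare

@dataclass
class AccessRequest:
    user: str
    doc_id: str
    device_id: str
    device_token: Optional[str]
    lat: Optional[float] = None
    lon: Optional[float] = None

@dataclass
class Decision:
    allowed: bool
    user_message: str  # what the requester sees
    detail: str        # what the audit log records

class AccessChecker:
    def __init__(self, registry, policies):
        self.registry, self.policies = registry, policies
        self.audit_log = []  # in practice forwarded to the IT administrator

    def _in_allowed_location(self, policy, lat, lon):
        if lat is None or lon is None:
            return False  # fail closed when no location is available
        return any(haversine_km(lat, lon, p.lat, p.lon) <= p.radius_km
                   for g in policy.location_groups for p in LOCATION_GROUPS.get(g, []))

    def check(self, req):
        policy = self.policies.get(req.doc_id)
        if policy is None:
            d = Decision(False, "invalid credentials", "unknown document")
        elif policy.require_device_token and not self.registry.verify(
                req.user, req.device_id, req.device_token):
            # Same message as a wrong password, so the token layer stays invisible.
            d = Decision(False, "invalid credentials", "device token rejected")
        elif not self._in_allowed_location(policy, req.lat, req.lon):
            d = Decision(False, "invalid credentials", "outside permitted locations")
        else:
            d = Decision(True, "ok", "allowed")
        # Every attempt, allowed or not, is logged with who, what and where.
        self.audit_log.append({"user": req.user, "doc": req.doc_id, "device": req.device_id,
                               "lat": req.lat, "lon": req.lon, "detail": d.detail})
        return d

def build_demo():
    """Constructed setup: one enrolled device and one document limited to HQ and exec homes."""
    registry = DeviceRegistry()
    token = registry.enroll("alice", "laptop-1")
    policies = {"board-deck": DocPolicy("board-deck", ("hq", "exec-homes"))}
    return AccessChecker(registry, policies), token
```

The requester only ever sees "invalid credentials" on a denial, whether the cause was a missing token or a location outside the allowed groups; the real reason lives in `audit_log`, which is where the "report to the IT administrator" feature would read from. Geolocation supplied by a client is easy to spoof, so in practice the location layer is a detection and notification aid rather than the only control, which is why the device token is checked first.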
On Tuesday evening more than 300 confidential Twitter documents and screenshots landed in our inbox. We said we were going to post a handful of them only, and we’ve spent much of the last 36 hours talking directly to Twitter about the right way to go about doing that. We’ll have more to say on that process in a couple of days.
The documents include employment agreements, calendars of the founders, new employee interview schedules, phone logs and bills, alarm settings, a financial forecast, a pitch for a Twitter TV show, confidentiality agreements with companies such as AOL, Dell, Ericsson, and Nokia, a list of employee dietary restrictions, credit card numbers, Paypal and Gmail screen shots, and much more.
These are the last two documents we are going to share: a subset of the detailed notes from a set of executive meetings that took place between February 12 and June 9, 2009. Much of the information in these notes is either personal in nature (new hires, etc.) or too sensitive to share. What’s interesting of the rest we are posting here with our commentary. These notes include never-before revealed discussions between Twitter and Google, Microsoft, and others, as well as details of product planning, company goals, employee retention, and new proposed terms of service and APIs. Even acquisition targets such as CoTweet and Twitpic are discussed (and sometimes dismissed). It’s important to note that we have been given the green light by Twitter to post this information - they aren’t happy about it, but they are able to live with it, they say (more on why they did that in our later post).
One other caveat - as we’ve said before, these documents are rough meeting notes, not polished documents meant for broad consumption. There are lots of typos and outdated information. But on the plus side, the rawness of it shows the dedication and deep commitment of this team to making Twitter into a world-class company.
Finally, there are some details about partner discussions, particularly around Google and Microsoft, that we are just not going to publish. Twitter has been in negotiations with both companies around a broad set of transactions for months. But we aren’t going to go into great detail about exactly what has been discussed, or Twitter’s strategies toward those negotiations. So while it looks like there is a lot of detail around those discussions below, the most sensitive stuff has been removed.