The Twitter hack: Let's not start blaming Google or the cloud
updated below:
Have you been following this controversy surrounding some confidential documents swiped from Twitter and sent to the folks at TechCrunch? The site's editors have been engaging in a discussion over ethics, specifically whether or not to post these "stolen" documents.
For what it's worth, this is a discussion that mainstream news outlets have been having for generations. If I were part of those discussions, I'd skip anything in those documents that has no value - such as a document that does nothing more than embarrass someone. But I would definitely consider posting information about business strategies, revenue projections and so on - after confirming their authenticity.
It's unfortunate that a hacker was able get his hands on these documents and pass them along. But as a journalist, I'm less interested in how these documents were obtained and more interested in their validity. Anonymous sources regularly feed information to news agencies - anyone who reads the Wall Street Journal knows that.
With all of that said, my reason for chiming in here is not about the documents, but rather the blame game. In particular, I take exception with the idea that Google - which was storing the documents on the cloud - is somehow responsible for this hack. In the comments section of his original post on this subject, TechCrunch editor Michael Arrington writes:
the original security hole seems to be Google, via Google Apps for your Domain. Some passwords were guessed and things started to fall apart from there. Most (or all) of these documents were downloaded from Google’s servers.
Then, in a subsequent post, where he tries to justify why he is considering posting some of the documents, he writes:
It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions...
hopefully this situation will encourage Google and Google users to consider more robust data security policies in the future.
Hogwash.
Sure, maybe Google could come up with a better password-recovery system - but this isn't Google's fault. Bottom line: Twitter used an easy-to-guess password and recovery question. That's how the hacker was able to get in - not because Google has some sort of security hole.
On my personal accounts, I use a password that's not only easy for me to remember but, more importantly, pretty much impossible for anyone to guess - unless, of course, you have some sort of inside knowledge into details of my childhood that even my own mother probably wouldn't guess. Even with my work accounts, I regularly have to change passwords and follow their rules on the use of numbers, letters, symbols and so on as a means of keeping the network secure. From what I can tell, that process - albeit somewhat inconvenient at time - is effective.
So, let's just leave Google and the cloud out of this debate. The finger of blame points in one direction and one direction only: Twitter.
updated: In a blog post, Twitter co-founder Biz Stone addresses the hack and offers users an explanation as to how this happened. It's worth noting one specific line in his post: "This attack had nothing to do with any vulnerability in Google Apps which we continue to use."
Thanks for the update, Biz. I'm glad you included a line in your post about Google. It was the right thing to do.