The time for playing around is over. It's not 1999 any more. Web brands have to get serious about the services they're delivering and the support they put behind them. Every time there's a Twitter hack, every time there's a Google privacy snafu, it hurts the credibility of cloud providers that are trying to build the confidence of the business world and the cloud-surfing public at large.
"Timing was key: on the west coast of the US, where Twitter is sited, it was the middle of the night, so nobody would have been watching for security flaws."
I'm sorry, what was that again? Does management at Twitter believe that running a global Web brand is a 9-5 job? The official account just released says that Twitter "was notified" at 2:54 am PDT and "immediately went to work on fixing it" so Charles Arthur at The Guardian was extrapolating somewhat creatively from the facts known when he wrote his blog post. But it was another four hours before Twitter posted any public acknowledgement of the problem, so the rest of his account still seems like a fair assessment:
"While all this was going on, Twitter was only just waking up. At 2.35pm BST — or 6.35am at Twitter HQ — it put out its first warnings. 25 minutes later, it had solved the problem."
In this day and age, I wonder how difficult it is to have an escalation process in place that can properly deal with security flaws through the night — especially knowing how often exploits surface first in the Far East or in Russia. I am flabbergasted to learn that an organization of the size and stature of Twitter has not got better nighttime cover.
I was equally aghast at Google's handling of the episode that surfaced last week over an engineer who had abused his position by accessing Google accounts belonging to people he knew, including four minors. According to the original Gawker story, this behavior went on "for months" without any action being taken, and he was "quietly fired by the company" only after complaints had been lodged on behalf of some of those affected. This was in July, and it was not until September that the story became public. In the meantime, emails from Google reproduced in the Gawker report made it clear that management tried to cover up the incident. It also came to light that this is the second time Google has fired an engineer for abusing his position in this way.
What horrified me about the Google case was the message its 'quietly-quietly' approach (since reiterated to Danny Sullivan) sends to the rest of its engineers. It's setting up a 'don't get caught' culture in which engineers and their managers are effectively encouraged to sweep such incidents under the carpet. That's not going to clear it up. Michael Arrington says they should automatically be prosecuted, and it might have to come to that, but first of all Google needs to make clear that any abuse of privacy by its staff will not be tolerated and will always result in instant, automatic and public dismissal.
If brand leaders won't set the highest standards, then the whole industry risks being brought into disrepute.