There's an awful symmetry about the strategic plans of the Twitter team being published on TechCrunch today: using password discovery techniques, 'Hacker Croll' was able to access Google and other accounts belonging to Twitter staff.
I literally just saw on Twitter, as I write this, the 'ethical line' TechCrunch have invented for themselves being questioned by Twitter founder @ev:
@TechCrunch @arrington "we have been given the green light by Twitter to post this information" What?! By whom? That's not our understanding
The ethics of the choices TechCrunch have made in exposing these sensitive documents are highly questionable, but the reality is that the valuable content would have shown up online somewhere anyway, given that the documents were being offered around by the hacker.
I've been prepping a post about security for the last few days (there are several new reports I've been digesting), but the symmetry here is perfect: Twitter, with its tinyurl links and paradigm-shifting knowledge sharing which sometimes reveals too much, being undermined by this type of information mining of an obviously sloppy internal security setup.
Many people in large companies put up with regular forced password changes on sensitive systems, which constrain the ability to use single sign-on across multiple web applications. This is a huge example of why security should be taken very seriously, particularly since TechCrunch is essentially eating its own by publishing Twitter's secrets.
With friends like that, who needs enemies...
Cloud computing and Software as a Service present significant new security challenges; security always seems like a massive annoyance until your intellectual property is exposed to unknown criminals or published online.
My sympathies are with Twitter here: they are struggling as a company on multiple levels, from managing user growth, to living with the tsunami of hype and cash-ins, to dealing with users masquerading as celebrities.
The fact is, however, that they only implemented OAuth (which lets third-party access to their API be authorized without users handing over their passwords) a few months ago, and have been remarkably uninterested in security... hopefully until now.
I'm hoping that this will be a wake-up call, not just for Twitter but for the entire cloud community, about just how fundamentally important protecting data is. This is in some ways a SaaS failure, or at least I suspect it will be seen that way in the security community. That the victim is Twitter, the community's poster child for insecurity, is beyond ironic...