Thursday, July 16, 2009

TechCrunch: Skating on Thin Ice

Back in the day I used to do naughty things to computers that I could access via dial-up modems, packet switching or the nascent Internet. Nothing that caused any damage, but it made me realize how insecure most systems are.

I don't do that stuff anymore (although I can't help noticing security holes that turn out to be exploitable) and yet it amuses me greatly when I see someone bleating about a third party's security troubles.

Take for example TechCrunch. Today they made fun of Twitter for using the password password for access to an administration web site. Yep, that's a really bad idea.

But if you're TechCrunch and you are going to publish that sort of gloating article you'd better be damn sure that your own security is solid. And your security envelope can be very large. It encompasses all the services you use like your domain registrar, DNS provider, hosting provider, mail service and the software used to run your site.

Any one of these elements could be a vector for an attack.

You really wouldn't want it to be the case that someone like me could trivially discover that one of those services was vulnerable because I could guess in 30 seconds what your username was likely to be, and then find that I could order a password reset using three pieces of personal information that were easy to find out.

You wouldn't want that to happen.

Because if someone like me did that they'd be able to mess with your web site, play with your email, and generally create havoc.

Happily, I've got better things to do.

PS Personal information like "the name of your first dog" or "your brother's middle name" needs to be phased out. Google allows you to set your own security question; if you don't have that choice do as I do: lie. Whenever I'm asked for the name of my first girlfriend I make the answer up.

PPS Some people have asked me if this post is a threat to TechCrunch. No, No, No. I'm not interested in threatening them. Why would I? It's also not an incitement to attack them. It's meant as a warning to them that spouting your mouth off about the security of other people's systems is waving a red flag to a bunch of people who'd like nothing better than to mess with your systems. Don't be silly like that.

UPDATE: TechCrunch got in contact and we had a quick back and forth. They confirmed that the security vulnerability I was pointing out was something they had worried about already and taken action to mitigate.

They also said "We have had thousands of breakin attempts over the past few days". No surprise really.

And they are planning some posts pointing out the vulnerable nature of apps in the cloud.


If you enjoyed this blog post, you might enjoy my travel book for people interested in science and technology: The Geek Atlas. Signed copies of The Geek Atlas are available.


<$BlogCommentDateTime$> <$BlogCommentDeleteIcon$>

Post a Comment

Links to this post:

<$BlogBacklinkControl$> <$BlogBacklinkTitle$> <$BlogBacklinkDeleteIcon$>
Create a Link

<< Home