How Microsoft And Habit Abetted Twitter Hack

Unfortunately, we all know a lot more about Twitter's business plans than we'd like, since TechCrunch made the ill-conceived editorial decision to publish the stolen contents of files it received from a French cybercriminal.

Michael Hickins, Contributor

July 20, 2009

3 Min Read
InformationWeek logo in a gray background | InformationWeek

Unfortunately, we all know a lot more about Twitter's business plans than we'd like, since TechCrunch made the ill-conceived editorial decision to publish the stolen contents of files it received from a French cybercriminal.Early reports on the theft focused on Google's Gmail, and seemed to imply that the very notion of cloud computing was threatened by the success of this attack.

But it turns out that the focus should really be on two very different targets: Microsoft and end user habits in general.

It seems that the French hacker took advantage of lax Hotmail security standards that allowed him to nefariously reset his target's Gmail password.

As Computerworld's Gregg Keizer explains (I'm intentionally not linking to the original article in TechCrunch):

The Hotmail account was inactive… -- a Microsoft practice designed to recycle dormant accounts -- which allowed [Hacker Croll] to register the inactive Hotmail account. He returned to Gmail and again went through the password recovery process, specifying a password of his own. The new password was then sent to the just-hijacked Hotmail account.

The hacker then relied on typical user behavior, as Harry McCracken explains:

Basically, "Croll" didn't do anything particularly brilliant -- and there were no chinks in Twitter's security armor that aren't pretty much universal. Mostly, he took advantage of (a) Twitter's use of other Web-based services to run its business; (b) the fact that every organization has employees who use the same damn password for multiple accounts; and (c) password recovery systems that can make it absurdly easy to break into someone else's account.

The lessons here: first of all, we really should use different passwords for different accounts -- not just for our own protection, but the for the sake of others in our social graph.

We're all promiscuous surfers, so we should protect members of our community as we would our partners if we were being sexually promiscuous.

The second lesson: Microsoft should rethink its practice for reestablishing dormant accounts, and make users jump through much tougher hoops in any case. It might annoy some people, but this is a case where business rules should trump user preferences.

I've already noted how poorly the decision to publish these documents reflects on Michael Arrington's news judgment. To the argument that if he hadn't published this stuff, someone else would have, I'd reply that if a politician argued that he took money from a lobbying group because if he hadn't, someone else would have, we'd still turn him out of office (and hopefully send him to jail).

I'd even argue that this kind of reasoning has afflicted many aspects of American life, from mortgages to health insurance, from steroids in baseball to Ponzi schemes, all of which take advantage of people's need to not be the naïve sap who doesn't make out as well as the next guy because he stuck to his principles.

But that strand of naiveté is precisely our strength. I know it's a generalization, but as with many generalizations, there is some truth to the fact that Americans have been identified with Dudley Do-Right (ironically, a Canadian, but never mind).

I lived in Europe in the 1980s and 90s, where I owned two different businesses, and one of the questions I invariably got from prospective customers or business partners was, "how come Richard Nixon had to resign? Doesn't everyone do what he did?"

We were viewed as hopelessly naïve for having expected more out of our President. But far from being a liability, our reputation as straight shooters was a huge help to me in business. European businesspeople were more likely to give me the benefit of the doubt because I was American.

That is a priceless asset, and one that we're quickly frittering away. So if you can't condemn Arrington for what he did simply because it was wrong, maybe you can condemn him for eroding yet another measure of our national treasure.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like