Thursday, July 16, 2009

TechCrunch: Skating on Thin Ice

Back in the day I used to do naughty things to computers that I could access via dial-up modems, packet switching or the nascent Internet. Nothing that caused any damage, but it made me realize how insecure most systems are.

I don't do that stuff anymore (although I can't help noticing security holes that turn out to be exploitable) and yet it amuses me greatly when I see someone bleating about a third party's security troubles.

Take for example TechCrunch. Today they made fun of Twitter for using the password "password" for access to an administration web site. Yep, that's a really bad idea.

But if you're TechCrunch and you are going to publish that sort of gloating article you'd better be damn sure that your own security is solid. And your security envelope can be very large. It encompasses all the services you use like your domain registrar, DNS provider, hosting provider, mail service and the software used to run your site.

Any one of these elements could be a vector for an attack.

You really wouldn't want it to be the case that someone like me could trivially discover that one of those services was vulnerable because I could guess in 30 seconds what your username was likely to be, and then find that I could order a password reset using three pieces of personal information that were easy to find out.

You wouldn't want that to happen.

Because if someone like me did that they'd be able to mess with your web site, play with your email, and generally create havoc.

Happily, I've got better things to do.

PS Personal information like "the name of your first dog" or "your brother's middle name" needs to be phased out. Google allows you to set your own security question; if you don't have that choice do as I do: lie. Whenever I'm asked for the name of my first girlfriend I make the answer up.

PPS Some people have asked me if this post is a threat to TechCrunch. No, No, No. I'm not interested in threatening them. Why would I? It's also not an incitement to attack them. It's meant as a warning to them that spouting your mouth off about the security of other people's systems is waving a red flag to a bunch of people who'd like nothing better than to mess with your systems. Don't be silly like that.

UPDATE: TechCrunch got in contact and we had a quick back and forth. They confirmed that the security vulnerability I was pointing out was something they had worried about already and taken action to mitigate.

They also said "We have had thousands of breakin attempts over the past few days". No surprise really.

And they are planning some posts pointing out the vulnerable nature of apps in the cloud.



Blogger die schnalle said...

come on, do something to teach them a lesson! a little defacing here (nothing serious, just a lolcat or similar), a small fake-article there or a mail from the boss to the employee mailing list ("new management rule: every restroom break has to be reported to the chief-editor", etc.).

hurts nobody at techcrunch (would even generate lots of nelson-ha-ha-publicity for them).

doit doit doit!

11:23 AM  
Blogger John Graham-Cumming said...

@die schnalle

Sorry, I'm not going to break into any systems for you. When I was messing with public systems the penalties were small. The legal landscape has changed and messing with a US-based system could get you into serious, serious trouble even if you damage nothing.

11:32 AM  
Blogger kbob said...

What's wrong with personal questions? Just tell them that your dog's name was QHniDevAMBhsxnV24WnmfBz1KSdoYcib4NieShoK, your mom's maiden name was PEhqVcjQhDDDL8YHUfRmBieeuS5jqb, and you were born in vNwPn3nCdPxyhHXURcxU0emxPq2I0rNM8eiNaXfr.

Then remember those "facts" the same way you remember all your other strong passwords.

2:50 PM  
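As an added example (not the post's or any commenter's code), the following Python sketches the practice the PS and kbob's comment describe: treating recovery answers as random secrets rather than as discoverable facts, and checking whether an answer is one a stranger could look up. The pet-name list, question labels and function names are constructed for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for the "easy to find out" guess space: a short list of
# common pet names. A real list would be built from public profiles, but the
# point is the same: the answer space is tiny compared with a real password.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy", "daisy", "rocky", "molly"]

ALPHABET = string.ascii_letters + string.digits


def normalise(answer: str) -> str:
    """Mimic the lenient matching many reset forms apply (case, whitespace)."""
    return "".join(answer.lower().split())


def guess_space_bits(candidates) -> float:
    """Bits of uncertainty when the answer is one of a known list of candidates."""
    return math.log2(len(candidates))


def is_weak_answer(answer: str, candidates=COMMON_PET_NAMES) -> bool:
    """True if the answer is a discoverable 'fact' rather than a secret."""
    return normalise(answer) in {normalise(c) for c in candidates}


def random_answer(length: int = 40) -> str:
    """A made-up answer with no link to real personal data, as kbob suggests."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_bits(length: int = 40) -> float:
    """Bits of uncertainty in an answer produced by random_answer()."""
    return length * math.log2(len(ALPHABET))


def make_vault(questions) -> dict:
    """One fresh random answer per recovery question; keep this in a password
    manager alongside your other strong passwords, not in your head."""
    return {q: random_answer() for q in questions}


def check_answer(vault: dict, question: str, supplied: str) -> bool:
    """Compare a supplied answer to the stored one without leaking timing."""
    stored = normalise(vault[question]).encode("utf-8")
    return secrets.compare_digest(stored, normalise(supplied).encode("utf-8"))
```

With eight candidate names the "first dog" answer carries three bits of uncertainty; a forty-character random answer carries over two hundred.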
Blogger TechCrunch said...

hey, thanks for this. we are contacting you now.

- Mike Arrington

4:54 PM  
