Revisiting Security and the Cloud
July 15th, 2009
A “hacker” gained access to a Twitter employee’s Google Docs account, and sent some sensitive corporate information to TechCrunch, which is now debating whether or not to publish the information.
The ethics of TechCrunch I’ll pass on for now, but one worthy message: we should be more careful with our logins and passwords, what we share online, and remain distrustful of the “cloud.” Even in today’s world of sharing everything socially and mobile computing, I still follow the old adage: if you want to keep stuff private, don’t put it on the web, period. Since there is no such thing as a secure system, the best place for data you want to keep secure is outside said system.
That said, there are obviously a lot of conveniences to be had with using some services online – online bill pay and banking come to mind. But I use such services sparingly and as carefully as possible.
Here are some steps I’ve taken to keep those accounts secure:
- Every account has a unique, complex password (Google has some great suggestions).
- Change passwords periodically.
- Set up a separate email solely for these services.
- Logins and passwords are not stored digitally on any computer.
- Clear cookies on browser quit.
- Laptop has no important documents on it (in case of either theft or hard drive failure, which happens more often on portables). All documents are backed up to the desktop regularly.
- Desktop accesses the Internet using Ethernet, not WiFi.
- Regular backups.
- Computers have logins and passwords.
- Computers are Macs, which have fewer viruses, trojans, and keystroke loggers.
As I write this, I already see some places where I could take things further:
- Unique, complex logins for every account.
- Copy backups and store in another secure location, away from the computer.
- Change logins and passwords even more often than I do now.
This all may sound drastic, but I’ve had an email account broken into, received form letters from banks regarding data breaches at data centers, and a company I worked for had an employee laptop stolen which contained data affecting several thousand employees.
So I fall on the cautious side, which explains why I won’t sign up for a financial service like Mint or put online banking on my iPhone. I am willing to give up convenience (having logins and passwords stored in cookies for example) for security.
The tug of war between convenience and security is made more complex by the influence of social media, which encourages everyone to share so much of their personal lives online (for some people, the answers to their security questions could be recovered through a simple Google search), and by mobile computing, which drives the desire for access to our data wherever we are. The end result is people being far too cavalier with their data in the name of convenience and then backpedaling, calling for more privacy, once security has been compromised.
But the Twitter situation is playing out as expected: it’s not Google’s or TechCrunch’s fault; it comes back to personal responsibility, to the Twitter employee who was targeted and whose account was hacked. So if you have data you want to keep private, do what you can to protect it, because if it’s ever compromised, most of the blame will, fair or not, fall on you.
Anyhow, what sort of strategies do you take to manage your online accounts? Any tips are welcome.