Tag Archive for 'Twitter'

Is the Cloud a safe place for your children?

Internet security

With the recent events around the Twitter information leaked by a hacker, cloud computing security has become one of the most discussed topics on the web.

Just like any other hot topic, this one carries its share of confusion among the interesting points of view put forward by each party.
The first source of confusion is that no one seems to agree on a definition of Cloud Computing. This closely resembles the SOA debate; surprisingly (or not), you will find the same players behind it.
So what is Cloud Computing? Answers vary: a platform, services, applications, technical resources, or a combination of all of these. This debate alone deserves a post of its own. For the sake of this article, I shall propose a simplified view: we will define Cloud Computing as a platform that provides a service (i.e. through an application, which is not necessarily SaaS) and lets it dynamically adapt to usage (in terms of resources, composition of services, and platform evolution).
Many services are hosted on a cloud. Whether you’re using Gmail or Google Docs, Twitter, Amazon’s AWS or Otherinbox, you’ll end up crawling in the cloud even if you’re not really aware of it. While several companies are outsourcing their infrastructure to public clouds, many questions are raised about the reliability of this kind of application. Is it safe to use them? Is it safe to host anything on a cloud?
For any enterprise, security is a primary concern it needs to deal with. Security comes at several levels:
  • Infrastructure security (Network, Firewalls)
  • Data security (access rights, encryption)
  • Application security (access rights, logic, implementation flaws)
These top-level areas break down into much more detail when it comes to implementation, especially if you are aiming for ISO 27002 (and possibly SOX) compliance.
Any company designing or implementing an application should follow a thorough testing process to ensure that no compromise is possible. But, as we all know, zero-fault applications are a fantasy, so there is always a level of exposure at some point in time.
Now, is the Cloud more secure than any other platform? I would say that being on a cloud only makes a difference if your application is otherwise used internally on a local LAN (or only accessible through a VPN), and hence not exposed to the world.
So let us come back to the Twitter case. At no point was the Twitter application or its infrastructure security compromised, nor was this the case for Google Mail (Gmail). The hacker only used the “forgot your password” feature and guessed the answer to the security question. That was basically the same as social engineering. The problem lies rather at the user level: the answer was too easily guessable by anyone.
Of course, being able to recover an account simply by guessing a one-word answer to a question is a huge flaw, but this is an application design issue. Whether you host it on a dedicated server at your favorite ISP, or in your own datacenter exposed to the world, makes no difference. The hacker would still be able to retrieve the password and from there gain access to other services.
Now, as we are all using applications on clouds, a lot of data is potentially exposed. But again, the exposure is only greater than that of applications used internally. This is a prime reason why enterprises are still reluctant to host or use business applications (Financials, CRM, HR) on clouds. They want full control over their platform, from network access to data storage.
Given this level of exposure, the security framework for applications must be reinforced in order to minimize any possibility of unauthorized access and compromised user data. This exposure should also come with proper training of users in the basic requirements of secure usage (password policies, social engineering). Currently, there are no security standards that will ensure the safety of your data. Ideally, you would combine password authentication with some kind of physical check, like a token generator (e.g. RSA SecurID), which would be the only way to make sure the person logging in is the rightful owner of the account. At subscription time, if you own a SecurID for example, you would provide your token details so that you can authenticate to the site with it.
So is the cloud a totally safe place for your children? I would say no. But it is not any more dangerous than any other kind of hosting or application. All you have to do is trust that your providers will do their best to ensure your safety.
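As an added example (not code from the original post), here is a minimal “forgot your password” check in the shape the Twitter case above criticises, beside a hardened version of the same feature that limits guesses, compares in constant time and hands out a one-time reset token instead of the password. The account records, the 3-attempt limit and the 15-minute lockout are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3        # assumption: lock the reset flow after 3 wrong answers
LOCK_SECONDS = 15 * 60  # assumption: lockout window in seconds


def _hash_answer(answer, salt):
    # Normalise case and whitespace so "Paris" and " paris " match, then hash
    # with a per-account salt so the stored value is not the bare answer.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


def make_account(password, answer):
    # Constructed sample record; a real store would hold a password hash,
    # not the password, and would not keep the plaintext answer either.
    salt = secrets.token_bytes(16)
    return {"password": password, "answer": answer, "salt": salt,
            "answer_hash": _hash_answer(answer, salt),
            "failed": 0, "locked_until": 0.0}


def weak_reset(account, guess):
    """The design the post criticises: unlimited guesses at a one-word
    answer, and a correct guess hands back the password itself."""
    if guess.lower() == account["answer"].lower():
        return account["password"]
    return None


def hardened_reset(account, guess, now=None):
    """Same feature, but attempts are counted and locked out, the compare
    is constant-time, and success yields a short-lived one-time reset token
    (delivered out of band, e.g. by e-mail) instead of the password."""
    now = time.time() if now is None else now
    if now < account["locked_until"]:
        return None                      # still locked: do not even compare
    ok = hmac.compare_digest(_hash_answer(guess, account["salt"]),
                             account["answer_hash"])
    if not ok:
        account["failed"] += 1
        if account["failed"] >= MAX_ATTEMPTS:
            account["locked_until"] = now + LOCK_SECONDS
            account["failed"] = 0
        return None
    account["failed"] = 0
    return secrets.token_urlsafe(24)     # 32-char token, never the password
```

The hardened flow still depends on the answer's quality, so pairing it with a second factor, as the post suggests, is what actually closes the gap.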

Facebook is going Facetwit


Facebook has reinvented social networking, beating all its predecessors (MySpace and Bebo) in popularity. It long lived as the poppy, cheery social media company, and then came Twitter. Micro-blogging. Followers, not friends. Search. Live stream. Easy-access URLs.

Facebook didn’t see the threat coming until it was there. Ever since, Facebook has put in a huge amount of work trying to catch up with Twitter. It changed its (long controversial) new home page to include a live stream, then it added vanity URLs. Recently, Facebook introduced the universal status, allowing people outside Facebook to see your status.

Now the new feature Facebook has come up with is… Followers. Yeah, a highly innovative feature; it has been on Twitter for three years, but anyway.

It is now activated by default and allows people to add you not as a friend with access to your complete profile, but as a person to follow, including your status updates in their stream, as an opt-in system.

For privacy reasons, you can choose either to keep it on or to deactivate it (Settings -> Notifications).


Let us analyze this new feature and how it has been introduced.

Facebook has made no announcement about the introduction of this feature, hence users are not notified that their streams are public by default and that anyone can subscribe to them (read: your boss, an unwanted audience). This is a major issue, especially when several EU agencies have asked all major social networks to provide better control over default privacy options.

Second, I hardly see users subscribing to other people’s feeds. The whole Facebook architecture is not meant for that. Profiles are heavy and fully loaded with pictures, applications and other things. People are hardly interested solely in a stranger’s status updates within the whole flow of information they are already getting. Either be friends or wander away. Hence, I seriously doubt there will be any serious adoption of this feature by Facebook users. This is highly unlike Twitter, where the following/follower system is the essence of the service and where you have applications that allow you to manage your stream, which is not the case for Facebook.

Furthermore, how do you decide whether you want to subscribe to someone or not? Will you be provided with a history of their statuses? Can you search profiles based on criteria, just as Twitter does? Will the friend suggestion engine take subscriptions into account, based on the people you are following and not just those you are friends with?

At the contact list level, how do you manage your fans? Can you see them and search through them? Can you block them? Are you notified when someone adds you as a fan? Ideally, if Facebook wanted this to work right, as soon as you have fans you would get a spin-off of your profile into a real fan page to which people subscribe. Your statuses would then be broadcast to the fan page and hence to your fans.

Facebook is most probably pursuing a bad strategy right now. Instead of continuing its quest for innovation, as it successfully did during the last few years, it is now plunging into a game of catch-up, which means it is already second to introduce each feature. These guys should move on to the next playing field and lead the competition instead of trying to imitate their fellow entrepreneurs.