Here is the main story, http://www.techcrunch.com/..

Executive Summary: Hacker finds the Gmail address of an employee. Goes to Gmail’s lost-password function. Sees the secondary email account is a Hotmail account that has been deactivated. Creates a new Hotmail account with that address. Recovers the password. Changes the password back for stealth. Then has access to Google Apps on the twitter.com domain.

Basically, here is what happened:

A young Frenchman named “Hacker Croll” got interested in web security and social engineering a few years ago. He is unemployed. He wanted to hack into Twitter.

  • He starts doing web searches on Twitter, accumulating vast amounts of names and email addresses of Twitter employees.
  • From there he uses “Forgot Password” on a Twitter employee’s Gmail address.
  • Unable to determine the password by guessing, he asks for a hint. Gmail balances usability with security by letting users attach a second email account to the main account for password resets. Gmail informs Hacker Croll that it sent a password reset to “******@h******.com”.
  • Hacker Croll guesses that it is probably a Hotmail account, so he tries the same username at hotmail.com to check the email address.
  • Hotmail recycles old usernames, and this username had been deleted.
  • Hacker Croll creates a new Hotmail account with the Twitter employee’s username, requests the password reset from the Twitter employee’s Gmail, and receives it.
  • Hacker Croll then searches through the account and finds what the password was before he changed it, so he can set it back and not alert the Twitter employee.

Now he has completely shadowed a Twitter employee’s account and has their ‘main’ reused password. He uses that password to gain access to Google Apps on the Twitter domain. There he hits the goldmine: emails and email attachments. Then he takes control of their personal email, work email, iTunes (iTunes has a security hole that lets you see complete credit card numbers), banking account information, ATT, MobileMe, Amazon, everywhere the person was a customer, through the vast amount of email he now controls.

Then the CEO of Twitter downplayed the attack, so Hacker Croll got offended and sent all of the documents to TechCrunch to prove the severity of the attack. TechCrunch then published a wealth of internal Twitter memos, strategies, and other documents. Here is HC’s apology.

I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.

I did not do this to profit from the information. Security is an area that fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the Internet. I learned the basic rules .. For example: Be careful where you click the files that you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing … Upgrading the operating system, software commonly used … Remember to use passwords without any similarity between them. Remember to change them regularly … Never store confidential information on the computer …

I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge.

Croll Hacker.

Here is Twitter’s Official Response:

Twitter, Even More Open Than We Wanted

About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines.

That makes you think about the balance between usability and security. Security as a whole is only as strong as its weakest link. Better check those secondary email addresses and ensure that they are just as safe and secure as your primary. Which reminds me, I need to go change some stuff… brb. 🙂

Twitter’s Internal strategy, http://www.techcrunch.com/…

The “Peanut Butter Manifesto” internal Yahoo Memo from back in the day, http://online.wsj.com/…

Every week, sometimes a few times a week, I cruise related sites in an interesting way. I try to find an interesting story on one of the mob-media controlled sites, reddit or digg et al, and then from there I try to only click links without using the keyboard. I follow the rabbit hole from story to story in a sort of uncontrolled way. It’s a great way to kill an hour and also to get to sites that you usually wouldn’t find any other way.

The other day while following a design pathway through sites I started hitting nothing but “Interface Designer” websites. I’m not sure where all these people came from. Looking at their resumes, it seems that most of them just got out of high school or are coming from unrelated fields. How does someone who has been an oil painter for 5 years now claim to be an interface designer? What sort of training or user experience background do they have? If you look at the examples or the recent projects on their sites, you see a few tiny sites they have designed but without much ‘interface’ involved.

That leads me to believe that “Interface Designer” is now the chic term for web designer. Why not call yourself a web designer? I think that’s a pretty cool job title. It has been worn out over the years, granted. Everyone and their brother was a website designer in the late 90s. On asking them what they have done or what tools they use, you find out that they are just starting and have bequeathed the title on themselves.

Will Interface Designer be an ‘uncool’ term in a few years? Maybe.

Come on guys (UX at Myspace), seriously. I have been gone a few years and it seems like you guys are throwing UX to the wind. There is absolutely no way you tested this, or if you did, you ignored the results. Now, on to the show.

I got a spam/solicitation in my inbox from a random MySpace account. I used to work there and had several accounts, most fake, and most from different countries, language settings, regions. I had all of these when we were testing administration notices and mainly the legalities depending on the municipalities. Certain states don’t allow ______, and others do, etc. The email was the typical “Ron, see what your friends are up to.” It is their way of trying to show off the latest presence features they have implemented. I scroll to the bottom to find the unsubscribe link.

unsubscribe to Myspace emails

So, I click the link and what do I find? This contraption.

screenshot of MySpace unsubscribe link, clicked from an email

23 Clicks to unsubscribe from emails. No way to uncheck them all… or just to opt-out of everything at once. No, they need to ask for every single detail. The way to think of this is User Intention and User Experience.

User Intention: for some reason the user wants to stop getting at least one type of email, but maybe all. Studies show that people who click on unsubscribe links REALLY want to get out of it all.

Return Path released a study about unsubscribe experiences and the effect they have on the customer, I’ll mention a few items out of it, because registration is required to view the full report.

  1. Make it easy and painless: Include a link in all email messages. If necessary, make sure an automated message is sent that provides confirmation to the user but asks for nothing in return (unless it was a mistake). Then – stop sending messages.
  2. Email Confirmation: When users click on the unsubscribe link, they should be directed to a landing page on your web site. The unsubscribe form should be auto-populated with their email address. They should be able to change their email address, just in case they clicked through a forwarded message.
  3. Email Change of Address: Occasionally users just want to get the email at a different address. They may use an alternative address for all of their email subscriptions as a way to filter them from their personal or work messages. Make it easy for them to change their address. Include an option on the landing page to change their email instead of unsubscribing.
  4. Stop sending messages: I know, this is repetitive, but important. Sometimes you have messages queued up and ready to go. Someone may unsubscribe on Tuesday and get a message on Thursday, especially if your email service doesn’t automatically remove them. If at all possible, create a way to stop this practice. If not, then your unsubscribe confirmation email and webpage should mention this with the sincerest apologies.
  5. Offer alternatives: Make it easy to unsubscribe. Provide a link to an unsubscribe landing page that auto-populates their email address. Then, give them options:
    • Change of Email Address
    • Frequency of future emails (once per month/quarter/year) – better one annual message that they’ve asked for than none at all
    • Types of future emails – only event announcements, surveys, etc.
  6. Learn: Keep the process simple, but learn something about the user before they unsubscribe. Add a quick survey of 1-3 questions. Are they less interested in your organization now for some reason? Were the messages never relevant to them? Or do they just get too many emails? All can help you better understand your users in the future.
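Items 1, 2 and 5 above amount to one design: the link in every message should land the user on a page that already knows who they are and lets them opt out of everything in one step. The catch is that an unsubscribe link that simply carries the address in the query string lets anyone unsubscribe anyone else. The following is an added example, not code from the post and not from Return Path’s report, of a signed one-click unsubscribe token built on the Python standard library. The landing URL, the secret, the category names and the subscriber address are all assumptions made for the example.

```python
"""Signed one-click unsubscribe flow (added example, stdlib only).

The link in each email carries a token = base64(payload) "." base64(HMAC tag).
The landing page verifies the tag before trusting the address in the payload,
then applies an opt-out of everything unless the user chose categories to keep.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; in production load it from a secret store.
SECRET = b"replace-with-a-long-random-secret"
BASE_URL = "https://example.com/unsubscribe"   # assumed landing page
TOKEN_TTL = 30 * 24 * 3600                      # tokens stay valid for 30 days

# Constructed subscription table keyed by address (stands in for a database).
SUBSCRIPTIONS = {
    "ron@example.com": {"events": True, "surveys": True, "friends": True},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_link(email: str, now=None) -> str:
    """Build the link that goes into every message: payload plus HMAC tag."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"email": email, "iat": issued}, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{BASE_URL}?{urlencode({'t': _b64(payload) + '.' + _b64(tag)})}"


def token_from_link(link: str) -> str:
    """Pull the token parameter back out of a link (what the landing page sees)."""
    return parse_qs(urlparse(link).query).get("t", [""])[0]


def verify_token(token: str, now=None):
    """Return the address the token was minted for, or None if the token is
    forged, damaged or expired. The tag comparison is constant-time."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)          # only reached for an authentic payload
    current = now if now is not None else time.time()
    if current - data["iat"] > TOKEN_TTL:
        return None
    return data["email"]


def handle_unsubscribe(link: str, keep=None, now=None) -> dict:
    """Simulate the landing page: verify the token, then unsubscribe from
    everything in one step, except categories the user explicitly kept."""
    email = verify_token(token_from_link(link), now=now)
    if email is None or email not in SUBSCRIPTIONS:
        return {"ok": False, "email": None}
    keep = set(keep or ())
    for category in SUBSCRIPTIONS[email]:
        SUBSCRIPTIONS[email][category] = category in keep
    return {"ok": True, "email": email, "subscriptions": dict(SUBSCRIPTIONS[email])}


if __name__ == "__main__":
    link = make_unsubscribe_link("ron@example.com")
    print(link)
    print(handle_unsubscribe(link, keep={"events"}))
```

The default action on a verified link is to opt out of everything; the frequency and category choices from item 5 are offered as things to keep, not hurdles to clear. Including the issue time in the signed payload lets old links expire without keeping any per-link state on the server.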

One question that I get pretty regularly is how I manage my home systems in regards to backups. Generally speaking I am the geekiest or most up to date on tech stuff when I’m hanging out with other designers. In the many years I have been working with computers I have never lost a file. Granted, I came very close once when I had a WD hard drive die on me. I did end up recovering the files a few months later though. Well, here is a detailed plan on how I do backups. It’s easy, simple to set up, and then I never worry about a thing. I think that’s the first priority of doing any sort of maintenance. It should require no effort. It should be timed and work on a schedule. The only time you get involved is if there is a problem.

My existing computer setup

I have 2 desktops at home, 1 at work, and 3 laptops. Two of those are physically at home; the other is on campus. I also have a camera and a phone that I want to keep constantly backed up. I have lost my phone about 8 times to date and still haven’t lost any of the files or pictures I have taken with it.

The process all starts with Hardware

I use one piece of software and one online service that is free. I also will note that the software can be interchanged for a free alternative that works pretty well. So the expense of this process is in hardware.

The first thing you need to do is buy a RAID 1 hard drive. The RAID 1 part is important because that is a pair of hard drives in one container that mirror each other. When you write a file to it, it copies the exact same file onto the other drive. So if you buy a 1 TB RAID 1 enclosure, you will only get 500 gigs of space. The other thing to note is that because it is writing to both drives, they are rather slow.

Here is one of the drives that I bought from Newegg. It is a 1 TB RAID external HD that was $209.99, so it effectively has only 500 gigs of space. It has Firewire and SATA, which are much faster than USB, and it just connects to your computer.

So, what I did was connect that external HD to one of my home systems, which I’ll call Home System 1 because I am creative. That is going to be my base system that collects all the files from everywhere else, processes them and sends them to the backup drive. I picked my gaming system, because I am rarely on it but it’s still rather fast. My home ‘work’ system, Home System 2, is much faster, but I use it more and don’t want it to slow down while I am doing things at home.

Hardware needed

How to start in a cloud

The first part of my process is using Live Mesh, which is a free service from Microsoft that offers synchronization and cloud storage for 5 gigs.

So what you do is set Live Mesh up and organize it with a few folders. I use a folder for Mobile, to keep each of my laptops up to date, and a folder for Work. I use all sorts of other smaller folders as well, but those are the big ones. Now each of your systems has the same folders on it. So then all you need to do is copy the files into those folders at a specific time.

Copying the Files

I use a piece of software called Second Copy, which I think is around $29.00. Second Copy is a great little utility because it knows what it does, and that’s all it does. It copies files from one place to another, with many other little features in it. You can automatically zip them, rename them by date, use small scripts, and other tidbits if you want. I like its simplicity. I also like the fact that it keeps copies of deleted files: if you happen to delete them or overwrite them with a new version, it will keep up to 25 copies in a separate folder. That’s great if you happen to delete a big layer in a Photoshop file and save it by accident. There will always be a copy of it somewhere. With Second Copy you set up profiles of what to copy and where to copy it to, but the most important thing is scheduling the processes so they happen while you are in bed.

Live Mesh doesn’t use a schedule, so you run Second Copy in front of it. Then as soon as Second Copy delivers the files to your Live Mesh folder, it instantly updates all the other computers on your account. This is important because if you update any file or folder in Mesh it will bog down your connection trying to send it all over to your other systems.

Work files to the cloud

Mobile and Portables

Consolidation

Massive Copy

Let’s break it down

Our first mission is to get files from where they normally sit into Live Mesh if they are outside the house, either at work or mobile, but on a schedule. So I set up Second Copy profiles on each computer to pull files from my working folders and put them into Live Mesh. I schedule them to run at a time when I am away from the system.

After all of the files are assembled onto Home System 1, it’s just time for a late-night copy session. I just copy everything over and let Second Copy deal with any deletions. If you deleted something, it will move it to the deleted folder and let it sit. Nothing gets lost.

Mobiles and portables sync whenever they are connected. Those folders all fall under the umbrella folder that is copied over to the main system as well. Then when it’s time, everything is copied over to the RAID drive. It’s like a team of ants all marching to the RAID drive one jump at a time.
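The nightly step that matters most in the chain above is the last one: copying everything to the RAID drive without ever destroying a version you might still want. As an added example, not code from the post and not Second Copy itself, here is a small Python mirror-copy in the spirit of that profile: new or changed files are copied from the staging folder to the destination, and any destination file about to be overwritten, or that has vanished from the source, is moved into a “deleted” archive folder, with at most 25 older copies kept per file (Second Copy’s limit, as the post states it). The folder names, the `demo()` scenario and its file contents are constructed for the example.

```python
"""Versioned mirror copy (added example; not Second Copy, not the post's code).

sync(src, dst, archive) copies src -> dst. Before a dst file is overwritten or
removed it is moved to archive/<same relative path>.vNNNN, never unlinked, and
only the newest `keep` copies of each file are retained. The archive folder is
assumed to live outside dst.
"""
import filecmp
import shutil
import tempfile
from pathlib import Path

KEEP = 25  # Second Copy keeps up to 25 old copies; the same limit is assumed here


def list_versions(archive_root, rel):
    """Archived copies of one relative path, oldest first (.v0001, .v0002, ...)."""
    archive_root, rel = Path(archive_root), Path(rel)
    folder, prefix = archive_root / rel.parent, rel.name + ".v"
    if not folder.exists():
        return []
    copies = [p for p in folder.iterdir()
              if p.name.startswith(prefix) and p.name[len(prefix):].isdigit()]
    return sorted(copies, key=lambda p: int(p.name[len(prefix):]))


def _archive(dst_file, dst_root, archive_root, keep):
    """Move dst_file into the archive as the next version, then prune to `keep`."""
    rel = dst_file.relative_to(dst_root)
    versions = list_versions(archive_root, rel)
    prefix = rel.name + ".v"
    next_index = int(versions[-1].name[len(prefix):]) + 1 if versions else 1
    target = archive_root / rel.parent / f"{prefix}{next_index:04d}"
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(dst_file), str(target))
    versions.append(target)
    for old in versions[:-keep]:        # drop only the copies beyond the limit
        old.unlink()


def sync(src_root, dst_root, archive_root, keep=KEEP) -> dict:
    """One copy session. Returns counts of what happened."""
    src_root, dst_root, archive_root = Path(src_root), Path(dst_root), Path(archive_root)
    stats = {"copied": 0, "unchanged": 0, "archived": 0}
    src_files = {p.relative_to(src_root) for p in src_root.rglob("*") if p.is_file()}
    for rel in sorted(src_files):
        s, d = src_root / rel, dst_root / rel
        # Content comparison keeps the example simple; a real tool would use size+mtime.
        if d.exists() and filecmp.cmp(s, d, shallow=False):
            stats["unchanged"] += 1
            continue
        if d.exists():                  # about to overwrite: keep the old version
            _archive(d, dst_root, archive_root, keep)
            stats["archived"] += 1
        d.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(s, d)
        stats["copied"] += 1
    # Files that disappeared from the source are archived, never deleted outright.
    for p in sorted(dst_root.rglob("*")):
        if p.is_file() and p.relative_to(dst_root) not in src_files:
            _archive(p, dst_root, archive_root, keep)
            stats["archived"] += 1
    return stats


def demo(keep=2) -> dict:
    """Constructed four-night scenario in a temp directory (keep=2 to show pruning)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst, arc = root / "mesh", root / "raid", root / "raid-deleted"
        (src / "work").mkdir(parents=True)
        (src / "work" / "logo.psd").write_text("v1")
        (src / "notes.txt").write_text("draft")
        night1 = sync(src, dst, arc, keep)
        rerun = sync(src, dst, arc, keep)          # nothing changed: nothing copied
        # Night 2: the PSD was saved over (the lost-layer case) and notes.txt removed.
        (src / "work" / "logo.psd").write_text("v2 missing layer")
        (src / "notes.txt").unlink()
        night2 = sync(src, dst, arc, keep)
        (src / "work" / "logo.psd").write_text("v3")
        night3 = sync(src, dst, arc, keep)
        (src / "work" / "logo.psd").write_text("v4")
        night4 = sync(src, dst, arc, keep)
        return {
            "night1": night1, "rerun": rerun, "night2": night2,
            "night3": night3, "night4": night4,
            "logo_versions": [p.read_text() for p in list_versions(arc, "work/logo.psd")],
            "notes_recovered": (arc / "notes.txt.v0001").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```

The scenario mirrors the post’s point: after the PSD is saved over three times with `keep=2`, the two most recent prior versions are still sitting in the archive, and the deleted `notes.txt` is there too. Nothing in the destination is ever unlinked by the sync itself; only archive copies beyond the retention limit are.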

Some Cool Benefits:

True Cloud Computing : Having everything synced allows me to turn off my laptop at any given time and not have to open it to grab a file. Everything is on all of my systems. I can write on my laptop, then shut it down and continue writing on my home systems. If you go to work and your system is down for whatever reason, you can jump on any other system and get your files from Live Mesh. It always has a copy of your files in the cloud. Your files will follow you.

Some Alternatives:

WD Studio Edition RAID

This drive from Newegg, the 2 TB Studio Edition, is pretty slick. The reason it is called the Studio Edition, and costs more than the other drive of the same size, is that it also has Firewire, which is faster and aimed more at designers.

The alternative to Second Copy is Cobian Backup, which is freeware and open source as well. I have used this several times and can tell you it works very well. I like a lot of its features. I also like that it isn’t bogged down with unneeded items that may confuse someone just getting started. The author refuses to put anything into the program that may delete something, so it is a pure backup solution.

If there are any questions about this, just give me a shout.