Sunday, May 8, 2011

     Last week, I received an unexpected mail (not email!) from the US.
     The mail was from a company called GoGrid. GoGrid is one of the early cloud providers. I was one of their beta customers, more than three years ago. At that time, beta customers had to register a credit card with them in order to participate. After I was done with the beta (which I liked!), I never kept track of GoGrid. Hence, I was a bit surprised to hear from their corporate office in CA.
     Here are the two scanned pages. The first sentence on the first page tells it all!

     Their euphemism states no other fact than that - they were hacked into! And the hackers had got access to credit card information (along with other personal data) of GoGrid users.
     IMHO, a cloud vendor itself getting broken into is really a shame! Hardware failure is okay, downtime due to maintenance is fine (if once in a blue moon), insufficient provisioning can be tolerated at times, an SLA breach can be compensated for, but a security lapse is just not done!

     GoGrid has offered credit card fraud monitoring and protection plans to those whose cards they think were exposed. But whatever they do now, what is lost by the drop does not come back by the tankful! They are not getting back the trust they had!
     I had nothing to worry about from the data breach, though. As always, I had used a virtual credit card when I signed up at GoGrid :)


Sunday, May 1, 2011

On websites storing passwords...

     Many sites, especially the ones with a 'social' angle, ask for usernames and passwords of your other accounts like Gmail and Facebook, so that they can leverage the contacts you have already formed on those sites. These sites that ask for username/passwords conspicuously mention that they don't store your passwords for the other accounts. However, I have seen no site conspicuously mention something like 'We do not store passwords you entered on *unsuccessful* login attempts at our site'.
     Of what use would an incorrect password be to a site/organisation? Well, none, if the site is 100% professional and ethical. Otherwise an incorrect password can prove to be quite useful. For a user, an incorrect password for one site might be the correct password for some other! Thus, if a site has accumulated enough incorrect passwords entered by a particular user, chances are that they can successfully log in to other sites using the user's username and one of those incorrect passwords! Now that's bad, isn't it?
     One of the reasons people use the same passwords everywhere, or even use simple passwords, is because strong passwords are difficult to remember. In addition, there is this innocent-looking advice that they are trying to follow - 'Never write your password down'. When in fact, the advice should sound like this - 'Never write your password down where someone could easily find it.' Carrying the list of passwords in one's wallet is worse than having a weak password. However, keeping the list in a decently safe locker is way, way better than using weak passwords all over the Internet.
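As an added example (not code from the original post), here is what the promise 'we do not store passwords entered on unsuccessful attempts' looks like in a login handler: passwords are verified against a salted PBKDF2 hash, and a failed attempt records only who, when and the outcome. The in-memory user store, audit list and sample credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed in-memory stores for the demo: username -> (salt, PBKDF2 hash),
# plus an audit list of attempts. No plaintext password is kept anywhere.
USERS: dict = {}
AUDIT: list = []
_DUMMY_SALT = b"\x00" * 16  # used only to equalise work for unknown users


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str, store: dict = USERS) -> None:
    salt = secrets.token_bytes(16)
    store[username] = (salt, _derive(password, salt))


def login(username: str, password: str, store: dict = USERS, audit: list = AUDIT) -> bool:
    record = store.get(username)
    if record is None:
        _derive(password, _DUMMY_SALT)  # same cost whether or not the user exists
        ok = False
    else:
        salt, expected = record
        ok = hmac.compare_digest(_derive(password, salt), expected)
    # Only who, when and the outcome are persisted. The candidate password is
    # never written, so a wrong password for this site (which may be the right
    # one for another) cannot be collected from the logs.
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": username, "ok": ok})
    return ok


def audit_mentions(secret: str, audit: list = AUDIT) -> bool:
    """Defender's check: does any persisted audit record contain the given string?"""
    return any(secret in str(entry) for entry in audit)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "password-from-another-site"))   # False
    print(login("alice", "correct horse battery staple"))  # True
    print(audit_mentions("password-from-another-site"))   # False
```

The same check belongs in code review of any request logger or exception handler on the login path, since those are where submitted credentials usually leak into storage unintentionally.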
