Scott Lowe explains why two recent incidents involving corporate ethics can be teachable moments for IT pros everywhere and, in particular, system administrators.
Twitter attacked! Content stolen from the Kindle? Yes and sort of. In both cases, ethics were compromised at a very high level, resulting in a crisis of faith in some of the companies involved. I think that IT pros everywhere — and particularly system administrators, who have high-level access to an organization's information systems — can learn lessons from these stories and think in a different way about their impact on the people they serve.
The Twitter hack
By now, you've probably heard that the Google Apps accounts of Twitter employees were hacked and that hundreds of confidential documents were stolen and then offered to various Web sites to publish at will.
I admit that I have not read every post on "another Web site" regarding its release of hundreds of documents stolen from Twitter's Google-based archives. Why haven't I read all the posts? Well, right or wrong, I'm taking a stand, and I won't be visiting that site again, which is disappointing because it's releasing a pretty cool new hardware device soon that I wanted to buy. However, some situations are simply so unethical that one must take a moral stand, and I believe that this is one such incident.
A lot of things went wrong in this case. Apparently, a hacker was able to guess or reset the password for one of the accounts and, from there, gathering documents from all over the place was relatively easy. Modern social engineering could have been at play in this hacking effort as well. Many applications include password reset features that ask users to verify what often turns out to be easily identifiable information that can be easily gathered from other sources. For example, suppose you create a security question that asks you to provide your spouse's name for verification; someone would simply need to look at your Facebook profile page to obtain this information. You see what I'm getting at here.
The Twitter hack underscores the need to make sure that strong security systems are in place, regardless of where data is hosted. Further, users should be instructed to choose security verification questions that are, well, secure and to be careful who they friend on Facebook. Remember, the more personal information that people can find out, the easier it is to create problems.
To recap, the first thing that went wrong was the compromising of a password that appears to have been weak. But that's not where this story ends, and this is where I go on a little bit of a rant.
From there, the hacker started approaching various sites offering the stolen goods for public dissemination. One site bowed to the pageview gods, sold out, and started releasing the information. Sure, the site promised not to release personal information about individuals, such as addresses and credit cards numbers, but it did not promise to withhold information that could embarrass Twitter.
This brings me to the second item that went wrong and another lesson to learn: System administrators have incredible levels of access to information. Of course, most people in these roles wouldn't begin to dream of stealing this information and releasing it to the public, but that is what happened in this case. There comes a point at which the golden rule (do unto others) should enter the consciousness.
Be careful before you throw your data to the cloud. While, in the case, other security measures, such as firewalls, would probably not have been effective in blocking this particular hack, make sure that the security measures put into place by your cloud provider match or exceed what you would do locally.
Amazon's PR fiasco of Orwellian proportions
Last week, Amazon did something that can only be described as incredibly stupid. After learning that the individual who uploaded content for which he did not hold the rights, Amazon proactively and without notice deleted said works from the Kindles of customers who purchased and downloaded the works.
To say that affected customers, as well as those just watching from the sidelines, were outraged would be the understatement of the century. People were indignant that a company from which goods were legally purchased could virtually walk into people's homes without consent and simply take back the goods. To its credit, Amazon did refund customers their money, but for a lot of people, that still didn't make it right. This may have done damage to Amazon's long-term Kindle plans. Only time will tell.
I don't think Amazon's actions were appropriate, but I can understand how it happened, and I am hopeful that the company lives up to its promise to never do it again. As far as I know, this is the first time that Amazon faced the particular situation at hand, and it's obvious that its disastrous deletion decision was not well thought out. I'd be willing to bet a lot of money that the company has spent some time considering what to do in the future!
On this one, I'm willing to give Amazon a pass. I am a Kindle owner, but I was not affected by the deletion since I didn't purchase and download the problem copy of George Orwell's 1984 (an interesting title for this situation, to be sure). Obviously, the situation does raise questions about the future of the content purchased from Amazon, so we'll see if the company sticks to its pledge to "never do this again."
On the other hand, bear in mind that Amazon was selling content that should not have made its way into its store. The rights holder was likely not pleased that the situation took place, either. That said, if a similar situation took place with physical goods as opposed to virtual goods, the rights holder would have little recourse.
What lessons can system administrators and IT pros in general take from the Amazon incident? As is the case with the Twitter records release, just because you can do something doesn't mean you should. You already know this, but it's worth reiterating. With high levels of access into user files and other company information, make sure to keep lines of communication open with users, especially when it comes to making changes that can impact them.
Although taking back purchased goods is very different than, say, moving or deleting a user's files without any notice, the user would probably still feel violated. Communication ahead of time regarding the what and the why can go a long way toward making sure that the relationship between the user base and the people responsible for the organization's data and servers remain strong and based on trust.
Even though it's been a less-than-stellar week for new media and new business models, there are numerous lessons that system administrators can learn from these incidents to help them in their daily activities. User trust dictates what IT can and can't do, so take these lessons to heart.
While I was at the TechRepublic Community Event, Jason Hiner and Rick Vanover talked me into using Twitter. Want to follow me and know when new posts are added to IT Leadership and Servers & Storage? Look for me on Twitter http://twitter.com/scottdlowe.