The other day I read a piece that claims Dropbox security fell under a bus for a few hours. I and many colleagues regularly use this service. I hate having to write about these things because it makes the industry look plain, freakin’ stupid, juvenile almost. It makes my life very difficult. OK – so accidents happen, stuff goes wonky and all the rest but how on earth can you possibly gloss over this:
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged-in sessions.
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at firstname.lastname@example.org.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
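The failure described above, a login path accepting the wrong password after a code change, is exactly what a negative regression suite on the authentication function is meant to catch before deployment. The following is an added illustration, not Dropbox's code: a constructed in-memory user store with PBKDF2 password hashing and a set of checks that must all pass before any change to `verify_login` ships. Names (`verify_login`, `auth_regression_checks`) and the sample users are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash)
USERS = {}

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))

def verify_login(username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches its stored hash."""
    record = USERS.get(username)
    if record is None:
        # Burn a hash anyway so unknown users take as long to reject as known ones
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)

def auth_regression_checks() -> list:
    """Negative tests that must pass before an authentication change is deployed.
    Returns the names of failing checks; an empty list means every check passed."""
    register("alice", "correct horse battery staple")   # constructed sample users
    register("bob", "hunter2")
    # 'is True' / 'is False' deliberately reject non-bool returns (e.g. a record
    # object or None leaking out), which a plain truthiness test would miss.
    checks = {
        "correct password accepted": verify_login("alice", "correct horse battery staple") is True,
        "wrong password rejected": verify_login("alice", "wrong") is False,
        "empty password rejected": verify_login("alice", "") is False,
        "other user's password rejected": verify_login("alice", "hunter2") is False,
        "unknown user rejected": verify_login("mallory", "anything") is False,
        "case-changed password rejected": verify_login("bob", "HUNTER2") is False,
    }
    return [name for name, passed in checks.items() if not passed]

if __name__ == "__main__":
    failures = auth_regression_checks()
    print("all checks passed" if not failures else "FAILED: " + ", ".join(failures))
```

Wiring a suite like this into the deployment gate is what turns "we discovered this at 5:41pm" into "the build never shipped".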
The CTO tries to reassure by saying:
Arash Ferdowsi, Jun-19 06:08 pm (PDT):
there was a very brief glitch and this should never happen/be possible again. thanks for the email.
Do those sound like throwaway lines to you? And this for a company that some think might have a valuation of $1.5 BILLION. It’s beyond nutty. It’s out with the fairies in La-La Land. But just to throttle back a moment, every time I give a talk on the benefits of SaaS there will always be those that pipe up with questions about security issues. This kind of crap fuels those fears and understandably so.
I’ve come to the conclusion there are two types of SaaS/cloud vendors: those that are in very short trousers and those that are grown up. The gap between the two represents a yawning chasm. So the next time someone tries batting me over the head with innovation coming from snot-nosed but bright developers, there’s a fair chance I’ll tell them to take a hike and get into the real world where security matters and where serious vendors pay close attention to the topic.
Forget the VC-fuelled bollocks about driving usage numbers. Screw valuations that line the pockets of those who think they know tech but only truly understand money. Tell me what real resources the business has to deal with this topic. That means highly skilled people who get out of bed every day thinking about how to break systems and the ways to defeat the bandits. Nothing else will do.