Web 2.0 Security: Are You Worried?


We’ve looked at DivShare, an online file sharing and storage service, several times, and generally liked it. Yesterday, though, an ominous notice showed up on their blog:

Late last night we were alerted of a security breach that allowed a malicious user to access our database, which included user e-mail addresses and other basic profile information. No financial information has been accessed by any unauthorized parties….

I’m not picking on DivShare. Indeed, they did all the right things: notified users, took the site down while they fixed things, apologized, and tightened their security. But this does raise the question of how well we’re all protecting our own identity information in this world of shifting Web 2.0 services.

If you’re a web worker who regularly tries new things, then you probably have personally identifiable information scattered around dozens of web sites: usernames, email addresses, snail mail addresses, phone numbers, passwords, and more – not to mention whatever billing information you have provided to sites you decided were worth paying for. But what do you know about the security of this information? The answer is likely, “not much.” The Web 2.0 equation includes a large amount of trust that service providers will do the right thing.

Unfortunately, as the DivShare example demonstrates, it’s not that simple. If you have put information out there in fifty places, there are fifty different places where it could be hacked, stolen, or misused. Though there is plenty of information out there for developers who need to implement secure web sites, there’s no guarantee that the developers of any particular site have read it – or made use of it.

Faced with this situation, the sensible thing to do is to protect your own information as well as you can. The first and most important step is to use some sort of password manager so that you are not sharing passwords between sites. While that won’t protect you from any given site being hacked, it does mean that information harvested from one place won’t let Bad People log on as you in another place. For maximum security, use different user names wherever you can.

The more you spread your identity around, the more you ought to keep an eye on it. At the very least, you ought to check your credit report annually; if your credit card info is in many places, you might want to consider one of the paid services that will monitor your credit report on an ongoing basis.

Ultimately, I’d like to see some standards emerge among Web 2.0 services in this area. One huge help would be automatic account sunsetting – if I haven’t logged on to your service in six months or a year, delete my information (obviously, there would need to be a way for users who don’t want this service to opt out). Failing that, you can try to keep track of your own registrations and delete the ones you aren’t using – though many sites make it tough to even do this.
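As an added illustration of the account-sunsetting idea above (example code written for this post, not anything DivShare or any other service runs): a policy that scrubs the e-mail and profile fields of accounts idle for 180 days, warns a month beforehand, and skips users who opted out. The 180-day and 30-day thresholds, the Account fields and the sample users are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy knobs (assumed): the post suggests six months or a year; 180 days is used here,
# with a warning e-mail one month before the data is erased.
SUNSET_AFTER = timedelta(days=180)
WARN_BEFORE = timedelta(days=30)

@dataclass
class Account:
    user_id: str
    email: Optional[str]
    profile: dict                  # "other basic profile information" from the breach notice
    last_login: date
    sunset_opt_out: bool = False   # users who want to keep a dormant account set this
    scrubbed_on: Optional[date] = None

def classify(acct: Account, today: date) -> str:
    """Return 'keep', 'warn' or 'sunset' for one account under the policy above."""
    if acct.sunset_opt_out or acct.scrubbed_on is not None:
        return "keep"
    idle = today - acct.last_login
    if idle >= SUNSET_AFTER:
        return "sunset"
    if idle >= SUNSET_AFTER - WARN_BEFORE:
        return "warn"
    return "keep"

def scrub(acct: Account, today: date) -> Account:
    """Erase the fields that would matter in a breach; keep a tombstone so the id is not reused."""
    acct.email = None
    acct.profile = {}
    acct.scrubbed_on = today
    return acct

def run_sunset(accounts: List[Account], today: date) -> Tuple[List[str], List[str]]:
    """Apply the policy in place; return (ids scrubbed, ids that should get a warning)."""
    scrubbed, warned = [], []
    for acct in accounts:
        verdict = classify(acct, today)
        if verdict == "sunset":
            scrub(acct, today)
            scrubbed.append(acct.user_id)
        elif verdict == "warn":
            warned.append(acct.user_id)
    return scrubbed, warned

DEMO_DATE = date(2007, 7, 15)

def make_sample() -> List[Account]:
    """Constructed sample users, not real data: idle 195 days, 164 days, opted out, 44 days."""
    return [
        Account("u1", "a@example.com", {"name": "A"}, date(2007, 1, 1)),
        Account("u2", "b@example.com", {"name": "B"}, date(2007, 2, 1)),
        Account("u3", "c@example.com", {"name": "C"}, date(2007, 1, 1), sunset_opt_out=True),
        Account("u4", "d@example.com", {"name": "D"}, date(2007, 6, 1)),
    ]

if __name__ == "__main__":
    print(run_sunset(make_sample(), DEMO_DATE))
```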

What have you done to protect your own registration info online? Any tips for other readers?


hands-on generalist

Of course I prefer a service to have good security implemented, but since web workers are using multiple services, the problem is in essence uncontrollable. The issues run a bit deeper than can be judged from the occasional data-breach story.

Most applications that service providers offer do something with your data, which, still, you have to commit to their systems, and henceforth put your ‘life’ in their hands.

But we live in an internet era, so why not have the service providers fetch your data from the web. This way, we, the people, are free to choose a storage provider we trust.

What we need is a standard which allows ‘them’ to define what data they need for their application to run (note that an application is usually just a nice way of interacting and displaying plain data), and for you to tell them where to get it, and to allow them to see it.

This way you can choose a storage provider with good security, and allow various application providers to fetch that data. For the application providers this means they don’t have to be responsible for storage and safekeeping.

Decouple the data (which belongs to you) from the applications (which are great, so you want to use them with your data) and a lot of problems disappear.

One of them would be duplication of effort, just think about how many times you have entered your ‘profile’ into various systems, instead of pointing them to one fixed place where you store your profile.

Personal Projects

Customers are on the weakest side of mobile banking security; users have to make sure that bank and credit card details will not land in the wrong hands.
-Deepa (dooyt.com)

Tim Haughton

Identity management and protection is becoming an increasingly important skill. It seems that people who drink too much Web 2.0 Kool-Aid spew out their personal information to any site that will allow them to enter it. Weird.


Kendra from Box.net here – I wanted to chime in and send our best to DivShare and their users – what happened there over the weekend is unfortunate for all involved.

I also wanted to re-state that our members’ security is the top priority here at Box.net. If you are interested, please check out our security policy (http://www.box.net/shared/w31wi7688c) and feel free to contact me directly with any questions or concerns.

Take good care,
