In principle, the “network is the system” idea has a lot of merit. Having all your data stored in some reliable, secure, redundant database that’s centrally managed, and hooking into it with whatever device is at hand — be it a desktop machine or a cell phone — has a lot of appeal. Keeping a system available on the net, up to date with fixes and patches, and secure is no trivial job. It’s exactly the sort of thing that should be left to someone who is a professional at it.

[Revised: Less than 24 hours after I posted this, I received a phone call from a salesforce.com representative, apologizing for the misuse of my information. My understanding is that one of their partners is to blame; that the misuse originated outside their organization. I was looking forward to receiving more details in an e-mail, but in preparing to let their mail pass my spam defences, I messed up — and all mail has been bounced from late Friday through most of the weekend. Hopefully they will re-send it so I can add more factual information to this. At this point, it’s clear that at least Salesforce takes this sort of misuse very seriously, and I have accepted their apology.]
The big hold back has always been that “secure” part. How reasonable is it to assume that some third party is going to take as much care of sensitive information as its owner would? Somehow I’ve always had this nagging concern that the security of data isn’t really as important to these application hosting companies as they want us to think it is. That might sound a little paranoid, but a little paranoia tends to be healthy when it comes to system security.
This is one of the reasons why I’ve tended to advise clients to save the monthly per-user fees they would pay to an application hosting firm, and use them to set up their own secure server and to pay for someone to maintain it. In most cases there’s a free tool available that will exceed the requirements of most small to medium sized enterprises, and the actual amount of time required to keep a system secure makes it cost effective to maintain control of the systems while outsourcing the maintenance.
One of the more popular web applications is contact management. The leader in this field, salesforce.com, has been wildly successful at helping companies spend less energy on the systems that support the sales process and more time on actually selling. Generally speaking this is a good thing. A few years back I did a business analysis of the Salesforce solution versus some low-to-no cost alternatives like SugarCRM.
As part of that analysis, I signed up for a free account at salesforce.com. Now, when I sign up for something like this, I usually create a unique mail address — so I can trace spam back to the source and beat up whoever failed to protect my data. Over the last few years, there’s been a real drop in the number of companies that will unscrupulously resell a mail address. This has been the result of both a huge backlash against spam and some well placed legislation. These days, when a trace address gets spammed, it’s usually the result of a misdeed; someone deliberately copies the data and sells it without the knowledge or consent of the company who owns it.
Well last week my Salesforce.com trace address got spammed. Here’s part of the headers:
From - Fri Sep 14 07:38:59 2007
>From dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com Fri Sep 14 06:38:12 2007
Received: from common1.wc09.net ([126.96.36.199])
    by xxx.yyy.com with esmtp (Exim 4.68)
    (envelope-from <dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>)
    id 1IW9Up-0008L1-Dc
    for (deleted)@ambitonline.com; Fri, 14 Sep 2007 06:38:12 -0500
Received: from josephine.whatcounts.com (192.168.127.32)
    by common1.wc09.net (PowerMTA(TM) v3.2r8) id ht9mui0c2qc7
    for <(deleted)@ambitonline.com>; Fri, 14 Sep 2007 04:16:37 -0700
    (envelope-from <dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>)
From: "Dealmaker Media" <email@example.com>
To: (deleted)@ambitonline.com
Subject: The Momentum 15: Ladies and Gentlemen, place your bets!
Date: 14 Sep 2007 04:47:01 PDT
Reply-To: "Dealmaker Media" <dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>
ENVID: WC-1189770421372-F78F7
Message-ID: <2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>
MIME-version: 1.0
Content-type: text/html
X-Mailer: WhatCounts
That caused me to forward the message to a support address at salesforce.com:
Date: Fri, 14 Sep 2007 08:22:10 -0400
From: Alan Langford <redacted at remove_this_nospam ambitonline.com>
User-Agent: Thunderbird 188.8.131.52 (Windows/20070728)
MIME-Version: 1.0
To: firstname.lastname@example.org
Subject: [Fwd: The Momentum 15: Ladies and Gentlemen, place your bets!]

As you can see from the headers of the message below, when I provided information to your organization, I used a highly traceable address in order to detect violations of my privacy. I can assure you that the address "(deleted)@ambitonline.com" was provided exclusively to your organization.

In my experience, this sort of violation is frequently due to unauthorized use of data, and as such it is probably as serious a matter for you as it is for me. I look forward to a report from you on how this personal and proprietary information wound up in the hands of the group who sent this message, and the actions you are taking to prevent it from happening again.

Moreover, given your inability to protect this information, please explain why I should trust your organization with something as sensitive as my own contact database.
After receiving no response, I sent another message to them this morning (September 20, 2007), informing them that I was planning on making their data loss public. Still no response.
The first two possibilities are serious indeed. Serious enough for me to confidently say don’t trust your sales data with salesforce.com, ever! Set up your own system (and most likely save a boatload of money in the process). As for the third possibility, well… just save a boatload of money and get better support in the process.
It turns out I wasn’t so paranoid after all.
I work for salesforce.com, and while I don’t speak in official capacity, I regret that you did not get a response to your email. I took a look at the email address you provided on sign up and a possible explanation suggested itself to me. I get spammed a lot at my domain using targeted dictionary aliases. For example, email@example.com gets the most web hosting junk. The traceable alias that you are using just happens to be the target of much web marketing related junk mail. That seems to me like a more plausible explanation than salesforce.com having a data leak.
You have a good point. Since the dawn of dictionary attacks I have moved toward adding a random seed to my “trace” addresses to prevent this. However, to date every misuse of a trace address has been clearly linked to the original source — typically the subject matter is closely related to the site, instead of the generalized noise common in indiscriminate spam.
As you can see from the revision I added near the beginning of this post, the misuse was due to a third party with legitimate access to the data, not a dictionary based attack.
I think that deliberately trying to find addresses using my old trace technique would offer too little payback for the spam harvesters. Probably the only target that they would be successful with is people like you and me who manage our own domains and have some technical wherewithal. The “admin@” and “sales@” class of spam is based on both addresses recommended in the Internet RFC, and simply guessing at likely hits, such as “accounts@” or “webmaster@”.
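The trace-address technique from the post, with the unguessable component the reply above mentions, as an added example that is not the author's own tooling: it issues one address per vendor, then separates mail that reached a genuinely issued address from an unexpected sender (a leak indicator) from dictionary-guessed aliases. The tag is a truncated HMAC rather than a stored random seed, and `SECRET`, `DOMAIN`, the `EXPECTED` map and the sample deliveries are constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: secret known only to your mail server
DOMAIN = "example.org"             # placeholder for the domain you control
EXPECTED = {"salesforce-com": "salesforce.com"}  # label -> vendor's own sender domain

def _tag(label: str) -> str:
    # Truncated HMAC: cannot be derived from the vendor name without SECRET.
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:10]

def trace_address(vendor: str) -> str:
    """Build the unique address to hand to one vendor at sign-up."""
    label = re.sub(r"[^a-z0-9]+", "-", vendor.lower()).strip("-")
    return f"{label}-{_tag(label)}@{DOMAIN}"

def classify_recipient(rcpt: str):
    """Return ('issued', label), ('guessed', None) or ('foreign', None)."""
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return ("foreign", None)
    label, sep, tag = local.rpartition("-")
    if sep and hmac.compare_digest(tag.encode(), _tag(label).encode()):
        return ("issued", label)
    return ("guessed", None)   # bare alias or wrong tag: dictionary noise, not a leak

def leak_suspects(deliveries):
    """deliveries: (envelope_from, rcpt_to) pairs. Flag mail that reached a
    genuinely issued address from a sender domain other than the vendor's."""
    suspects = []
    for env_from, rcpt in deliveries:
        verdict, label = classify_recipient(rcpt)
        sender = env_from.rpartition("@")[2].lower()
        vendor_domain = EXPECTED.get(label, "")
        if verdict == "issued" and not (
            sender == vendor_domain or sender.endswith("." + vendor_domain)
        ):
            suspects.append((label, sender))
    return suspects

# Constructed sample deliveries (not taken from the post's headers).
SAMPLE = [
    ("noreply@mail.salesforce.com", trace_address("Salesforce.com")),
    ("news@bulkmailer.example", trace_address("Salesforce.com")),
    ("promo@bulkmailer.example", "salesforce@example.org"),
    ("promo@bulkmailer.example", "salesforce-com-0000000000@example.org"),
]

if __name__ == "__main__":
    print(leak_suspects(SAMPLE))
```

Only the second sample delivery is flagged: the first comes from the vendor's own domain, and the last two fail the tag check, so they count as guessing rather than as evidence that the vendor's data escaped.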
Salesforce.com should be implementing a two-factor authentication system, like Salesboom.com and NetSuite do.
SF.com is junk. Never mind this email stuff – try using it. It is one of the worst pieces of online software ever. Their interface is pitiful – they haven’t changed a thing since the early 2000s. Their report generator is super inflexible, and any time you customize anything – the system begins to get cumbersome and the UI super congested.
There is clearly a lack of talent in this company. It must have all left when going public.