Remember when Danger lost all their backups? At that time I wrote about Expensify’s massively redundant, multi-tiered backup system (to two remote locations in realtime, and to two more remote locations nightly) in a passionate appeal to sanity. Soon after that I turned off my Sidekick for the last time, and turned on my shiny new Palm Pre. (And I ain’t going back!)
But now I read that RockYou has compromised the usernames and logins to 32 million social networking accounts because they didn’t encrypt a damn thing? Come on people! Encryption is so… I don’t know, 1942?
At Expensify, we take security incredibly seriously. We spent pretty much the entire first year building a geo-redundant, PCI compliant datacenter that achieves… actually, now that I think about it pretty amazingly high uptime, while simultaneously remaining super secure. It wasn’t easy. But that’s our job. It’s not an optional thing. Either you do it secure, or you don’t do it at all.
In our case, we use a type of encryption called “split knowledge, dual control”. It’s more complex than this, but we basically split our master encryption key in half, and store each half in a different safe deposit box (Witold controls one, I control the other) such that nobody ever knows the whole thing. This means nobody can decrypt our data alone, not even me.
Additionally, this key is assembled in memory on our servers using a type of “turn two keys simultaneously” system (akin to a nuclear launch panel) and never written to disk. So even if you physically stole the servers out of our hardened datacenters (something you’d be a fool to try), they’d be little more than really expensive paperweights.
Anyway, I understand social networking data isn’t as sensitive as financial data. And I understand most web developers don’t know how to deploy and maintain realtime distributed transaction layers.
But I don’t find those very satisfying excuses, and I doubt you do either.