

A few startups ago I was involved with a secure email company. We competed against a company called Hushmail. Their claim to fame is:

With Hushmail, users need only create and remember their own passphrases, and the secure Hushmail server does the rest. Encryption and decryption are transparent to the user, making Hushmail the most user-friendly secure mail solution available.

Unless of course Hushmail decrypts your email and gives it to the government.

A court document in a drug smuggling case has shown that the private email service Hushmail has been cooperating with police in handing over user emails.

I've always thought it is more important to prove who you are by actions rather than by proclamation.

Salesforce "Do as I say, not as I do."

Because of a security breach at, my contact information got into the hands of a phisher. Salesforce sent out an email explaining it to everyone. Some nice spinning here:

this intrusion did not stem from a security flaw in our application or database

No, it resulted from a security flaw in their policies and procedures. Social engineering attacks are just as real as breaching a firewall. But later they advise me:

Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.

If they had done that, this wouldn't have happened.  But, they can sure advise me.  Hmmm, that Sugar CRM run on my own site is beginning to look better and better.

Am I the only one who sees the irony in this?