Trello! It is me... you locked the door? User warns of single sign-on risk after barring self from own account

comparison

You hand your money to a bank - These have independant global and national oversight bodies with power to enforce a large set of laws, regulations and punitive penalties. - you can be fairly certain your money is safe.

You hand your data to a cloud company - These have ever changing T&Cs, more money than you & almost nothing to lose if anything goes bad - what's their incentive to give a flying one?

Decide how much of a PIA losing your data will be, then keep an up to date local backup.

Personal IP rights?

He could sue (or threaten to sue) because the old company has no right to his personal IP.

If the tables were turned and Atlassian gave him access to ACME's code, you bet yer pants ACME would sue.

Still, not keeping local backups is 100% his fault.

Hence the reason I have personal devices and work devices. I also won’t use personal credentials to log into any work services (not that I have a job at the moment)

Would this come under GDPR or similar rules?

Assuming the personal Trello contained actual personal data, the sort that GDPR would cover (or similar laws in other locations), and the person involved lived in the EU (or location covered by those similar rules), could they not report Trello/Atlassian for breach of GDPR, due to handing over access of said personal data to a 3rd party that had no right to it? (i.e ACME in this case).

After all, GDPR and law in general, trumps any Ts&Cs a company might try to enforce.

The same could then possibly be true for any 3rd party trying to do the same thing on other services.

Just a thought anyway!

Old e-mail

The question in my mind is why he didn't remove the AQCME e-mail when he stopped working for them.

A simple bit of sanitisation and housekeeping on his part could have saved all this hassle

Yet another reason....

...to keep your professional and private accounts/data separate. I don't have much sympathy for people suffering from this....what did you expect?

AFAIK most employment contracts have a clause in them that says anything done with employer's resources is the property of said employer....so if you get terminated you will probably loose it - especially if you are fired and immediately frog-marched off site*.

Plan ahead, people, and plan for the worst:-) You are still (just about) the master of your own data's destiny.

*Never suffered this myself though - employer's have always been 'polite' and reasonable.

Cloud data is wispy

Yes, cloud is great for flexing capacity or, at a personal level, giving access to devices and friends, but local sync and then proper backup is your friend - rclone, gyb and lots of automated scripts followed by veeam, restic, borg.....

SSO is flawed

The concept of SSO in a business environment works fine.

As a personal choice, it fails. The basic flaw is if you link a bunch of external accounts to Facebook, Google, Microsoft or whatever is that if you lose that account for some reason, you have lost all your accounts.

There is a story about someone losing their Google account because they posted a bunch of smiley's in a Youtube comment. Exactly what was posted is up for debate, but the damage caused way outweighs the supposed crime.

I've been unpicking my personal accounts from my work e-mail for a long time. It was convenient in the dialup days as it was hard to check the personal e-mail in the office. However in the modern age its much better to keep the two separate.

I don't mind using cloud services like github but I only them to make life easier or as a secondary store. As others have said in most cases my primary copy is stored locally and backed up regularly.

Unless the Atlassian UI makes it easy to delete an e-mail address you have lost access to then they have to shoulder some of the blame for this.

Remember the guy who pissed someone off as a reporter, so they social-engineered into his cloud photo storage and destroyed his life?

You can tell I'm old. I keep an LTO tape drive and SAS Card from way back.

I trust spinning metal more than flash but, it's not backed up unless it's on tape (about $6k in CAD training videos I would have to buy again.)

just have to keep a spare working LTO-4 drive.

Yours / Theirs

And using the company laptop.

The cloud reaches all your files and puts them on the cloud.

I used my own (bought and paid) software for work when they wouldn't pay for their own software.

I uninstalled my apps, but they still have copies.

Apart from all their other pirated software they have now pirated my software.

Interesting user situation.

Looking at the probable employer, I can certainly see why they might be a bit tetchy about security (critical energy/infrastructure, major global player, working in some very sensitive global locations). Although frankly I'm slightly surprised they use Trello...

I laughed and thought "would never happen to me!" and then I realised, that for really stupid reasons (understandable IT fuckups) I think several of my accounts have a backup linked to my employer, it is not impossible that something similar could happen. Hell, one of my food delivery logins is my employers (it rejected my personal email due to "existing account", then said no such account exists!".

In this case.. The ultimate confusion is ownership, the user opened the account, but settings were enforced by others. Tbfh, he fixed his own problem anyway.

I was never entirely sure how much "business data" to put in a free Trello account. Sure, it's probably OK, but WHO can snoop? I'm talking, Chinese/Russian/Korean/USA software engineers, who could theoretically have data slurps from bad actors looking for company Intel /R&D and secrets?

Atlassian make it hard to avoid this

Atlassian have a history of merging accounts between personal and work - it's not that easy to avoid. I nearly lost all my personal Bitbucket content when leaving an employer because Atlassian had managed to combine my personal account with my work account despite me trying to keep them separate. I think it happened when they converted standalone Bitbucket accounts into Atlassian accounts, just as they're currently doing with Trello. Luckily I had a good relationship with the account manager at that company and managed to get it sorted out, but it took a while between us to figure out what we had to do.

All the people saying "don't mix work and personal" - it really isn't that straightforward to avoid with Atlassian, they link stuff up behind the scenes without being explicit about it.

Work and Pleasure

Why would anyone use their personal email for anything to do with work? Or vice-versa?

I've worked at places where that would get you a very stern talking to. Plus, it's good for your health (mental, mainly) never to mix the two.

Sorry, no sympathy for this guy. Needs to address his work-life balance.

I find your lack of empathy disturbing

I'm surprised at how many commentards think this guy deserves no sympathy for his situation. He attempted to remove his former employer from his Trello account, but the second email couldn't be removed. That's particularly bad in this case, when the ability to work through multiple emails is touted as a feature of the service - the onus lies entirely on the operator to enable the user to manage their account fully.

Sure, he shouldn't have mixed work and personal data, but life is rarely that simple and few people are capable of achieving the levels of anally retentive pedantry on which many top Reg commentards pride themselves. The superiority you feel might just be hubris waiting to bite you where it hurts.

So easy to say

So hard to do.

"The obvious conclusion is: first, to back up data stored with external services..."

Most cloud services like Trello don't offer any easy way to make a backup of your data, or if they do, it's normally in a way that loses the structure or uses some impenetrable proprietary format which only works on the cloud service in question.

A fine example of the "no backup at all" is Photobucket. They make it very easy to put all your photos on their service, but the only way to download your own data from them is to go through each picture, one at a time, and manually download each one.

I believe it's called "lock in by design".

I understand this problem for some services. However, it makes no sense for Trello. As the subject of the article pointed out, the boards are associated with an email address (not just with the account) so it should be trivial for Trello to separate which ones are personal vs work.