I’m not against technology. I appreciate many of the benefits, but I’ve never downloaded an app and I don’t sign up for the new greatest thing in sharing information because of cautionary tales like this: How Mat Honan was hacked — hard.
Here’s what happened:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.
New tech is great, until it isn’t. Catnip for hackers who live to find the latest exploit. Read the whole story. It’s tragic. Days later and he’s still dealing with it. Probably won’t be able to retrieve everything he’s lost.
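The cascade in the quoted account (iCloud reset, then the Gmail whose backup address was the .mac account, then the linked Twitter accounts, with the devices wipeable from the first account) can be checked mechanically. This is an added example, not code from the post or from Apple or Google: the account names, the reset/link edges and the device and backup facts are constructed from the description above, and `rewire` shows how moving the Gmail recovery address to an independent mailbox shrinks what one compromised account reaches.

```python
from collections import deque

# Constructed from the quoted account: each account lists the accounts that
# can reset its password or log into it (recovery e-mail, linked login).
RECOVERY = {
    "icloud": [],                              # reset only through Apple support
    "gmail": ["icloud"],                       # backup address is the .mac/iCloud address
    "twitter_personal": ["gmail"],             # reset mail lands in Gmail
    "twitter_gizmodo": ["twitter_personal"],   # linked to the personal account
}

# Constructed: which account can remote-wipe each device, and where its
# backups live. An empty backup list mirrors the un-backed-up MacBook Air.
DEVICES = {
    "iphone": {"wipe_from": "icloud", "backups": ["icloud"]},
    "ipad": {"wipe_from": "icloud", "backups": ["icloud"]},
    "macbook_air": {"wipe_from": "icloud", "backups": []},
}


def dependents(recovery):
    """Invert the recovery map: account -> accounts that fall when it falls."""
    out = {acct: set() for acct in recovery}
    for acct, parents in recovery.items():
        for parent in parents:
            out.setdefault(parent, set()).add(acct)
    return out


def blast_radius(recovery, seed):
    """Every account an attacker ends up controlling after taking over `seed`,
    following reset/link edges transitively (breadth-first)."""
    deps = dependents(recovery)
    owned = {seed}
    queue = deque([seed])
    while queue:
        acct = queue.popleft()
        for child in deps.get(acct, ()):
            if child not in owned:
                owned.add(child)
                queue.append(child)
    return owned


def exposed_devices(recovery, devices, seed):
    """Devices that can be wiped from the owned account set, and whether any
    backup copy lives outside that set (if not, the wipe is unrecoverable)."""
    owned = blast_radius(recovery, seed)
    report = {}
    for name, info in devices.items():
        if info["wipe_from"] in owned:
            outside = [b for b in info["backups"] if b not in owned]
            report[name] = {"wipeable": True, "backup_survives": bool(outside)}
    return report


def rank_by_blast_radius(recovery):
    """Accounts sorted so the biggest single point of failure comes first."""
    return sorted(recovery, key=lambda a: (-len(blast_radius(recovery, a)), a))


def rewire(recovery, acct, new_parents):
    """Return a copy of the map with `acct` recovering through `new_parents`
    instead; any new parent not yet listed is added as an independent root."""
    fixed = {k: list(v) for k, v in recovery.items()}
    fixed[acct] = list(new_parents)
    for parent in new_parents:
        fixed.setdefault(parent, [])
    return fixed


if __name__ == "__main__":
    worst = rank_by_blast_radius(RECOVERY)[0]
    print("worst single point of failure:", worst, sorted(blast_radius(RECOVERY, worst)))
    for dev, state in exposed_devices(RECOVERY, DEVICES, worst).items():
        print(f"  {dev}: wipeable, backup survives = {state['backup_survives']}")
    # Mitigation: give Gmail a recovery mailbox that the iCloud account cannot reset.
    hardened = rewire(RECOVERY, "gmail", ["recovery_mailbox"])
    print("after rewiring gmail recovery:", sorted(blast_radius(hardened, "icloud")))
```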
Citizen Alan
A lot of my lawyer friends are storing important documents in dropbox and I think they’re insane. I said the same thing about ten years ago when the federal court system switched over to electronic filing and case management. Someday, somebody is going to write a program that just eats .pdfs and it’s going to totally demolish our court system which no longer believes in paper copies of anything.
dmsilev
Well, there’s this:
All the technology in the world can’t protect you from human error. Apple’s tech support people’s error in this case.
Wonder what Apple’s liability might be in a case like this?
jwb
The weird thing about this case is that the avoidance of saying anything about the motive. The hacker was in touch with him afterward? wtf?
sb
What legal friends of mine have been saying for a few years now. I mean, they are fucking terrified.
sb
@dmsilev: Confirmed with the hacker? How? Was he tortured?
Not that I’m opposed…
jwb
@dmsilev: I don’t understand having a computer set to remote wipe but not having a back up?
Libby Spencer
And… in a moment of perfect synchronicity, just discovered the blogs at Detroit News have been infected with some kind of worm that set off my virus alarm.
raven
@jwb: Someone got in my FB and Hotmail a couple of years ago. They started posting the “I’m in London and got robbed” messages on my FB and when a friend challenged them they threatened them. I bagged my FB and it took 2 weeks to get my hotmail back. When I did get into my hotmail there were messages laughing at me and telling me they had all my bank info and such. Nothing ever happened and I think it was some kid, not the russkies.
raven
(CNN) — At least two people were wounded, one critically, and one person appeared to have been killed Sunday in an incident at a Sikh temple in the Milwaukee suburb of Oak Creek, Wisconsin.
JScott
Somebody got lucky on a hack.
A different experience.
Ben Franklin
Sounds like the poster really pissed someone off…..
Read the comments from godhatesfags.com (Westboro Baptist Church)
Doc Sportello
This story illustrates the need for a strong back-up routine. Time Machine (if you’re Mac user) is your friend.
Mnemosyne
@jwb:
I’m guessing it’s someone who had a personal grudge against him because of the work he does for Gizmodo, in which case I can see why you wouldn’t post details and piss them off even further since it’s someone who decided it would be fun to wipe out your entire online life.
There’s a reason I try to maintain my anonymity, and it’s not because I’m fearful for my job or anything (my job ain’t that interesting). It’s because assholes you don’t even know think it’s fun to ruin your life just because they can.
dmsilev
@jwb: Yeah, you’d think that.
I’m paranoid about backups, having lost data when a drive committed suicide some years back, so I have three or four copies of everything, including a copy off-site. A malicious actor with access to my machine could corrupt all of that of course, but I’m not too worried about low-probability events of that sort.
VincentN
What’s the alternative then? Going back to paper copies of everything will just contribute to deforestation and global warming. Refusing to go online because of fears of being hacked means accepting a lot of inconvenience when it comes to shopping, banking, and communicating with friends and family. Yeah, people managed to survive the pre-internet age but that’s like saying people managed to survive the pre-automobile age. Doable but not particularly desirable.
Libby is describing a real problem and I don’t want to diminish that but I’m not sure what the solution is aside from the obvious have better security and password habits and maintain backups.
ETA: Okay, I just saw the update that the hacker got in through Apple’s tech support. I guess a good solution here would be better verification protocols.
jwb
@raven: According to twitter, kids are being held as hostages in the building. Also number of gunmen varies by account. Haven’t yet been able to verify anything beyond the fact that a shooting took place and a number of people have been killed.
cmorenc
Someday, possibly any day now, someone who has suffered enormous loss and inconvenience due to being hacked is going to find out the identity and physical location of the perp, and vigilante-style track them down and beat the living crap out of them down to a whimpering, suffering heap with just lots of bruises to their body and cajones and a few missing teeth if the perp is lucky to get off that light. It will be very interesting to see how a jury will react to this situation if the vigilante is caught and prosecuted for this assault. Not that this is the way people are supposed to react or take care of stuff in a peaceful, orderly society, but you know it’s going to happen and regardless of legal principle, lots of people will be saying “yes, right on!” to themselves and each other about such revenge in this sort of situation.
sb
@Doc Sportello: Tell me more? Too lazy to google it…
bingbango
Unless he used a dictionary word or easily guessed number (which he said he didn’t) I doubt it was brute force.
Speaking from experience, the first thing to do is google for exploits. They probably got in some other way and can probably do it again if all he did was change his password.
Anyways, he’s an iTard so I have no sympathy for him. iTards by definition of their technology of choice can’t deal with technology and prefer to have the technology tell them what to do.
Villago Delenda Est
If your sole backups are on the cloud, you’re asking for trouble.
You need to have a set of backups under your control, preferably in a fire-resistant container…on or off site, preferably off site.
Know that your cloud backups are not secure, however. They’re out of your control. Sure, you can blame “the vendor” if something goes wrong, but that and $2.50 will get you a latte at Starbuck’s.
James Hare
Like many here I don’t see this as an argument for avoiding security features like remote wipe, but rather an argument for keeping recent backups. That’s also an answer to the “PDF virus” idea — if courts are keeping only a single copy of necessary filings they’re being irresponsible.
If you’re not keeping backups it’s not a hacker’s fault you lost your files. It’s yours.
Libby Spencer
@Citizen Alan: Having worked in the law for 20 years before they went electronic, I remember sending the appeals courts entire banker boxes full of paper copies for a single case. So I thought it was a good idea to go electronic on the grounds it saves entire forests of trees.
I’m also terrible about backups on my home computer but always backed up my work product to external storage. Back then it was disks. Would assume the courts must keep off system back-ups as well. Even absent hackers, the equipment fails.
sb
Ugh. No thanks.
tam
@raven:
Just reading about that. Horrible. Shooter was reportedly a white male in his 30s.
InternetDragons
I have a couple of friends who use the same excuse to avoid being engaged with contemporary technologies. It’s their call, but I wish they’d just admit they don’t care much for tech. Stolen checking account and credit card information caused similar disruption to folks’ lives in the pre-social media days.
We didn’t hear about it as much because of…no social media :)
We’ll always have to protect ourselves against this sort of thing, whether we use current technology or not. I just hate to see it used as a reason not to be involved with it.
If people don’t WANT to fiddle with social media or tech in general, that’s cool. I know not everyone is comfortable with it. But exploiters have always been with us.
James Hare
@cmorenc: Said vigilante will rightly be charged and convicted. No jury is going to accept “I took the law into my own hands because I was just so mad” as a defense.
jwb
@Doc Sportello: Time Capsule and then it’s fully automated. I have read that Time Machine backups (well, actually the whole Apple file system) are quite susceptible to slow spreading corruption, so it’s best to have a second backup regime in place.
Villago Delenda Est
@cmorenc:
It’s like the plot of “Rule 34”.
A third of the way through the book, it seems that spammers are being targeted for gruesome deaths. My reaction: “This is bad because…?”
Andrew
It’s not super hard to stop people from doing stuff like this.
Step one: get a secure password manager. I use KeePass because it’s multiplatform. Have unique passwords for every site stored in the file. Make them unique for every site, machine generated, and as long and complex as the site allows (I’m looking at you banks and credit card companies who won’t let me use secure passwords).
Step two is to secure that password file with a hard to crack password that is simple to remember (See this for reasoning http://imgs.xkcd.com/comics/password_strength.png). My password is a unique phrase that I can remember and a machine couldn’t crack in a million years.
Step 3 is to turn on two step identification for your Google accounts. Even if your password was somehow leaked, your account can’t be compromised unless someone also has access to your phone.
Step 4 is to use nonsensical security answer/question combinations. If your password manager is good, you should be able to store them in there if you ever need to access them again (and you shouldn’t). If you use the standard question/response you can usually be hacked with a bit of googlefu or social engineering.
Mnemosyne
@cmorenc:
And the reason that’s going to happen is that IIRC there’s basically no legal recourse if someone does shit like this to you. If someone punches you in the face, you can have them charged with battery, but there’s no similar charge if someone decides to remotely wipe all of your electronic devices for giggles.
Villago Delenda Est
@raven:
The Sikh Temple was probably mistaken by a stupid white guy as something “Mooslam”. After all, Sikhs wear turbans. Only “Mooslams” wear turbans, you know.
If you’re a dumbass fundie shithead.
MattF
As noted above, it was a social engineering hack, bypassing Apple’s security. So yes, keep a local copy of everything. Famous quote, fwiw:
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” — Gene Spafford
It’s not the technology that’s unsafe, it’s us.
burnspbesq
@bingbango:
Which makes you a sanctimonious jackass.
Libby Spencer
@raven: Just saw that on the twitter. Waiting for the initial “rush to report first” to subside before I say anything about it. Expect it will take a few hours to get the actual story. But clearly, it’s going to be another horrible mass shooting.
Mnemosyne
@Villago Delenda Est:
That’s my guess, too. Here in Los Angeles, there were a few post-9/11 murders of Sikh men because turban=Muslim, amirite?
raven
@Villago Delenda Est: Yep
Ceremet
My ex-wife just called to tell me people have been using her SS number to file taxes and collect (improper) refunds. The IRS knew about this for some years and just told her about the activity they have been following for sometime.
I feel sorry for her (despite her giving me the divorce from hell; lost all my belongings, clothes, photos, caused me to get deep into debt that took years to clear, and she also caused me to be investigated by most local and federal agencies and we went through more court systems than I care to remember – still, can’t complain: got sole custody of our daughter and the Ex (through her own actions) lost all visitation rights forever (until she can address the courts again.) The system put me through the grinder but I got the only thing that did, and ever will matter – the safety of my daughter. Never was angry about my Ex’s actions – how could I? She had a breakdown through no fault of her own but did refuse treatment so for everyone’s safety, had to divorce her. Some years later, the State forced her into treatment and she is so much better now (strangely, she gave up trying to get visitation for reasons I’ve never asked) – if only that had been possible before the divorce!)
bingbango
@Andrew: Step 5 is to shoot yourself because you like to make your life far too complicated.
News flash, corporations with entire departments of security experts get hacked all the time. I get a kick out of you basement security experts who think making things incredibly complicated is the solution which just shows your incompetence on the subject.
A REAL solution is both secure and simple. You make the usual amateur mistake of only looking at one side of that.
Yes, I know keepass and your (again typical) response that it’s not hard for you. Good for you skippy. If you have all the time in the world to do that and it works for you fill your boots.
MikeJ
@Mnemosyne:
There are at least a dozen different laws under which they could be charged, not to mention civil suits.
I’ve only ever had to deal with one hacker, and I hired him.
Villago Delenda Est
@bingbango:
Security through obscurity.
And complexity.
Hell, if we can’t figure it out, some 14 year old scriptkiddie in Moldova won’t be able to, either!
jwb
@MikeJ: “I’ve only ever had to deal with one hacker, and I hired him.” Before or after the hack?
Chet
It’s actually because people are still calling themselves “semi-Luddites” that this happened. Make a system more secure, and you increase the number of semi-Luddite grandpa types who call up tech support because they forgot a password, didn’t set a useful security question (“what’s this bullshit? Jesus, I just want to get on the Bookface, already!”), and now think it’s completely unacceptable that security won’t “make an exception” to the security rules.
Increase the number of such incidents and you increase the likelihood that an actual hacker can play along, and have the customer service rep turn over the keys to the kingdom to a voice on the phone, as happened in this case. But ask service reps not to do that, and it’s a legion of bad press, because when you tell most people the justification for a security policy – “you could be a hacker trying to steal access to this account” – people think you’re accusing them of something.
Mat Honan calls it “social engineering” but it’s nothing more than “pretending to be one of the semi-Luddites who gets rude when he’s not treated like an obvious exception to important security policies.”
MikeJ
@jwb: After. He got in a secure area, but he was an all right guy who was just looking around to see where he could go.
Libby Spencer
@InternetDragons: Don’t hate technology. Just don’t jump to be the first to use the latest tech. There’s always bugs that aren’t discovered until they’re exploited. Or glitches that aren’t discovered until it’s in wider use. Think they often take these things out of beta too soon. I don’t have the skills to make the repairs so I’m never an early adopter.
BruceJ
@jwb:
The backups were stored in the same place as the remote wipe option. Apple’s support folks are definitely on the hook for this one.
This is why my iPad is backed up locally and on iCloud. Important stuff is stored in my Dropbox as an encrypted disk image.
BruceJ
@Libby Spencer:
This wasn’t a software hack…it was a social engineering one. The best, most bombproof software in existence couldn’t have prevented this…
BruceJ
@Chet:
That which Chet said , a thousand thousand times!
danah gaz (fka gaz)
@Libby Spencer
Security is security, whether or not infotech is involved.
In the interest of keeping you TOTALLY secure, just follow this simple, step by step plan:
1. Buy a lifetime’s worth of canned goods
2. Withdraw all of your money and investments, and put it into gold.
3. Eliminate all forms of computer technology, and communication devices in your life. This includes telephones, TV, your mail, your PC, your Internet, etc. On the off chance that someone may be beaming fascist thoughts at you through the airwaves, make yourself a foil hat – and a backup foil hat.
4. Make sure you have plenty of guns and ammo, just in case.
5. Dig a large hole somewhere nobody will ever find you, and line it with rebar and cinder block. No need for a door (see #1). Brick yourself inside of it.
Or failing all that, you could just shake your head and move on with your life, getting-the-fuck-over-it.
Villago Delenda Est
@BruceJ:
Social engineering has a long and storied history. For example, an American naval officer during the war of 1812 convinced some Brazilians he was acting in the name of the Royal Navy.
Brachiator
Nope. As noted, they used the simplest method possible. Talked to Apple and guessed easy security question answers.
As other posters have noted, you should use non apparent answers to security questions, for example, Range Rover for “mother’s maiden name.” Companies that use two factor authentication to confirm password changes help as well.
mapaghimagsik
I use keypass too. I’ve also heard good things about lastpass. Keypass does a pretty good job of making it easy to manage multiple passwords on sites.
For things that can really hurt if they were hacked, I use a separate password store, which is ‘off computer’
danah gaz (fka gaz)
@Villago Delenda Est: There’s another famous case of this during wartime. Operation Mincemeat.
This happens to be one of my favorite deceptions during wartime.
Andrew
@bingbango:
It actually is pretty simple. Once you get your password manager set up, just add your accounts as you login. I let Google Chrome store and sync my passwords as well. That’s the one weakness in my system. However I trust Google enough to not worry about it. Once you get to using it, you’ll realize how simple it is. I don’t have to struggle to remember passwords anymore. I don’t have to use any insecure passwords. With the exception of Google no one account can compromise any others. And my Google account has two step authentication.
For me to get hacked multiple things need to go wrong. That’s very unlikely. Or Google would need to get hacked and their multiple levels of encryption would also need to be cracked.
Nutella
Not a Luddite but when I first saw the description of iCloud I knew it would be trouble and won’t have anything to do with it. Anything that can wipe your local device had better be under your own control, not some jamoke at Apple support.
danah gaz (fka gaz)
@Nutella: I wouldn’t trust some monkey at apple to tie his shoes properly.
jwb
@BruceJ: He said he didn’t back up the computer and that recovering it would take extensive forensic work. He also said that he was restoring his iPad and iPhone. I therefore conclude that his iPad and iPhone backups were stored on iCloud, and he was able to access those once things were cleared up by Apple. But he did not use Time Machine (or another backup) on his MacBook Air, so the only hope there is to recover it from the reformatted disk.
danah gaz (fka gaz)
@bingbango: “A REAL solution is both secure and simple.”
This.
Andrew
There is also an advantage to using Google over iCloud. Just try getting a human to help you at Google. It’s generally harder to crack a computer than to social engineer your way in.
danah gaz (fka gaz)
@Andrew: Or you can just apply a simple calculus to what information you put in the hands of other people.
To paraphrase a statement from Fight Club
Over a long enough timeline, the chances of your information not getting compromised drops to zero.
IOW, assume everything gets compromised.
Therefore, the calculus becomes “Before I give this information to an outside party, what is the damage to me if/when it gets into the wrong hands?”
Simple. Timeless. Has nothing to do with technology.
Libby Spencer
@BruceJ: Truthfully, I’m so techno-dumb I don’t understand half of what you guys are talking about. Have no idea how this iCloud works, but assume it was tech support for the iCloud and not just his computer. So, if he hadn’t signed up for iCloud…
That’s my only point. Not really understanding why you guys are pissed off that I don’t want to use it.
danah gaz (fka gaz)
@Libby Spencer: I’ll keep it simple for you.
If you don’t want the wrong people to get a particular piece of information, do not give it to ANYBODY.
If you have something that you need to keep safe, make backups.
Real world application of this:
Online ordering: Use a prepaid card. If you can’t, use an isolated bank account that only has funds in it when you intend to order.
Never post compromising personal data online. Ever.
Share your passwords with NOBODY. Although this shouldn’t matter nearly as much because of the above rule.
In cases where sharing your information is compulsory, for example with the IRS, make sure you understand your legal recompense, should they fail to keep that information safe.
If some agency requires you share your information and using the service is voluntary , consider not using the service at all.
It’s not that difficult. In the end, even the most complex security questions can be boiled down to this: “Is it worth the risk?”
ETA: The victim in the story you posted made the egregious error of signing over access to his systems to an outside party. Clearly, they didn’t apply the “is it worth the risk?” calculus correctly.
JScott
Oh, and those security questions? Don’t give true answers, especially to things like your mother’s maiden name and where you were born.
Nerull
@Andrew: All good stuff, but won’t stop what happened in this case: Social engineering tech support. He didn’t get in by hacking, he got in by calling up Apple and getting them to give him access.
cmorenc
@James Hare:
Having been on a jury two times (though not in any case quite like this), IMHO it may be a closer case than you think, especially if the whupping administered isn’t severe enough to inflict more than short-term discomfort and temporary welts on the perp, and especially if there are lesser-included relatively minor charges they are able to convict the assailant on rather than any serious felony. Most juries want to do justice within the bounds of the options available to them, and will be torn between fitting whatever seemingly excess amount of violence the vigilante inflicts to the terms of more severe charges, and trying to fit their human understanding of the vigilante as abused victim himself of the cyber-perp to the terms of more minor charges, even if they are unwilling to buy that the vigilante should get off scot-free for his behavior.
Nerull
@bingbango: You’re the sort of person who gets robbed because they’re too lazy to lock their doors, aren’t you?
Tim in SF
@Chet:
Yes, what you said, Chet.
Everyone here should use a password manager like Keepass. They’re easy. It doesn’t take long to get the hang of toggling in and out of it to copy-paste passwords. Once you get the hang of it, you’ll see it’s easier than whatever way you are using now to remember your passwords or, more likely, one password for everything.
And you know those security questions? Each one of them gets an autogenerated string of BS that is also stored in Keepass in the notes for the account. (considering it takes about 2 seconds to generate something like 2wAn>Jy*2_-e;3(o}lBx`! g]ya~ I@,3}(Z_-8VF$2k-Mr1 which is faster than typing out my Favorite Movie or some other ostensibly secure bit of information that is easily guessable if you know me).
Bank websites are the worst. I wrote about chase last year here:
blog.hisnameistimmy.com/chase-bank-online-security-is-scary-bad/1740
but they’ve recently changed from 8 to 22 character passwords, which is great.
danah gaz (fka gaz)
@cmorenc: Regardless of the legal implications, I think it’s safe to say that the hypothetical aggressor is a complete moron. Hypothetically, of course. =)
WaterGirl
@danah gaz (fka gaz): Why do you keep writing these comments that are so condescending? Geez.
danah gaz (fka gaz)
@Nerull: “You’re the sort of person who gets robbed because they’re too lazy to lock their doors, aren’t you?”
Most people wouldn’t consider a deadbolt to be overly complicated. In fact, I’d say that most people would say that a deadbolt falls under the category of “simple and secure”.
Then again, you are not most people.
/shrug
WaterGirl
@Nerull: I may be wrong, but I think you may be corresponding with Derf.
danah gaz (fka gaz)
@WaterGirl: My statement about “I’ll keep it simple for you” is in direct response to this:
“Truthfully, I’m so techno-dumb I don’t understand half of what you guys are talking about”
My earlier response was in reply to dumb implication that somehow the advance of technology was leading to security problems, and that if you want to be safe it’s best not to adopt it. Basically, it was reductio ad absurdum.
If you consider my condescension to be a worse transgression than people continuing to over-complicate things, and thus making stupid choices that get themselves screwed, then guilty as charged.
I suppose a lot of my ire comes from working in infotech for the better part of two decades and watching people consistently run afoul of basic logic and basic security principles, thus screwing themselves, their customers, etc.
Security is a simple concept. It involves simple choices. Those choices boil down to an assessment of risk. It has nothing to do with technology. The vast majority of people, including those that SHOULD know better, don’t understand this. It’s insane.
Tim in SF
@Chet:
Yes, what you said, Chet.
Everyone here should use a password manager like Keepass. They’re easy. It doesn’t take long to get the hang of toggling in and out of it to copy-paste passwords. Once you get the hang of it, you’ll see it’s easier than whatever way you are using now to remember your passwords or, more likely, one password for everything.
And you know those security questions? Each one of them gets an autogenerated string of BS that is also stored in Keepass in the notes for the account. (considering it takes about 2 seconds to generate something like 2wAn>Jy*2_-e;3(o}lBx`! g]ya~ I@,3}(Z_-8VF$2k-Mr1 which is faster than typing out my Favorite Movie or some other ostensibly secure bit of information that is easily guessable if you know me).
Bank websites are the worst. I wrote about chase last year (Google “chase bank security is scary bad”) but they’ve recently changed from 8 to 22 character passwords, which is better. But they still forced me to answer about a dozen “security” questions that got nonsense answers.
You can still be a luddite and use Keepass and be safer online than you are now. Keepass is easier to use than a lot of things you currently do online, like email or bank website interaction.
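The arithmetic behind Andrew’s steps 1, 2 and 4 above (machine-generated per-site passwords, a long memorable vault phrase, nonsense security answers) and Tim in SF’s autogenerated answers, as an added example that is not code from either commenter or from KeePass. It uses Python’s secrets module for generation; the 1e10 guesses per second rate is an illustrative assumption, and the 7-character mixed-case alphanumeric sample stands in for the password described in the post.

```python
import math
import secrets
import string

# Assumed offline guessing rate for the arithmetic below (illustrative only).
GUESSES_PER_SECOND = 1e10

SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def charset_size(password):
    """Size of the character classes an exhaustive search must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_bits(password):
    """Keyspace, in bits, of a machine-generated password of this length and class mix."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words, dictionary_size):
    """Keyspace of n words drawn uniformly from a known list (the xkcd model)."""
    return n_words * math.log2(dictionary_size)


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the secret: half the keyspace at `rate` guesses/s."""
    return 2 ** bits / 2 / rate


def human_time(seconds):
    """Rough human-readable duration for the comparisons below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} seconds"


def random_secret(length=32, alphabet=SYMBOLS):
    """Machine-generated site password or security-question answer (step 4)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, n_words=6):
    """Vault master phrase (step 2): words chosen with secrets, never random."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # Constructed tiny word list; a real list would be thousands of words.
    words = ["correct", "horse", "battery", "staple", "orbit", "lantern", "velvet", "quartz"]
    samples = {
        "7-char alphanumeric (the post)": brute_force_bits("aB3dE7g"),
        "4 words from a 2048-word list": passphrase_bits(4, 2048),
        "6 words from a 7776-word list": passphrase_bits(6, 7776),
        "32-char generated secret": brute_force_bits(random_secret(32)),
    }
    for label, bits in samples.items():
        print(f"{label}: {bits:5.1f} bits, ~{human_time(expected_crack_seconds(bits))}")
    print("example answer for a security question:", random_secret(20))
    print("example vault phrase:", random_passphrase(words))
```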
cmorenc
@danah gaz (fka gaz):
I’m making a prediction of what will happen someday within the foreseeable future and the reaction of a substantial segment of the population to it, and not thereby agreeing that it is a wise course of action for someone to go vigilante on this by physically taking it out on the perp.
danah gaz (fka gaz)
@Tim in SF: Hopefully you never install a Keepass plugin, or otherwise end up with a trojan that compromises keepass.
Adding another layer of software does not change the fundamental security dynamic. As often as not, it just provides yet another avenue for attack.
danah gaz (fka gaz)
@cmorenc: These days, the odds are that that perp lives somewhere in the Eastern Bloc or China.
WaterGirl
@danah gaz (fka gaz):
Well put. I am an IT person, too, and I completely agree with that.
What I don’t agree with is the assumption that anyone will actually take in what you are trying to convey when the overarching message is “you’re so stupid, let me make it really simple for you”.
bingbango
@Andrew: Yawn, you will never get it. It’s simple for you and me but it’s not “simple”. I don’t need a lecture on how to use keepass thank you very much.
If it was really “simple” then try get your grandma to do it. Maybe she can teach you something about “simple”
danah gaz (fka gaz)
@WaterGirl: Well then maybe they shouldn’t lead off with the “I’m so techno-dumb” babble.
If you insist you are dumb, I will treat you as dumb. Full Stop.
And I’m not going to even get into the misinformed implications propagated at the top, by Spencer. That was just irresponsible.
bingbango
@Nerull: You’re the sort of person who has handguns hidden all over your house and then shoots someone knocking on your door selling newspaper subscriptions because you think they want to murder your family.
Libby Spencer
@Tim in SF: I would never use anything that stores my passwords on the internet. As far as I can see, anything can be hacked. I don’t care about doing it faster. I’m happy to take the few extra seconds to type it in every time.
Tim in SF
@danah gaz (fka gaz): “As often as not, it just provides yet another avenue for attack.”
“As often as not”? Where is your evidence that Keepass users have opened themselves up to security vulnerabilities?
I don’t use a Keepass plugin (or app or an addon), I use the program, alone. I mentioned none of those other things, so go beat your straw man somewhere else.
danah gaz (fka gaz)
@WaterGirl: The problem with the “I’m so techno-dumb” nonsense (as evidenced by the entire history of computer users) is that it abdicates responsibility for thinking. You are essentially saying “I can’t do it, I require hand holding and am incapable”, rather than saying “I don’t understand, can you teach me”. Dumb means unteachable.
Everyone, and this includes people that don’t understand technology would be better served by REMOVING technology from the equation and evaluating an analogous real-world-scenario.
This is why I stress that security has NOTHING to do with technology. The only thing that technology brings to the table is more ways of sharing and storing information. It acts as a safe, the postal service, and a telephone.
It’s 2012. The excuse of “I don’t understand technology, and can’t be expected to” now translates to “I don’t understand life, and can’t be expected to“
Tim in SF
@Libby Spencer: “I would never use anything that stores my passwords on the internet. ”
And I think you would be right not to. That seems rather foolish to me, too. And reckless.
Keepass is a program you use on your local computer. All the passwords are stored, encrypted, on your local machine.
My Keepass keychain is encrypted with a 32-character sentence. It’s highly unlikely someone would be able to guess it, and astronomically unlikely to crack it using conventional means.
I encourage you to google “Keepass” and then click Video and watch a few youtubes about it.
Libby Spencer
@danah gaz (fka gaz): You’re cordially invited to bite me. And you’re wasting your time trolling me. I don’t engage in arguments about things I DIDN’T say.
Also too, @WaterGirl: thanks for the support. Not to worry. Been blogging for too many years to care about pathetic insults from trolls.
Tim in SF
@danah gaz (fka gaz): “This is why I stress that security has NOTHING to do with technology. The only thing that technology brings to the table is more ways of sharing and storing information. It acts as a safe, the postal service, and a telephone.”
Now, this is one of the truest things I’ve read in this thread.
Unfortunately, you’re being such a superior asshole that people are tuning you out.
WaterGirl
@danah gaz (fka gaz): Here’s my summary of this front page post:
This is a cautionary tale; technology is your friend, until it isn’t.
Here are the details in blockquote.
It’s tragic. A terrible thing happened to this guy.
She seems to be coming at this from the human side, and you are coming at this from the technical side. She’s not stupid for not understanding the technology side, and you’re not a bad person for not acknowledging what a nightmare this whole thing is for the guy it happened to.
I’ll bet that if you stopped 100 people on the street and asked them to define “social engineering”, only the IT folks would know what you’re talking about.
danah gaz (fka gaz)
@WaterGirl: On the human interest end of it, yeah, I think we can all agree that getting compromised sucks.
However, avoiding technology doesn’t keep you safe. Thinking that it does will get you robbed. That’s where it gets irresponsible.
WaterGirl
@Libby Spencer: I know you don’t need defending, but I hate it when people are condescending. And after 25+ years in the IT field, I especially hate it when IT folks are condescending to people who are not.
In this case, I spent 2 very long days this week at a wake and a funeral, and I think my feelings are closer to the surface. Most days I would have thought “what an asshole” and not said a word.
danah gaz (fka gaz)
@Tim in SF: If I were trolling for marks to hack, then that might be considered a win.
Luckily I’m not.
I don’t use software to keep my passwords, and never will. You’re putting all of your keys on a ring, putting that ring in a safe, and hoping that nobody ever comes along and cracks that safe.
Personally, I think keepass is fine if you’re only using it to store slightly sensitive information. IOW, things like passwords for commenting on blogs and such. Things that wouldn’t necessarily damage you. I’d never do that for anything of consequence, so I believe your support of keepass should come with an extremely important qualifier: Don’t expect to make your truly sensitive information more secure.
Consider this: Keepass stores your information in an encrypted database. In order to retrieve the encrypted password, it must, at some point, know the key. If I were to do a DLL injection attack on a 32-bit Windows machine, I could intercept that process and get the master key for all of your passwords. Oops. That’s why I say that it doesn’t change the fundamental security dynamic.
Libby Spencer
@Tim in SF: I don’t even want to keep it on my machine. Computers can be remotely hacked too. Only have a couple dozen. Probably not even that secure even though I use obscure phrases but I change them fairly regularly and keep a paper list in a little notebook. That feels the safest to me.
Suppose I could keep it on an external storage unit of some kind, like a flash drive. But I’d probably be more likely to lose one of those than I would the paper notebook.
danah gaz (fka gaz)
@Libby Spencer: “I don’t even want to keep it on my machine.”
This.
For your truly sensitive passwords, like your online banking (should you choose to use it) don’t store them anywhere other than your head. Ever.
Libby Spencer
@WaterGirl: So sorry you’re going through a loss. Know the feeling. I’ve been to way too many funerals in the last two years myself.
Tim in SF
@Libby Spencer:
Only have a couple dozen. Probably not even that secure even though I use obscure phrases but I change them fairly regularly and keep a paper list in a little notebook. That feels the safest to me.
That’s probably pretty safe. If someone is going to break into your house to get your passwords, then you have worse problems than identity theft to worry about.
Just make sure you are using a different password for every single site you visit. I have around 120 sites to manage passwords for, so an electronic means is a must.
Also, I keep my bank, gmail and WoW passwords in my head. And they are long.
Tim in SF
@danah gaz (fka gaz): Consider this: Keepass stores your information in an encrypted database. In order to retrieve the encrypted password, it must, at some point, know the key. If I were to do a DLL injection attack on a 32-bit Windows machine, I could intercept that process and get the master key for all of your passwords. Oops. That’s why I say that it doesn’t change the fundamental security dynamic.
Yes, possible, but I think you have to demonstrate that this is commonplace among password manager users for your point to be true. I maintain that it is not. The vast, vast majority of breaches come from people using zero or bad security. Keepass is pretty good. It’s certainly better than nothing.
I don’t use software to keep my passwords, and never will. You’re putting all of your keys on a ring, putting that ring in a safe, and hoping that nobody ever comes along and cracks that safe.
Getting and using Keepass properly is as much sophistication as can be hoped for from many a user. Getting someone from security-zero to security-keepass is a good thing. Keepass may not be invulnerable, but it is an improvement over the current situation for many, and therefore it is a good thing to recommend.
I think that you are perpetuating what you claim to be against. You are advocating against basic security measures because they are not invulnerable. I think this is a foolish and unrealistic position to take.
Libby Spencer
@Tim in SF: I do use different passwords for everything. And I do keep the bank one in my head only.
MTiffany
This must be a work of pure fiction! Everybody knows, after all, that Apple products are so much better than PCs. All the fanboys say so.
Haha. An iFail.
Corner Stone
@Tim in SF: 120?
Libby Spencer
@danah gaz (fka gaz): I’m a techno-dope, not a drooling idiot. Just not willing to spend the time learning about every hot new thing that comes down the pike that I don’t need to use for what I do.
Not sure how you read this post as a diss on technology. Perhaps you want to re-read my first two sentences.
danah gaz (fka gaz)
@Libby Spencer: I’m sorry that I misinterpreted your use of the term Luddite.
Clearly, it was an error on my part.
Adding, I read this
” I don’t sign up for the new greatest thing in sharing information because of cautionary tales like this: How Mat Honan was hacked—hard.”
As an advocacy of avoiding technology due to security pitfalls. A sentiment which (based on my interpretation, of course) I find irresponsible.
I suppose I misinterpreted that as well. I apologize.
Sister Rail Gun of Warm Humanitarianism
@VincentN:
Regular offline backups. I’ve been challenged occasionally at work over the expense, but we back up nightly to an external hard drive, weekly to a different external hard drive, monthly to DVD. The external hard drives are swapped out weekly and taken offsite. There’s also a regular backup to a server in a datacenter in another part of the country.
Our backup routine is intended to save us in case of an office fire or a natural disaster. That it’s also a good defense against malicious intrusion is icing on the cake.
danah gaz (fka gaz)
@Libby Spencer: The takeaway that I get from your cautionary tale is this:
It was unfortunate that the victim decided to share the access to their system with an outside party.
The way I look at it is this: It’d be like giving a copy of a house key to your neighbor. Can you trust them? Even if you can, can you trust that person to protect access to it? What if their own home gets breached?
Sharing access is generally a bad idea. Technology was the means, but the mistake was the act of sharing itself.
danah gaz (fka gaz)
@Tim in SF: “Yes, possible, but I think you have to demonstrate that this is commonplace among password manager users for your point to be true.”
I don’t think so. In fact, the most egregious hacks are usually targeting systems where a new vulnerability was exploited – where people previously thought they were safe. Once hacked, people tend to re-evaluate the security of that previously safe system. The first to fall generally falls hard.
Also, the means, DLL injection, is already quite widespread:
Spyware and trojans are legion, and a plurality of them use DLL injection once your system is infected.
It’s not much of a leap to assume that as Keepass gets more popular, it will become a more attractive target. Part of the reason it’s not actively targeted, again is that it’s not widespread. If everyone were to use it, which seems like what you are advocating, the dynamics of that would look much different.
This line of reasoning is based on simple security principles:
1. Keeping all of your eggs in one basket undermines security.
2. Security by obscurity amounts to “Security theatre” as opposed to actual security.
I stand by my conclusion. Your advocacy of keepass deserves a disclaimer. It does not make your truly sensitive passwords fundamentally more secure. What keepass is, is a relatively secure way to store passwords to things that require light-to-moderate* security. In other words, things that could not compromise you dearly. It is NOT a way to make your most secure and sensitive keys even more secure.
What constitutes light to moderate is a judgement call by the user.
Corner Stone
@Sister Rail Gun of Warm Humanitarianism: Good God. What decade are your protocols rooted in?
Corner Stone
@Libby Spencer: The word “Luddite” signals its own set of specific issues.
Just IMO.
Corner Stone
If you choose to put the key aspects of your life into a designated application then it better be isolated.
And it sounds to me like it is not.
danah gaz (fka gaz)
@Tim in SF: I can sum this all up in a very succinct shorter:
Never store your most sensitive passwords on your machine. Keepass doesn’t change that.
mclaren
This is what happens when you surround yourself with Apple products.
Stick with linux.
danah gaz (fka gaz)
@Sister Rail Gun of Warm Humanitarianism: A reasonable whitepaper on off-site backup: http://www.irmi.com/expert/articles/2005/clayton05.aspx
Wherever I can, when engaging an outside agency for protection, I like it if it will indemnify you against damages. In some cases, like offsite backup, this is really difficult to find. Luckily, there are agencies like this:
http://www.datainsurance.org/
This is awesome. Although there’s no “silver bullet” for data loss prevention, organizations like this are as good as it gets.
Libby Spencer
@danah gaz (fka gaz): I’m sorry your reading comprehension failed you.
danah gaz (fka gaz)
@Libby Spencer: So you were actually saying that sharing access to sensitive things with outside parties is a bad idea?
I wonder how I could have misinterpreted what you wrote.
Mea culpa.
different-church-lady
How the hell do you “remote wipe” a MacBook?
Libby Spencer
@Corner Stone: Hence the qualifier “semi.” And the disclaimer in the opening sentence. Had no idea tech people were so damn sensitive.
different-church-lady
@mclaren: You almost had me going for a second there. Then I realized you know perfectly well that both OS X and Linux are flavors of Unix.
Or perhaps you didn’t know that, and you’re just pulling a Text From Dog.
danah gaz (fka gaz)
@different-church-lady: For the record, back when I was a teenager and had more free-time than sense, Linux users were my favorite target.
The reason is twofold.
1. Linux tends to have a lot of potentially remotely exploitable “surface area”. To put it simply, Linux systems tended to listen on more ports than other PC operating systems, leading to more avenues for attack. This has changed somewhat in recent years.
2. There is a subset of Linux users (and that’s still very much true today) that think that by the very virtue of the fact that they run Linux it hardens them against attack. This also tends to be the same subset that cannot properly administer a Linux machine. This also tends to be the same subset that spouts that Linux is infinity times the most secure EVAH! which makes them easy to identify.
different-church-lady
Just read that posting: ah, the cloud claims another victim.
As Roosta said in the Hitchhiker’s Guide, “If you can’t scratch a window with it, I’m not interested.”
danah gaz (fka gaz)
@different-church-lady: “How the hell do you “remote wipe” a MacBook?”
Scanning the article at the top of the page, I’m guessing you do it by sharing access to your system with some strangers that work at Apple.
different-church-lady
@danah gaz (fka gaz): I admit being a few revs behind the curve, but I’m sitting here wondering if you have to open up that capacity, or if it’s some new feature of the more recent OS’s.
I mean, as far as I know nobody at Apple has any of my administration or root passwords.
danah gaz (fka gaz)
@different-church-lady: Apparently, in their words “There’s an app for that”. =)
I’d add that again, this is not the fault of technology. It’s an unfortunate consequence of somebody making a poor choice.
I do think that it’s Apple’s shame for making it SO easy to make this poor choice, but in the end, one’s own choices are one’s own responsibility.
I’d never run an app that gives someone else administrative control over my machine. 1000x so if I do not even know that other person personally.
Sister Rail Gun of Warm Humanitarianism
@different-church-lady: Looks like it’s a feature of iCloud, intended to be used if you lose the linked device.
different-church-lady
@danah gaz (fka gaz):
One that, unfortunately, Apple and every other high tech company out there is encouraging everyone to embrace.
QFT.
danah gaz (fka gaz)
@Sister Rail Gun of Warm Humanitarianism: I love the word “feature”. Especially in this case. It’s so bloody subjective. =)
different-church-lady
@Sister Rail Gun of Warm Humanitarianism: Fuck the Cloud. Seriously. Fuck it in the ear, unprotected.
danah gaz (fka gaz)
@different-church-lady: To be fair, not all clouds are about that. But in general, I think we can agree on your point. =)
LanceThruster
Just watched Doug Stanhope “Before I Turn the Gun on Myself” from Salt Lake City (Showtime On Demand). Was totally floored by the clarity of his rants.
Went to his site to check on more material and was blown away by the first two clicks. Both totally tied into the damaged people topics of the day. Wow.
http://www.dougstanhope.com/
He once thought he could fix the world but got over it. Was hard to argue with his points (doesn’t mean to stop trying though)
danah gaz (fka gaz)
@different-church-lady: “Fuck the Cloud. Seriously. Fuck it in the ear, unprotected.”
Tell us what you really think. =)
different-church-lady
@danah gaz (fka gaz): Okay, what I mean is fuck “The Cloud™”. Not the actual cloud, but the conceptual magic buzzword Cloud that marketing came up with for the things we used to call “remote storage” so that they could sell us bandwidth every time we wanted to type up a shopping list.
Darkrose
There are two takeaways for me from this:
1. Someone in Apple tech support fucked up badly.
2. If someone wants to get into your account badly enough, they will. Account security is primarily about making it difficult enough that the hacker decides to try for an easier target. I don’t have to outrun the bear; I just have to outrun you.
2 is something that I realized 20 years ago when I started hanging out online and in physical space with people who were orders of magnitude smarter and more technical than I am. As for 1…
I do tech support at a UC. About 75% of my calls involve one or more of the following:
“My password is–”
Please do not finish that sentence. Passphrases are stored on the system in a machine-encrypted format, so I can’t see it. We will never ask you for your passphrase for that reason.
“It’s telling me the answers to my security questions are wrong, and I know they’re right!”
I can’t see your security questions either. Whatever you’re entering doesn’t match what the system thinks you entered when you set them.
“I didn’t set those questions!”
Are you sure? I didn’t, so if you didn’t either, your account has been compromised.
“Can’t you just tell me the answers?”
I CAN’T SEE THE ANSWERS. Also, that would kind of defeat the point of the questions, wouldn’t it?
“This is too complicated! My bank doesn’t make me go through all this!”
And if your bank account gets compromised, your bank will point you to the Terms of Service you agreed to and say, “Sucks to be you.” If your campus account is compromised, you’ll be bitching and moaning to everyone who’ll listen about how those dumb, lazy, overpaid state workers screwed up.
“I don’t have time for this!”
In the time you’ve spent arguing with me about why I won’t violate policy and allow you to reset your passphrase without any way for me to verify your identity, you could have gone to a computer lab, found your department proxy, or faxed me the damn form and gotten a reset token and been off doing whatever you need to do.
I’m guessing that in this case, the Apple technician finally said, “All right, fuck it–here’s your password”. That’s on the technician, and on the culture that says that the customer is always right–not on the technology itself.
danah gaz (fka gaz)
@Darkrose: “All right, fuck it—here’s your password”
If that’s what happened, then Apple has some serious ’splainin to do.
It should be impossible for anyone at Apple to recall somebody’s password. Passwords are either stored using one-way encryption, or you’ve got drunken chimpanzees setting security policy. There is no middle ground there.
I don’t necessarily think that’s what happened though, fully admitting that I don’t know. In the face of an accusation of such egregious violation of a basic security tenet, I’d tend to want to give Apple the benefit of the doubt in that regard. However, when I consider the fact that the iCloud app seems to allow Apple access to your machine to perform administrative functions, maybe I shouldn’t be so charitable.
Sister Rail Gun of Warm Humanitarianism
@different-church-lady: I finally decided that a cloud is just an FTP site with a fancy client and a new name. And should be treated just as gingerly as you would any outside vendor you’re trusting your data to.
danah gaz (fka gaz)
@Sister Rail Gun of Warm Humanitarianism: Generally speaking, that’s precisely correct. (Not all clouds are like the Cloud(TM) that different-church-lady speaks of)
To be fair, I think different-church-lady is railing against the idea that companies are falling all over the Cloud(TM) like it’s Jesus, Buddha, and a herd of unicorns for all of your computing needs. DCL is correct to point out the risk inherent to such a philosophy.
As for me, I think the Cloud(TM) push (as DCL characterizes it) is diabolically, and cleverly evil in a sort of PT Barnum/BOFH sort of way.
I’ll keep my private data, you know private thanks very much. In an environment where I control it. That said, I’ll use a cloud when it makes sense to.
Sister Rail Gun of Warm Humanitarianism
@danah gaz (fka gaz): The Apple tech didn’t have to retrieve the password, just reset it. Most tech support systems can do that.
danah gaz (fka gaz)
@Sister Rail Gun of Warm Humanitarianism: Generally speaking, I totally agree with you there. Not all clouds are like the Cloud(TM) that different-church-lady speaks of.
On the other hand, I think different-church-lady is railing against the idea that companies are falling all over the Cloud(TM) like it’s Jesus, Buddha, and a herd of unicorns for all of your computing needs. DCL is correct to point out the risk inherent to such a philosophy.
As for me, I think the Cloud(TM) push (as DCL characterizes it) is diabolically, and cleverly evil in a sort of PT Barnum/BOFH sort of way.
I’ll keep my private data, you know private thanks very much. In an environment where I control it. That said, I’ll use a cloud when it makes sense to.
danah gaz (fka gaz)
FYWP. Meh, what a disaster. Hijack unintentional, I swear. Sorry!
danah gaz (fka gaz)
@Sister Rail Gun of Warm Humanitarianism: I know that. I was responding to Darkrose’s specific hypothetical.
Darkrose
@danah gaz (fka gaz): Probably not “here’s your password”, but maybe, “here’s a reset token even though you couldn’t answer all of your security questions.” I’ve been tempted to do that just to get an irate caller off the phone, but I like my job, and I know that my manager will back me up if I say no.
With Apple, from both what I’ve heard and personal experience, the tech support people will sometimes bend the rules to avoid having a negative survey.
danah gaz (fka gaz)
@Darkrose: That doesn’t surprise me. It also doesn’t encourage me. Bending the rules is precisely how people get socially engineered.
Still, in the end, giving admin access to your computer to an outside party is a bad move. I won’t blame Apple primarily for that, mostly just the poor sod in question.
I will say however, that Apple is doing their customers NO favors by making it terribly easy to make such a bad decision.
In my experience from working in IT, I’ve found that the best thing to do, wherever possible, is to make doing the RIGHT thing the easiest thing to do. I’d add that the lower the technical savvy of your target user base, the more important this is.
iCloud apparently makes it frightfully easy to do the WRONG thing. That’s Apple’s mistake. Therefore, while the user was ultimately responsible for getting themselves burned, Apple can share some of the blame for making it so easy to do.
Sister Rail Gun of Warm Humanitarianism
@danah gaz (fka gaz): Wow. You know, you really should warn people that you’re going to parse their words that closely. I read her theoretical Apple tech as meaning “Here’s your password reset.”
Since I’m much too tired to watch my words as though I’m on a witness stand, I think I’ll bow out here.
danah gaz (fka gaz)
@Sister Rail Gun of Warm Humanitarianism: Had I interpreted it broadly, I’d have been left with the question of how a password reset led to a system wipe, and down the rabbit hole we’d go.
Reading the top of the page again, I guess I’m guilty of forgetting the specifics about that password reset in the story. That said, I still find it curious as to how one would draw a line between that password reset and an unauthorized account breach. There’s a big question mark there. I guess if Darkrose is correct, then somebody at Apple REALLY screwed up.
At any rate, if you read my response to Darkrose as offensive it wasn’t intended to be. It was just continuing along the hypothetical – which I quoted. I don’t see why you’ve gotten twisted in such a knot over it.
HEY YOU
I wonder if there might be a way to store one’s junk that can’t be hacked? ROFLMAO