Put all your eggs in one basket — and watch that basket!
Mark Twain, “The Tragedy of Pudd’nhead Wilson”
It was only a matter of time before the holes in the grand dream of cloud computing and data sharing began to appear. I’ve been a bit concerned about this move towards reliance on the cloud since major companies like Amazon, Apple, and Google started pushing it. These are companies–particularly Google–who love convergence. They want all your accounts and apps and software and devices linked up into one happy communicating network that shares everything. There are benefits to this: it’s easier to synchronize data and files across multiple devices, share them with the others, and access them from anywhere. These are nice features. Not necessary, but nice.
Of course, when you put everything in one spot, it makes it that much easier to steal, so you better damn well watch that spot.
That’s the job of the companies controlling the clouds, and two of the largest–Apple and Amazon–just let Wired’s Mat Honan down bigtime. Honan has been the target of a catastrophic case of identify theft and data destruction:
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
The shocking thing is how easy it all was to pull off. It probably took less than an hour, and a passably clever teenager could have done it. Here’s how it went down:
The actual target was Honan’s Twitter account, which they would eventually take over and use to broadcast racist and anti-gay slurs. His Twitter account linked to his personal site, which linked to his Gmail address. The hacker (“Phobia”) was able use the Google account recovery page to find an alternate recovery email address. That address was displayed as “firstname.lastname@example.org.” It’s doesn’t take much to figure out the full address from just that much information, and that information gave Phobia an entry point to Honan’s AppleID account.
In order to crack the AppleID account, he needed Honan’s home address and the last four digits of his credit card. The address was simple to acquire from a whois search, but with enough information on a target it could be pulled from any number of sources. With this data, the hackers called Amazon to add a new credit card number to Honan’s Amazon account. This was done simply by using the email information they already had and fake credit card numbers generated online. They hung up, called Amazon back, and, using the new credit card number as an ID check, added a new email account. With this new email account, they could reset the Amazon password and access account data. It doesn’t show the whole credit card number, but guess how much it does show?
Yeah, you guessed it: the last four digits. With those in hand, Phobia could go back to Apple, confirm his identity with the last four credit card digits, and seize control of Honan’s online life. Using Apple’s “Find My …” services, they were able to wipe his laptop, iPad, and iPhone.
After the attack, Wired was able to test these same methods, and within minutes had enough data to crack open accounts, all without using any special tools or skills.
Honan admits some of the blame is his for not using two step security, but what you really have is two systems working against each other. Now that the exploit is public, it will probably be close, but worse may be on the way. Windows 8 is going to hit soon, and the entire things is heavily dependent on cloud computing. Microsoft is still closing exploits from Windows XP and Office 2003, and PCs are more vulnerable to attack than Macs, so good luck with that one.
Times like this make me glad I write for a much lower profile and less controversial magazine than Wired, but there’s no denying it’s a real concern for all of us in tech media. We routinely tend to tick-off exactly the kinds of people who exploit technology for sport, and almost anything can set them off. A bad review of a videogame can generate unbelievably heated reactions. I’ve gotten “death threats” (the BS online kind, but it’s still always a surprise) for negative game reviews.
The hackers and pirates have won in the exact same way the terrorists have won: they’ve made us change the way we live. I always pause before submitting or posting any piece that might draw the kind of attack leveled at Honan. It’s never stopped me, but it’s there in the back of my mind, as I wonder “Is this story worth a potential attack?” That’s the goal of the people who want to digitally punish people, and they’ve succeeded. They’ve already won, because sometimes you think, “It’s easier to just walk away and leave this subject alone. Look! Over there! New DLC for Skyrim!”
And the final irony is that Honan wasn’t even targeted for anything he wrote. His entire article is fascinating, and recounts his exchanges with the hackers, who admitted to going after him because they liked his Twitter handle and wanted mess around with it. It wasn’t because of Honan, or Wired, or his links to Gizmodo: it was “simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and f*** shit up, and watch it burn. It wasn’t personal.” Cue The Dark Knight:
That’s what we’re dealing with: it’s good sport. It was one thing, 20 years ago, when a bunch of geeks and early adopters made up most of the online world, but now my mother is online. Kids are backing up their iPod Touches to iCloud. Old ladies are on Facebook and have Kindles. When I started in tech, it was kind of a wild west thing: everyone more or less knew there was no law in this arena, and we took good care. We trusted no one. We were paranoid and cautious. Now someone could probably call up your average grandmother with an iPad, say they’re from Apple’s Special Wimyammer Response Force and are concerned about a possible security breach on her flux capacitor, and just ask for her AppleID and password.
So what’s the answer? As everyone pushes you towards the cloud, what should you do?
Here are a few ideas to start:
- Your password sucks. No, really, it sucks. They all do. Don’t get fancy with a lot of weird characters and random letters and numbers: three words that are easy for you to remember and a number: tacocheesesalsa34, or hueydeweylouey608. (Not that obvious, but you get the idea.)
- Use two stage protections wherever possible. Gmail offers them. Activate them.
- Stop putting so much private information out there. Your Facebook profile is probably insecure, and people can scoop up tons of data about you. This is a whole other subject, and I’m not getting into it right now, but it’s easy to find ways into people’s accounts through information they volunteer themselves.
- As far as I know, there has not yet been a massive cloud data breach. There will be. It’s inevitable. Don’t put anything on the cloud that a) you can’t afford to lose, b) is very personal, or c) could be used to damage you further (eg, bank account info, credit card numbers, etc). Right now I use it for Keynotes and pictures.
The cloud isn’t necessarily something to fear. Honan’s problem was more in the breach of his AppleID, which gave the hackers access to his iCloud account, which they could then use to wipe all his devices and take over his life. Cloud file-sharing wasn’t his problem: the tendency of cloud systems to interconnect was the problem. Oh yeah, and super-crappy tech support from Apple and Amazon.
Online attacks are not going away. Modern society has killed any notion of moral standards. Once moral relatively became the default stance of secular society, we were done for. Morality is transcendent, and it does not shift from person to person. One of the dumbest things I hear (and I hear it all the time) is “You can’t dictate morality.” I don’t have to dictate morality: morality dictates itself. It exists. You either recognize and abide by it, or you reject it, but you can’t just make it up as you go along. You can’t say, “Well, that might be what you believe, but I don’t agree.”
There are rules written in the cosmos, and etched in the human heart. There are moral absolutes, such as the very simple notion that you don’t destroy a total stranger for a bit of sport. Once we started rejecting a few of these simple moral absolutes–once we decided that each generation could evaluate their world and their experience and their feelings, and then make up a new set of moral codes to suit them–we were undone. The man who shoots up a theater or a temple is of a piece with the hacker who wipes out a man’s work and attempts to ruin his reputation: they’ve made their own moral code, and all the rest of us are just collateral damage.