This blog is highly personal, makes no attempt at being politically correct, will occasionaly offend your sensibility, and certainly does not represent the opinions of the people I work with or for.
How Security Flaws (and His very own Stupidity) Led to His Epic Hacking

Mat Honan. Got Hacked. Hard. Like really hard, even though it could have been worse (nobody died). He wants to share his story. To alert people. He is becoming famous. Because he is stupid. And negligent.

The story is here: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/ [wired.com], and well worth reading as a perfect reminder of the dangers of the digital era.

I personally really liked the part where he eventually talks with the hacker. And also, if the following doesn't make you ponder as much as it did me, think harder...

"By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don't and never will understand, those deletions were just collateral damage. My MacBook data -- including those irreplaceable pictures of my family, of my child's first year and relatives who have now passed from this life -- weren't the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in."

But I repeat that this guy is stupid because, of all people, he should have known better. I mean, I almost choked at the line where I read that he doesn't have a backup of his data. Seriously!!? I don't have time this morning to go into details, but here is what (only) a few years of experience taught me:

  • I use a *different* username and password for each service/website I subscribe to (and sometimes I push the envelope into using a unique temporary email address just to receive the "follow this link to confirm your email address" message).
  • My usernames and passwords are always *randomly generated*
  • When I can, I avoid using a "recovery" email address or "security questions"
  • My answers to security questions are *randomly generated* (I know, I know, this sort of defeats the purpose of a security question, but the town I was born in? or where I first kissed a girl? or the name of my first pet? Come on, everybody knows that! So until those people come up with security questions that are actually secure, my answers will remain random strings)
  • I have all my usernames and passwords in an encrypted disk image that nobody but me knows the password to. I keep everything (in archive folders), including past username/password pairs that I don't use anymore.
  • More generally, every single sensitive piece of data on my computer is encrypted (you would not believe the amount of damage somebody with access to the admin passwords I collected over years of freelancing could do...).
  • Two factor authentication works (most of the time). Use it.
  • I do a backup of my computer *every day*, using both Time Machine and Synk. Then, I backup the entire external hard drive on another one (to survive hard drive mechanical failures -- this happened to me once). And then I have another drive at another location (to survive fires and meteorite impacts)
  • If you are the kind of people to use online backup services (DropBox etc), do yourself a favour and work with a simple assumption: everybody can read your data. So do not store there any non encrypted data if it is confidential.
  • Use SSL
  • I don't use Apple's Address Book.app (now known as Contacts.app) and in fact I don't even have it on my laptop.
  • I don't use any online service for which the cost of seeing it compromised would be higher than the cost of not using it.
  • Last but not least, who needs iCloud anyway ?
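As an added illustration of the first four points above (unique random usernames and passwords per service, random answers to security questions, a throwaway address per signup), here is a small Python script. It is not part of the original post and not the author's own tooling; it only uses the standard library. It generates a credential set for one service at a stated entropy target and then checks a vault of such sets for any secret reused across services, which is exactly the property that stops one compromised account from unlocking the next. The `example.org` mail domain and the `signup+<tag>` plus-addressing scheme are assumptions for the example; whether a real service accepts such addresses is up to that service.

```python
import math
import secrets
import string

# Alphabet for passwords and security-question answers: letters, digits and a
# punctuation subset that most signup forms accept (73 symbols, ~6.19 bits each).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"
# Usernames and e-mail tags: lowercase letters and digits only, so they survive
# case-insensitive services and the local-part rules of mail addresses.
IDENTIFIER_ALPHABET = string.ascii_lowercase + string.digits


def random_string(alphabet: str, length: int) -> str:
    """Uniformly random string drawn from the OS CSPRNG behind `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of this shape: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniform string reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def make_credentials(service: str, questions, target_bits: float = 96,
                     mail_domain: str = "example.org") -> dict:
    """Build a fresh credential set for one service.

    Nothing in the result is derived from the user's real identity, so none of it
    can be looked up with a search engine. The e-mail alias uses plus-addressing on
    an assumed domain (example only): one tag per signup, discarded after the
    confirmation mail arrives.
    """
    pw_len = length_for_bits(len(PASSWORD_ALPHABET), target_bits)
    id_len = length_for_bits(len(IDENTIFIER_ALPHABET), 64)
    return {
        "service": service,
        "username": random_string(IDENTIFIER_ALPHABET, id_len),
        "password": random_string(PASSWORD_ALPHABET, pw_len),
        "email": f"signup+{random_string(IDENTIFIER_ALPHABET, id_len)}@{mail_domain}",
        # Security-question answers get the same strength as the password: they
        # are a second password, not a hint.
        "answers": {q: random_string(PASSWORD_ALPHABET, pw_len) for q in questions},
    }


def find_reuse(vault) -> set:
    """Return every secret value that appears under more than one service.

    `vault` is a list of dicts as produced by make_credentials. A non-empty result
    means a breach of one service hands the attacker a credential for another.
    """
    first_seen = {}
    reused = set()
    for entry in vault:
        values = [entry["username"], entry["password"], entry["email"],
                  *entry["answers"].values()]
        for value in values:
            if first_seen.setdefault(value, entry["service"]) != entry["service"]:
                reused.add(value)
    return reused


if __name__ == "__main__":
    # Constructed sample: two services, the second with two security questions.
    vault = [
        make_credentials("twitter", []),
        make_credentials("amazon", ["first pet", "town of birth"]),
    ]
    for entry in vault:
        print(entry["service"], entry["username"], entry["email"])
    print("reused secrets:", find_reuse(vault) or "none")
```

The generated set is meant to go straight into an encrypted vault, never into a plain text file or a cloud folder; the entropy helpers exist so that the length is chosen from a target (96 bits here) rather than from habit.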

Seriously people. How hard can it be ?

So now, don't get me wrong. I am not against the Cloud, I am thrilled about the idea of one day not having to do my own backups and synchronisations, but I also think it's not ready yet. Companies are pushing us to use cloud-based services at a time when we still haven't solved more important problems, notably the fact that password-based authentication (or relying on information that was once private but can now be found with a Google query) just doesn't work. Mat Honan is experiencing the so-called "growing pains" of our computing technology. You don't want to be the next one.
