How Apple and Amazon Security Flaws Led to My Epic Hacking

wired.com

You need to read @mat’s story about his - yes, it was truly epic - hacking. Fascinating, frightening and educational.

Mat Honan, the Wired reporter who suffered from a hacking incident over the weekend, says that the lax security policies of two companies — Amazon and Apple — led to his accounts getting hacked. He still takes the blame, though.

wired.com

Those security lapses are my fault, and I deeply, deeply regret them.

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

This isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.

While Amazon’s system has flaws, it’s Apple’s — with the remote wipe function exposed by merely having a billing address and the last four digits of a credit card — that leads to real questions. Also, Apple’s support was less than helpful for Honan, as they misunderstood him and thought his last name was Herman, not Honan. This story is enough to make you want to reconsider using credit cards on Apple accounts. Read the whole thing. It’s scary.

“Here is a better idea than keeping an encrypted USB disk of passwords taped securely to the underside of your genitals: If a service does not offer you adequate protection, don’t use it. Want to know how to protect your password from hackers? Quit using insecure products. For vital services — like your primary e-mail, or online banking account — you should demand at a minimum a second factor of authentication. That’s typically something you have like a code sent to your phone, or an app, or a token. If you can’t get that protection from the service you entrust with your vital data, don’t use it. I’ll say it again, because it is so important: If you are using e-mail or banking services from a provider that does not offer that second layer of protection in addition to the password, stop now. Today. Archive and delete all your messages. Transfer your money. Close your account. Seriously. Not kidding. Do it right now.”

The New York Times Is Wrong: Strong Passwords Can’t Save Us | Gadget Lab | Wired.com

Generation X: Stop whining. Love, the Millennials

EDIT: It has been brought to my attention that the original post was written in October. I received it today. It changes nothing about my statements below.

To Mr. Mat Honan, who wrote a post today last October lamenting Millenials like me and to all Gen X-ers who read his post and couldn’t agree more:

Allow me to start by offering you a hug. Seriously. You sound like you all need one. Next, I think my Millennial brethren won’t get mad if I think I speak for us all when I say, “Cool story, bro.” The thing that you’re not seeing through the rage is that we’re going through the same amount of suck you are—except we have you and the Boomers telling us what entitled jerks we are all the live-long day. As far as the “sense of entitlement” is concerned, it’s my guess you’re referring to the fact that we watched our parents (and you, for that record) get canned after following the pre-determined script that was placed in front of you and realized, “Hey, that life path kinda sucks.” So no, we’re not in love with the idea of saddling up to a job that’s gonna throw us out like yesterday’s Tamagotchis whenever they feel the need. We’re starting our own companies like Facebook (you’re welcome!), Pinterest and Tumblr—you know, the platform you used to type this rant? While we’re talking about tech, let us say that we appreciate the technological advancements you brought to us. Here’s the thing though. It’s called “progress”: you took the basic framework of the web and built on it (while mailing a bunch of AOL CDs). We took that, connected the planet and started revolutions from our mobile phones. Our bad.

On the music front, we can’t thank you enough for RUN DMC, Radiohead, Nirvana and Biggie. Also, thanks for spending so much money on crappy artists that the record companies felt comfortable charging $15.99 for a damn Chumbawumba album. We pay for our music too, we just don’t do it en masse anymore unless we REALLY like it. How WAS all that hair metal, by the way?

As far as culture is concerned, we appreciate everything you guys did, from Nirvana to Freaknik. Whether it be the Foo Fighters or popular “reality TV” shows (You guys came up with that one, remember? Word to Eric Nies.), your influence is still being felt. (While we’re at it: You guys had Star Search and the Mickey Mouse Club. We have American Idol. That’s a win for Gen X. We’ll take Ed McMahon over Seacrest ANYTIME.)

See, the overall theme of this little rant is that you don’t seem to enjoy getting older. It’s understandable. You were the “slacker generation!” Ben Stiller made that movie about you! But for every talking head you find to back up your claim that we’re entitled and spoiled (what, you didn’t have rich kids when you were our age?), you’re missing that the unemployment rate for 16- to 24-year-olds was around 17.6 percent last year. For those of us lucky enough to have jobs, we wish we had better health insurance too! Actually, we wish we HAD health insurance. You forgot to mention something though. We’re about community. From social networks to our involvement in volunteer work. (You knew that between 1989 and 2006, teen volunteering doubled to 26.4 percent from 13.4 percent, right?) We take care of our own.

Don’t be too upset; some of us on the older end of the generation see the age rage coming on the horizon. It was all good a week ago, right? Then next thing you know, you aren’t being fawned over any longer by magazines and popular culture isn’t creating products specifically to get in your pockets.. err, to appeal to you anymore. Your idols are dying or dead and the ones here now to replace them just aren’t up to your arbitrarily, ridiculously high standard. We get that—change sucks. Can you wait to crap on us more though? We’re still picking up the crap from the generation before you! We’re in the same fight and we promise not to forget that when we have to take care of you later on in life.

Oh, and it needs to be said: thanks for all the left-over coke, we seem to have run fresh out of Adderall these days. Now re-blog THAT shit.


“CORRECTION: The article about Yahoo and Flickr was written by Gizmodo’s Mat Honan. An earlier version of this article incorrectly said Honan was with Engadget and misspelled the author’s first name as Matt and last name as Honen. Also, an earlier version of this correction incorrectly spelled the author’s last name and didn’t specify both names were misspelled in the article.”

—The WSJ gives bad BJs.

“Mutton Hambone wrote: Baaaa! Mort Honohan wrote: Let’s get things straight; Flockr is a social network for birdwatchers. Melt Hamon wrote: You won’t take credit for misspelling my last name? Met Honizmodo wrote: Surely you Pantech Jest sir! uɐuoɥ ʇɐɯ wrote: G’day, mates! Just finished a Fosters and realize the WSJ has buggered up my name.”

—Part of an epic comment thread on the WSJ piece that misspelled Mat Honan’s name. 53 joke comments.

Rise of The Hacker Journalist

Mat Honan — Milly Dowler vanished in 2002. It set off a huge sensation in the UK, similar to the Natalee Holloway case in the United States. Now, reports have surfaced that News of the World hacked into her voicemail. According to the New York Times:

[T]he newspaper not only intercepted messages left at the cellphone number of the girl, Milly Dowler, 13, by her increasingly frantic family after her disappearance, but also deleted some of those messages when her voice mailbox became full - thus making room for new ones and listening to those in turn. This confused investigators and gave false hope to Milly’s relatives, who believed it showed she was still alive and deleting the messages herself.

The News had already been busted for hacking into the voicemail boxes of the UK’s elite. Royals and celebrities and political leaders. But this time the subject was a missing 13-year-old girl. And its actions actively hampered the investigation.

I think we can all agree this was reprehensible. But it won’t be the last time. The age of the hacker journalist is upon us. We’ve heard so much about programmer journalists in the last few years, who use programming skills to crunch and present data, that we forget about the reverse side of an era of reporters who know their way around a computer: hacking.

The journalist has long been a gatekeeper who passes along information, which is sometimes illegally procured (see: the Wikileaks cables, or the Pentagon Papers). But we’re entering an era when many journalists have the necessary skills to actively purloin that information themselves. Careers will be made and undone by hacker journalism.

Sometimes the information that comes out of these will be for the public good. You’ll see corporate and government malfeasance exposed. But it’s certainly also going to be abused. We’re going to be reading celebrities’ emails and viewing top-secret products under development. (And of course, the reverse is true as well. HP famously hacked into reporters’ data to try and figure out where internal leaks were coming from.)

Yet when laws are broken, we’ll rarely know it. It has taken almost a decade for the Milly Dowler scandal to emerge from the time her voicemail was hacked. Hacking is easily covered up. It’s easy to place blame on a source. After all, if a reporter is willing to break the law, why not go one step further and hide behind a non-existent anonymous source? (See, for example, Michael Gallagher, who did just that with Chiquita’s voicemails.)

In short, this is the new normal. A new tool in the reporter’s arsenal, albeit one we’ll only hear about when someone gets busted.

“Electronics are our talismans that ward off the spiritual vacuum of modernity; gilt in Gorilla Glass and cadmium. And in them we find entertainment in lieu of happiness, and exchanges in lieu of actual connections.”

Fever Dream of a Guilt-Ridden Gadget Reporter

Mat is getting existential at CES. It’s amazing.

And sponsored by Radio Shack?

“If the Internet really were a series of tubes, Yahoo would be the leaking sewage pipe, covering everything it comes in contact with in watered-down shit.”

—Mat Honan

“Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.”

Kill the Password: Why a String of Characters Can’t Protect Us Anymore | Gadget Lab | Wired.com

What would you miss most if all your data were hacked?

I’ve been thinking about this since reading this article a bit ago. I’d miss a lot of the normal stuff, like:

  • My Flickr photos
  • Google Docs
  • Old e-mails, contacts, phone numbers
  • Poems, illustrations, articles, and other random stuff on my computer

Some of these border on precious, while for others, I have backup copies, or they’re in multiple places — or they’re just not that important.

I’ve realized that the most difficult thing to replicate would (will?) be the folder on my desktop of the screen captures I’m constantly snapping. These are typically moments in social media which are mostly insignificant, but which, to me, indicate some sign of the times; little flags on the emerging landscapes of communication.

It’s kind of silly, but I guess I should make something of this project, in case I lose it. I am also making a few other backups here and there. If only I could make a back-up cloud-based account for all of my other cloud-based data! Ha!

So, what would you miss?

How to find happiness in a world of password madness

PCWorld / Dan Tynan / Sept. 18, 2012

In early August, Wired reporter Mat Honan had his most precious passwords hacked via a complex series of social engineering exploits. The breach made headlines because it exposed security flaws in Apple and Amazon customer service policies; but let’s not forget that the Honan saga capped a long summer full of server invasions that exposed millions of user passwords en masse.

In June, hackers stole some 6.5 million LinkedIn passwords and posted them online. That same month, intruders compromised about 1.5 million eHarmony passwords in a security breach, and in July hackers grabbed 450,000 Yahoo Voice passwords. Among the most common passwords used by those Yahoo members: “123456,” “welcome,” and the ever-popular “password.”
