Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

Keeping back-ups is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
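The weakest-link argument and the three steps above can be checked against a list of your own accounts. The Python sketch below is an added example, not part of the original article: the inventory is constructed (the iCloud, Gmail and Twitter chain follows the account quoted earlier; the Amazon entry and the mailbox name "registrations" are made up), and it assumes that control of a mailbox is enough to reset every account whose resets go there.

```python
from collections import defaultdict, deque

# Constructed inventory: account -> mailbox that receives its password-reset
# e-mails (None = no e-mail reset path). The amazon entry is made up.
BEFORE = {
    "icloud": None,
    "gmail": "icloud",      # backup address was the .mac mailbox
    "twitter": "gmail",
    "amazon": "gmail",
}
# Steps one to three applied: one dedicated mailbox (hypothetical name
# "registrations") receives every reset and has no e-mail reset path itself.
AFTER = {
    "registrations": None,
    "icloud": "registrations",
    "gmail": "registrations",
    "twitter": "registrations",
    "amazon": "registrations",
}


def blast_radius(reset_to, compromised):
    """Accounts an intruder can take over via reset e-mails, starting
    from control of one mailbox (the compromised account included)."""
    receives = defaultdict(list)          # mailbox -> accounts that reset to it
    for account, mailbox in reset_to.items():
        if mailbox is not None:
            receives[mailbox].append(account)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for account in receives[queue.popleft()]:
            if account not in seen:
                seen.add(account)
                queue.append(account)
    return seen


def chained_mailboxes(reset_to):
    """Step-two violations: mailboxes that receive other accounts' resets
    but can themselves be reset through another mailbox."""
    used_as_mailbox = {m for m in reset_to.values() if m is not None}
    return sorted(m for m in used_as_mailbox if reset_to.get(m) is not None)


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, "chained mailboxes:", chained_mailboxes(inventory))
        for account in inventory:
            print(f"  {account}: {sorted(blast_radius(inventory, account))}")
```

In the "after" layout the dedicated mailbox is still a single point of failure, which is why step one asks for it to be the most secure account you have.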

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


"It's just a prank, bro": inside YouTube’s most twisted genre

Despite endless headlines and media scrutiny, catchphrases such as "it was a social experiment" and "block the haters" have allowed YouTube's dangerous pranking culture to continue unregulated. 

A year and five months after the worst prank video ever was uploaded to the internet, its crown has been usurped. In November 2015, YouTuber Sam Pepper made headlines after he filmed a video entitled “KILLING BEST FRIEND PRANK”. In the video, Pepper kidnaps a man before forcing him to watch his friend be “murdered” by a masked figure. Rocking on the chair he has been tied to, the victim sobs and shouts: “We’re just kids”.

Last week, an actual child – aged nine – was victim to a similarly distressing “prank”. Michael and Heather Martin, of the YouTube channel DaddyOFive, poured disappearing ink on to their son Cody’s carpet before – in Heather’s words – “flipping out” on the child.

“What the fuck did you do,” yells Heather to summon Cody to his room. “I swear to God I didn’t do that,” screams and cries Cody as his parents verbally berate him. His face goes red; he falls to his knees.

You won’t find either of these videos on either of their creators’ channels today. After considerable backlash, Pepper deleted his video and DaddyOFive have now made all of their videos (bar one) private. The Martins have faced international scrutiny after being called out by prominent YouTuber Philip DeFranco, who collated a video of clips in which Cody is “pranked” by his family. In one, Cody appears to be pushed face-first into a bookcase by his father. In another, a visibly distressed Cody sobs while his father says: “It’s just a prank bro.”

These five words have been used to justify some of the most heinous pranks in YouTube history. Sam Pepper famously called a video in which he pinched the bottoms of unsuspecting women, a “social experiment”. Usually, though, creators’ excuses follow a pattern. “It was just a prank,” they say. Then, if the heat doesn't subside: “Actually, it was fake.”

Three months after his “KILLING BEST FRIEND” prank, Pepper claimed the video – and all of his other prank videos – were staged. In a video entitled “Family Destroyed Over False Aquisations [sic]” the Martins have now also claimed that their videos are scripted. “We act them out,” says Michael. It seems many on the internet remain sceptical. The Child Protection Services website for Maryland – where the Martins live – has crashed after Redditors encouraged one another to report the family. If the Martins’ videos are indeed staged, Cody is one of the shining child actors of our time.

Though the Martins might yet face severe consequences for their pranks, it wouldn’t be surprising if they didn’t. The “Just a prank”/“No it’s fake” cycle means that despite multiple headline-grabbing backlashes, YouTube pranking culture continues to thrive. Boyfriends pretend to throw their girlfriend’s cats out windows; fathers pretend to mothers that their sons have died. YouTubers deliberately step on strangers' feet in order to provoke fights. Sometimes, yes, pranksters are arrested for faking robberies, but in the meantime their subscribers continue to grow in their millions.

At present, there is no regulatory body that examines YouTube. Pranksters who break the law are arrested, but children whose daily lives are filmed for the site are not protected by the same regulations that safeguard child actors from being overworked or exploited. Though the communications authority Ofcom has guidelines about wind-up calls and consent, it does not regulate YouTube. The BBC were famously fined £150,000 by the body after Russell Brand and Jonathan Ross prank called Andrew Sachs, yet internet pranks remain out of its jurisdiction.

Though YouTube removes videos that breach its “Community Guidelines”, it seems illogical that we trust the service to police itself. Since the invention of the radio, we have assumed that independent bodies are needed to scrutinise the media – so why should the largest video-sharing platform on the planet be exempt? No one is truly looking out for either the pranking victims or the children of YouTube. God forbid, like Cody, if you are both.

It is also arguable that YouTube pranks need more regulation than those broadcast on TV. Britain’s favourite pranking shows revolve around humiliating comedians themselves – Trigger Happy TV, Balls of Steel, Jackass – or are very soft (think a man pretending to be both a mime and a policeman) in nature. When someone is outright humiliated on TV, it’s because they are seen to be “fair game”, such as in Comedy Central’s Fameless Prankers, where people desperate to be famous are forced into increasingly humiliating situations. On YouTube, there are no consent forms or waivers to ensure filming remains ethical, and YouTube pranksters often target more vulnerable people.

“There’s an element of power here with the parents and it seems this is very top-down,” says Jonathan Wynn, a sociology professor at the University of Massachusetts who has written on pranks in the past. Wynn explains that traditionally pranks mock status and hierarchy, such as when court jesters taunted kings. When pranks come from the top down, Wynn says they allow a group to bond emotionally – arguably something the Martins are attempting as a family. Nonetheless, Wynn notes this would work better if the children also pranked their parents equally. “In this case the status differential is quite high, when you have children and parents.”

Traditionally, the mainstream media has had little room for this type of content. In 2012, two radio DJs attempted to prank the Duchess of Cambridge Kate Middleton by calling the hospital she was staying at, but instead tricked two nurses. When one of these nurses, Jacintha Saldanha, died by suicide days later, the episode seemed the ultimate illustration of the recklessness of pranks that “punch down”.

Conversely, status differentials are a large part of YouTube prank culture. Rather than attacking people in power, YouTube pranks are often played by those in power (the YouTube famous) on those who have lower social status. Frequently, boyfriends prank girlfriends, for example, and since 2014, white pranksters have filmed “in the hood” pranks provoking young black men. In “The N Word Prank!!” famous internet prankster Roman Atwood goes around saying “What’s up my neighbour” to people of colour, knowing that it will be misheard as a racial slur. In the context of this pranking culture, a parent pranking a child to the point of tears seems almost inevitable.

Perhaps, then, it is easy to understand why Michael and Heather Martin “prank” their children – it is harder to understand why anyone is watching. The DaddyOFive channel has over 750,000 subscribers, with over 7,000 of these subscribing after Philip DeFranco’s video accused the family of “abusing” their children. In order to defend themselves, the Martins initially employed another YouTube rhetoric, on top of “just a prank bro”. In a since deleted video, they invited their fans to “block the haters”.

This phrase is ingrained in online culture, and has allowed internet celebrities to dismiss criticism for years. By painting anyone who is critical as “jealous” or a “hater”, YouTubers can ensure their fans ignore their words and therefore stay loyal. In a video response to Philip DeFranco, the Martins riffed off a popular meme and placed spoons over their eyes to symbolise this mentality, and now fans as young as 12 are copying this action to show their support. When I search the hashtag used by the family’s supporters to see if anyone might be willing to explain why they still love the channel, I am faced with the reality that most of DaddyOFive’s fans are children. Though YouTube’s minimum sign-up age is 13, there is nothing really stopping children from watching – and normalising – harmful content, particularly when it is disguised as a “prank”.

In this context, it doesn’t matter in the slightest whether a prank is faked. Sam Pepper might have asked his friend's permission before he fake-kidnapped him, and perhaps Michael Martin was only pretending when he pushed his son into a bookcase. Neither of these facts will prevent children – 19 percent of whom have a desire to be famous – from copying these actions in order to promote their own YouTube channels. Even if a YouTuber is punished for a dangerous pranking video, there are thousands of other pranksters ready and willing to take their place. 

It remains to be seen whether the Martins will continue with their YouTube channel. At the end of their now infamous invisible ink prank, Michael asks Cody to “do the outro” – the concluding section of a YouTube video. Wiping his nose and still red in the face, Cody rattles off his script at alarming speed. “Thank you guys for watching this video if you like this video and want to see more videos like this one leave a comment down the section below and don’t forget to follow us on Twitter, Instagram, Facebook, Snapchat… and don’t forget to… Like and Subscribe.”

Since the backlash, Michael has added a new line into the “About” section of the DaddyOFive YouTube channel. After reiterating that the videos are fake, he writes: “no child was harmed in the making of our videos”. 

Amelia Tait is a technology and digital culture writer at the New Statesman.
