Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash...

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on) and most of his ways of communicating with the outside world: not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and it presents a worrying picture of security at Apple. The initial breach, of Honan's iCloud account, was carried out by someone who convinced Apple support to reset the password without knowing the original password or the answers to any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and was never leaked or cracked. Yet he still lost everything. But there are two things which might, just, have improved the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse two separate services: backup and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). A backup service which deletes the backup when you delete the original is not a huge help, because a sync service replicates your mistakes as faithfully as your data. Even worse, many of them will delete the original if you delete the backup.

A real backup is especially important if you use a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's worth making sure you have a plan in case you, or someone else, hits that switch. If you don't keep backups, turn that feature off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with either the password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure one possible. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if its password can be reset by a request from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secret, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
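The reset chain the three steps are about can be audited mechanically. Below is an added example (not from the article) that models which account can reset which as a graph, using account names constructed to mirror the incident, and checks the "before" layout against the "after" one:

```python
from collections import deque

# Constructed sample modelled on the chain the article describes: each value
# lists who can trigger a password reset for that account (a recovery
# address, or "apple_support" for the phone-support reset).
BEFORE = {
    "apple_support": [],
    "icloud": ["apple_support"],   # support reset it with no password
    "gmail": ["icloud"],           # backup address was the .mac address
    "twitter": ["gmail"],
    "amazon": ["gmail"],
}
# Same accounts after the article's steps: the two-step Gmail account is the
# reset anchor and has no recovery address of its own.
AFTER = {
    "apple_support": [],
    "icloud": ["apple_support"],
    "gmail": [],
    "twitter": ["gmail"],
    "amazon": ["gmail"],
}

def can_reset(graph):
    """Invert the map: account -> set of accounts whose password it can reset."""
    out = {acct: set() for acct in graph}
    for acct, resetters in graph.items():
        for r in resetters:
            out[r].add(acct)
    return out

def blast_radius(graph, start):
    """Every account that falls, transitively, once `start` is compromised."""
    edges = can_reset(graph)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def audit(graph, root):
    """Check the article's rules for `root`, the account resets are sent to:
    nothing may reset it, and nothing it can reset may reach back to it."""
    problems = []
    if graph[root]:
        problems.append(f"{root} can itself be reset from {sorted(graph[root])}")
    for acct in sorted(blast_radius(graph, root)):
        if root in blast_radius(graph, acct):
            problems.append(f"reset loop between {root} and {acct}")
    return problems
```

In the "before" layout a single support-desk reset reaches every account; in the "after" layout it stops at iCloud, and the audit of the Gmail anchor comes back clean.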

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud account. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon's and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to limit the damage that would follow if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

Yu Ji/University of Cambridge NanoPhotonics

Nanoengine evolution: researchers have built the world’s smallest machine

The engine could form the basis of futuristic tiny robots with real-world applications.

Richard P Feynman, winner of the Nobel Prize in Physics in 1965, once remarked in a now-seminal lecture that a time would come when we would "swallow the doctor". What he meant, of course, was the realisation of a science-fiction dream – not one in which a universal cure-all drug would be available, but one in which society would flourish through the use of tiny devices, or more specifically, nanotechnology.

First, a quick primer on the field is necessary. Nanoscience involves the study and application of technologies at an extremely small scale. How small, you ask? Given that one nanometre is a billionth of a metre, the scale of work taking place in the field is atomic in nature, far beyond the observational powers of the naked human eye.

Techno-optimists have long promoted potential uses of nano-sized objects, promising increases in efficiency and capabilities of processes across the board as a result. The quintessential “swallow the doctor” example is one which suggests that the fully-realised potential of nanotechnology could be applied to medicine. The idea is that nanobots could circulate our bodily systems in order to reverse-engineer the vast array of health problems that threaten us.

It’s natural to be sceptical of such wild aspirations from a relatively young field of study (nanoscience unofficially began in 1959 following Feynman’s lecture “There’s Plenty of Room at the Bottom”), but associated research seems to be gaining widespread endorsement among prominent scientists and enthusiasts. Ray Kurzweil, Director of Engineering at Google, thinks a booming nanotechnology industry is crucial in the creation of a technological singularity, while futurist and viral video philosopher Jason Silva believes the technology will help us cure ageing.

The high-profile intrigue surrounding nanotechnology means that word of any significant developments is certain to stimulate heightened interest – which is why researchers’ achievement in building the world’s tiniest engine this month is so significant.

Reporting their results in the journal Proceedings of the National Academy of Sciences, the University of Cambridge researchers explained how the nanoengine was formed and why it represented a key step forward in the transition of the technology from theory to practice.

The prototype nanoengine is essentially composed of charged gold particles bound together by a gel of temperature-responsive polymers. The device is then heated by a laser, which causes it to expel all the water from the polymer gel. The consequence is that the gold particles collapse into a tight, amalgamated cluster. Following a period of cooling, the polymer begins to reabsorb the water molecules it lost during heating, resulting in a spring-like expansion that pushes the gold particles apart from their clustered state.

"It's like an explosion," said Dr Tao Ding from Cambridge's Cavendish Laboratory. "We have hundreds of gold balls flying apart in a millionth of a second when water molecules inflate the polymers around them."

The process takes advantage of Van der Waals forces – the attraction between atoms and molecules. The energy from these forces is stored as elastic energy in the polymer, which is then rapidly released. "The whole process is like a nano-spring," said Professor Jeremy Baumberg, who led the research.

Scientists have been working tirelessly towards the creation of a functional nanomachine – one which can swim through water, gauge its surroundings and communicate. Before this research, generating powerful forces at the nanometre scale was difficult. These newly devised engines, however, generate forces far larger than any previously produced.

They have been named “ANTs”, or actuating nano-transducers. "Like real ants, they produce large forces for their weight. The challenge we now face is how to control that force for nano-machinery applications," said Baumberg.

In an email exchange with New Statesman about the short-term and long-term goals in bringing this engine closer to a practical reality, Baumberg said: “It allows us for the first time, the prospect of making nano-machines and nanobots. The earliest stage applications we can see are to make pumps and valves in microfluidic systems. Microfluidic chips are really interesting for synthesising pharmaceuticals, biomedical sensing and separation, as well as many other biochemical processes.

“But all pumps and valves currently need to be made with hydraulics, so you need a pipe onto the chip for each one, limiting strongly the complexity of anything you do with them. We believe we can now make pumps and valves from the ANTs which are each controlled by a beam of light, and we can have thousands on a single chip. Beyond this, we are looking at making tiny nanomachines that can walk around, controlled by beams of light.”

The embedding of nanobots into all facets of culture is still a long way off, and researchers will need to find a way of harnessing the energy of nanoengines. However, the prospect of one day seeing nanorobotics come to fruition is worth all the patience you can muster. The tiniest robot revolution has just begun.