Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

Back-ups are especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
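To check your own accounts against these three steps, here is a small audit script. It is an added example, not part of the original article. It maps where each account's resets go, works out how far a single takeover spreads, and flags reset mailboxes that break step one or two. The account names, the "resets" mailbox and the rule that two-step verification stops a reset-based takeover are all assumptions of the model.

```python
from collections import deque

# Constructed sample data: where each account's password resets are sent and
# whether two-step verification is on. BEFORE mirrors the chain in the article.
BEFORE = {
    "icloud":  {"reset_to": None,     "two_step": False},
    "gmail":   {"reset_to": "icloud", "two_step": False},
    "twitter": {"reset_to": "gmail",  "two_step": False},
}
# AFTER applies the steps: one two-step mailbox, no reset address of its own,
# used only for registrations ("resets" is a hypothetical name for it).
AFTER = {
    "resets":  {"reset_to": None,     "two_step": True},
    "icloud":  {"reset_to": "resets", "two_step": False},
    "gmail":   {"reset_to": "resets", "two_step": True},
    "twitter": {"reset_to": "resets", "two_step": False},
}

def blast_radius(accounts, start):
    """Accounts lost if `start` is taken over, following reset e-mails."""
    dependants = {}  # mailbox -> accounts whose resets land in it
    for name, info in accounts.items():
        if info["reset_to"]:
            dependants.setdefault(info["reset_to"], []).append(name)
    lost, queue = {start}, deque([start])
    while queue:
        for name in dependants.get(queue.popleft(), []):
            # Model assumption: a reset link alone does not get past two-step.
            if name not in lost and not accounts[name]["two_step"]:
                lost.add(name)
                queue.append(name)
    return lost

def audit(accounts):
    """Flag reset mailboxes that break step one or step two."""
    findings = []
    mailboxes = {a["reset_to"] for a in accounts.values() if a["reset_to"]}
    for mailbox in sorted(mailboxes):
        if not accounts[mailbox]["two_step"]:
            findings.append(f"{mailbox}: receives resets but has no two-step")
        if accounts[mailbox]["reset_to"]:
            target = accounts[mailbox]["reset_to"]
            findings.append(f"{mailbox}: can itself be reset via {target}")
    return findings

if __name__ == "__main__":
    for label, accounts in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(blast_radius(accounts, "icloud")), audit(accounts))
```

In the "after" layout, losing iCloud costs only iCloud, but everything without two-step still hangs off the one reset mailbox, which is why that mailbox has to be the best-protected account you own.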

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Forget fake news on Facebook – the real filter bubble is you

If people want to receive all their news from a single feed that reinforces their beliefs, there is little that can be done.

It’s Google that vaunts the absurdly optimistic motto “Don’t be evil”, but there are others of Silicon Valley’s techno-nabobs who have equally high-flown moral agendas. Step forward, Mark Zuckerberg of Facebook, who responded this week to the brouhaha surrounding his social media platform’s influence on the US presidential election thus: “We are all blessed to have the ability to make the world better, and we have the responsibility to do it. Let’s go work even harder.”

To which the only possible response – if you’re me – is: “No we aren’t, no we don’t, and I’m going back to my flowery bed to cultivate my garden of inanition.” I mean, where does this guy get off? It’s estimated that a single message from Facebook caused about 340,000 extra voters to pitch up at the polls for the 2010 US congressional elections – while the tech giant actually performed an “experiment”: showing either positive or negative news stories to hundreds of thousands of their members, and so rendering them happier or sadder.

In the past, Facebook employees curating the site’s “trending news” section were apparently told to squash stories that right-wingers might “like”, but in the run-up to the US election the brakes came off and all sorts of fraudulent clickbait was fed to the denizens of the virtual underworld, much – but not all of it – generated by spurious alt-right “news sites”.

Why? Because Facebook doesn’t view itself as a conventional news provider and has no rubric for fact-checking its news content: it can take up to 13 hours for stories about Hillary Clinton eating babies barbecued for her by Barack Obama to be taken down – and in that time Christ knows how many people will have not only given them credence, but also liked or shared them, so passing on the contagion. The result has been something digital analysts describe as a “filter bubble”, a sort of virtual helmet that drops down over your head and ensures that you receive only the sort of news you’re already fit to be imprinted with. Back in the days when everyone read the print edition of the New York Times this sort of manipulation was, it is argued, quite impossible; after all, the US media historically made a fetish of fact-checking, an editorial process that is pretty much unknown in our own press. Why, I’ve published short stories in American magazines and newspapers and had fact-checkers call me up to confirm the veracity of my flights of fancy. No, really.

In psychology, the process by which any given individual colludes in the creation of a personalised “filter bubble” is known as confirmation bias: we’re more inclined to believe the sort of things that validate what we want to believe – and by extension, surely, these are likely to be the sorts of beliefs we want to share with others. It seems to me that the big social media sites, while perhaps blowing up more and bigger filter bubbles, can scarcely be blamed for the confirmation bias. Nor – as yet – have they wreaked the sort of destruction on the world that has burst from the filter bubble known as “Western civilisation” – one that was blown into being by the New York Times, the BBC and all sorts of highly respected media outlets over many decades.

Societies that are both dominant and in the ascendant always imagine their belief systems and the values they enshrine are the best ones. You have only to switch on the radio and hear our politicians blithering on about how they’re going to get both bloodthirsty sides in the Syrian Civil War to behave like pacifist vegetarians in order to see the confirmation bias hard at work.

The Western belief – which has its roots in imperialism, but has bodied forth in the form of liberal humanism – that all is for the best in the world best described by the New York Times’s fact-checkers, is also a sort of filter bubble, haloing almost all of us in its shiny and translucent truth.

Religion? Obviously a good-news feed that many billions of the credulous rely on entirely. Science? Possibly the biggest filter bubble there is in the universe, and one that – if you believe Stephen Hawking – has been inflating since shortly before the Big Bang. After all, any scientific theory is just that: a series of observable (and potentially repeatable) regularities, a bubble of consistency we wander around in, perfectly at ease despite its obvious vulnerability to those little pricks, the unforeseen and the contingent. Let’s face it, what lies behind most people’s beliefs is not facts, but prejudices, and all this carping about algorithms is really the howling of a liberal elite whose own filter bubble has indeed been popped.

A television producer I know once joked that she was considering pitching a reality show to the networks to be called Daily Mail Hate Island. The conceit was that a group of ordinary Britons would be marooned on a desert island where the only news they’d have of the outside world would come in the form of the Daily Mail; viewers would find themselves riveted by watching these benighted folk descend into the barbarism of bigotry as they absorbed ever more factitious twaddle. But as I pointed out to this media innovator, we’re already marooned on Daily Mail Hate Island: it’s called Britain.

If people want to receive all their news from a single feed that constantly and consistently reinforces their beliefs, what are you going to do about it? The current argument is that Facebook’s algorithms reinforce political polarisation, but does anyone really believe better editing on the site will return our troubled present to some prelapsarian past, let alone carry us forward into a brave new factual future? No, we’re all condemned to collude in the inflation of our own filter bubbles unless we actively seek to challenge every piece of received information, theory, or opinion. And what an exhausting business that would be . . . without the internet.

Will Self is an author and journalist. His books include Umbrella, Shark, The Book of Dave and The Butt. He writes the Madness of Crowds and Real Meals columns for the New Statesman.

This article first appeared in the 24 November 2016 issue of the New Statesman, Blair: out of exile