Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world: not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
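The reset chain behind these three steps can be audited as a graph of which account is able to reset which. The sketch below is an added example, not part of the original article: it compares how far one compromised account spreads before and after the steps are applied. The account names, the dedicated registration mailbox and the Twitter-to-Gmail link are assumptions; the Gmail-to-iCloud link follows Honan's account.

```python
from collections import deque

# Constructed model: account -> accounts/addresses able to reset its password.
# "gmail" <- "icloud" follows the article; the "twitter" link is an assumption.
BEFORE = {
    "icloud": [],
    "gmail": ["icloud"],
    "twitter": ["gmail"],
    "remote_wipe": ["icloud"],
}
# Layout after steps one to three: a dedicated registration mailbox
# (hypothetical name) with two-step verification and no reset address.
AFTER = {
    "registration_mail": [],
    "icloud": ["registration_mail"],
    "gmail": ["registration_mail"],
    "twitter": ["registration_mail"],
    "remote_wipe": ["icloud"],
}

def blast_radius(recovery, compromised):
    """Every account an intruder reaches by chaining password resets."""
    controls = {}  # inverted map: account -> accounts it can reset
    for account, resetters in recovery.items():
        for resetter in resetters:
            controls.setdefault(resetter, set()).add(account)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in controls.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def entry_points(recovery, target):
    """Accounts whose compromise eventually hands over `target`."""
    return {a for a in recovery if target in blast_radius(recovery, a)}

def audit(recovery):
    """(account, number of accounts lost with it), worst first."""
    rows = [(a, len(blast_radius(recovery, a))) for a in recovery]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for name, layout in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(layout))
    # Step two holds when the registration mailbox is its own only entry point.
    print(entry_points(AFTER, "registration_mail"))
```

In the "after" layout the registration mailbox is still the account whose loss costs the most, which is why step one puts the strongest protection there; remote wipe still hangs off iCloud in both layouts, so the back-up advice above applies regardless.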

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

ILONA WELLMANN/MILLENNIUM IMAGES, UK

How the internet has democratised pornography

With people now free to circumvent the big studios, different bodies, tastes and even pubic hair styles are being represented online.

Our opinions and tastes are influenced by the media we consume: that much is obvious. But although it’s easy to have that conversation if the medium we are discussing is “safe for work”, pornography carries so much stigma that we only engage with it on simple terms. Porn is either “good” or “bad”: a magical tool for ­empowerment or a destructive influence on society. Many “pro-porn” campaigners shy away from nuanced critique, fearing it could lead to censorship. “Anti-porn” campaigners, convinced that porn is harmful by definition, need look no further than the mainstream tube sites – essentially, aggregators of clips from elsewhere – to gather examples that will back them up.

When we talk about the influence of porn, the emphasis is usually on a particular type of video – hardcore sex scenes featuring mostly slim, pubic-hairless women and faceless men: porn made for men about women. This kind of porn is credited with everything from the pornification of pop music to changing what we actually do in bed. Last year the UK government released a policy note that suggested porn was responsible for a rise in the number of young people trying anal sex. Although the original researcher, Cicely Marston, pointed out that there was no clear link between the two, the note prompted a broad debate about the impact of porn. But in doing so, we have already lost – by accepting a definition of “porn” shaped less by our desires than by the dominant players in the industry.

On the day you read this, one single site, PornHub, will get somewhere between four and five million visits from within the UK. Millions more will visit YouPorn, Tube8, Redtube or similar sites. It’s clear that they’re influential. Perhaps less clear is that they are not unbiased aggregators: they don’t just reflect our tastes, they shape what we think and how we live. We can see this even in simple editorial decisions such as categorisation: PornHub offers 14 categories by default, including anal, threesome and milf (“mum I’d like to f***”), and then “For Women” as a separate category. So standard is it for mainstream sites to assume their audience is straight and male that “point of view” porn has become synonymous with “top-down view of a man getting a blow job”. Tropes that have entered everyday life – such as shaved pubic hair – abound here.

Alongside categories and tags, tube sites also decide what you see at the top of their results and on the home page. Hence the videos you see at the top tend towards escalation to get clicks: biggest gang bang ever. Dirtiest slut. Horniest milf. To find porn that doesn’t fit this mould you must go out of your way to search for it. Few people do, of course, so the clickbait gets promoted more frequently, and this in turn shapes what we click on next time. Is it any wonder we’ve ended up with such a narrow definition of porn? In reality, the front page of PornHub reflects our desires about as accurately as the Daily Mail “sidebar of shame” reflects Kim Kardashian.

Perhaps what we need is more competition? All the sites I have mentioned are owned by the same company – MindGeek. Besides porn tube sites, MindGeek has a stake in other adult websites and production companies: Brazzers, Digital Playground, Twistys, PornMD and many more. Even tube sites not owned by MindGeek, such as Xhamster, usually follow the same model: lots of free content, plus algorithms that chase page views aggressively, so tending towards hardcore clickbait.

Because porn is increasingly defined by these sites, steps taken to tackle its spread often end up doing the opposite of what was intended. For instance, the British government’s Digital Economy Bill aims to reduce the influence of porn on young people by forcing porn sites to age-verify users, but will in fact hand more power to large companies. The big players have the resources to implement age verification easily, and even to use legislation as a way to expand further into the market. MindGeek is already developing age-verification software that can be licensed to other websites; so it’s likely that, when the bill’s rules come in, small porn producers will either go out of business or be compelled to license software from the big players.

There are glimmers of hope for the ethical porn consumer. Tube sites may dominate search results, but the internet has also helped revolutionise porn production. Aspiring producers and performers no longer need a contract with a studio – all that’s required is a camera and a platform to distribute their work. That platform might be their own website, a dedicated cam site, or even something as simple as Snapchat.

This democratisation of porn has had positive effects. There’s more diversity of body shape, sexual taste and even pubic hair style on a cam site than on the home page of PornHub. Pleasure takes a more central role, too: one of the most popular “games” on the webcam site Chaturbate is for performers to hook up sex toys to the website, with users paying to try to give them an orgasm. Crucially, without a studio, performers can set their own boundaries.

Kelly Pierce, a performer who now works mostly on cam, told me that one of the main benefits of working independently is a sense of security. “As long as you put time in you know you are going to make money doing it,” she said. “You don’t spend your time searching for shoots, but actually working towards monetary gain.” She also has more freedom in her work: “You have nobody to answer to but yourself, and obviously your fans. Sometimes politics comes into play when you work for others than yourself.”

Cam sites are also big business, and the next logical step in the trickle-down of power is for performers to have their own distribution platforms. Unfortunately, no matter how well-meaning your indie porn project, the “Adult” label makes it most likely you’ll fail. Mainstream payment providers won’t work with adult businesses, and specialist providers take a huge cut of revenue. Major ad networks avoid porn, so the only advertising option is to sign up to an “adult” network, which is probably owned by a large porn company and will fill your site with bouncing-boob gifs and hot milfs “in your area”: exactly the kind of thing you’re trying to fight against. Those who are trying to take on the might of Big Porn need not just to change what we watch, but challenge what we think porn is, too.

The internet has given the porn industry a huge boost – cheaper production and distribution, the potential for more variety, and an influence that it would be ridiculous to ignore. But in our failure properly to analyse the industry, we are accepting a definition of porn that has been handed to us by the dominant players in the market.

Girl on the Net writes one of the UK’s most popular sex blogs: girlonthenet.com

This article first appeared in the 16 February 2017 issue of the New Statesman, The New Times