Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world: not just email and Twitter, but phone calls and text messages too.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which might – just – have improved the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a sync service which deletes the copy when you delete the original, that's not a huge help. And even worse, many of them will delete the original if you delete the copy.

Keeping back-ups is especially important if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with either the password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure one possible. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset its password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
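The three steps above, together with the remote-wipe advice in the back-ups section, amount to rules about which account can reset which. The following is an added example (not from the article, and every account in it is constructed) that models that recovery graph and checks it against those rules: it computes how far an attacker gets from one compromised inbox, and flags reset loops, two-step accounts that reset via a weaker address, unprotected roots, and remote wipe without a back-up.

```python
# Added example, not from the article: audit a constructed account-recovery graph
# for the reset chain that took down Honan's accounts.
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    two_step: bool = False                          # new-device login needs a code
    reset_via: list = field(default_factory=list)   # inboxes that can reset this password
    remote_wipe: bool = False                       # account can erase devices
    backed_up: bool = True                          # independent backup of wipeable data

def blast_radius(accounts, start):
    """Accounts an attacker holds after taking over `start`, following reset links."""
    owned, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for acct in accounts.values():
            if cur in acct.reset_via and acct.name not in owned:
                owned.add(acct.name)
                frontier.append(acct.name)
    return owned

def find_weak_links(accounts):
    """Checks matching the article's advice: secure root, no downgrade, no loops, backups."""
    findings = []
    for acct in accounts.values():
        if not acct.reset_via and not acct.two_step:
            findings.append(f"{acct.name}: root of a reset chain without two-step")
        for via in acct.reset_via:
            if acct.two_step and not accounts[via].two_step:
                findings.append(f"{acct.name}: two-step on, but resets via {via} without it")
            if via in blast_radius(accounts, acct.name):
                findings.append(f"{acct.name}: reset loop with {via}")
        if acct.remote_wipe and not acct.backed_up:
            findings.append(f"{acct.name}: remote wipe enabled with no independent backup")
    return findings

# Constructed graph mirroring the story: Gmail's backup address is the iCloud inbox.
HONAN_STYLE = {a.name: a for a in [
    Account("icloud", remote_wipe=True, backed_up=False),
    Account("gmail", reset_via=["icloud"]),
    Account("twitter", reset_via=["gmail"]),
]}
# After steps one to three: a two-step address used only for registrations; nothing resets it.
HARDENED = {a.name: a for a in [
    Account("recovery", two_step=True),
    Account("icloud", two_step=True, remote_wipe=True, reset_via=["recovery"]),
    Account("gmail", two_step=True, reset_via=["recovery"]),
    Account("twitter", reset_via=["recovery"]),
]}
```

In the hardened graph the recovery inbox still reaches everything, as it must; the difference is that nothing resets it and it needs a second factor, so the chain has no weak root.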

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon's and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but it didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


“Stinking Googles should be killed”: why 4chan is using a search engine as a racist slur

Users of the anonymous forum are targeting Google after the company introduced a programme for censoring abusive language.

Contains examples of racist language and memes.

“You were born a Google, and you are going to die a Google.”

Despite the lack of obscenity and profanity in this sentence, you have probably realised it was intended to be offensive. It is just one of hundreds of similar messages posted by the users of 4chan’s Pol board – an anonymous forum where people go to be politically incorrect. But they haven’t suddenly seen the error of their ways about using the n-word to demean their fellow human beings – instead they are trying to make the word “Google” itself become a racist slur.

In an undertaking known as “Operation Google”, some 4chan users are resisting Google’s latest artificial intelligence program, Conversation AI, by swapping smears for the names of Google products. Conversation AI aims to spot and flag offensive language online, with the eventual possibility that it could automatically delete abusive comments. The famously outspoken forum 4chan, and the similar website 8chan, didn’t like this, and began their campaign which sees them refer to “Jews” as “Skypes”, Muslims as “Skittles”, and black people as “Googles”.

If it weren’t for the utterly abhorrent racism – which includes users conflating Google’s chat tool “Hangouts” with pictures of lynched African-Americans – it would be a genius idea. The group aims to force Google to censor its own name, making its AI redundant. Yet some have acknowledged this might not ultimately work – as the AI will be able to use contextual clues to filter out when “Google” is used positively or pejoratively – and their ultimate aim is now simply to make “Google” a racist slur as revenge.


Posters from 4chan

“If you're posting anything on social media, just casually replace n****rs/blacks with googles. Act as if it's already a thing,” wrote one anonymous user. “Ignore the company, just focus on the word. Casually is the important word here – don't force it. In a month or two, Google will find themselves running a company which is effectively called ‘n****r’. And their entire brand is built on that name, so they can't just change it.”

There is no doubt that Conversation AI is questionable to anyone who values free speech. Although most people desire a nicer internet, it is hard to agree that this should be achieved by blocking out large swathes of people, and putting the power to do so in the hands of one company. Additionally, algorithms can’t yet accurately detect sarcasm and humour, so false-positives are highly likely when a bot tries to identify whether something is offensive. Indeed, Wired journalist Andy Greenberg tested Conversation AI out and discovered it gave “I shit you not” 98 out of 100 on its personal attack scale.

Yet these 4chan users have made it impossible to agree with their fight against Google by combining it with their racism. Google scores the word “moron” 99 out of 100 on its offensiveness scale. Had protestors decided to replace this – or possibly even more offensive words like “bitch” or “motherfucker” – with “Google”, pretty much everyone would be on board.

Some 4chan users are aware of this – and indeed it is important not to consider the site a unanimous entity. “You're just making yourselves look like idiots and ruining any legitimate effort to actually do this properly,” wrote one user, while some discussed their concerns that “normies” – i.e. normal people – would never join in. Other 4chan users are against Operation Google as they see it as self-censorship, or simply just stupid.


Memes from 4chan

But anyone who disregards these efforts as the work of morons (or should that be Bings?) clearly does not understand the power of 4chan. The site brought down Microsoft’s AI Tay in a single day, brought the Unicode swastika (卐) to the top of Google’s trends list in 2008, hacked Sarah Palin’s email account, and leaked a large number of celebrity nudes in 2014. If the Ten Commandments were rewritten for the modern age and Moses took to Mount Sinai to wave two 16GB Tablets in the air, then the number one rule would be short and sweet: Thou shalt not mess with 4chan.

It is unclear yet how Google will respond to the attack, and whether this will ultimately affect the AI. Yet despite what ten years of Disney conditioning taught us as children, the world isn’t split into goodies and baddies. While 4chan’s methods are deplorable, their aim of questioning whether one company should have the power to censor the internet is not.

Google also hit headlines this week for its new “YouTube Heroes” program, a system that sees YouTube users rewarded with points when they flag offensive videos. It’s not hard to see how this kind of crowdsourced censorship is undesirable, particularly again as the chance for things to be incorrectly flagged is huge. A few weeks ago, popular YouTubers also hit back at censorship that saw them lose their advertising money from the site, leading #YouTubeIsOverParty to trend on Twitter. Perhaps ultimately, 4chan didn't need to go on a campaign to damage Google's name. It might already have been doing a good enough job of that itself.

Google has been contacted for comment.

Amelia Tait is a technology and digital culture writer at the New Statesman.