Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have improved the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with either the password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure one possible. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
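The three steps above can be checked mechanically against an inventory of your own accounts. The following Python script is added here as an illustration and is not from the article: it records, for each account, which inbox its password resets land in, computes how far a single compromise spreads along those pointers, and flags reset inboxes that break the steps. The account names and both inventories are constructed; the first mirrors the iCloud to Gmail to Twitter chain the article describes, the second the same accounts after the three steps are applied.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    reset_via: str | None = None  # account whose inbox receives this one's reset links
    two_step: bool = False        # new logins need a code from a phone or app

def blast_radius(accounts: dict[str, Account], compromised: str) -> set[str]:
    """Accounts an attacker holding `compromised` can reset into, transitively."""
    fallen = {compromised}
    changed = True
    while changed:
        changed = False
        for acct in accounts.values():
            if acct.name not in fallen and acct.reset_via in fallen:
                fallen.add(acct.name)
                changed = True
    return fallen

def audit(accounts: dict[str, Account]) -> list[str]:
    """Flag violations of the three steps: a reset inbox without two-step
    verification, a reset inbox that can itself be reset, and looping chains."""
    findings = []
    for name in sorted({a.reset_via for a in accounts.values() if a.reset_via}):
        tgt = accounts.get(name)
        if tgt is None:
            findings.append(f"{name}: receives resets but is not in the inventory")
            continue
        if not tgt.two_step:
            findings.append(f"{name}: receives resets but has no two-step verification")
        if tgt.reset_via:
            findings.append(f"{name}: receives resets yet can itself be reset via {tgt.reset_via}")
    for start in accounts:  # follow each chain; landing back on the start is a loop
        seen, cur = set(), accounts[start].reset_via
        while cur and cur != start and cur not in seen:
            seen.add(cur)
            cur = accounts[cur].reset_via if cur in accounts else None
        if cur == start:
            findings.append(f"{start}: reset chain loops back to itself")
    return findings

# Constructed inventory mirroring the chain in the article: iCloud -> Gmail -> Twitter.
HONAN = {a.name: a for a in [Account("icloud"), Account("gmail", reset_via="icloud"),
                             Account("twitter", reset_via="gmail")]}
# Same accounts after steps one to three: a two-step Gmail with no reset pointer is the only reset inbox.
HARDENED = {a.name: a for a in [Account("gmail", two_step=True), Account("icloud", reset_via="gmail"),
                                Account("twitter", reset_via="gmail")]}
```

Running `blast_radius(HONAN, "icloud")` shows the whole chain falling from one support-desk reset, while the hardened inventory confines the same compromise to iCloud alone.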

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.
