Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
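The steps above can be checked against a list of your own accounts. The following is an added example, not part of the original article: it records which mailbox each account's reset email goes to, computes what is lost when one account falls, and flags reset mailboxes that break steps one and two. The inventory is constructed, and the link from Twitter to Gmail is an assumption of the example.

```python
from collections import deque

# Constructed inventory, loosely following the chain in the quoted timeline.
# "resets_to" lists the accounts (mailboxes) that receive this account's
# password-reset email; the twitter -> gmail link is an assumption.
ACCOUNTS = {
    "icloud":  {"resets_to": [],         "two_step": False},
    "gmail":   {"resets_to": ["icloud"], "two_step": False},
    "twitter": {"resets_to": ["gmail"],  "two_step": False},
}

def blast_radius(accounts, compromised):
    """Return every account reachable through reset emails once
    `compromised` is under someone else's control."""
    # Invert the graph: mailbox -> accounts whose resets land in it.
    resettable_from = {name: [] for name in accounts}
    for name, info in accounts.items():
        for mailbox in info["resets_to"]:
            resettable_from[mailbox].append(name)
    lost, queue = {compromised}, deque([compromised])
    while queue:
        for victim in resettable_from[queue.popleft()]:
            if victim not in lost:
                lost.add(victim)
                queue.append(victim)
    return lost

def audit(accounts):
    """Flag reset mailboxes that violate step one or step two."""
    findings = []
    mailboxes = {m for info in accounts.values() for m in info["resets_to"]}
    for mailbox in sorted(mailboxes):
        info = accounts[mailbox]
        if not info["two_step"]:
            findings.append(f"{mailbox}: receives resets without two-step verification")
        if info["resets_to"]:
            findings.append(f"{mailbox}: can itself be reset via {', '.join(info['resets_to'])}")
    return findings

def harden(accounts, reset_mailbox):
    """Return a copy with two-step on and no recovery address for `reset_mailbox`."""
    fixed = {name: dict(info) for name, info in accounts.items()}
    fixed[reset_mailbox].update(two_step=True, resets_to=[])
    return fixed
```

Running `audit` before and after `harden(ACCOUNTS, "gmail")` shows the findings disappear and the blast radius of a lost iCloud account shrink to that account alone.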

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

Artie Limmer/Texas Tech University

Meet the evangelical Christian persuading believers that climate change is real

Katharine Hayhoe's Canadian missionary parents told her science and God were compatible. Then she moved to Texas. 

During Donald Trump’s presidential campaign, alarm rose with each mention of climate change. Denial, dismissal and repeated chants of “hoax” left no doubt as to his position.

Now President Trump’s withdrawal from the Paris Agreement has been seen as a seminal moment in the fight against climate change - one which many fear could lose the battle ahead of humanity.

But one scientist has been fighting a war of her own on the ground, against those who typically doubt the facts about global warming more than most - the evangelical Christian population of America.

And to make matters even more unusual, Katharine Hayhoe herself is an evangelical Christian who lives in the indisputably "bible belt" of Lubbock, Texas.

The atmospheric scientist has been named one of Time magazine's 100 most influential people and one of Politico’s 50 thinkers transforming American politics. Now she is using her considerable heft to speak to those who are hardest to convince that there is a manmade problem that threatens the Earth’s future.

I meet her at the science and music festival Starmus in Trondheim, Norway, where she is to address the attendees on Thursday in a talk entitled "Climate Change: Facts and Fictions".

Hayhoe was born in Canada, to missionary parents. Her father, a former science educator, showed her that there was no conflict between the ideas of God and science. However, it was something of a surprise to her when she discovered her pastor husband, whom she married in 2000, did not feel the same about climate change. It took her two years to convince him.

What started as a conversation became an organised project when she moved to America's South in the mid 2000s. 

“Moving to Lubbock was a culture shock," she tells me. "When I moved there I wasn’t doing much outreach, but it moved me in that direction.

“Lubbock is very conservative. It’s small and isolated.

“I would say the majority of people in Lubbock are either dismissive or doubtful about climate change. I was surrounded by people - neighbours, parents of friends, people at church, colleagues down the hall in the university - who weren’t convinced.”

So Hayhoe, who works as an associate professor and director of the Climate Science Centre at Texas Tech University, set to work. She began to collect the responses she was seeing to the climate change discussion and prepare her counter-argument.

“When I talk to people who are doubtful, I try to connect with the values they already have," she says. “The greatest myth is the myth of complacency - that ‘it doesn’t really matter to me’.

"But I would say that the second most insidious myth is that you only care about this issue if you’re a certain type of person. If you’re a green person, or a liberal person, or a granola person."

The stereotypes mean that people outside that demographic feel "I can't be that kind of person because that's not who I am", as she puts it.

Hayhoe convinced her husband using data, but rather than repeating a formula, she tries to find out what will resonate with different people: "For many groups, faith is a core value that people share.”

Whether she’s speaking to city planners, water company managers, school kids or Bible believers, Hayhoe says her hook is not the facts, but the feelings.

“I recently talked to arborists," she says. "For them, trees and plants are important, so I connect with them on that, and say ‘because we care about trees, or because we care about water or what the Bible says then let me share with you from the heart why I care about these issues because it affects something that you already care about’.

“My angle is to show people that they don’t need to be a different person at all - exactly who they already are is the kind of person who can care about climate change.”

Hayhoe came to public attention in the United States after appearing in a Showtime series on climate change. She has appeared on panels with Barack Obama and Leonardo DiCaprio, and launched a web series. As well as plaudits, this level of fame has also earned her daily threats and online abuse. 

“My critics think they’re coming from a position of religion, but they aren’t," she says. "They’re actually coming from a very specific political ideology which believes that the government should not have control over people’s lives in any way shape or form - very libertarian, free market, free economy, Tea Party."

She believes that in the United States, faith and politics have been conflated to the point "people can no longer tell the difference". 

“Now it’s conservatism that informs religion," she elaborates. "If the two are in conflict - like the Bible says God has given us responsibility over everything on this earth - then people say ‘oh, we can’t affect something as big as this Earth, God will take care of it anyway’."

Around half of those who attack her on social media identify themselves as Christians, she notes, but almost all call themselves conservatives. 

As a scientist, she’s been preparing data herself - naturally - on her online attackers, with depressingly familiar results.

“As soon as you stick your head out of the trench, you get it. There have been papers published showing that white men disproportionately form up that small group of dismissives. They’re almost all men. When I track my social media comments, I would say that 99.5 per cent of them are white men.

“Out of 1,000 negative comments, I have maybe five from women.”

After the climate change argument moved up a gear - following the Paris withdrawal - Hayhoe admits that she and her fellow scientists are concerned, although she pays tribute to the businesses, cities and states from the US that have committed to following the Paris agreement themselves.

On the subject of the chief white male denier, Trump himself, Hayhoe says she has a discussion point which she feels may convince him to think carefully about his role in the fight against global warming’s impact on humanity.

“I would attempt to connect with the values that he has and show him how acting on this would be in his best interests," she says.

“One guess would be ‘what do you want your legacy to be? What do you want to be known as, the man who destroyed the world, or the man who saved it?’”

Katharine Hayhoe is speaking at Starmus on Thursday June 22. For more details, visit Starmus.

Kirstie McCrum is a freelance journalist. Follow her @kirstiemccrum.
