Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash...

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which might, just, have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

Backups are especially important if you use a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep backups, turn that off.
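The distinction between syncing and backing up is easier to see in code than in prose. The following is an added illustration, not code from the article or from any of the services it names: an in-memory model of a mirror sync (deletions propagate to the copy) next to a snapshot backup with a retention count (older versions survive a deletion, and a wipe, until they age out). File contents, paths, the `keep` setting and the `SnapshotBackup` class are all constructed for the example.

```python
"""Mirror sync versus versioned backup (constructed, in-memory model)."""
import hashlib
from typing import Dict, List, Optional


def mirror_sync(source: Dict[str, bytes]) -> Dict[str, bytes]:
    """A mirror is simply a copy of the current state: additions, changes
    and deletions all propagate. This is what Dropbox/iCloud-style syncing
    gives you, and why it is not a backup."""
    return dict(source)


class SnapshotBackup:
    """Content-addressed snapshots with a retention count.

    Each snapshot is a manifest mapping path -> SHA-256 of the content; blobs
    are stored once per digest. Deleting a file from the source only affects
    snapshots taken afterwards, so earlier versions remain restorable.
    """

    def __init__(self, keep: int = 3):
        self.keep = keep                       # constructed retention policy
        self.blobs: Dict[str, bytes] = {}
        self.snapshots: List[Dict[str, str]] = []

    def snapshot(self, source: Dict[str, bytes]) -> int:
        manifest: Dict[str, str] = {}
        for path, data in source.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs[digest] = data          # identical content stored once
            manifest[path] = digest
        self.snapshots.append(manifest)
        # Retention: keep only the newest `keep` snapshots, then drop blobs
        # that no surviving snapshot references.
        self.snapshots = self.snapshots[-self.keep:]
        live = {d for m in self.snapshots for d in m.values()}
        self.blobs = {d: b for d, b in self.blobs.items() if d in live}
        return len(self.snapshots) - 1

    def find_deleted(self, path: str) -> Optional[bytes]:
        """Most recent retained version of `path`, searching newest-first.
        Returns None once every snapshot that held it has aged out."""
        for manifest in reversed(self.snapshots):
            if path in manifest:
                return self.blobs[manifest[path]]
        return None


def demo() -> dict:
    """Walk through the two failure modes in the text: an accidental delete
    and a remote wipe. Sample 'laptop' contents are constructed."""
    laptop = {"photos/cat.jpg": b"JPEG...cat", "notes.txt": b"draft 1"}
    cloud = mirror_sync(laptop)
    backup = SnapshotBackup(keep=3)
    backup.snapshot(laptop)

    # "Wetware" failure: delete the photo and empty the trash.
    del laptop["photos/cat.jpg"]
    cloud = mirror_sync(laptop)
    backup.snapshot(laptop)
    photo_after_delete = backup.find_deleted("photos/cat.jpg")

    # Remote wipe: the source is emptied entirely, and the mirror follows.
    laptop.clear()
    cloud = mirror_sync(laptop)
    backup.snapshot(laptop)

    return {
        "in_cloud_after_delete": "photos/cat.jpg" in cloud,
        "photo_from_backup": photo_after_delete,
        "notes_after_wipe": backup.find_deleted("notes.txt"),
        "cloud_after_wipe": len(cloud),
    }


if __name__ == "__main__":
    print(demo())
```

The retention count is the part worth thinking about: with `keep=3` the wiped laptop is still fully recoverable, but two more snapshots taken against the empty source would age the last good manifest out. A backup that rotates faster than you notice a loss behaves, in the end, much like a sync.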

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure one possible. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the login. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
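The three steps above amount to an audit of where each account's reset email goes. As an added example (not from the article, and not a tool of any of the services named), the script below models those reset links as a graph and asks the two questions a defender wants answered: if this account is compromised, what else falls with it, and does any account delegate recovery to something less trusted than itself? The account names, the numeric trust scale and the two sample layouts (one modelled on the chain Honan describes, one following the article's three steps) are constructed.

```python
"""Password-reset dependency audit (constructed example)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    trust: int                          # constructed scale: 0 weak .. 3 dedicated 2FA mailbox
    recovers_via: Optional[str] = None  # account whose inbox receives this account's resets
    remote_wipe: bool = False           # compromise also lets the attacker erase devices


def blast_radius(accounts: Dict[str, Account], start: str) -> List[str]:
    """Accounts that fall by chaining password resets once `start` is
    compromised: breadth-first search over the reverse reset edges."""
    reverse: Dict[str, List[str]] = {}
    for acc in accounts.values():
        if acc.recovers_via:
            reverse.setdefault(acc.recovers_via, []).append(acc.name)
    seen, order, queue = {start}, [], deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(reverse.get(cur, [])):   # sorted for a stable report
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def wipe_exposure(accounts: Dict[str, Account], start: str) -> List[str]:
    """Accounts in the blast radius of `start` (including itself) whose
    compromise also allows a remote wipe, i.e. data loss, not just access."""
    return [n for n in [start] + blast_radius(accounts, start)
            if accounts[n].remote_wipe]


def weakest_links(accounts: Dict[str, Account]) -> List[str]:
    """Findings for the two mistakes the text warns about: a reset chain that
    passes through something less trusted than the account itself, and a
    reset cycle (A recovers via B, B recovers via A)."""
    findings: List[str] = []
    for acc in accounts.values():
        chain, cur = [acc.name], acc
        while cur.recovers_via and cur.recovers_via not in chain:
            cur = accounts[cur.recovers_via]
            chain.append(cur.name)
        if cur.recovers_via:           # stopped because the next hop was already visited
            findings.append("reset cycle: " + " -> ".join(chain + [cur.recovers_via]))
        weakest = min((accounts[n] for n in chain[1:]),
                      key=lambda a: a.trust, default=None)
        if weakest is not None and weakest.trust < acc.trust:
            findings.append(f"{acc.name} (trust {acc.trust}) can be reset via "
                            f"{weakest.name} (trust {weakest.trust})")
    return findings


def honan_setup() -> Dict[str, Account]:
    """Constructed model of the chain in the article: iCloud resets were
    granted by phone support, Gmail's backup address was the iCloud/.mac
    address, and Twitter resets went to Gmail."""
    accts = [
        Account("icloud", trust=1, remote_wipe=True),
        Account("gmail", trust=2, recovers_via="icloud"),
        Account("twitter", trust=1, recovers_via="gmail"),
    ]
    return {a.name: a for a in accts}


def hardened_setup() -> Dict[str, Account]:
    """The three steps applied: a dedicated two-step-verified mailbox
    ('vault') receives every reset, has no reset address of its own, and is
    used for nothing else."""
    accts = [
        Account("vault", trust=3),
        Account("icloud", trust=1, recovers_via="vault", remote_wipe=True),
        Account("gmail", trust=2, recovers_via="vault"),
        Account("twitter", trust=1, recovers_via="gmail"),
    ]
    return {a.name: a for a in accts}


if __name__ == "__main__":
    for label, setup in (("before", honan_setup()), ("after", hardened_setup())):
        print(label, "icloud ->", blast_radius(setup, "icloud"), weakest_links(setup))
```

In the "before" layout the audit reports that Gmail can be reset through the less trusted iCloud address, and a compromise of iCloud reaches Gmail and then Twitter. In the "after" layout no account delegates downwards and an iCloud compromise reaches nothing else; the price is that the vault mailbox is now the root of everything, which is exactly why step three keeps it out of circulation.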

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Age verification rules won't just affect porn sites – they'll harm our ability to discuss sex

Relying on censorship to avoid talking about sex lets children down.

The British have a long history of censoring sex. In 1580, politician William Lambarde drafted the first bill to ban "licentious" and "hurtful... books, pamphlets, ditties, songs, and other works that promote the art of lascivious ungodly love". Last week, the UK government decided to have another crack at censorship, formally announcing that age verification for all online pornographic content will be mandatory from April 2018.

It is unclear at this point what this mandatory check will entail, but it's expected that you will need to submit your credit card details to a site before being allowed to access adult content (credit cards can’t be issued to under-18s).

The appointed regulator will almost certainly be the British Board of Film Classification who will have the authority to levy fines of up to £250,000 or shut down sites that do not comply. These measures are being directly linked to research conducted by the NSPCC, the Children’s Commissioner and the University of Middlesex in 2016, which surveyed more than 1,000 11 to 16-year-olds about viewing online pornography and found over half had accessed it. 

Digital minister Matt Hancock said age verification "means that while we can enjoy the freedom of the web, the UK will have the most robust internet child protection measures of any country in the world". And who can argue with that? No sane adult would think that it’s a good idea for children to watch hardcore pornography. And because we all agree kids should be watching Peppa Pig rather than The Poonies, the act has been waved through virtually unchallenged.

So, let’s put the issue of hardcore pornography to one side, because surely we are all in agreement. I’m asking you to look at the bigger picture. It’s not just children who will be censored and it’s not just Pornhub and Redtube which will be forced to age check UK viewers. This act will potentially censor any UK site that carries adult content, which is broadly defined by the BBFC as "that it was produced solely or principally for the purposes of sexual arousal".

I am a UK academic and research the history of sexuality. I curate the online research project www.thewhoresofyore.com, where academics, activists, artists and sex workers contribute articles on all aspects of sexuality in the hope of joining up conversations around sex that affect everyone. The site also archives many historical images; from the erotic brothel frescoes of Pompeii to early Victorian daguerreotypes of couples having sex. And yet, I do not consider myself to be a porn baron. These are fascinating and important historical documents that can teach us a great deal about our own attitudes to sex and beauty.

The site clearly signposts the content and asks viewers to click to confirm they are over 18, but under the Digital Economy Act this will not be enough. Although the site is not for profit and educational in purpose, some of the historical artefacts fit the definition of "pornographic" and are thereby liable to fall foul of the new laws.

And I’m not the only one; erotic artists, photographers, nude models, writers, sex shops, sex education sites, burlesque sites, BDSM sites, archivists of vintage erotica, and (of course) anyone in the adult industry who markets their business with a website, can all be termed pornographic and forced to buy expensive software to screen their users or risk being shut down or fined. I have contacted the BBFC to ask if my research will be criminalised and blocked, but was told "work in this area has not yet begun and so we are not in a position to advice [sic] you on your website". No one is able to tell me what software will need to be purchased if I am to collect viewers' credit card details, how I would keep them safe, or how much this would all cost. The BBFC suggested I contact my MP for further details. But, she doesn’t know either.

Before we even get into the ethical issues around adults having to enter their credit card details into a government database in order to look at legal content, we need to ask: will this work? Will blocking research projects like mine make children any safer? Well, no. The laws will have no power over social media sites such as Twitter, Snapchat and Periscope which allow users to share pornographic images. Messenger apps will still allow users to sext, as well as stream, send and receive pornographic images and videos. Any tech-savvy teenager knows that Virtual Private Network (VPN) software will circumvent UK age verification restrictions, and the less tech-savvy can always steal their parents' credit card details.

The proposed censorship is unworkable and many sites containing nudity will be caught in the crossfire. If we want to keep our children "safe" from online pornography, we need to do something we British aren’t very good at doing; we need to talk openly and honestly about sex and porn. This is a conversation I hope projects like mine can help facilitate. Last year, Pornhub (the biggest porn site in the world) revealed ten years of user data. In 2016, Brits visited Pornhub over 111 million times and 20 per cent of those UK viewers are women. We are watching porn and we need to be open about this. We need to talk to each other and we need to talk to our kids. If you’re relying on government censorship to get you out of that tricky conversation, you are letting your children down.

The NSPCC report into children watching online pornography directly asked the participants about the effectiveness of age verification, and said the children "pointed out its limitations". When asked what intervention would most benefit them, this was the overwhelming response: "Whether provided in the classroom, or digitally, young people wanted to be able to find out about sex and relationships and about pornography in ways that were safe, private and credible." I suggest we listen to the very people we are trying to protect and educate, rather than eliminate. 

Dr Kate Lister researches the history of sexuality at Leeds Trinity University