Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world: not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

Back-ups are especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
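The reset chain above can be checked mechanically. The following is an added example, not part of the original article: it models which mailbox receives each account's reset mail, computes what falls when one account is taken, and audits the reset address against steps one and two. The account inventories are constructed, and the Twitter-to-Gmail link is an assumption.

```python
from collections import deque

def blast_radius(recovery, compromised):
    """Accounts an intruder holds after taking `compromised`, by requesting
    password resets that are delivered to mailboxes already under control."""
    resets_into = {}  # mailbox -> accounts whose reset mail lands there
    for account, mailboxes in recovery.items():
        for mailbox in mailboxes:
            resets_into.setdefault(mailbox, []).append(account)
    owned, queue = {compromised}, deque([compromised])
    while queue:
        for account in resets_into.get(queue.popleft(), []):
            if account not in owned:
                owned.add(account)
                queue.append(account)
    return owned

def audit(recovery, two_step, hub):
    """Check the reset hub against steps one and two of the article."""
    findings = []
    if not two_step.get(hub, False):
        findings.append(f"{hub}: two-step verification is off")
    for mailbox in recovery.get(hub, []):
        findings.append(f"{hub}: password can be reset from {mailbox}")
    for account, mailboxes in sorted(recovery.items()):
        for mailbox in mailboxes:
            if account != hub and mailbox != hub:
                findings.append(f"{account}: resets go to {mailbox}, not {hub}")
    return findings

# Constructed inventories: account -> mailboxes that receive its reset mail.
# BEFORE mirrors the chain in the article (the twitter link is an assumption).
BEFORE = {"icloud": [], "gmail": ["icloud"], "twitter": ["gmail"]}
AFTER = {"gmail": [], "icloud": ["gmail"], "twitter": ["gmail"]}

if __name__ == "__main__":
    print(sorted(blast_radius(BEFORE, "icloud")))
    print(audit(BEFORE, {"gmail": False}, "gmail"))
    print(sorted(blast_radius(AFTER, "icloud")))
    print(audit(AFTER, {"gmail": True}, "gmail"))
```

In the AFTER layout a compromised iCloud account reaches nothing else, but the Gmail hub still reaches everything, which is why step one puts the strongest protection on that one mailbox.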

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman.

20th Century Fox

It’s 2016, so why do printers still suck?

Hewlett Packard recently prevented third-party cartridges from working in their printers, but this is just the latest chapter of home printing's dark and twisted history. 

In order to initiate their children into adulthood, the Sateré-Mawé tribe in the Brazilian Amazon weave stinging ants into gloves and ask teenage boys to wear them for a full ten minutes. The British have a similar rite of passage, though men, women, and children alike partake. At one point in their short, brutal little lives, every citizen must weep at the foot of a printer at 2am, alternatively stroking and swearing at it, before falling into a heap and repeating “But there is no paper jam” 21 times.

There are none alive that have escaped this fate, such is the unending crapness of the modern home printer. And against all odds, today printers have hit the news for becoming even worse, as a Hewlett Packard update means their machines now reject non-branded, third-party ink cartridges. Their printers now only work with the company’s own, more expensive ink.

Although it’s surprising that printers have become worse, we’re already very used to them not getting any better. The first personal printers were unleashed in 1981 and they seemingly received the same treatment as the humble umbrella: people looked at them and said, “What? No, this? No way this can be improved.”

It’s not true, of course, that printing technology has stagnated over the last 35 years. But in a world where we can 3D print clitorises, why can’t we reliably get our tax returns, Year 9 History projects, and insurance contracts from our screens onto an A4 piece of paper in less than two hours?

It’s more to do with business than it is technology. Inkjet printers are often sold at a loss, as many companies decide instead to make their money by selling ink cartridges (hence HP’s latest update). This is known as a “razor and blades” business model, whereby the initial item is sold at a low price in order to increase sales of a complementary good. It explains why your ink is so expensive, why it runs out so quickly, and the most common complaint of all: why your cyan cartridge has to be full in order to print in black and white.

But technology is complicit in the crime. HP’s new update utilises the chips on ink cartridges to tell whether a refill is one of their own, and those chips have also previously been used to region-block cartridges so they can’t be sold on in other countries. Those little chips are also the thing that tells the printer when your ink is empty. Very good. Fine. Except in 2008, PC World found that some printers will claim the cartridges are empty when they are actually nearly half-full.

Back to business. Because this profit model means companies sell printers for so little, quality inevitably suffers. If they’re not selling them for much, companies will naturally try to keep the costs of making their printers down, and this is the reason for your “Load paper in tray two”s, your “Paper jam”s and your “Would you like to cancel this print job? Nope, sorry, too late, here are 100 copies.”

So why are printers bad at networking? This isn’t a set up to a lame joke (unless the joke is, of course, your life as you try to get your wireless printer and your PC to connect). There doesn’t seem to be a definitive answer to this, other than the fact that Bluetooth is still fairly patchy anyway. Some errors, just as you suspected, happen for no bloody damn good bloody reason at all.

On a bigger scale, the printers in your office are difficult because they work harder than you ever have. It’s a stressful job, for sure, and this naturally comes with errors and jams. The reason they are so hard to fix after the inevitable, however, again comes back to capitalism. Because printers don’t have a universal design, most companies will protect theirs, meaning you can’t know the specifics in order to fix a device yourself. This way, they also make money by sending out their own personal technicians.

Thankfully, although every personal printer you’ve ever bought seems to be on a collaborative quest to drive you to madness, there is an easy fix. Buy a laser printer instead. Though the device and the replacement toner cartridges are more expensive, in the long run you’ll most likely save money. In the meantime, there's only one solution: PC load letter.

Amelia Tait is a technology and digital culture writer at the New Statesman.