Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
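Taken together, the three steps flatten the chain of password-reset addresses so that one hardened mailbox sits at its root. The sketch below is an added example, not part of the original article: it audits a constructed inventory of accounts and reports how far a takeover of each one spreads through reset emails. Only the Gmail-to-.mac link comes from Honan's account; the other links, the `shop` account and the `reset-box` mailbox are assumptions.

```python
from collections import deque

# Constructed inventory: account -> mailboxes that receive its reset link.
# Only gmail -> icloud (.mac) is from the article; the rest is assumed.
BEFORE = {
    "icloud": [],
    "gmail": ["icloud"],
    "twitter": ["gmail"],
    "shop": ["gmail"],
}

# The same accounts after steps one to three: every reset goes to one
# dedicated mailbox (hypothetical name) with no recovery address of its own.
AFTER = {
    "reset-box": [],
    "icloud": ["reset-box"],
    "gmail": ["reset-box"],
    "twitter": ["reset-box"],
    "shop": ["reset-box"],
}

def blast_radius(accounts, compromised):
    """Accounts reachable from `compromised` by chaining reset emails."""
    # Invert the map: mailbox -> accounts whose reset link lands there.
    resets_for = {}
    for name, mailboxes in accounts.items():
        for box in mailboxes:
            resets_for.setdefault(box, []).append(name)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for victim in resets_for.get(queue.popleft(), []):
            if victim not in seen:
                seen.add(victim)
                queue.append(victim)
    return seen - {compromised}

def audit(accounts):
    """Return (blast radius per account, mailboxes that break step two)."""
    radius = {name: sorted(blast_radius(accounts, name)) for name in accounts}
    # Step two: a mailbox that receives resets must not itself be
    # resettable through some other mailbox.
    hubs = {box for boxes in accounts.values() for box in boxes}
    violations = sorted(h for h in hubs if accounts.get(h))
    return radius, violations

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        radius, violations = audit(inventory)
        print(label, radius, "step-two violations:", violations)
```

In the "after" layout every account except `reset-box` has an empty blast radius, which is why that one mailbox is the place to spend the two-step effort.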

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


From Darwin to Damore - the ancient art of using "science" to mask prejudice

Charles Darwin, working at a time when women had few legal rights, declared “woman is a kind of adult child”.

“In addition to the Left’s affinity for those it sees as weak, humans are generally biased towards protecting females,” wrote James Damore, in his now infamous anti-diversity Google memo. “As mentioned before, this likely evolved because males are biologically disposable and because women are generally more co-operative and agreeable than men.” Since the memo was published, hordes of women have come forward to say that views like these – where individuals justify bias on the basis of science – are not uncommon in their traditionally male-dominated fields. Damore’s controversial screed set off discussions about the age old debate: do biological differences justify discrimination?  

Modern science developed in a society which assumed that men were superior to women. Charles Darwin, the father of modern evolutionary biology, who died before women got the right to vote, argued that young children of both genders resembled adult women more than they did adult men; as a result, “woman is a kind of adult child”.

Racial inequality wasn’t immune from this kind of theorising either. As fields such as psychology and genetics developed a greater understanding about the fundamental building blocks of humanity, many prominent researchers such as Francis Galton, Darwin’s cousin, argued that there were biological differences between races which explained the ability of the European race to prosper and gather wealth, while other races fell far behind. The same kind of reasoning fuelled the Nazi eugenics and continues to fuel the alt-right in their many guises today.

Once scorned as blasphemy, today "science" is approached by many non-practitioners with a cult-like reverence. Attributing the differences between races and gender to scientific research carries the allure of empiricism. Opponents of "diversity" would have you believe that scientific research validates racism and sexism, even though one's bleeding heart might wish otherwise. 

The problem is that current scientific research just doesn’t agree. Some branches of science, such as physics, are concerned with irrefutable laws of nature. But the reality, as evidenced by the growing convergence of social sciences like sociology, and life sciences, such as biology, is that science as a whole will, and should, change. The research coming out of fields like genetics and psychology paints an increasingly complex picture of humanity. Saying (and proving) that gravity exists isn't factually equivalent to saying, and trying to prove, that women are somehow less capable at their jobs because of presumed inherent traits like submissiveness.

When it comes to matters of race, the argument against racial realism, as it’s often referred to, is unequivocal. A study in 2002, authored by Neil Risch and others, built on the work of the Human Genome Project to examine the long standing and popular myth of seven distinct races. Researchers found that  “62 per cent of Ethiopians belong to the same cluster as Norwegians, together with 21 per cent of the Afro-Caribbeans, and the ethnic label ‘Asian’ inaccurately describes Chinese and Papuans who were placed almost entirely in separate clusters.” All that means is that white supremacists are wrong, and always have been.

Even the researcher Damore cites in his memo, Bradley Schmitt of Bradley University in Illinois, doesn’t agree with Damore’s conclusions.  Schmitt pointed out, in correspondence with Wired, that biological difference only accounts for about 10 per cent of the variance between men and women in what Damore characterises as female traits, such as neuroticism. In addition, nebulous traits such as being “people-oriented” are difficult to define and have led to wildly contradictory research from people who are experts in the fields. Suggesting that women are bad engineers because they’re neurotic is not only mildly ridiculous, but even unsubstantiated by Damore’s own research.  As many have done before him, Damore couched his own worldview - and what he was trying to convince others of - in the language of rationalism, but ultimately didn't pay attention to the facts.

And, even if you did buy into Damore's memo, a true scientist would retort - so what? It's a fallacy to argue that just because a certain state of affairs prevails, that that is the way that it ought to be. If that was the case, why does humanity march on in the direction of technological and industrial progress?

Humans weren’t meant to travel large distances, or we would possess the ability to do so intrinsically. Boats, cars, airplanes, trains, according to the Damore mindset, would be a perversion of nature. As a species, we consider overcoming biology to be a sign of success. 

Of course, the damage done by these kinds of views is not only that they’re hard to counteract, but that they have real consequences. Throughout history, appeals to the supposed rationalism of scientific research have justified moral atrocities such as ethnic sterilisation, apartheid, the creation of the slave trade, and state-sanctioned genocide.

If those in positions of power genuinely think that black and Hispanic communities are genetically predisposed to crime and murder, they’re very unlikely to invest in education, housing and community centres for those groups. Cycles of poverty then continue, and the myth, dressed up in pseudo-science, is entrenched. 

Damore and those like him will certainly maintain that the evidence for gender differences is on their side. Since he was fired from Google, Damore has become somewhat of an icon to some parts of society, giving interviews to right-wing YouTubers and posing in a dubious shirt parodying the Google logo (it now says Goolag). Never mind that Damore’s beloved science has already proved them wrong.