08-11-2012, 04:48 PM   #5
Andrew H.
Grand Master of Flowers
Posts: 2,201
Karma: 8389072
Join Date: Oct 2010
Location: Naptown
Device: Kindle PW, Kindle 3 (aka Keyboard), iPhone, iPad 3 (not for reading)
Quote: Originally Posted by wizwor
Someone at work forwarded this to me. Mat's problem is that he offended someone who is smarter than he is. That's easy to do on the internet. It's even possible when posting about things as benign as e-readers.
He didn't offend the hacker.
Quote:
I asked him why. Was I targeted specifically? Was this just to get to Gizmodo's Twitter account? No, Phobia said they hadn't even been aware that my account was linked to Gizmodo's, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That's all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn't personal.

"I honestly didn't have any heat towards you before this. i just liked your username like I said before" he told me via Twitter Direct Message.
I don't particularly think that the hacker was "smarter" than Honan, any more than a burglar who convinces a neighbor to give him your house key is smarter than you.

[snip of irrelevant stuff]


Quote: Originally Posted by wizwor
Second, be smart. You should have at least three email accounts. One account should be for business -- important business like banking and bill paying. One account should be for shopping. One account should be for trivial communication. Use this account for social sites and commenting on things. If your post about Chick-fil-A offends people, they should not be able to run up your credit card or empty your bank account. Rule 2: separate business from pleasure.
Again, Honan didn't offend anyone. Multiple e-mail addresses *may* have helped, though. Using Google's two-factor authorization definitely would have helped.

Quote: Originally Posted by wizwor
Finally, be discreet. If you are required to provide personal information to participate in a service, make it up. No one needs your home address or phone number. No one needs to know your politics or hobbies. Create a unique, disconnected profile for each service you belong to. It's OK to have a professional Facebook or Twitter account with contact information. It should include basic professional information. It should not include sexual preference, social activities, a photo, or even your date of birth. Employers are not allowed to ask for these things, so do not provide them voluntarily. Do not 'link' your alter egos with common information. If you google wizwor, you should not find my home address, phone number, or place of employment. If use of the resource requires some of this information, disassociate it from the rest. IOW, if has your address, use a different userid on that forum. Do not allow cookies to be stored on your computer. Rule 3: don't leave breadcrumbs.
None of this is really helpful if your job is being a blogger, though. I'm not sure how disabling cookies would have helped either - if anything, it would make it more difficult for you to use something like KeePass or another password locker that makes it easier to use multiple passwords.

Quote: Originally Posted by wizwor
PS, be thoughtful. Use different passwords for each email account. Passwords are stored somewhere and are unencrypted by computer programs. If someone gets, say, a list of LinkedIn accounts with passwords and emails, using the same password on LinkedIn as Gmail and having Gmail listed as your email account will allow the hacker to visit your mailbox. With this access, the hacker will likely be able to get in your mailbox and will be able to learn about your business and reset passwords. Also a good idea to not store too much information in your online mailbox. It's also a good idea not to leave too much information on a computer always connected to the internet. If you have to do this, use TrueCrypt to create a safe place for your data on the PC. (I have moved my financial/tax info to a thumb drive which I read/edit on a computer that is rarely connected to anything.)

If you're nice, use separate accounts for business and pleasure, and take care not to link the two, whatever hacking happens will be incidental, damage will be limited, and responsibility will be shared with an institution with the resources to help clean things up.
It's possible that this would have helped Honan, although, again, it's not clear. As a columnist for Wired, there is going to be more information out there about him than most other people, and anonymity is going to be impossible because it's his job to be public. (It's also not going to be possible to not annoy some people with his opinions, no matter how "nice" he is...although that was not at all the reason for this hack.)

The biggest mistake Honan made was in not backing up his stuff; the next biggest was probably not realizing that a hacker could remote wipe his laptop. But these mistakes didn't enable the actual hacking; they just made the damage much worse. WRT the actual hacking, Apple (and to a lesser extent Amazon) were much more responsible than Honan - they reset his password *even though* the hackers couldn't even answer the security questions (which are often a weak spot anyway).
Quote: Originally Posted by wizwor
Disclosure: I don't do all of these things. I do more today than I used to (separate accounts, unique passwords, limited personal information), but the internet houses a lot of my personally identifiable information.
Yeah, at some point it's impossible to do everything you "ought" to do and still function. I like two-factor authorization plus a password vault program (which makes it much easier to use different passwords for different sites) - but if an important site will give out your password if you call them up and give them information that's not hard to find, having different, cryptic passwords for each site won't help much.

Although I do think that companies are going to be much more reluctant to do this now, so that's a good thing.

Realistically, of course, the problem is that the traditional username/password scheme, which was developed when people would have *one* account, and which still worked okay when people had a couple of accounts, is almost completely unworkable when people need 100+ different username/password combinations for various sites.