Linked by Howard Fosdick on Thu 3rd Nov 2011 04:58 UTC
Privacy, Security, Encryption What's it like to be hacked? James Fallows over at the Atlantic Monthly tells us his experience. One night his wife left her computer on when she went to bed. The next morning she discovers her Gmail account is inaccessible!
Strong passwords
by wannabe geek on Thu 3rd Nov 2011 15:27 UTC
wannabe geek
Member since:
2006-09-27
RE: Strong passwords
by umccullough on Thu 3rd Nov 2011 15:43 UTC in reply to "Strong passwords"
umccullough Member since:
2006-01-26

Which is pretty much how I've always chosen my *important* passwords - except with some capital letters and numbers thrown in to appease the angry password strength verifiers ;)

I keep a few super-weak passwords for quick access to resources I don't care so much about.

Reply Score: 2

RE: Strong passwords - better option
by jabbotts on Thu 3rd Nov 2011 16:45 UTC in reply to "Strong passwords"
jabbotts Member since:
2007-09-06
Soulbender Member since:
2005-08-18

Steve Gibson......

Reply Score: 2

big_gie Member since:
2006-01-04

Password: 1a%%*iW3EORvrM7V
Offline Fast Attack Scenario: 1.41 hundred billion centuries

hahaha! I'm just amazed by this number... ;)

That just reminded me to check my osnews password. It was pretty weak :S Good thing I just changed it!

Reply Score: 1

RE: Strong passwords
by zima on Thu 3rd Nov 2011 17:11 UTC in reply to "Strong passwords"
zima Member since:
2005-07-06

Also, the code-guessing shots of one Wargames scene http://www.youtube.com/watch?v=NHWjlCaIrQo ;)

Though, @XKCD, combinations of common words can easily find their way into password cracking tools - one might throw in some sparse symbols and/or an uncommon* word.

*as in, ~"private" ...nicknames, local dialects, and such (NOT only such words, I'm not saying that / too meaningful whole passwords is what in turn makes pass guessing by humans relatively easy).
I've actually googled right now an old ~nickname of sorts of my father - no hits, ZERO (it merely suggested one somewhat-but-not-really similar sounding - and only when pronounced in some Slavic language - word from the region)

PS. Somebody takes computer security in Wargames (in films, overall) a bit too seriously: ;) http://mike.passwall.com/uselesstrivia/wargames.html

Edited 2011-11-03 17:26 UTC

Reply Score: 2

RE: Strong passwords
by AdamW on Thu 3rd Nov 2011 17:14 UTC in reply to "Strong passwords"
AdamW Member since:
2005-07-06

So what you're saying is that 'correct horse battery staple' is a great password, right?

Excuse me while I go and apply it to all my accounts!

Reply Score: 3

RE: Strong passwords
by Piranha on Thu 3rd Nov 2011 18:24 UTC in reply to "Strong passwords"
Piranha Member since:
2008-06-24

You beat me to it.

I have this comic posted on my cubicle at work. Some people get it, while others don't. Guess which ones are probably easiest to get their accounts hacked?

Reply Score: 1

RE: Strong passwords
by marcp on Thu 3rd Nov 2011 19:06 UTC in reply to "Strong passwords"
marcp Member since:
2007-11-23

Steve Gibson. Again. I'm seeing it constantly. I'm kinda tired of this, but anyway ...

I'm also quite angry at these pseudo IT-pros that made us believe we need some utterly useless passwords, while all we need is just a long, plain text password.

Darn you, password nazis! go and fry in hell, yer miserable rats!

P.S. combine this "l4tt4rish" crap with S.G's suggestions and you will probably get quite a good password.

Reply Score: 2

RE[2]: Strong passwords - password manager
by jabbotts on Thu 3rd Nov 2011 19:36 UTC in reply to "RE: Strong passwords"
jabbotts Member since:
2007-09-06

Complexity serves a valuable purpose in password selection. Get yourself a password manager and it's a non-issue.

Reply Score: 2

srsly?
by twitterfire on Thu 3rd Nov 2011 15:36 UTC
twitterfire
Member since:
2008-09-11

People do get accounts hacked out of either lack of knowledge, laziness or stupidity. While I can excuse lack of knowledge, I can't excuse laziness and stupidity.

The accounts and devices I really care about are protected reasonably (some e-mail, facebook, twitter, forums, websites, game, banking, hosting accounts, my computer at work). I use good passwords and use a different one for each account. I don't use built-in security questions, I use my own. Answers to security questions can't be found on the web because they are like passwords: just some letters and numbers.

Accounts which I consider not very important may share the same simple password. My home computer and my laptop aren't given too much attention security-wise, because I don't care too much about whatever data may be found on them.

They can't really blame google because, as they say, only a minority of users get accounts hacked and it would be much better to direct resources in areas that would benefit more.

Reply Score: 2

Protect & Back up yourself.
by Bill Shooter of Bul on Thu 3rd Nov 2011 15:47 UTC
Bill Shooter of Bul
Member since:
2006-07-14

Google Provides a way to require two factor authentication for your google account. Use it.

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-fo...

Back up your own dang email, google also provides Pop access.

They give you nice tools and services for the low low cost of your privacy. It's up to you to use them in a secure manner.

Reply Score: 2

RE: Protect & Back up yourself.
by Hiev on Thu 3rd Nov 2011 16:07 UTC in reply to "Protect & Back up yourself. "
Hiev Member since:
2005-09-27

The 2-step verification is effective but not practical and is nothing but a scam from google to get your real phone number.

Edited 2011-11-03 16:08 UTC

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

You can do two factor without text messages, and hence, without google getting your real phone number.

Reply Score: 2

Hiev Member since:
2005-09-27

How does it work?

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Google Authenticator

http://www.google.com/support/accounts/bin/answer.py?answer=1066447

It's an app that generates the code locally. The device need not have a google account attached to it in any way for the app to work. Nor does it need to be a phone or have internet access. I'm not sure the exact algorithm they use to generate the One time password, but there are a few of them out there.

Reply Score: 2

ichi Member since:
2007-03-06

If any of your friends has an Android phone they have probably linked your real name with your phone number and your email address already, anyway. And maybe also your home address, work contact info and a photograph.

Reply Score: 2

Hiev Member since:
2005-09-27

And all that information ends in Google servers?

How is that?

Reply Score: 2

ichi Member since:
2007-03-06

Your Android contacts sync with your Gmail account. It comes in handy when you switch phones as you have to do nothing to keep them, but it also means it all ends up on Google's servers.

Reply Score: 2

RE: Protect & Back up yourself.
by zima on Thu 3rd Nov 2011 16:10 UTC in reply to "Protect & Back up yourself. "
zima Member since:
2005-07-06

IMAP access, also available, is probably more thorough - however, you still can't really back up Gmail Chat (Gtalk) archive...

Reply Score: 2

RaisedFist Member since:
2005-07-06

In fact you can backup your chats too: just go in Settings > Labels and mark the Chats label as visible for IMAP. Good luck ;)

Reply Score: 1

zima Member since:
2005-07-06

Ahh, good, thanks for pointing it out.

I guess they added it quite recently and/or my account was slow to get that update? ...I think I would notice "show Chats in IMAP" option, I rely quite a lot on labels and manipulate them often.
It was ~inadvertently on at the start of IMAP availability, but with some unpredictable results. Quickly removed and remaining that way for quite some time.

And so, the world is more at peace... ;) For me, it's also about offline searches being much faster - particularly since Gmail search has, for some reason, a bit primitive treatment of diacritics and "part word" searches (invaluable in languages with complex declension and such)

Edited 2011-11-03 20:38 UTC

Reply Score: 2

Comment by joekiser
by joekiser on Thu 3rd Nov 2011 15:50 UTC
joekiser
Member since:
2005-06-30

If the author is wondering how her password was hacked, the first thing that sprang to mind was Firefox's "Show Passwords" field. Any saved password is stored without encryption by default, and is thus visible to anyone. She used a public terminal at an airport...perhaps Firefox had been set to store all passwords and it was accessible that way. Just a first thought.

Reply Score: 2

Rob2011
Member since:
2011-06-02

I guess this is also an example of why regular, archived backups are needed. Relying upon the fact that emails are reliably stored by Google hardware is insufficient, since it doesn't allow for human error (or malicious attacks), or even a major bug in a future version of GMail. Perhaps Google could offer long-term archived storage of emails for those who want it - that way, if your main account is compromised and all emails deleted by the user, then you can still access a backup. However, it would be safer for most businesses to store backups with an independent provider, in case Google messes up. The easiest way most people can avoid this problem is to get an email client and download everything onto your PC, then copy emails onto an external hard-disk or use your regular on-line backup.

Reply Score: 1

Comment by Soulbender
by Soulbender on Thu 3rd Nov 2011 16:12 UTC
Soulbender
Member since:
2005-08-18

One night his wife left her computer on when she went to bed. The next morning she discovers her Gmail account is inaccessible!

Sorry, but what's the cause and effect here? Is he implying that it got hacked because she left her computer on?

But from Google's engineering perspective, the deleted-mail problem, while dire for those confronting it, affected only a tiny fraction of their users, and also was more complicated to solve than some other mainstream usability issues.

I doubt this is the perspective of the engineering team. This is a business decision, not an engineering decision. Obviously someone in management decided a lean interface was more important than spending time and money creating a solution that few users will ever need.

What Fallows learned the hard way is that the online services we assume will protect us look for us to protect ourselves.

Why would you even assume that at all?

Reply Score: 3

Backups are gold
by Neolander on Thu 3rd Nov 2011 16:54 UTC
Neolander
Member since:
2010-03-08

This is why I dislike those services which do not allow you to keep a copy of your data at hand (wordpress.com, hotmail, steam...). I wish I could avoid relying on them altogether.

Also, who needs to keep several years of archived mails at hand?

Reply Score: 1

RE: Backups are gold
by zima on Thu 3rd Nov 2011 17:01 UTC in reply to "Backups are gold"
zima Member since:
2005-07-06

Also, who needs to keep several years of archived mails at hand?

Most of that will be useless, sure - over your lifetime, there might be perhaps only, say, 100 cases when you will be really glad you could find that old email.

But the thing is: you don't really know in advance which of all emails those will be (other than gradually getting rid of obvious junk mail, of course)

(and Steam allowed to make DVD backups, last time I tried? ...unless you mean DRM - yeah, that could potentially be a problem; OTOH, I think Valve said they would unlock it if ever going under)

Reply Score: 2

RE[2]: Backups are gold
by Neolander on Thu 3rd Nov 2011 18:01 UTC in reply to "RE: Backups are gold"
Neolander Member since:
2010-03-08

(and Steam allowed to make DVD backups, last time I tried? ...unless you mean DRM - yeah, that could potentially be a problem; OTOH, I think Valve said they would unlock it if ever going under)

So if you make a DVD backup of a Steam game, then your Steam account is wiped for some reason, you can still play your game? I believed it was not possible because it would allow - shock, horror - letting relatives use your copies of the game.

Edited 2011-11-03 18:06 UTC

Reply Score: 1

RE[3]: Backups are gold
by zima on Thu 3rd Nov 2011 20:54 UTC in reply to "RE[2]: Backups are gold"
zima Member since:
2005-07-06

I didn't say that / sure, now that you describe specifics, this would be a problem... (what is "copy of your data at hand" for Steam, anyway, when it's all about periodic online authentication)

Reply Score: 2

RE[4]: Backups are gold
by Neolander on Thu 3rd Nov 2011 21:20 UTC in reply to "RE[3]: Backups are gold"
Neolander Member since:
2010-03-08

Alright. I guess I overestimated the impact of these DVD backups you mentioned, then. I believed that they did more than avoiding long downloads when a gaming computer's hard drive dies. If not, I don't see the point in making them if you have broadband and regular PC backups.

The problem I see with Steam (and other application stores) is that if, for some reason (bug, Valve diktat, compromised account), you lose your usage rights on a piece of software, it's gone. You cannot use it anymore, and there is little chance you will recover the right to use it. There is no way you can make a backup of your right to play a Steam game, if you see what I mean.

Edited 2011-11-03 21:22 UTC

Reply Score: 1

RE: Backups are gold
by AdamW on Thu 3rd Nov 2011 17:16 UTC in reply to "Backups are gold"
AdamW Member since:
2005-07-06

me.

it's like the classic 'throwing out old junk' problem: every time I archive off my old mail, the next day I find I need to refer to something in it...

Reply Score: 2

RE[2]: Backups are gold
by Neolander on Thu 3rd Nov 2011 17:20 UTC in reply to "RE: Backups are gold"
Neolander Member since:
2010-03-08

Thanks for the answers!

Reply Score: 1

RE: Backups are gold
by jessesmith on Thu 3rd Nov 2011 17:58 UTC in reply to "Backups are gold"
jessesmith Member since:
2010-03-11

You can download copies of your e-mail in Hotmail and back up your Wordpress database. How are these kept from you?

Reply Score: 1

RE[2]: Backups are gold
by Neolander on Thu 3rd Nov 2011 18:05 UTC in reply to "RE: Backups are gold"
Neolander Member since:
2010-03-08

Can you easily download all your mail from hotmail, through a standard protocol such as POP or IMAP, or do you have to use a hotmail-specific workaround to do that? Last time I checked, it was the latter, but that was arguably a long time ago.

Same for wordpress.com (which is different from a self-hosted Wordpress blog). I'm honestly interested if there is a simple way to download the database of a blog that is hosted there. I believe I have carefully checked the dashboard for this without finding anything.

EDIT: Never mind for wordpress.com. Tools->Export->Export. Guess I did not look hard enough, I was pretty sure I had checked everything...

Edited 2011-11-03 18:16 UTC

Reply Score: 1

RE[3]: Backups are gold
by Sauron on Fri 4th Nov 2011 05:03 UTC in reply to "RE[2]: Backups are gold"
Sauron Member since:
2005-08-02

Yes, Hotmail does have pop3 access, I use it all the time. Most of the email clients I have used including Thunderbird, Outlook/Express and Evolution set up the account automatically when you enter Hotmail as an account in settings.

Reply Score: 1

RE[4]: Backups are gold
by Neolander on Fri 4th Nov 2011 07:18 UTC in reply to "RE[3]: Backups are gold"
Neolander Member since:
2010-03-08

My bad... Sorry for posting outdated and/or incorrect information there!

Reply Score: 1

RE[5]: Backups are gold
by daedalus on Fri 4th Nov 2011 08:46 UTC in reply to "RE[4]: Backups are gold"
daedalus Member since:
2011-01-14

This wasn't the case last time I used Hotmail (a few years ago now), so it must be a relatively recent upgrade, perhaps around the time their inboxes suddenly got huge... I even asked their helpdesk at the time, only to be helpfully told that the only way to use Hotmail offline was to download Outlook Express and use that, even though I'd told them I was using Linux...

Reply Score: 1

RE[6]: Backups are gold
by Sauron on Fri 4th Nov 2011 11:25 UTC in reply to "RE[5]: Backups are gold"
Sauron Member since:
2005-08-02

I have no idea why you were told that, unless it's to discourage the use of pop3 access. I have used Hotmail with pop3 since about 1998/99 and never had problems with it at all.

Reply Score: 2

Perp!
by Brunis on Thu 3rd Nov 2011 17:39 UTC
Brunis
Member since:
2005-11-01

Obviously the butler did it!

Reply Score: 1

Why focus on password?
by jaco on Thu 3rd Nov 2011 18:01 UTC
jaco
Member since:
2009-12-27

I had my gmail account stolen by a homonymous guy. He just used the "Someone else is using my account" procedure. I know for sure, because I've been able to talk to that guy afterwards. Even the guy was somewhat surprised the procedure worked so easily.

I got my account back using the same procedure, in a matter of hours, just to discover that all my email was gone.

I tried to contact Google about the issue, but even after finding a way to, maybe, contact them via email, I received no answer at all. I tried to contact Google about the easiness for someone else to steal an account too, but didn't get an answer.

All my previous email was gone. Now I perform regular backups myself, using IMAP, and this is for a simple reason: I don't trust Google and its services. Their services are usually not bad, they're cheap too and I don't hate them at all.

However, after that issue with them, I learnt that they don't provide any easy way to contact them beyond web forms for usual (and usually trivial) problems. They keep users at a distance. They don't care about their users and their users' data, unless their image (thus their business) would get hurt. In my experience, they're the most careless company in IT.

I think they're not evil, as they like to remember all the time. But they're not good either, they're just as any other company in the business. Just a bit more careless than direct competitors in my opinion...

Reply Score: 3

RE: Why focus on password?
by benali72 on Thu 3rd Nov 2011 20:14 UTC in reply to "Why focus on password?"
benali72 Member since:
2008-05-03

I think you've hit on a HUGE problem. The trend in the cyber-world we've created is that the LAST thing big companies want is to be bothered by their customers. So they deal with them only by email and keep them at arm's length.

Maybe it was this guy's fault he got hacked, or maybe not, but what kind of "service" has Google provided to help him? Hardly anything. You can argue that Gmail is free, but this sort of attitude is prevalent even when you pay for services.

It is unreasonable to expect the average user to handle this unless you provide very easy ways for them to backup and/or recover their data themselves. Google doesn't. It's not part of the business model. One issue is that most users quite naturally assume it is. If Google publicly said this they'd be off the hook, but I've sure never heard them mention this in their self-promotional infomercials.

Reply Score: 1

And the lesson is
by StephenBeDoper on Fri 4th Nov 2011 13:57 UTC
StephenBeDoper
Member since:
2005-07-06

This article could be sub-titled a la "What it's like to be hacked - or why you should never store important data (without your own offline backup) using SaaS controlled by a third party, ESPECIALLY if it's a free service where the provider isn't accountable to you in any way".

Reply Score: 2

RE: And the lesson is
by kateline on Tue 8th Nov 2011 17:13 UTC in reply to "And the lesson is"
kateline Member since:
2011-05-19

Excellent point. The problem is that so many people naively assume that companies offering free services like Gmail or Facebook or whatever always have the best interests of the consumer in mind. People on this board are smart and know this but I feel sorry for the average consumer guy who has no clue. And nobody's telling him either. Hope all those literary people who know nothing about the computers they depend on for their jobs read that guy's experience at the Atlantic.

Reply Score: 1