
Hacked - grellas
http://www.theatlantic.com/magazine/archive/2011/10/hacked/8673/
======
Timothee
I'd be curious to read what people on HN think of one particular aspect of the
story: she's not planning on using her old Gmail address anymore, which made
me think of the longevity of one's email address and what one can do to keep
control of it.

In particular, I'm thinking that backups of all your "cloud" data mostly take
care of the fear of losing it, as written in the OP. However, to not lose
your email address itself, you have to have your own domain, but is that
really sufficient? In the end, you mostly lease it rather than owning it, so
can it just be assumed that a .com address won't be messed with (as long as
there aren't any trademark issues)? (as opposed to, say, a .ly)

Do you use your own domain for email? Do you think that email addresses have
some inherent risks that make them _potentially_ disposable after 5-10 years?

A bigger question is how could anyone (that is: people who have currently no
idea what a domain really is and how to get one) take control of their
addresses in a similar way?

As far as I'm concerned, I haven't used my own domain yet for emails but my
alumni association gives me a lifelong forwarding address. I haven't been
super strict with using it everywhere though, so it's a bit all over the
place. The truth is too that my Gmail address is much easier to type and give
away than either my alumni one or my own domain…

~~~
guelo
I think it's dangerous to rely on some corporate owned address as your long
term identity. Even a company as big as Google or Microsoft could disappear in
20 years. It is much better to own your domain and be able to switch out the
underlying service provider as needed. Though DNS wasn't really designed for
that and it is probably beyond the capability of the average user, I do
recommend it for the technically inclined.

~~~
eli
Namecheap will let you set up forwarding email addresses for free if you
register the domain there. No need to screw with DNS. I'm sure others do too.

------
0x12
Painful. Great they got their stuff back but apparently it takes knowing
people at google to get stuff done beyond the 'sorry we can not answer further
emails about this'.

I understand that there are limits to what technical support you can offer
your end users but the fact that someone is a reporter with 'access' should
not be the determining factor in who does and does not get back their email
after a hack (which is a large word, account compromised would be a better
description) like this.

~~~
01Michael10
I think it's incredible anyone would think a free service should be expected
to recover six years of email. I would rather Google delete my email
permanently when I empty my trash and do my own backups.

~~~
tsycho
I agree with you, but I think that this was within the 30-day
permanent-delete-from-trash window. If you are saying that the 30-day window is too
long, that's a reasonable opinion. Maybe Gmail could offer a user-settable
window length, with the default at 30, while more savvy users who trust their
own email management could set it to zero.

Update: I would even be willing to pay Google for extra features such as the
above, and more importantly, for guaranteed/quicker support from them if
anything goes wrong.

~~~
alttag
But the problem with a user-settable window is that a supposed hacker could
set it to zero, then delete--which is exactly one of the use cases the
"undelete project" desires to handle.

~~~
carussell
Don't allow the new window to take effect until the length of the old window
has lapsed. I.e., make the window apply not just to deletion, but also to the
window setting itself.
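As an added illustration (not code from the thread), here is carussell's rule modelled in Python: a request to shorten the trash window is queued until the old window has lapsed, so a change to zero followed by a mass deletion still leaves the mail recoverable for the old 30 days. The class names, the 30-day default and the scenario data are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400  # seconds


@dataclass
class TrashPolicy:
    """Purge window whose *shortening* is deferred by the old window's length."""
    window: int = 30 * DAY                      # currently effective window
    pending: Optional[tuple[int, int]] = None   # (new_window, effective_at)

    def request(self, new_window: int, now: int) -> None:
        if new_window >= self.window:
            # Lengthening only makes recovery easier; apply it at once.
            self.window, self.pending = new_window, None
        else:
            # Shortening waits until the current window has fully lapsed.
            self.pending = (new_window, now + self.window)

    def effective(self, now: int) -> int:
        if self.pending is not None and now >= self.pending[1]:
            self.window, self.pending = self.pending[0], None
        return self.window


@dataclass
class Mailbox:
    policy: TrashPolicy = field(default_factory=TrashPolicy)
    purge_at: dict[str, int] = field(default_factory=dict)  # msg id -> purge time

    def delete(self, msg_id: str, now: int) -> None:
        # The purge time is fixed by the window in force *at deletion*.
        self.purge_at[msg_id] = now + self.policy.effective(now)

    def recoverable(self, msg_id: str, now: int) -> bool:
        return msg_id in self.purge_at and now < self.purge_at[msg_id]


def intruder_scenario(deferred: bool) -> tuple[bool, bool]:
    """Someone with account access sets the window to 0 at t=0 and deletes.
    Returns (recoverable at day 10?, does a later delete at day 40 purge at once?)."""
    box = Mailbox()
    if deferred:
        box.policy.request(0, now=0)        # carussell's rule: queued for 30 days
    else:
        box.policy.window = 0               # naive setting: takes effect immediately
    box.delete("six-years-of-mail", now=0)
    day10 = box.recoverable("six-years-of-mail", now=10 * DAY)
    box.delete("later-mail", now=40 * DAY)  # by now the legitimately chosen 0 applies
    day40 = box.recoverable("later-mail", now=40 * DAY)
    return day10, day40
```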

------
RockyMcNuts
good article on how to fix insecure passwords -

[http://www.slate.com/articles/technology/technology/2009/07/...](http://www.slate.com/articles/technology/technology/2009/07/fix_your_terrible_insecure_passwords_in_five_minutes.html)

take a phrase - ask not what you can do for your country -> Anwycd4yc

for each site mix in some letters from the domain, ie 2nd two letters of
amazon -> maAnwycd4yc

bingo - easy to remember - strong - unique for each site

password safe like KeePass is also good. occasionally you get services with
silly password rules where your generator function doesn't return a valid
password.

still important to have 2 factor on that one email account that has your banks
etc., otherwise one encounter with one of these bad boys and it's all over -

[http://www.google.com/search?q=usb+keylogger&tbm=isch](http://www.google.com/search?q=usb+keylogger&tbm=isch)

~~~
RyanMcGreal
Why not just make your password 'AskNotWhatYouCanDoForYourCountry'? That seems
pretty strong to me.

~~~
corin_
If someone gets hold of your password from one source, the goal is that they
won't be able to use it in other places, hence the "ma" from Amazon in his
example.

If I have _maAskNotWhatYouCanDoForYourCountry_ then someone seeing it could
possibly guess the relevance of the _ma_, and try _ew_ or _hn_, etc. on this
site.

With maAnwycd4yc on the other hand, without being told, are you going to guess
that maybe it's a generic password with a small site-specific portion?
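As an added example (not posted by anyone in the thread), the derivation RockyMcNuts describes and the per-site tag corin_ discusses, in Python: phrase initials with number words as digits, prefixed by the "2nd two letters" of the site name, plus a check for the "silly password rules" case. The number-word table, taking the first hostname label as the site name, and the policy check are assumptions of this example.

```python
import re

# Number-sounding words the scheme turns into digits ("for" -> "4"); constructed table.
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4", "ate": "8"}


def phrase_key(phrase: str) -> str:
    """Shared core: first letter of each word, number words as digits, leading
    letter capitalised.  'ask not what you can do for your country' -> 'Anwycd4yc'."""
    words = re.findall(r"[a-z']+", phrase.lower())
    key = "".join(NUMBER_WORDS.get(w, w[0]) for w in words)
    return key[:1].upper() + key[1:]


def site_tag(domain: str) -> str:
    """The '2nd two letters' of the site name (first hostname label, 'www.' dropped):
    amazon.com -> 'ma', news.ycombinator.com -> 'ew'."""
    host = domain.lower().split("/")[0]
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0][1:3]


def site_password(phrase: str, domain: str) -> str:
    """Per-site password: site tag in front of the shared phrase key."""
    return site_tag(domain) + phrase_key(phrase)


def policy_failures(password: str, min_len: int = 8, need_symbol: bool = False) -> list:
    """Check a generated password against a site's rules; the thread's 'silly
    password rules' problem is exactly when this list comes back non-empty."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len}")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        failures.append("no mixed case")
    if need_symbol and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    return failures
```

Note that only the two-letter tag varies between sites; everything after it is shared, which is the pattern corin_ is weighing above.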

------
ChuckMcM
As it turns out my father-in-law had the same thing happen to him (and the
same mugged-in-madrid form letter). It is a tragedy, and soon email will cease
to be viable for a large portion of the community.

That being said, I've pushed off and on some development for a network
identity device. Not the big 'Identity' problem that most people run away
screaming from but a much reduced (and tractable) part of the problem. A
device which can prove that the person making a request is in physical
possession of the identity device they had when they created the account.

Such a unit prevents people in Lagos from exploiting your password even if
they get it as they don't have the device.

~~~
simoncion
Isn't Google already doing this?
[http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu...](http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html)

~~~
ChuckMcM
No, if they were then you wouldn't have to type extra numbers into your
browser.

That seems kind of like a 'nit', I know, but if we learned anything from Steve
Jobs it is that there is a difference between providing an answer and
providing a solution.

The elements that will be present in a solution include:

1) You won't have to type anything else, a program will have an API which can
definitively tell it you are making this request or you are not.

2) The 'key' won't be anything else, it won't be an app on your phone or a
plug-in to your browser.

3) It will work with any service you care to use it with and if it has not
been implemented there will be no legal/encumbrance/technical barriers to
doing so.

4) It will not degrade your privacy options.

Google's two factor authentication fails on a number of these, not the least
of which that it requires that you own a 'smart phone' which is something my
father in law will never do before he dies.

So no, Google doesn't do this yet.

~~~
joebadmo
Are you serious?

As I said elsewhere in this thread, some countries in Europe require you to
use a fob that generates another key for your second authorization factor. But
you still have to type in extra numbers. How would you get around that? How
does the service know that you're in possession of the key unless you give it
some kind of input about the key that's unique to the key and to the current
time?

Personally, I much prefer having it on my smartphone, and this seems like a
good approach considering smartphone adoption rate. But Google's 2-factor will
sms your dumb phone, too.

~~~
ChuckMcM
Of course I'm serious.

 _How does the service know that you're in possession of the key unless you
give it some kind of input about the key that's unique to the key and to the
current time?_

Let's say you've got a 'fob' which is plugged into a USB port. Application
sends the fob a challenge, fob responds. Application validates the response
and proceeds. Perhaps the key uses 2.4mhz wireless, perhaps it uses Bluetooth
(a protocoled 2.4mhz wireless solution :-). The benefit is that these things
can only occur when your key is present. No key, no transaction.

We don't worry about Nigerians stealing our cars, but we should consider what
they might do with our self-driving cars if we don't have some durable way to
say we're in the car right now.

I appreciate that you prefer having something like this on your smart phone,
but such a solution fails for the larger internet population. And while SMS
works for 'dumb' phones you cannot have it validate on every send, every post,
every tweet, every page view.

You may not share my urgency on this as a threat but I invite you to start to
watch more closely. In the Atlantic article a Google representative said
_"Thousands per day"_ this is big business for folks. I was talking with a
senior executive at Wells Fargo who mentioned hundreds of millions of dollars
'lost' every year. This is a growing problem, it's getting more expensive, and
like some digital herpes my expectation is that it is going to pop out
suddenly in boils of financial putritude dripping pain, financial suffering,
and expense for everyone involved. With luck we'll fix it before then but most
folks who are getting burned are more interested in covering it up rather than
addressing it sadly.

I think it would be wonderful to have a possible solution prototyped and
demonstrable for people in pain. Your passwords will be compromised, and if
you do anything financial online you will have money vanish and you will
experience arguing with a bank as to why they should give it back to you and
take the loss. This isn't a 1 in 10, or 3 out of 5 type statistic, I'm pretty
confident that every single person who has an online account which can transfer
funds (whether it's an iTunes account or a checking account) will experience
this. 100%.
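The challenge-response exchange ChuckMcM sketches, as an added example that is not part of the original thread: the service checks the password, then sends a fresh challenge that only the enrolled device can answer, so a stolen password alone, or a captured earlier response, gets nowhere. The HMAC-SHA256 construction, the symmetric enrollment, and the account data are assumptions of this example; password storage is kept minimal because the point is the second factor.

```python
import hashlib
import hmac
import secrets
from typing import Callable


class Fob:
    """The physical key: its secret is written in at enrollment and never read back."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Keyed over this challenge only, so the answer fits no other challenge.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Service:
    """Application side: password check, then a challenge only the enrolled fob can answer."""

    def __init__(self) -> None:
        # user -> (password bytes, fob secret); a real service would store a salted hash.
        self._accounts: dict = {}

    def enroll(self, user: str, password: str) -> Fob:
        # Constructed provisioning: service and fob come to share a fresh secret.
        secret = secrets.token_bytes(32)
        self._accounts[user] = (password.encode(), secret)
        return Fob(secret)

    def login(self, user: str, password: str, answer: Callable[[bytes], bytes]) -> bool:
        record = self._accounts.get(user)
        if record is None or not hmac.compare_digest(record[0], password.encode()):
            return False
        _, secret = record
        challenge = secrets.token_bytes(16)  # fresh nonce per attempt, so no replay
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, answer(challenge))


def scenarios() -> dict:
    """Three login attempts against one account (constructed data)."""
    svc = Service()
    user, pw = "owner@example.invalid", "correct horse battery"
    fob = svc.enroll(user, pw)
    results = {}
    # The owner: right password, and the fob is present to answer the challenge.
    results["owner_with_fob"] = svc.login(user, pw, fob.respond)
    # The password alone: without the device the response cannot be computed.
    results["password_only"] = svc.login(user, pw, Fob(b"some other secret").respond)
    # A response captured from an earlier login, replayed verbatim, misses the new challenge.
    captured = fob.respond(secrets.token_bytes(16))
    results["replayed_response"] = svc.login(user, pw, lambda _challenge: captured)
    return results
```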

~~~
cjfont
The problem I see with this solution is that it would require a plugin to be
installed on your browser in order for the browser to have access to the fob.
This alone is enough to discourage a lot of people from using it.

Also, you wouldn't be able to log into a public terminal.

~~~
ChuckMcM
In the ideal world, the spec would be open and anyone could implement it in
their service (be it a browser or other). For most operating systems we're
talking about something that looks like a device connected over a serial port.
The Android service is pretty straightforward and I've played a bit with
ideas on an old G1 which had a serial port hidden in the USB port, not sure
about iOS. For computers like laptops etc. it's very straightforward (for both
wireless and wired solutions).

 _"Also, you wouldn't be able to log into a public terminal."_

Actually depending on capability (no pun intended) I could easily see 'read'
access being usable without the key but recognize the issue there. The real
'issue' if you will is universal appeal/buy-in which is to say if anyone can
use it then you will get some early adopters who will provide support as a
differentiating factor and that can drive adoption into more slowly changing
markets. Because it has to be everywhere to be effective it won't be a big
money maker (this is where a lot of VCs stop listening :-) basically the
barrier to implementing it has to be 0 and the value to the implementor has to
be non-zero. Given how thinly marginalized 'security' fixes are, this margin
won't leave anything for the manufacturer in terms of ongoing revenue so the
key itself has to define the value for the company. (I've actually thought a
lot about this :-)

So to your point, for early adopters the experience would be to get a 'key'
and to install a plug-in and then enabled sites and services would be secured.
Pretty easy sell to an enterprise if their only cost is the 'fob cost' and
there isn't some giant consulting revenue stream attached to it. For big
companies it has to be completely implementable (once the key infrastructure
is set up) in a way that is custom (and probably private) to that enterprise.
That gives their IT folks confidence and it makes the risk low.

For more general engagements like PayPal or Facebook it's a bit different. On
things that are appifyable (if that makes sense) there is a potential for
differentiation (look at how the World of Warcraft Authenticator stuff was
worth it for them to implement).

The key for me is that the existing way of doing things is under attack and it
will eventually succumb, when it does there is a tremendous opportunity there.

~~~
joebadmo
This sounds like a lot of necessary infrastructure. Widespread smartphone
adoption seems more likely to me.

------
mixmax
_For reasons too complex to explain here, even some systems, like Gmail’s,
that don’t allow intruders to make millions of random guesses at a password
can still be vulnerable to brute-force attacks._

I'm curious as to what the reasons are? How do you bruteforce a gmail account?
Surely Google will not allow you millions of tries?

~~~
rdl
Password reuse by end users puts even a relatively well secured site like
gmail at risk of user passwords being brute forced.

Break into a less-well-secured site, steal the password file, which may use
something like md5. Brute force offline. Then, try that password and username
on a more secure site like gmail.

~~~
ajross
This. I continue to be saddened at the extent to which "DON'T REUSE PASSWORDS
EVER" isn't the first sentence and summary to any discussion of this stuff.
Even people who should know better (c.f. posters right here on this site)
don't, and those who do get distracted talking about more "interesting" stuff
like GPU hashing algorithms instead.

Just don't do it. And tell all your friends.

~~~
jaylevitt
I'm kinda shocked that of all the "experts" the reporter talked to, nobody
used more than a dozen passwords. I'm no crypto geek, I don't force SSL
everywhere, I've never used TOR or anonymous VPNs or anything - but I have a
few different password _systems_ that allow me to use and remember
semi-unique, word-free passwords on any site I care about. If you were targeting me
personally, and you obtained the plaintext of a few dozen passwords, you could
probably figure one of them out; if you're running a typical automated attack,
you're going to miss me.

I can't possibly be the fastest runner from this bear.

~~~
itsnotvalid
What password _systems_ are you using?

~~~
jaylevitt
1. Stick non-alpha characters in the _middle_ of words. Not 31337
substitutions; additions. Now your dictionary word isn't a dictionary word
anymore.

2. Use the first letter of each word in a phrase. Again, now it's easy to
remember but not a dictionary word.

3. Find a way to customize the password for each site in such a way that you
can remember the pattern. Use letters from the stock symbol, the dominant
color, the domain name, or some other word you associate with that site. Boom
- now your password is unique per site.

------
sunsu
Just another example of why you should enable 2 step authentication on your
Google account. Seriously...do it today!

~~~
cheald
For real. Unique, strong password and two factor auth. Your email account is
the master key to everything you do online. Protect it accordingly.

~~~
itsnotvalid
Unless you use a different email account for password recovery, your email
address is as important as it seems.

However, many sites won't allow you to have a different email account just for
password recovery; that is insecure, as people would then know where to go
for.

------
DevX101
Today's security model is broken. And most people, including readers here at HN,
equate safety with a low probability of being hacked. I've signed up for at
least 50 sites, probably more. The chances are good that not all of these
sites have great security. And if anyone gets my password from that weak link,
many of my other accounts are at risk.

Worse is if someone manages to get malicious software directly to my computer.
At that point I'm screwed, and everything including email/bank accounts are an
open book.

I don't know what the answer is but I sure hope someone would fix it.

~~~
Simucal
I've started using two-factor authentication with my Google account and it
isn't that bad. The mild pain of having to type in my authentication number
occasionally is offset by my increased peace of mind. It does require you to
use an authenticator app on your smartphone though, so for some it might not
be an option.

~~~
graeme
Two-factor authentication is nice. I know many of my different logins are
vulnerable, but they're also for sites that aren't very important, even if
compromised.

Gmail is a different story. Anyone with access to that gets access to most
other things. So the inconvenience of inputting a text message code once a
month pales in comparison to the hurdle it adds to accessing my account.

------
Uchikoma
Can anybody explain how this makes sense:

"The account had seemed sluggish earlier that morning because my wife had
tried to use it at just the moment a hacker was taking it over and changing
its settings [...]"

It does not make sense to me that GMail is sluggish when someone else changes the
settings.

~~~
Pahalial
More likely it was in the midst of the mass-deletion later referred to -
deleting 6 years' worth of email could certainly make gmail sluggish.

------
tsycho
>> On Google’s side, one explanation involved complexities of the law. My wife
and I might think that Google had a “duty” to be able to find her messages
after some hacker had erased them. But according to Google’s legal department,
its higher and more stringent duty is to ensure that messages are erased, if
whoever is in charge of an account wants them gone.

That is a good reason. Moral of the story: make your own personal backups of
everything that you wouldn't want to lose.

------
Shenglong
Has anyone ever wondered why spammers don't use proper grammar? Is it because
the majority of people they target can't type with proper grammar, or because
they're foreign?

~~~
hugh3
Almost certainly because they're not native English speakers.

~~~
ehsanu1
I seem to remember spammers doing this in order to evade naive spam filters.
For example, substitute "v1agra" for "viagra", and get through to the inbox.
Though once you use a trick like that and it gets marked as spam a few times,
you can't use it again. So yeah, perhaps your reason is more sensible.

------
tlrobinson
Expecting average users to use unique sufficiently complex passwords, or even
just a few "tiers" of passwords, will never work because users just don't
care... until it's too late.

Single sign-on systems are the only reasonable solution. Of course that
introduces a single point of failure, so they need to be extremely secure, but
at least it's easier to secure one system with two factor authentication,
advanced monitoring, etc than every site on the web.

------
beej71
_The first thing I did was to back them all up onto her hard disk, with
Thunderbird—and then back up those archives elsewhere, just in case._

If you care about your mail, you should be doing some kind of personal backup
with any service like this. I just fire up Thunderbird, like the author, but
I'm sure there must be a lot of scripts and programs out there to do local
gmail backup.

~~~
mknod
I use getmail on linux. All it really does is backup the mail in mbox format,
but it'll be really handy one day I'm sure.

This person's tale should be a warning to those who have not done a backup
recently. Hard drives have never been cheaper in terms of price per byte. It
only takes a couple of steps to set it up so that it's done automatically.

------
rsanheim
Does anyone have any suggestions for backing up 6 GB of gmail data to
somewhere easily?

I have my own personal domain I could sync it all to, somehow, I suppose. Then
I need a linode box, scripts, etc, etc...

I don't really want to maintain or worry about a local backup of 6 GB (and
growing) of mail from gmail...

~~~
RockyMcNuts
Get Thunderbird (or any email client), on local or hosted box. Or hosted mail
service that can fetch POP. Set it to download Gmail via POP, leave copy on
server.

------
josephcooney
A friend of mine got his gmail hacked - he believes through a POP password
brute-forcing vulnerability. The person or persons who stole it used it to steal his
domain. Fortunately he was able to get it back. I turned on 2-factor auth for
gmail soon afterwards.

<http://secretgeek.net/sg_hijack_1.asp>
<http://secretgeek.net/sg_hijack_2.asp>

------
muratmutlu
Sounds like this is becoming a bit of a problem, another article from someone
at the Guardian who experienced the same thing
[http://www.guardian.co.uk/technology/2011/oct/16/email-hacke...](http://www.guardian.co.uk/technology/2011/oct/16/email-hacker-identity-rowenna-davis)

------
pbreit
OT: is it me or has The Atlantic made a concerted effort to use HN to expose
its move into tech news?

~~~
michael_dorfman
It's you. James Fallows has been writing tech stuff for the Atlantic for
_decades._

------
lapost1979
Ever hear of two-factor authentication???

------
geekytenny
no one is speaking about how we can get this hacker..

