
How Apple and Amazon Security Flaws Led to My Epic Hacking - malachismith
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
======
Matt_Cutts
For the people that want to turn on two-factor authentication on their Gmail
account, here's how to do it:
[http://support.google.com/accounts/bin/answer.py?hl=en&t...](http://support.google.com/accounts/bin/answer.py?hl=en&topic=1056283&answer=185839)
I highly recommend it.

Some of the common misperceptions I see:

Myth: But what if my cell phone doesn't have SMS/signal?

Reality: You can install a standalone program called Google Authenticator, so
your cell phone doesn't need a signal.

Myth: Okay, but what about if my cell phone runs out of power (added: or my
phone is stolen)?

Reality: You can print out a small piece of paper with 10 one-time rescue
codes and put that in your wallet.

Myth: Don't I have to fiddle with an extra PIN every time I log in?

Reality: You can tell Google to trust your computer for 30 days and maybe even
longer.

Myth: I heard two-factor authentication doesn't work with POP and IMAP?

Reality: You can still use two-factor authentication even with POP and IMAP.
You create a special "application-specific password" that your mail client can
use instead of your regular password. You can revoke application-specific
passwords at any time.

Myth: Okay, but what if I want to verify how secure Google Authenticator is?

Reality: Google Authenticator is open-source:
<http://code.google.com/p/google-authenticator/>

Hmm. Maybe I should throw this up on my blog too.

~~~
jrockway
Have you encountered any other sites that allow you to use Google
Authenticator to generate OTPs?

Part of the reason I think two-factor authentication is a usability burden is
because each "identity provider" wants to use its own protocol. Google uses an
Android app. PayPal sent me a card. My brokerage has a keychain token
available. Other companies use a "soft" RSA token that runs on Windows. But if
everyone agreed on a protocol, then I could have everything in one place,
which would make two factor authentication significantly more enjoyable to
use. (I know there are standards: the question is, who other than Google
follows them? :)

~~~
dnaquin
Facebook. See
[https://www.facebook.com/settings?tab=security&section=a...](https://www.facebook.com/settings?tab=security&section=approvals&view)

~~~
alexmuller
As far as I can tell, this offers no way to use Google Authenticator. Only the
Facebook for Android app.

------
steve8918
I'm sorry for the journalist who lost all of his digital information, but I
think/hope that this article will have a huge impact in terms of how the
security practices for all large companies with an Internet presence will
behave.

The fact that they pieced together all this information from multiple sources,
including Amazon's ability to add credit cards over the phone, to getting the
billing address through domain name registration, to hacking into Apple iCloud
really makes me feel... I guess depressed is the word.

We really have no control over our own data security. I've been super paranoid
about things like identity theft, and I got my identity stolen, which is
something I've been dealing with over the past 2 years or so. Somehow, my
birthdate, addresses, etc were all wrong, and I had to jump through hoops to
get it changed. As well, I currently have an unpaid credit card linked to my
account, and the credit agencies and the collection agency won't remove it.
The collection agency required me to submit 3 copies of my signature, a police
record, copies of my identification, etc, before they'll remove it, even
though THEY were the ones who made the mistake. I went to the police station
to file a report, but they needed documentation that I didn't have, since I
had already changed most of the information through the credit agencies. At
this point, I froze all my accounts through the credit agencies, and I've
given up.

The safety of my email, etc, is something that I also take extremely
seriously, and now I'm being told that there's a possibility of being hacked
via clever hackers piecing together information from various sources, each of
which have different security procedures. We literally have no data security
except "security through obscurity", meaning that the likelihood of being
randomly hacked is low, but if someone wants your account, they can and will
get it, pretty easily it seems.

The industry NEEDS to standardize on very rigid set protocols on things like
what information they give out, how accounts are reset, how things like credit
cards are added to accounts, what information they leak, etc. This is
ridiculous.

------
nl
Last time HN discussed this story, I said "turn on 2-factor authentication for
your Google account".

Unsurprisingly, I got the exact reaction I'm seeing here when it has been
suggested: lots of questions about how it works, people who think their
situation is unique so it won't work for them, and people complaining that SMS
is insecure.

1) Don't ask any more questions. Try it out, if you hate it turn it off.

2) Your situation almost certainly isn't unique. You get 10 codes to print
out, you can have (revokable) application-specific passwords that don't
require the token. Try it!!

3) Use the smartphone application.

Don't ask any more questions - just try it out!

~~~
smackfu
This seems like poor advice. If people have questions, they should be
addressed, not "oh don't worry your pretty little head, smart people came up
with this." Like the discussion about app-specific passwords above was very
informative to me... all it takes is one of those getting sniffed or read off
disk and someone can suck down all your email. Not exactly "fire and forget"
security.

~~~
nl
I'm not arguing that it is perfect.

I'm saying that people should turn it on, and try it. Most of the questions
are the kind of things that would be solved by just trying it!

------
suresk
Given how central (for better or worse) of a role email plays in safeguarding
other accounts, the hassle of 2-factor auth for it is feeling like less and
less of an annoyance.

About a month ago, one of my credit card accounts got hacked and was used to
send money to someone else - the number itself wasn't compromised, it was the
actual account. No doubt, the attackers tried to login and change my email
password, but had to settle on the next best thing - spamming my email address
with hundreds of emails per minute in an attempt to cover up the emails sent
by my CC company.

Fortunately, the spamming wasn't very sophisticated and it only took me 30
seconds to filter it all to trash. I was on the phone with my credit card
company within 10 minutes of the attack, which mitigated some of the damage.

I'm sure at some point weaknesses will be found in the 2-factor auth solution,
but for now, it feels almost mandatory for important email accounts.

~~~
ghshephard
I've been using google two-factor auth for the better part of a year now, and
the annoyance comes down to, once every 30 days or so, having to take 5 extra
seconds during login to enter a code sent to my cell phone.

I can't _think_ of anything less of a hassle.

~~~
landr0id
Google has actually made it even less of a hassle by instead trusting a
computer forever instead of having the session last 30 days [1]. This can be
seen two ways though: less of a hassle for the user, and less secure. I wonder
why Google doesn't give the option for the session lasting 30 days or forever.

[1] <http://i.imgur.com/A9Wu5.png>

~~~
graeme
That's horrible. It was already very easy, I don't see the need.

~~~
rdl
You don't have as many computers as I do, or as long a password as I do, I
suspect. Having to type a random long passphrase with special characters on
the weird keyboards of multiple devices every month was a pain. Even worse,
for devices I infrequently use, I ended up basically having to do this every
single time I wanted to use the device.

~~~
evanmoran
<http://passwordsafe.sourceforge.net/>

Then use dropbox to keep the .safe file synced across machines

~~~
zalew
so if someone wants access to all your passwords, he just needs to compromise
your dropbox.

~~~
rdl
dropbox plus either passphrase brute force (or guessing), or one of
(keylogger, compelled disclosure, shoulder surfing, ...) + dropbox.

I consider the 1Password file sensitive enough that it shouldn't be online,
especially not with dropbox. I'd prefer if there were physical protection for
it somehow, too (like a smartcard or FIPS module, which wouldn't allow bulk-
export normally, and which might impose other rules on use like 5 passwords
per hour when outside my home network, etc.) Same way you handle high-security
private keys.

(Ultimately I'm not going to be happy until I have a trusted tablet of some
kind, but building that either requires being Apple or waiting for WP8
hardware to come out and investing about $5mm in some serious security
upgrades. Maybe worthwhile, though, since it solves the general problem of
trusting client devices.)

~~~
dchest
Not sure if PasswordSafe allows using a key file, as sbov mentioned above for
Keepass, but if it's properly implemented, and you didn't put the key file
into Dropbox, it would be pretty much impossible to brute force.

------
brudgers
> _"the very four digits that Amazon considers unimportant enough to display
> in the clear on the web are precisely the same ones that Apple considers
> secure enough to perform identity verification"_

I don't see how this is an Amazon security flaw. The last four digits of my
credit card is printed on receipts from just about every merchant I transact
credit card purchases with. Treating such public information as if it is a PIN
places the flaw clearly in Apple's court.

~~~
throwaway8675
> _First you call Amazon and tell them you are the account holder, and want to
> add a credit card number to the account. All you need is the name on the
> account, an associated e-mail address, and the billing address. Amazon then
> allows you to input a new credit card. (Wired used a bogus credit card
> number from a website that generates fake card numbers that conform with the
> industry’s published self-check algorithm.) Then you hang up._

> _Next you call back, and tell Amazon that you’ve lost access to your
> account. Upon providing a name, billing address, and the new credit card
> number you gave the company on the prior call, Amazon will allow you to add
> a new e-mail address to the account. From here, you go to the Amazon
> website, and send a password reset to the new e-mail account. This allows
> you to see all the credit cards on file for the account — not the complete
> numbers, just the last four digits. But, as we know, Apple only needs those
> last four digits. We asked Amazon to comment on its security policy, but
> didn’t have anything to share by press time._

> _And it’s also worth noting that one wouldn’t have to call Amazon to pull
> this off. Your pizza guy could do the same thing, for example. If you have
> an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on
> the other end of the line all he needs to take over your entire digital
> life._

This part seems relatively bad:

> _Amazon will allow you to add a new e-mail address to the account. From
> here, you go to the Amazon website, and send a password reset to the new
> e-mail account._

~~~
brudgers
What I would say is that Amazon's security is in keeping with the recourse
their customers have in regards to the transactions Amazon conducts - i.e.
credit cards have fraud protection and disputed charges can be challenged and
the money refunded when fraudulent charges are made. Amazon has balanced
costs, risks and benefits for their stockholders.

The wiping of the author's devices was purely due to the level of Apple's
security - a level which Apple established based upon the interests of their
stockholders. To hold Amazon to a standard which protects Apple's customers
(as the article implies) just doesn't hold water - Apple implemented remote
wipe, Amazon didn't.

~~~
throwaway8675
You are absolutely right, the blame here really does fall on Apple. As the
article mentions, the information they got from Amazon could have been
obtained from a local pizza joint as well.

Even so, this seems like a decent way to compromise amazon accounts. Even
though the danger involved when that happens is pretty minimal for the reasons
that you mention, it should nevertheless be something that concerns them. Even
just things like revealing purchase history is an issue, though of course
unlikely to be a lifewrecker like the Apple situation. I can't imagine this
process will work with them in a few days. All I meant to say is that they
have something to fix, not that they share significant blame.

~~~
brudgers
After some additional thought, I suspect that Amazon has an additional layer
of security in the form of algorithms which flag suspicious account activity
just as credit card companies do.

Based on the account, it appears that Apple does not - customer support call +
password recovery + wipe iPhone + wipe iPad + wipe Macbook did not raise a
flag.

------
cubicle67
My bank and a few other companies I deal with require some sort of
pin/password in order to speak to someone over the phone. When I call, the
conversation usually goes something like

    "Hello Mr 67, before we start I'll need your pin"
      "I have a pin?"
    "Yes, when you set up this account you were given a pin required for phone access"
      "Really? I have no idea what it is..."
    "That's ok. If you can just answer these other few questions.
     What's your mother's maiden name"
       [redacted]
    "and your birthdate"
       [also redacted]
    "thank you Mr 67, now how can I help you today? ..."

~~~
dkersten
These "security" questions are usually, IMHO, the weakest link.

~~~
jamesbritt
That's why you make stuff up when initially providing the answers to be used.

~~~
Groxx
and then immediately forget them, and discover that they weren't really
necessary anyway and your <service> lets you in with other questions.

------
brown9-2
_It turns out, a billing address and the last four digits of a credit card
number are the only two pieces of information anyone needs to get into your
iCloud account._

This is scary.

~~~
mechanical_fish
I have actual work to do, work that I have been putting off too long, so let's
try crowdsourcing this question on HN:

What _should_ one try to do to protect against this?

Hypothetical actions to take:

Make sure that an email address that's doing double-duty as a login identifier
for a given service is unique to the service and appears nowhere on the web or
in outgoing mail.

Take particular care to have a "recovery" email address that is used for
nothing else. Don't forward it to your regular mail, naturally.

Enable two-factor auth for email if you possibly can.

Have a credit card that is only used for online stuff.

Can one get a second address that is used only as a billing address? How would
one do that? (A P.O. box? Expensive! A friend's house? I fear that credit card
companies will leak this address like a sieve no matter what I do.)

EDIT: Startup wizards, here's a Minimum Viable Product: a credit card that can
only be used for online accounts - which you must whitelist as you add them,
via two-factor auth with your phone - and that features two billing addresses:
The real one where the bills go and a dummy one that still validates. (Is that
even legal under the CC rules? Sigh.)

The other suggestions in the article: Disable Find my Mac, reduce coupling
between your accounts… was there something else?

Alas, nobody who isn't crazy paranoid is going to bother jumping through all
these hoops. (I have tried to fight that paranoia but I think I'm losing that
battle.)

~~~
columbo
The most surprising thing I see out of this isn't the need for more robust
authentication but for services that aren't so damn quick to do whatever you
want.

Website: "Hey Bill, glad to see you today, what do you want to do"

Bill: "Delete _everything_ I've ever done on every system I have"

Website: "Of course! Let's get this started... beep boop bip and done!"

What about this:

1 - Kill request sent

2 - 48 hours is set on the clock so you can choose to cancel

3 - You can choose to pay $50 via credit card to have it happen immediately

4 - You are reimbursed $45 after a couple weeks

That might make it a little harder to have such hacks like this happen in the
future.

~~~
wallywax
I can just imagine the HN article when someone tries to delete his Facebook
account because he disagrees with some new feature, and they won't do it for
48 hours. I've been on the receiving end of "DELETE MY ACCOUNT!!!1!!1"
requests, and I know those people wouldn't respond well to "wait two days or
pay up."

~~~
kmm
Facebook doesn't even allow you to delete your account. If a site were to
remove the account from the public view, but delay the actual deleting by a
few days (I'd prefer a week or more actually), you wouldn't notice the
difference unless you were malicious. But I don't understand what the money is
for actually.

~~~
columbo
> I don't understand what the money is for actually.

I was thinking about remote storage and devices. For example, a backpack is
stolen with your phone/tablet/laptop and you need to issue a wipe to it _NOW_
before they are compromised.

Requiring a credit card at least leaves a paper trail of some sort.

------
shalmanese
I think a lot of people are missing the forest from the trees in this
discussion. The real interesting question is not how he got hacked, it's why
it doesn't happen more often? None of the tricks listed in the article are
particularly time sensitive, the fundamental patterns behind this hack go back
at least several years and they relate to fundamental design interactions
between complex systems that are difficult to impossible to change. So given
all this, why him? why now?

The answer doesn't have anything to do with how he should have set up 8 factor
authentication or how he should have had a Swahili-numeric password. The
answer is that his hacker had _extremely atypical motivations_ and that's the
reason his life got destroyed.

The goal of this hacker was to pwn this guy's short, valuable twitter account.
It's unlikely there's really any other hacker in the world who has that goal
which is why such attacks are so rare. For most hackers, there's some sort of
rational ROI calculation and if the ROI is negative, the hack isn't worth
doing.

Nerds often have a hard time seeing that security is a holistic system. It's
often comprised of many flawed layers that are layered in depth to provide a
statistically secure system. In real life, security comes from being able to
push down the ROI through institutional mechanisms rather than personal ones.
Credit cards are designed to be stolen and recovered from, investigations are
able to target key players in the field and tough penalties means that the
negative effects outweigh the positive gains.

All this has led to a black market rate of merely $2 - $3 per stolen credit
card, meaning that there's not much motivation to hack in the first place.

Nerds naturally have a libertarian bent which makes them more inclined to
believe encryption and technology is the solution to the problem when, in
reality, it's a beefed up police state and American hegemonic decisions that
can span the globe.

~~~
cbs
>it's why it doesn't happen more often?

It does. It happens _all the time_. Most victims don't have the luxury of
writing a wired article about it and are stuck picking up the pieces on their
own.

------
mike-cardwell
"Moreover, if your computers aren’t already cloud-connected devices, they will
be soon."

I disagree. You can and will (for the foreseeable future) be able to choose a
computer/configuration that doesn't allow some remote third party to run
arbitrary code on it or wipe it.

His devices were all wiped because he let a third party have that level of
access.

------
SCdF
I wonder, do any of these company send defensive communications when people
try to unlock things like this?

Yes, I made that phrase up. So here's what I mean:

- "Amazon then allows you to input a new credit card." <-- Amazon should
then send an email confirming this to your email address, a txt to your phone,
and a smoke signal to your Tipi.

- "Next you call back, and tell Amazon that you’ve lost access to your
account.", email, phone, Tipi. And a waiting period.

- When you call Apple's tech support, again: email, phone, Tipi.

Maybe I'm missing the obvious flaw in this plan, but since customer support
(humans) seems to be one of the main weak links, it would make sense to
presume that's where people will attack, and to then attempt to reach out with
all communication mediums possible to make sure you're talking to the real
deal.

------
danweber
We need people to be able to regain access after losing a password, and we
need only the right people to have that. This is a very hard problem.

One thing that we should have is a "cool down" period. If you want to regain
access to, say, your GMail account, then it will take 48 hours of waiting, and
phone calls and emails will go out to your contacts before that is completed,
so the real person has a chance to protest.

I don't understand how the MacBook data was permanently lost. Even if the
files were deleted in the OS, they are recoverable by disk utilities. Unless
they were encrypted. Which just goes to say that when you think the solution
to your problem is encryption, you don't understand your problem.

~~~
cheald
If you ever reach the point that your account is so hard to recover that it
requires human customer service intervention, the recovery process needs to be
tedious and thorough.

"Okay, I'll need a notarized copy of a photo ID and once we have that, we'll
give you a call to the number we have on file to confirm the change."

It's not perfect, but it would require an extremely dedicated and targeted
attack to bypass, as opposed to "Hi, I'm your pizza delivery guy. I took a
look at the receipt before I delivered your pie, and now I know the last 4 on
your CC, your billing address, and your name. Let's go iCloud fishing!"

~~~
daigoba66
I agree, if you get locked out and need to regain access it should be _as hard
as possible_ to get back in.

On the flip side, we perhaps need to come up with something better than
usernames and password for authentication. There are plenty of services where
I simply cannot remember my password and/or username. I'm getting better about
writing them down inside a password protected master file. But for many of
those services I rely on the account recovery procedures; a vast majority of
which are vulnerable once the attacker has access to my e-mail inbox.

~~~
cheald
The problem is simply that if things are easy enough to remember, they're easy
enough to crack or brute force. If they're too hard to remember, people will
forget them and have to recover them.

I use LastPass and just generate a new random password for every new account.
If I ever forget my LastPass password, I am _boned_ (since it's the encryption
key for my data!), but I don't worry about forgetting passwords anymore, and I
don't worry about RandomSite getting hacked and my password being leaked. It's
not perfect, but it's good enough.

------
gatordan
I don't have a blog and I don't know the proper convention for those "Show/Ask
HN" posts so I suppose a comment here is the next best thing because my
question is related.

After reading the "Yes, I was Hacked. Hard." post I updated several of my
passwords and found that Netflix enforces a 10 character limit on their
passwords. Does anyone have an idea why or how this could be the case? I would
find it very ironic if they did this to save a few bits per user in their
database considering they're a media streaming company.

~~~
damian2000
Very likely it's just some sort of limit imposed by a security API or library
call. Definitely not a way to save space. It's really idiotic - they should be
extending it out to longer than that, but there are still some banks around
that impose shorter limits than this (8 chars) so they are in good company.

------
mick_dundee
Two-factor authentication is important for online security (and not just email
accounts), but there are other lessons to be learned from Mat Honan's
misfortune. I'm probably more extreme in my practices than most people, but
I'm OK with the inconveniences.

- You can't rely on companies providing online services to have your best
interests as their best interests.
- Take security seriously because if you don't you won't know about an attack
until it's done.
- Don't use a vendor's all-in-one services.
- Don't use "the cloud" as a backup source.
- Back up frequently.
- Don't use one email account for everything.
- Have an email account that is used for recoveries and nothing else... and
keep it obscure. e.g: x90x90recovx@someotherhost.com
- Don't use personal credit cards for online purchases.
- If it's an option, don't store credit card details against your account;
choose to manually enter it every time.
- Don't use the same credit card for multiple sources of online
shopping/billing/etc.
- Don't give real answers to "security questions", such as your mother's
maiden name or the name of your first pet.
- Don't provide real personal information (address, contact number, etc) to
online services when you create an account.
- Don't use Facebook, Twitter, etc irresponsibly.
- Shutdown if you're not at your computer.
- Encrypt your data.

~~~
TwoBit
Can somebody explain to me how it is that two-factor authentication would have
prevented the hacker from seeing the author's recovery email address? Why
would Google allow _anybody_ to see your recovery email address without a
password, and why would two-factor authentication prevent it. The author never
explained this.

------
metafunctor
Some banks provide a service which allows you to create unique credit card
numbers without actually having to get separate physical credit cards. Kind of
like application-specific passwords, but for credit cards.

See here: [https://www.citibank.com/us/cards/gen-content/messages/van/i...](https://www.citibank.com/us/cards/gen-content/messages/van/index.htm)

Separate credit card numbers for Amazon and Apple would have prevented this
hack.

~~~
raverbashing
This

This would be much more effective than the "Verified by Visa" theatre.
"Virtual credit cards" with a limit and maybe even vendor limited (for
example, create a virtual card and add some sort of vendor id for Amazon)

Too bad it can't be used for anything, for example, some airlines require you
present your CC when traveling (if it's your cc and you're traveling)

------
dendory
Everyone focuses on Gmail 2-factor, but that should be added as an option for
any online service. It's trivial for any web developer to use the Google
Authenticator to offer 2-factor auth for your own service in just a few
minutes. I made a demo a while back in less than an hour, all open source.
<http://dendory.net/twofactors>

------
chmars
Useful advice via [http://notes.kateva.org/2012/08/net-security-is-completely-b...](http://notes.kateva.org/2012/08/net-security-is-completely-broken.html):

'We need to give Schneier a few drinks and get him to talk about this again.
Failing that:

Backup for Darwin's sake. Don't enable remote wipe of Mac OS X hardware. Just
encrypt it. Use Google two-factor (two-step verification) if you are a geek
and can stomach it. Fear the Cloud. Keep the data you value most close to you.
Don't use iCloud. Don't trust Apple to get anything right that involves the
Internet and/or Identity.

Not being Schneier my advice isn't worth much, but fwiw I suspect the
"solution" is:

Get rid of the secret security question. Strictly limit password resets. If
someone lost last access, charge them $50 to go to bank, post office or notary
to establish their identity. Incorporate biometrics (thumb print and speech
probably).'

~~~
rmc
Some regions have data protection laws. This means in some places the standard
security questions (like "What's your mother's maiden name?") are not enough
to protect people's personal data. (Which is good).

However such laws also include access. You cannot use disproportionate means
to require access. Biometrics would probably not be legal to protect things
like photos etc.

------
btb
The scariest part of this article IMO is how there now is a recipe posted for
getting into any amazon account. Imagine all the damage/harassment they could
do once in there, buy all kinds of stuff and have it sent to you. Spin up 20
EC2 instances and use them to perform illegal activities etc, while burning up
cash on your credit card.

That to me seems much worse than having an imac wiped.

------
cookiecaper
The fact is that Apple and Amazon have far more confused customers than
targets for social engineering attacks. They are _always_ going to have an "I
forgot everything about myself and my account, please let me in!" option. All
cloud service providers are going to have this.

With this in mind, it may not be wise to remotely link your MacBook such that
it can be wiped by Apple Central Command. Do people seriously do that? A phone
is maybe kind of reasonable for this kind of thing (only kind of), but your
actual laptop? Is this a requirement of new versions of OS X or something? I
don't know who would set this up willingly.

Any local data that you want to keep from attackers should be stored as
ciphertext. Your secret key should be encrypted with a strong passphrase. Most
thieves, even high-level corporate espionage-type thieves, won't know how to
use GPG in the first place, but if they do, if you've done it right they won't
be able to get in.

From the perspective of keeping ourselves safe in a world where all data is
kept on (or hooked up to a remote control at) the server of a big faceless
corporation, all plaintext should be considered public info. Just because they
haven't published or leaked it yet doesn't mean they won't, and it doesn't
mean that anyone with an interest can't go in and take it, or that they won't
wreak havoc for an ultimately minor goal (like access to Twitter).

Encryption and backup. The two constantly repeated, never honored mantras
whose inconveniences have plagued computer users for decades now. If people
did these things correctly, hacks would rarely matter or jeopardize
significant amounts of data. This is a field that is ripe for system-level
disruption; Time Machine kind of helped with the backup, but we still don't
have anything decent for layman's crypto (perhaps because the business models
of companies are now so dependent on reading our information and selling it
back to interested parties).

~~~
Someone
_"Encryption and backup. [...] If people did these things correctly, hacks
would rarely matter [...] This is a field that is ripe for system-level
disruption"_

Encryption and backups set in stone. An attacker may not be able to read your
encrypted backups, but if he can delete them, you still won't be happy.

I think the only feasible solution is that of online, write-only backups. They
need to be online so that devices can backup themselves when they deem that
necessary; you cannot trust users to do any manual backup task. They need to
be write-only because, otherwise, with online backups, an attacker could wipe
all your backups. Semi-write only, in the form of "deleting backups older than
a year" or "delay any deletes by a month" (to give the user time to report his
phone to be stolen) or "delete only after three-factor authentication"
probably is acceptable.

_"perhaps because the business models of companies are now so dependent on
reading our information and selling it back to interested parties"_

I think it is because online backup looks too pricey. People keep comparing
the price of online storage to that of hard disks. For example, Dropbox is
about $1 per GB of storage per year. You can buy an SSD or a laptop for
less than $1 per GB of storage. As this example shows, current solutions also
do not protect well against attacks.

I am not sure that the options of having your own cloud, or of making a cloud
with others (peer-to-peer backups) will make sense to Joe consumer. Users may
not want yet another device at home, likely will not have the upload bandwidth
(yet), and are a risk factor with respect to operations on such a device. A
home device probably would have to be a custom device, not a PC. Users cannot
be trusted to operate it in ways that keep their data secure, so you must
make it impossible for them to operate it.
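The "semi-write-only" backup policy sketched above (writes always land, deletes are only scheduled and take effect after a grace window the owner can cancel) modelled as a small store. This is an added example, not code from any real backup service; the class, method names and the constructed reference time are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

GRACE = timedelta(days=30)          # "delay any deletes by a month"
T0 = datetime(2012, 8, 6)           # constructed reference time for the demo


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass
class Snapshot:
    name: str
    data: bytes
    delete_after: Optional[datetime] = None   # None -> not scheduled for deletion


class WriteOnlyBackupStore:
    """Hypothetical store: put() is always allowed, delete is never immediate."""

    def __init__(self, grace: timedelta = GRACE) -> None:
        self.grace = grace
        self.snapshots: Dict[str, Snapshot] = {}

    def put(self, name: str, data: bytes) -> None:
        # Existing snapshots are immutable, so a stolen write credential
        # cannot be used to overwrite history with garbage.
        if name in self.snapshots:
            raise PermissionError(f"{name} already exists; snapshots are immutable")
        self.snapshots[name] = Snapshot(name, data)

    def request_delete(self, name: str, now: datetime) -> datetime:
        # Deletion is only scheduled; the data stays until now + grace.
        snap = self.snapshots[name]
        snap.delete_after = now + self.grace
        return snap.delete_after

    def cancel_delete(self, name: str) -> None:
        # The owner noticed the rogue delete (e.g. after reporting a stolen
        # phone) and revokes it inside the grace window.
        self.snapshots[name].delete_after = None

    def purge(self, now: datetime) -> List[str]:
        # Only snapshots whose grace window has fully elapsed are removed.
        gone = [n for n, s in self.snapshots.items()
                if s.delete_after is not None and now >= s.delete_after]
        for n in gone:
            del self.snapshots[n]
        return gone

    def restore(self, name: str) -> bytes:
        return self.snapshots[name].data
```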

------
donohoe
"Epic Hacking"?

A whole lot of damage was done, yes - but an "epic hack"? Don't think so.

    epic: heroic; majestic; impressively great

------
forcer
"The disconnect exposes flaws in data management policies endemic to the
entire technology industry, and points to a looming nightmare as we enter the
era of cloud computing and connected devices."

This disconnect is unfortunately not limited to the tech industry. Every
receipt you get when you pay with your credit card offline will display some
part of your credit card number. The crazy thing is that there is no standard
for it and everyone picks different numbers! If you collect your receipts and
then throw them all away at once without destroying them - anybody can put the
numbers together.

I would say this is a much bigger problem and has been around here for ages!

------
sschueller
How can he not press charges against 'Phobia' and any of his stupid script
kiddy friends? Maybe the police are too stupid to do anything and the FBI has
too much other shit to do, but isn't there any legal way to get these bastards?

~~~
mike-cardwell
He probably doesn't want to risk further attacks. If he did want to get the
police involved, I bet the attacker wouldn't be too difficult to find with all
the services they logged into and phone calls they made. I mean, they could
have used Tor for all of their Internet activity, but I bet they still used
their home land line to make the phone calls.

------
stuff4ben
It boils down to "who do you trust?" Ultimately you have to take some
responsibility in ensuring the safety of your data and be cognizant of the
weaknesses of each link. I backup my data onto an external HD. In the event of
fire or that HD being lost or stolen, I have online backups of everything but
video. I also have an older external HD backup stored at my parents' house 2
hours away. I trust myself to an extent and the cloud to an extent, but never
either absolutely. My life is not Google or iCloud or Dropbox or Drobo.

------
tjoff
_When you perform a remote hard drive wipe on Find my Mac, the system asks you
to create a four-digit PIN so that the process can be reversed. But here’s the
thing: If someone else performs that wipe — someone who gained access to your
iCloud account through malicious means — there’s no way for you to enter that
PIN._

That sounds more like remote encryption to me. And a four-digit PIN is easy to
brute force (assuming that it isn't asking Apple for the decryption key once
entered (which means you need internet access to reverse it)).

------
ksolanki
Most of the "security questions" can be answered by looking at the Facebook
profile (of the person or his/her friends -- at least some have the info
public). A motivated hacker can possibly crack even bank accounts using the
Facebook profile. The account/security is indeed in a big mess.

------
macspoofing
>If I had some other account aside from an Apple e-mail address, or had used
two-factor authentication for Gmail, everything would have stopped here.

Are you sure? Do you trust the minimum wage customer service reps of your
phone company to not be susceptible to social engineering?

------
sriramk
The scary bit (well, one of many) is how easy it is to get access to someone's
Amazon account by just knowing their email address and billing address. That
lets you buy anything, see their entire order history and probably gives you
access to all of AWS.

~~~
AlwaysWatching
If they try to add a new address, Amazon will ask for the payment method to be
re-entered.

------
kunil
Can someone explain the reasoning behind the implementation of those "remote
wipes"? If Apple pulls a trigger, everything on my laptop is erased when it is
next online? I can't see any practical application for that.

~~~
peejaybee
It's to keep sensitive information from falling into the wrong hands.

------
mike-cardwell
Just logged into my Amazon account and removed all of the cards I have on record.
Suggest everyone else does the same.

~~~
infinite8s
That doesn't matter for the purposes of the crack. With your name, billing
address and email the cracker was able to add a new credit card number.

------
setandbma
Does this scare you?

------
rogerchucker
Somebody else found out an iCloud flaw... [http://m.smh.com.au/digital-life/consumer-security/aussie-ex...](http://m.smh.com.au/digital-life/consumer-security/aussie-exposes-icloud-flaw-but-apple-stays-silent-20120806-23pmx.html)

------
rogerchucker
<http://whois.domaintools.com/emptyage.com> reveals way too much about Mat
Honan!

~~~
thaumaturgy
All the major registrars I know of offer free whois privacy services.

~~~
rogerchucker
What does such a privacy service entail?

~~~
thaumaturgy
As far as setting it up, usually just a checkbox somewhere on the registrar's
admin panel.

As far as the results, all of the contact information in the public whois
record is replaced with the registrar's contact information. They will forward
information on to you if absolutely necessary.

I keep whois privacy turned on for all my clients just to protect them from
that damned Domain Registry of America scam.

------
rogerchucker
Most important lesson as far as reducing vulnerability to social engineering
is concerned: whatever service we subscribe to - we should always find out
about their account retrieval process.

In other words, we should always ask "what is the password retrieval process
for the new account you just opened?" This sounds like a big task and one
where not all scenarios can be covered. But I think this is a good first step
- as long as we are still dealing with passwords, federated identity,
half-masked credit card #'s and security questions.

I think this exercise would help us be careful about our choice of passwords,
answers, and email IDs.

What would be the most obvious downsides to this approach?

------
modularunit
Can we please get the entire internet to agree to stop using email addresses
as usernames? It's not a user, it's an email address!

~~~
pizza
With every platform, there is compromise between convenience and security;
when your platform has to reach many, many non-tech-y people, convenience is
preferred.

~~~
eupharis
There are easy trade-offs one can make between convenience and security. For
example, identity verification on the phone with the last four digits of a
credit card (Apple).

But then there are policies and technology that increase BOTH convenience and
security. Say the difference between using SSH these days versus using, say,
paper and an Enigma machine.

The inconvenience of Google Authenticator is minimal and the security provided
is huge.

