Hacker News new | comments | ask | show | jobs | submit login
Yes, I was hacked. Hard. (emptyage.com)
446 points by thibaut_barrere on Aug 4, 2012 | hide | past | web | favorite | 295 comments

Damn, poor dude. The remote wipe was a pretty big asshole move.

I'm pretty curious about the initial break-in on his .mac account. I suspect that either he's misremembering and he has used the password elsewhere (and it was compromised there -- easy to happen over so many years of use), or it wasn't very strong to begin with and it got guessed after a handful of attempts.

There are a handful of takeaways from this:

- Backups, obviously. A lot of people here so far are mentioning online backup services, but those would be just as vulnerable to this kind of attack, since they're accessible online and use an email account for password resets. Online backup services and physical offline backups solve different problems and it's a good idea to use both.

- Since I haven't seen this mentioned anywhere else: I wonder if it's time to consider keeping a "secret" email account that's only used as the password-reset account for all of your services? Something that you never use for communication, never publish anywhere, something with its own entirely separate password.

- Be careful about owning multiple devices from a single vendor that provides remote access and other kinds of control to those devices. Mobile devices are inherently insecure; they shouldn't carry sensitive personal information, ever. There are a lot of really good reasons for going with a single vendor, and remote wipe is a really valuable tool in case of theft, but the downside is ... well, this.

- Use some kind of password storage mechanism. (I prefer something that's not tied in to a publicly-accessible service.) I've made a game out of memorizing horrible passwords, and can recall quite a few without any patterns or mnemonics or the like. Still, I use KeePass every day anyway.

And maybe most of all: I doubt there's a single one of us that has a moral high horse to ride on this. Everybody always has something better to do than set up a new backup system or dick around with something that will only maybe hurt them someday. I'm constantly harping on other people about backups, but only a couple of days ago got my development machine on our network backup system; I'm pretty anal about passwords, but still I'll panic pretty badly if my laptop is ever stolen, because in there, somewhere, is probably a plain text password stored in a file that I've forgotten about, and there'll be a chance that I'll forget to change that particular password if I find myself having to suddenly change every single password for everything I've got access to.

+1 for the moral high horse. Everytime something gets hacked the hacker community blames the victim for using less-than-optimal security. Well guess what? There is no foolproof system. The same reactions are seen when sites go down. 'Oh, but they should have used a distributed, redundant buzzword compliant system in a multitude of nuclear bunkers and this would never have happened'. Every system has weaknesses. And every person or team is imperfect. Sure there are lessons to learn, but lets show some sympathy and ask the persons involved what they would improve, not assume that we understand everything and dictate what they should have done.

Except in this case we're talking about a solved problem. The simple rule - and is really is simple - is 3/2/1: three copies, two local, and one remote. Anything less is "backup", not backup.

Time Machine (a free utility that ships with OSX, not a military-grade absurdity) would have handled the full restoration of the laptop, which could then restore the wiped iPad and iPhone fully. He'd still have the email hacks to contend with, but at least he'd have his tools back.

It's not his fault that he became a target, and blame for the attack should be firmly limited to the agressor. But the severity of the consequence was clearly amplified by substantial incompetence and / or indifference on his part.

I recently tried a full system restore from Time Machine (from the Disk Utility in Recovery) on a zeroed out partition and it kept failing midway giving me a generic error. Ended up installing OS fresh and restoring files selectively inside Time Machine.

I've lost a lot of respect for Time Machine since then.

As a counterpoint, I have an office full of Macs and TimeMachine on a Synology NAS. Everybody lurvs it. I have done 3 full restores and 2 migrations with it (not even going to count the number of "oh, shit!" events). It couldn't be any simpler. As the office Mac expert I have to do very little except boot into recovery mode and get it on the network.

I'm not sure what your error was but it might have been for the best. If there was corruption in the backup image then you'd be complaining about how it restored a corrupt backup.

I would expect that it would check the backup on a regular basis and either repair the issue or warn me that I needed to do something drastic.

Just failing to restore is unacceptable.

I also failed my TM restore but that was back in 2007 - it's since improved a lot, but I still keep a roughly 2-3mo old imaged disk - ie, SuperDuper/CarbonCopyCloner. This restore also takes only minutes, as you can boot from external.

Not having any backup is, for a technically capable user, indefensible.

For a non-technical Mac user, I would hope someone mentioned buying an external hard drive for Time Machine. Seems to work fine for the normal case.

I'm curious how remote wipe acts when a computer has multiple partitions or multiple drives (internal or otherwise); would a remote wipe with a connected USB drive for time machine nuke that too?

Yes. I push this with extended family. Best ~$100 investment a Mac user can make. Windows 7 built in backup works fine too.

Ubuntu uses Deja-Dup for backup, and I've heard it works wonders too.

How is it even possibl? iOS devices back themselves up every time they are plugged into a Mac automatically, and it's really difficult not to have a Mac backup, time machine just does it automatically whenever it feels like it. I find that within the Mac ecosphere, it's hard not to have backups.

I backup gmail with gmvault to a thumb drive, which I suppose is beyond many non technical people, but I'm sure google will figure out how to restore his account without much difficulty.

I wish I knew how this person knew how his password was compromised, it sounds reasonably secure.

I suspect a lot of people ONLY have the devices, and have not spent the extra few hundred on any kind of backup. A Time Capsule? A third-party remote backup service? An external HD? That costs MONEY!

I personally haven't plugged my iPad into my Mac in ages. Then again I've also made damn sure it's backing itself up to the cloud. I'm not sure if this is the default setting. It should be, IMHO.

(And I gotta say, it's really freeing to know that even if all my possessions are destroyed, I will have lost at most a day or so of work.)

Backing up to the cloud isn't going to help in this guys situation. The malicious user had access to his iCloud account to remote wipe his devices, they would (did?) just as easily delete his cloud backups

I have apps in the App Store and have to deal with a certain level of technical support. You'd be amazed how few people still plug their iOS devices into the master computer.

Well, honestly, why should it be necessary?

Gmvault stores your Gmail password locally. An alternative is using an email client which can download your Gmail using POP3. Most clients let you choose whether to store the password. You can set up your own folders and filters if you email client supports it.

Gmvault uses mainly OAuth to authenticate you so there is no need to store any passwords. The token will only allow you to access your Gmail account via IMAP.

As an alternative there is a mode where you can use your Gmail passowrd and it can be saved but this is not recommended.

I had no idea about a Gmail backup solution. I just had a network of duplicate accounts which get copies of mails and password resets if my primary ever got hacked.


Link for the lazy - http://gmvault.org/

> +1 for the moral high horse. Everytime something gets hacked the hacker community blames the victim for using less-than-optimal security. Well guess what? There is no foolproof system. The same reactions are seen when sites go down. 'Oh, but they should have used a distributed, redundant buzzword compliant system in a multitude of nuclear bunkers and this would never have happened'. Every system has weaknesses.

In this case, the guy had ALL his shit wiped. Not a clumsy move at work causing months of extra work, or some dickhead hacker having some fun with your account credentials, no they actually thoroughly deleted a huge chunk of his personal data.

See it's like, if a pyromaniac burns down someone's home, maybe there were ways to prevent that, but you don't go blaming the victim then either. Some times the first thing is sympathy. There's times to be heartless and times to be not.

Remote-wiping all his personal stuff was so unnecessarily malicious, sympathy comes first. And besides, in this case, not having any non-remote-wipeable backups, the only thing you could possibly maybe blame him for is putting all his stuff in the cloud. Yeah no not smart, maybe, but it simply doesn't weigh up to the fact that someone actually went through the trouble of meticulously deleting all of it. Not stealing, or defacing, but deleting.

I bury encrypted backups in my backyard. It's not foolproof but it seems much more secure than depending on an online backup. /highhorse

I tried that, but then my backups got eaten by a high horse, high on horse.

If you hack into my email account, you still can't read any password reset emails that are sent to it: https://grepular.com/Automatically_Encrypting_all_Incoming_E...

OK, so now I know that I need to hack your dns server or your registrar instead - then I'd just publish MX records for your domain and head off to all the "I forgot my password" links I can find.

It's turtles^h^h^h^h^h^h^hsecurity problems all the way down…

Yes. I am aware that there a further attacks, and I mention that in the blog post. There is still significant security value in doing what I'm doing though.

For sure - sorry if I gave the impression that I thought otherwise. There's a big win in making it impossible for me to trawl through all your old mail looking for "interesting" things. It's a very nice idea.

That's all wonderful, really; but it's not exactly practical for everyone to do for themselves.

No it's not, but anyone who runs their own mail server can do it, and anyone who provides a mail service for others could provide it as an option. Hell, even Google could implement it, and add a simple "Upload your public key" option to their preferences page. Maybe doing it as one of their Google Labs things. Obviously, they could implement it in a much more efficient fashion than the implementation I provided.

I really like the idea, but what if someone hacks into your email server and just turns off the encryption step / reads the incoming traffic? I assume they won't have your private key in that case, but crazy-few sites require and check (or even allow?) encrypted emails as validation, so they could still masquerade as you until someone checked the numbers.

This is addressed in the blog post:

"There are obvious caveats to this solution though. If somebody gets root on my server or access to the network, they can sniff the emails on the way in before they're encrypted. This wont help them access historical email which was encrypted before they started though. Also, if somebody installs a trojan on my laptop it's game over; they can grab my private PGP key, and use a keylogger to get the password for the key."

There is no "perfect" solution. There will always be attack vectors. I just removed a few. Specifically, compromising my email account, or compromising one of my clients (in certain ways).

This is a fantastic idea.

I remember this showing up on HN before! It's really cool, and it's been on my to-do list for my mail server ever since.

Two-factor authentication should make it much harder for somebody to break into your email account (secret or otherwise) and reset your passwords.

Instead of memorizing horrible passwords, have you tried making a non-horrible passphrase by rolling dice and picking words out of a dictionary? Arnold Reinhold calls it Diceware:


It isn't easy to develop these habits, but my data is priceless to me. I know that too well because I've lost some of it, and it still hurts. So I've made it a tradition to chip away at it on daylight savings sundays: update clocks, check smoke detectors, work on backups, shame friends into doing same....

While two-factor authentication may be a good idea to gain access to sensitive information, I'm not sure it would be practical to use it for remote wiping devices. Typically the device you would want to wipe is one of the two factors.

(Which underlines the point that you need to do backups...)

Google's 2-factor auth comes with a list of onetime disposable keys one can use in place of not having their smartphone. I've had to use one specifically because I flashed a new Rom onto the Android device I was using before I thought about how I would setup the new Rom as a new device, which required me to log into my Google account. Almost the same idea as having the device get remote wiped unexpectedly. I keep a printed list of these keys in my fire safe at home with other important documents, like my birth certificate and passport.

Google will also call your home phone number and audibly speak a code to you if desired.

(Incidentally, you can backup and restore /data/data/com.google.android.apps.authenticator2/databases/databases via adb pull/adb push and you don't have to do the "painful" restore. It's slightly less secure, but I keep a copy on my SD card.)

Giant-flashing-neon-warning: if your phone's rooted (needs to be to pull /data), an attacker can pull it too. Use a passcode and enable full-device encryption (passcodes don't block recovery) to defend against this. If you're making full-image backups, wherever they're stored (on-device or elsewhere) needs to be secure too.

PS: even if you aren't rooted, if your device can be rooted w/o a wipe, should consider yourself just as vulnerable and enable FDE as well.

Yup, absolutely. I run FDE mostly just out of a personal policy that anything that someone can pick up and walk off with is encrypted, but this is a very good point.

The DB is a Sqlite3 database containing plaintext tokens and the account names they are used with, so while the attacker would still need your password, they can generate new tokens with that data.

Good policy upon losing any device that contains 2FA information is to use one of your backup codes to log into your account, remove the 2FA, and re-add it, thereby invalidating the old token secret. Thus, even if someone has your unprotected DB, they can't generate tokens for your account.

I like diceware a lot. The only drawback is that the pass phrases are too long for some sites.

Any site which has low upper bounds for password lengths is not to be trusted.

Certainly, I agree, but half the web is still that way. Many banking sites even.

I think it's a bit hyperbolic to call it half the web. Only a small handful of sites cap password lengths. They might happen to be sites you use, but it's not nearly as common a practice as you seem to think.

I don't think you're correct. Anyone who's storing a password in plaintext is probably going to use a fixed-width field to do so. I'd bet half the internet stores plaintext passwords. A lot of the web is one-off e-commerce systems that no one should trust anything with.

My bank caps at 12 chars -- silently. I couldn't login until i only typed the first 12 chars.

Are they actually using all that password length, or are they just allowing people to enter long passwords and truncating them?

I've used a system at work that truncates passwords when setting them, but not when checking them. It doesn't fill me with confidence.

The problem is that sites can truncated your password without telling you. Hard to make the call not to use a site if you don't know it is doing that.

I suppose you could attempt to log in while omitting the last character of your password to test against truncating.

True, good point.

> but still I'll panic pretty badly if my laptop is ever stolen, because in there, somewhere, is probably a plain text password stored in a file

You really should consider using using whole disk encryption like FileVault or PGP-WDE. Encrypting a single directory or a home directory is not a good solution.

You should encrypt all PCs, laptops that contain anything valuable with with something like truecrypt.

I use TrueCrypt. I put all the files I create into a single encrypted volume. I copy that encrypted file to a thumb drive and bury it in the backyard. I don't encrypt the entire hard drive, though, something I should probably do to protect the recycle bin and whatnot.

if you lost truecrypt password -> http://16s.us/TCHead/faq/

^ if you used a poor truecrypt password

and remember to use a different password from your iCloud account.

I suspect that either he's misremembering and he has used the password elsewhere (and it was compromised there -- easy to happen over so many years of use), or it wasn't very strong to begin with and it got guessed after a handful of attempts.

This may not be the case. Computers are very fast at checking passwords, and if Apple doesn't deliberately slow the login process for all authentication scenarios it is easy to check a lot of passwords in parallel.

No - turns out Apple let the hacker in.

The secret email account only for password recoveries is a great idea. Same issue cloudflare had back when they were hacked.

I use Google apps for business for email hosting and even setup a secret email account that is used as the admin account (which can setup users and change passwords). I think most people that use google apps set up their primary email address as the admin account, but if that account gets compromised its incredibly easy to reset the password on every account on your domain.

And you could even add 2-factor auth to just this secret email account for added measure.

That's a good idea. This article explains more about the Cloudflare breach, if anyone's interested.


Online backup systems should, generally, be ok even if temporarily compromised since they will keep copies of stuff even if you delete it. (Dropbox does this for FREE accounts.)

The problem is backing up big stuff -- I've got my working docs backed up the wazoo (I can even backup large multimedia/game projects to Dropbox) but my photo and media libraries are unmanageable.

Keep big backups locally.

"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location..." -- Dennis Huges, FBI.

The same goes for USB disks. I prefer to have one of my backup drives inactive most of the time and out of plain sight (in case of theft from my home).

Because he was a mac user, he should've been using Time Machine. It can be hosted on a network partition at your home so you don't even have to remember to plug in a backup drive. And in OS X 10.8, you can assign multiple disks and it'll keep them all up to date if they're accessible at the time. So one can be on your home network, another at your work network, and yet another on a physical drive that you can keep locked away in a safe or something. Just pull it out once a month to back up all your macs.

> Keep big backups locally.


Echoing this, because it happened to me. And in that case I was very happy I backed up my most important things to some sort of "cloud" (a combination of GMail, creative portfolio stuff on a few webservers, projects I had sent to friends and a couple of those filelocker sites).

Additionally, SD Cards turn out to be some the most resilient data storage media I've personally witnessed. Probably helped it was encased in a camera, which was kaput, but the photos on it were fine, not even data-bent.

And a year later I found in a box of my damaged CDs some more treasures on a couple of really old DVD backups that actually still worked :D (I never bothered to really unpack the boxes of partially blackened and warped CDs--there's no need in the age of MP3, and after a while you've really seen enough boxes of sooty crap smelling like burnt plastic)

My basic lesson from this is: spread your data and risks around.

Though, none of that stuff was encrypted. Just the stuff I kept online was passworded and do friends count as a two-factor auth? :-)

Sorry to hear about your house fire. I wonder, would it be feasible to bury a small portable hard drive in the garden or something, and have a conduit running up near the house? It'd be cute to have a USB port on the wall which you plug your laptop into when you want to make a physical backup. No thief (or house fire) is going to trace down a USB lead that's poking out from the ground or wall.

It's taking Apple's "Time Capsule" branding to the extreme literal sense.

Hahaha! No idea if it'd be feasible (my apt is at 1st floor anyway, I have no garden), but it'd be cool as hell to load your backups onto a USB cable that goes underground :-)

As far as USB plugs sticking out of a wall are concerned, have you heard about the "USB dead drops"? http://images.google.com/images?q=usb+dead+drop

I guess I should've added a "tl;dr" or mentioned putting your backup drive in a safe earlier in the post. And I suppose not all safes are fireproof.

Macs have Time Machine.

I found that grabbing an external HD and plugging it in started time machine right up. I do that every week or so.

(Which reminds me, I should go do that in a few minutes!)

Every week or so a potential client comes to us and describes, in one way or another, this general scenario. They ask "what if someone breaks into my server that I am backing up to you, and then using the SSH key, logs into my rsync.net account and wipes all of that out as well.

So for the last 6 years or so (we've been providing offsite backup since 2001) we have offered "pull backups" to our customers that request it. We give them our public SSH key, and we log in and rsync their data back to us.

Also, RE: the previous comment about not having your data consolidated to a single provider, we run an ad on reddit regularly making the same point:


One additional thing you can do is add a "command=..." parameter to your ssh authorized_keys file to limit what can be done with that key. For example, you can set it to run a script which only allows new files to be added to the backup, but not deleted.

Happy to see someone else not willing or not able to let files disappear in the cloud. For photo and media I keep them on two 500Gb usb drives, one at home and one at office, and keep them in sync with the wonderful tool unison.

I love Unison.

I have redundant backups. Everything's gets backed up locally with Time Machine very regularly. Then nightly (or more, depending on volume) it gets shipped off to Backblaze.

It gives me quick responses if I need to restore something, but if my house blows up, I'm only $100 and a FedEx visit away from having everything back.

Best guess for initial break-in is phishing. I've always thought there should be a "sudo" light/display on the monitor that can only be accessed by the superuser, making attackers unable to completely mimic a dialog requesting secure access.

Decent idea there with the password storage secret email account... Anyone else agree?

One thing that worries me about iCloud is that it puts a lot of data and services behind one single password.

Said password is therefor used a lot, with a lot of chances for interception. But most of all, it's used for trivial matters in which password typing is a nuisance (installing a cheap iPhone app), which pretty much invites people to use a weak, easy to type password.

iCloud should have multiple, completely separate forms of authentication for services like Find My Mac, instead of using the same login for wiping all your Apple hardware as you use to download Angry Birds...

Same reason why I worry about Google Accounts.

Your email, contacts, calendar, location, phone security, documents, files, music, videos, games, apps, credit card details, merchant account, search history, web app hosting, etc., all on one account.

Turn on 2-factor auth.

I thought about it and worried about it and thought about it some more, and finally did it.

And I had no problems at all - it works really well.

Yes. My facebook account got hacked by a someone who pretended to be me, stuck in a foreign country; they asked my friends for money.

After that I turned on 2FA for gmail and facebook.

Sure, it's not perfect - but no security is. But is is definitely better than using passwords alone.

But what if your phone gets stolen? Sure, I've it configured to be erased after 3 failed pin code attempts.

Or, what if my iCloud gets hacked and my iPhone is remotely erased, can I still access my Gmail and Facebook enough to remove my phone from them?

But what if your phone gets stolen?

Google 2 factor authentication needs 3 things: your Google username, your password, and the token number generated by the authentication application. Stealing your phone gets one of those things.

Or, what if my iCloud gets hacked and my iPhone is remotely erased, can I still access my Gmail and Facebook enough to remove my phone from them?

You get 10 single-use codes to print out for this situation. You can revoke these code and generate new ones whenever and as often as you like.

Your concerns were all similar to what I had. Another was that I have programs that need programatic access to my Google account and I don't want to rewrite them to use 2-factor authentication. That is solved by generating a revokable application specific password.

I found that turning it on and trying it out answered a lot of concerns I had.

> Stealing your phone gets one of those things.

2 of those things, if you have an android and they're smart enough to go to Settings > Accounts

And they can get your password if you have your browser remember it.

So, potentially, losing your android could mean losing your account.

You can't access your account settings without retyping your password. I think that password entry is excluded from browser auto entry.

In any case, there is a fairly easy solution here: don't let your phone web browser remember your Google account password.

Not if you have turned on screen lock and encryption.

Remote erase is a minor problem — you have recovery codes printed out.

How many recovery codes can you print out, and how many can you use? My cell provider (Avea, in Turkey) doesn't seem to pass automated SMS messages on, which has stopped me from using two-factor.

There is a Google Authenticator app that generates time-specific codes for you, you don't need SMS at all.

You can print out ten one-use codes at a time, and generate a new list of ten at any point.

lolwut. and you still keep on using their services? Dude, get to Turkcell or Vodafone and use two-factor if you value your data.

edit: downgrade if you want to but it will be the day of my death when I let a provider dictate my needs and wants with its stupid rules and regulations. I pay for their services and barring unreasonable ones they have to provide what I need. And passing automated smsses are something that is not unreasonable.

My guess is you're being downvoted based on style ("lolwut", seriously?) and not because of content.

You can use the two factor phone app. I installed this when we had a phone outage here. Available for Android not sure about iOS.

Google Authenticator is available for iOS, Android and BlackBerry, and there are compatible third-party implementations for Windows Phone 7, Windows Mobile, J2ME, PalmOS and webOS. Just search for OATH - it's the open algorithm that Google Authenticator implements.

Avea does that really? I believe this is the worst thing that Avea could do to it's users. Switch to Turkcell or Vodafone immediately.

One question, does it only block out of country automessages or do they also block 2FA messages of Turkish banks?

I don't have a Turkish bank, so I can't speak to that, and every time I have needed it was an out of country issue.

And not having the bank because I'm still waiting for a residence permit, which means I'm still doing the kontor thing rather than having a plan, something that's much cheaper with AVEA.

Dedicated attackers routinely bypass two-factor auth. If your second factor is your phone, then they simply attack via the phone carrier first.

Don't use texts for the two factor auth, use the Google's app https://play.google.com/store/apps/details?id=com.google.and... and print out the one time codes when prompted (for when your phone is unavailable for whatever reason).

As a bonus, you can also use it for when logging in over ssh with password http://askubuntu.com/questions/159727/how-can-i-use-a-passco...

Anything can be hacked but it's a really solid system, even against a targeted attack and motivated attacker.

Thanks for the link, but could you explain why texts are non-optimal?

Phone companies are often quite stupid about letting phone numbers (with their texts) get redirected. Like you don't have to know any private information, just have a good story stupid.

I'd hardly say people routinely bypass Google's two factor authentication (using the smartphone application), which is what I'm suggesting here.

I'm aware of one incident (the Cloudflare hack), but that seemed to be more a vulnerability in the password reset functionality than the authentication mechanism.

SMS verification is less than ideal, though.

Doesn't Google fall back on SMS or a phone call if you no longer have access to the authenticator app?

I know I have a printed sheet of one-time codes, but I think if an attacker compromises the phone number on my account, I'm screwed.

You can disable that, so that the one-time codes are your only backup method.

whilst this might be true - I get the feeling this is more of a "targeted attacked" - rather than a target of opportunity. 2factor is surely one of the best options we currently have to secure ourselves?

I agree. I think there was deliberate focus on the victim based on everything they accomplished.

My phone is a pay-as-you-go Motorola Razr from 2006. How could they hack that to gain access to my two-factor auth SMS code?

Other than stealing the phone, that is.

They trick your carrier into redirecting your messages

They are gradually adding more options. There are now single use passwords for some services (I have them for Chrome and Android). Plus they support two factor authentication.

Easy, just don't use them.

I have little choice if I want to download Android apps.

You're right, I was trolling a bit.

Personally, I only give as minimum information as possible.

I agree. For years I have believed that "Single Sign On is Single Compromise", but users and auditors love it.

That damn account password kills me. A single password which you have to enter heaps of times on iOS. If having one password meant you only entered it once id cope, but its for email, iCloud, imessage, home sharing music, home sharing video, notes, find my phone, AppStore. It's so slow to set a device up, especially if you have a decent pasword. I wish they would fix it.

You can use a different Apple ID for the App Store that you use for iCloud, on the same device.

I know. But if I could enter it once as some kind of 'log into everything' option it would be great. It's so annoying to do on phone, iPad, laptop, appletv etc that I change my password too rarely as its so painful. Nasty aftershocks too (oh, so I have to find the appletv remote i to enable my account so that I can accept my phone as the remote).

Perhaps it should ask an additional security question or passphrase for 'dangerous' operations like remote wipe.

Two-factor authentication (using say your phone like Google) wouldn't work however because typically it's your phone that is stolen and you are trying to wipe.

You could use something besides a phone for 2-factor authentication--e.g. YubiKey.

Google + Yubikey would be great. Google + 2 step authentication + Yubikey would be a dream (and a bit over-kill?)

It seems to work with some limitations as the yubikey has no time source.


Google + 2 step authentication

Did you mean 2 factor authentication?

Google + 2 step authentication + Yubikey

Is there any reason why you can't do this? It seems like it would work? (I've never used Yubikey so I might be missing something)

Google actually calls it "2-step verification"

source: http://support.google.com/accounts/bin/answer.py?hl=en&a...

That's why google let you use multiple phone numbers to verify.

Lose your main phone? No problem, login to your account using the two factor code from your landline (or partner's phone).

"He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on."

Of all the issues surrounding this event, this one concerns me most. Most users would not be able to escalate like this. Hosted services need to be providing this level of support to all customers 24/7/365 - or at least offer it as a premium option.

I have this - and I had reason to call it recently due to a technical issue.

In short: I'd advanced paid for a 1 year Apps account a month before the monthly billing came in to place. My credit card expired with 11 months of the contract left, but they suspended the account as that appears to be policy with new monthly billing system. I received no email asking to update the card prior to suspension. This suspended all the services it was connected to. Call centre couldn't help, account was down for 18h - they just said wait for new card to propagate.

I'm sure if a journalist from Gawker had posted this to HN it would have been resolved with more urgency.

Everyone's focusing on the security of the password and iCloud, but I just wanted to take a second to say: fuck who did this. Yes he should have backups, but erasing someone's things is such a juvenile thing to enjoy.

Edit: Surprised to see Cloudflare is proxying their website. I understand wanting to be impartial, but I think it's fairly easy to draw the line at groups breaking the law.

erasing someone's things is such a juvenile thing to enjoy

I don't know what part of the world you're in, but here (in the UK) it'd actually be a criminal offense carrying a multi-year prison sentence under the Computer Misuse Act.

I'm wondering at what point the police or law enforcement get involved in the US?

Generally if the person is important enough.

This is the only case I can think of where non-classified information leaks were prosecuted: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack (There are probably more, but I can't imagine any would actually disprove my point.)

This isn't solely about an information leak, though -- it's about willful destruction of property (i.e. all the victim's data getting vaped).

Usually the FBI is the agency that you go to with this stuff, and they usually don't help unless you can claim X hundreds of thousands of dollars in losses. Basically, they only care about rich people and corporations. Hackers are given a blank cheque so long as they only do small amounts of financially quantifiable damage.

As with so many other things in the United States, it is de facto only a crime if it happens to someone rich or well-connected. Mr. Honan is probably on the bubble, there. If it happened to me, a no-namer with skimpy assets, the thought of the FBI getting involved would be a punchline.

I'm sure most feel bad for the guy, but although the hacker's actions were malicious, that doesn't allow the victim to just get off the hook for having a silly password - if that was the case.

He didn't "get off the hook". His files got wiped.

If he really hasn't used that password anywhere else and it was not based on a dictionary word, then I highly doubt OP's password was brute-forced.

Brute-forcing the iCloud password is an online attack and would probably (hopefully) be caught by apple.

What is more likely is a keylogger or similar malware at which point even a longer password would not have helped. The days where macs are free of malware are unfortunately over.

Or maybe there's a problem with the iCloud auth protocol, and it was snooped? For example, that in-app purchase hack (which involved a MITM attack after installing a custom SSL CA) revealed passwords were being sent "in the clear" inside the SSL transport.

This is just speculation.

My first impression is that either a session token or password was intercepted from iCloud either via malware or MITM. But the post mentions that the iCloud password was reset, which means the account may have been hacked via Apple ID security questions[1]

When I just did this for my own account, the first security question is your date of birth, which is easy to find for anybody via Facebook. The second was a generic security question.

These are easy to guess or to find out via social media. You could spearfish a user by sending them a free account to a web service and asking them the same security questions on registration.

The security isn't adequate, considering the data that is held behind an Apple ID. I also can't believe they have a delete feature that can not be undone.

For my own account I have done a few things. First I have a secret email address for online accounts that require higher security. These emails are unique for each service and are not published anywhere. I have also removed all of my personal information from my social accounts, such as date of birth, name of school, etc. and my security answers are always random strings.

The other option is that malware was used, or a transparent proxy. If iCloud doesn't verify the server certificate it would be straight forward to proxy the HTTPS requests. iCloud will also always send out connection attempts every x minutes, so if you accidentally connect to a public WiFI hotspot or personal network with an intercepting proxy setup, you can have your password stolen in a matter of minutes.

I am also not super-confident about two-factor auth. I noticed that with Google Apps the verification SMS messages can be read using the web interface for my telco provider. A web interface that is protected by nothing more than an email address and password with the same weak security questions.

I think it is very feasible to hack around second-factor SMS notifications by first hacking the telco provider web interface and reading then deleting the SMS alerts. You are only as secure as the weakest link in the chain.

[1] https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/w...

"I am also not super-confident about two-factor auth. I noticed that with Google Apps the verification SMS messages can be read using the web interface for my telco provider. A web interface that is protected by nothing more than an email address and password with the same weak security questions."

While google DOES have an SMS seconds factor, I highly recommend use their Google Authenticator app [1] instead, which generates the code directly on your phone, sans network communication.

[1] support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

Wow, I wonder if people realize just how scary this is. Security Questions are a terrible idea.

The solution is to intentionally answer the security questions wrong. For example, always spell your mother's maiden name backwards.

I like your method of: - Separate, secret accounts for signups - Random strings (i.e. passwords) as answers for security questions

I've always used a pseudo-password (i.e. it's a standard response of mine that isin't related to the question) for security questions given how weak they are.

Very good point. As a reporter of Gizmodo he might have tried the hack.

I do believe though that sending a password "in the clear" over SSL is totally sufficient. SSL was designed exactly for sending sensitive information like passwords.

We can't blame Apple for not designing a protocol (it might be just plain HTTP basic over SSL) with people in mind that turn off SSL security in order to get access to paid content without paying.

I was voicing this exact concern here: https://news.ycombinator.com/item?id=4240124

In this case you are betting on captured SSL traffic never being able to be cracked in the future, offline. (Consider: Someone logs SSL traffic and waits for the next Debian OpenSSL bug (DSA-1571-1) to be revealed)

I think it would be a great improvement to have some kind of challenge-response nonce/timestamp hash thing going. So that even if the plaintext of an SSL connection were to be revealed at some point, you couldn't deduce the password-equivalent.

The application shouldn't have to work around flaws in the underlying protocol, especially when a solution exists (perfect forward secrecy http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-se... provides a good overview)

The problem with challenge/response and nonces is that the server and the client both need to have access to something secret to encrypt the nonce with. This usually means storing the plain text password on the server or at least a hash of it which then would be used to encrypt the nonce.

But this also means that when your user database gets lost, all accounts are instantly compromised without the attacker having to do any kind of brute-forcing.

Unless you notice an intrusion immediately, the damage that can be done in such a configuration is way bigger than if the server gets the secret thing from the client and does the hashing there, because now an attacker has to individually brute-force the various accounts (keeping at least those who chose a strong password safe).

Even if perfect forward secrecy was not doable, I assume it's far less likely for an attacker to brute force my SSL private key than it is for them to acquire my user database - not that I want that to happen of course.

That's a good point. On the other hand, with the ECDHE / PFS scheme, aren't you still at risk for an implementation specific bug like the Debian incident? (I.e. the server or client only ever picks the a/b factors from a very limited range?)

Anyways, your suggestion sounds much better than my initial nonce suggestion. :)

Everybody is betting on captured SSL traffic to remain secure.

See update to story, it wasn't brute forced it seems.

Hi, I'm Mat Honan (the guy who was hacked). I've been in touch with the person who hacked my account. He says it wasn't brute force, or guessed. I'll publish more when I know more.

To be clear, the password was unique. I use 1password as a password manager and even double checked to make sure that I wasn't using it anywhere else.

Have you considered (temporarily) disabling comments on your blog? Many of them are quite hostile, and might as well be deleted.

They're rabid. But I think it's kind of an interesting side note at this point.

What have you done to elicit so much hate (from the hacker and the commenters)?

I genuinely don't know. The hacker said it wasn't personal. My guess is that I was a waypoint to get to Gizmodo.

The commenters are most likely Gizmodo readers who dislike his articles.

That's it, I'm disabling "Find my mac". I guess it wouldn't work anyways if a thief is far away from my home or work wifi. So in essence, it's a remote wipe backdoor for when the device is in my possession, and useless if it's stolen.

FileVault2 should take care of the theft problem anyways.

Too bad you can't partially-enable Find my mac for the location service, while disabling the remote wipe and lock services.

Instead of only disabling Find my Mac, please make sure your backups are functional and enabled. That way, if your machine fails or gets wiped (whether it's by you, a thief or someone with your iCloud password), you can still recover everything.

Sure. But should something like this happen, I'd prefer to not waste time having to sit through a complete reinstall before I can start damage control by changing passwords online, etc.

That's what live CDs are for. If your system gets owned, you can't trust it anymore.

I don't think getting hold of the iCloud password would let anyone "own" my mac. (The only things they should be able to do with that would be messing with my synced address book, notes and photostream - and if "find my mac" was enabled, perform a remote wipe).

Use FileVault 2 and remote wipe is no longer necessary.

On current Macs, a live USB stick might be a better idea than a live CD. Or even better a bootable backup created with Carbon Copy Cloner (CCC) or SuperDuper.

Think of the trade off: what's the likelihood that you won't be able to find a computer...ANY computer...to login to your accounts...versus the likelihood that someone can compromise the stolen computer's entire HD?

(this is less of an issue if you're encrypting everything)

Why do you think it wouldn't work if the thief is far away from your home or work?

How would it connect to the iCloud services? The mac doesn't have a built-in 3G connection, so the only way it can go online is through previously-stored wifi associations.

my solution to this is to have an auto-login non-admin account on the machine that's not my own account.

Give them enough access to get on the internet & use the machine. Keep my files stored in my own account.

I enabled the guest account on my Mac, but auto-login in non-admin account is a good idea.

The hostility towards this guy in the comments is astounding. I already had low expectations for comments on blogs, but this took it to a whole new level.

Impressed by that too. It gives the impression that some of the commenters are involved with the stunt.

Honestly, it gives the impression that some of the commenters are from the internet. As sad as it is, you can kind of expect shit like that from completely disinterested parties who just want to be assholes.

It's not much different than driving - the nicest guy can turn into the worst a-hole on the road.

The internet, like a car, somehow makes people feel like they have an invincibility cloak on that lets them behave badly.

Wandering a bit OT, admittedly, but I feel obliged to push back against this notion. I know you didn't mean it this way, but I see it too often to wave away worse examples of abusive behavior, and it's just not healthy.

The "nicest guy" would not use language like "bitch" or "fag" in comments (to pull the first example I saw in that post's responses), because this implies an assumption that comparing the target to a woman or a gay man should be received as a deeply cutting insult. And this alone acts as enough of a cover for me to judge that book, really.

No, these are in fact rather horrible little people, and it wouldn't surprise me if they were in league with the perps who erased this guy's stuff for teh lulz or whatever.

Yeah, you're right, the behaviour is intensified on the Internet, probably because of a greater perceived sense of anonymity. On the road, you've got license plates, people with cameras, cops, the risk of getting into an accident, etc. to occasionally keep people in check.

But to clarify my earlier point, if the nicest guy can turn into a bad person on the road, imagine what a not-so-nice person can turn into.

He's a writer for Gizmodo who was already widely disliked. That's why so many people are posting such mean comments.

>>7 digit alphanumeric

...could mean anything from myacct1 to iS2xd45

Since the password is no longer in use (only assuming), it would be interesting to know what it was - perhaps the reason that it was hacked was that it simply was easy to brute force due to common dictionary words?

Just throwing an (possibly wrong) idea out there.

That still rasies some questions. You're either implying Apple allow enough login attempts for brute force against their live web services to be possible, or that someon somehow got hold of the password hash.

Without knowing the guy, I strongly suspect a reused password that was exposed somewhere other than Apple/iCloud. Anyone want to bet against this Gizmodo guy's password being in the Gawker password dump?

I guess I owe @mat an apology here - it seems Apple's customer service was at fault, not @mat's password reuse practices…

This is why I use two factor authentication for my email. It's a usability nightmare, but not as much of a nightmare as losing all my accounts everywhere.

Two factor is magnitudes better than password only, but it's not foolproof.

Security is only as strong as the weakest link. CloudFlare was hacked recently because the attacker was able to redirect voicemail to another account, then use the two-factor backup recovery phone option to take control of Google Authenticator.


You can no longer recover a Google account via a voicemail message, and AT&T now allows you to lock changes to your account with a passcode. And, the people that committed this particular attack are now in jail awaiting trial.

Usability nightmare? It requires you reenter a code from your phone once a month.

Google's is pretty easy to use, but the problem is that it doesn't scale to other providers. In addition to my phone, I also have a PayPal credit-card-sized token, and my brokerage only issues key-chain RSA keys. So now I have to have my phone, my wallet, and my keys with me in case I need to use certain websites. It would be better if everyone agreed on a standard algorithm and used it, but that's not what's happened.

Hence, a usability nightmare.

This is one of the reasons why I have different Apple ID for app purchases (with weaker password which I'm more comfortable to type over and over again when purchasing apps) and different for iCloud (which I need to type only once, configuring the device).

I saw many people buying their apps in public and the password input in iOS isn't really secure from bystanders. As a Gizmodo reporter he probably went to dozens of events where he was pitched to try someone's app and maybe even given App Store codes. If he used to download apps on such events that might be the source of his leaked password. Someone could simply see what password is he typing.

As long as Apple requires you to type the password with each purchase, it is wise to separate your sensitive data/services with the App Store credentials.

Never understood Apple's insistence on asking for the password all the time.

For such a customer focused company, it just seems so bad.

If you get the chance to watch a kid playing with an iPhone it's an eye opener. The 15min no auth required again window after an app purchase is the devil's time.

Airplane mode.

Well, if you will put complete remote control of all your devices behind a single, weak password.....

What difference does it make how strong the password is? It was a seven-digit alphanumeric password, right? Is iCloud going to permit up to 36^7-1 failed login attempts in a row without rate-limiting, banning, or launching missiles at the owner of the offending IP address?

Assuming the answer is no, there are only two remaining alternatives: 1) Someone targeted and keylogged him to obtain the password, in which case it doesn't matter how strong the password is; or 2) Someone hacked iCloud itself and stole their (presumably unsalted) password file.

In that case, yeah, a stronger password might've helped. Bad user. No cookie.

But if he thinks he's having a rough night, consider what scenario #2 would mean to Apple. The impact of an iCloud hack would be measured in multiple billions of dollars of market capitalization.

It's a good point actually - does iCloud in any way prevent multiple account logins?

There's another possibility: he re-used his iCloud password on another account, that was compromised, and someone tried that successfully against his iCloud account.

The bigger issue, as someone else has said, is putting so much remote control behind a single point of security.

The strength of the password is relevant in the scenario where the password was actually brute-forced through an interface. If it was jesus01 (or something else common - typically religious), then it may be an easy hack for the hacker.

"Brute-forced" was a bad word choice.

Typing-the-most-common-passwords-with-numbers through the interface style. Basically guessing from the top password list.

But again, why would iCloud allow that many consecutive failed login attempts without locking the account?

iCloud would surely block consecutive, failed login attempts. From the post, reading years and years, opens up the possibility that it may have been something the hacker was following for some time. Therefore, he would have been blocked, but may have come back in 1 week to try again.

The possibility is a bit far-fetched, but it exists. The likelihood that this was actually the case is extremely low.

I _strongly_ suspect the iCloud web login will block brute force attempts. What I do wonder though, is if there's some other place an iCloud/AppleID login can be brute forced without appropriate rate limiting? Maybe an IAP API endpoint? Or an in app advertising endpoint? I wonder if the "check whether an IAP succeeded" API that the "just redirect you dns to my server and add my root cert" "exploit" uses is failing to block brute force attempts?

Even if iCloud allowed 10 failed logins before locking out for an hour, every hour, every day for seven years, that would still only let you crack a 4 digit lowercase-alphanumeric password. I'd be willing to bet that either the attacker took the password from something or that 'alphanumeric' is a misleadingly good description for the password.

Brute-forced through what interface?

The issue I have is that in this case, your AppleID is (normally, by default) the ID you use for everything Apple related - including the iTunes Store. I really have problems typing long 20 character passwords comprised of every kind of symbol on the iPhone keyboard. It was annoying enough trying to type my Twitter and FB passwords correctly the first time. To type that every time I want to update my applications for free, is not a nice experience for me. This means someone could wipe my iPod remotely, but I would note that I don't have (use?) any kind of Apple controlled email, so the impact for me would be limited to my card being charged for iTunes purchases.

With iOS 6 it's not necessary for updates, at least. Still required for installing paid apps though (which arguably it should be).

> Well, if you will put complete remote control of all your devices behind a single, weak password.....

From the post:

> My password was a 7 digit alphanumeric that I didn’t use elsewhere.*

It sucks, but when you've got control of someone's iCloud account (email, and remote wipe of presumably their primary devices), you've put them in a tight spot. One of the many reasons that I use iCloud for my phone and iPad, but certainly not my primary machines (or email).

Rough night.

On your primary machines, you should have at least some form of local backup. I'm using Time Machine with a network drive. If my primary machine fails or gets wiped (whether I did it myself or someone obtained my iCloud password), I can still recover everything from the backup.

Every machine we have has local backup in the form of a sizable external USB drive. Some also backup to a network drive. Windows and Mac. With dozens of machines it is hard to justify paying for remote backup. Although, every time I say or think this I also think: fire, theft, earthquake. I wish there were a reasonably priced multi-machine remote backup service at an affordable price with storage measured in terabytes. One hundred gigs doesn't even begin to scratch the surface.

There is Backblaze[1]. Unlimited backup at $50/year/computer.

[1] http://www.backblaze.com/

My wife recently started using this. She wanted to have another source backing up her photography (being a photographer and all...), and this was highly recommended by all her friends with expensive cameras and even more expensive lenses.

I was shocked, mostly because the price was fairly inexpensive, and her lot love to spend lots of money on small things.

I take pictures with my iPhone. =/

Like was suggested earlier, Crashplan. It can do both local and remote backup, and remote backup to multiple locations if you know other people who also run it and have free space for you to use. Home plan is multi-machine unlimited; however, in practice, I only use about 800GB or so.

I checked out CrashPlan+ and it looks good, except that I am having trouble finding their definition of "personal data". It says that CrashPlan+ is licensed for "personal data" but I am not sure what this means.


My guess is they used brute force to get the password

How can a system allow login attempts so fast and often that a 7 digit word with numbers can be hacked?

That's hundreds of thousands of attempts.

About forty billion attempts, to be specific.

It wasn't brute-forced, unless somebody got their hands on the iCloud password database.

Very well written story and also very educational on the faith peopl put in cloud backups. Even if you have a cloud backup/syncronised it is still worth popping over your mum's or a good freinds with a some burned DVD's or external USB drive (if you have two you can swap them every time you visit). This approach is good as a cheap offsite backup and also social at the same time.

As for linked accounts, that again is another education many of us have probably overlooked and I would say if you do have a 2-factor facility that uses SMS, maybe think about digging out an old phone and getting a PAYG SIM with a token credit and using that number. But security is a never ending drive bordering on paranoia and in that you do what is enough to help you sleep at night after reading the article.

Don't think I have seen a article doing a test on how easiy it is to recover a hacked account and how long it takes. I certainly have never seen any speed comparisions, nor consumer reviews in that area. Anybody know of any at all?

Passwords: Don't try to remember them. Use a service like passpack to generate and store random ones for every account. Two pass authenticate into it.

Data: Back it up. Backup your backups. Stop fucking around. If you don't get hacked, your storage will fail.

Software: Don't install shit you don't trust. Don't trust shit you can't verify.

Passwords: Don't try to remember them!!

It's 2012, not following these simple rules is inexcusable.

Unfortunately, my AppleID password is one I _do_ need to remember - I need to use it often, and in places that 1Password won't auto fill. At least: the iCloud website login, various iDevices when using app store, and iTunes on several machines (all on the home sharing network). The alternative seems to be to have all those devices "remember" my AppleID password, which seems like a security lose.

Unfortunately, my AppleID password is one I _do_ need to remember - I need to use it often, and in places that 1Password won't auto fill.

Write it down on a piece of paper (or use a password manager that will show your password).

Back in the 1990's "writing down passwords" was considered a huge security hole.

Now day's attack vectors have changed and it is probably more safe than using a memorable password.

The alternative seems to be to have all those devices "remember" my AppleID password, which seems like a security lose.

If your devices are physically safe, and iCloud has remote log-out (does it?) then this may be more safe too.

Not disagreeing with you but think of all the times you need your appleID on the go. Carrying around a piece of paper may not be feasible or ideal

The strong password has value. Credit cards and cash have value.

Write the strong password on a credit card sized bit of paper, and keep it in your wallet.

People tend to keep their wallets safe.

Most people can learn complicated passwords after a few days or weeks of use, so you can keep the paper in a safe place at home once you've learnt it.

Worst advice ever. Now you only need to lose your wallet and you're in the same situation as the article's. The old advice is still sound.

A random string of characters in a wallet doesn't have a lot of value. Of course, don't write down what that string is for, and make sure you have another copy at home. If you are really concerned, leave off the first character of your password and remember that.

The truth is that 2-factor authentication is the real solution. But one has to make do with imperfect solutions


Writing your password / passphrase down allows you to chose a good, strong password. You do not give anything that links that password to a particular service.

Most people will only need to refer to the written password for a week or so, and then they will remember it.

You put the piece of paper in the wallet because you want people to treat it like a 50 dollar bill. People leave bits of paper anywhere, but they don't leave 50 dollar bills everywhere.

Not writing down the password? Yeah, we see how well that works. (https://www.google.co.uk/search?q=most+popular+passwords)

It is baffling to me that authenticating to computers, software, and services is still so weirdly broken. Especially since there is now billions of dollars involved in it.

You don't need to link it to any particular service. There is a 99% chance the person has a gmail/facebook/twitter/live account.

I know that you're not suggesting that people should reuse one password across multiple services. In your model:

1) I have to lose my wallet and

2) Not change my password and

3) You have to know my login email address and

4) You have to find which service the email and password work for

...and all of these have to happen in the time between setting a new strong password and learning that strong password. Because when you've learnt the pass you stop carrying it around.

If you lose your wallet there's a bunch of stuff you need to do. You need to cancel your cards, for example. Keeping a single password in there (for the short time it takes you to remember it) means that there is one more step added - you need to change that password.

You're also failing to do a sensible risk analysis. The threat model for passwords is "hackers, anywhere in the world". The venn diagram of that very big set has a teeny tiny intersection with the much smaller set of "people who have access to my wallet if I happen to lose it".

Writing down a good password means that you get to use a good password. You get to choose a properly strong password, with many characters of mixed case including numbers and specials; or a 6 word passphrase.

If you label the passwords you're probably doing it wrong. If someone pulls out a piece of paper that says "QWhXnLv0qzi1h1m" out of my wallet, how are they going to use it?

If you're worried about someone stealing it, just shift the password over, so it's now "mQWhXnLv0qzi1h1 > 1" on paper.

Any tech savy person knows that has a strong possibility of being a password. Grab an ID, google "your name gmail", log in.

The kind of weak encrypting scheme you can remember is easily defeatable, this is still very vulnerable even if you leave one or two letters off (which you'll have to remember in addition to the scheme). So, going back to the parent, no, this isn't safer than a password in your head.

but this isn't the password for gmail. This is the password for the password manager account. So you need to know the password manager they are using and the username to match with the password. They have to find this out within the time that we've realised we have lost our wallet and are changing the password.

Obviously this is still less secure than no password in the wallet at all, but I don't think it's "very vulnerable" as you are claiming.

There are strong/long passwords that are easy to remember:



having a 20-30 character long password is fairly easy, it may not be 100% random, but (correct me if i'm wrong) a password that long with just a handful of random extra letters and numbers is going to be rather easy to remember and probably going to be just as had to brute-force.

You have to be careful when adding some random characters, because most cracking software includes dictionary mangling options.

Thus, option 0ption opt1on etc all get mangled into a wordlist, while )*&HD@IHU don't. Yes, it still increases difficulty, and they are much easier to remember, but people need to be careful.

Software: Don't install shit you don't trust. Don't trust shit you can't verify.

This one is pretty tricky. There's a lot of little tools out there that I find invaluable, and haven't screwed me over yet (as far as I know), but fall firmly in the "downloaded it off someone's little personal website" category.

I'd say we need better fine-grained permission systems for software, so people can install programs without needing to trust them, safe in the knowledge that they'll get the opportunity to deny any malicious behaviour before it actually happens.

That's what the Mac App Store is starting to do, but unfortunately, it's "completely sandboxed in the store" or "not in the store". I'd like a model that started completely sandboxed but let me choose if I want to let it out of the sandbox in certain, well-monitored cases.

let me choose if I want to let it out of the sandbox in certain, well-monitored cases

That's exactly what I mean. I envisage something kinda like Windows 7's UAC dialogs, but more specific than "this program wants root! [allow] [deny]" -- more along the lines of "this program wants to install a driver / write to such-and-such protected files (its own program folder/anywhere in Program Files/the Windows folder/...) / low-level disk access / to run at startup / etcetc [allow] [deny]".

Actually, I'd specifically forbid "all permissions" as an option; an enumeration of every permission a program wants would make the user more likely to notice unreasonable requests than a single item would, even if that single item's actually "everything". I get the impression, from seeing ordinary users dealing with UAC, that they don't usually appreciate quite how much power they're giving programs when they hit "allow".

I believe that's similer to what SELinux does, although I've never used it beyond observing its presence on university-owned computers.

That's what Apple's shooting for with the App Store's sandboxing requirements, but I'm sure the typical HNer will continue to have a few programs that need to operate outside the limited entitlements that the App Store allows. Still, it'll be better to have a single digit count of those on your computer instead of anything being able to erase your home folder without asking.

Hate to repurpose a cliche, but never put all of your eggs in one basket.

On the contrary.

Put all your eggs in one basket and then watch that basket.

No backup? Seriously? Wow.

What do people like for backups these days? Crashplan seems pretty damn good to me.

CrashPlan has swooped in and knocked every cloud backup system I previously used to use out of contention.

They've made an awesome product and they provide it at an awesome price.

Previously, I was a user and big proponent of Jungle Disk, but that product has become all but completely abandoned since being gobbled up by Rackspace. (I love how their solution to comments about going radio silent and not updating their blog in over a year was to just take the blog down and put up a "The Jungle Disk blog is currently unavailable" message, as if the blog were just temporarily offline. One of their last blog posts was a "Future of JungleDisk" post, outlining tons of features that, 16 months later, were nowhere to be seen).

I had been recommending Carbonite to friends and family for an easy-for-normal-people backup solution, but their performance falls short of CrashPlan, and their heinous near-silent default exclusion of video files from backups would have led to serious tears if we had ever actually needed to restore from backup. (Automatic backing up of video files is reserved as a feature for the new $150/yr HomePremier plan - which at least now makes this fact somewhat visible. Previously, there was damn little to indicate that this exclusion was happening). That made Carbonite something much less than the "set it and forget it" backup for my non-technical friends and family that it was supposed to be.

CrashPlan is nice and friendly, has no hidden "gotchas" that I have found yet, and has a great PRO service as well. The client GUI can even be made to connect to the daemon on a headless server through an SSH tunnel, just with a simple change in port number in the config and forwarding the remote port through the tunnel.

I absolutely love CrashPlan, but it is only friendly if you never need to change the backup selection. It gets tough when you want to deselect just the right folders to avoid spamming your backup destinations with useless crap like Xcode docsets and Safari caches.

...Wait, you mean, an online backup service that sends emails (and password reset requests) to an email account that can be compromised?


Crashplan does not require you to use its cloud storage, FWIW.

And after you've logged in to Crashplan, it's not clear to me that you can do a whole lot of damage via the website; the password used to encrypt your data is specified on the client side, and there is no reset mechanism for it. I mean, they could update the credit card settings, or modify the configuration options like excluded directories or send rates, but not a whole lot else.

But, but, it must be in the CLOUD, don't you know?

You can configure CrashPlan to encrypt your archives such that you must have your password to decrypt them. There's a big warning that if you lose your password you're screwed.

Also, you can just specify your own encryption key. Everything is encrypted locally.

Question: could an attacked delete my CrashPlan backup via the website?

It seems like they should be holding on to files for 30 days period or something. Does anyone know?

Doesn't look like they hold on to the data if you remove a computer from your CrashPlan account: http://support.crashplan.com/doku.php/how_to/remove_a_comput...

(I do like CrashPlan, but this seems to be common practice with data storage services.)

Removing the computers associated with a CrashPlan account and then cancelling the account looks like it'll cause a pretty big headache.

I haven't tried Crashplan, but I recommend either Backblaze or SpiderOak. I used SpiderOak in the past when I had both a Windows and a Linux PC I needed to keep backed up, but now that I have one Windows PC I use Backblaze.

Backblaze really shines if you have a single Windows or OS X PC with a lot of data. For $50/year, it will allow you to backup unlimited data for a single computer. As far as I know there is no student discount.

SpiderOak really shines if you have multiple Windows, OS X or Linux PCs with a small amount of data between them. For $100/year, it will allow you to store up to 100GB of data between as many computers as you want to back up. If you're a student, it will only cost $50/year.

Crashplan has a home plan that lets you back up unlimited data for all your machines. It works on Windows, OS X, Linux and Solaris, which is great for me; I back up all my machines to both the cloud and my Nexenta/Solaris NAS, as well as backing up the NAS. In fact, if you know other people who have lots of storage, you don't have to pay for Crashplan at all; you can back up to them, with encrypted data.

Custom backups using Duplicity+GPG to multiple clouds. Wuala[1] if you want something working out of the box. I have 18.5 GB of free storage just from coupons found with little Googling[2].

[1] https://www.wuala.com/

[2] http://static.deno.pl/pub/wuala-storage.png

Looked into Wuala. I like this part:

"Wuala is completely private and secure. When you store a file in Wuala, the file [..]gets encrypted before it leaves your computer. [..]Your own password is very important here: it never leaves your computer, so we do not know it. Hence, not even we can access your data."

- https://www.wuala.com/en/support/faq

But it seems pointless in light of:

"Do you plan to open the source code?

Currently not. Opening the source code of Wuala would consume quite some time and effort, and commitment to maintain it. If you are a software engineer and would like to see how Wuala works, feel free to apply for a job at Wuala."

- https://www.wuala.com/en/support/faq/c/21

It would be trivially easy for them to hide a backdoor and/or leak data in their closed-source code. So at the end of the day, the message is "Trust us." So what purpose does the client-side encryption serve? Empty marketing. At best, it makes it _slightly_ harder for them to read your files.

Tarsnap (www.tarsnap.com), which does have client source code available, doesn't suffer from this problem. Unfortunately it's a fair bit more expensive.

I'm Luzius Meisser, cofounder of Wuala. Yes, some trust in Wuala is still required, namely trusting us that we won't put a backdoor into the client. Much more trust is required in services without client-side encryption. Adding a backdoor would ruin our reputation once someone found out, while companies like Dropbox won't suffer much when they hand over data to a government agency as it is known that they can and will do it. Also, bugs like accidentally disabling the password verification can be ruled by design with client-side encryption.

Also, please note that laws are often constructed such that companies can be forced to hand over data they possess, however not to collect data they do not possess yet. E.g. there are many laws in many jurisdictions that could be used to force Google to hand over data you have stored in Google Drive, but the same laws cannot be used to force us to add a backdoor to Wuala. So legally, it is much much easier to obtain data stored in Google Drive than to obtain data stored in Wuala (or another service that uses client-side encryption). Noone has ever asked us to add a backdoor to Wuala and we would fight against it if someone did.

I agree that it would be nicer to open the source code so our security would be independently verifiable, but claiming that what we do is "empty marketing" is clearly wrong.

Thanks for the reply. I see what you mean and agree there is some difference. Let me put it this way: I would feel confident my Wuala backup is secure from my boss or ex-girlfriend, but not from a hostile government. If I were an activist or otherwise doing something very controversial, I wouldn't trust it. And honestly, that's the same way I feel about Dropbox. It's not the most secure thing around, but as long as I'm just another J. Random Hacker, who cares? So to me there isn't a distinction.

For why not to trust a closed-source system's claims of security, see Skype. If I remember correctly what I have read, they boasted about using "end-to-end encryption", strongly implying that your Skype calls could not be wiretapped. The catch? The encryption keys were stored on the server! And there was a story where someone (a drug smuggler, I think) was busted seemingly as a result of intercepted Skype calls. The misleading claims of security didn't ruin Skype's reputation - people still use it.

I'm glad you replied to my comment as it shows you're at least thinking about these things. I hope you will consider opening your source code in the future. At that point Wuala might be of interest to me.

EU laws give you some protection. Still, this is why I don’t use it for backups myself. Their technology is quite good though, it uses similar snapshot based model that Tarsnap does and has very small footprint, considering. Hopefully they will be able opensource it at some point.

Wuala is great but not recommendable for backups if you care for Mac metadata and an app running silently in the background. I have no idea why Wuala has not implemented these features after all the years. Crashplan is Java-based too and has both features.

I recommend BackBlaze to my friends for the simple reason that it's saved my bacon once, after a laptop theft. I'd have lost years of data otherwise. It also helped me give the police information that resulted in my laptop's physical recovery.

Full story, from last fall: http://prog.livejournal.com/983354.html

I use a mixture of Crashplan (but only locally between machines because our DSL connection is waaay too slow) and DropBox.

I'd be curious to hear more about other people's solutions.

Been using Crashplan for couple of years now. For a couple days pay you can backup so much.

Is there some background concerning the author that I'm not aware of? Asking because some comments (at Emptyage, not here) seem unusually hostile.

So via your iCloud account someone can remote wipe all your Apple devices? That seems like a questionable design. Does anyone know the rationale behind this? I guess it would be useful to deny access to your data in the case where your device is physically stolen.

Maybe there should be a significant time period (hours?) after a password change where this functionality (and any other data-destruction functionality) is disabled. Or maybe a password change should require you to re-auth every device before data remote deletion features can be used on it.

It's so that you can remote wipe your own devices if you lose them, in case you have sensitive data on them. For example, my employer requires that you enable this feature if you want to get your work email on your phone.

For this one reason alone, I have a pain-in-the-ass long AppleID password - 100+ bits entropy. It's a right pain to setup a new device (or even app) that can't be imaged off an existing backup, but it's worth it.


Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact