What’s it like to be hacked? James Fallows over at the Atlantic Monthly tells us his experience. One night his wife left her computer on when she went to bed. The next morning she discovers her Gmail account is inaccessible! She couldn’t log in because a hacker had swiped her account and altered her password.
Fallows figures, no problem, just follow Google’s simple procedures to re-establish control of his wife’s account. But when she is finally able to log into her Gmail, she finds her six years of correspondence — 4 gigabytes of data — gone.
Fallows is a professional writer, not a computer expert, but he knows enough about computers to keep his cool. With millions of Gmail users, obviously there has to be an easy way for Google to retrieve his wife’s email from backup. Right?
Fallows sends in Google’s standard data recovery request form. He then finds that email has been recovered only back to the beginning of the year. The previous six years of email? Missing. Gone. Nada.
Here’s where the story gets interesting (read: frightening). The email Google sends to Fallows tells him that recovering any more of the email is not possible. Plus, there’s this happy summary in the form-letter email he receives from The Google Team: “We unfortunately will not be able to respond to any further emails on this case.”
Compared to the rest of us, Fallows is a lucky guy. He’s a famous writer, so he has the pull to contact people on the inside at Google.
As he does he discovers quite a difference in perspective between The Google Team and its millions of users. “What a surprise, that people would want to recover from catastrophe! But from Google’s engineering perspective, the deleted-mail problem, while dire for those confronting it, affected only a tiny fraction of their users, and also was more complicated to solve than some other mainstream usability issues.”
For Fallows, the result was that “…our attitude toward Google got much worse before it got better.” He did, by the way, get all his wife’s emails back, but only after pulling strings unavailable to us, the unwashed masses.
The article concludes by telling what you can do to harden your own accounts from hacking:
- Use very tough gibberish passwords
- Use different passwords for different accounts
- Change passwords frequently
What Fallows learned the hard way is that the online services we assume will protect us expect us to protect ourselves.
http://xkcd.com/936/
Which is pretty much how I’ve always chosen my *important* passwords – except with some capital letters and numbers thrown in to appease the angry password strength verifiers.
I keep a few super-weak passwords for quick access to resources I don’t care so much about.
https://www.grc.com/haystack.htm
Steve Gibson……
Password: 1a%%*iW3EORvrM7V
Offline Fast Attack Scenario: 1.41 hundred billion centuries
hahaha! I’m just amazed by this number…
That just reminded me to check my osnews password. It was pretty weak :S Good thing I just changed it!
Also, the code-guessing shots of one Wargames scene http://www.youtube.com/watch?v=NHWjlCaIrQo
Though, @XKCD, combinations of common words can easily find their way into password cracking tools – one might throw in some sparse symbols and/or an uncommon* word.
*as in, ~”private” …nicknames, local dialects, and such (NOT only such words, I’m not saying that / too meaningful whole passwords is what in turn makes pass guessing by humans relatively easy).
I’ve actually googled right now an old ~nickname of sorts of my father – no hits, ZERO (it merely suggested one somewhat-but-not-really similar sounding – and only when pronounced in some Slavic language – word from the region)
PS. Somebody takes computer security in Wargames (in films, overall) a bit too seriously: http://mike.passwall.com/uselesstrivia/wargames.html
Edited 2011-11-03 17:26 UTC
So what you’re saying is that ‘correct horse battery staple’ is a great password, right?
Excuse me while I go and apply it to all my accounts!
You beat me to it.
I have this comic posted on my cubicle at work. Some people get it, while others don’t. Guess which ones are probably easiest to get their accounts hacked?
Steve Gibson. Again. I’m seeing it constantly. I’m kinda tired of this, but anyway …
I’m also quite angry at these pseudo IT-pros that made us believe we need some utterly useless passwords, while all we need is just a long, plain text password.
Darn you, password nazis! go and fry in hell, yer miserable rats!
P.S. Combine this “l4tt4rish” crap with S.G.’s suggestions and you will probably get quite a good password.
Complexity serves a valuable purpose in password selection. Get yourself a password manager and it’s a non-issue.
People do get accounts hacked out of either lack of knowledge, laziness or stupidity. While I can excuse lack of knowledge, I can’t excuse laziness and stupidity.
The accounts and devices I really care about are protected reasonably (some e-mail, facebook, twitter, forums, websites, game, banking, hosting accounts, my computer at work). I use good passwords and use a different one for each account. I don’t use built-in security questions, I use my own. Answers to security questions can’t be found on the web because they are like passwords: just some letters and numbers.
Accounts which I consider not very important may share the same simple password. My home computer and my laptop aren’t given too much attention security wise, because I don’t care too much about whatever data may be found on them.
They can’t really blame Google because, as they say, only a minority of users get accounts hacked and it would be much better to direct resources in areas that would benefit more.
Google provides a way to require two-factor authentication for your Google account. Use it.
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-fo…
Back up your own dang email; Google also provides POP access.
They give you nice tools and services for the low low cost of your privacy. It’s up to you to use them in a secure manner.
The 2-step verification is effective but not practical and is nothing but a scam from Google to get your real phone number.
Edited 2011-11-03 16:08 UTC
You can do two-factor without text messages, and hence, without Google getting your real phone number.
How does it work?
Google Authenticator
http://www.google.com/support/accounts/bin/answer.py?answer=1066447
It’s an app that generates the code locally. The device need not have a Google account attached to it in any way for the app to work. Nor does it need to be a phone or have internet access. I’m not sure of the exact algorithm they use to generate the one-time password, but there are a few of them out there.
If any of your friends has an Android phone they have probably linked your real name with your phone number and your email address already, anyway. And maybe also your home address, work contact info and a photograph.
And all that information ends up on Google servers?
How is that?
Your Android contacts sync with your Gmail account. It comes in handy when you switch phones as you have to do nothing to keep them, but it also means it all ends up on Google’s servers.
IMAP access, also available, is probably more thorough – however, you still can’t really back up Gmail Chat (Gtalk) archive…
In fact you can back up your chats too: just go in Settings > Labels and mark the Chats label as visible for IMAP. Good luck
Ahh , good, thanks for pointing it out.
I guess they added it quite recently and/or my account was slow to get that update? …I think I would notice “show Chats in IMAP” option, I rely quite a lot on labels and manipulate them often.
It was ~inadvertently on at the start of IMAP availability, but with some unpredictable results. Quickly removed and remaining that way for quite some time.
And so, the world is more at peace… For me, it’s also about offline searches being much faster – particularly since Gmail search has, for some reason, a bit primitive treatment of diacritics and “part word” searches (invaluable in languages with complex declension and such)
Edited 2011-11-03 20:38 UTC
If the author is wondering how her password was hacked, the first thing that sprang to mind was Firefox’s “Show Passwords” field. Any saved password is stored without encryption by default, and is thus visible to anyone. She used a public terminal at an airport…perhaps Firefox had been set to store all passwords and it was accessible that way. Just a first thought.
I guess this is also an example of why regular, archived backups are needed. Relying upon the fact that emails are reliably stored by Google hardware is insufficient, since it doesn’t allow for human error (or malicious attacks), or even a major bug in a future version of GMail. Perhaps Google could offer long-term archived storage of emails for those who want it – that way, if your main account is compromised and all emails deleted by the user, then you can still access a backup. However, it would be safer for most businesses to store backups with an independent provider, in case Google messes up. The easiest way most people can avoid this problem is to get an email client and download everything onto your PC, then copy emails onto an external hard-disk or use your regular on-line backup.
Sorry, but what’s the cause and effect here? Is he implying that it got hacked because she left her computer on?
I doubt this is the perspective of the engineering team. This is a business decision, not an engineering decision. Obviously someone in management decided it was more important to have a lean interface than spending time and money creating a solution that few users will ever need.
Why would you even assume that at all?
This is why I dislike those services which do not allow you to keep a copy of your data at hand (wordpress.com, hotmail, steam…). I wish I could avoid relying on them altogether.
Also, who needs to keep several years of archived mails at hand ?
Most of that will be useless, sure – over your lifetime, there might be perhaps only, say, 100 cases when you will be really glad you could find that old email.
But the thing is: you don’t really know in advance which of all emails those will be (other than gradually getting rid of obvious junk mail, of course)
(and Steam allowed making DVD backups, last time I tried? …unless you mean DRM – yeah, that could potentially be a problem; OTOH, I think Valve said they would unlock it if ever going under)
So if you make a DVD backup of a Steam game, then your Steam account is wiped for some reason, you can still play your game? I believed it was not possible because it would allow – shock, horror – letting relatives use your copies of the game.
Edited 2011-11-03 18:06 UTC
I didn’t say that / sure, now that you describe specifics, this would be a problem… (what is “copy of your data at hand” for Steam, anyway, when it’s all about periodic online authentication)
Alright. I guess I overestimated the impact of these DVD backups you mentioned, then. I believed that they did more than avoiding long downloads when a gaming computer’s hard drive dies. If not, I don’t see the point in making them if you have broadband and regular PC backups.
The problem I see with Steam (and other application stores) is that if, for some reason (bug, Valve diktat, compromised account), you lose your usage rights on a piece of software, it’s gone. You cannot use it anymore, and there is little chance you will recover the right to use it. There is no way you can make a backup of your right to play a Steam game, if you see what I mean.
Edited 2011-11-03 21:22 UTC
Me.
it’s like the classic ‘throwing out old junk’ problem: every time I archive off my old mail, the next day I find I need to refer to something in it…
Thanks for the answers!
You can download copies of your e-mail in Hotmail and back up your WordPress database. How are these kept from you?
Can you easily download all your mail from Hotmail, through a standard protocol such as POP or IMAP, or do you have to use a Hotmail-specific workaround to do that? Last time I checked, it was the latter, but that was arguably a long time ago.
Same for wordpress.com (which is different from a self-hosted WordPress blog). I’m honestly interested if there is a simple way to download the database of a blog that is hosted there. I believe I have carefully checked the dashboard for this without finding anything.
EDIT: Never mind for wordpress.com. Tools->Export->Export. Guess I did not look hard enough, I was pretty sure I had checked everything…
Edited 2011-11-03 18:16 UTC
Yes, Hotmail does have POP3 access, I use it all the time. Most of the email clients I have used including Thunderbird, Outlook/Express and Evolution set up the account automatically when you enter Hotmail as an account in settings.
My bad… Sorry for posting outdated and/or incorrect information there!
This wasn’t the case last time I used Hotmail (a few years ago now), so it must be a relatively recent upgrade, perhaps around the time their inboxes suddenly got huge… I even asked their helpdesk at the time, only to be helpfully told that the only way to use Hotmail offline was to download Outlook Express and use that, even though I’d told them I was using Linux…
I have no idea why you were told that, unless it’s to discourage the use of POP3 access. I have used Hotmail with POP3 since about 1998/99 and never had problems with it at all.
Obviously the butler did it!
I had my gmail account stolen by a homonymous guy. He just used the “Someone else is using my account” procedure. I know for sure, because I’ve been able to talk to that guy afterwards. Even the guy was somewhat surprised the procedure worked so easily.
I got my account back using the same procedure, in a matter of hours, just to discover that all my email was gone.
I tried to contact Google about the issue, but even after finding a way to, maybe, contact them via email, I received no answer at all. I tried to contact Google about the ease with which someone else could steal an account too, but didn’t get an answer.
All my previous email was gone. Now I perform regular backups myself, using IMAP, and this is for a simple reason: I don’t trust Google and its services. Their services are usually not bad, they’re cheap too and I don’t hate them at all.
However, after that issue with them, I learnt that they don’t provide any easy way to contact them beyond web forms for usual (and usually trivial) problems. They keep users at a distance. They don’t care about their users and their users’ data, unless their image (thus their business) would get hurt. In my experience, they’re the most careless company in IT.
I think they’re not evil, as they like to remind us all the time. But they’re not good either, they’re just as any other company in the business. Just a bit more careless than direct competitors in my opinion…
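Several commenters above (the one recommending a mail client plus an external disk, and this one doing regular IMAP backups) describe the same defence: keep your own copy. As an added example, not code from the article or from any of the posters, the script below pulls every message out of an IMAP folder with UID SEARCH/FETCH and appends it to a local mbox file that any mail client can open. It uses only the Python standard library (`imaplib`, `mailbox`). The Gmail folder names `[Gmail]/All Mail` and `[Gmail]/Chats` are what Gmail exposes when those labels are shown in IMAP, but treat them as assumptions and confirm with `conn.list()`; the Gmail host name and port are the standard ones, and the `app_password` parameter is an assumed application-specific password rather than the main account password.

```python
import imaplib
import mailbox
import ssl
from typing import Iterable, List

# Gmail exposes labels as IMAP folders. Assumed names; verify with conn.list().
GMAIL_ALL_MAIL = "[Gmail]/All Mail"
GMAIL_CHATS = "[Gmail]/Chats"   # present only once the Chats label is shown in IMAP


def fetch_all_messages(conn, folder: str) -> List[bytes]:
    """Download every message in `folder` as raw RFC 822 bytes.
    `conn` is any object with imaplib.IMAP4-style select()/uid() methods,
    which lets the function be exercised offline with a fake connection."""
    status, _ = conn.select(folder, readonly=True)   # read-only: a backup must never mutate the mailbox
    if status != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    status, data = conn.uid("SEARCH", None, "ALL")
    if status != "OK":
        raise RuntimeError("UID SEARCH failed")
    uids = data[0].split()   # b'1 2 3' -> [b'1', b'2', b'3']
    messages: List[bytes] = []
    for uid in uids:
        status, parts = conn.uid("FETCH", uid, "(RFC822)")
        if status != "OK":
            raise RuntimeError(f"UID FETCH {uid!r} failed")
        # imaplib returns [(b'1 (UID 1 RFC822 {n}', b'<raw message>'), b')'];
        # the literal payload is the second element of each tuple.
        for part in parts:
            if isinstance(part, tuple) and len(part) == 2:
                messages.append(part[1])
    return messages


def write_mbox(messages: Iterable[bytes], path: str) -> int:
    """Append raw messages to an mbox file; returns how many were written."""
    box = mailbox.mbox(path)
    count = 0
    try:
        for raw in messages:
            box.add(mailbox.mboxMessage(raw))
            count += 1
        box.flush()
    finally:
        box.close()
    return count


def backup_gmail(user: str, app_password: str, out_dir: str) -> dict:
    """Network entry point (not run offline): dump All Mail and Chats to mbox files.
    `app_password` is assumed to be an application-specific password."""
    ctx = ssl.create_default_context()   # verify the server certificate, no plaintext fallback
    conn = imaplib.IMAP4_SSL("imap.gmail.com", 993, ssl_context=ctx)
    conn.login(user, app_password)
    counts = {}
    try:
        for folder in (GMAIL_ALL_MAIL, GMAIL_CHATS):
            msgs = fetch_all_messages(conn, folder)
            counts[folder] = write_mbox(msgs, f"{out_dir}/{folder.replace('/', '_')}.mbox")
    finally:
        conn.logout()
    return counts
```

Run `backup_gmail("you@example.com", app_password, "/path/to/backups")` from a cron job, then copy the resulting mbox files to an external disk, and the loss described in this thread becomes a nuisance rather than a catastrophe. Opening the folder read-only matters: a backup job with write access is one bug away from being the thing that deletes your mail.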
I think you’ve hit on a HUGE problem. The trend in the cyber-world we’ve created is that the LAST thing big companies want is to be bothered by their customers. So they deal with them only by email and keep them at arm’s length.
Maybe it was this guy’s fault he got hacked, or maybe not, but what kind of “service” has Google provided to help him? Hardly anything. You can argue that Gmail is free, but this sort of attitude is prevalent even when you pay for services.
It is unreasonable to expect the average user to handle this unless you provide very easy ways for them to backup and/or recover their data themselves. Google doesn’t. It’s not part of the business model. One issue is that most users quite naturally assume it is. If Google publicly said this they’d be off the hook, but I’ve sure never heard them mention this in their self-promotional infomercials.
This article could be sub-titled a la “What it’s like to be hacked – or why you should never store important data (without your own offline backup) using SaaS controlled by a third-party, ESPECIALLY if it’s a free service where the provider isn’t accountable to you in any way”.
Excellent point. The problem is that so many people naively assume that companies offering free services like Gmail or Facebook or whatever always have the best interests of the consumer at mind. People on this board are smart and know this but I feel sorry for the average consumer guy who has no clue. And nobody’s telling him either. Hope all those literary people who know nothing about the computers they depend on for their jobs read that guy’s experience at the Atlantic.