
Thread: An analysis of someone's digital life being wiped out.

  1. #1
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default An analysis of someone's digital life being wiped out.

    An interesting article over on Wired analyses how the article author had his digital life wiped out.

    It is partly his own fault, he didn't back up his irreplaceable family photos and correspondence to something that was not connected to the internet (a CD or DVD), however the article reveals some glaring errors in the systems used by companies like Google, Apple and Amazon in the way they secure your data from theft, erasure or abuse.

    http://www.wired.com/gadgetlab/2012/...n-hacking/all/

    It is a long(ish) read, if you skip to the end you will see some of his recommendations, not having a backup email set that uses the same or a similar name to your main one is an obvious one. So in other words don't back up your main email address bushcraftuk56b@gmail.com with bushcraftuk56b@hotmail.com.

    If you own a web domain, try not to use the address that your main accounts use as a residence address for your whois registry entry.

    If you use an apple computer and make use of 'iCloud' do not set up 'Back to my Mac'.

    And if you use Google services set up two-factor authentication for your account.

    An interesting read.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  2. #2

    Default

    Great article, thanks for sharing.
    Great things are done when men and mountains meet.
    William Blake



  3. #3

    Default

    So the moral of the story = don't have a twitter account ???

  4. #4
    Join Date
    Mar 2012
    Location
    Brighton, UK
    Posts
    151

    Default

    Quote Originally Posted by sandbender View Post
    If you own a web domain, try not to use the address that your main accounts use as a residence address for your whois registry entry.
    Sadly a lot of UK registrars won't offer domain privacy.

  5. #5
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by mousey View Post
    So the moral of the story = don't have a twitter account ???
    I think the moral of the story is don't presume that companies like Apple, Google and Amazon won't simply hand over control of your accounts to anyone who can harvest some fairly straightforward information off the internet.

    This wasn't about the strength of his passwords, but flaws that exist in the password recovery systems of those companies.

    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  6. #6

    Default

    Quote Originally Posted by sandbender View Post
    I think the moral of the story is don't presume that companies like Apple, Google and Amazon won't simply hand over control of your accounts to anyone who can harvest some fairly straightforward information off the internet.

    This wasn't about the strength of his passwords, but flaws that exist in the password recovery systems of those companies.

    Oh yea that too

  7. #7

    Default

    This wasn't a software exploit, it was a meat-ware hack or social engineering attack and lax processes mostly in Apple and Google.

  8. #8
    Join Date
    Feb 2007
    Location
    Cornwall
    Posts
    732

    Default

    What a fool to have linked accounts etc.

  9. #9
    Join Date
    Jul 2009
    Location
    Here
    Posts
    4,191

    Default

    The scary thing in all this is that this guy is some kind of a technology journalist, and when he's not writing articles about how dumb he's been he's writing articles about everything else that he can think of on the digital scene that people will read, and, quite possibly, believe.

  10. #10

    Default

    I'm slightly confused as to how he has lost all the data from his Macbook. If the hackers simply remotely erased all the data, it would still be located on the hard-drive, just not referenced to any particular location or memory. There are a variety of tools that could extract this data fairly easily. I didn't read the whole article, so I'm not sure if he did in fact do this.

    Anyway, it's an interesting prospect, perhaps more people will think twice before storing all their data in one location and using insecure password recovery questions. It's easy enough to buy an external hard-drive to back up your data, or use something like drop-box.

  11. #11
    Join Date
    Mar 2012
    Location
    Brighton, UK
    Posts
    151

    Default

    What amazes me is how many sheeple have their date of birth on their facebook pages. Not that anyone would use that as part of a security check....

    ps. chris, dropbox got badly compromised about 6 months ago. The basic answer is to assume nothing is totally secure online unless YOU control its encryption. Now if you ran truecrypt too, you'd be safe
    Last edited by ebt.; 07-08-2012 at 23:56.

  12. #12
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by chris_irwin View Post
    "...I'm slightly confused as to how he has lost all the data from his Macbook. If the hackers simply remotely erased all the data, it would still be located on the hard-drive, just not referenced to any particular location or memory. There are a variety of tools that could extract this data fairly easily. I didn't read the whole article, so I'm not sure if he did in fact do this..."
    The 'Back to my Mac' system referred to in the original article allows a Mac owner to remotely lockdown an already encrypted hard drive on a stolen computer. Which probably seemed like a cool idea when he set it up, not so cool when someone can so easily compromise his system and lock him out of all his Apple devices.

    His data is still on his machines but now encrypted with a password he doesn't have and will never know.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  13. #13

    Default

    Quote Originally Posted by ged View Post
    The scary thing in all this is that this guy is some kind of a technology journalist, and when he's not writing articles about how dumb he's been he's writing articles about everything else that he can think of on the digital scene that people will read, and, quite possibly, believe.
    Spot on, most 'experts' are making it up like the rest of us...

    Never trust what you read and only trust technology as far as you can throw it

  14. #14

    Default

    Would he have been stiffed if he had all his important data / pics / life on an external hard drive?

  15. #15
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by beachlover View Post
    Would he have been stiffed if he had all his important data / pics / life on an external hard drive?
    No, he'd have been fine. He had an Apple computer the OS of which has an 'idiot proof' backup system for just that purpose. However his emails would still have been lost if he wasn't using some form of desktop mail program to make local copies from his gmail mail.

    Of course any data stored on a hard drive is temporary, all hard drives can and will fail. Always back up your irreplaceable data to multiple CDs or DVDs.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  16. #16

    Default

    Mail (OSX default mail client) automatically backs up on Macs to the Time Capsule; Thunderbird, however, does not, so it depends on how clean he liked his inbox. Also, the Find My Mac and secure erase features are present on the Time Capsules too, so they can be remote wiped as well.

    This kind of thing happens quite a lot, but is only really brought to light when a journalist happens to have it done to them. I have lost count of the amount of people who get in touch with me when they have been owned by someone; a surprising amount of people have it done by former girlfriends or boyfriends. I am lucky in that I can normally help get most on-line accounts back under control, and I do data recovery (forensics grade) on a PC or laptop that's been formatted.

  17. #17
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by abominable_scouse_monster View Post
    "...Mail (OSX default mail client) automatically backs up on Macs to the Time Capsule; Thunderbird, however, does not, so it depends on how clean he liked his inbox. Also, the Find My Mac and secure erase features are present on the Time Capsules too, so they can be remote wiped as well..."
    I didn't know that a time capsule could be zapped too.

    For the PC users, a 'Time Capsule' is a wireless backup drive used by Apple's 'Time Machine' application. However the Application will also work with a hard drive that you only plug in now and then and otherwise keep disconnected in a bag or drawer, in that situation the data would be recoverable.

    Mozilla's Thunderbird mail application will by default store your email locally on your hard drive, and thus would be recoverable if you'd backed up either your entire hard drive or at least your home folder to CD/DVD or an off-board hard drive.

    However, as with OS X's Mail program, Thunderbird does not store emails in the commonly used .mbox format; a bit of jiggery pokery is needed to do so with both applications and indeed with many PC based mail programs too.

    Backing your emails up to the .mbox format will allow you to import your old emails in other programs or other web based mail providers.

    Last edited by sandbender; 09-08-2012 at 09:47.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  18. #18

    Default

    I always recommend keeping at least two backups: one that is easily accessible, i.e. a NAS like the Time Capsule, and a 2nd off line. I have a DD image of all my drives in a 2nd location, taken once a week automatically overnight to a set of drives that's only ever used for backups and kept off line when not backing up.

  19. #19
    Join Date
    Apr 2005
    Location
    Shuffling about in the Fourth Dimension
    Posts
    7,931

    Default

    I now back up my photos once a month or after a particularly productive trip, onto a separate hard drive which is then removed.

    But I must confess it's still kept in the same building as I have no easy options there.
    Wayland

    _ _ _Wayland's World____________ Living a life less ordinary.

  20. #20

    Default

    If you want I can post up an automated backup tutorial I wrote a while ago with updates etc. And Wayland, can you take a copy on CD or external HDD and leave it at a friend's or relative's house?

  21. #21
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by Wayland View Post
    I now back up my photos once a month or after a particularly productive trip, onto a separate hard drive which is then removed.

    But I must confess it's still kept in the same building as I have no easy options there.
    Indeed, a hard drive might well survive a house fire, but maybe not. I usually back up my photos to DVD and store those at the in-laws place, far from perfect and it only happens every month or so.

    I read that flickr will store an unlimited number of your photos in a non public gallery however unless you pay them they limit the amount you can upload each month.

    Google will also provide non public galleries with unlimited free storage and no upload limits but they will automatically reduce the photograph dimensions to 2048 x 2048 pixels.

    Neither is perfect.

    For shorter term backups I use dropbox, I can upload about 8GB of photos there and delete as I periodically back up my images to DVD or separate hard drive, the process is automatic as the 'import folder' for my camera sits within my dropbox folder.

    I use Picasa to organise my photographs and that program has a facility that permits incremental backups to DVD, in other words I do not have to back up 100 GB of photos every month. Picasa will only back up any new (or edited) images that have been added. If it all goes pear shaped I can rebuild my library from all those previous discs.
    Last edited by sandbender; 09-08-2012 at 10:58.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  22. #22

    Default

    Thing is Sandbender, if you read the T&C's for the free service you forgo your ownership rights to the image. Lots of the free services do this as they can then either sell your images or make some profit claim from them if they so desire (advertising etc). I hate to use the following buzzword but "The Cloud" is nothing but trouble from a data ownership and security point of view. Lots of enterprises already use "The Cloud" and lots of business managers are now using that term, but it's on their own infrastructure that they own and that they control.

    The free options are free for a reason, and as I said you can for the most part kiss your IP ownership goodbye to each and every file you send to one of them.

  23. #23
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by abominable_scouse_monster View Post
    "...Thing is Sandbender if you read the T&C's for the free service you forgo your ownership rights to the image..."
    No, you don't lose ownership of your images and files, that is an urban myth.

    However if you post an image to say your Blogger account or a Picasa gallery then you have agreed to allow Google certain rights which they claim are 'only to help them promote their services'. Google will not 'sell your images or make some profit claim from them'. I understand that some folks might be worried about losing ownership of documents or photos they upload and maybe there are firms out there who might do that kind of thing, but Google? They make their money harvesting data about what you (and practically everyone else) do and what interests you, that they flog and make piles of money from, they don't need your photos.

    To quote Google's TOS...

    "Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours."

    But they also say...

    "...When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content..."

    Which sounds much creepier, but this isn't about a multi billion dollar company nicking your family photos, it's about you allowing them to access your files, back them up to their backup servers, to modify them (to create thumbnail images for instance) etc. etc.

    However you are quite right to be worried about everyone and their aunt moving all their digital life into the cloud and relying wholly on the cloud to keep their stuff safe, which is why I thought the original post in this thread might be of interest to folks.

    I'm not sure about Flickr, I have an account with them but it doesn't get out much.
    Last edited by sandbender; 09-08-2012 at 12:02.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  24. #24

    Default

    In legal terms the second quote is giving up your IP without saying it; since Facefarce got away with it a few companies started doing it, nice little IP boost for them. They make any change to anything, say change a pixel in an image / resize it, that legally counts as a derivative work, then they own the IP. About the only thing they won't touch because of the massive PR mess it would cause is anything GPL licensed, but BSD licensed and a few other licences are fair game when it comes to source code, and that is one thing I generate a lot of and only release what I need to, and would like to keep Google at arm's length.

    When Google Drive came out I thought interesting, read the T&C's then decided not to use it. They offer it to their business clients too with the same T&C's and most smart places say no to it right away.

  25. #25
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by abominable_scouse_monster View Post
    "...In legal terms the second quote is giving up your IP without saying it..."
    No, really, it isn't.

    Just to be clear, I don't work for Google and they don't pay me anything, although that would be nice, maybe they'd give me a new laptop.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley

  26. #26
    Join Date
    Mar 2012
    Location
    Brighton, UK
    Posts
    151

    Default

    Quote Originally Posted by abominable_scouse_monster View Post
    Thing is Sandbender, if you read the T&C's for the free service you forgo your ownership rights to the image.
    I'll say it again, Truecrypt. Just host the encrypted volume (drive) on dropbox, cloud, carrier pigeon whatever. It's free, open source, cross platform (mac, pc etc) and it's military grade encryption. Whether you want to store bank details, or illicit smutty pictures of your shiny bushcrafting addiction, it'll do the job.

    At the end of the day, if you want things to be secure, YOU need to manage the security.....not trust some huge faceless entity who may/may not manage security. Not sure if people follow this sorta stuff, but it's a hangover from a previous life of mine. Even RSA got compromised recently, size/reputation is not an indication of reliability.
    Last edited by ebt.; 09-08-2012 at 12:41.

  27. #27
    Join Date
    Nov 2004
    Location
    Hungary
    Posts
    4,095

    Default

    Quote Originally Posted by ebt. View Post
    "...I'll say it again, Truecrypt...
    That's my choice too.

    Quote Originally Posted by ebt. View Post
    "...YOU need to manage the security.....not trust some huge faceless entity who may/may not manage security...
    Yep, in a nutshell.
    “Yes, but I like knives, axes and fires, why do I need to learn all about this green stuff?”
    Paul Kirtley
