Brought to you by the reinvented two thousand twelve Camry. It's ready. Get in touch with technology with TechStuff from HowStuffWorks.com.

Hello everyone, and welcome to TechStuff. My name is Chris Pollette and I'm an editor at HowStuffWorks.com. Sitting across from me, as always, is senior writer Jonathan Strickland. Hey there. Yes, today we have sort of a sobering topic to discuss. Yes. Now, when we're recording this, it's in August, early August. It's August, actually, and earlier this week there was a news story that broke, throughout the Twittersphere really first and then beyond, about a tech journalist named Mat Honan, who has written for various publications, including Wired, and how he had essentially his entire digital life hacked over the course of about thirty minutes. And to kind of explain what happened, first we'll sort of talk about the way he discovered this through his personal experience, and then how the hackers did it, and then what needs to happen so that we protect ourselves against such things happening in the future.

So to start, he was playing with his kid and he noticed that his iPhone had shut down, so it crashed essentially, and he thought, oh, well, that's annoying. I guess I'll have to go and connect it to my computer, restore from backup, and just get this thing going again. He didn't really think much of it, because, you know, technology occasionally fails. Yes. So then he goes over to his computer and tries to start that up, and that also isn't loading up properly. It's asking him for information that he doesn't have and it won't accept his password, and so he's thinking, well, that's weird, but again he doesn't panic yet. He then thinks about trying his iPad, which also isn't working, and he tries logging into his Google account using a
different computer, and that also gives him a failure. And it's at that point where he's thinking something seriously wrong is happening. And eventually he starts noticing that his own Twitter handle is posting stuff, and he's not the one doing it, and so he can't access his Twitter account anymore either. And there are these horrible Twitter messages, with various, you know, inappropriate tweets going out, things that are racist or homophobic, or having lots of foul language in them, and it's just, you know, it's beyond his control.

He gets on the phone with Apple trying to find out what's going on, to explain that his account has been hacked, and it takes him quite some time before they were able to sort this out. Part of the reason is that they, for a while, were looking at the wrong account. They had his name wrong, and so they were looking at an account that had none of the issues he was explaining. And then when the Apple representative repeated his name back to him, that's when he said, wait a minute, that's not who I am. I'm Mat Honan. You've got the wrong name. And then once they switched their focus, then they started seeing, oh, well, before you called in... and actually I think Honan had to ask about this. They didn't volunteer this information. But before Honan had called in, someone else had called in to regain access. They said, to regain access. Really it was
to gain access for the first time. It was the hackers who had called in, because they had claimed that they no longer had the password or security question answers, so they could not get the password normally. They were trying to get into his .me email. And the reason for all of this is probably the craziest part of the story, although the pathway of how the hackers got to the point where they were able to do all these things... You know, once they got access to his iCloud account, they were able to do things like wipe his devices, which is what happened. They wiped his iPhone, his Mac, and his iPad, in part to prevent him from being able to head them off while they were going down this trail of hacking his digital life. They were also able, because of the way he had interconnected various accounts, to do things like reset his Google password and send the message to the .me address, which they already had access to. Yes, because they had gained it from Apple. Once they got the password for the Google account, then they were able to get the password for Twitter, because that's where he had his Twitter account attached, to his Google account. So it was kind of a leapfrog thing, right. They could do a password recovery from one system. It would send the message to one of the email addresses that was already compromised, and then they would get access to the next thing.

Turns out what the hackers were interested in from the very beginning was getting hold of his Twitter account and posting these messages. That's really just for laughs. That's all they really wanted to do. They weren't really out to make a big show that, you know,
it should be Mat Honan that should suffer for this. It had nothing to do with Gizmodo, which Honan had written for. His account was linked to Gizmodo's account, and it had never been unlinked, even though he no longer wrote for Gizmodo, so they also had access to Gizmodo's Twitter account and hijacked that for a while. So, you know, it turned out the only reason they wanted to get his Twitter account was because he had one of the rarest things on Twitter, a three-letter Twitter handle, because most people had to go with a longer Twitter handle, because of course, once one's taken, it's gone. So people who managed to land one of those three-letter accounts are rare, and so they thought, oh, this is... that's why they targeted this particular Twitter account. It had nothing to do with him personally, had nothing to do with who he worked for, and had nothing to do with the fact that he was a tech journalist. It was just because his Twitter handle was three letters long.

And that's crazy to me. First of all, that they were willing to go through the steps that they had to go through in order to get this one Twitter account. Well, that's true, although it only took them a little less than an hour to accomplish. Once they had determined their route of attack, it was all over.
So the way they did this was not through any kind of crazy sit-down-at-the-computer, type-in-the-password-three-times-and-then-you-may-get-in type thing. And it certainly wasn't a Hollywood-style hacker brute-force attack where there was, you know, some group of hackers trying everything they could to brute-force their way in. Yeah, it wasn't like a computer program that was just running password after password and you see the little digits flip up each time you hit one. That's correct, that wasn't what happened. What happened was much more simple, really, in a way, because it had nothing to do with using code. It has everything to do with manipulating systems, but from a person perspective, or a policy perspective, not from a technological one. Yeah, and it's also clear that although Apple's security procedures are in part at fault, they are not the only ones the hackers targeted to get more information on Honan, and it just so happened that the information they needed coincided across multiple companies with his accounts, and once they got some information from a couple of places, they were easily able to go in and fiddle with other stuff.

There are really three parties that are... I don't want to say at fault; you don't blame the victim. There are three parties that made this possible for the hackers to get the access to the accounts. One of those is Honan himself. Yeah, and he freely admits that. Yes. He has written an incredible article that documents this entire process and what he went through. He blogged about it when it happened, but then he
wrote up a much more comprehensive account of it for Wired, and it's a very interesting read. I highly recommend you read it, especially if you're concerned with your own potential security, computer security. So he was at fault and not at fault; some of his choices made this possible. Amazon, Amazon.com, also its policies made this possible. And Apple's policies made this possible. So those three parties together made it possible for the hackers to achieve this, and it's kind of interesting how they came about it. Yeah, and some of the irony as we get into this is that some of the very things that made this possible are in place specifically to make it more difficult for someone to steal identities. So some of these procedures actually worked in exactly the opposite way from how they were intended when they were implemented.

So the way this started off was fairly clever. First the hackers did a little recon work, and they wanted to find out about how they would get the access to the Twitter account. And then they were able to find out Honan's email address because he has a website. They went to the website, they did a WHOIS lookup on Honan, which gave them two things they needed. They needed the email address and they needed his physical address. Yeah. Now, if you register a domain name, you are required to have contact information available, and that information is publicly available. Now, some... well, we could talk about that too, but anyway, the WHOIS record for the domain had his information in it. Yeah. So once they had that information, the Google account and... just the email address,
they didn't have access to the account yet. They figured out that the Twitter account was linked to the personal website. That's where they found the Gmail address. That's where they found the physical address. And then they started to look at the account recovery for Google, and without actually sending in a recovery request, they saw that the address, which was only partially obscured per Google's policy, was an @me.com email address. That was the recovery address. Well, that's an Apple thing, right. So that's where they said, ah, now we know how to get at him, because if we did a password recovery on his Google address, that will go to an Apple address, and because we know how to manipulate the system so that we can get access to his Apple account, it's all over.

And the way they got access to the Apple account was kind of interesting. Now, they did not have the password, they did not have the answer to security questions, so calling up Apple and getting access to this account would require that they have some other information. What Apple requires is that you have to have the billing address and the last four digits of the credit card you used to establish that account. So what the hackers did was they said, well, there's a good chance that the same credit card this guy used to establish his iCloud account is the one that he uses for Amazon. And so instead of calling Apple first, they called Amazon first, and they said that they wanted to add a credit card number to the existing Amazon account. So they weren't trying to get the credit card number. They wanted to add a credit card number, right. So then they add a credit card number to the Amazon account.
Then they hang up. Then they call Amazon back and they say that they have lost access to their account, and that they will provide the name, the billing address, which they already have from the WHOIS lookup of the website, and then the credit card number they gave at the call they made earlier. So there's now this credit card number that is legit because they provided it. It's not the same one that was used to establish the account in the first place. So then Amazon says, oh, all right, well, we'll send you the password to the account. Which email address do you want it to go to? So the hackers give their email address, or an email address that they have created for the purposes of this hack. So now Amazon sends the login information to that email account. They log into the Amazon.com account, and then they look for the other credit card number, the one that was actually used to establish that account. So this is Honan's actual final four digits, because those are unmasked in the Amazon.com system. Yes, they mask the rest of it, right. Yeah, the rest of the numbers are masked. So it's not that the hackers ever had access to the credit card, other than they could have bought a whole bunch of stuff on Amazon and had it sent somewhere. But that's all. Yeah, that's what they could have done if they had wanted to, but they could not actually pull the credit card number itself, other than the last four digits.
But those last four digits are what Apple needs for account verification, right. So they take those four digits, they've got the billing address, they give a call to Apple. They give that information, and because Honan used the same billing address and the same credit card for both services, Apple said, oh, well then you're clearly this guy. We will send you the account retrieval information to your email address. So then they now have the way to log into Honan's iCloud account. They do that. That's where they then disable his devices. They wipe them to help slow things down so they can continue to do this stuff. Now they have access to his Apple email, they have access to his Amazon account. That's when they go to the Google password recovery and ask for the recovery information so that they can access his Google account. Well, that goes to his Apple address, which they already have access to. The information comes to the Apple address, they go into the Google account. They immediately delete the password recovery email out of his account so that if he has any other devices that would alert him that his password had been changed, he would not be aware of it. So they hide that, they change the password so that now they've locked him out, they have access to his Google account. They then were able to go and get access to the Twitter account.

This is kind of scary. And again, it has nothing to do with sitting down and coding stuff. It is hacking. You're hacking a system, but you're doing it more through social engineering and manipulating policies and systems. Right. So if you guys remember, we had that discussion, and I think it was episode three ninety-nine, where we interviewed Brian Brushwood and we
talked about social engineering. Now with Brushwood, his approach to social engineering is more about, you know, having fun. Like, you're in a social situation where you never have to buy a drink because you're doing these cool things and convincing other people to buy drinks for you, or you're doing something so that you can get the phone number of someone you're interested in. So you're still social engineering people, but it's not necessarily as nefarious as what these hackers were doing. Yeah, and it's not typically what one thinks of when one thinks of identity theft. I mean, again, a lot of us would look at specifically maybe the Amazon portion of this, or an online retail portion of this, and say, oh, well, they got access to his credit card number, they can buy stuff. Well, yeah, and in a lot of cases that may be what a hacker might try to do. After all, we have talked about online systems being hacked for financial information and financial gain, but that's not the point of this.

The system that I was speaking of a few minutes ago, when I was saying that ironically some of these things were turned against him, tools that would be used to protect him... If you're not an Apple customer, you may not be aware. There's an iCloud system called Find My, and there are a couple of them, like Find My iPhone. Yeah. So let's say, you know, we're talking completely hypothetically here. Let's say you have an iPhone and your kid has run off with it and stuffed it somewhere in some piece of furniture, or dropped it, or you left it in a cab. Or you left it in a cab. Well, if you're Natali Del Conte... Well, yeah. Well, I was going to start with the easy one. You can make your phone make a noise, so you know it's in the house but you
can't figure out where it went. I'd like to have one of these for my keys, and maybe the remote. But you know you can make it make a noise, or if you've left it in a cab, you can have it tell you roughly where it is. This is especially useful if you can't remember if you left it in a cab, or at a restaurant, whatever, or, you know, you were at a bar and you had a prototype version of the newest iPhone and it was sitting on the stool next to you when you were sitting there at the bar, but then when you turned around it was gone, and then it ends up at some tech blog. Yeah, well, that could happen. Yeah, their Twitter feed could be hacked too. But yeah, I mean, so you can find out where it is. You can have it make a noise so that if it is in the same location as you are, you can track it down. If you don't know where it is, let's say you did leave it in a bar somewhere, and you say, oh, well, I don't know where that is. And you could see a location; it shows you on the map where it might be. Oh, it's no longer in my control. It's somewhere where I don't know where it is. I have sensitive information on there. My calendar's on there, my contacts are on there. As Honan himself said, he had information from many other tech journalists. So he might just... let's say he was still in control of his accounts, but no longer in control of the device. He could say, wipe this device. I don't
want anything on it anymore. You know, I want to wipe it clean so that nobody else gains information in my personal stuff. It's only a matter of time before they figure out my passcode. Wipe it clean. You can tell it to do that and it will remotely do that. Apple has added that for the Mac too, Find My Mac. So in that case, let's say he had corporate information. Many companies have this policy in place: yes, you can check your corporate email on your personal device, but if you do that, we retain the right to wipe the information on the device if it should fall into somebody else's hands, or let's say that you were to either be fired or you left or whatever. They might retain that right so that they can protect themselves as a corporate entity. Yeah, so there are positive reasons to be able to do this.

In this case, once the hackers gained information about his account and were able to get access to his account and lock him out, they also chose to completely wipe his phone, his iPad, and his Mac laptop. And in doing so, they not only wiped out any, you know, corporate information. He's a freelance writer, so any articles he might have been working on that were on his hard drive, gone. He also lost a year's worth or more, I guess, of photos, personal photos, personal stuff that he had created. And yeah, this leads us to the thing that we have said a billion times on this podcast (that is an exaggeration), but back up your data. Yeah, and he admits he was not regularly backing up his hard drive. This is not to pick on him or anything else. It's something that he wishes in retrospect he had been doing on a regular basis, because, oddly enough, this is where this story takes an
unusual turn. He has been in contact with his hackers and has agreed not to press charges; in return, they were telling him how they did it. Yes, and I think, first of all, the first thing we can agree on easily is that Amazon has to change its policy. Well, yeah, because that's the first step; that means that anyone could access anyone else's Amazon account. Well, I wasn't going to get there quite yet. I wanted to make the point that this is where it kind of gets a little weird, because they shared all this information with him, and this is how he was able to write such a comprehensive post on Wired about it: they told him what they were doing, what the point of it was. They admitted, look, you know, we weren't trying to steal your stuff. We weren't really trying to wipe out your personal life. We have nothing against you personally. We wanted your Twitter account. The guy that he talked to primarily was saying, essentially, hey, you know, my partner was the one who wiped out your computer, and now that you tell me all your personal files, the pictures of your kid, were on here, I'm really sorry. Yeah, I'm actually really sorry. I didn't mean to cause you personal harm as a result of this. And they say... now, I don't know whether their motives are as pure as they say. They say part of it was that they wanted to point out that it really is this easy to hack into your personal account, and they wanted to draw attention to that. Now, hackers say that all the time. I suspect, based upon the messages that they posted on Twitter, that that's something they... that's covering their tracks. I
think they were doing it for the kicks. Yes, well, if you're looking at, again, if you're reading the Twitter posts that were posted under his name, there were a lot that he left there. He says, I wanted to keep a record of it. He did delete some because they were overly hurtful, patently offensive, and he said, you know, these could actually cause people to feel badly about themselves, and I don't want that. I do want there to be a record of what had happened, but not at the expense of someone else's feelings, other than my own, obviously. So then he went out and he deleted the ones he felt were particularly offensive, and then the rest he left up. If you read those, I think it's pretty hard to defend yourself with "I'm just showing how the system can be hacked." It's more than that. It's also, hey, you know, ha ha, we did it. And so it goes beyond that. And I think it's very telling. The hacker he got in touch with, assuming that the information he gave about himself was accurate, is a young guy, nineteen years old, who might not quite be mature enough to realize what the consequences are of those actions and how they could affect the target beyond just... oh, you know, they're thinking, we have a goal, we want to get hold of this Twitter account. They're not thinking of what consequences are going to be felt by the target beyond just the fact that their Twitter handle has been taken over, and so some of that may just be that they were very narrowly focused on what they wanted to do and they didn't really consider what could happen or how it would feel for that sort of stuff to happen to
a person. So that's something there too, and we see that a lot. I mean, there are a lot of hackers out there who, because they can do something, they'll do it, and they don't realize or they don't care what the consequences of that action are going to be to the people who are also involved in that, whatever that situation is. So maybe now this... you know, according to the article, it sounds like this guy is at least a little remorseful. Yes, that he's feeling some remorse for this, and, you know, we don't know if he was really at all culpable in the actual deletion. He claims that it was the other guy who did it, but you know, you never know. So, yeah, it's interesting to look at that.

And, you know, if you kind of put yourself in the shoes of the hacker, especially if you're thinking of somebody who is doing it for fun, to mess with somebody, and the person says, hey, look, I'm not going to press charges against you, but I want to know how you did it. He starts thinking, hey, this guy is working with me. You know, the heat of the moment's off, the sense of accomplishment you get from hacking in and gaining access to all this information. After the fact, you've had a chance to cool down, they've had a chance to cool down. You start thinking about it, like, well, you know what, this guy is not angry enough with me to press charges with the cops. We kind of damaged this guy, and he's willing to talk to us
about it and share the story online. And, you know, they kind of got something out of it too. They kind of got a little anonymous press, so they get to point to themselves and say, hey, look, he's talking about us. He doesn't seem like such a bad guy. I guess we kind of, you know, burned a lot of stuff of his online. That kind of stinks. We were really kind of doing it for the fun of it, and now it's not so much fun. You're like a decent guy, now you know that there's a real person on the other end of that account. That's the other thing: there's a dehumanizing effect sometimes with the whole... you know, you don't really identify the fact that there's a person on the other end of these accounts. Sometimes you don't; the concept isn't fully formed. Yeah, for a lot of us, we would have gone out, and if we had found out who did it, we would have pressed charges. We would have wanted to take them... Now, some of us would have re-enacted the film Taken. But, well, yeah, that's what makes this story more interesting than other hacking stories, I think, is that it's got a humanizing character for both parties, the person or people who took advantage of Honan, and Honan himself.

And it does point to security issues. Now, these are legitimate. If you think about your Amazon account, for example, let's say you don't have anything else except an email account and an Amazon account. By and large, you probably wouldn't have a lot of these security issues. The security issues that Amazon would have in place would make it very difficult for someone else to get that information from them. But then you start sharing. You start using this email address with Amazon and every other company that you
do business with online. That makes your email address a key to getting information from other companies. And then you start doing business with other pieces. You've got the same credit card number across these different companies, and once you have the last four digits of your Social Security number or a credit card number, that makes it possible to use that information as a key across multiple entities. And all of a sudden, if you do business with a whole bunch of places, they get something like your physical address, your name, your email address, a credit card number, any of that stuff, and they've got the keys to open lots and lots of accounts for them to get more information. And once they've hacked one, they can get information that will let them into lots and lots of other places. Oh, they have an Amazon account; I wonder if they have a Barnes and Noble account. We could find out in about ten minutes.

So Honan admits that his password was not the strongest. It was a seven-digit alphanumeric password, but it was one he had used for many years. But they didn't... right, right. So that's the point of this thing, is that even if he had had the strongest password in the world, it would not have mattered, because they circumvented that. They weren't attacking through that direction. And this demonstrates why security is so tough, because you think about the most obvious point of entry, which would be the login, right, your username and your password. That's the most obvious point
because that's the way we access our information. Hackers are looking at a system and saying, what's the most vulnerable spot to go in at? And if the front door is heavily locked, you look for a window or a back door, you look for something else that's going to let you get in there, and not even... you just bypass the place where you've got all the security and you go in through a different entrance.

So when I said that Amazon really needs to work on its policy, mainly the reason for that is that the only thing you needed in order to get that login recovery information was the credit card number that's associated with the account, which they did by adding in one, the billing address, and an email address, and that's it. And in order to add the credit card number, all you need is the billing address and the email address that is associated with the account. So, you know, using some guesswork, thinking that, okay, well, he's got an Amazon account. He's probably got an Amazon account. He's probably using this address for that Amazon account. We know his address because we looked it up from his website. We can fabricate a credit card using a generator that creates a realistic but not actually activated credit card number, and assign that to the Amazon account, and then use that to get the entry point. So obviously Amazon needs to fix that, because if all you have is a person's address and you have a good guess at what email address they use for that Amazon account, then you could do the same thing. And so that's number one. Number two would be the fact that Apple uses the last four digits of the credit card and the billing address as a security recovery method. Clearly that
needs to change in some way. Yeah, I think there are a couple of things. Now, if you read... there's an account on Honan's Tumblr, and if you want to read some truly hurtful comments, I would suggest reading that, because some people blame him for owning Apple devices, which is ridiculous. In fact, the one that bugged me probably the most was the one that said, serves him right for owning iCrap. And I'm going, you know, this really could have happened with pretty much any manufacturer. Yeah, it's just, I mean, Apple had policies that they were able to leverage. That's not to say that other companies don't have those same policies. It's just that Apple's were well known to them, so once they saw the me.com addresses, that's all right, we know how to do this. Yeah. And the thing is, I would say the vast majority of online retailers, or companies that offer services online... I mean, they knew how to get into a Google account too, and a lot of them have the same policies. So if you can get, as they did, if you can get one piece, then you can apply it to other pieces and get information from them and put the whole puzzle together that way.

So it's not... while I've seen people singling out Apple and Amazon, and they should to some degree be considering new stuff, it's not just their fault. The catch-22 here is, once you make an account so locked down that it's extremely hard to get into, it's also hard for you to get into when you do forget your password, when you do forget what credit card you used. Say you've got ten credit cards. Let's say you shredded one of them because
you don't use that card anymore. But that's the one that you set up the account with two years ago. Well, now you can't get back in. And so if they lock it down too hard, then you can't get back in either. So that's why they make it. Yeah, that's why they make those those pieces available. Well, can you tell me the last four digits of your Social Security number? Oh? Yeah, I know those. Well they got that from somebody else.
So there's a catch-22 here. How secure is secure enough, and not so secure that it locks you out forever? So there is that challenge. Part of it is, when we're talking about the domain name, they were able to get information from his domain name. And there are things you can do there too. A lot of the services, the places where you can register domain names, offer a secure service where you pay an additional fee per year, or per however often you renew your domain name, that will lock it down so that basically the registrar is responsible for it. So if you want to contact the owner of the domain name to, say, make them an offer, hey, we want so-and-so.com, you've got it, can we offer you ten thousand dollars and buy the domain name from you? It would go through your registrar and you would get contacted for it. But your information is not the information out there, so there's a proxy between you and them. That would have helped him too; if he had had something like that in place, it would have helped lock it down. Google, it's kind of interesting, because what Google showed them was m******n at, you know, the Gmail name. They were pretty right in guessing that it was his first initial, last name. He had that address at several places. He points that out, and that was easy. Could Google fix that and make it more obscure so that it wouldn't be so easy to guess? Maybe. Could he have picked a more difficult name to use as his backup email address? Probably. But there are lots of little things that everyone involved could have done to make it more difficult.
And Google also has a two-step verification process. That's exactly what I was going to mention next. Two-part authentication is a useful approach. I've used it. Yeah, I've used it. So two-part authentication is kind of what it sounds like. You need to have two different things in order to be able to act as the account. And a typical approach is that you register a phone number with whatever the service is, like a cell phone. You register that cell phone with whatever the service is, and then when you try to access it, you have to be able to provide not only the password, but then an authentication code is sent to your device that you have registered, and you have to insert whatever that number is, and then, and only then, can you actually access whatever the account is. And that helps a lot, because as long as that device remains in your possession and no one has been able to intercept it in any way, you should be fairly safe. So even if they try to reset the password, they can't get access to it, because they're trying through a different device that has not been registered, and then you get that message. And we've seen variations of this as well, not just two-part authentication, but also registering devices with services. Lots of them do that so that you can look at the different sessions that are logged in through a particular service, and then if you see that there's one there that you don't recognize, someone might have access to your account. So, for example, Facebook does this, where if you try and access your Facebook account through different devices, it may tell you, hey, I don't recognize this device. This isn't something that you've used to access this account before. And it'll send an email to you and let you know, hey, someone's accessing this. Is this you? Because if it's you, it's cool. But if it's not you, then you need to look into this now. Again, this is a good tool for people who feel like they may have been hacked. However, let's say that the person who is trying to hack into your Facebook account also has control of your email address. Then when they say, hey, is this you, and they send that to your email address, well, they've got that email address. Yes, if it's gotten to that point, this particular approach doesn't really help you. But there are other things that you can do, because there are some things that you can't have any control over. It's the companies you work with. Well, one, you can choose which companies you associate yourself with, but beyond that, you know, you have to hope that they put the right stuff in place to protect you. What you can do: one, continue to use strong passwords, and don't use the same ones across multiple platforms, because if one account does get compromised, it makes it way easier for all the others to get compromised. It's the domino effect. Yeah, so you want to start picking some pretty tough passwords and vary them across accounts and change them fairly regularly, because the longer they stay, the more likely you're going to encounter a problem. Use some sort of password manager so that you can keep track of them all, because, you know, the flip side of a strong password is it's really hard to remember. So if you've got lots and lots of online accounts, then it's going to be really challenging to keep all those straight. So some sort of password manager is important. Also, think about what you share before you share it online, because some of the details you share may also serve as answers to various security questions, or they may give off other information that companies use to verify identity. So be careful about that.
You know, don't be too free with personal information if that information could be used to circumvent security systems. One suggestion I've always heard is that when you create answers to security questions, you're essentially creating another password. You don't answer the question; you put something else in there, something unrelated but something you will easily remember. All right, so something that doesn't have to be a strong password. In other words, it just needs to be a keyword that doesn't have anything to do with the question, but it's a keyword you are guaranteed to remember. So, for example, if you've seen something that asked for the model of your first car, you could say something like grapefruit. Yeah, which, well, I know if I'm asked about my car, I'm going to say grapefruit. Somebody might go, oh, it's a Chevy. They might have looked on your Facebook page, and you might have had a thing that says, man, I have such great memories of my first car, and then you have a picture of it on there. Well, that's all they would need to be able to answer that question if you used the right answer, or a corresponding answer. So if you've done, say, a thing on genealogy, and you've, you know, talked about your parents and said, well, you know, my mother, who was so-and-so, and it's like, what's your mother's maiden name? Oh, well, I know it was Stevens, because I saw it on their Facebook account. Well, that's pretty easy to track down. And speaking of Facebook, it occurs to me that a lot of sites these days are using Facebook Connect or Google or Yahoo, and you can say, hey, would you like to sign in with your blank account? Some of them exclusively do that, where you cannot access it unless you happen to have one of those accounts. Yes, like I believe Pinterest, you had to log in through Facebook when it first started. I don't know if that's still the case. And Spotify, you know, had switched to requiring Facebook. Okay. So if they gain access to your Facebook account, all of a sudden they've got access to every other account that you've used that login with. So when they offer you an opportunity to create a separate login, maybe you should take that opportunity. Yeah, it's a pain.
It is a pain. And the whole point about Facebook Connect is that it makes it much more convenient. You know, Facebook loves it because it becomes the platform for the Internet, and people love it because it means that it's one less thing they have to worry about when they want to log in. But it does mean that there is this point of vulnerability that is incredibly attractive to someone who wants to get access to your stuff, because if they get access to one thing, they get access to a dozen more. And I say Facebook, but like Chris was saying, it's not just Facebook. Google is the same way. There are lots of different services that you could potentially access if you have a Google account. Another suggestion I've seen is that there are a lot of services out there that some of us will sign up for and then stop using and then forget about. It might not be a bad idea, if you never use those services, to go back and check and delete those accounts, because those are other points of vulnerability, especially if you do tend to use the same group of passwords over and over and hackers get access to something, particularly if it's something that isn't terribly popular anymore, and maybe as a result the security measures aren't as up to date as they could be. It's a possibility; you might want to get rid of that stuff. So, you know, that MySpace account that you haven't checked in four years, maybe it's time to just go ahead and close that out, that kind of stuff. Yeah. And we've already mentioned, back up your data. It's also very important. Yeah, so basic tips that you can follow to try and protect yourself, keeping in mind that, you know, a lot of this also depends upon the other parties involved. Yeah. And so, looking back at Matt Honan, did he do something wrong, or, you know, deserving of being, you know... Really, he could have been any of us. And even though he's a known tech journalist, he, you know, sort of succumbed to being human. You know, he had the same password, he didn't change it for a long time, he didn't back up. And I'm sure he's probably told people to do that a thousand times, just like we have. You know, we're all guilty of doing these little things because they're pains in the neck. We don't want to do it, we don't have time to do it. I mean, he's got kids; time's at a premium for him, just like it is for so many of us. You know, is it Apple's fault in particular? Is it Amazon's fault in particular? The only people who are really at fault are the hackers. Yeah, it's the combination of all of these things together that made it possible. It's the hackers that are really at fault. Yeah. And the thing is, yeah, we're all busy, and none of us really wants to make up a new, you know, twenty-four-digit password for each thing and worry about them. No, none of us really wants to mess with that. But the truth of the matter is that all these systems worked together to make this possible. And it's true for all of us. I mean, these vulnerabilities are vulnerabilities for all of us.
I know that Amazon and Apple both have thought about this. It's still kind of fresh as of the recording, yeah, as we're recording this podcast. So, you know, neither of them, I don't think, has made some public proclamation about how they're going to fix this going forward, quote unquote, fix it. Again, what do you do? It's not obvious how to do this. So I think the two-part authentication is probably one of the more obvious approaches. And, well, we might see some other elements thrown in there too. However, I have seen people say, yeah, I turned this on, and it was the point I was making earlier: it made it so difficult that it took me two weeks to figure out how to get back into my account, and it was a real pain in the neck. I got in, but it took me a while, because I kind of laid myself a trap. So it's one of those things where I think you kind of have to work into it and think about this stuff when you set it up, and go back and look at your accounts and see how it's laid out, to fix this for yourself. Yeah, this is why it's really important for companies to hire white hat hackers, who, I mean, all they do is look at systems and try and find ways to breach systems so that those systems can be improved over time. And it's important to get a third party to do it, because when you design a system, again, you may be thinking of the obvious points of entry, which is where you've really put in great security, right? Like, you know, there's no way anyone's going to get through this, at least not in the next five years. We require people to use non-alphanumeric characters. Well, that's great if they're going to use the password, but in this case they used a back door. Yeah. So again, that's why you want to have a third party, because they're not thinking the way you think. They're thinking, how do I get into this system? Not, how strong do I make this door? So yeah, there are certain things companies can do, but there are a lot of things we can do as customers, as users, to try and protect ourselves. And it's a great reminder to you. Don't forget, it's a cautionary tale. And, I mean, in a way it could have turned out way worse than it did. So I'm sure there's some solace in that for Honan, but I mean, I can't imagine, and I really don't want to imagine, how he felt when all that happened. Anyway, that wraps up this discussion about cloud security, maintaining your own security there, and the problems that exist in our digital age. So you guys, if you have any suggestions for topics we should cover in future episodes of TechStuff, you can let us know by sending us an email. Our address is TechStuff at Discovery.com, or send us a message on Facebook or Twitter. Our handle at both of those is TechStuffHSW. And Chris and I will talk to you again really soon. For more on this and thousands of other topics, visit HowStuffWorks.com.