TechStuff Classic: More Data, More Problems

several years ago. This particular episode actually originally published on September three, two twelve, and at the time it was extremely topical. But I would argue that the message behind the show is one that we still should heed today, even though the actual incident now is more than seven years old. But this episode was called More Data, More Problems, and I hope you enjoy now when we're recording this,

it's in August, early August twelve. It's August ten, actually, and earlier this week, there was a news story that broke throughout the Twitter sphere really first and then beyond about a tech journalist named Matt Honan who has written for various UH publications including Wired, and how he had his essentially his entire digital life hacked over the course of about thirty minutes and uh, and to kind of

explain what happened. First, we'll sort of talk about the way he discovered this through his personal experience, and then how the hackers did it, and then what needs to happen so that we protect ourselves against such things happening in the future. So to start, he was he was playing with his kid and he noticed that his iPhone had shut down. It was so it crashed essentially, and

he thought, oh, well, that's annoying. I guess I'll have to go and uh connected to my computer over store from back up and just get this thing going again. He didn't really think much of it, because you know, technology occasionally fails. Yes, So then he goes and he goes over to his computer and tries to start that up, and that also isn't loading up properly. It's asking him for information that he doesn't have and it won't accept his password, and so he's thinking, well, that's weird, but

he doesn't again panic yet. Uh. He then thinks about trying his iPad, which also isn't working, and he tries logging into his Google account using a different computer, and that also gives him a failure, and it's at that point where he's thinking something seriously wrong is happening, and eventually he starts noticing that his own Twitter handle is posting stuff uh, and he's not the one doing it, and so he can't access his Twitter account anymore either.

And they are these horrible Twitter messages with various you know, uh, inappropriate tweets going out things that are racist or homophobic or having lots of foul language in it um and it's just, you know, it's it's just beyond his control. He gets on the phone with Apple trying to find out what's going on, uh, to explain that his his account has been hacked, and it takes him quite some time before they're able to sort this out. Part of the reason is that they, for a while, we're looking

at the wrong account. They had his name wrong, and so they were looking at an account that had none of the issues he was explaining. And then when the Apple representative repeated his name back to him, that's when he said, wait a minute, that's not who I am. I'm Matt Honan. You've got the wrong name. And then once they switched their focus, then they started seeing oh, well before you called in, and actually I think Honan had to ask about this. They didn't. They didn't volunteer

this information. But before Honan had called in, someone else had called in to regain access. They said, to regain access. Really it was to gain access for the first time. It was the hackers who had called in too, because they had claimed that they no longer had the password or security question answers, so they could not get the

password normally. They were trying to get into his dot me email right and the the reason for all of this is probably the craziest part of the story, although the pathway of how the hackers got to the point where they were able to do all these things. You know, once they got access to his iCloud account, they were able to do things like wipe his devices, which is what happened. They wiped his iPhone, his Mac, and his iPad in part to prevent him from being able to

head them off. While they were going down this trail of hacking his digital life. They were also able because of the way he had interconnected various accounts. They were able to do things like reset his Google password, send the message to the dot Me address, which they already had access to. Yes, because they had gained it from Apple.

Once they got the password for the Google account, then they were able to get the password for Twitter because that's where he had his Twitter account attached to his Google account, So it was kind of a leap frog thing, right, he would they could do a password recovery from one system, It would send the message to one of the email addresses that was already compromised, and then they would get

access to the next thing. Turns out what the hackers were interested in from the very beginning was getting hold of his Twitter account and posting these messages. That's really just for laughs. That's all they really wanted to do. They weren't really out to make a big show that you know, it should be Matt Honan that should suffer for this. Uh. They had nothing to do with Gizmodo, which Owen had written for, and his account was linked

to Gizmoto's account. It never been unlinked, even though he no longer wrote for Gizmoto, so they also had access to Gizmodo's Twitter account and hijack that for a while. Um so, you you know, it turned out the only reason they wanted to get his Twitter account was because he had one of the most rare things in Twitter. A three letter Twitter handle, yes, you know, because most people had to go with a longer Twitter handle because

of course, once one's taken, it's gone. Yes, so people who managed to land one of those three letter accounts are rare, and so they thought, oh, this is that's that's why they targeted this particular Twitter account. Had nothing to do with him personally, had nothing to do with who he worked for, and had nothing to do with the fact that he was a tech journalist. It was just because his Twitter handle was three letters long. And

that's crazy to me. First of all, that you know that that was the that they were were willing to go through, the steps that they had to go through in order to get this one Twitter account. Well, that's true, although it only took them a little less than an hour to accomplish. Once they had, once they had determined

their route of attack, it was all over. So the way they did this was not through any kind of crazy sit down at the computer, type in the password three times and then you managed to get in type thing. And it certainly wasn't a Hollywood style hacker brute force attack where there was uh, you know, some group of of hackers trying everything they could to brute force their

way in. Yeah, it wasn't like a computer program that was just running password after password and you see the little like digits flip up each time you hit one. That's correct, That wasn't what happened. What happened was much more simple, really in a way, because I had nothing to do with using code. It has everything to do with manipulating SISS stems, but from a person perspective, not or or a policy perspective, not from a technological one. Yeah.

And it's it's also clear that although Apple's security procedures are in part to at fault, um, they are not the only ones the hackers targeted to get more information on on Honan and that um, it just so happened that, uh, the information they needed coincided across multiple companies with his accounts, and once they got some information from a couple of places, they were easily able to go in and fiddle with

other stuff. There are really three parties that are I don't want to say at fault you don't blame the victim. There are three party There are three parties that made this possible for the hackers to get the access to to the accounts. One of those is Honan himself. Yeah, and he freely admits that, yes, if you he has written an incredible uh uh article that that documents this

entire process and what he went through. He he blogged about it when it happened, but then he wrote up a much more comprehensive account of it for Wired and uh and it's a very interesting read. I highly recommend you read it, especially if you're concerned with your own potential security computer security. So he was at fault and not at fault. He was. He some of his choices

made this possible. Uh. The Amazon, Amazon dot Com also, its policies made this possible, and Apple's policies made this possible. So those three parties together made it possible for the hackers to achieve this and uh and it's kind of interesting how how they came about it. Yeah, and and some of the irony as we get into this, is that some of the very things that made this possible are in place specifically to make it more difficult for

someone to steal identities. So it actually uh, some of these some of these procedures actually worked in exactly the opposite way in which they weren't intended when they were implemented. So the way this started off was it was fairly clever. So they they first they started the hackers did a little recon work and they wanted to find out, um about how they would get uh the access to the Twitter account. And then they were able to find out

Honan's uh email address because he has a website. They went to the website, they did a who is look up on Honan, which gave them two things, like two things they needed. They needed the email address and they needed his physical address. Yeah. Now, if you register a domain name, you are required to have contact information available. Um, and that information is publicly available now um some well we could talk about that too, but anyway, the the

who is record for the domain had his information in it. Yeah. So once they had that information, the Google account and the just the email address didn't have access to the account yet. Um. They figured out that the Twitter account was linked to the personal website. That's what That's where they found the Gmail address, That's where they found the

physical address. And then they started to look at the account recovery for a Google and without actually sending in a recovery request, they saw that the address, which was only partially obscured per Google's policy, wasn't at me dot com email address. That was the recovery address. Yeah, well

that's an Apple thing, right. So that's where they said, Ah, now we know how to get at him because it's because his Google address, uh will go back if we did a password recovery, because that will go to an Apple address. And because we know how to manipulate the system so that we can get access to his Apple account. It's all over. And the way they got access to the Apple account was kind of interesting. Now, they did not have the password, they did not have the answer

to security questions. So calling up Apple and getting access to this account would require that they have some other information. What Apple requires is that you have to have the building address and the last four digits of the credit card you used to establish that account. So what the hackers did was they said, well, there's a good chance that the same credit card this guy used to establish his iCloud account is the one that he uses for Amazon.

And so instead of calling Apple first, they called Amazon first, and they said that they wanted to add a credit card number to the existing Amazon account. That's right, So they weren't trying to get the credit card number. They wanted to add a credit card number, right, So then they add a credit card number to the Amazon account.

Then they hang up. Then they call Amazon back and they say that they have lost access to their account and that they will provide the name, the billing address, which they already have from the who is look up of the website, and then the credit card number they gave at the at the call they made earlier. So there's now this credit card number that is legit because they provided it. It's not the same one that was

used to establish the account in the first place. So then Amazon says, oh, all right, well we'll send you the password to the account. Here's which email addressed you wanted to go to. So they hackers give their email address or an email address that they have created for

the purposes of this hack. So now Amazon sends the log in information to UH to Amazon dot Com to that account, to the email they log into the Amazon dot Com account, and then they look for the other credit card number, the one that was actually used to establish that account. So this is Honan's actual final four digits,

because those are unmasked in the Amazon dot Com system. Yes, they mask the rest of it, right, Yeah, the rest of the numbers are mass So it's not that the hackers ever had access to the credit card, other than they could have bought a whole bunch of stuff on Amazon and had it sent somewhere. But that's all. That's. Yeah, that's what they could have done if they had wanted to, But they could not actually pull the credit card number

itself other than the last four digits. But those last four digits are what Apple needs for account verification, right, So they take those four digits, they've got the building address, they give a call to Apple, they give that information, and because Honan used the same billing address and the same credit card for both services, Apple said, oh, well then you're clearly this guy. We will send you the

account retrieval information to your email address. So then they now have the way to log into Honan's iCloud account. They do that. That's where they then disable his devices. They wipe them to help slow things down so they can continue to do this stuff. Now they have access to his Apple email, they have access to his Amazon account. That's when they go to the Google password recovery asked for the recovery information so that they can access his

Google account. Well, that goes to his Apple address, which they already have access to. The information comes to the Apple address, they go into the Google account. They immediately delete the password recovery UH email out of his account so that if he has any other devices that would alert him that his password had been changed, that he would not be aware of it. So they they hide that they changed the password, so that now they've locked

him out, they have access to his Google account. They then were able to go and get access to the Twitter account. Um, this is kind of scary, and again it has nothing to do with sitting down encoding stuff. It is hacking. You're hacking a system, but you're doing it more through social engineering and manipulating policies and systems. So if you guys remember we had that discussion and I think it was episode three ninety nine where we

interviewed Brian Brushwood and we talked about social engineering. Now with Brushwood, his approach to social engineering is more about you know, having fun and uh, like, you're in a social situation where you you know, you never have to buy a drink because you're doing these cool things and convincing other people to buy drinks for you, or you know, you're doing something so that you can get the phone number of someone you're interested in. So you're still social

engineering people. But it's not necessarily this as nefarious as as what these hackers were doing. Yeah, and it's not typically what one thinks of when one thinks of identity theft. I mean again, Um, a lot of us would look at the specifically maybe the Amazon portion of this or an online retail portion of this and say, oh, well, they got access to his credit card number, they can buy stuff well you and and in a lot of cases that maybe what a hacker might try to do.

After all, we have talked about uh online systems being hacked for financial information and financial gain, but that's not the point of this. Um, the system that I was speaking of a few minutes ago, when I was saying that ironically, some of these things were turned against him tools that would be used to protect him. Um, if you're not in an Apple customer, you may not be aware there's a there's a uh an I cloud system called find my and there're a couple of them like

to find my iPhone. Yeah. Um, so let's say Uh, you know, we're talking completely behind here. Let's say you have an iPhone and your kids run off with it and stuffed it somewhere in some piece of furniture or dropped it and or you left it in a cab, or you left it in a cab. Well, if you're if you're Natalie Dell Conti, well yeah, um, well, I was going to start with the the easy one. You can make it. You can make your phone make a noise so you know it's in the house, but you

can't figure out where it went. I'd like to have one of these for my keys and maybe the remote. But you know you can you can make it make a noise, or if you've left it in a cab,

you can have it tell you roughly where it is. Uh. This is especially useful if you can't remember if you left it in a cab, or if you at a restaurant whatever, or you know, you were at bar and you had a prototype version of the newest iPhone and it was sitting on the stool next to you when you were sitting there at the bar, but then when you turned around, it was gone, and then it ends up at some tech blog. Yeah, that could happen. Yeah,

there their Twitter feed could be hacked to UM. But yeah, I mean, so you can find out where it is. You can have it make a noise so that if it is in the same location as you are, Uh, you know you can you can track it down. UM if you don't know where it is, Let's say you did leave it in a in a bar somewhere and uh you say, oh, well, you know it's not I don't know where that is, and you could see a location it shows you on the map where where it might be. Oh, it's no longer in my control. It's

somewhere where I don't know where it is. I'm I have sensitive information on there. My my calendars on there, my contacts are on there. Um as as Honan himself said, you know he had um information from many other tech journalists. UM, so he might just let's say he was still in control of his accounts, but no longer in control of the device. He could say, wipe this device. I don't want anything on it anymore, you know, I want to wipe it clean so that nobody else gains information in

my personal stuff. It's only a matter of time before they figure out my my pass code, wipe it clean. You know, you can tell it to do that and will remotely do that. Apple has added that for the Mac to find my Mac. So in that case, let's say he had corporate information. Many companies have have this policy in place. Yes, you can check your corporate email on your personal device, but if you do that, um, we retain the right to wipe the information on the device.

If it should fall into somebody else's hands. Or let's say that you were to uh, you were to to either be fired or you you know, you left or whatever, they might retain that right so that they can protect themselves as a corporate entity. Yeah, so there there are positive reason uh to be able to do this in this case. Once the hackers gained information about his account and we're able to get access to his account and lock him out, um, they also chose to completely wipe

his phone, his iPad, and his Mac laptop. And in doing so, they not only wiped out any you know, corporate information. He's he's a freelance writer, so any articles he might have been working on that we're on his hard drive gone. He also lost a year's worth or more, I guess the photos of personal photos personal stuff that that he had created. And yeah, Liz leads us to the the thing that we have said a billion times on this podcast that is an exaggeration, but back up

your data. Yeah, and he admits he admits he was not regularly backing up his hard drive. This is not to pick on him or anything else. It's something that he wishes in retrospect he had been doing on a regular basis. Because, um, oddly enough, this is where this this is where the story takes an unusual turn. He has been in contact with his hackers and has agreed not to in return, they were telling him how they

did it. Yes, and uh, I think first of all, the first thing we can agree on easily is that Amazon has to change its policy. Well, yeah, because because that's the first step that means that anyone could access anyone else's Amazon accounting. This Well, um, I wasn't going to get there quite yet. I wanted to make the point that this is where it kind of gets a little weird, because they they shared all this information with him. This is how he was able to write such a

comprehensive post on onn Wired about it was. They told him what they were doing, what the point of it was, Um, they admitted, look, you know, we weren't trying to deal your your stuff. We weren't really trying to wipe out your your personal life. We have nothing against you personally. We wanted your Twitter account. Um. The guy that that that he talked to primarily UM was saying, essentially, hey, you know, my partner was the one who wiped out

your computer. And now that you tell me, all your personal files, your your the pictures of your your kid were on here. I'm really sorry. I'm actually really sorry. I didn't mean to to cause you personal harm as a result of this. And and they say, now, I don't know, you know, I don't know whether their motives are are as pure as they say. You know, they say part of it was that they wanted to point out that it really is this easy to hack into

your personal account. They wanted to draw attention to that. Now, I say that all the time. I suspect, based upon the messages that they posted on Twitter, that that's something they they that's covering the tracks. I think they were doing it for the kicks. Yes, exactly. Well, if you're looking at again, if you're reading the Twitter, the Twitter posts that he that were posted under his name, and there were a lot that he left there. He says, I wanted to keep a record of it. He did

delete some because they were overly hurtful offensive. Yes, and he said, you know, these could actually cause people to feel badly about themselves, and I don't want that. I do want there to be a record of what had happened, but not at that, not that, not at the expense of someone else's feelings, um, other than my own obviously. So then he went out and he deleted the ones they felt were particularly offensive, and then the rest he left up. If you read those, I think it's it's

pretty hard to defend yourself with. I'm just showing how the system can be hacked. It's more than that. It's also hey, you know, ha ha, we did it, you know, And and it's so it goes beyond that. And I think it's very telling the hacker he got in touch with, assuming that the what he the information he gave was accurate about himself, about the hacker himself as a young guy nineteen years old, might not quite really get be mature enough to realize, you know, what the consequences are

of those actions. And what how they could affect the target beyond just oh, you know, they're thinking, we have a goal, we want to get hold of this Twitter account. They're not thinking of what consequences are going to be felt by the target beyond just the fact that our Twitter handle has been taken over. And so some of them may just be that they were very narrowly focused on what they wanted to do and they didn't really consider what could happen or how it would feel for

that sort of stuff to happen to a person. Um. So that's that's something there too, and we see that a lot. I mean, there are a lot of hackers out there who because they can do something, they'll do it and they don't realize or they don't care what the consequences of that action are going to be to the people who are also involved in that whatever that situation is. Hey, guys, Jonathan from two thousand nineteen, just interrupting this episode to say, we're going to take a

quick break, but we'll be right back. So maybe maybe now this According to the article, it sounds like this guy is at least a little remorseful, and remorseful yes, that he's feeling some remorse for this, and you know, we don't know if really, like he was at all culpable in the actual deletion. He claims that it was the other guy who did it, but you know, you

never know. So it's interesting to look at that. And you know, if if you kind of put yourself in the shoes of the the hacker, um, you know, especially if you're thinking of somebody who is doing it for for fun, to mess with somebody, and and the person says, hey, look, I'm not going to press charges against you, but I want to know how how you did it. He started thinking, hey,

this guy is working with me. You know, the heat of the moments off, the sense of accomplishment you get from hacking in and gaining access to all this information. You know, after the fact, you've had a chance to cool down, they've had a chance to cool down. You start thinking about it like, well, you know what, this guy is not angry enough with me to to press charges with the cops. You know, we kind of damaged this guy and he's willing to talk to us about

it and share the story online. You know, they kind of got something out of it too. They kind of got a little anonymity anonymous press, so they get to point to themselves and say, hey, look he's talking about us. He doesn't seem like such a bad guy. I guess we kind of you know, burned a lot of stuff of his online that kind of stay ex We were really kind of doing it for the fun of it, and now it's so much fun as a decent guy. Now you know that there's a real person on the

other end of that account. That's the other thing is there's a dehumanizing effects sometimes with the whole you know, you don't really identify the fact that there's a person on the other end of these accounts. Sometimes you don't. It doesn't the concept isn't fully formed. For for a lot of us, we would have gone out and if we had found out who did it, we would have pressed charges. We would have wanted to take them. Now some of us would have re enacted the film taken

but I will find you. But yeah, that that's that's what makes this story more interesting than other hacking stories, I think is that that it's got a humanizing factor to character for both parties. The person who or people who took advantage of of honing and honing himself, and it does point to security issues. Now, these are sitimate for UM. You think about your Amazon account, for example, Let's say you don't have anything else except an email

account and an Amazon account. By and large, you probably wouldn't have a lot of these security issues. The security issues that Amazon would have in place would make it very difficult for them for someone else to get that information from them. But then you start sharing. You start using this UM email address with Amazon and every other company that you do business with online. That makes your email address a a key to getting information from other companies.

And then you start doing business with other pieces. You've got the same credit card number across these different companies, and once you have the last four digits of your social Security number or a credit card number, that makes it possible to use that information as a key across

multiple entities. And all of a sudden, if you do business with a whole bunch of places, they get something like your physical address, your name, your email address, a credit card number, any of that stuff, and they've got the keys to open lots and lots of accounts for for them to get more information. And once they've hacked one, they can get information that will let them into lots and lots of other places. Oh, they have an Amazon account. I wonder if they have a Barnes and Noble account.

We could find out in about ten minutes. Yea. So Honan admits that his password was not the strongest. It was a seven seven digit alpha numeric password, but that it was one he had used for many years. But they haven't. They didn't really use it, right, So that's that's the point of this thing, is that even if he had had the strongest password in the world, it would not have mattered because they circumvented that, right. They didn't.

They weren't attacking through that direction. And this this demonstrates why security is so tough, because you think about the most obvious point of entry, which would be the log in right your user name and your password. That's the most obvious point because that's the way we access our information.

Hackers are looking at a system and saying, what's the best vulnerable spot to go in at And if the front door is heavily locked, you look for a window or a backdoor, You look for something else it's gonna let you get into there, and not even you just bypass the place where you've got all the security and

you go in through a different entrance. So when I said that Amazon really needs to work on its policy, mainly the reason for that is that the only thing you need in order to get that that lug and recovery information was the credit card number that's associated with the account, which they did by adding in one the building address and an email address, and that's it, um uh. And in order to add the credit card number, all you need is the building address and the email address

that is associated with the account. So you know, using some guesswork, thinking that okay, well he's got an Amazon account, he's probably got an Amazon account. He's probably using this address for that Amazon account. We know his address because we looked it up from his website. We can create fabricate a a a credit card using a generator that creates a realistic but not actually activated credit card number and assign that to the Amazon account and then use

that to get the entry point. So obviously Amazon needs to fix that because if all you have is a person's address, and you have a good guess at what email address they use for that Amazon account, then you could do the same thing. And so that's that's a. That's number one. Number two would be the fact that Apple uses the last four digits of the credit card, the building and the building address as a security recovery method.

Clearly that needs to to change in some way. Yeah, I think I think this is a uh they're there are a couple of things. Now, if you read uh, there's an account on Honan's tumbler and if you want to read some truly hurtful comments, I would suggest reading that. Um because some people blame him for owning Apple devices, which is ridiculous. In fact, that the one that that bugged me probably the most was the one that said,

serves him right for owning I crap. And I'm going you know this, this really could have happened with pretty much any manufacturer or it's just I mean, Apple had policies that they were able to leverage. That's not to say that other companies don't have those same policies, and it's just that Apples were well known to them. So that's how they, once they saw the me dot com addresses, said all right, we know how to do this. Yeah.

And the thing is, I would say the vast majority of online retailers or or companies that have that offer services online. UM, I mean they knew how to get into a Google account to um and and a lot of them have the same policies. So if you can get as they did, if you can get one piece, then you can apply it to other pieces and get information from them and put the whole puzzle together that way.

So it's not while while I've seen people singling out Apple and Amazon and um And, they should to some degree be uh considering new stuff, it's not just their fault. The catch twenty two here is once you make an account so locked down that it's extremely hard to get into, it's also hard for you to get into when you do forget your password, when you do forget what credit card you used. Say you've got ten credit cards. UM, let's say you you shredded one of them because you

don't use that card anymore. But that's the one that you set up the account with two years ago. Now you can't get back in. So and so if they lock it down this too hard, then you can't get back in either. So that's why they make a Yeah, that's why they make those those pieces available. Well, can you tell me the last four digits of your social Security number. Oh yeah, I know those. Well they got that from somebody else. So there there's a catch twenty

two here. How how how secure is secure enough and not too secure to lock you out forever? So so there there is that is a challenge. UM. The part of it is to UM when we're talking about the domain name. They were able to get information from his domain name, UH, and you can. There are things you

can do there too. UM. A lot of the services, the places where you can register domain names offer a secure UH service where you pay an additional fee per year or or per however often you you renew your domain name, that will lock it down so that it has a Basically the the registrar is responsible for it. So if you want to contact the owner of the domain name to say make them an offer, Hey, we want so and so dot com. You've got it, Can we offer you ten thousand dollars and buy the domain

name for you? It would go through your registrar and you would get contacted for it. But your information is not the information out there, so there's a proxy between you and them. UM. That would have helped him too, If he had had something like that in place, it would have helped lock it down Google um the uh it's it's kind of interesting because what Google showed them was uh M, star star star star star star n at, you know, the Gmail name. They were pretty right in

guessing that it was his first initial last name. He had that address at at several places. He points that out, and that was that was easy. Could Google fix that and make it more or obscure so that it wouldn't be so easy to guess? Maybe? Could he have picked a more difficult name to use as his backup email address? Probably? But these are there are lots of little stuff that everyone involved could have done to make it more difficult. And there's Google also has a a two step verification process.

That's exactly what I was going to mention next to two part authentication is um is a useful approach it also and I've used it, Yeah, I've used it. It's so two part of authentication is kind of what it sounds like. You need. You need to have two different things in order to be able to access the account. And a typical approach is that you register a phone number with whatever the services of like a cell phone.

You register that cell phone with whatever the services and then when you try to access it, you have to be able to provide not only the password, but then an authentication code is sent to your device that you have registered and you have to insert whatever that that number is, and then then you can and then and only then you can actually access whatever the account is.

And that helps a lot because as long as that device remains in your possession and no one has been able to intercept it in any way, you should be fairly safe. So even if they try to reset the password, they can't get access to it because they're trying through a different device that has not been registered. Uh, And

then you get that that message. And we've seen very variations of this as well, not just too part authentication, but also registering devices with services like UM Lots of them do that so that you can look at the different sessions that are logged in through a particular service and then if you if you see that there's one there that you don't recognize, someone might have access to

your account. So, for example, Facebook does this where if you try and access your UM Facebook account through different devices, it may tell you, hey, I don't recognize this device. This isn't something that you've used to access this account before um, and it'll send an email to you and let you know if you are that that, hey, someone's accessing this. Is this you? Because if it's you, it's cool. But if it's not you, then you need to look

into this. Johnathan, I'm two thousand nineteen. Again. Uh, well, you know, we still have some more information to give you about this particular story, but before we can dive into that, we need to take one more break. Now. Again, this is this is a good tool for people who feel like they may have been hacked. However, let's say that the person who is trying to access your Facebook account, um, you know where they're trying to hack into your Facebook

account also has control of your email address. Then when they say that, hey, is this you, and they send that to your email address, well they've got that email address, yes, yes, if it's gotten to that point. It's this particular approach doesn't really help you. But other things that that you can do, because there's some things that you can't have any control over. It's it's the pole, it's the companies

you work with. Well, one, you can choose which companies you you associate yourself with, but beyond that, you know you have to hope that they put in the right stuff in place to protect you. What you can do one, continue to use strong passwords and don't don't use the same ones across multiple platforms because it just makes it way easier if one if one account does get compromised, it makes it way easier for all the others to

get compromised. It's the domino effect. Yeah, so you we wanna you want to start picking some pretty tough passwords and and vary them across and change the UM you know fairly regularly because the longer they stay, the more likely you're going to UM encounter a problem. Use some sort of password manager so that you can keep track of them all, because I know it is you know, the flip side of a strong password is it's really

hard to remember. So if you're if you've got lots and lots of online accounts, then it's going to be really challenging to keep all those straight. So some sort

of password manager is important. UM Also, think about what you share before you share it online, because some of the details you share may also serve as answers to various security questions, or they may give off other information that companies use to verify identity, So be careful about that, you know, don't don't be too free with personal information if that means that information could be used to circumvent

security systems. One suggestion I've always heard is that when you create answers to security questions you create, you're essentially creating another password. You don't you don't answer the question. You and you put something else in there, and you put something something unrelated but something you will easily remember, all right, So something that doesn't have to be a strong password. In other words, it just needs to be a keyword that doesn't have anything to do with a question,

but it's a keyword you are guaranteed to remember. So so for example, if you, uh, maybe I've seen something that ask for the name of your friend, model of your first car, you could say something like grapefruit, yeah, which, well, I know, if I'm asked about my car, I'm going to say grapefruit. Right. Somebody might go, oh, it's a Chevy.

They might have looked on your Facebook page and you might have had a thing like this, says man, I have such great memories of my of my first car, and then you have a picture of it on there. But that's all they would need to be able to answer that question if you use the right answer, the right or the corresponding answer. So if you've done, say a thing on genealogy, and you've uh, you know, talked about your parents and say, well, you know my mother who was so and so, and it's like, what's your

mother's maiden name? Oh? Well, I know it was Steven's because I saw it on the on their Facebook account. Well that's pretty easy to track down. Um. And and speaking of Facebook, uh, it occurs to me that a lot of sites these days are using Facebook connect or Google or Yahoo, and you can say, hey, would you like to sign in with your blank account? Some of them exclusively do that where you cannot access it unless

you happen to have one of those are their accounts? Yes, Like I believe Pinterest you had to log in through Facebook when it was when it first started. I don't know if that's still the case. And Spotify, Uh, Spotify, you know had had switched to requiring Facebook. Um. Okay, So if they gain access to your Facebook account, all of a sudden, they've got access to every their account that you've used that log in with when they offer you an opportunity to create a separate log in. Maybe

you should take that opportunity. Yeah, it's a pain. It is a pain. And the whole point about the whole Facebook connect is that it makes it much more convenient. You know, you you know, Facebook loves it because it becomes the platform for the Internet, and people love it because it means that it's one less thing they have

to worry about when they want to log in. But it does mean that there is this point of vulnerability that is incredibly attractive to someone who wants to get access to your stuff, because it's going if they get access to one thing, they get access to a dozen more. And it doesn't I say Facebook, but like Chris was saying, it's not just Facebook. Google is the same way. There are lots of different services that if you have a

Google account you could potentially access. UM. Another another suggestion I've seen is that there are a lot of services out there that some of us will sign up for

and then stop using and then forget about um. It might not be a bad idea to if you never use those services, it might not be a bad idea to go back and check and delete those accounts because those are other points of vulnerability, especially if it's going to you know, if you do tend to use the same group of passwords over and over and hackers get access to something, particularly if it's something that isn't terribly popular anymore, and maybe as a result, the security measures

aren't as up to date as they could be. It's a possibility you might want to get rid of that stuff. So you know that my Space account that you haven't checked in four years, maybe it's time to just go ahead and close that out, you know that kind of stuff. Yeah, uh, and we've already mentioned back up your data. It's also very important. So yeah, so basic basic tips that you can follow to try and protect yourself and keeping in mind that you know, a lot this also depends upon

the other parties involved. Yeah, and so looking back at at at Matt hone and did he do something wrong or you know, deserving of being you know, you know, really he could have been any of us. And even though he's a known tech journalist, he you know, sort of succumbed to being human. You know, he had the same password, he didn't change it for a long time. He's probably told he didn't back up and I'm sure he's probably told people to do that a thousand times,

just like we have. You know, we're all guilty of doing these little things because their pains in the neck. We don't want to do it, we don't have time to do it. I mean, he's got kids times of premium for him, just like it is for so many of us. Um, you know, is it is it Apple's fault in particular? Is it Amazon's fault in particular? The only people who are are really at fault of the hackers. Yeah, it's it's it's the combination of all of these things

together that made it possible. It's the hackers that are really at fault. Yeah. And the thing is, yeah, we're all busy and none of us really wants to make up a new, you know, twenty four digit password for each thing and worry about them. No, none of us really wants to mess with that. But the truth of the matter is that all these systems worked together to make this possible, and it's true for all of us. I mean, these these vulnerabilities are vulnerable for all of us.

It's I know that Amazon and Apple both have thought about this. It's still kind of fresh. Um as the recording. Yeah, as they're recording this podcast. So you know, neither of them, I don't think, have made some public proclamation about how they're going to fix this going forward quote unquote fix it again. How what do you do? It's not obvious to do this, so I think the two part authentication

is probably one of the the more obvious approaches. And uh, well we might see some other elements thrown in there too. And and however, I have seen people say yeah, and I turned this on and it was the point I was making earlier. It made it so difficult that it took me two weeks to figure out how to get back into my account, and it was a real pain in the neck. I got in, but it took me a while because I kind of, uh laid myself a trap.

So it's it's one of those things where I think you kind of have to work into it and think about this stuff when you set it up, and go back and look at your accounts and see how it's laid out to fix this for yourself. Yeah, this is this is why it's really important for companies to uh to hire white hat hackers who I mean, all they do is look at systems and try and find ways to to breach systems so that those systems can be

improved over time. And it's important to get a third party to do it because when you design a system again, you may be thinking of the obvious points of entry, which is where you've really really put in great security, right like you know, like there's no way anyone's gonna get through this, at least not in the next five years. We require people to use non alpha numeric characters. Well, that's great if they're going to use the password in

case the door. Yeah. So again, that's why you want to have a third party, because they're not thinking the way you think. They're thinking how do I get into this system? Not not how strong do I make this door? And that wraps up another classic episode. Hope you guys enjoyed this walk down memory lane and the reminder that

things can get pretty dicey out there. Uh though, sometimes you can find out that the people who attacked you aren't really terrible people, but sometimes do questionable things for weird motivations. I don't know how much comfort we can take in that, but I guess it's something anyway. If you guys have any suggestions for future episodes of tech Stuff. Feel free to reach out and let me know the email addresses tech Stuff at how stuff works dot com, or pop on over to our website that's tech stuff

podcast dot com. You will f links to our presence on social media. Over there, you also find links to all of the archived episodes of tech Stuff, all of the episodes that have ever published, obviously not including the legendary lost episodes of tech Stuff. And you also find a link to our online store, where every purchase you make goes to help the show. We greatly appreciate it, and I will talk to you again really soon. Y. Tech Stuff is a production of I Heart Radio's How

Stuff Works. For more podcasts from my heart Radio, visit the i heart Radio app, Apple Podcasts, or wherever you listen to your favorite shows.