Your leaking thatched hut during the restoration of a pre-Enlightenment state.

 

Hello, my name is Judas Gutenberg and this is my blaag (pronounced as you would the vomit noise "hyroop-bleuach").




putting the toothpaste back in the tube
Wednesday, September 29 2010
I was awakened this morning by the ringing of the telephone. It was David of Penny and David calling me in hopes that I would ride in and save the day. The crisis was technological, and I was on the shortlist for helping fix it because, well, I guess because I volunteered to help port his website from Cold Fusion to PHP when there was nobody else on the planet who would do it for the low pay available (in conclusion of this passive-aggressive rant, it's all in keeping with the unpleasant vortex of doing professional work for friends).
David's Gmail account had been taken over by somebody who was now sending scam emails to people telling them that he, "David," was in London and had just been robbed at knife point, that he'd had all his money and identity papers taken, and could money be wired to him via Western Union? It's a classic internet identity scam that often happens when scammers seize control of a Facebook account. Still, people were falling for it enough to call David and ask if he was alright. (If one tends to fall for urgent pleas delivered in impersonal language from friends, it's always good to confirm the situation via an alternative communication technology.) By the time David reached me, it was actually Penny who was doing the calling (as David was on the phone with the FBI, though of course there was nothing they could do). My job, should I be willing to accept it, was to get the customer mass mailer for David's site working. That was a part of the port from Cold Fusion that I'd never gotten to, and it seemed the old Cold Fusion mass mailer was broken. Most of the people being targeted by the scammer were David's customers on the site I'd helped to port. He wanted to send a mass mailing telling them not to respond.
So in the course of the next twenty minutes or so, I built a brand new tool allowing for the spamming of the customer database with an arbitrary message. But for some reason Godaddy's outgoing mailer was being really fussy about what to send, so I had to implement a complicated system that sent out only a few emails at a time and resent to those whose mails Godaddy had refused to send. When you think about the skills and creativity I have to have to be able to route around other people's damage, incompetence, and laziness, the amount of money I make is infuriatingly small. I've decided to double my rate, which (fortunately for people who get my work for free) is still zero.
David's crisis played out gradually over the rest of the day. My new spamming program slowly sent out emails, the volume of people semi-gullibly calling David to ask if he was alright fell to a trickle, and things returned to normal. David tried to wrest control of his Gmail account back, but of course all the methods in place to allow for that had been cut off by the scammer. The password had been changed, the secret questions and answers had been changed, and even the backup email was different. When David tried to reach a real human being at Google, of course, he woke up to the red-pilled Matrixesque reality of what a modern internet company actually is: millions of lines of code (or, if you prefer, a collection of impersonal robots). If he were able to get through to a human at Google, it wouldn't be someone with enough of a relationship with David to know whether the account he was trying to reclaim was actually his, or was (say) the honestly-acquired account of someone who was simply doing or saying something he didn't like.
At first I'd suspected that the reason David's Gmail account had been taken over was that he'd used some easily-guessable password. This is a common problem among people who aren't familiar with computers, don't know basic probability theory, and cannot fathom what is and what is not within the realm of computational possibility. Such people have never heard of dictionary attacks and don't really even know why passwords work at all. They also think it makes sense to play the lottery, though the reason good passwords work is the same reason it's very hard to win the PowerBall jackpot. But no, it turned out that David's password was complicated and would have been impossible to guess. Which led me to consider another possibility for how a scammer took over his Gmail account.
You may not know this, but website administrators often have access to plaintext passwords of everyone in the databases they control. For example, I have access to the plaintext versions of passwords of semi-famous people whose names you might know. These people do not know this, and these people probably also use these same passwords at multiple sites all over the internet. I've seen these passwords, and they are shockingly poor. About 40% of the time the password and username are identical (though usually websites prevent the use of such shoddy credentials). The problem is that if you use the same credentials over and over at lots of different sites, it only takes a hacker gaining access to one database to compromise accounts at sites all over the web, both secure and insecure. Such a hacker doesn't even have to be all that skilled if the site being broken into (say, that of a small-town newspaper) was created by somebody's teenage nephew with minimal site security experience. I suspect that this is what happened to poor David. He's a journalist, so he has accounts at various newspapers and magazines all around the web. All that had to happen was a hacker gaining access to one of those sites (or a disgruntled site administrator deciding to turn to the dark side), and then his credentials could fall into the wrong hands. If his username was simply his Gmail address, then it would be a simple thing to try out the associated password there. That's undoubtedly what happened. The moral here is as follows: if you have email accounts or bank accounts with sensitive information, use a special set of credentials for those. For all the craptastic messageboards and other things on the web, use a more disposable set of credentials (though feel free to use them over and over for all such sites). As for Facebook, it lies in the middle of the continuum between sensitive and disposable. On the one hand, it connects to all your friends, whom you don't want to piss off and to whom you don't want to give a scammer access. On the other hand, you shouldn't be doing anything too sensitive with a Facebook account, especially given that the site itself isn't all that secure (and is completely open to the prying eyes of the government). So you should perhaps use a third kind of credential for Facebook (at least for your primary identity, if, like me, you delight in deploying multiple avatars).
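The flip side of the point above is what a site should do so that its administrator (or anyone who copies its database) never sees the plaintext at all. The following is an added example, not code from this blog or from David's site: a small in-memory user store that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, and whose registration check refuses the username-as-password pattern mentioned above. The store layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2 work factor; a real site would tune this to its hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the plaintext itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(users: dict, username: str, password: str) -> bool:
    """Add a user to the constructed store (username -> (salt, iterations, digest)).

    Refuses duplicate usernames and the username-as-password pattern, so that a
    database copy reveals neither the password nor a trivially guessable one."""
    if username in users or password.strip().lower() == username.strip().lower():
        return False
    salt = os.urandom(16)  # fresh per-user salt: the same password hashes differently at each site
    users[username] = (salt, ITERATIONS, hash_password(password, salt))
    return True


def verify(users: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored digest in constant time."""
    record = users.get(username)
    if record is None:
        # Run the KDF anyway so an unknown username is not faster to probe than a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, iterations, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt, iterations))


def record_exposes_plaintext(users: dict, username: str, password: str) -> bool:
    """True only if the raw password bytes appear in what the database actually stores."""
    salt, _, stored = users[username]
    return password.encode("utf-8") in salt + stored
```

An administrator reading this store sees 48 random-looking bytes per user, and the same password registered at two such sites produces two unrelated records, which is what removes the one-breach-unlocks-everything problem the paragraph describes.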

Today was a sunny day, but clouds and rain were expected to be returning soon. It was my job to pick up the CSA vegetables, and while I was out I got a gallon of gasoline in my little red plastic gas container so I could test the Subaru's fuel filler pipe.
Back at the house, I sealed up all the ends of the fuel filler pipe, added about a cup of gasoline, and let it sit in an orientation approximating the way the pipe sits when it is attached to the car. I'd go back to it every now and then and look for leaks (which could be identified by smell as well as visually and by touch). Happily, there didn't appear to be any. (I might have used water for this test, but I didn't want to risk further corrosion or water contamination during future use.)
Later I took advantage of another tank of solar-heated water by taking a bath late this afternoon.


For linking purposes this article's URL is:
http://asecular.com/blog.php?100929
