Saturday, September 1

your paranoia is justified

So Elizabeth’s Gmail account got cracked sometime last week, which of course in this era of deeply intermeshed and profoundly vulnerable authentication regimes pretty much means that our shared financial life just took on the security profile of a comatose hedgehog on its back.

So far the little bastards have only spent about a hundred bucks of our reserves, primarily on RuneScape subscriptions.[1] We’ve taken the usual steps, redundantly reported fraud to enough of the appropriate parties to hope that someone, somewhere in the chain, will refund the missing dollars, and things are probably contained. Maybe.

Outcomes will depend heavily on how Google responds to our desperate plea for help. Their security policy appears to work as follows in the case of a compromised account:

  1. Can’t log in? We’ll e-mail you a change password link!
  2. Gosh, someone has changed the secondary e-mail associated with your Gmail account? Well, just wait 5 days without attempting a login and answer your security questions!
  3. Someone is actively using your account and/or has changed your security questions anyway? Gosh, you’re completely fucked!

There’s a “my account has been compromised holy shit please help” form, but until early this morning it was mysteriously returning a 404. I filled it out. We’ll see what happens. If no real response arrives, you can be assured that I will make as much noise as humanly possible about the insane catch-22 built into Gmail security (“a question for Google: what’s the fundamental difference between indifferent and evil?” strikes me as a catchy social-bookmarking sort of headline), but of course it won’t make a goddamned bit of difference.

ANYWAY, the truth is that this is all my fault and I know it. I forgot a fundamental technological rule: paranoia is always justified, and your complacence will destroy you.

Systems fail. Catastrophically. All of them, in proportion to the trust you place in them and the magnitude of your need for their basic functions. Often enough to matter, there are malicious parties interested in their failure. Script-kiddies breed like flies. The government where you live is careening ever-closer to a totalitarianism overhauled by the fundamental realization that mundane and implicit evil mixed well with broadcast commercial soul-rot has a half-life that makes Stalin and Hitler look like complete chumps.[2] What matters more for your immediate concerns, entropy is out to get you and entropy is going to win. Learn this and live by it. Back up your hard drive every day. Encrypt the living shit out of everything. Never send anything in plaintext. Change your passwords. Don’t give the Verizon/Qwest/Comcast rep on the phone your goddamned Social Security Number. Laugh at the Best Buy peon asking for your home phone, date of birth, and mother’s maiden name. Compartmentalize every important form of access to the things you care about. Use version control for everything that matters. Have redundant copies. Stop using public terminals and sketchy unsecured wireless. I am watching you download mediocre internet porn. Just fucking stop it. Bring your bike inside from the front porch, because I promise you some kid with a hacksaw can take care of that cute little lock in about 30 seconds flat.

1. At least no one is doing anything that will ever get them laid on my remarkably limited dime.

2. Fuck you, Mike Godwin.

p1k3 / 2007 / 9 / 1