So, these are sportive and fun fun fun times.
I’ve been meaning to do a PSA for a while, and today is as good as any: I keep getting emails from you guys, some of whom have been commenting here for years and using your real life name, or handles that people at work know you have: the emails ask me to delete their comments on my blog as someone at work is gunning for their job/trying to cancel them/whatever.
So this is a PSA: If you’re using your real name, evaluate your situation and the chances of someone finding you and using whatever you’ve said here, or simply the fact you comment on this blog to destroy your life. And if you’re at risk, you know where to email and just tell me what your new handle will be, so I can approve it.
And yes, I know you should be speaking out more. And I think so. But if you aren’t prepared to pay with your career — and I’m not your mother, or the boss of you and TRUST me I know what paying with your career means — you might not wish to be that exposed. I am only because it was a tight balance between losing my soul/mind and losing my career. Turns out I cared less for the career.
Do I have regrets? Oh, every other day, and mostly in the middle of the night. However, I didn’t feel I have a choice. You make your choices, but be aware the risk is there. Of interest a lot of these requests this month came from people working for engineering/tech firms, where you’d think the rot is not that deep.
The other and more… recent reason for you guys to be careful is that last night I got pulled into a rather insane cyber attack.
It started as I was sitting here, about to go to bed, and mind you, later than I usually go to bed, when we got a ping on our phones saying that I’d changed my phone chip to another phone.
We were sitting here, and anyway all the stores were closed.
Dan went to the office to see if it was just an error and AS I SIT HERE someone takes over my hotmail account. Since it didn’t log me out immediately (it doesn’t for a couple of hours) I could see what they were doing but not send messages/use it.
It only sent out four messages, all highly targeted to people they thought were somehow influential in my career. (They were wrong in two cases, but you know….) The messages were a puerile string of all caps swear words and racial slurs, of course.
As I watched, other things where I’d put my phone as two step authentication and used hotmail for the log in started falling.
And here I want to point out something very important: I have no active financial accounts in that email. I have two that I started to set up, failed, and aren’t useable, but no active financial/money/money data accounts. Because hotmail is my public email I don’t associate anything that can really hurt me with it.
But they got my dropbox — which I mostly use to store covers I’ve made and other such art — a chat account with friends (and that was fun, sending out an email from secondary account going “for the love of heaven, kick me out of chat.) My proton mail, which means they got nothing, because it shredded all previous data, as it does when you change password from the outside which is good to know. They also found a couple of weird accounts (like stock photos) I hadn’t used in YEARS.
But again nothing relating to my financial/shopping life is through that account, not one thing.
Still it was a pain in the ass, including breaking back into hotmail, who — knowing you’re trying to wrestle it because it was highjacked — still expects you to put in the hacker’s password and copy the last few emails the asshole sent.
Targeted or random?
I don’t know. Peter Grant’s lady makes a good case for “it’s random.”
Against it, I have nothing more than gut feeling. For instance, it sent out four emails BEFORE going on to capture other accounts. Those emails were NOT random. Two of the emails he answered had come in MONTHS ago, so it wasn’t the first two in the stack. Hell, they weren’t in the most recent 100. What they had in common is that they ALL sounded like they were about work. (Hint, two weren’t.) And I have trouble believing a random hacker taking the time to send those four emails BEFORE seeing if he could get cash/other info out of this.
The only other thing against it is that my phone was hacked FIRST and the hotmail after, using the phone. But the only place phone and email are coupled are in the diner — where I gave it to some people who asked — or I’ve sent people my phone # in email. So it would seem like it’s someone to whom I’ve given my phone number, or someone who knows them. Here I’ll note that my fans are not trustworthy that way, as I’ve been known to get mail at my not-public address with a note that “So and so gave me your address. He knew you wouldn’t mind.”
Now, this wasn’t your average hack. Changing a sim chip is not something you can do without the physical sim chip.
T-mobile says that it was done by an employee in one of their stores, but won’t tell us either the name of the employee or the location of the store. (And therefore no assurance it will not happen again.) They say they’re “Opening a fraud case.” Look at my hopeful face! Right?
Also hotmail is retarded. No. Seriously. Hotmail has mental acuity issues. Their process practically ensures that if someone breaks into your account, you can’t get it back.
Anyway, some measures will be taken today, including possibly a new even more super secret email. I’m not sure about changing phone services, because all others are fucked and one needs to be boycotted.
If you have emailed me recently and get a mail that seems off — well, they no longer have control of the account, but they might have gotten your address and be spoofing my email — contact me by other means to make sure it’s me. (Though if it’s a string of slurs, it’s not me.) And don’t give “me” any financial data or anything like that.
If you are deep under cover and emailed me, I wouldn’t worry too much. They only had control for 20 minutes, and other than sending those emails, they didn’t spend much time doing things. Mostly they seem to have spent it breaking into more and more accounts, most of them mothballed for almost a decade and not tied to anything that they could even remotely use.
Yes, if it was targeted there is a REMOTE off chance they downloaded the data and have enough to identify some of you. But again, gut feeling, they were too busy finding ways to “punish” me to think of that. That would have come today, if I hadn’t caught them and fixed it in time.
Here’s the thing: I’ve always kept things off my phone, including my social media, because I’m absent minded and if I lost the phone….
But I didn’t LOSE the phone. It was an employee of the company providing the system. The company with whom I’m DEFINITELY not happy just now.
None of this makes me happy right now. The fact that we stayed awake till 3am dealing with the fall out and making sure everything was secure and woke up at 6:30 because someone was trying to hack into Dan’s account is not happy making. (They failed. In fact, they might have sent a warning, rather than break in, but you know….)
It might be impossible to be absolutely safe, even with all precautions, or at least all precautions my non-techy self CAN take.
HOWEVER measure are being taken to make me more secure. And you also should do likewise.
Remember we’re fighting a wounded feral pig. It will do anything to take us down with him.
Be careful out there.