Be Careful out There

So, these are sportive and fun fun fun times.

I’ve been meaning to do a PSA for a while, and today is as good as any. I keep getting emails from you guys, some of whom have been commenting here for years using their real-life name, or handles that people at work know they have. The emails ask me to delete their comments on my blog because someone at work is gunning for their job/trying to cancel them/whatever.

So this is a PSA: If you’re using your real name, evaluate your situation and the chances of someone finding you and using whatever you’ve said here, or simply the fact you comment on this blog to destroy your life. And if you’re at risk, you know where to email and just tell me what your new handle will be, so I can approve it.

And yes, I know you should be speaking out more. And I think so. But if you aren’t prepared to pay with your career — and I’m not your mother, or the boss of you and TRUST me I know what paying with your career means — you might not wish to be that exposed. I am only because it was a tight balance between losing my soul/mind and losing my career. Turns out I cared less for the career.

Do I have regrets? Oh, every other day, and mostly in the middle of the night. However, I didn’t feel I had a choice. You make your choices, but be aware the risk is there. Of interest, a lot of these requests this month came from people working for engineering/tech firms, where you’d think the rot is not that deep.

The other and more… recent reason for you guys to be careful is that last night I got pulled into a rather insane cyber attack.

It started as I was sitting here, about to go to bed, and mind you, later than I usually go to bed, when we got a ping on our phones saying that I’d changed my phone chip to another phone.

We were sitting here, and anyway all the stores were closed.

Dan went to the office to see if it was just an error, and AS I SIT HERE someone takes over my hotmail account. Since it didn’t log me out immediately (it doesn’t for a couple of hours) I could see what they were doing but not send messages/use it.

It only sent out four messages, all highly targeted to people they thought were somehow influential in my career. (They were wrong in two cases, but you know….) The messages were a puerile string of all caps swear words and racial slurs, of course.

As I watched, other things where I’d set my phone as two-step authentication and used hotmail for the login started falling.

And here I want to point out something very important: I have no active financial accounts in that email. I have two that I started to set up, failed, and aren’t useable, but no active financial/money/money data accounts. Because hotmail is my public email I don’t associate anything that can really hurt me with it.

But they got my dropbox — which I mostly use to store covers I’ve made and other such art — and a chat account with friends (and that was fun, sending out an email from a secondary account going “for the love of heaven, kick me out of chat.”) They also got my Proton Mail, which means they got nothing, because it shredded all previous data, as it does when you change the password from the outside, which is good to know. They also found a couple of weird accounts (like stock photos) I hadn’t used in YEARS.

But again nothing relating to my financial/shopping life is through that account, not one thing.

Still, it was a pain in the ass, including breaking back into hotmail, which — knowing you’re trying to wrestle it back because it was hijacked — still expects you to put in the hacker’s password and copy the last few emails the asshole sent.

Targeted or random?

I don’t know. Peter Grant’s lady makes a good case for “it’s random.”

Against it, I have nothing more than gut feeling. For instance, it sent out four emails BEFORE going on to capture other accounts. Those emails were NOT random. Two of the emails he answered had come in MONTHS ago, so it wasn’t the first two in the stack. Hell, they weren’t in the most recent 100. What they had in common is that they ALL sounded like they were about work. (Hint, two weren’t.) And I have trouble believing a random hacker would take the time to send those four emails BEFORE seeing if he could get cash/other info out of this.

The only other thing against it is that my phone was hacked FIRST and the hotmail after, using the phone. But the only places phone and email are coupled are in the diner — where I gave it to some people who asked — or where I’ve sent people my phone # in email. So it would seem like it’s someone to whom I’ve given my phone number, or someone who knows them. Here I’ll note that my fans are not trustworthy that way, as I’ve been known to get mail at my not-public address with a note that “So and so gave me your address. He knew you wouldn’t mind.”

Now, this wasn’t your average hack. Changing a sim chip is not something you can do without the physical sim chip.

T-mobile says that it was done by an employee in one of their stores, but won’t tell us either the name of the employee or the location of the store. (And therefore no assurance it will not happen again.) They say they’re “Opening a fraud case.” Look at my hopeful face! Right?

Also hotmail is retarded. No. Seriously. Hotmail has mental acuity issues. Their process practically ensures that if someone breaks into your account, you can’t get it back.

Anyway, some measures will be taken today, including possibly a new even more super secret email. I’m not sure about changing phone services, because all others are fucked and one needs to be boycotted.

If you have emailed me recently and get a mail that seems off — well, they no longer have control of the account, but they might have gotten your address and be spoofing my email — contact me by other means to make sure it’s me. (Though if it’s a string of slurs, it’s not me.) And don’t give “me” any financial data or anything like that.

If you are deep under cover and emailed me, I wouldn’t worry too much. They only had control for 20 minutes, and other than sending those emails, they didn’t spend much time doing things. Mostly they seem to have spent it breaking into more and more accounts, most of them mothballed for almost a decade and not tied to anything that they could even remotely use.

Yes, if it was targeted there is a REMOTE off chance they downloaded the data and have enough to identify some of you. But again, gut feeling, they were too busy finding ways to “punish” me to think of that. That would have come today, if I hadn’t caught them and fixed it in time.

Here’s the thing: I’ve always kept things off my phone, including my social media, because I’m absent minded and if I lost the phone….

But I didn’t LOSE the phone. It was an employee of the company providing the system. The company with whom I’m DEFINITELY not happy just now.

None of this makes me happy right now. The fact that we stayed awake till 3am dealing with the fallout and making sure everything was secure, and woke up at 6:30 because someone was trying to hack into Dan’s account, is not happy making. (They failed. In fact, they might have sent a warning, rather than break in, but you know….)

It might be impossible to be absolutely safe, even with all precautions, or at least all precautions my non-techy self CAN take.

HOWEVER, measures are being taken to make me more secure. And you should do likewise.

Remember we’re fighting a wounded feral pig. It will do anything to take us down with him.

Be careful out there.

237 thoughts on “Be Careful out There”

  1. This is why you NEVER SIGN UP FOR TWO STEP AUTHENTICATION!!!!
    Seriously folks, I wrote it in caps for a reason. Two Step authentication does NOT protect you. It makes it EASIER for your account to be hacked. Because all they need is your phone and they now have everything. And as making a copy of your SIM card doesn’t even require them to touch your phone, they can hijack your entire life, quite easily.
    It’s like the ‘three questions’ they want you to create answers to.
    The ENTIRE PURPOSE of those questions is to make it EASIER to HACK your account.

    I’m a security expert. Know more about it than anyone working for the government, I can guaran friggin T you that.

    If you MUST use the three questions: NONSENSE answers only that make no sense (and write ’em down).

    And again, never use 2-step. If they force you to do it, find another company and move your business.

      1. I avoid text where I can.

        OTP, I’ll use, and have and still lean heavily on authenticator apps for that, with printed recovery keys stashed away offline where (often) provided

      2. Most of the two factor phone authentication I’m familiar with (I put the bank on my phone when we travel) is a program authenticator.

        Because phone numbers can be spoofed.

          1. Small. Children.

            Dongles aren’t an option. My thermometer gets stolen at least once a month and it’s way better……

            1. I have a dongle; it’s got a little hole designed to fit on a key ring. If your children steal your keys then they can steal your dongle, but the idea is that you treat it exactly like a key: put it on your key ring, and insert it into the appropriate slot when you need to get access to something locked with it. The only difference is that the slot is a USB slot on a computer, rather than a key slot in a physical door.

              1. I already had to split my keys because they’re heavy enough that the techs were warning me about damage from hanging off the car’s ignition slot.

                That said, the dongles I’ve been offered generate number codes, rather than being a physical key.

          1. It doesn’t have to be your phone. TOTP is built into some PC apps these days, usually encrypted password managers of one form or another.

          2. Umm, a what number, TFA, two factor authentication? How, if you generate the number, how does the other party know the correct number (because they’re using the same list / method)?

    1. Any good write-ups you can direct us to?

      Is there a way to roll back two-factor authentication?

      1. Any site that allows it as an option should also allow you to turn it off. You just need to research how. Failing that, a dongle that generates a new code every minute is much more secure than a phone.

      2. Call them and tell them you want to be taken off of it. If they refuse, close your account and do business with someone else. That’s what I do.

      3. On my gmail, at least, it was as simple as going into my account settings and deleting the phone number. (Did that on both of them.)

        1. I had a Gmail account; due to battling ISPs, it was the only way to send messages to a particular person. He already had one, so I signed up too.

          Maybe three years ago Google locked me out of the account, and will not let me back in until I give them a cellular number for “two-factor authentication.” So, no way to change any settings…

          I still think the main purpose of “two-factor authentication” is to collect phone numbers to “enrich” the demographic data they collect and sell.

          1. Upon checking, I was also able to turn off the data collection and personalized ads. Now, do I for one minute believe that will stop them from collecting my data without my permission? Alas, no. But at least I DID turn off my actual permission (in fact, I didn’t even know those were there. No, thank you, I do NOT want you tracking what I watch on YouTube. Or search for. But they’ll track it anyway…now they just won’t tell me about it. Ugh.)

            1. And that’s why I have as little to do with Google as practical. I use a different search engine (*not* DDG), maps use Bing or odd sources, and have no accounts with antisocial media other than MeWe and a Gab, and AFAIK, have posted once on MeWe and only lurk on the other.

              I figure then that Google only has 95% of my net history then. (Only partially joking…)

              1. Google “partners” with lots of ISPs; they probably have at least your DNS lookups and what URLs you visited. And, unless you have them blocked in your hosts file or a browser extension, any time you hit a site with a cookie from doubleclick, urchin, oingo, 1e100, admob, googleanalytics, googletagmanagar, gstaticads, invitemedia, 2mdn, or any of the many web services hosted on the goog that are commonly used by webmasters, you’re still feeding the googmonster.

                1. So the 95% is too low. Sigh. It’s frustrating that so much is concentrated in a few companies. Hell, it’s frustrating that I have to trust Microsoft to be slightly less evil than Google.

                  Have to look at the cookie blocker.

          2. My problem is my phone is tied to my gmail account because Android phone, phone is also tied to the carrier email. One thing I have tied to my device emails (3 different platforms so different emails) is notification if a new device is added. The MS email passes through to the gmail email, ditto on the other one. Gmail sends a text. I can kill it within seconds. Financial data. Not one of our accounts uses emails for login. Recovery requires access to one of the emails for a link.

            Looks like I’m going with the random code authentication, sigh. Dang it.

    2. I’m a security expert. Know more about it than anyone working for the government, I can guaran friggin T you that.

      There are low bars, and there are “better than the government” low bars. We measure the latter using Planck units.

      1. Kinda like thinking MILSPEC is really cool and tough; and maybe it is, but maybe you should read the specification first.

        And I’m kinda feeling disappointed in my own shrewdness in using two-factor authentication; I thought I was being clever / paranoid enough.

        1. It depends on the factor. OTP, for example, relies on a device generating a matching number that you then enter. This can only be spoofed if you can provide the same number to your app that you were given when you first set it up. This isn’t likely to happen.

          However, “texting to confirm” two-factor is dangerous, because the number texted to can be spoofed.

    3. I do not use multi-factor authentication (MFA) unless it’s required. I do create long passwords which I do not reuse (except for work sites tied to — ack! spit! — Active Directory). I use a password manager to keep track of them and back up the data regularly.

      1. I’ll grab a book and take random letters for that part of a password.

        HP used time-sensitive widgets for employees in the dialup days (mid 1990s), with IIRC, a dialback arrangement, but those were sufficiently annoying that they got dropped. (Not sure how the clocks would stay in sync for long times–I think it was before GPS time modules were a thing.)

        OTOH remote security sucked for our systems. In one memorable (like to forget the circumstances) occasion, my own account was inadvertently locked out, but I had access to the root account on one of our workgroup’s servers. In retrospect, yikes! Dialup mayhem potential, there.

        1. Several video games offer dongles about the size of your thumb, that you buy and then log in with the one-time password.

          Usually they offer something like a cute in game pet or similar as an additional reward.

        2. We use joke phrases and dates that are important to us– and things like the kids’ birth weight– for the lower security stuff.

        3. AFAIK, no modern tokens use GPS to sync the time. Nevertheless, the clocks are pretty accurate these days — less than a minute per year. So much so that, according to an article I read recently, some OAuth providers use a clock skew as short as two minutes for time-based tokens.

          As for remote security — well — you had to be present during recent “discussions” on whether to turn off remote root login for all the Linux systems. The developers howled at not being able to login as root and groused about having to precede their commands with `sudo`. I still have to allow `sudo sudo` on a few systems because the dumb-arsed developers will not fix their damned update scripts to run as a non-privileged user.

          1. And it may not be “your” developers; lots of applications require root access to install or patch. Some companies are worse about it than others…..

            1. Well, my opinion is that developers should never touch anything outside the development environment. If they need a production or “QA” box they must provide instructions to a sysadmin to do the actual work. Administering networks and systems for quite a few years has taught me that letting developers change anything outside their home directory on a prod box is the first or second ingredient in a recipe for disaster.

            2. My personal Linux machines (did I really get up to 5?) don’t have user-level access to the package patch/install tools, nor to the directory where packages are downloaded and installed. OTOH, I’m the only non-root user on 4 of the machines, and my wife’s game machine is reasonably close to incommunicado.

        4. Company I last worked for has new owners. This may not apply now. But their “security” was running under the radar. Getting into the VPN, and your employee workstation was a PIA, or at least the setup was, but getting into the general client server and individual client sub directories was a matter of knowing the internet address and same password. General client server, not a big deal, would just get helpful tools that if not already had main system setup correctly, then not working anyway. But the client sub directories would have snapshots of actual data, all of which had the same backdoor password to unlock once imported in to SQL. Some of which would have SS# … think about that. Unless things have changed, I could get in now 5+ years after retiring. I do know the web site access has changed, I can’t get into the user portal anymore (I could have messed with documentation, that no one read, big thrill I tell you …/sarcasm jic) … website has been redone. My workstation has been “recycled” so 1/2 VPN access has been truncated … OTOH it was one of the first things I killed on my home computers (so I wouldn’t be tempted). The only reason I’m not into my old work email is because I have no idea what the last password I used was, which had to change every 90 days, which I didn’t change at the 90 day deadline. Good thing I’m not evil … My last workstation password was: 20160131ImDone, prior one was 20160131ImOutofHere … I think one of them was 20150131Bye … just saying.

        5. Time sensitive can be super annoying. I had an old laptop that I decided to resurrect for some uses and it wouldn’t update anything because the internal clock was supposedly off. Even though it appeared to be just fine. Never did figure it out, wiped the drive and threw it away.

    4. MFA is not inherently bad. Now, using a phone/SMS for it IS, but MFA in and of itself is not the problem. It’s using a method for MFA that can be hijacked remotely that is.

    5. I want to correct something. The security of two-step authentication entirely depends on the security of the second step. If the second step is a text message, then it is NOT secure. You can obtain copies of someone’s SMS messages remotely; I’ve had it explained to me, though I wouldn’t be able to explain it to you in detail. However, if the second step is an authenticator app, that IS secure, at least more secure than having just your password. Authenticator apps aren’t tied to your phone chip, they are tied to the physical phone. So to get control of your authenticator app, an attacker would have to steal your physical phone. The security guy at our company, who keeps up-to-date on this stuff, does recommend two-step authentication with authenticator apps, though he prefers the electronic dongles that you can put on your keychain. But he recommends strongly against SMS as a second factor; that, as you have pointed out, is LESS secure than simply having a password.

      1. Sure. But while what they *say* is “two-factor authentication”, what they *mean* is almost always “text message to a cellular phone.”

        Note for anything via text message: companies like Syniverse Technologies in Tampa handle text messages between cellular providers, and they not only get the SMS in cleartext, they store them for… they don’t actually say. But the zombie Valentine messages a few years ago were over a year old.

        1. Didn’t the Patriot Act require providers to store text messages for a certain amount of time (to combat terrorism, of course).

      2. You can obtain copies of someone’s SMS messages remotely;

        It’s a default app for Windows 10, although the phone has to be new enough for it to work.

        1. The only way a person gets your password is if you tell them. So don’t tell anyone.

          Incorrect. Lots of people’s passwords have been leaked because the website was hacked and the hackers got hold of the password database. Now, nearly every website stores passwords in “hashed” form, meaning you apply a one-way math function to it. So if your password is “123456”, what’s stored in the database is “e10adc3949ba59abbe56e057f20f883e”, and there’s no way to take “e10adc3949ba59abbe56e057f20f883e” and work the one-way function backwards to get back to “123456” from there. But you CAN take a list of the million most common passwords, apply that same one-way math function to them, and get a list of the hashed version of the most common passwords. So when someone gets hold of the password database and sees “e10adc3949ba59abbe56e057f20f883e” as your password, he knows that it’s “123456”. And because many people reuse the same password on multiple sites, if someone gets hold of the password database from a popular online game, they also know the Facebook, email, and banking passwords for many of those users.

          And yes, your phone can be stolen, which is why password authenticator apps give ten single-use backup codes that you’re supposed to print out and keep in a secure location. If your phone is stolen, you can use one of those backup codes to log in and revoke the phone’s two-factor access. And if you lose your backup codes, you can log in with your password+phone and revoke the backup codes, and (if you’re doing it right) then generate ten *new* backup codes to print out again.

          If everyone did passwords *correctly*, generating long random passwords and using a *different* password for every site, then two-factor authentication would indeed be unneeded. But lots of people accidentally tell hackers their passwords, without knowing they’re doing so. 2FA helps mitigate that issue.

          Note on doing passwords correctly:
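The comment above explains why a leaked table of unsalted hashes gives up common passwords, using the MD5 of “123456” as its example. The block below is an added worked example (not code from this blog or from the commenter) that reproduces that reasoning end to end and then shows the storage scheme a site should use instead: a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), which makes a single precomputed list useless and each guess expensive. The small password list and the “leaked” hash are constructed for the demonstration; the 600,000-iteration default follows OWASP's published guidance for PBKDF2-SHA256, and the storage string format is an assumption of this example, not any framework's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the "million most common passwords" list the comment describes.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "111111"]


def md5_hex(password: str) -> str:
    """Unsalted, fast MD5: the same input always yields the same 32-hex-character output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist) -> dict:
    """Hash every common password once; the result maps stored hash -> plaintext."""
    return {md5_hex(p): p for p in wordlist}


def recover_unsalted(stored_hash: str, lookup: dict):
    """Lookup against a leaked unsalted hash: the plaintext if it was a common password, else None."""
    return lookup.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Defensive storage: random per-user salt + slow PBKDF2-HMAC-SHA256.
    The salt makes every user's stored value unique (one precomputed table fits nobody);
    the iteration count makes each guess cost real CPU time. Format (assumed here):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored alongside the hash; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hashes_are_salted(password: str, iterations: int = 1000) -> bool:
    """Two users with the same password get different stored values, so a lookup table cannot match both."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)


if __name__ == "__main__":
    leaked = "e10adc3949ba59abbe56e057f20f883e"          # the hash quoted in the comment
    table = build_lookup(COMMON_PASSWORDS)
    print("unsalted MD5 recovers:", recover_unsalted(leaked, table))   # 123456
    stored = hash_password("123456")
    print("salted, slow hash in the table?", recover_unsalted(stored, table))  # None
    print("login with right password:", verify_password("123456", stored))
    print("login with wrong password:", verify_password("1234567", stored))
```

Note that the salt is not secret; it is stored next to the hash. Its job is only to make precomputation per-user, which, combined with the slow KDF, is what turns “he knows it's 123456 at a glance” into a per-account guessing effort that password length and uniqueness then dominate.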

          1. “If everyone did passwords *correctly*, generating long random passwords and using a *different* password for every site,”

            Given the number of different passwords required for all the different sites we use, you quickly run up against the limitations of human memory.

            Which led to the following exchange with a co-worker 20 years ago:
            CW: I’d never take the Mark of the Beast; I mean, how could you take something like that especially if you know what it is!
            Steve: Oh? Here’s an ID that’s a unique identifier and all you have to do is scan it to access any of your accounts; no passwords to remember again.
            CW………………….
            CW: Steve, you’re evil.

            1. Another part of doing passwords *correctly* includes writing them down. Yes, I know you’ve been told never to write your passwords down. That advice was wrong. But “writing them down” includes keeping them in a password manager, where they’re easy to sort and copy-and-paste into password fields.

              For myself, I use https://keepass.info/, because it installs on my computer and doesn’t store anything in “the cloud” where I can’t control it. I have one master password, that’s extremely long and that I can remember easily but nobody else in the world could guess. That unlocks the encryption on my password manager and lets me access my other passwords any time I want. So I have 30-character-long random passwords that are different for every site. That’s the *right* way to do passwords.

    6. Heed this. Two step is a way to get you removed from your own accounts then refuse to get you back–“that’s not the phone number we have on record.”

      Yeah. FU amazon.

          1. Look at it this way: you’re making some Feeb take time away from the water cooler or Minesweeper to do some actual work. For you.

          2. Hell, I’d be worried the FIBs would open an investigation of you. Hate speech, you know. Raaaaacist hate speech.

            Have I lost faith in the FBI? Why would you ask that?

              1. Way back in 1987 my then wife took a job with a government contractor. One of the first steps was a standard background check with the FBI. Told her six to eight weeks was typical. Hers came back in three. Got her some strange looks as that was a sure sign you had an open FBI file, or your spouse did.
                Had to explain to her that at the time I was still working for C&NW railroad, a secure government carrier of highly regulated things, and also at that time held an FFL.
                Not long into my new civil service job I worked a source board that experienced a major security breach which was eventually solved though never made public because of political implications.
                So I assume my fibbie file likely has several red flags permanently attached.
                Does not keep me up at night, but I am careful about what I say and where I say it.

        1. Don’t you believe it. The cancer goes all the way to the receptionist at the local office.

          1. No, it doesn’t.

            There are asses, as there have been for decades; their co-workers find them to be asses, and work to do the job they were hired to do, honorably.

            Quit spreading doom and gloom, it’s no more true of the FBI, or “government workers,” than of teachers, or military folks, or any other group that has folks who are useful to the Progs.

            1. That isn’t doom and gloom. Your version is *much* more horrible because it dramatically complicates IFF.

              Even inside the ATF (*spit*) there are a few decent people. For example supposedly there is an argument going on between Technical and Leadership over the FRT-15 trigger. Leadership wants it classified as a machine gun, because duh. Technical is telling them they can’t do that, also because duh.

              But there is a scale of corruption: line military? Very likely non-corrupt, at least not the kind of corruption that matters in this context. Random agency that doesn’t have special reason to be corrupt? There will be some, but mostly “typical” crap.

              FBI? One half of the reason they began was corruption, so the logic flips: certain sections will be remarkably non-corrupt (HRT has this reputation), but a random spot in the org? Bet on corrupt.

              And then we have the ATF, er, sorry, “AFT”, where every year the PR arm loudly proclaims their heroism in butchering families.

              1. Reality generally is horribly complicated.

                Which Sarah has pointed out, because she and her sons are targets if it’s not, and which I have many folks I love and appreciate who will be unjust targets if folks buy into stupid tribalistic fear-mongering.

                And then we have the ATF, er, sorry, “AFT”, where every year the PR arm loudly proclaims their heroism in butchering families

                You’re going to have to unpack that one to be understood.

                    1. This may be another “those folks who failed their duty to you are f’d up” thing.

                      Hubs had an ATF agent ask where he could get a “should be a convenience store” shirt when he saw him wearing it.

                    2. Correction, I do remember crazy lady back under Clinton trying to brag about it, but since I was not even a teen yet I can’t remember details.

                      So not quite literally never, but it got smacked down.

                    3. Oh they get raped on twitter every time it happens.

                      The jury is still out on whether it is a honeypot, or the leadership are into S&M.

                    4. Nominating for it, see prior psycho statement…..

                      When ATF guys think you’re nuts for shoving a “victory,” you may be more harm than good to your goal.

              2. sections will be remarkably non-corrupt (HRT has this reputation)

                I’m not sure the survivors of Ruby Ridge have that opinion. Lon Horiuchi was also at Waco. Fun fact: one gunstock manufacturer used Lon’s name for an endorsement. The blowback was epic. (Circa late 1980s.)

              3. “That isn’t doom and gloom. Your version is *much* more horrible because it dramatically complicates IFF.”

                No, not really. Within 60 days of the first confiscations, any agent who’s still working there can be assumed to be aware they’re being given unconstitutional and illegal orders. Unless they resign, they’ve chosen: Foe.

                1. While true, I’m not sure how that relates to what you are quoting?

                  My point was that the characterization of KL’s statements as doom and gloom was incorrect.

                  1. I understood it. And thanks, Ian. Real is real. Gloomy is someone else’s opinion of reality.

                2. My guess is this has already happened in many field offices. People already know which way the axe is going to fall; they’ve already chosen sides.

                  If they don’t quit/retire, they are not on my side.

      1. It does at least establish a “Filed a complaint when it happened” rather than some later claim (as if publishing online here didn’t make a record….). But right now that’s probably ALL it does. Or maybe would be all it did if you were lucky and the TLA’s weren’t so corrupt by leftism that I’d trust a strange dog to guard a pork roast more.

    1. So is knocking down mail boxes, repeatedly, but I found the FBI too busy with other stuff when that happened.

      I was raised, and raised my kids, if in trouble call a cop, not so sure that’s a good idea now.

      1. So, calling the cops won’t work.
        And Biden is doing his best to make sure nobody can defend themselves when the cops aren’t there.

      2. Will the FBI do much? Probably not, unless you drop a suspect gift-wrapped into their lap.

        However…

        If you don’t file a report, and the fact that you were hacked becomes important later, then people will note that you didn’t file a report, and cast doubt on your claims.

        Something to keep in mind.

        1. ^this^

          They’re not going to investigate Sarah unless they already WERE going to, and not filing the report looks really suspicious.

          1. Not filing the report can be a matter of basic persec. No, not because of the FBI coming after you, but because they are too fucking incompetent to not leak. I know a professional security person who made the reports you are supposed to make of serious crimes being committed.

            She got to experience the joys of the criminal you reported knowing you are the one who caught and reported them. (Nothing happened, so lucky there)

            1. Thank God she was alright.

              There’s a reason I start foaming about New York’s “give all info about witnesses” law.

              1. Yep. ‘Let violent criminals out of jail without bail, and tell them who got them put in jail.’ What could go wrong? 😦

                1. “Don’t call the cops; there aren’t any, and don’t defend yourself or we’ll jail the corpse.”

                    1. You’re right; ain’t nothin’ stinks like a hog farm. My 9th grade class walked through the FFA hog barn behind the school, and our clothes stunk of pig shit for the rest of the day. We didn’t even touch anything!

2. Turkey Barn … we did touch. It was a fundraiser for Job’s Daughters. Picking up and handing off to craters live Turkeys. Some adults (dad) could work alone. But most of us, girls, worked in pairs, as Turkeys had to be crated in pairs … 55 years ago, almost. By the time the night was done we weren’t smelling it anymore. Mom made us strip outside the garage to our skivvies. Dad first (we turned our backs). Then me and the good friend that went with. Mom had robes for us to wear to the shower. Don’t remember if she burned the clothes or just washed them 5 or 6 times. She also washed the robes.

                      Don’t remember hog pen being particularly smelly at my Aunt’s and Uncle’s. OTOH they only had two or 3 at most and a huge outdoor pen. They were still mean.

                    3. Three big things:

                      1) pigs are very much like humans, so their poop is more offensive to our noses.
                      2) pig barns are a (relatively) tightly packed mass of pigs that often have been upset by moving them.
                      3) pig pens, if big enough have enough room for the pigs to control their environment. As my mom rather sharply commented, pigs have more sense than humans because if there’s any option, they won’t s**t in their own bed. (That was, looking back, when she was around a LOT of teenagers, and a lot of chronological adults who didn’t.)

        2. Also, file a complaint with the state — I’ve no idea which department in Colorado handles such, but likely the Attorney-General’s office. Look for “Phishing Attempt” or “Consumer Fraud” and fill in the form. Highest probability result is a form letter acknowledging the complaint and assuring you the department takes all such matters very seriously.

          Conceivably it will come up in T-Mobiles licensing renewal process, but the most important factor is to establish a record. That way when the person responsible escalates to more serious and direct attacks the police will be able to inform the public that it was part of a pattern of anti-immigrant hatred.

Say, there’s a thought! Complain to T-Mobile that their indolence in pursuing this assault on you must be because you are an immigrant and if they don’t do right by you it must mean they’re anti-immigrant.
          ~

          1. Just about every law enforcement agency nowadays has a cyber crime department. At the local level may just be an officer stuck at a desk due to health issues, but they will take and file a report. Won’t do much unless the violation involves big bucks or “important” people, but at least you’re on record.

  2. Targeted or random?

    I agree – the four emails were NOT the act of some random cyberjacker.
    ~

  3. If we have donated at support accordingtohoyt.com using the credit card option, are we vulnerable? Thanks.

  4. Somebody needs a close encounter of the tire iron kind.

    Let us know if we can arrange the meeting.

  5. Of interest a lot of these requests this month came from people working for engineering/tech firms, where you’d think the rot is not that deep.

    Do engineering/tech firms not have HR departments? Is the field devoid of envious colleagues co-workers who, while not congregants of the Church of the Woken might nonetheless employ its adherents as attack dogs?
    ~

1. Engineering/Tech is precisely where you would expect that at this point in time.

      Not so woke that people already knew they were unsafe.

      And around now the slower folks are realizing the likelihood of boog.

    2. I’ve worked at tech startups for 10 years. They are full of the woke. Some of the new startups are the worst. Their websites are full of DEI genuflections and promises that they are the wokest of the woke. My guess is that a certain percentage of employees are not woke, but are afraid to be public about it. In general they’re full of ambitious college-educated young(ish) people, so it’s exactly the demographic that is most woke.

3. I’ve worked in Software engineering for well nigh on 40 years. You do get a higher proportion than in the standard population of Libertarian/classic liberal from the ingestion of Heinlein, Pournelle et alia. They’re maybe more vocal but in no sense predominant. And even engineers from Ivys (Yale, Cornell, Brown) have been liberal/woke since the mid 80’s. Top Engineering schools went next (MIT, Cal Tech, RPI) in the 90’s. Even lesser known engineering schools have gone woke because that’s the predominant stripe of folks getting advanced (PhD) degrees. And the office politics get ugly fast… Engineers haven’t averaged conservative since when NASA could find its backside with both hands 2 times out of 3.

1. In my experience, the more conservative engineers were likely to be in positions (manufacturing, design) that were part of the great off-shoring fiasco started in the ’80s and pushed in the ’90s. The software people tended to be more liberal-to-progressive, and those entities stayed. At least for the SF Bay area, when “Silicon Valley” turned into a bitter joke, the home of EBay, FaceBorg, Twit, “Don’t get caught being evil” Google, more and more of the conservative engineers were either retired or had moved to the portions of the country that managed to keep manufacturing. The rest were keeping their heads down.

1. When I started in the 80’s Software tended more liberal than the physical based (Mechanical, Electrical) engineering fields. I had little to no exposure to Civil/Chemical Engineers so can’t say there. Over time the EE/ME that I interact with seem to have slid left socially, although they tend to remain moderate to right fiscally. I think part of the issue is that Computer Science types require no connection to the physical world, which slaps you if you’re an ME or EE and ignore reality.

          1. Agreed. The engineering types who had to deal with reality (in semiconductors, screwups ranged from expensive to potentially fatal, though I never encountered anything that bad). We had a lot of Chem types in the fab, though things were going leftwards in the late ’90s and on.

  6. My employer quite a while back asked all of the employees to not identify themselves as employees of that company on social media to avoid problems with clients. That rule has been one that I’ve since followed, though for more self-interested reasons. I’m also intentionally vague on which city I live in for the same reason.

    As for two-factor –

    The warning above is probably a good idea. However, there are times when it’s needed. I had an e-mail account get hacked once for a protracted period of time. Nothing went out, but a lot of accounts that used that address suddenly started getting password changes. And the hacking survived my changing the password on the e-mail account. The host company insisted that the information was being pulled from my computer. But accounts that didn’t use that e-mail address didn’t get compromised. So, yeah…

    Two-factor was what stopped the reviews under my account name from being posted on Amazon. Fortunately, I hadn’t saved any credit card information there…

    1. From a theoretical standpoint, two factor is a great idea. The problem is that there is no way of knowing which companies are using two factor as two factors, and which are saying, oh, you have the phone? Well, we won’t require the password then. Despite the existence of services like Google Voice that can only exist because phone numbers are easily spoofed.

      Security questions, on the other hand, were a bad idea from the get go.

      1. Well, two-factor in this case is an authenticator app, so…

        The thing to remember is that there are different kinds of two-factor authorization. None of them are completely risk-free. But some are more vulnerable than others.

        1. THIS THIS THIS. Two-factor that relies on SMS is a terrible idea from a security standpoint. Two-factor with an authenticator app is fine. Two-factor with a physical key (it’s usually one that plugs into a USB port) is very good.

        2. > Well, two-factor in this case is an authenticator app, so…

          “App” suggests “something that runs on a smartphone.”

          A) not everyone has a smartphone

          B) if they do, they might not want that phone tied to whatever you’re trying to authenticate

          C) if I’m the one you’re trying to authenticate, it’s up to you to prove to my satisfaction that your software isn’t otherwise malicious

          D) doesn’t depend on a Google or Apple “store”

          E) your 2FA will still fail if your user isn’t close enough to a tower to get a signal; that’s a largeish part of my state

      2. That’s the way my company does it. Of course, if you’ve stored that password on the phone……

        1. My bank and insurance company, once you log in AND use your PIN, text a number to your phone to use to finish logging in. If you phone, they are pretty fast about answering. If you don’t have a smart phone, the insurance company is very good about having work-arounds. YMMV. I don’t use aps to log into anything, so I have no idea if they are safe or not.

    1. I’m not sure if my comment went to moderation because it’s my first comment here under a new name or if it’s because I now have a WordPress account. I’m the person formerly identified as “mrsizer” (“m” is for “Mark”).

  7. I never mention where I work.

    I only just got a cell phone; but since I don’t use it for banking, or note keeping or anything other than a phone, it just sits next to the computer on my desk to replace the old landline. I don’t even carry it with me.

    I’m sure the feds all know where I am.
    (Especially since I sent an e-mail to the Fraud in Chief this morning calling him a lying sack of shit for blaming the border problem on former President Trump.)

    1. LOL… wonder what poor sap got dinged with scanning messages on the White House contact form. That’s not an enviable job just now…tho I suppose they’re making a nice database of People Who Don’t Like Joe.

      Hint to WH staff: you’re gonna need a bigger file.

2. I use a basic flip phone for phone calls. When I required a particular “app” I added a second line and a cheap android phone I only turn on when I need it. I made the lock code long but memorable. Fibonacci and Prime Numbers are my close personal friends.

      1. Yeah, basic flip phones are nice. Mine uses an oddball OS that doesn’t support apps, though the camping trailer wanted a smartphone for controlling bits and pieces. I bought a refurb’ed phone of indeterminate brand whose default state is “off” for that.

        Those of us of the get-off-my lawn age might have used Usenet. Pretty sure that had my real name, but the relevant addresses are gone. Email lists could also be a weak part, though the only digest I’ve seen from one excised the addresses. Other fora in that age used a different nom d’internet.

        On general principles, we don’t do online banking, though the only ID theft that got me relied on crooks in the bank. Bank manager was annoyed that I called the police (local–no luck) to report it. At which point I got loud and detailed. Got the nontrivial amount that was drained from my checking replaced, and a new checking account elsewhere.

          1. I still do. Elements of it are still alive and well, mostly in the alt groups, though much of the former high traffic areas have fallen by the wayside.

        1. For a couple of years I’ve also been using a flip phone for business/personal calls (my “whitelist”) and never give out the number. I also have a $10 a month “smart” phone for everything else. It gets all the telemarketers and robocalls. I use it to call any number not on my whitelist. No problems so far….

8. So there’s MFA over text messaging or even email, which is dumb but might be the only thing on offer past a simple password, and MFA using one of the magic code apps, which seems to me to be less dumb as there’s no required info in transit, and then 2FA using approve-me-in-the-logged-in-dedicated-app, which seems less dumb yet since the approval has to be done on something that’s otherwise already logged in securely.

    At previous employer they gave everyone a dedicated token which I kept on my lanyard behind my badge, with the verification algo and hardware managed by the IT guys down in the IT lab. I personally AM my IT department, so I don’t have that to fall back on.

    My concern with random-token-hardware is that the mainstream seems to want nothing to do with any of those.

    Is there some open-source but secure-algo-and-seed-methodology hardware token solution that’s not made in the middle Kingdom and has any general adoption out there?

  9. Sarah. Your Hotmail account was the one we were corresponding on about me making you a cover. Do we need an alternate?

    1. No. I recovered it.
      It’s as secure as it was, and as I said since no random things deleted and no “answer all” with obscenities happened, my feeling is that they saw a first email about royalties — not mine — and then searched royalties and sent out four emails trying to fuck up my life.
      Then started breaking into other things, having intuited this email had no financial stuff attached.

    2. Honestly, my feeling is that they were looking for something embarrassing/awful to embarrass me with/discredit me.
      Not having found it they started trying to look other places.

      1. Or looking for info and identity of people you know or post on your site so that they can target those people. The left will not rest until they have destroyed all who disagree with them.

          1. Or, ‘A Quiet Normal Life’? 😛

            (Subtitle of The Best Of Warren Zevon, including ‘Werewolves Of London’, ‘Excitable Boy’, ‘Roland The Headless Thompson Gunner’ and ‘Lawyers, Guns And Money’)

        1. Yes, but this character may not have thought out a strategy.

          Remember there are leftists who have posted screen captures of horrible comments on a right-wing site without realizing that everyone can see it’s the comment screen, and they haven’t posted it yet.

      2. I forget who said it, maybe President Reagan, but “Live your life so that you never have to be ashamed of anything they say about you, even if it isn’t true”.

  10. It kinda sounds like an employee selling TMobile hacks on the side intersected with someone who sees Our Kind as good targets, and is randomly hitting ’em up… given the comical blackmail stunt that was just pulled on Matt Gaetz (seriously, read the letter; he released it. Longwinded “Nice career you’ve got there”) and how it coincided with Bill Kristol’s group targeting GOPs-with-spines. So, mix of purposeful and random.

    As to 2FA, why would I want some site of unknown security habits to have an access like my phone number? not that my dumber-than-rocks-phone knows anything interesting, but I can tell you that someone out there sells targeted phone numbers… I persistently get texts addressed to my real name in its public form, trying to sell me ghost-writing services (which appear to be a scam).

    If some site insists on a phone number just because, and won’t take a string of zeros, I give ’em an old one that’s in permanent limbo (thanks, Virgin Mobile … took an FCC complaint to regain control of my phone, but the number is toast)… which before I got it, apparently belonged to a dope dealer in Cheyenne. My, the interesting drunken calls I’d get….

    Trouble is there are so many databases out there nowadays, and so many that have been leaked, that unless you’re a wildman in the woods who’s never been to town, said many data points can be correlated and there you are on some site like MyLife, for all the world to see.

    As to my handle, it’s hardly private; I even own the matching domain. But in my current situation, I’m pretty well hardened.

    1. In my experience they want a cellular phone to send a text to. If they don’t get a reply to the text, you’re not “authenticated.”

2. I think Reziac has hit the nail on the head. Why would some lowlife who lives in mom’s basement and traded up from Starbucks barista or burger flipper to phone monkey want to muck with your career? Answer: They wouldn’t, but money (especially if they have a drug habit) would motivate them. Unfortunately the most that’s going to happen is they’ll get fired and go do something else and the company will sweep it under the rug. Local Cops won’t care, FBI is a really bad idea (Think you can trust local FBI offices? Talk to the widows and orphans made by Stephen Flemmi after he was an FBI informant; they’ve been gone since the 70’s). No chance in heck we get to follow the money; it was cash, probably not much, and squandered. I only wonder what the going rate is today. Long ago it was 30 pieces of silver. We could ask cui bono, but honestly I can’t tell if that set is huge or empty or a little of each.

      I’ve had credit hacked one time (and the galling thing is they spent my money at a Steak & Shake in Atlanta and I can’t even get that here in the frozen north). It really is discomfiting to be that vulnerable and truly a pain to have to fix all this stuff.

  11. As I just discovered: Apple will not allow you to remove two-factor authentication. So if you have an apple device…you are SOL on that front.

    Further reasons for, when my ipad finally dies, I will NOT be getting another apple device EVER.

    1. Only reason I have an iPhone is that it fell on my head. Hasn’t been put into service yet. But I’m disinclined to use a phone for anything besides, well, a phone.

        1. Well, I suppose I could use it for that… but given I don’t have the habit of carrying a phone with me, and rarely think to do so… and hardly ever go anywhere… might be a long time between turning pages.

          1. I live in the middle of nowhere, where the weather is such that getting stuck/into a wreck/other things could actually kill you, and so carrying a phone is as much a survival tool as anything else (But if you use the local phone company, coverage is good even in pretty remote spots). Also have aging parents and a very elderly grandmother prone to falls, so…it pretty much never leaves my person.

            1. I grew up before there were such things, and spent a lot of time in the middle of nowhere… back then we had to rescue ourselves. Then lived for years where there was no phone service of any sort. So the habit of carrying a phone never developed.

              Now I live within walking distance of town, and could shout for a neighbor… it’s embarrassing. 😛

              1. We never had them either, but I have gotten into the habit of: calendar for my business; contacts for my business, family, and friends; music to replace Walkman; “books” to replace books; “maps” to replace maps; etc. I wouldn’t be particularly bothered if phones went away but there would definitely be an adjustment period.

1. > I wouldn’t be particularly bothered if phones went away but there would definitely be an adjustment period.

                  > I grew up before there were such things, and spent a lot of time in the middle of nowhere… back then we had to rescue ourselves. Then lived for years where there was no phone service of any sort.

                  Both apply to us. Not the “live” in an area with no phone service of any sort, but we go places like that all the time. Especially the no cell service, not just wilderness hiking/backpacking, but areas where “100% turn off cell phone or it’ll turn off because battery is drained” is a *thing. We were late to the “get a cell phone”, then late to “get a smart phone” (mom got her smart phone before we did!)

                  I was surprised at my husband’s response when we went to Canada, 2019. I told him when we switched to Xfinity Mobile that we wouldn’t have Cell coverage in Canada (without *selling our first born and first born said No to that), except through WIFI at the hotels. Getting cut off rattled him. Which was surprising. I’m the one “tied” to tech (ex-programmer, eBooks, etc.). Him not so much. But he was really upset to not be able to use cell, where there was coverage, in Banff and Jasper proper.

* No cell tower = drained battery, faster when it is cold. When cell phones keep pinging repeatedly to find a tower, or WIFI, there is no “timeout” feature. Putting phone in airplane mode with WIFI off also works. We’ve even been places where GPS features are intermittent at best. The only way to disable GPS is to turn off the phone. You (in theory) use settings to not allow phone to send location out, but you can’t turn location off.

                  ** Now for $10/bill cycle we can add Canada or Mexico to our plan. Just have it added for the billing cycles needed. But in 2019 that wasn’t an option. We survived. Biggest challenge was, avoiding Calgary, how to get from the border crossing coming out of Glacier NP to Hwy 1 west to Banff. Second challenge was finding Tower Mtn Resort (right up there with Tower Mtn Campground, which we’ve used before, guessing worked). After that, we’d been there before. (Remaining challenges were OMG, Banff and Jasper have been discovered as non-winter destinations, even the hiking trails were insanely busy. Get to trailhead parking by 7 AM or before or park 2 or 3 miles away along the road. Or 4 AM or take the shuttle, or have a dog with you, at which point they’ll let you go hunt for a parking spot (Moraine Lake).)

    2. In their defense, Apple is one of the companies that appears to take security seriously. So two-factor authentication there probably really is two-factor authentication, and not half-factor authentication. Apple is the only company I know of that occasionally gets into the news for not giving access to someone who (presumably rightfully, although with today’s journalists you never can tell) claims over the phone that the real owner is dead, and I don’t know the password, etc.

      1. This is true. They actually send me a text whenever I go to log in online, so I really DO have to have BOTH the phone AND my password to hand. Even so…I wasn’t happy when they forced me to do it, and I was already unhappy about them trying to force me to buy a new ipad (mine is circa 2012, and still largely works as good as new), and even MORE unhappy at the loss of a number of previously purchased music that I could no longer download. (I ended up having to reach out to the actual artist, who made good. Amazon, who did something similar to my music library, willingly looked at the receipts I showed them and gave me a gift card to re-purchase 97% of what I’d lost–there were a few things no longer available at all, and I learned a valuable lesson about backing up to cds. See, I’d had a hard drive crash…)

2. > In their defense, Apple is one of the companies that appears to take security seriously.

        They put on a good show– after having the whole public exposure of a ton of famous folk’s data, because they required security questions that you couldn’t change, and all the information was publicly available stuff.

        1. Do not provide accurate information on those questions.

          1. In what city did you get married? Hell, No (real place, BTW)

          2. What high school did you graduate from? Hard Knocks Reform School.

          3. What was the name of your childhood pet? Alligator

          Get a password manager that supports encrypt note on each account and store the responses there.

          1. Great, now go back in time and tell the gals whose intimate pictures they thought were secure, because Apple said so, to do that.

            1. If I could go back in time I’d tell them to never, **ever** post anything they do not want the world to see. It is not a new problem. Heck, even back in the BBS days there was an informal rule that you never post while drinking because you can never take it back and everyone on the list can see it.

              1. I don’t “do” naughty pictures, so mine would be the same.

                Still, that was a major, obvious breach. Mother’s maiden name, seriously?!?!

      3. Which is why P&G is working with China to get around it. Story on WSJ Best of the Web yesterday.

      4. A lot of security “improvements” seem not to be a decrease in risk, but a displacement of responsibility.

3. Apple is overpriced and overrated in general. Android has its own warts, but if you’re willing to put some work in you’ll have far greater control over your device.

  12. On a similar topic, did you ever receive my audio samples?
I rather suspect it was over the email in question that I sent them to you.
    (I don’t check my emails from the computers at work. Nor are they accessible on my phone. The paranoia runs deep.)

    1. Oh, dear Lord. Yes, I DID. I meant to listen to them, and then I spaced.
      Look, 2021 hasn’t been as bad, but it’s been…. interruptive. Little things keep pulling me away.
      And the sleep ain’t great.
      Can you send again. At this point I’d have to remember your RL name to find them. And I really want to get moving on this.

      1. I was just worried you hadn’t gotten them.
        I’ll send them again. I know how crazy it’s been.

        1. Thank you. Things are finally moving forward here. House getting fixed by contractors, we’re getting our funds together and going forth…..with our move to Free America.

  13. Send a letter to T-Mobile to the attention of the store manager, corporate headquarters executive management team and to attention of their general counsels office; detail that the store admitted that it was one of their employees but they refuse to identify the employee or provide any assurance that the hacking won’t happen again; make sure it is by certified/express and regular mail so you can prove receipt of the letter.

    The letter should tell T-Mobile that they are responsible for any losses or damages that you suffer and demand that they provide assurances that it will not happen again. Indicate that you reserve all of your legal rights and claims, including right to bring suit against T-mobile. The letter should demand the employee’s name and that the employee be referred for criminal prosecution, and that if they fail to do so or provide the name of the employee, that you will consider T-Mobile to be an accomplice who is aiding and abetting their employees criminal activity.

    If you have a local newspaper(or a national one, such as Breitbart or PJ Media) that you trust, copy them also. You might want to reach out to Professor Reynolds as he may know someone who can provide some good legal counsel and assistance.

    1. Oh, yes – this.
      I’m probably safe enough from the malicious because – my phone is in my daughter’s account, and she has been resolutely non-political from the get-go. And my public profile is not the legal identity under which I have bank and business accounts. And I am in Texas, which is … outside of Austin, and maybe sink neighborhoods in Houston and Dallas-Ft. Worth … pretty straight-up conservative-friendly.

14. Reason number ______ as to why I refuse to get a “smartphone” and use a regular, not so smart basic flip-phone.

    1. I finally got one—which I use as a phone. Though I do have one hiking app on there, since it’s handy for tracking lengths when I’m actually needing specific distances. (Merit badge counselor here.) The rest of the time, the locator is turned off.

      1. Most of them, even when the locator is turned off, it really isn’t off. One of the many privacy abuses that the tech companies engage in.

        1. Actually, it’s always on because the phone has to triangulate among available cell towers. But that still means so long as the phone is powered on, it can be tracked via tower data. (And of course, that’s mighty convenient data for whoever wants to abuse it.)

          And even when powered off, they’re not quiescent… try powering off but leave wireless or bluetooth active, and see what that does to your battery life vs having both disabled. (On my old ZTE, the difference is 3 days vs lasting indefinitely. As in months, if not years.)

          ===

          Speaking of battery life… you may have noticed that since 1/6, cellphone service goes through spates of shit connectivity. I’ve speculated that this is caused by a surveillance spike that is hogging a lot of bandwidth… occurs to me there’s probably also been a ping spike as they try to track all of us.

          Funny thing, since then my battery life went completely to hell as well… the retard phone usually retains a charge for several days hard use or several weeks idle, but now it’s down to no more than a day or two (even with the new battery)… but only sometimes. Other times it’s as good as ever. Picked it up a few days ago and the durn thing is hot… woke it up to make a call and I see “entering service area”, over and over. Hmm… what’s sucking battery life is that it’s having to repeatedly hunt for a tower, because the signal has become so crappy that it’s regularly being zeroed out. Which also heats it up, because it’s working its poor little retarded ass off trying to find a responsive tower. (Yet when it works, everything is fine and it doesn’t run hot, so it’s not the hardware… mine or the towers.)

          You might not notice this with a regular account, but when you’re on a bottom-tier account and therefore already on throttled bandwidth, it’s really noticeable when it gets further choked.

          1. > battery life

            I used a Red Pocket prepaid account while setting up the spyphone. I used it for about a year, until the 2008 craptophone finally died, then had Verizon send me a SIM for that number so I could plug it into the spyphone. It took repeated explanations before the support droid got the concept of “the old phone didn’t have a SIM card.”

            Battery life with the Red Pocket SIM was about 3 weeks. Life with the Verizon SIM is one week to three days, varying. That’s no data, and the usual talk time of three to five minutes a week.

            I suspect Verizon is chatting continuously with the phone. Probably demanding all sorts of data that LineageOS isn’t set up to provide…

            1. That’s very interesting… I wonder what battery life would be with a Ting sim card, given they now offer Verizon and AT&T (formerly they only offered Sprint, which gets zero bars here unless you’re literally standing under the tower).

          2. Huh.
            I’d been blaming the Google Chrome update for eating my battery and bandwidth.
            But you’re right on the timeframe.

          3. FFN seems to have stopped letting me download fics using calibre’s fanfic plug in around the start of January. Seems to be cloudflare protection against cloud scraping. I figure it is also a sign of the info war.

            I think spam calls may partly be an artifact of compromised telecom companies, PRC bust out of the US, and the Democrats going all in. Some of the recent flavor…

        2. Oh, I don’t doubt that. Not that it matters much at the moment, and if it ever truly did, I wouldn’t have a need for a phone anyway.

  15. For those who are not really certain how easy it is to pwn someone else’s computer, tablet, phone, or IoT items, look up the free training at tryhackme dot com…

    Be blessed.

    1. When our 10 year old TV gives up, any replacement will have to work in dumb mode. I’m not letting the Botnet of Things access to my ‘net. Looks like that’s doable for our purposes. Not enough bandwidth for Netflix, anyway.

  16. This is why I’m going through and tweaking all of my passwords and checking for several possible issues.

    And, suggesting that our lovely host ask some of the people she knows for…resolution. You know a resolution of status. At this point, we might have to use that as a serious option for these kinds of things.

  17. Maybe this is why my ATT email account (it comes through Yahoo) had its password changed Tuesday night. I went in and changed the password Wed AM and still couldn’t get the email. I can get it on the web. I spent yesterday uselessly trying to resolve the problem. Nada.
    So today I spent 45 minutes getting the runaround between menus to talk to a tech. I finally got one who was alive; he told me they are having “issues” and they should be resolved maybe tomorrow, maybe the next day. Why didn’t they put that in an email (we can get it on the web), so everyone else and I weren’t hassled?
    Were they hacked? It showed my password was changed in a city far away at 5:23 PM on Tuesday. My password app showed me that. And I never have wanted to bother with that 2-step thing.

    1. Just FYI, Yahoo email has regular spates of disappearing email. No bounce, no error, just vanishes, sometimes only in one direction, usually only some emails (probably depends on source), and only some users (probably depends which server you’re on). This may go on for several months, then suddenly resolves. Someone who knew how to check told me this was a specific server config problem (details went in one eyeball and out the other)… but it’s been happening every so often for at least 20 years that I know of, most recently about a year ago.

      First became aware of it back around 2000 when our little software team (in all, 3) lost our coder… he thought we’d jumped ship, we thought he’d vanished… nope, it was that for several months Yahoo decided we didn’t need to speak to each other.

  18. First mistake was hotmail. I’ve never thought they were secure. Same with yahoo. Everyone famous, everyone I know that has one has been hacked. I killed my gmail account years ago. I have a dummy one now that I use for work, for development. I do nothing else with it, other than google voice, which I’ll get to below. That said, gmail at least prevented hacking.

    I have three emails. I use protonmail for anything financial. No one has that account, other than people I spend money with. Period.

    I have my own web service that I use for emails, which also hosts my business ventures. I have two emails I use with that – first, a normal one that is my main email, the one I give friends, those I trust, and those I’m ok communicating with. Everyone else gets the BS one which isn’t actually an account, it’s merely a forward. I don’t answer emails from it and about every year or so I delete it and create another. Since email was created, I’ve had a throwaway account.

    For those that want my number they get the home number or google voice. I check neither. I have a SIP service for my business that I’m thinking of getting another number to hand out. I’ve used Skype in the past for this.

    Back to the story. This seems actionable with T-Mobile. They are liable if one of their employees cloned your SIM card. The only way to stop this is to make them pay.

  19. The T-Mobile employee was able to hack your phone without having your physical phone?
    I didn’t realize that was possible.

    1. Technically, it was spoofing the phone.

      Hacking gives access to the contents of the thing hacked; spoofing gives the appearance of being the item being spoofed.

      The criminal then used the spoof phone to hack various accounts.

    2. I used to do it frequently when I worked call-center customer service, basically whenever anyone wanted to change phones. If he still had his old SIM, the customer could just put it in his new phone and everything would switch over by itself. If he had lost it, I would have to tell the number to go to the new device ID and SIM.

      …clearly, the power can be used for evil.

  20. Thanks for the warning, but I plan to continue posting here and elsewhere using my real name, for the following reasons:
    1) EFF Them
    2) I don’t have a job, so they can’t get me fired
    3) They could conceivably go after my ability to publish books on Amazon, and I wouldn’t like that. But it’s extremely unlikely and in any event, we don’t depend on the writing income any more. I’m not very brave, but this level of risk is okay even for me.
    4) EFF Them with a rusty post-hole digger.

    1. Not using my real name, just a (short) abbreviation.

      1) EFF Them

      Agree 100%

      2) I don’t have a job, so they can’t get me fired

      Ditto. Retired. On SS. Not getting a job, again, ever.

      3) …

      N/A … not writing for sale. Not volunteering anywhere. Don’t need approval of the trainers to learn agility with my dog. Or the dog trainer we support for her charity. Otherwise, well, the one person who matters who is liberal, at least I get the “I love you … but …” … we already stay away from politics.

      I didn’t talk politics to people before all this cancel culture started. Not starting now. Most political I’ve ever been has been commenting here. Not even during the Nixon years, and I was an opinionated know-it-all little twerp (pretty sure it is called being 16, but hey, I outgrew it).

      That said, I do take tech security seriously.

    2. Similar here. I do have a job, but one that goes through back channels and doesn’t show up on their targeting systems.

      And every person who can speak up without being struck by lightning makes it easier for the others.

  21. I don’t bank on my phone. But I did have a co-worker (David Weber fan) ask if I was on faceplant once and I was like… better modulate a bit. Libertarian-type co-worker, but still… nonetheless I have never said a thing that I won’t stand behind. I just need to say my things without so many four-letter adjectives. And not mention my work so I don’t have to disclaim that I don’t speak for them.

  22. I would not say I was paranoid exactly, but I have a plethora of email addresses that I use for various logins. While different accounts may have the same email login, I create a unique password for each account, so learning one such won’t compromise any of the others.

    It helps that I own four domain names and can set up as many email accounts as I need. It means the emails go to my hosting service, not to one of the common pools like gmail or hotmail. It also means they aren’t subject to being saved and scanned by the “pool” owner, e.g., Yahoo, AOL, gmail, etc. I read my mail using Thunderbird, which is set up to delete mail from the server after I have downloaded it to my computer.

    I do have a couple of “pool” emails, one is basically a throw-away, and the other is only used so my web host can contact me if something goes wrong that makes me unable to reach my domain emails. That has only happened a couple times in fifteen years.

    Owning your own domain(s) allows you to host them anywhere you wish. I have mine registered with Dotster and have no complaints with their pricing or service. (I host them elsewhere just because.) It is worth paying for the “privacy” option, which substitutes the registrar’s name and address info for yours on “Whois” queries. You can also lock your domains so they cannot be modified or taken over by anyone without your permission.

    ********
    Re the emails sent from the spoofed SIM – if you still have access to them, you might look at the full header information. There may be sufficient encoded information to prove the email did not come from your phone.

    I am glad you were able to control the damage quickly, but if it were me, I’d consider that email address as compromised and get a new one, despite the hassles involved. YMMV. 😉
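The header check the commenter suggests, worked through as an added example (my code, not the commenter’s or the blog’s): each mail server prepends its own `Received:` line, so the chain can be walked back to the hop where the message entered the sender’s provider. The message below is constructed for the example, using documentation-reserved hostnames and addresses; the idea that a webmail submission is logged `with HTTP` while a phone mail app shows up as an SMTP submission is an assumption about how a given provider formats its headers, so check a known-good message from the same account first. Only the `Received:` lines added by servers you trust are evidence; anything below them can be fabricated by the sender, which is why the code stops at the deepest trusted hop.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// rawMessage is a constructed sample, not a message from this thread. Hosts and
// addresses are documentation-reserved. Each hop prepends its own Received:
// header, so the top one is the last hop and the bottom one is nearest the sender.
const rawMessage = `Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by inbox.example.org with ESMTPS id abc123; Tue, 2 Feb 2021 01:17:43 +0000
Received: from webmail.example.net (webmail.example.net [203.0.113.44])
    by mx2.example.net with ESMTP id def456; Tue, 2 Feb 2021 01:17:41 +0000
Received: from [192.0.2.250] (unknown [192.0.2.250])
    by webmail.example.net with HTTP; Tue, 2 Feb 2021 01:17:40 +0000
From: victim@example.net
To: friend@example.org
Subject: urgent

please send gift cards
`

// Hop is one parsed Received: header.
type Hop struct {
	FromHost string // what the sending side called itself (client-controlled)
	FromIP   string // the IP the receiving server saw on the connection
	ByHost   string // the server that accepted the message at this hop
	With     string // protocol the receiving server logged: ESMTPS, SMTPA, HTTP, ...
}

var (
	receivedRe = regexp.MustCompile(`(?i)^from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)(?:\s+with\s+([A-Za-z0-9]+))?`)
	ipRe       = regexp.MustCompile(`\[([0-9a-fA-F.:]+)\]`)
)

// ParseHops returns the Received: chain in header order (latest hop first).
func ParseHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, v := range msg.Header["Received"] {
		m := receivedRe.FindStringSubmatch(strings.TrimSpace(v))
		if m == nil {
			return nil, fmt.Errorf("unparseable Received header: %q", v)
		}
		h := Hop{FromHost: m[1], ByHost: m[3], With: strings.ToUpper(m[4])}
		// The bracketed IP in parentheses is written by the receiving server from
		// the TCP connection; the bare "from" name is whatever the client claimed.
		if ip := ipRe.FindStringSubmatch(m[2]); ip != nil {
			h.FromIP = ip[1]
		} else if ip := ipRe.FindStringSubmatch(m[1]); ip != nil {
			h.FromIP = ip[1]
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// EntryPoint finds where the message entered the sender's own provider: the
// deepest Received: header added by a server under trustedSuffix. Anything
// below it may have been fabricated by the sender and is ignored.
func EntryPoint(hops []Hop, trustedSuffix string) (Hop, bool) {
	suffix := strings.ToLower(trustedSuffix)
	for i := len(hops) - 1; i >= 0; i-- {
		by := strings.ToLower(hops[i].ByHost)
		if by == suffix || strings.HasSuffix(by, "."+suffix) {
			return hops[i], true
		}
	}
	return Hop{}, false
}

func main() {
	hops, err := ParseHops(rawMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: from %s [%s] by %s with %s\n", i, h.FromHost, h.FromIP, h.ByHost, h.With)
	}
	if entry, ok := EntryPoint(hops, "example.net"); ok {
		// Here the provider logged a webmail (HTTP) submission from 192.0.2.250,
		// not an SMTP submission from the handset.
		fmt.Printf("entered provider at %s from %s via %s\n", entry.ByHost, entry.FromIP, entry.With)
	}
}
```

Compare the entry hop’s IP and protocol against a message you know you sent from the phone; a different submission path and a source address you never used is the kind of evidence the commenter has in mind.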

  23. Re: phone company employee — Wherever there is confidential info, ideally there are employees who regard that info as absolutely sacrosanct, who actively try to forget personal data after working with it, as well as never writing anything down. These people would never, ever look up or change data on any friend, relative, acquaintance, or enemy, and they would be very careful about avoiding any appearance of such a thing.

    OTOH, there are also criminals, fraudsters, stalkers, and general baddies. When people like that are caught, it’s almost never the first bad thing that they’ve done with someone’s personal info.

    1. It’s quite possible the phone company employee was simply serving someone who came to the shop and said “I’m Sarah Hoyt and I need a new SIM because [reasons] – can you issue me one please?”
      “Certainly, Mrs Hoyt. Can you provide us with some sort of ID please?”
      “Sorry, no, I’ve nothing like that with me. Look, I’m in a hurry here and I need the phone back up and running. I can give you some details …” [various publicly available information]
      “OK, that’s fine; here you go. It will be activated shortly. No, no charge”

      Possibly a bit of paperwork as well but you get the idea. That’s about all it took last time I did it (in my case, because I’d bought, elsewhere, a new handset that took a different size SIM).

      1. Certainly, Mrs Hoyt. Can you provide us with some sort of ID please?

        Demanding ID is raaaaacist.
        ~

  24. Re: annoying things that don’t matter, once long ago I had a Twitter account, which was inactive about five minutes after I had to set it up (for work reasons that didn’t actually pan out). It stayed active only because it followed automatically some accounts by other people, as I had set it up to do (being lazy).

    Somebody (allegedly from Australia, but doesn’t sound Australian a bit) took over the account last April, and has now been running it 5000x longer than I ever cared to. Goodness only knows why they went to the trouble. We don’t share any interests, and certainly my Twitter account only had a couple of (equally automatic) followers. Twitter may even have killed my account for good at some point. But sure enough, somebody out there liked my username enough to steal it.

    It is possible that this person isn’t even the first person to steal it, because the older postings on the account do sound like somebody from Australia, and that person was interested in makeup and Goth stuff. But maybe there are Australians out there who desperately want to sound like American SJWs. (In which case, I hope the person will grow out of it.)

    I’m not even mad, because in some ways it protects me to have another suburbanbanshee roaming the cyber world. But why would it even occur to someone to pretend that some rando foreigner was the same person as herself? (Of course, if she came up with the username independently, I can only commend her taste.)

    So anyway… if anybody was still on Twitter, that chick or dude is not me.

    1. But sure enough, somebody out there liked my username enough to steal it.

      Hey, I’d steal your name!

      It’s only safe because it doesn’t fit!

  25. Crypto exchanges require 2FA.
    My phone is not set up to send or receive email. The email address Google (Android) requires to set up the phone is not from the same provider as the email addresses I actually use (and I don’t have a gmail address – “not going to do it, wouldn’t be prudent”). So since the exchanges do real 2FA it should be OK.

    And I’m retired except for volunteer work done online, so I can say what I please here. Though not where I volunteer. All politics are verboten there since the open source community is a place where people of disparate political leanings can work together with the goal of making things work properly – iff you keep the politics out of it.

  26. Yeah, that’s my real name. Most fun I’ve had with MFA is an email acct I have which requires 2-factor auth the first time you use a different machine. I work in a gov’t secure area, and we can’t bring our cell phones into the office. Normally I leave mine in my car. We are allowed incidental personal use of the gov’t system, so I wanted to set up this email acct to be able to check it from work. The code they sent to the phone expired in ten minutes, so going out to the car to get the code from my phone and coming back to enter it just didn’t work. So one day, I left the phone at home. I got on the landline to my wife, logged into the email with my password, and had her read me the code from my phone. And the email system now recognizes my work computer as mine, so I only need the password.

  27. At this point, there is too much out there under my real name to undo it.

    If anything, I’m more honest knowing that. With my employer telling us to call the ethics hotline for saying non-woke things even if we aren’t identifying with that employer means it’s only a matter of time. As it is, do I want to work for someone who thinks 1984 is superior to Drucker on management?

    BTW, I got the latest D&I email (I made a poor choice in checking a box about my personal identity so I keep getting them) which reminded me to pass the subscription link to all my co-workers so they could stay up to date.

  28. “My proton mail, which means they got nothing, because it shredded all previous data, as it does when you change password from the outside which is good to know.”

    Turns out there’s a fix for this, IF (and only if) you’ve gotten back the account and also remember the previous password — so it won’t work for the ‘got the cell phone cloned and using the forgot-my-password back door’ black-hats.

    Go to the Settings -> Keys menu, which page “lists all of the encryption keys which have ever been active on your account” and lets you “reactivate” the old key that enciphered those messages, and: ‘enter your previous password from before your account was reset’…

    see: protonmail dot com slash support/knowledge-base/
    + restoring-encrypted-mailbox
    and
    + reset-password

    Gotta love that end-to-end encryption.

    (And condolences and all good luck, Sarah.)

    1. I don’t actually have anything that important there. Proton mail is a just in case.
      It worried me only because under cover people email me there.

  29. When it comes to 2FA, text-message-based “2FA” is really bad.

    On the other hand, U2F or FIDO2 based 2FA is actually quite strong and also quite secure. It’s also resistant to tracking across web-sites that belong to different entities. You could be tracked in OTHER ways, but the U2F or FIDO2 part won’t be involved. (Yes, that’s the opinion of a trained and educated professional. But I don’t expect anyone who doesn’t know me to trust me on that…)
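Why the commenter’s distinction holds, as an added example (my code, not the commenter’s): an SMS code is just a number, so a user who types it into a phishing page has handed the attacker everything needed to log in. A FIDO2/WebAuthn assertion instead signs over `clientDataJSON`, which the browser fills with the origin it is actually on, so a challenge relayed through a look-alike site comes back signed for the wrong origin and the real site rejects it. The sketch below runs both halves of the ceremony in one process with a P-256 key standing in for the security key; the authenticator-data bytes are a fixed placeholder rather than the real rpIdHash/flags/counter layout, and the origins are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData holds the clientDataJSON fields used here. The browser sets Origin
// from the page it is really on; the page's own script cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a FIDO2 security key holding one credential.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Assertion is what the client returns to the site after a sign-in ceremony.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte
	Signature      []byte
}

// signedHash is the FIDO2 signature base, authData || SHA-256(clientDataJSON),
// digested once more because ECDSA signs a hash.
func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign is the authenticator's half. origin is what the browser observed, so a
// relayed challenge gets signed under the phishing site's origin.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	authData := []byte("rpIdHash|flags|counter") // constructed placeholder, not the real layout
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedHash(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// RelyingParty is the web service: it keeps the credential's public key from
// registration and knows its own origin.
type RelyingParty struct {
	Origin string
	pub    *ecdsa.PublicKey
}

func Register(a *Authenticator, origin string) RelyingParty {
	return RelyingParty{Origin: origin, pub: &a.priv.PublicKey}
}

// NewChallenge returns a fresh random, single-use challenge.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Verify accepts an assertion only if it answers this challenge, was produced
// for this origin, and the signature covers exactly the presented bytes.
func (rp RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: relayed from another site", cd.Origin, rp.Origin)
	case !ecdsa.VerifyASN1(rp.pub, signedHash(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("signature does not cover the presented clientDataJSON")
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	bank := Register(auth, "https://bank.example")
	ch := NewChallenge()
	honest, _ := auth.Sign("https://bank.example", ch)
	fmt.Println("honest login:", bank.Verify(ch, honest))
	// Phishing relay: the user is on bank-login.example, which forwards the real
	// challenge; the browser signs it under the attacker's origin.
	phished, _ := auth.Sign("https://bank-login.example", ch)
	fmt.Println("relayed via phishing page:", bank.Verify(ch, phished))
	// Rewriting the origin field does not help: the signature was over the original bytes.
	forged := phished
	forged.ClientDataJSON = honest.ClientDataJSON
	fmt.Println("origin field rewritten:", bank.Verify(ch, forged))
}
```

The tracking point in the comment follows from the same design: the key pair is generated per site at registration, so two sites never see the same public key.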
