The perils of email: My Gmail account hacked
August 5, 2008
It was, I suppose, a question of when, not if, one of my email accounts would be hacked. I was in the office with a colleague when he said that I had sent the most unusual email, which went,
Wonderful shopping! How are u doing these days? Yesterday I found a web of a large trading company from china, which is an agent of all the well-known digital product factories, and facing to both wholesalers, retailsalers, and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients, so i think we you make a big profit if we do business with them. And they promise they will provide the best after-sales-service. In my opinion we can make a trial order to test that. Look forward to your early reply! The Web address: {some URL}
Guessing what had occurred, my first fear was that I was locked out of my account. I tried to log in, was elated when I could, and immediately changed my password and deleted all of my contacts. Unfortunately it was too late to stop this email going out to around 600+ contacts.
Many friends and colleagues wrote or called in to say that something was awry with my email. Later in the evening, I sent an email to everyone who may have got the spam email apologising, though everyone was very nice and good humoured about it. From a few I learnt that spambot attacks on email accounts as well as Facebook and MySpace accounts are on the rise.
Doing a spot of research on the web, I came across this excellent post (which I strongly encourage you to read in full) that mirrors precisely what I experienced and did after my Gmail account was hacked. It also saves me from going into detail about the remedial measures I took after the attack. One thing I did that’s not mentioned in Tiffehr’s post was to log out of all other sessions on Gmail (Remote Logout is a new Gmail feature).
I want to underline and reaffirm concerns flagged in Tiffehr’s post,
- There is very little reassuring documentation or steps to rectify a frozen account. There is an e-mail form that lets you indicate the number of hours you’ve been waiting since last reporting your frozen account. You can fill that out to your heart’s content, but there is no message confirming your issue has entered any kind of queue.
- There is nothing in the help documentation about a hacked account over which you still have control. It seems the majority of reported cases are hijacked accounts, not one-time-hacked accounts.
- Google’s help system is not at all reassuring about the security of your other Google services when an account is hacked. In fact, there is not one word about how to report or escalate hacked activity in other services. I find that an egregious oversight that now puts me much more toward the school of thought that Google’s combined account is a terrifying thing to be feared.
- The help forums are shallow. So are general google searches about hacked accounts.
- Google is in fact of little help when it comes to looking up information about a hacked Google account.
My Gmail account is still frozen and I hope they keep their word and unfreeze it after 24 hours. Far as I can tell, there’s simply no way to tell Google to speed things up.
Finally, it’s a strange, unnerving feeling to have your email account hacked. I’ve used email for over 12 years and this is the first time a spambot has managed to crack my password. It’s all the more surprising and worrying because I always log into Gmail securely and my passwords are robust.
There’s also the associated paranoia of my other email accounts being compromised in the same manner, which has led me to change the passwords of all my email, Facebook and other online accounts. Which is a lot, and a lot of work. Not to mention a bloody pain in the arse.
I’m seriously thinking of investing in 1Password, which also has a delectable iPod touch / iPhone version. Does anyone know of a comparable / better product?
At US$ 35, 1Password isn’t cheap, but the cost of a hijacked account and the havoc it can create is incalculable, so I think I’m going to go ahead and purchase this ASAP.
UPDATE
Went ahead and bought 1Password, which works precisely as advertised and after a couple of hours of use is something I can recommend for users who want a robust password generation / management tool for their Mac.
The only shortcoming at the time of writing is that there is no way to access my passwords or manage them online. There are several workarounds for this though. Syncing 1Password with my iPod touch gives me access to the passwords on the go if I’m not on my Mac. The only problem with this workaround is that the new passwords I’ve generated are a mix of alpha-numeric and other ASCII characters which are rather tedious to type in manually and impossible to remember. The other solution is more elegant – a password protected web page that I can create using the programme which opens in Safari, with the ability to copy and paste my passwords.
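As an added illustration of what a manager-style generator does under the hood (this is example code, not 1Password’s own, and the symbol set and the tiny word list are constructed assumptions), the block below generates passwords from the OS cryptographic random source, guarantees at least one character from each class so no site’s complexity rule rejects the result, and reports the entropy in bits. It also includes the word-based alternative that is far less tedious to type on a phone or iPod touch, which is the trade-off the paragraph above describes.

```python
import math
import secrets
import string

# Character classes a manager-style generator draws from. The symbol set is an
# assumption: a typable subset of printable ASCII, avoiding quotes and backslash
# that some login forms mangle.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, require_all_classes: bool = True) -> str:
    """Generate a password with the OS CSPRNG (secrets), never random.random().

    With require_all_classes, one character from each class is forced in, the
    rest are drawn from the full alphabet, and the list is shuffled with a
    secrets-driven Fisher-Yates so the forced characters do not always sit at
    the front (random.shuffle is not CSPRNG-backed and is deliberately avoided).
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    if not require_all_classes:
        return "".join(secrets.choice(ALPHABET) for _ in range(length))
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Word-based alternative: easier to type, entropy = count * log2(len(words))."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


# Constructed toy word list for the demo; a real one (e.g. a diceware list)
# has thousands of entries, which is where the passphrase entropy comes from.
DEMO_WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "gable", "harbor"]

if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "entropy ~%.1f bits" % entropy_bits(len(ALPHABET), 20))
    pp = generate_passphrase(DEMO_WORDS, 4)
    print(pp, "entropy ~%.1f bits" % entropy_bits(len(DEMO_WORDS), 4))
```

The entropy figures are the honest comparison between the two approaches: a 20-character password over this 90-symbol alphabet carries about 130 bits, while a 6-word passphrase needs a list of roughly 7,000 words to reach a still-strong 76 bits, at the cost of being much easier to type by hand.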
There’s also a web based version of 1Password in the works which needs an invite to participate in.
The 1Password iPhone / iPod touch app is extremely functional and beautifully designed to boot. I wish there was a way in which it integrated with native iPod touch apps such as Facebook for seamless password management, but I guess this is impossible on these devices under strict Apple APIs. At present, the app launches the iPhone versions of Gmail and Facebook when you click on each secure account, which is not bad, but not ideal for those of us now used to accessing Gmail via the native applications.
Here’s the 1Password video (narrated by a bloke with a distinctly British accent) that’s a good intro to this programme.
My Gmail is still frozen.
I’m still unsettled by this experience, but I’m reading up on this issue, I’ve installed 1Password and I’m now more diligent about logging off from websites even on my own PC. In the interim, many, many friends and colleagues have written in with stories of how their own email accounts and social networking site accounts were hacked. Some repeatedly.
It’s also been a wake-up call as to just how much data I already have “in the cloud” that could be inaccessible or, worse, misused if someone were to get access to the respective accounts. Perhaps all users who have had their privacy and online security compromised look at web storage differently.
I know I do.
UPDATE – 20th September 2008
Lifehacker has an excellent round-up of password managers for Windows as well as OS X.
The Daily Mirror carries the story of a lawyer who has filed a writ application in the Appeal Court yesterday against the proposed law to prevent the use of mobile or CDMA phones by anyone other than the registered owner.
“The lawyer complained that the proposed law would create a series of problems for phone subscribers and users. He said this law would even prevent people using phones registered under their spouses. He said this would ultimately result in a large number of cellular phone and CDMA users being forced to discontinue their existing phone connections and buy new telephone connections.
The petitioner charged the proposed law was arbitrary, unlawful, against the Telecommunication Regulatory Act and it was not in the interest of the telephone users of this country.
He asked the court to issue an order staying the alleged announcement made by the TRC preventing the use of cellular or CDMA phones by anyone other than the registered owners and quash the proposed law in this regard.”
Read the story in full here and a related story on Lirneasia’s blog here.
Addressing hatred on the web
August 5, 2008
Image courtesy The Economist
An article in the Economist explores an issue central to my work – the rise of hate speech on the web and the means through which its production, dissemination and influence can be constrained. In The brave new world of e-hatred, the Economist notes that,
What is much more disturbing is the way in which skilled young surfers—the very people whom the internet might have liberated from the shackles of state-sponsored ideologies—are using the wonders of electronics to stoke hatred between countries, races or religions…
A decade ago, a zealot seeking to prove some absurd proposition—such as the denial of the Nazi Holocaust, or the Ukrainian famine—might spend days of research in the library looking for obscure works of propaganda. Today, digital versions of these books, even those out of press for decades, are accessible in dedicated online libraries. In short, it has never been easier to propagate hatred and lies. People with better intentions might think harder about how they too can make use of the net.
I keep going back to David Pogue’s comments in 2007. Speaking of the timbre of debate online, the NY Times’ renowned tech columnist said:
The real shame, though, is that the kneejerk “everyone else is an idiot” tenor is poisoning the potential the Internet once had. People used to dream of a global village, where maybe we can work out our differences, where direct communication might make us realize that we have a lot in common after all, no matter where we live or what our beliefs.
But instead of finding common ground, we’re finding new ways to spit on the other guy, to push them away. The Internet is making it easier to attack, not to embrace. Maybe as the Internet becomes as predominant as air, somebody will realize that online behavior isn’t just an afterthought. Maybe, along with HTML and how to gauge a Web site’s credibility, schools and colleges will one day realize that there’s something else to teach about the Internet: Civility 101.
I’ve also tracked Sri Lankan bloggers talking about the issue of trolls and hate speech in the SL blogosphere, and have documented the downfall of Moju, one of Sri Lanka’s first group blogs aimed at young social and political activists, after it was consumed by spite.
In April 2007, a couple of us who were in Liverpool for the Online Dispute Resolution Forum came up with a Statement for Respectful Communication that personally inspired the submission and discussion guidelines at Groundviews, an award winning citizen journalism site I created and edit.
The Economist article makes a vital point however. It notes that,
The small size of these online communities does not mean they are unimportant. The power of a nationalist message can be amplified with blogs, online maps and text messaging; and as a campaign migrates from medium to medium, fresh layers of falsehood can be created. During the crisis that engulfed Kenya earlier this year, for example, it was often blog posts and mobile-phone messages that gave the signal for fresh attacks. Participants in recent anti-American marches in South Korea were mobilised by online petitions, forums and blogs, some of which promoted a crazy theory about Koreans having a genetic vulnerability to mad-cow disease.
I’ve seen plenty of Facebook groups, blogs, community websites and even news services that promote lies, half-truths and vicious propaganda as the one and only Truth. There is no engagement encouraged or possible in these fora with the unlike-minded and it follows that same jingoistic dualism that defines the Bush administration’s approach to so much of its policies on terrorism – one is either with them or against them. No alternatives. No concessions. No debate. No multiple truths. No reconciliation.
One example of this mindset is to be found in a comment on an article concerning a landmark ruling by the European Court of Human Rights which noted that a Tamil denied asylum in Britain could not be sent back to Sri Lanka because he would be at risk of torture.
Some Sri Lankan Tamils seeking asylum in the West on account of what they call “torture” in Sri Lanka (and we from Sri Lanka know the self-inflicted torture that Tamils practice) are falsely producing scars as evidence of having been inflicted by the military and/or police.
One has only to go to Kataragama and see the Kavadi dancers with the sharp metal objects pierced through their skins, mouths, and tongues; others similarly pierced dragging heavy loads using these pierced elements as harnesses to prove their devotion, and fire-walkers, etc. etc.
The sheer chutzpah of this statement is incredible, but it is indicative of a milder version of the vicious, partisan, exclusive nationalist rhetoric that colours both pro-LTTE Tamil nationalism as well as pro-Sinhala Buddhist / pro-Rajapaksa Sinhala nationalism on the web.
This vicious narrative echoes much of what is outlined in a recent article published in the New York Times that is fascinating for its exploration of the (secret) lives of trolls, including the one purportedly behind the notorious Kathy Sierra incident. Looking at why online hate is promoted by trolls, Malwebolence notes,
One promising answer comes from the computer scientist Jon Postel, now known as “god of the Internet” for the influence he exercised over the emerging network. In 1981, he formulated what’s known as Postel’s Law: “Be conservative in what you do; be liberal in what you accept from others.” Originally intended to foster “interoperability,” the ability of multiple computer systems to understand one another, Postel’s Law is now recognized as having wider applications. To build a robust global network with no central authority, engineers were encouraged to write code that could “speak” as clearly as possible yet “listen” to the widest possible range of other speakers, including those who do not conform perfectly to the rules of the road. The human equivalent of this robustness is a combination of eloquence and tolerance — the spirit of good conversation. Trolls embody the opposite principle. They are liberal in what they do and conservative in what they construe as acceptable behavior from others. You, the troll says, are not worthy of my understanding; I, therefore, will do everything I can to confound you.
Emphasis mine.
My own interest is in the creation of (virtual) spaces that allow the unlike-minded to engage as constructively and progressively as possible in the shared belief that it is only through civil, respectful conversations that peace can be imagined, nurtured, given birth to and sustained.
One measure I took when creating Groundviews for example was a well defined framework for submissions and discussions on the site. What I noticed very early on was that few actually cared to read this and fewer comprehended what was put down. I then put up a blurb on top of the comments section that noted quite expressly that comments were moderated according to a set of guidelines. Both measures were able to keep the trolls at bay on the site, though the site and I got plenty of vicious flak on the blogs and websites run by individuals who felt slighted that their diatribes weren’t published.
Today, the number of comments I actually reject is close to zero, proving that a set of guidelines that allow for the negotiation of difference and the contestation of varying viewpoints in a civil manner can and does ultimately facilitate a qualitatively rich discussion online.