About a year ago I discovered strange activity in my EVERNOTE (premium) log — despite changing my upload email address, I felt it was likely still at risk. I removed everything from my account, ended and never paid premium again. I also do not save sensitive info on EVERNOTE — like facebook, I expect it to be exposed.
Today, catching up on RSS…. “Vindicated!” (I said to myself, less the ego.) I read the EVERNOTE Support post, where they disclosed a “Service-Wide Password Reset” [no wonder my password didn’t work the other day!] Perhaps they sent an email, but I did not see one, and apparently, nor did any other user.
While I would consider myself a student, still new to many of the concepts I read about, yet from sources, I piece things together. Setting EVERNOTE aside for a moment, I feel compelled to share that no one seems to be concerned with security. I experience problems and have the past 2-3 years. I come across a number cautionary flags, had an over-worked-heated macbook less than a year old, drive nuked, returning problems, relying on a genius bar (86 knowledge of terminal commands) I felt very much alone with my issues. This caused me to look beyond Apple. I began reviewing my logs, digging into information, like greek to me, yet I was curious and hungry for resolution. This ultimately led to a year of ad hoc education and research.
I discovered what I interpreted to be not bugs, but security holes.
For example: cross-browser exploits, network hacks, backend database brute force attacks, manipulating mobile, telephony stunts using VoIP, even Bluetooth, Apple Cloud abuse, iOS exploits, SIM card swaps…and on and on.
You name it, I wanted to know about it. It began to make sense after some time, like seing a constellation in the sky, discovering the simplicity of connecting dots. I see the social engineering schemes, and we basically invite or welcome hackers into our space (game on!)
Finally, it was the frightening thought of a voyeur on the other end of your webcam peering at you, even tapping into your mic, listening to all your conversations at home. The punch in the gut was reading logs –indicating my webcam was enabled for many hours, over several days, even weeks…I was sick to my stomach.
Simple analogy then causes me to wonder, if this can be done with my macbook, what is preventing it from happening to my iPhone? (I now have a black sticker that remains over my camera, and since heard reports where even authorities in a school were monitoring students through webcams. sick.) Of course I was relieved when Apple announced a patch for to Java, etc., yet never seemed to fix my problems. I had raised my awareness, developed my own cryptic system of passwords, committed it to memory, making each password unique to every site. Chalking up any of the lost time of resetting my password to be better over time, to a floating password or hijacked cookie.
Quite frankly, there was a point I felt like there was no end, seeing the advice of a smart man in the industry, and someone I respect very much, he said “you’re going to have to play dumb or decide on a career in security.” It was then I recognized, this was beyond my control. Until a collective authority, and/or zombie users snap out of it, I / we, must endure the exploits, taking the bad with the good.
Unfortunately, I can’t help but to look at the web differently. Just about a week ago, I saw this tweet and it resonated with me.
This leads me to a question I posted on facebook today:
Do you think security should be a premium cost to web or mobile applications, or expected as a user, period?
Thinking back to my premium account with EVERNOTE I recall, it was only as a premium user I would have a four digit pin [which really isn’t too difficult to crack; max 4 characters, all numeric.] It causes me to wonder, so many users are seemingly careless with security, and why? I can only conclude they are so far into the Rat Race that caring or fidgeting with an extra step, longer password, 2-way verification… will slow them down. Similar to an addicts, they might realize the risk their personal actions or standards have on themselves, but refuse to believe it affects others around them. With security, it’s people you are connected to, in your address book, or anyone sharing on your home network. If you try to help them, they know it all, and declining any help, they would rather ‘sync & sink’ — until it’s too late, beyond crashing and losing recent work, it isn’t typically concerning until they’ve lost everything; a selfish concern.
A few other tweets that got me thinking…
— Computer History (@ComputerHistory) February 20, 2013
— Tim O’Reilly (@timoreilly) February 20, 2013
I wasn’t careless with my online identity before, matter of fact most knew me as aware and cautious. One of my past contracts working under the FCC and FTC (Federal Trade Commission), working in ID Theft, privy to the horror stories, or potential risks, I took pre-cautionary measures I was aware of. Looking back, as a new Mac OS X user five years ago, of the first three, I didn’t even know what I know today. I remember using the automatic set-up, and I could have been sitting duck. Do users simply not know how many layers there are, and the ways to prevent other than “McAfee?”
Do we roll back to the creators, or our government? I conclude that we have to start holding each other accountable. Not just our government, but people as a collective. Those who are trained and aware, If we see someone getting ‘whacked in the elevator’ we should do something about it! Same applies to what you see happening around you online. Don’t ignore it. Don’t be an opportunist either. Likely, it may take some time, but I know goodness and truth prevail, and web security will find its way through this too. Eventually, it will rise above, and so will the honest and good.
Look for a post soon where that idea is tied into building better communities, that are resourceful and likable.