DigitalOutbox Episode 130

DigitalOutbox Episode 130 – Metro dropped, App.net and Mat Honan gets hacked hard.

Playback
Listen via iTunes
Listen via M4A
Listen via MP3

Shownotes
2:38 – T-Mobile – tethering no longer available to new Full Monty customers
– UK network T-Mobile has confirmed that new customers signing up to its Full Monty tariff will not be eligible for unlimited tethering on their device.
– Launched back in February, the Full Monty plan offered T-Mobile customers unlimited calls, texts and data – including tethering – for £36 per month.
– However anyone looking to take advantage of this offer now will notice the Full Monty tariff clearly states “excludes tethering” next to its “unlimited internet” claim.
– Unfortunately the spokesperson was unable to reveal why the network had decided to stop offering tethering as part of the terms of the Full Monty contract, stating: “We don’t have anything more to share.”
– We can only assume T-Mobile has witnessed a dramatic drain on its bandwidth since launching the Full Monty plan, so has had to quickly back-track on its offer of truly unlimited internet to stop the network falling over.
5:14 – Microsoft drop the Metro brand
– Microsoft is killing off the use of its Metro design name to describe a tiled interface in Windows Phone and Windows 8. We brought you news of the change earlier today, but a tipster has provided an internal memo sent to Microsoft employees confirming the move. In it, Microsoft reveals that “discussions with an important European partner” led to the decision to “discontinue the use” of the Metro branding for Windows 8 and other Microsoft products — one that employees must adhere to immediately.
– The Windows team is “working on a replacement term” according to the memo, “and plans to land on that by the end of this week.” Until then, employees have been advised to refer to the Metro style user interface as the “Windows 8 style UI.” The memo was distributed to employees earlier this week, so we expect to hear official news about the Metro replacement by the weekend.
– Microsoft has used the Metro branding as a codename for its typography-based design language. The company has used a number of elements from the design language across its Windows 8 and Windows Phone products, as well as the recently released Office 2013 preview.
– 7 days later and it’s no longer “Windows 8 style UI” – it’s “Modern UI Style” to describe Windows 8 applications – it may even just be called… Windows 8
7:07 – Valve to sell non-gaming software on Steam starting September 5th
– Valve is opening up Steam to non-gaming software, the company announced today, bringing applications ranging from “creativity to productivity” to the digital distribution platform. The first software titles will be released on September 5th.
– Non-gaming software sold via Steam will take advantage of the platform’s Steamworks features, which include simplified installation, auto-updating, and the ability to save work to the Steam Cloud for cross-platform access from multiple computers.
– “The 40 million gamers frequenting Steam are interested in more than playing games,” said Valve’s Mark Richardson in a press release. “They have told us they would like to have more of their software on Steam, so this expansion is in response to those customer requests.”
8:51 – Would you pay for a social network – App.net hopes so
– Dalton Caldwell wrote a blog post over a month ago lamenting Twitter and the route it was taking
– A few days later he launched his own Kickstarter-like appeal for App.net – a paid-for Twitter clone
– No ads, focused on users and developers
– Open API
– Paid for – $50 a year minimum pricing, $100 for developer API access
– 3 days to go for fundraising – $150,000 short
– Will it work? Nope. Ouch.
15:51 – Google-free iPhone
– Latest iOS 6 beta drops the YouTube app
– Apple confirmed – Our license to include the YouTube app in iOS has ended, customers can use YouTube in the Safari browser and Google is working on a new YouTube app to be on the App Store.
– Google response – We are working with Apple to make sure we have the best possible YouTube experience for iOS users.
– Could be good and bad for iOS users – the YouTube app for me is the best way of viewing YouTube content, but it hasn’t changed in years. Google could develop a very slick app for iOS. Who killed the app – Apple or Google? No ads in the iOS app at the moment.
– Good opportunity for third-party devs
– Will Google be dropped from search and Siri? Surely not?
19:02 – Google brings Knowledge Graph to the rest of the world (if you speak English)
– Now live in the UK
– Still feels like Wikipedia on the RHS of your search results
– Also announced the start of a trial which will allow people to search their Gmail messages from the Google.com search box.
– Move was a “baby step towards pre-emptive search” and an example of search engines “getting to know people better”.
– “So if you’re planning a biking trip to Tahoe, you might see relevant emails from friends about the best bike trails, or great places to eat on the right hand side of the results page. If it looks relevant you can then expand the box to read the emails.”
– Gmail results will appear on the right hand side of the search results page and will only be available to the single user whose email account is being included in the results.
23:03 – Mat Honan Hacked Hard
– In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
– In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
– Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.
– Those security lapses are my fault, and I deeply, deeply regret them.
– How was he hacked – In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
– Timeline
– At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course was my .Me e-mail.
– In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
– At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
– At 4:52 p.m., a Gmail password recovery e-mail arrived in my .Me mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
– At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.
– All the hackers wanted was access to Mat’s Twitter account – nothing else
– Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.
– Getting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.
– First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
– Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but it didn’t have anything to share by press time.
– And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.
– Lessons
– Backup!
– I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I should have had a recovery address that’s only used for recovery without being tied to core services.
– But, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN. A better way to have this set up would be to require a second method of authentication when Find My Mac is initially set up. If this were the case, someone who was able to get into an iCloud account wouldn’t be able to remotely wipe devices with malicious intent. It would also mean that you could potentially have a way to stop a remote wipe in progress.
– 2-factor security on Google accounts would have helped too – http://www.mattcutts.com/blog/google-two-step-authentication/
– Prey a more secure option than Find my Mac – http://preyproject.com/
– Don’t make your address public
– Use strong, single-use passwords – LastPass or 1Password will help
– Change passwords regularly
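The “daisy-chain” lesson above is easy to model. The following is an added example written for these notes, not code from Wired, Mat Honan or any of the vendors named: each account is reset by presenting a set of evidence, a successful reset grants new evidence (control of a mailbox, the last four card digits visible inside the account), and the script computes what an attacker holding only the publicly discoverable facts can reach. The evidence names, the per-account rules and the two hardening steps (a second factor on the Gmail reset, a second factor on the Apple ID reset) are a constructed simplification of the story, not any vendor’s real recovery policy.

```python
"""Model of the account-recovery daisy chain from the Honan story.

Constructed example: evidence names and per-account reset rules are an
illustrative simplification of the Wired write-up, not real vendor policy.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# (alternative sets of evidence that reset the account, evidence gained)
Account = Tuple[List[FrozenSet[str]], Set[str]]

ACCOUNTS: Dict[str, Account] = {
    # Name, e-mail and billing address let the caller add a card, then
    # add an e-mail address, then see the last four digits of cards on file.
    "amazon":  ([frozenset({"name", "email", "billing_address"})],
                {"card_last4"}),
    # Apple issued a temporary password on e-mail, billing address and
    # last four digits, giving control of the .Me mailbox and Find My.
    "appleid": ([frozenset({"email", "billing_address", "card_last4"})],
                {"me_mailbox", "icloud_wipe"}),
    # The Gmail recovery address was the .Me mailbox.
    "gmail":   ([frozenset({"me_mailbox"})],
                {"gmail_mailbox"}),
    # The Twitter reset mail went to Gmail.
    "twitter": ([frozenset({"gmail_mailbox"})],
                set()),
}

# Facts "anyone with an internet connection and a phone can discover".
PUBLIC_FACTS: FrozenSet[str] = frozenset({"name", "email", "billing_address"})


def takeover_chain(accounts: Dict[str, Account],
                   known: FrozenSet[str]) -> List[str]:
    """Return the accounts reachable from `known`, in the order they fall.

    Iterates to a fixed point: every reset adds its grants to the evidence
    pool, which may satisfy the reset path of a further account.
    """
    evidence: Set[str] = set(known)
    fallen: List[str] = []
    progress = True
    while progress:
        progress = False
        for name, (paths, grants) in accounts.items():
            if name in fallen:
                continue
            if any(path <= evidence for path in paths):
                fallen.append(name)
                evidence |= grants
                progress = True
    return fallen


def can_remote_wipe(accounts: Dict[str, Account], known: FrozenSet[str]) -> bool:
    """True if the chain reaches the evidence needed for a Find My wipe."""
    evidence: Set[str] = set(known)
    for name in takeover_chain(accounts, known):
        evidence |= accounts[name][1]
    return "icloud_wipe" in evidence


def require_extra(accounts: Dict[str, Account], name: str,
                  factor: str) -> Dict[str, Account]:
    """Copy of the model where every reset path of `name` also needs `factor`.

    `factor` stands for something no other account can hand over, such as a
    2-step verification code or a recovery-only mailbox (assumption).
    """
    new = {k: (list(p), set(g)) for k, (p, g) in accounts.items()}
    paths, grants = new[name]
    new[name] = ([p | {factor} for p in paths], grants)
    return new


if __name__ == "__main__":
    print("as configured:      ", takeover_chain(ACCOUNTS, PUBLIC_FACTS))
    hardened = require_extra(ACCOUNTS, "gmail", "google_2sv_code")
    print("2-step on Gmail:    ", takeover_chain(hardened, PUBLIC_FACTS))
    hardened = require_extra(hardened, "appleid", "apple_second_factor")
    print("plus 2nd on AppleID:", takeover_chain(hardened, PUBLIC_FACTS),
          "wipe possible:", can_remote_wipe(hardened, PUBLIC_FACTS))
```

Run as-is, the model falls in the order the timeline describes (Amazon, Apple ID, Gmail, Twitter). A second factor on Gmail alone stops the chain at Twitter but still leaves the remote wipe reachable, which is exactly the Find My Mac point made above; only a factor that the Apple ID reset itself cannot obtain from another account removes the wipe.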
– Updates
– Amazon have changed their policies quietly – On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
– Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired reporter Mat Honan over the weekend, according to Apple employees.
– An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.

Picks
Ian
Pixelmator
– £10.49
– Great image editor for the Mac
– Now at version 2.1 and on sale, hence the recommendation
– Everything you probably need in an image editor and now comes with iCloud, retina and Mountain Lion support