WindRider739

Hey, folks! I just thought I'd make this quick topic as a warning not to leave your information floating around in cyberspace. Don't roll your eyes at me. I know you know not to give Skype bots and Russian Bride sites your social security number. I mean stuff you might not even think about. The stupidest little bit of information can get you. Stuff you wouldn't even think about. I know because it happened to me. I'm going to give you the short version which is still too long. If you want to read my example of what happened to me, hit the spoiler tag. If not, skip it and go right to a list-in-progress of ways to protect yourself online.

Spoiler (click to toggle)
So way back in the beginning, when message boards still hadn't fully developed... it was 1998 and Baby Wind had just gotten himself a copy of Duke Nukem 3D (which came out in 96 mind you) complete with level editor and everything. I loved that level editor but couldn't figure out how to make a parallax image happen for the sky. So I joined a message board, asked the question, logged off, immediately realized the super simple process for how to DO the thing, and never went back. Problem is, I filled out my profile a little. Specifically, I included my full date of birth, and my username was my real first and last name. My password was my date of birth, too. (I was TWELVE and the internet was NEW)

Something a LOT of people don't seem to realize is that gathering or knowing basic info like your name, date of birth, mother's maiden name, favorite sports team, names of pets, and the town you were born in is stupid easy, especially with social media in full swing. I can google a user name and if I've talked to that person for more than a few minutes, there's a good chance I can break into some stuff. Let me tell you this; if someone breaks into the right email account, it's all over.

In the 20 years since that single post in 1998, I've been all OVER the place. I've made probably 50 email accounts, had single and double accounts at forums, websites, MMOs and everything else. I forgot many of these accounts ever existed, sometimes within a week of making them. Scattered across these accounts were tiny little personal details that alone really couldn't do any harm. From: X CITY, lives in X STATE, an old phone number from ten years ago, old AOL Instant Messenger names, Xangas and LiveJournals. (Kids, those are how we pretended people wanted to know every detail of our lives before Twitter and Facebook)

Well, someone - over the course of a couple months - systematically collected or already knew a bunch of that information and used it to break into some accounts. They broke into (or probably guessed the password of) that old forum account. There, they found an old yahoo email account THAT FOR SOME REASON WAS STILL ACTIVE and used the same information to get into it. From there, it was just patience. You find something else associated with that email address, do the password recovery bit, and boom - you have new accounts and email to play with. They did this undetected for two months, and it's almost impossible to notice happening if they're smart and you're not paying attention.

This person daisy-chained their way from one forum post in 1998 through a confirmed 122 accounts spanning various platforms. A total of 384 accounts were potentially compromised. I didn't notice until Google sent me a message like 'Hey... how do you have three devices synced and running where you are, plus another 3 in the Chicago area?' I got to looking and found some recovery emails in my gmail trash and that's when I figured out what was up. This person had 3 devices in the Chicago suburbs synced to my primary account through which I do all my banking and everything else. They were downloading apps - some of which I had paid for - watching my netflix and who knows what else.

I spent a total of 36 hours over three days (and then more time since as I found more accounts) following breadcrumbs, finding every account I had ever made, getting in, wiping information, wrestling with admins to change usernames and delete stuff I couldn't, and basically undoing a majority of 20 years of crap that I had left behind me. So far, I've wiped, secured and consolidated everything I've found and am working very hard to separate my public presence from my private existence. I'm working with Google to try and secure information that's still archived out there. I will literally never be able to chase down all the information that is public and shouldn't be, because for a long time I had an enormous online presence.

As an aside - the idiot that attached these devices to my account basically set them up so they were mine. As such I was able to remotely lock all three of them, so whoever owns them can only see a short 'Stay out of my shit' message and a contact number for me. Sunday night I was able to reset two of them back to factory default remotely. While this feels like a little bit of justice, they could have JUST as easily done the same to me from inside my account.


It can be scary out there, and a lot of the time, most of us are too acclimated to the internet to realize how dangerous it is. There are a lot of things you can do to prevent this, and I'm not an expert on internet security, but here are a few tips.

  • Change passwords often. Use random letters and numbers and special characters and / or random words strung together. For example, @ppl3h0rsEba11scarr0Ts (apple horse balls carrots) which will make it impossible to guess and take forever for machines to crack. This example specifically is rated for up to 252 sextillion or 252,000,000,000,000,000,000,000 YEARS and is easy to remember after punching it in a dozen times or so.

  • Keep track of old email addresses and once you haven't used them for a while, delete everything in them, then go to trash and delete them again, then deactivate the account.

  • Never use your first name, last name or date of birth in your username, screen name or instant messengers. You will probably want an email like that for professional reasons, but it shouldn't be used for non-professional places. For example kylievigus88@hotmail.com would be great for LinkedIn but not so much for a dating website.

  • Keep a list of places you have accounts somewhere safe, so if you switch email addresses you can just spend half an hour or so changing your account information over. I keep an encrypted spreadsheet on a thumb drive that requires its own password to access in a fire-proof lockbox.

  • ALWAYS look at your public profile immediately after account creation. Take note of what's visible to people.

  • If a non-government, non-current-employer site, forum or anything else requires what you consider to be personal information which other people can see, create a separate identity for yourself and keep that info somewhere in case you lose it. Be a 42 year old man named Chad Bennington from Brunswick, New Jersey. Unless of course that's who you actually are.

  • YOU are on social media. Unless you are a company page, don't let people find you by email. I can go to the member list here right now, grab a couple dozen emails and punch them into the search bar on Facebook and I guarantee I find someone who hasn't been here in 5+ years in less than 20 minutes. Go to your privacy settings - EVERY social media outlet has them - and read and customize EVERY option. Don't just select a pre-defined setting for the whole thing.

  • When prompted for security questions, don't choose things like mother's maiden name, favorite cousin, favorite sports team, first car, favorite pet's name, etc. This is all information you've given people without realizing and is very easy to find out if you've made any sort of public posts. When choosing questions, ask yourself "Is this something my friends would know?" and if the answer is yes, pick a different one.

  • When possible, ALWAYS double authenticate. My Steam account is worth significant dollars and I used to stream a lot. I've had people try to get into it before. Having Steam send me a text message with a specific code every time I log in can be a pain in the butt sometimes, but it's worth it.

  • ALWAYS have a recovery account. You use your email for everything? Good. Set up another email and never use it. Make THAT the account your primary email sends password change notifications and such to. That way if someone breaks in, it's potentially easier to get back.

  • Quit hoarding emails and private messages. Download what you absolutely must keep and then delete them. I know they're nice to have, but that conversation with the girlfriend you had for a month 12 years ago isn't going to be useful to anyone anymore. Neither is the confirmation number for an electric bill payment from more than a month ago. If someone gets in, they have less to play with.

  • Once in a while, look through your accounts. If it's something you haven't used in a year and you don't see yourself ever using again, either wipe it of any sort of personal contact data or shut it down. You don't need that Ebaum's World account you created and never used.



You can have an online life and an offline life, and those can cross over as often as you're comfortable with. It is however your responsibility to make sure that it doesn't cross over in a way you AREN'T comfortable with. That's all I've got off the top of my head. Some of you out there probably have even more advice. Throw it out here and I'll add it to the list. Stay safe out there, folks.

Edited by WindRider739 on February 20, 2018 at 14:32:23


Staff Backer Doctacosa

One thing I'd like to add that's important is to avoid reusing passwords whenever possible. If you do, and someone guesses that password (or it gets compromised due to bad security...), they can instantly gain access to a bunch of your accounts. Using a different password for each location is much safer.

"But Doc," you might say, "I don't want/can't remember this many passwords! This is madness!"

It sounds difficult, but it doesn't have to be. Nowadays, I use a different password for each separate website or account that I have registered. The key is, *I* don't even know what they are, as they've been randomly generated. I use KeyPass to manage them, which is a secure password manager. Basically, you create one master password for that database (Wind's @ppl3h0rsEba11scarr0Ts is a good example), which you use to access your list of accounts. You can create different entries for each account you have, then it's a simple matter of right-click -> copy password to get the value you want, then paste it in the login box of the place you're trying to access. It takes seconds and is more secure. There are also apps to manage this on mobile, so you can do it on your tablet or phone without worries.

One extra detail, on the topic of account recovery. If you've forgotten your password somewhere, you use the "I forgot my password" option, and they e-mail that exact value to you, nuke that account if possible. That means that they don't use a secure backend. A proper setup, like we have here, involves e-mailing you a new random code that lets you set a new password, as the old one can't be recovered by any means.


The admin formerly known as Dr. Cossack.

I post musings, images and nonsense on Tumblr! I play games on Steam! Add me on either/both, and don't hesitate to ask if you want to play something with me!

"There are only three things certain in life: Death, taxes, and Teej's obsessions." ~ RisingDragon (still true in 2019!)
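The reset flow Doctacosa describes, as an added example (not code from this forum's software or from any poster): the server keeps only a salted slow hash of the password, and a reset e-mail carries a random one-time code whose hash is stored with an assumed 15-minute lifetime.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link (not a forum setting)


def hash_password(password, salt=None):
    """Salted, deliberately slow hash; only salt and digest are ever stored,
    so the original password cannot be e-mailed back to anyone."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class AccountStore:
    """Minimal in-memory stand-in for a site's user database (constructed)."""

    def __init__(self):
        self.users = {}    # email -> {"salt": ..., "digest": ...}
        self.resets = {}   # sha256(token) -> {"email": ..., "expires": ...}

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest}

    def login(self, email, password):
        u = self.users.get(email)
        return bool(u) and verify_password(password, u["salt"], u["digest"])

    def request_reset(self, email, now=None):
        """Return the one-time code that goes in the e-mail, or None.
        The caller shows the same 'check your inbox' message either way,
        and only the code's hash is kept, so a leaked table can't reuse it."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.resets[key] = {"email": email, "expires": (now or time.time()) + TOKEN_TTL_SECONDS}
        return token

    def complete_reset(self, token, new_password, now=None):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(key, None)          # single use: gone after one try
        if entry is None or (now or time.time()) > entry["expires"]:
            return False
        self.register(entry["email"], new_password)  # old hash is simply replaced
        return True
```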

God

Allowing any company to send a "text message code" to a "phone number" is very stupid, and significantly increases the chances of an account getting stolen. It's also illegal, because the ADA and the Homeless Bill of Rights both exist in America, and the former exists presumably everywhere anyone reading this message board would be (unless some people became serious multi-country Nomads). (ADA is disability nondiscrimination requirements.) You own your "it's okay for surveillance companies to track me" email address for the rest of your life, unless you decide to move it, in which case any surveillance company and log-ins will be moved there now or in a bit. Unlike a phone number which will LITERALLY CIRCUMVENT ALL POSSIBLE HOPE OF RECOVERY BY NOT EVEN EMAILING YOU ANYMORE because now you've enabled the ability for someone else to easily steal.

No one wants to see the black box. It needs to be edited some time when I have three hours. There's probably another portion somewhere that should be written better eventually.


Spoiler (click to toggle)
Or just don't put your shit online in the first place. You don't need to delete personal conversations from your e-mail which are obviously important to you and may be needed if you are accused of something by said human being who you had said conversations with, or to perhaps prevent suicide because you can see happy memories with this dead human being. Nobody cares about those personal conversations besides people who personally know you for one. What's important is to NEVER delete things you may like or need. Deleting anything you don't need is good for cleanliness purposes or ease of finding things and organization, but of course that won't be most of them unless you're a sociopath or have NEVER met any important friends/people. The latter of which would presumably require you being under a certain age if you like ever leave the house or ever have non-public conversations online. Or on the phone with someone you met through repeated public conversations, even. Telling other people to destroy everything that is important to them is wrong - as well as the fact that they obviously already know that they can do this if they want to, unless they are like CURRENTLY twelve.

It's also a good idea to NEVER use "two factor authentication" or any other extreme annoyances that are designed for the purpose of ensuring you can't even have access to your own account. The company doesn't care AT ALL if you need it to pay rent or some bill and will be homeless or murdered because you couldn't get your money from PayPal because both PayPal and Google refuse to let you log in from a browser, even, at random times for random non-reasons for PayPal, and, until VERY recently, literally any Internet connection of any kind which ALSO has prior cookies in ADDITION, which is obviously extremely unlikely from your phone, laptop, or anyone who lives nowhere or lives more than one place, anyone with a dynamic IP and anyone who clears cookies when they close their browser, or ever. Now you can't even log on to your e-mail to send a message to your boyfriend in an extreme emergency via your computer, which is what you would do if your phone battery is dead at this time, because you even told Google to demand your phone number as well! Not to mention that you are providing your own personal phone number to extremely malicious corporations, such as Google and the NSA, by doing this. If you want to delete stuff, delete stuff. If you want to keep all your e-mails and accounts to yourself, use one e-mail and don't make accounts for no reason without deleting them. Or randomly change your e-mail address dozens of times so that you will no longer get notices from websites that have morphed into something you'll never want to use and therefore don't monitor those accounts because you stupidly changed your e-mail address in order to lose things. However, don't make yourself homeless and your wife dead because you couldn't log into your PayPal account for 6 months or ever because you changed phone companies after the prior phone company removed their existence from the state or country you live in. As known, anyone who wants to do these things is already doing them.

As for passwords, that is also incorrect. As we all know and hope to avoid slightly-less-annoying website or network administrators with, using "symbols" or non-letters and non-numbers - which usually are never "symbols" but instead are punctuation - is simply stupid, unless it was because it was something you wanted to begin with such as when Wind used to include one in his user name, or if you write the words in your passwords with exclamation points anyway because you wish to, or if you're one of those unwanted 10-year-olds who puts asterisks in their swears, and that asterisked swear is your password. Of course, this also won't work or be accepted on most websites. Below is the reason why the example password here is dumb.

Image

The other, more obvious, reason, is because nobody uses brute forcing to obtain passwords anyway, and hasn't for more than a decade. They use phishing if they don't know you personally. And if they do know you personally, why do you know someone malicious and if they aren't malicious why do you care. However, if they do know you personally they will use guessing, for which the words in the XKCD also will not be useful or guessed. Of course that is incredibly unlikely for most people anyway, unless it's your wife who, if she has to "break in to" your account, this means YOU are the problem, you've hidden something from your own wife or at the very least have been wrong enough in the relationship to not even share passwords if asked. The way anyone else will get your password is phishing, or at least, also incredibly unlikely, keylogging/WiFi spying. All of which show the password, in complete, and don't discriminate by randomly somehow not keylogging just because the password is written in l33t. Unless your password is "password123" you don't have to be concerned about brute forcing, or guessing any passwords letter-by-letter from India and Russia. (Well even then you still don't have to since no one is brute forcing, but technically a stranger or spam-hacker could guess it if it is that... I suppose they do still write "password123" to try for several accounts to find the ones that use that. But they don't do so with "Molly121588" your birthday, because only you are using that, not half of the over-45-population.)
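An added example written for this thread, not by any of the posters: Wind's passphrase from the first post scored under the two attacker models the thread argues about, a character-by-character search (what the "sextillion years" style of figure assumes) and a search that already knows the password is dictionary words with l33t substitutions (the XKCD argument). The guess rate, dictionary size and substitution table are assumptions, and the word model is an upper bound on the attacker's work.

```python
import math

GUESSES_PER_SECOND = 1e10          # assumed offline cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed substitution table an attacker would try for each letter.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "l": "1"}


def charset_size(pw):
    """Model 1: random characters drawn from every class the password uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33                    # printable ASCII punctuation
    return size


def bits_as_random_chars(pw):
    """Search space in bits if the attacker assumes nothing about structure."""
    return len(pw) * math.log2(charset_size(pw))


def bits_as_leet_words(words, dictionary_size):
    """Model 2: the attacker knows it is N dictionary words, each letter
    possibly capitalised and possibly swapped using LEET. Every letter
    costs 1 bit for case plus log2(1 + substitutions) for the swap."""
    bits = len(words) * math.log2(dictionary_size)
    for w in words:
        for c in w.lower():
            bits += 1 + math.log2(1 + len(LEET.get(c, "")))
    return bits


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try the whole space at the given rate (expected hit is half)."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw = "@ppl3h0rsEba11scarr0Ts"
    naive = bits_as_random_chars(pw)
    informed = bits_as_leet_words(["apple", "horse", "balls", "carrots"], 20000)
    print(f"as random chars: {naive:.1f} bits, {years_to_exhaust(naive):.3g} years")
    print(f"as l33t words:   {informed:.1f} bits, {years_to_exhaust(informed):.3g} years")
```

Both numbers shrink by the same factor if the guess rate goes up, so the gap between the two models, not either absolute figure, is the part worth reading.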