I have finally finished compiling my detailed timeline of how I got hacked and then unhacked myself. It includes the exact times that I received password reset messages, when I wrote to support, when they wrote back to help, when they gave me the finger, etc.
I’ve got it all in a spreadsheet. Now, how can I display this publicly? I’d love to make a timeline like this: http://www.simile-widgets.org/timeline/. Or is there a Google widget I could connect to a Google Doc Spreadsheet?
This would also make great fodder for any reporter who wants to help people understand and avoid this, and/or to write about how shockingly unresponsive certain companies can be (cough, Twitter) when their own services are compromised.
My close friend and favoritest mayor of all time and space bringing truth and justice to the N. C. Legislature last week. Join us every Monday to keep it going!
So, on Monday I attended an historic protest at the North Carolina General Assembly. My phone was in-hand nearly the entire time (see goofy pic), as my main goal was documenting the civil disobedience and arrests of five elected officials from Orange County, NC. However, I found myself only able to retweet others from the Hootsuite app I use on my Android phone. I could post with other apps like Instagram, but my tweets (as @ruby and as @orangepolitics) just sat in Hootsuite’s outbox.
In the chaos of the day I chalked this up to the ongoing tangle left by last week’s hacking, so today while I was at a computer I made sure to fully authorize Hootsuite using the 2-step verification that I enabled for @ruby about a week ago. It seemed to work. This evening I tried again to use Hootsuite from my phone and found that I still can’t send from any of my Twitter accounts. So I asked @hootsuite, and amazingly, they said:
@ruby We are unable to guarantee full functionality with Twitter 2-step verification at this time. ^TF
Now I know that Twitter only enabled this feature less than 2 weeks ago, but here I am – a paying customer of Hootsuite (through work) – and now that I have enabled better security on ONE of my accounts, I can no longer post tweets from ANY of my accounts from my phone.
Amazed again that huge companies that rely on their web services don’t seem to care much about the security of their accounts. They should be pushing US (customers/products) to get more secure, not the other way around!
So right after my Twitter account was hacked I learned that Twitter had finally implemented 2-step authentication just days earlier. I have now turned it on, of course.
But the really gigantic part of getting hacked was losing control over my entire Dreamhost account including several websites, e-mail addresses, and domain names. Today I learned that Dreamhost also offers 2-step authentication. But they are not doing much to encourage people to use it. I Googled and was able to find these instructions and am so relieved to have this in place now.
I already had this enabled for Google and Facebook, but now that I’m looking at it, there are many other services that offer 2-step (a.k.a. 2-factor) authentication, including Dropbox and Paypal. LinkedIn just started using it this week. I’m a little annoyed that I had to go looking to find out about many of these.
So here’s my list so far of who supports 2-step:
Did I forget any? The best way to find out if your favorite web service supports this is to Google “2-step” and the name of the service.
Many hundreds at the NC Legislature for #MoralMonday.
I think this makes it pretty clear how seriously Twitter takes their security: The guy who hacked my account is still happily tweeting away about the latest social engineering methods and how it was my fault that he hacked into my personal accounts so he could try to sell @Ruby on hackerforum.net.
Better late than never, Twitter added two-step authentication for accounts last month, but it’s clear they aren’t really concerned about their users when they do nothing to help protect users like me or @Mat, even when we know people are targeting us, and let genuine security risks chill out indefinitely.
Please share this post if you agree that Twitter should take action against “Isolate” and any users who are known to have hacked other people’s Twitter accounts in the past.