@ Risk
January 30, 2014 12:06 PM

"I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up."
—Naoki Heroshima explains how his accounts were hacked in order to force him to give up his single-letter Twitter handle.

Heroshima is now at @N_is_stolen. Here's a list of all the single-letter Twitter accounts. Private accounts marked with a *:
@a: Andrei Zmievski
@b: Brian Griffing
@c: Coley Cheng
@d: Change soon
@e: erin
@f: Fred Oliveria
@g: Greg Leding
@h: Helgi Þorbjörnsson
@i: IsRaEl *
@j: Juliette Melton
@k: Kevin Cheng
@l: L. That is all. *
@m: Mark Douglass
@n: Naoki Heroshima "Follow Badal_NEWS" *
@o: O Encoberto
@p: paolo i.
@q: Ariel Raunstien
@r: Rex Hammock
@s: Science! (by @yo, Troy Osinoff)
@t: Tantek Çelik
@u: [no name] *
@v: v
@w: Walter *
@x: gene x
@y: reY
@z: Zach Brock
And for the heck of it, here's 0-10, too:
@0: Success & Truth
@1: 1
@2: [no name]
@3: Blair
@4: Flight of Bumblebees *
@5: n
@6: Adrián Lamo
@7: . *
@8: Daniel
@9: julian
@10: edo *
@_: Dave Rutledge
posted by me3dia (86 comments total) 15 users marked this as a favorite
 
@d is (was?) the MeFite known as defenestration.
posted by griphus at 12:09 PM on January 30, 2014 [2 favorites]


I don't think "I've been offered as much as $X" equates to "It's worth $X" because the author clearly didn't want to sell it. It was both priceless (because no price was high enough to motivate sale) and worthless (because the owner never made any money off of it)

At least, as far as I can tell. The author doesn't strike me as a squatter or speculator, who was hoping to make money off the account. Anyway, Twitter owns the account, the author got it for free.
posted by rebent at 12:10 PM on January 30, 2014 [3 favorites]


The idea that people would care THAT MUCH as to hack someone else, about something so pointless, is depressing.
posted by agregoli at 12:11 PM on January 30, 2014 [11 favorites]


Four or five of the single character people follow me on Twitter, and they not only say their "interactions" tab is virtually worthless, Tantek once showed me what it looks like for everyone mentioning @t, and it's like randomly tweeted typos every 30 seconds, forever. It's crazy useless for them.
posted by mathowie at 12:13 PM on January 30, 2014 [15 favorites]


So, in the meantime, he has regained access to his domain, PayPal says they have record of a single failed attempt to gain access to his account, and Twitter are being assholes about it all.
posted by MissySedai at 12:15 PM on January 30, 2014 [5 favorites]


I've got some Gmail invites I can send him, if that would help
posted by thelonius at 12:16 PM on January 30, 2014 [28 favorites]


@agregoli, I agree, the idea that someone would want a single-character account badly enough to resort to stealing it is mindboggling.
posted by me3dia at 12:17 PM on January 30, 2014


Personally I'd have taken that $50k in a heartbeat when offered.
posted by jason_steakums at 12:18 PM on January 30, 2014 [26 favorites]


God, those Bridal News people will STOP AT NOTHING!!1!
posted by The 10th Regiment of Foot at 12:19 PM on January 30, 2014 [2 favorites]


At least this guy didn't have his Apple Cloud wiped.
posted by muddgirl at 12:20 PM on January 30, 2014 [1 favorite]


I should add that @_, the only non-alphanumeric single-character account possible on Twitter, is Dave Rutledge

MeFi's Own! I added Dave to the list in the post, as you requested on Twitter.
posted by mathowie at 12:21 PM on January 30, 2014 [2 favorites]


...And then I edited my comment to make it disappear. Magic! (Oh, and thanks.)
posted by me3dia at 12:25 PM on January 30, 2014


"I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case)"

That's some top notch security there.
posted by Kevin Street at 12:31 PM on January 30, 2014 [5 favorites]


This comment on the story by another guy who had to deal with similar things is worth a read, partly because it argues against using a big-name email provider such as gmail as your identity:

"If someone can fake being 'you' over the phone, they’re even more likely to succeed with these large providers."
posted by whir at 12:33 PM on January 30, 2014


I don't think we should be popularising the existence of these single letter accounts so that hackers can attack them too...
posted by edd at 12:33 PM on January 30, 2014 [1 favorite]


Personally I'd have taken that $50k in a heartbeat when offered.

I would too, especially because twitter allows for "proper" renaming - all of your followers are automatically brought along to your new account. You might have to alert people "hey, @ me somewhere else now" but it's not like trying to switch to a new email address.
posted by Tomorrowful at 12:34 PM on January 30, 2014 [3 favorites]


The best part was how the extortionist pretended it was all just an important lesson in online security. No, dickbag, you did this because you are a bag of dicks.
posted by elizardbits at 12:36 PM on January 30, 2014 [39 favorites]


I don't think we should be popularising the existence of these single letter accounts so that hackers can attack them too...

I don't think the existence of any twitter username is a secret. If you know and care about the possibility of there being a username "@letterofthealphabet" then you know about all 26 of them without being told.
posted by yoink at 12:37 PM on January 30, 2014 [1 favorite]


yoink: It was a joke.
posted by edd at 12:38 PM on January 30, 2014 [1 favorite]


yoink: It was a joke.

When I and the other members of my robot army finally subject you hu-mans to the abject servitude for which you were born there will be no more jokes.

Well, we will make an exception for jokes followed by "#thatwasajoke."
posted by yoink at 12:40 PM on January 30, 2014 [37 favorites]


Personally I'd have taken that $50k in a heartbeat when offered.

Amen. And if I'm understanding the story correctly, he wasn't even especially active on the account. That's just bizarre. I mean, there's nothing wrong with refusing to sell it, if that's your prerogative then cool...but seriously, if somebody offered me $50,000 for something I'm not really using? I can definitely put that $50,000 to work.

Having said that, this is a reminder that sometimes when we talk about "GoDaddy" or "PayPal" or whatever we are talking about big corporate decisions...but sometimes we're equally talking about telephone wageslaves. People whose low pay is (often) commensurate with their competence at, and attentiveness to their jobs, and yet their actions and decisions have real consequences and to the customer are indistinguishable from "GoDaddy gave away my account." And that's why, as a business, you have an interest in raising the bar of your lowest-level employees' training and pay.
posted by cribcage at 12:45 PM on January 30, 2014 [9 favorites]


Yeah, my Twitter handle is "@chasing" and I get hit with a ton of unintentional at-mentions. I can't imagine how awful it is to have an even more common word or letter.

(It has been interesting to get a weird overview of all popular media that starts out "chasing..." "Chasing Fireflies." "Chasing New Jersey." "Chasing Pavements." "Chasing Clouds." Etc.)

Also: I think I've observed that many people on Twitter use the "@" as an emphasis symbol. At least, that's where many of my accidental at-mentions seem to come from. Which, if true, is interesting.

But enough about me.
posted by chasing at 12:46 PM on January 30, 2014 [1 favorite]


Man, I wonder how much my 5-digit ICQ number would go for!
posted by MisantropicPainforest at 12:47 PM on January 30, 2014 [13 favorites]


@jp has a good discussion about his attack. Hacker news discussion.
posted by sammyo at 12:47 PM on January 30, 2014


I just told my grad student type tech ladyperson to shift our host from GoDaddy to whatever is first on Wordpress' host list...
posted by infini at 12:48 PM on January 30, 2014


I joined twitter late. I'm @gazernombril. I have yet to be hit with an accidental mention. Or an intentional one, for that matter.
posted by Navelgazer at 12:51 PM on January 30, 2014 [3 favorites]


This comment on the story by another guy who had to deal with similar things is worth a read, partly because it argues against using a big-name email provider such as gmail as your identity:

"If someone can fake being 'you' over the phone, they’re even more likely to succeed with these large providers."


Non non non, Gmail disabled my real-name account, as documented blow by tedious blow on mlkshk, because they wouldn't accept the govt-issued ID they requested as proof I was over 13 and wanted me to run $1 by credit card through 'for charity'.

extortion is what this is these days
posted by infini at 12:53 PM on January 30, 2014


> Personally I'd have taken that $50k in a heartbeat when offered.

I've been offered real money for a domain name I own. Not enough to affect my retirement plans, but above the threshold of easily-ignored, and written in a way that made it clear they had specific reasons for wanting that specific domain name.

The offer was easy to turn down, even though I'm not monetizing or otherwise making any real business case for owning it. It's just a thing I have, and I like having it. I have no idea who the prospective buyer is. They aren't offering escrow. No idea if the money is good. No idea if there's a scam underlying it.

It's like somebody seeing a tree on your lawn and saying, "Hey, yo, I'll give you a grand for that tree. Checkbook's in the car." Um. dude? Who are you, and what makes you think digging up my yard is worth a thousand bucks?
posted by at by at 12:55 PM on January 30, 2014 [5 favorites]


Well I mean, it's not like you're just "here's the keys, I'll be waiting for that $50k!" - it's at least worth a deeper look and insistence on escrow, though.
posted by jason_steakums at 12:57 PM on January 30, 2014 [1 favorite]


Having said that, this is a reminder that sometimes when we talk about "GoDaddy" or "PayPal" or whatever we are talking about big corporate decisions...but sometimes we're equally talking about telephone wageslaves. People whose low pay is (often) commensurate with their competence at, and attentiveness to their jobs, and yet their actions and decisions have real consequences and to the customer are indistinguishable from "GoDaddy gave away my account." And that's why, as a business, you have an interest in raising the bar of your lowest-level employees' training and pay.

This. I've social engineered my own information out of customer service folks - to include them giving me hints about "when I was getting close" - when I actually forgot how to get into old stuff. It's ridiculously hard to check that people are who they say they are, and why does the guy making $9 an hour really care?
posted by corb at 12:58 PM on January 30, 2014 [1 favorite]


"I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case)"

That's some top notch security there.


Social engineering is often an under-appreciated/feared aspect of hacking. Why set up a brute-force system or (spear) phishing scheme when you can simply place a call and feign forgetfulness or bluff your credentials to get information directly from the people in charge of the digital keys?
posted by filthy light thief at 1:00 PM on January 30, 2014 [2 favorites]
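The quoted line about "try a range of numbers" (Kevin Street at 12:31 and filthy light thief at 1:00 above) is a brute force with a human in the loop, and the thing that makes it cheap is that four of the six digits being checked had already leaked from a different provider. The block below is an added example, not code from the thread, from GoDaddy or from the article it discusses: it models a help-desk verification screen under three attempt-counting policies and runs the same 100-guess attack against each. The "last six digits" check, the lockout threshold, the fifty redials and the card number are all constructed for the demo.

```python
"""Added example, not from the thread, from GoDaddy or from the article it
discusses: what 'verify the caller by the last six digits of the card on file'
is worth once four of those digits have leaked from another provider, and why
the help-desk tool's attempt counter has to live on the account, not on the
call.  Policies, numbers and the card number below are constructed for the demo."""
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    card_last6: str
    failed: int = 0        # failed verifications so far
    locked: bool = False   # frozen: caller must use an out-of-band process


class HelpDesk:
    """The agent's verification screen.

    lockout_after: failed attempts before the account is frozen.  None means
    the agent may let a caller 'try a range of numbers'.
    per_call_counter: True resets the count (and any lock) whenever a new call
    starts, so a patient attacker just hangs up and redials.
    """

    def __init__(self, lockout_after=None, per_call_counter=False):
        self.lockout_after = lockout_after
        self.per_call_counter = per_call_counter

    def start_call(self, acct: Account) -> None:
        if self.per_call_counter:
            acct.failed, acct.locked = 0, False

    def verify(self, acct: Account, claimed_last6: str) -> bool:
        if acct.locked:
            return False
        # constant-time compare: the screen must not leak 'close' digits
        if hmac.compare_digest(acct.card_last6, claimed_last6):
            acct.failed = 0
            return True
        acct.failed += 1
        if self.lockout_after is not None and acct.failed >= self.lockout_after:
            acct.locked = True
        return False


def enumerate_prefix(desk: HelpDesk, acct: Account, leaked_last4: str, calls: int = 1):
    """Attacker who already holds the last four digits (say, from a receipt at
    another provider) guesses the two digits in front of them: 100 candidates,
    spread over `calls` separate phone calls.  Returns (got_in, attempts_used)."""
    guesses = [f"{i:02d}{leaked_last4}" for i in range(100)]
    per_call = -(-len(guesses) // calls)          # ceiling division
    attempts = 0
    for c in range(calls):
        desk.start_call(acct)
        for guess in guesses[c * per_call:(c + 1) * per_call]:
            if acct.locked:
                return False, attempts
            attempts += 1
            if desk.verify(acct, guess):
                return True, attempts
    return False, attempts


def compare_policies(card_number: str = "4111111111111234", calls: int = 50) -> dict:
    """Run the same 100-guess attack against three help-desk policies.
    The default card number is a constructed test value."""
    policies = {
        "no lockout": HelpDesk(),
        "lock after 2, counter per call": HelpDesk(lockout_after=2, per_call_counter=True),
        "lock after 2, counter per account": HelpDesk(lockout_after=2),
    }
    return {
        name: enumerate_prefix(desk, Account(card_last6=card_number[-6:]),
                               card_number[-4:], calls)
        for name, desk in policies.items()
    }


if __name__ == "__main__":
    for policy, (got_in, used) in compare_policies().items():
        print(f"{policy:36s} got in: {got_in!s:5s} after {used} attempts")
```

With the constructed card the true prefix is "11", so an unrestricted agent lets the caller in on the twelfth guess; a lockout whose counter is reset per call gives exactly the same result once the attacker redials; only a counter that persists on the account (and sends the caller to an out-of-band process after it trips) ends the attack on the second guess. The point that generalises is that any short secret checked by a human has to be protected by the counter, not by the secret.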


corb: It's ridiculously hard to check that people are who they say they are, and why does the guy making $9 an hour really care?

Because they can lose their job over it, if the "social engineer" used this information to loot a bank account, steal information, or create other forms of real ruin. At least, it would be easy for a company to fire the lowly phone operator and say "mistakes were made, and we fixed them."
posted by filthy light thief at 1:02 PM on January 30, 2014


God damn do I loathe the 21st century.
posted by ob1quixote at 1:04 PM on January 30, 2014 [7 favorites]


When somebody's slaving away in a shitty job for poverty wages, firing them is often not as big a threat as it might be under other circumstances. If you want people to care about their jobs, you treat them like people. And if we're talking about workers who have the keys to my identity and financial life, I would definitely like them to care about their jobs, thanks.
posted by Holy Zarquon's Singing Fish at 1:07 PM on January 30, 2014 [7 favorites]


Yeah, you get fired from a call center job like GoDaddy support, odds are pretty good you can head on over to the next call center, sit through their paid training sessions, and start working there without even a hiccup in paychecks. The turnover's so high that they'll likely take you even with the black mark if you've shown you can handle doing call center work for any length of time. I've known people who have walked out on call center jobs mid-shift and reapplied and got another job a few months later at the same place they left.
posted by jason_steakums at 1:12 PM on January 30, 2014 [4 favorites]


Maybe it's a generational thing, but I'd never consider the phone to be a secure line of communication. You just never know when somebody else is listening in, even if you trust the voice on the other end of the line. I wouldn't give my credit card information to someone on the phone, never mind somebody else's.
posted by Kevin Street at 1:14 PM on January 30, 2014


Yeah, call centers have notoriously high turnover and wildly varying standards, because they're such terrible places to work. Even knowing someone was fired, they might well just assume he didn't meet his minute quota or whatever.
posted by corb at 1:17 PM on January 30, 2014


It's like somebody seeing a tree on your lawn and saying, "Hey, yo, I'll give you a grand for that tree. Checkbook's in the car."

It sort of is like that, yes, if you imagine the tree is mostly out of sight and you don't much care about it. But let's say that happened. You would tell the dude to pound sand? Me, I could use $1,000, so I'm at least going to talk to him. If he's legit and really wants my tree, maybe he'll come back with a cashier's check. Maybe he'll sign a one-sentence contract. Maybe he'll meet me at the bank, etc. I don't just shrug assuming he was full of crap and keep my forgotten tree.
posted by cribcage at 1:17 PM on January 30, 2014 [1 favorite]


God damn do I loathe the 21st century.

My "everywhere" username, dirtdirt, that I've been using since 1998 has recently become slang that some kids use to mean some complicated combination of "filthy, sexy, sweetheart, gross". It's not super widespread, but widespread enough that my Twitter feed is often full of weirdness and I regularly get account reset requests, at all sorts of services, that I didn't initiate. I can't imagine what it would be like if that slang ever caught on in a wider sense.
posted by dirtdirt at 1:19 PM on January 30, 2014 [4 favorites]


From the perspective of someone like GoDaddy it's kind of a no-win situation. If you refuse to do a thing for a customer until they authenticate in a way that wouldn't cause a security expert to hurt himself laughing, the 20% of your customers who are complete fuckups and have lost or forgotten or allowed to lapse every single thing that might authenticate them are going to suck up huge amounts of your time and slag you off on the forums and sic lawyers on you and write letters to their AG, etc., costing you money and customers. At $9/domain this isn't a winner. If OTOH you allow your reps to exercise some discretion, you're going to play right into somebody's hands.

A responsible company will raise the stakes to be in the game: if you don't have your shit together enough to even prove who you are, you lose access until you work something out. That company will charge more and never be big time. I honestly think this calls for regulation or a voluntary compliance program. And if you decide to save money by not going with a compliant provider, well, sucks to be you, and threads like this wouldn't happen because nobody has sympathy for someone who punches himself in the face.
posted by George_Spiggott at 1:22 PM on January 30, 2014 [4 favorites]


I have to imagine that there were a lot of clever souls who made a killing at what we'd now call social engineering throughout history, back when information security was, y'know, wax seals that some hapless serf has never seen and couriers that they have never met and have no way of verifying. "Lord so and so requires half a cow and a bushel of apples for his harvest feast, get thee to loading up mine wagon."
posted by jason_steakums at 1:24 PM on January 30, 2014 [3 favorites]


Hey... so... I work at GoDaddy, but not on the customer service side of things, nor in security. Here's our statement on this situation. Don't have any extra insight into what's going on here, but I suspect there's more to this story than has surfaced.

Corb - I think you'd be surprised at how good GoDaddy's call center staff is. The crew here is remarkably stable, all things considered, probably because pay is decent and benefits are awesome. (GoDaddy pays 100% of health insurance, for instance.)
posted by ph00dz at 1:24 PM on January 30, 2014 [6 favorites]


at by: "It's like somebody seeing a tree on your lawn and saying, "Hey, yo, I'll give you a grand for that tree. Checkbook's in the car." Um. dude? Who are you, and what makes you think digging up my yard is worth a thousand bucks?"

A tree is kind of a weird example because it isn't readily transferred. But I've done and had this done to me with cars and it's been successful both ways. A buddy of mine once walked home from a gas station because a passenger in another car filling up made him a cash offer for the car he was driving.
posted by Mitheral at 1:24 PM on January 30, 2014 [1 favorite]


Anyone else think it's likely the hacker lied about how he'd stolen the accounts? I wouldn't give away my tricks that way or do anything to make it easier for law enforcement to find me.
posted by straight at 1:27 PM on January 30, 2014


I think if I ever became a con man, my signature social engineering scam would include fake hauntings.
posted by jason_steakums at 1:30 PM on January 30, 2014 [2 favorites]


OOOoooOOOhhh whaat is your GoOOOooDaddy paaaswoooord
posted by jason_steakums at 1:31 PM on January 30, 2014 [31 favorites]


"I have to imagine that there were a lot of clever souls who made a killing at what we'd now call social engineering throughout history, back when information security was, y'know, wax seals that some hapless serf has never seen and couriers that they have never met and have no way of verifying."

But Lord so and so could send his sheriff to find and eventually hang the enterprising proto-conman (and there's only so far they could get on foot or horse after the crime was discovered), so the penalty for failure could be quite high.
posted by Kevin Street at 1:36 PM on January 30, 2014


The only thing I learned from this was never use PayPal. And since I quit using them years ago because of general asshattery (requiring you to use a bank account instead of a credit card after you bought too much, yeah like I'm going to give those weenies access to any bank account of mine), I feel good.
posted by Kokopuff at 1:41 PM on January 30, 2014


I feel like I haven't read an article involving PayPal where the moral of the story wasn't "never use PayPal" in years and years.
posted by jason_steakums at 1:50 PM on January 30, 2014 [8 favorites]


I see the occasional password reset email from Twitter for my three character username, but it's not as desirable since it's all consonants. This story and @mat's will motivate me to transfer that e-mail address from a Google Apps for Business address, though.

A three character username does make Twitter more fun in that I somehow got involved in some Twitter campaign for a Japanese girl band reality show, I have random followers and mentions from the Middle East and Indonesia, and a group of people for a period of time thought I was a tech journalist.
posted by chinesefood at 2:08 PM on January 30, 2014


Man, I wonder how much my 5-digit ICQ number would go for!

I don't know if you're joking, but low ICQ numbers are status symbols among Russian hackers. For example, here's a 5 digit ICQ number that has a $1000 asking price.
posted by zsazsa at 2:16 PM on January 30, 2014 [4 favorites]


I mentioned Navelgazer on Twitter just to make the universe better.
posted by mephron at 2:22 PM on January 30, 2014 [4 favorites]


I feel like I haven't read an article involving PayPal where the moral of the story wasn't "never use PayPal" in years and years.

Same goes for GoDaddy, really.
posted by oulipian at 2:31 PM on January 30, 2014 [2 favorites]


yoink: When I and the other members of my robot army finally subject you hu-mans

Nice try, Quark. I'm sure Constable Odo will want a word with you about the origin of this robot army.
posted by dr_dank at 2:41 PM on January 30, 2014


I don't host my sites with the same company that controls my domain names & I sure as hell don't store any credit card info with either company, and I don't use the same username & password for them or the email that is my email of record for both.

Though I have yet to be offered any money for woefullyneglected.com, it turns out I have all the time in the world, so I'm waiting patiently for the offers to roll in.
posted by Devils Rancher at 2:53 PM on January 30, 2014 [1 favorite]


GoDaddy does offer a kind of two-factor authentication. The question is, if you enable it, will they steadfastly refuse to allow access without it? No authentication scheme will help if they'll let anyone in who simply whines hard enough.
posted by George_Spiggott at 2:57 PM on January 30, 2014


If someone can fake being 'you' over the phone, they’re even more likely to succeed with these large providers.

I know of someone who's using the name Jack Ryan when his given name isn't even CLOSE to that. Using the "I'm Jack Ryan" routine he got the State to transfer the unemployment fund from the firm where he was the General Manager to his new company. Same thing with the health inspection certs - in a different business name.

The government's position is 'we can just correct this, we did you no harm'. And like with the big corps - what ya gonna do? Sue if you are harmed? Enjoy the fight....

making $9 an hour really care? Because they can lose their job over it,

Cuz they'll never find another $9 an hour customer support job and that makes the job loss a real threat?
posted by rough ashlar at 3:04 PM on January 30, 2014


Isn't this like stealing a famous piece of art? Did the people who stole @N think no one would have noticed its use by someone else?
posted by Blazecock Pileon at 3:05 PM on January 30, 2014


> I don't know if you're joking, but low ICQ numbers are status symbols among Russian hackers

Aw, man. I can't remember my number or login, but I was using ICQ in 1998, at the latest. I wonder if that's low enough to impress the Russian hackers. (And then I wonder why I would want to impress the Russian hackers.)
posted by The corpse in the library at 3:10 PM on January 30, 2014 [2 favorites]


Did the people who stole @N think no one would have noticed its use by someone else?

If they are being a griefer - the griefing is enough.

But the Twitter terms of service and policy tend to be "suck eggs" on losing control of a Twitter handle. Fired employees and trademark squatters - the "best" they seem to be willing to offer is locking out the account. Pay4tweet.com's page is an example from their POV of the Twitter sand pounding 'tude.

Now one MIGHT be able to litigate your way back to what you had......but what "consideration" has been exchanged and is a Judge willing to break a contract over the issue of getting a handle back? And what sanctions will a Judge bring for non-compliance?
posted by rough ashlar at 3:17 PM on January 30, 2014


here's a 5 digit ICQ number that has a $1000 asking price.

Ooh, they offer free shipping!
posted by aubilenon at 3:20 PM on January 30, 2014 [4 favorites]


jason_steakums: I feel like I haven't read an article involving PayPal where the moral of the story wasn't "never use PayPal" in years and years.

I hate hate hate that they're literally the only allowable way to pay on eBay now. eBay advertises you can use other services, but restricts them to a really narrow set of categories. Like cars, and commercial stoves. They wouldn't even let me use a different payment scheme when I was selling $5000+ espresso machines. You literally get hit with $500 in fees on that, by the way. $250 from eBay, and around 250 with some weird decimals because arbitrary percentages from PayPal.

My personal reason for hating PayPal though, was this. Yea, you could argue this was my fault, but this is goddam weasely on their part and TERRIBLE customer service.

So I've been selling scads of stuff I pick from thrift stores on eBay for years now. At the time, I had sold a pair of motorcycle boots and a MacBook for the same price. The guy who bought the MacBook starts trying to extort me because eBay's auto-generated table of specs didn't match what I had clearly written in the listing, even though I had written it in language like "This is model XYZ, except for spec 1, 2, and 3 are now this". So he wanted $45 back, or he'd file an eBay case. And we both knew he would win because they don't give a shit about sellers.

So there's no refund button on eBay, you have to log in to PayPal separately and do it there. So I go there and refund the WRONG person $45.

I pick up the phone, and call PayPal instantly. By the time I'm talking to a real person it's say, 8:50pm and the error occurred at like.. 8:46. This person, however, instantly becomes that nipple-rubbing cable company support guy from South Park. They say there's no way they can reverse the payment even though it was a mistake, and this is the kicker, I should write an apologetic message to the person who I sent the payment to and ask them to send me the money back.

Seriously. I'm not even kidding.

So I call eBay, and they say they'll send the person an official message telling them to give me the money back. No "or else", no enforcement, just "hey could you please do this?"

Of course the person never responds and enjoys their ridiculously cheap BMW boots, and I have zero recourse.

It took me a second to figure out why PayPal would want this, when it was obviously a mistake and it's such terrible customer service.

I send the payment, the other person sends it back: $3.something in fees each way. $6.42 or something total

They reverse it: $0 in fees.

They were willing to be that much of an asshole over $6.something. That's how little they care about their customers. I bet the reps are only allowed to reverse anything that would lose them fees with like, manager/supervisor approval or something.

And that's the story of how I lost $45. I realize that's not a lot in the grand scheme of things when stuff like this happens all the time. But it was seriously the worst customer support I've ever encountered. I've been more satisfied with freaking Comcast and CenturyLink, who are both Olympic athletes of being awful.

And don't even get me started on GoDaddy. They basically funnel expired domains, even ones that are otherwise worthless to the average company or person, to domain squatters I'm pretty sure they control. Their CS reps are also assholes, and as this has shown, fucking useless and clueless.
posted by emptythought at 3:22 PM on January 30, 2014 [6 favorites]


It took me a second to figure out why PayPal would want this, when it was obviously a mistake and it's such terrible customer service.

I send the payment, the other person sends it back: $3.something in fees each way. $6.42 or something total

They reverse it: $0 in fees.


Isn't it more that they don't want to be known as that payment service where you can "send a payment" and then have that payment evaporate seconds later? I mean, if all they wanted was fees, they could charge you a fee for "erasing the mistake." If you want to know why social engineering fraud is successful, this comment is a good example. When you know you're being honest about it and you know that you're just trying to rectify a mistake, it seems utterly and ludicrously bureaucratic and pettifogging that giant-corporation-X's service drones refuse to bend the rules a little for you. And, of course, if you're the service drone dealing with the angry customers, you know perfectly well that 99 times out of a hundred it's not some evil scammer but someone who has quite genuinely made a mistake: sent the wrong refund, forgotten one crucial digit from their password etc.

I'm sure that must have been a horribly frustrating situation, but as someone who has received refunds from eBay sellers before now, I'm glad that PayPal doesn't make it a routine practice of allowing them to yank the money back into their accounts if they tell a good enough story about it.
posted by yoink at 3:45 PM on January 30, 2014 [5 favorites]


With Hushmail the passphrase is stored encrypted and it is impossible to recover if you forget it. It is safe from social engineering because even the customer service can't reset the password. However you have to log in every 3 weeks or the account is deleted (or pay about $40/yr for an account).
posted by stbalbach at 4:09 PM on January 30, 2014


I thought I was doing well when I sold my 6-digit ICQ number for $25 in 2001.
posted by stopgap at 4:34 PM on January 30, 2014


Also, Hushmail is not NSA/other-TLAs-safe, so keep that in mind.
posted by ymgve at 4:37 PM on January 30, 2014


With Hushmail the passphrase is stored encrypted and it is impossible to recover if you forget it.

Hushmail is hardly secure. It can accept messages from people that don't use PGP, and if you're not using the Java version, the encryption is done on their servers, leaving your message cleartext on Hushmail's servers. This leaves many messages, and entire accounts unprotected. Hushmail has admitted to releasing this cleartext data to US authorities.

Over the last two years I've been part of a small team making an encrypted social messaging (and social coding) platform that's entirely client-side and HTML4. Common carriers never see plaintext user content unless users explicitly opt out. Components are licensed under the AGPL and LGPL, so the cryptographic machinery is auditable. This is the only way to reliably provide this kind of service.

I'd say more but we're currently being hushhush about it.
posted by clarknova at 4:38 PM on January 30, 2014
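stbalbach's point (4:09 PM) that a passphrase nobody at the provider can reset is immune to the phone-call attack in the post, and clarknova's reply (4:38 PM) that this only holds when encryption happens on the client, are two halves of one design. The block below is an added example, not code from the thread, from Hushmail or from any product: a client-side scheme in which the server holds only a login verifier and a data key wrapped under a passphrase-derived key, beside the server-held-key scheme. It uses the Python standard library only; PBKDF2 stretches the passphrase, and an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for a real AEAD cipher (use AES-GCM or similar in anything real). The iteration count, key labels and sample mailbox are assumptions for the demo.

```python
"""Added example (not from the thread, from Hushmail or from any product): why a
key derived from the passphrase on the client defeats a support-desk 'reset',
while a server-held key does not.  Standard library only: PBKDF2 for the
passphrase, HMAC-SHA256 in counter mode plus an HMAC tag in place of a real
AEAD cipher.  Use AES-GCM or similar in anything real."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || block-counter) keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = _ctr_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong or the blob was altered."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _ctr_xor(enc_key, nonce, ct)


def derive(passphrase: str, salt: bytes):
    """Client side: stretch the passphrase, then split it into a login verifier
    the server may hold and a wrapping key it never sees.  Both are PRF
    outputs, so holding the verifier does not yield the wrapping key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return (hmac.new(master, b"auth", hashlib.sha256).digest(),
            hmac.new(master, b"wrap", hashlib.sha256).digest())


def enroll_client_side(passphrase: str, mailbox: bytes) -> dict:
    """The server's record when the passphrase never leaves the client."""
    salt = secrets.token_bytes(16)
    verifier, wrap_key = derive(passphrase, salt)
    data_key = secrets.token_bytes(32)
    return {"salt": salt, "verifier": verifier,
            "wrapped_key": seal(wrap_key, data_key),   # opaque without the passphrase
            "mailbox": seal(data_key, mailbox)}


def read_client_side(record: dict, passphrase: str):
    """Login, unwrap, decrypt.  None if any step fails."""
    verifier, wrap_key = derive(passphrase, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None                                   # login refused
    data_key = open_sealed(wrap_key, record["wrapped_key"])
    return None if data_key is None else open_sealed(data_key, record["mailbox"])


def change_passphrase(record: dict, old: str, new: str):
    """Legitimate rotation: needs the old passphrase to unwrap and re-wrap."""
    _, old_wrap = derive(old, record["salt"])
    data_key = open_sealed(old_wrap, record["wrapped_key"])
    if data_key is None:
        return None
    salt = secrets.token_bytes(16)
    verifier, new_wrap = derive(new, salt)
    return {**record, "salt": salt, "verifier": verifier,
            "wrapped_key": seal(new_wrap, data_key)}


def support_reset(record: dict, new_passphrase: str) -> dict:
    """A social-engineered reset: the agent can only overwrite what the server
    holds (salt and verifier).  The wrapped key is left as it was."""
    salt = secrets.token_bytes(16)
    verifier, _ = derive(new_passphrase, salt)
    return {**record, "salt": salt, "verifier": verifier}


def enroll_server_side(mailbox: bytes) -> dict:
    """Contrast: the service encrypts for the user and keeps the key itself."""
    data_key = secrets.token_bytes(32)
    return {"data_key": data_key, "mailbox": seal(data_key, mailbox)}


def read_server_side(record: dict) -> bytes:
    """Whoever the service decides is 'the user' gets plaintext."""
    return open_sealed(record["data_key"], record["mailbox"])
```

After `support_reset` the attacker's new passphrase passes the login check, which is all a help desk can grant, but the wrapped data key fails to unwrap and the mailbox stays ciphertext; the same reset also locks the legitimate owner out until the verifier is restored, which is the cost of the design and the reason a service like this has to be blunt about lost passphrases. In the server-side record there is nothing to unwrap, so anyone the service believes is the user (or anyone who can compel the service) reads the mail. Neither scheme helps if the passphrase itself is phished or if the client code that derives the key is served by the same party being coerced, which is the point of clarknova's remark about auditable client-side code.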


In an alternate universe, the Compuserve email addresses that are Mersenne primes are highly desired
posted by thelonius at 4:40 PM on January 30, 2014 [5 favorites]


yoink: I'm sure that must have been a horribly frustrating situation, but as someone who has received refunds from eBay sellers before now, I'm glad that PayPal doesn't make it a routine practice of allowing them to yank the money back into their accounts if they tell a good enough story about it.

The thing is, there's so many mechanisms in place to prevent any sort of meaningful abuse of this. The item on ebay would no longer be marked as refunded and they'd be able to file a case there and still get a refund, if they were supposed to.

In addition to this, since ebay and paypal are merged now the rep i was talking to could see everything. The messages between me and the person i was intending to refund, the correct transaction the refund was meant to be on and the accidental one, etc.

That's where the nipple-rubbing comes in. They could CLEARLY see it was a mistake, and there was no possibility of me somehow "pulling one over on them" and pulling a givesies-backsies on a legitimate refund social engineering style.

The rep was just like "oh, we don't have access to the system to reverse things like that. You have to sort it out with that person," which is just so blatantly bullshit because PayPal holds or reverses payments all the time, yes, even on refunds.

I would have been a lot less offended if the guy wasn't either blatantly lying or ignorant. There's a big difference between "we can access everything and see that you're obviously telling the truth, but we're not going to do shit" and "we have no way of knowing whether you're telling the truth so we're going to err on the side of caution". You seem to be assuming option b, when it was option a.

I guess I just take issue with the fact that PayPal magically isn't a bank even though they act like one. Barring debit cards and checks, in any fancy online payment system like this run by a bank, or really just anyone not PayPal, you can reverse/cancel payments within a certain window. Part of the reason I called right that second was I figured there was some 5-15 minute window in which nothing had authorized/gone through yet and errors could be corrected.

The funny thing is that in other situations with PayPal, it has absolutely seemed like such a thing existed.

I have no idea why Twitter is trying to copy their obtuse, inconsistent, awful CS here.
posted by emptythought at 6:09 PM on January 30, 2014


clarknova: "Hushmail is hardly secure. "

All that has nothing to do with the ability to social engineer the account away from the owner.
posted by Mitheral at 6:16 PM on January 30, 2014


I was hoping to save this for an Ignite talk or something, but someone encouraged me to log in and share my song. My twitter handle is a whopping seven letters, but it is also my first name, which I share with an island nation in the European Union that some of you may have heard of. (Hint: also my MeFi username)

Much, and some weeks the vast majority, of my twitter reply activity is misdirected. Here's what last July 4 was like. I also see a flare-up of activity on spring weekends when "Britain's Got Talent" is airing on ITV, because although they have an account at @gottalent, many people just type "watching @Britain's Got Talent," so it goes to me.

Other common misuses include random remarks about UK weather, UK Politics, and outpourings of pride on historic occasions like royal weddings or milestones. The British expat who repeatedly tweeted about @britain's corruption and paedophilia had to be asked a couple times, including by her own followers, to knock that shit off. I might have eventually blocked her, I don't recall.

I used to get a lot of foursquare-ish checkins at locations of "Britain," a Dutch chain of street and skate wear shops like Hot Topic or Journeys in the US, but those completely ceased a while back when they changed their name to "Go-Britain."

One time some guys suggested I give my handle to them so they could tweet from it like @sweden does. If they were serious, I would probably give up this handle to the UK government, but only in exchange for an aristocratic title or something. Until then, I guess I'd like to ask history teachers who restage famous wars as social-media conversations 144 characters at a time -- please have your students address "#britain."
posted by britain at 6:36 PM on January 30, 2014 [9 favorites]


> you lose access until you work something out.

This episode had got my paranoia going and so I checked the post-Mat Honan-attack recovery settings. With two-step verification turned on, if you lost two or more of the required sign-in items, "you will not be able to sign in or regain access to your account. You will need to create a new Apple ID."
posted by morganw at 6:47 PM on January 30, 2014


How odd. As of yesterday, when I first heard about this, twitter.com/n wasn't actually working, and I wondered whether the company was, you know, actually doing the right thing and shutting down whoever extorted this guy for it. But now it's up with this Badal_NEWS nonsense. I wonder whether the person linking to that site with the account is the extortionist, or whether it's someone the extortionist turned a quick profit on by selling it to them.
posted by limeonaire at 6:53 PM on January 30, 2014


clarknova: "Over the last two years I've been part of a small team making an encrypted social messaging (and social coding) platform that's entirely client-side and HTML4. Common carriers never see plaintext user content unless users explicitly opt out. Components are licensed under the AGPL and LGPL, so the cryptographic machinery is auditable. This is the only way to reliably provide this kind of service.

I'd say more but we're currently being hushhush about it."

Priv.ly's been pretty public about their approach, so if you stay hushhush for too long you'll soon become the thing nobody's ever heard of!
posted by pwnguin at 6:58 PM on January 30, 2014


or whether it's someone the extortionist turned a quick profit on by selling it to them.

I feel like no organization would want to directly be the hackers doing this kind of shit, nor would anyone smart/good enough to pull this off run a site like that, even if it's SEO/blogspam crap.

I would bet good money the extortionist just sold it quickly. I wonder how much they made?
posted by emptythought at 7:15 PM on January 30, 2014 [1 favorite]


The guy turned down $50k to hang on to his Twitter handle.

I don't care what happened to him, it's going to be very difficult for me to take his side.
posted by ShutterBun at 7:20 PM on January 30, 2014 [1 favorite]


All that has nothing to do with the ability to social engineer the account away from the owner.

Which isn't what the (probably derailing) posts about Hushmail were about. There's always a side-channel attack that can break a security chain. If that's the bar you set, there's no point to security on anything, including online banking.

ymgve and I were talking about a gaping technical flaw in Hushmail, which affects users who weren't tricked into handing over credentials.


Priv.ly's been pretty public about their approach, so if you stay hushhush for too long you'll soon become the thing nobody's ever heard of!

We're not too concerned. Like Diaspora, Priv.ly has fundamental design limitations. It's more and more looking like the thing everyone's heard of and nobody uses.

Again, this is starting to become a derail. Sorry about that. If you want to read me ramble about it you can MeMail me. Or check MeFi Projects in the months ahead.
posted by clarknova at 7:21 PM on January 30, 2014


> > All that has nothing to do with the ability to social engineer the account away from the owner.

Which isn't what the (probably derailing) posts about Hushmail were about.

The discussion was about using Hushmail to prevent social engineering.
posted by stbalbach at 11:39 PM on January 30, 2014


The guy turned down $50k to hang on to his Twitter handle.

What if it turned out he was offered $50k in... bitcoins? DUN DUN DUNNNN
posted by um at 12:28 AM on January 31, 2014 [2 favorites]


There are responsible web hosts that do actually implement and maintain security for account holders (e.g. pair.com). It's not that hard.

Godaddy is not one of them.
posted by miss tea at 3:21 AM on January 31, 2014 [1 favorite]


MisantropicPainforest: Man if I wonder how much my 5 digit ICQ number would go for!

Today I learn two things: 1, I am still vaguely impressed by low ICQ numbers, mostly out of nostalgia, and 2, ICQ is still around, trying to compete with Skype and whatnot with video chatting capabilities. I remember when AOL acquired it, and it looks like ICQ's value dropped significantly in 22 years: bought by AOL in 1998 for $407 million, sold in 2010 for $187.5 million, the same year that the buyer, Digital Sky Technologies, "led a $135 million investment in Groupon at a rumored $1.35 billion valuation."

And I have to confess, I stole some guy's seven-digit ICQ number because the Hotmail account he had associated with the account had gone dormant. So I claimed the email account as my own, and spent a few days battling him for control of the ICQ account. Dear whoever you are, I will happily give you back your vintage ICQ number of 1984777. It hasn't been used in years. Heck, you can have your old Hotmail/Live account back, too. I apologize for my actions.
posted by filthy light thief at 12:45 PM on January 31, 2014 [1 favorite]


Holy shit I just remembered my ICQ number. I couldn't even believe it but it checks out.

I can't remember to get paper towels, but I can remember an eight digit number that hasn't been relevant in my life in well over a decade.
posted by griphus at 12:53 PM on January 31, 2014 [1 favorite]


The guy turned down $50k to hang on to his Twitter handle.

Yeah, it's not something I'd expect you people with 5- and 6-digit MeFi user ids to understand.

(My low MeFi number saved me FIVE DOLLARS!)
posted by straight at 1:10 PM on January 31, 2014


@britain, you may want to check out my previous post. ;)
posted by me3dia at 10:31 PM on January 31, 2014 [1 favorite]


Thanks to filthy light thief informing me that ICQ lives, I wrote to customer support to dig up ancient files from the late nineties. I have no idea that I even had an ICQ number ;p back then, I mean.
posted by infini at 2:23 AM on February 1, 2014


Update for posterity: @n has been restored to its rightful owner.
posted by me3dia at 10:10 PM on February 25, 2014




This thread has been archived and is closed to new comments