Cory Doctorow: Persistence Pays Parasites

My friend Katherine Myronuk once told me, “All complex ecosystems have parasites.” She was talking about spam and malware (these days they’re often the same thing) and other undesirable critters on the net. It’s one of the smartest things anyone’s ever said to me about the net – and about the world. If there’s a niche, a parasite will fill it. There’s a reason the cells of the organisms that live in your body outnumber your own by 100 to one. And every complex system has unfilled niches. The only way to eliminate unfilled niches is to keep everything simple to the point of insignificance.

But even armed with this intelligence, I’ve been pretty cavalier about my exposure to net-based security risks. I run an up-to-date version of a very robust flavor of GNU/Linux called Ubuntu, which has a single, easy-to-use interface for keeping all my apps patched with the latest fixes. My browser, Firefox, is far less prone to serious security vulnerabilities than dogs like Internet Explorer. I use good security technology: my hard-drive and backup are encrypted, I surf through Ipredator (a great and secure anonymizer based in Sweden), and I use GRC’s password generator to create new, strong passwords for every site I visit (I keep these passwords in a text file that is separately encrypted).

And I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.

I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.

Or so I thought, until I got phished last week.

Here’s the thing: I thought that phishers set their sights on a certain kind of naive person, someone who hadn’t heard all the warnings, hadn’t learned to be wary of their attacks. I thought that the reason that phishers sent out millions of IMs and e-mails and other messages was to find those naifs and ensnare them.

But I’m not one of those naifs. I’d never been tricked, even for a second, by one of those phishing messages.

Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.

The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers, I stood in the line. Bored, I opened up my phone fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew.

I opened the link with my phone and found that I’d been redirected to the Twitter login page, which was prompting me for my password. Seeing the page’s URL (truncated in the little phone-browser’s location bar as “http://twitter….”) and having grown accustomed to re-entering all my passwords since I’d reinstalled my phone’s OS the day before, I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: http://twitter.scamsite.com (it wasn’t really scamsite, it was some other domain that had been hijacked by the phishers).

And that’s when I realized that I’d been phished. And it was bad. Because I’d signed up for Twitter years ago, when Ev Williams, Twitter’s co-founder sent me an invite to the initial beta. I’d used a password that I used for all kinds of sites, back before I started strictly using long, random strings that I couldn’t remember for passwords. In defense of the old me, I only used that password for unimportant sites, like services that friends wanted me to sample in beta.

But unimportant sites have a way of becoming important. I’ve got 40,000+ Twitter followers, and if my account was hijacked, the hijackers could do great damage to my reputation and career through their identity theft. What’s more, Twitter isn’t the only place where I used my “low-security” password that has turned into a high-security context, which means that hijackers could conceivably break into lots of interesting places with that information.

So I sat down at a table, kissed my wife goodbye, got my laptop out and started changing passwords all over the net. It took hours (but at least I’ve expunged that old password from my existing accounts, I think). By the time I finished, three more copies of the phishing scam had landed in my Twitter inbox. If they’d come a few minutes earlier, the multiple copies would have tripped my radar and I would have seen them for a scam. The long process gave me lots of time to reconsider my internal model of how phishing works.

Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.

If I hadn’t reinstalled my phone’s OS the day before. If I hadn’t been late to the cafe. If I hadn’t been primed to hear from old friends wondering if some press mention was me, having just published a lot of new work. If I hadn’t been using a browser that didn’t fully expose URLs. If I hadn’t used the same password for Twitter as I use for lots of other services. If I’d been ten minutes later to the cafe, late enough to get multiple copies of the scam at once – for the want of a nail, and so on.

But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher. This is eerily biological, this idea of parasites trying every conceivable variation, at all times, on every front, seeking a way to colonize a host organism. The net’s complex ecosystem is so crowded with parasites now that it is a sure bet that there will be a parasite lurking in the next vulnerable moment I experience, and the next. And I will have vulnerable moments. We all do.

I don’t have a solution, but at least I have a better understanding of the problem. Falling victim to a scam isn’t just a matter of not being wise to the ways of the world: it’s a matter of being caught out in a moment of distraction and of unlikely circumstance.


Cory Doctorow is the author of Walkaway, Little Brother and Information Doesn’t Want to Be Free (among many others); he is the co-owner of Boing Boing, a special consultant to the Electronic Frontier Foundation, a visiting professor of Computer Science at the Open University and an MIT Media Lab Research Affiliate.


From the May 2010 issue of Locus Magazine

68 thoughts on “Cory Doctorow: Persistence Pays Parasites

  • Pingback:Cory Doctorow’s craphound.com >> Blog Archive » Persistence Pays Parasites

  • May 6, 2010 at 1:16 am
    Permalink

    So, in order to fix the problem, you sat in a location with a public wifi? Even if you are using an SSL connection, that was not a smart thing to do. Anyone could have been there with a wireless sniffer and could potentially have captured one of your new passwords.

    Reply
  • May 6, 2010 at 1:36 am
    Permalink

    I got caught in a similar fashion… All the stars seemed to be aligned against me t the moment an email arrived. I now do not click on any link in an email from any one for 24 hours after it arrives unless a private code is used in the subject. Very few people have the code, and any one who doesn’t can wait 24 hours. It won’t close every gate, but it closes most of them

    Reply
  • Pingback:Tweets that mention Locus Online Perspectives » Cory Doctorow: Persistence Pays Parasites -- Topsy.com

  • May 6, 2010 at 3:03 am
    Permalink

    To avoid “password reuse” I love LastPass — one passphrase unlocks site-unique, mostly-random passwords for every site I open an account on. No Android client yet, AFAIK, shame — I end up tapping out a random-looking string into each Android client, which is a pain (but less painful than what you describe!).

    Reply
  • May 6, 2010 at 3:21 am
    Permalink

    in addition to common paranoid caution, i simply do not click on ‘shortened’ urls

    Reply
  • May 6, 2010 at 3:45 am
    Permalink

    I like Katherine’s thoughts about parasites also. I enjoyed this article, well done. I’ll now be extra careful myself.

    Reply
  • Pingback:How I got phished | Top Blogs News

  • May 6, 2010 at 4:25 am
    Permalink

    Communicate in a non-english language only. 🙂 If I receive a “Is that you???” message – being a native german speaker – I would be suspicious from the beginning. But of course I would fail on a “Wie geht’s?”, too… We all have bad days.

    Reply
  • May 6, 2010 at 4:44 am
    Permalink

    Interesting.
    It’s always important to check the full URL of all sites you log in on with passwords.

    It will be nice when Fennec for Android is in 1.0 – then you can have both Adblock Plus (blocks those fake “you won” ads) and NoScript that blocks XSS, and many other things.

    I wonder how you can make security soo much easier that even this couldn’t happen…

    Reply
  • May 6, 2010 at 4:46 am
    Permalink

    Worth recognising indeed that even the aware and capable can get caught out. Like you I tend to think I am above getting caught so this is a good wake up call to be a little more careful. Thanks for telling us.

    Reply
  • May 6, 2010 at 4:56 am
    Permalink

    That makes me feel so much better about myself! I fell prone to the same Twitter phishing attack in almost the exact same way, minus the Nexus One, wife, and baby. And boy did I feel stupid. If it can happen to Cory too, I don’t feel like such a boob.

    Reply
  • May 6, 2010 at 7:30 am
    Permalink

    After selling an item on ebay, I received an email with the message “Congratulations. Because of your positive feedback, your account is being upgraded to ‘Power Seller'”.

    Of course, I followed the phishing link and attempted to log into my ebay account to confirm my Power Seller status.

    Reply
  • May 6, 2010 at 9:14 am
    Permalink

    good to know that this doesn’t just happen to the naive – the scammers are getting better and better at fooling us! Thank you for posting this so the rest of us can learn something! 🙂

    Reply
  • May 6, 2010 at 9:32 am
    Permalink

    I too can smell phish a mile off – but when I made a Paypal payment yesterday – something I do about every 8 weeks – and three seconds later I get a paypal phish email about my account being suspended, I was nearly caught out. Luckily, the smell was strong enough this time…

    Reply
  • May 6, 2010 at 9:43 am
    Permalink

    Good to hear you caught it in time – and that you have the good sense and taste to be a fellow Nexus One owner 😉

    Reply
  • May 6, 2010 at 9:45 am
    Permalink

    This is almost precisely what happened to me about a month ago. In fact, it was also a short URL in a message from someone I know in Seattle through the con circuit. I was infected rather than fished (I use a variety of OSes, you can guess which one this was) but the circumstances, busy day, distracted user, were the same.

    Reply
  • May 6, 2010 at 10:14 am
    Permalink

    Isn’t this more in the category of “even smart people do dumb things sometimes”? I’m in no way immune to this, but overly-generic subject lines like “is this you?” are a hallmark of phishing scams. I figured that out without anyone having to tell me. And checking to see if a URL is what it’s supposed to be should be automatic.

    Reply
  • May 6, 2010 at 11:18 am
    Permalink

    Yet another example of why URL shorteners are evil, and using Twitter to distribute URLs is a stupid thing to do.

    Reply
  • May 6, 2010 at 2:39 pm
    Permalink

    I’m not getting the part about storing all your strong passwords in an encrypted text file. To be of any use, you need to be able to easily access that file from different computers or mobile devices, or from the web if you’re remote. So you have to use encryption locally on all those devices. Also, it has to have a password you can remember since you can’t write it down anywhere without also encrypting that. So the password protecting your master file of strong passwords is itself not strong (I for one can’t memorize a 256 bit strong 64 character password). Hmmmm…

    Reply
  • May 6, 2010 at 3:29 pm
    Permalink

    @Mark: I think you’re overstating the vulnerability of SSL.

    But I also use a secure proxy, IPRedator.

    Reply
  • May 6, 2010 at 3:45 pm
    Permalink

    The classic “swiss cheese” effect where every barrier to failure has a few holes in it that unfortunately line up occasionally to allow the failure to happen.

    Reply
  • May 7, 2010 at 6:11 am
    Permalink

    This is exactly the kind of thing Pwdhash was developed to guard against. The idea is simple: you use a browser extension that sends to the website a domain-specific hash of what you type in the password field. That way, you can even use (type) the “same password” for every website if you wish (though of course it’s better not to), and your actual password on each website will be different. More importantly, phishing scams, where the domain is different from the one you set up your password for, will not get your actual password but an almost-certainly useless (one-way function) hash of what you type. (You can implement your own pwdhash if you don’t trust their implementation, but one of the developers is Blake Ross…)

    Reply
  • May 7, 2010 at 7:25 am
    Permalink

    “good to know that this doesn’t just happen to the naive”

    It was incredibly naïve to enter one’s details to a site, whose name you can’t see, that you entered via a suspect link.

    Reply
  • Pingback:Cory Doctorow falls to a phishing attack « Later On

  • May 8, 2010 at 3:43 pm
    Permalink

    The blogger at What The Hell? Security (whatthehellsecurity.com) writes an edgy piece titled “The 9 Laws of Phishing.” It’s worth reading because each law challenges the conventional thinking that makes phishing intractable.

    Reply
  • May 9, 2010 at 6:29 am
    Permalink

    A few years ago, having fallen victim (once again) to a real-estate scam, I had an epiphany that led to Steve’s Third Axiom: You can’t protect yourself part time….from people committed to taking advantage of you full-time”. If you have a life, you will only be able to be an expert at 2-3 things, usually those at which you earn your living, or those related to personally important things like parenting, hobbies, etc. This means that for the remaining 98% of things in which you’re involved there will inevitably be people who do nothing but concentrate all their efforts on taking advantage of your inability to be an expert in those things.

    Reply
  • Pingback:Phishing: how Cory Doctorow (and I) got punk’d | Mediapunk

  • May 9, 2010 at 3:58 pm
    Permalink

    Obviously it’s easy for us reading this to be wise after the fact, but one thing that perhaps should have tipped you off – and might tip off others in the future – is the lack of connection between the context of the link and where it took you. Why should someone asking ‘is this you?’ link you to a page where you need to log in to twitter?

    Reply
  • May 9, 2010 at 4:07 pm
    Permalink

    Just want to point out that twitter recent signed up to using truedomain (http://www.truedomain.net/), so if you have a Fastmail account (http://www.fastmail.fm), emails appear with the twitter logo next to them in the web interface. Makes spotting phishing emails a lot easier. It would be great if email clients start supporting this.

    I wrote a summary of what truedomain are trying to do in the anti-phishing space here:

    http://blog.fastmail.fm/2010/01/06/truedomain-anti-phishing-and-email-authentication/

    Reply
  • Pingback:Robert Sharp » Blog Archive » Linklog for 9th April to 10th May

  • May 10, 2010 at 9:38 pm
    Permalink

    As they say, all theft is opportunity.

    Reply
  • May 11, 2010 at 1:36 pm
    Permalink

    Yep, that one got me. Probably from the same person, too. 😉 Thanks, Cory.

    Reply
  • May 11, 2010 at 2:23 pm
    Permalink

    “By the time I finished, three more copies of the phishing scam had landed in my Twitter inbox. If they’d come a few minutes earlier, the multiple copies would have tripped my radar and I would have seen them for a scam.”

    I assume that when you gave your password to the phishers, their software automatically send the scam message to all your twitter friends (which is the usual procedure). 40000 followers you had?

    I believe your scam radar may be good, but I don’t think those multiple copies would have entered your inbox if you DIDN’T get fished.

    Reply
  • May 11, 2010 at 2:40 pm
    Permalink

    A good security practice is to never log in from any links received via email, does not matter who sent them, even if it’s your bank.

    Bookmark the URLs of interest and always use the bookmarks for login, or manually type if a common address.

    That way, you are going where you think you are going.

    After logging in, you can click on the email link if you can’t navigate within the site to find it, and it should work if it was legit.

    Reply
  • May 12, 2010 at 7:56 am
    Permalink

    To be fair, anyone over the age of 15 that uses twitter probably has exploitable decision making vulnerabilities anyway…

    Reply
  • Pingback:Ed The Dev .com » Blog Archive » Cory Doctrow on Phishing

  • Pingback:Why everyone should write down their passwords | In Software We Trust

  • May 12, 2010 at 12:53 pm
    Permalink

    Had this same stars-align-with-a-predatory-parasite-waiting vulnerable moment exploited about six months ago. No harm except the time spent resetting passwords and the normal post-attack hyper-vigilance for several weeks.

    So, now I’m always careful in new ways; perhaps akin to the biological protection elicited by a prior infection….

    …Or, better done, “immunization,” which is the space I’m working in now: Humans, our habits and human nature make us the weakest – or at least the most frequently vulnerable – component in any security system so… How do we safely “immunize” ourselves against security threats?

    Human ability to make frequent rapid judgements about who we trust and don’t and the matrix of behavior we’ll accept or won’t expanded by our actions and reactions based on our level of trust also make us the most flexible and irreplaceable security evaluators.

    Analogues from nature and biology as they interface with the new phenomena of synthetic engineered and over-sterilized environments together with frequent rapid communication and travel are indeed pervasive:

    Highly structured “clean” and narrow purpose environments or mono-cultures are especially vulnerable *because* of the huge aggregate space comprised of unfilled – and thus unprotected – niches and further multiplied by rapid transmission through high-speed ubiquitous communication and travel, especially within a closed “trusted system.”

    …While “organic” open and diverse environments are more exposed but more resilient after any successful attack; more protected by a diversity of immune “experience” and beneficially predatory symbiosis; and have fewer unfilled niches to exploit.

    I suspect that, even though net and biological parasites are pervasive and ever searching for those momentary gaps, we all still have many moments of complete vulnerability that are not successfully exploited simply by the luck of the complex timing and synchronicity required for exploitation.

    Growth in numbers, specialization, complexity and sophistication to match the richly diverse global reach, growth and maturity of the net – again, very like the biological niches exploited by exotic invasive organisms on both the macro and micro scales in our increasingly globalized world – will make unsuccessfully exploited vulnerable moments more rare as probability increases that any gap, however narrow or momentary, will be exploited.

    Reply
  • Pingback:i’m invincible! (you’re a looney!)

  • Pingback:Use a Password Manager to Assign Unique, Random 15 Character Passwords for all Accounts, Protecting them with a Strong Master Password

  • Pingback:20 passwords to never use on Facebook | Mediasourceme's Blog

  • Pingback:Monocultured » Blog Archive » Technical support

  • May 15, 2010 at 8:03 am
    Permalink

    All of the phishing attacks that I have seen rely on social or psychological form (or both). Being technically savvy can only help one that much. That’s what makes them devastatingingly effective.

    It’s quite easy to create extensions for the Android browser (no rooting required), in contrast to the other smartphones around (especially the Cupertino designed ones). These include password managers and URL shortener expanders. Why there aren’t any around yet completely baffles me. I might write an Angel password-manager extension sometime as an exercise. It’s pretty much just a single screenful of code.

    Anyway, you might want to use a backup application before upgrading your Nexus One firmware. I use Titanium Backup on mine which seems to be the most popular choice around. Besides the backing up the actual apps (and their Android Market links), it also saves each app’s settings. This way you can keep your password cache across updates. Combined with SMS and call log backups (two additional free apps), firmware upgrades are as seamless as they can get.

    Reply
  • May 17, 2010 at 10:10 pm
    Permalink

    Aww, so now maybe Cory “Master Of The Thieves Guild” (AKA EFF) Doctorow knows what it’s like to have something stolen,as do those fighting to preserve copyright.

    Reply
  • Pingback:IAM – Passwords « Selfish Man's Conscience 2.0

  • May 19, 2010 at 12:32 pm
    Permalink

    Actually this is not true – It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.

    What they did was attack the old human trait of complacency.

    Reply
  • May 23, 2010 at 9:30 am
    Permalink

    Silver lining to this story. I use my Twitter account to promote my artwork. I duped by this largely due to my excitement that HiFructose Magazine had apparently reached out to me. I don’t think I’d ever entered my log-in so quickly or with more glee. Obviously this was not really the case. After apologizing to every one of my followers, I mentioned the @hifructosemag lead in to the incident. Now HiFructose follows me!

    Reply
  • Pingback:The Technology newsbucket: too many Angry Birds, pirating free games, skipping Windows Phone and more | Teh Lolz

  • Pingback:Cory Doctorow: Persistence Pays Parasites | The Cynxpire

  • June 5, 2010 at 2:17 pm
    Permalink

    Stuff happens. You’re human. 🙂 Glad you fixed all your passwords before someone created havoc.

    Though, to be sure, the scam “is this you????” + link (usually to what’s purported to be a picture or video), sent from the account of someone you know has been around for a while. Sadly it can mean your friend’s account was hacked, so sending them some feedback via a reliable channel is usually appreciated.

    Just an fyi to anyone reading comments. 🙂

    Reply
  • June 7, 2010 at 6:56 pm
    Permalink

    If you had been using a phone OS that didn’t “upgrade” you by deleting almost everything on your phone – addressbook entries, passwords, etc. – in the process you’d be better off too. You didn’t delete your passwords, Google’s broken update process did.

    Android’s upgrade process is something Google should be ashamed of, and most PC Linux’s aren’t much better (Ububtu 10.04 is the first major upgrade I’ve ever installed without serious problems that required a complete reinstall from scratch to resolve, and a consequent loss of data, scrabbling around with backups and so forth.) In ten years of doing Mac OS X upgrades I’ve had only one, quite minor, problem with an upgrade.

    There’s simply no comparison, Linux is almost as bad as Windows when it comes to upgrades.

    Reply
  • June 10, 2010 at 7:49 am
    Permalink

    Amusingly, ‘dogs like Internet Explorer’ use the address bar point out what the actual domain of the website you visit is, even if it’s not fully visible, which would have saved you from the twitter.scamsite.com debacle. But hey, let’s all keep reiterating how bad IE is instead of looking for the strong and weak points in all browsers.

    Reply
  • June 19, 2010 at 10:30 am
    Permalink

    Hmmm. So all the fancy techno-gimcracks, the encrupted drive, long random passwords, use of a fringe OS, were not useful defenses. The weak point is the user, not the OS or any of that fancy stuff.

    The other approach is the one I use. Skip the techno tricks (though of course nobody should be using any Microsoft browser in any case) and type in passwords only on sites I’ve typed in myself. No exceptions!

    At least, it’s worked so far.

    Reply
  • June 19, 2010 at 11:16 am
    Permalink

    @Fred
    Almost every *desktop* browser has those same protections. *Mobile* browsers don’t have the space to show the full domain name of a twitter.scamsite URL.

    Reply
  • June 19, 2010 at 11:51 am
    Permalink

    So you’re using a coffee shop’s un-secure WiFi, to enter your passwords somewhere, and you’re clicking on shortened hyperlinks, amongst other things.

    And you SERIOUSLY call yourself technically proficient? You got what you deserved, really. Those are some things no one should do to keep themselves secure, and the “technically sophisticated” author seems to do a lot of them.

    Reply
  • June 19, 2010 at 2:34 pm
    Permalink

    I saw the URL that my browser was contacting with the login info: http://twitter.scamsite.com

    Whenever I look at my mail (I don’t have any use for those iPhone style cells), if I see something that looks like it might be legit and there’s a link, I always put the cursor over it and look at the status bar below to see if the displayed link name matches. 99.9% of the time the phishing expedition becomes obvious right then and there.

    Reply
  • June 19, 2010 at 2:35 pm
    Permalink

    The MacOS X mail app has the ability to show the full URL of any link in an email, and I use it all the time when I get mail that seems legit (I spam filter out all the obvious crap), and even if the URL looks real, that is, matches the text in the email, I go to a browser to log in using a bookmark to that site. In other words, I get mail from “Amazon.com” that has a link text of “amazon.com” but a real URL of “amazon.com.bogus.site.ru/gobblygook_amazon/passwordgrabber.php”, so I teach the spam filter that it’s spam. If the URL matches the text, I still don’t click on the link. I’d still be vulnerable to DNS poisoning, but there’s not much I could do about that anyway.

    Reply
  • June 20, 2010 at 2:10 pm
    Permalink

    I stopped reading at the Firefox / Linux snobbery. Being as unsophisticated as I am, I merely use IE with no anti-virus software whatsoever, and I’ve never had any sort of virus, malware, etc.

    You Linux / Mac guys really need to get over yourselves.

    Reply
  • June 22, 2010 at 7:09 pm
    Permalink

    Besides all the tips listed above, another good thing to do is enter a bogus password if you suspect the site is illegitimate. Usually it will accept it without protest, whereas the true site will error out.

    Reply
  • June 28, 2010 at 7:40 am
    Permalink

    I use McAfee SiteAdvisor which is free and always check the url before I enter a password. Also use different passwords on different sites. Don’t drop your guard for a second.

    Reply
  • Pingback:In which I am stupid | PeterMBall.com

  • Pingback:Pluralistic: How I got scammed (05 Feb 2024) – Pluralistic: Daily links from Cory Doctorow

  • Pingback:Top author reveals how his credit card was scammed – Channel361

  • Pingback:科里·多科托罗:坚持是寄生虫的付出(2010) - 偏执的码农

Leave a Reply

Your email address will not be published. Required fields are marked *