The Magazine and Website of the Science Fiction & Fantasy Field

Locus Online

Cory Doctorow: Persistence Pays Parasites

My friend Katherine Myronuk once told me, “All complex ecosystems have parasites.” She was talking about spam and malware (these days they’re often the same thing) and other undesirable critters on the net. It’s one of the smartest things anyone’s ever said to me about the net – and about the world. If there’s a niche, a parasite will fill it. There’s a reason the cells of the organisms that live in your body outnumber your own by 100 to one. And every complex system has unfilled niches. The only way to eliminate unfilled niches is to keep everything simple to the point of insignificance.

But even armed with this intelligence, I’ve been pretty cavalier about my exposure to net-based security risks. I run an up-to-date version of a very robust flavor of GNU/Linux called Ubuntu, which has a single, easy-to-use interface for keeping all my apps patched with the latest fixes. My browser, Firefox, is far less prone to serious security vulnerabilities than dogs like Internet Explorer. I use good security technology: my hard-drive and backup are encrypted, I surf through Ipredator (a great and secure anonymizer based in Sweden), and I use GRC’s password generator to create new, strong passwords for every site I visit (I keep these passwords in a text file that is separately encrypted).

And I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.

I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.

Or so I thought, until I got phished last week.

Here’s the thing: I thought that phishers set their sights on a certain kind of naive person, someone who hadn’t heard all the warnings, hadn’t learned to be wary of their attacks. I thought that the reason that phishers sent out millions of IMs and e-mails and other messages was to find those naifs and ensnare them.

But I’m not one of those naifs. I’d never been tricked, even for a second, by one of those phishing messages.

Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.

The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers; I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this:

I opened the link with my phone and found that I’d been redirected to the Twitter login page, which was prompting me for my password. Seeing the page’s URL (truncated in the little phone-browser’s location bar as “http://twitter….”) and having grown accustomed to re-entering all my passwords since I’d reinstalled my phone’s OS the day before, I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: (it wasn’t really scamsite, it was some other domain that had been hijacked by the phishers).

And that’s when I realized that I’d been phished. And it was bad. Because I’d signed up for Twitter years ago, when Ev Williams, Twitter’s co-founder, sent me an invite to the initial beta. I’d used a password that I used for all kinds of sites, back before I started strictly using long, random strings that I couldn’t remember for passwords. In defense of the old me, I only used that password for unimportant sites, like services that friends wanted me to sample in beta.

But unimportant sites have a way of becoming important. I’ve got 40,000+ Twitter followers, and if my account was hijacked, the hijackers could do great damage to my reputation and career through their identity theft. What’s more, Twitter isn’t the only place where I used my “low-security” password that has turned into a high-security context, which means that hijackers could conceivably break into lots of interesting places with that information.

So I sat down at a table, kissed my wife goodbye, got my laptop out and started changing passwords all over the net. It took hours (but at least I’ve expunged that old password from my existing accounts, I think). By the time I finished, three more copies of the phishing scam had landed in my Twitter inbox. If they’d come a few minutes earlier, the multiple copies would have tripped my radar and I would have seen them for a scam. The long process gave me lots of time to reconsider my internal model of how phishing works.

Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.

If I hadn’t reinstalled my phone’s OS the day before. If I hadn’t been late to the cafe. If I hadn’t been primed to hear from old friends wondering if some press mention was me, having just published a lot of new work. If I hadn’t been using a browser that didn’t fully expose URLs. If I hadn’t used the same password for Twitter as I use for lots of other services. If I’d been ten minutes later to the cafe, late enough to get multiple copies of the scam at once – for the want of a nail, and so on.

But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher. This is eerily biological, this idea of parasites trying every conceivable variation, at all times, on every front, seeking a way to colonize a host organism. The net’s complex ecosystem is so crowded with parasites now that it is a sure bet that there will be a parasite lurking in the next vulnerable moment I experience, and the next. And I will have vulnerable moments. We all do.

I don’t have a solution, but at least I have a better understanding of the problem. Falling victim to a scam isn’t just a matter of not being wise to the ways of the world: it’s a matter of being caught out in a moment of distraction and of unlikely circumstance.
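The trap the column describes, as an added illustration that is not part of the original piece: a narrow location bar shows the same leading characters for the real login page and for a look-alike whose hostname merely begins with “twitter”, and only the registrable domain (not the first label) tells them apart. The look-alike hostname is a constructed placeholder, and the two-label suffix rule is a simplification (real browsers use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample URLs: the genuine login page and a look-alike on a
# placeholder domain, modelled on the "twitter.scamsite" pattern in the text.
REAL_LOGIN = "http://twitter.com/login"
LOOKALIKE_LOGIN = "http://twitter.scamsite.example/login"


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, without scheme, port or path."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def registrable_domain(host: str) -> str:
    """Approximate the owner-controlled part of a hostname as its last two labels.

    Assumption: a one-label public suffix. Browsers consult the Public Suffix
    List so that e.g. 'example.co.uk' is handled correctly; the simplification
    is enough to show why 'twitter.scamsite.example' is not twitter.com.
    """
    return ".".join(host.split(".")[-2:])


def starts_with_brand(url: str, brand: str) -> bool:
    """The eye's check: does the visible hostname begin with the brand name?"""
    return hostname_of(url).startswith(brand)


def is_expected_site(url: str, expected_domain: str) -> bool:
    """The check that actually matters: compare the registrable domain."""
    return registrable_domain(hostname_of(url)) == expected_domain


def location_bar(url: str, width: int) -> str:
    """Mimic a phone location bar that cuts the URL off after `width` characters."""
    return url if len(url) <= width else url[:width] + "…"


if __name__ == "__main__":
    for url in (REAL_LOGIN, LOOKALIKE_LOGIN):
        print(location_bar(url, 14), "->", registrable_domain(hostname_of(url)),
              "expected:", is_expected_site(url, "twitter.com"))
```

At a width of 14 both URLs render as “http://twitter…”, and `starts_with_brand` passes for both; only `is_expected_site` rejects the look-alike.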


Comment from art_heals
Time May 23, 2010 at 9:30 am

Silver lining to this story. I use my Twitter account to promote my artwork. I was duped by this largely due to my excitement that HiFructose Magazine had apparently reached out to me. I don’t think I’d ever entered my log-in so quickly or with more glee. Obviously this was not really the case. After apologizing to every one of my followers, I mentioned the @hifructosemag lead-in to the incident. Now HiFructose follows me!

Pingback from The Technology newsbucket: too many Angry Birds, pirating free games, skipping Windows Phone and more | Teh Lolz
Time May 25, 2010 at 3:57 am

[…] Cory Doctorow: Persistence Pays Parasites >> Locus Online. Cory Doctorow – yes, him – got phished. Yes, really. And it could happen to you. “for the want of a nail, and so on.” […]

Pingback from Cory Doctorow: Persistence Pays Parasites | The Cynxpire
Time June 5, 2010 at 3:59 am

[…] Or so I thought, until I got phished last week. Article at […]

Comment from readingtheinternet
Time June 5, 2010 at 2:17 pm

Stuff happens. You’re human. 🙂 Glad you fixed all your passwords before someone created havoc.

Though, to be sure, the scam “is this you????” + link (usually to what’s purported to be a picture or video), sent from the account of someone you know has been around for a while. Sadly it can mean your friend’s account was hacked, so sending them some feedback via a reliable channel is usually appreciated.

Just an fyi to anyone reading comments. 🙂

Comment from David S.
Time June 7, 2010 at 6:56 pm

If you had been using a phone OS that didn’t “upgrade” you by deleting almost everything on your phone – addressbook entries, passwords, etc. – in the process you’d be better off too. You didn’t delete your passwords, Google’s broken update process did.

Android’s upgrade process is something Google should be ashamed of, and most PC Linuxes aren’t much better (Ubuntu 10.04 is the first major upgrade I’ve ever installed without serious problems that required a complete reinstall from scratch to resolve, and a consequent loss of data, scrabbling around with backups and so forth.) In ten years of doing Mac OS X upgrades I’ve had only one, quite minor, problem with an upgrade.

There’s simply no comparison, Linux is almost as bad as Windows when it comes to upgrades.

Comment from Fred
Time June 10, 2010 at 7:49 am

Amusingly, ‘dogs like Internet Explorer’ use the address bar to point out what the actual domain of the website you visit is, even if it’s not fully visible, which would have saved you from the debacle. But hey, let’s all keep reiterating how bad IE is instead of looking for the strong and weak points in all browsers.

Comment from tom swift
Time June 19, 2010 at 10:30 am

Hmmm. So all the fancy techno-gimcracks, the encrypted drive, long random passwords, use of a fringe OS, were not useful defenses. The weak point is the user, not the OS or any of that fancy stuff.

The other approach is the one I use. Skip the techno tricks (though of course nobody should be using any Microsoft browser in any case) and type in passwords only on sites I’ve typed in myself. No exceptions!

At least, it’s worked so far.

Comment from W^L+
Time June 19, 2010 at 11:16 am

Almost every *desktop* browser has those same protections. *Mobile* browsers don’t have the space to show the full domain name of a twitter.scamsite URL.

Comment from Sean
Time June 19, 2010 at 11:51 am

So you’re using a coffee shop’s unsecured WiFi to enter your passwords somewhere, and you’re clicking on shortened hyperlinks, amongst other things.

And you SERIOUSLY call yourself technically proficient? You got what you deserved, really. Those are some things no one should do to keep themselves secure, and the “technically sophisticated” author seems to do a lot of them.

Comment from Blacque Jacques Shellacque
Time June 19, 2010 at 2:34 pm

I saw the URL that my browser was contacting with the login info:

Whenever I look at my mail (I don’t have any use for those iPhone style cells), if I see something that looks like it might be legit and there’s a link, I always put the cursor over it and look at the status bar below to see if the displayed link name matches. 99.9% of the time the phishing expedition becomes obvious right then and there.

Comment from CptNerd
Time June 19, 2010 at 2:35 pm

The MacOS X mail app has the ability to show the full URL of any link in an email, and I use it all the time when I get mail that seems legit (I spam filter out all the obvious crap), and even if the URL looks real, that is, matches the text in the email, I go to a browser to log in using a bookmark to that site. In other words, I get mail from “” that has a link text of “” but a real URL of “”, so I teach the spam filter that it’s spam. If the URL matches the text, I still don’t click on the link. I’d still be vulnerable to DNS poisoning, but there’s not much I could do about that anyway.

Comment from John
Time June 20, 2010 at 2:10 pm

I stopped reading at the Firefox / Linux snobbery. Being as unsophisticated as I am, I merely use IE with no anti-virus software whatsoever, and I’ve never had any sort of virus, malware, etc.

You Linux / Mac guys really need to get over yourselves.

Comment from Shawn M.
Time June 22, 2010 at 7:09 pm

Besides all the tips listed above, another good thing to do is enter a bogus password if you suspect the site is illegitimate. Usually it will accept it without protest, whereas the true site will error out.

Comment from Alec Berg
Time June 28, 2010 at 7:40 am

I use McAfee SiteAdvisor which is free and always check the url before I enter a password. Also use different passwords on different sites. Don’t drop your guard for a second.

Pingback from In which I am stupid |
Time August 19, 2010 at 10:11 pm

[…] you’ve never read the Persistence Pays Parasites entry of Cory Doctorow’s Locus column then I heartily recommend dropping over and taking a […]

© 2010-2016 by Locus Publications. All rights reserved.