Reply All: #93 Beware All
April 6, 2017 2:16 PM

This week, we discover who was actually behind the hack of Alex Blumberg's Uber account. This episode picks up where Episode 91, The Russian Passenger, left off.
posted by dinty_moore (14 comments total) 1 user marked this as a favorite
 
OH MY GOD ALEX BLUMBERG DON'T SIGN UP FOR STUFF WITH YOUR WORK EMAIL.

Like, how is that not the takeaway from this episode? It's bad enough that health insurance is tied to employment, don't make it worse for yourself.
posted by dinty_moore at 2:18 PM on April 6, 2017 [6 favorites]


I loved this episode so much, it felt extremely satisfying to figure out the answer and the solution. I thought the hypotheses presented were out there but possible, yet none of them felt right at all. I knew there had to be an easier solution so it was pleasing to finally get closure on it.

That said, I am appalled that most everyone at Gimlet doesn't run a password manager. I feel like I put it off forever and I checked and I've had it for 7 years now. I signed up the day of the Gawker data breach because my often used user/pass was in it.

It was a pain to set up on the first day, but after a quick import and some changing of the most important passwords that took the better part of a day, it's been smooth ever since and I've changed passwords on thousands of sites to all be extremely difficult and unique. Now I can't imagine life without it.
posted by mathowie at 4:39 PM on April 6, 2017 [2 favorites]


I know I'm being dense but I don't get how the old email thing explains away the two-factor authentication. If someone logged in from another computer wouldn't Alex get texted a code?
posted by CMcG at 5:21 PM on April 6, 2017 [1 favorite]


His old and dead TAL email address (which is what was used for his Uber account instead of his Gmail address) did not have 2FA, so no text messages.

*stares at untouched KeePass download with immense guilt*
posted by maudlin at 6:32 PM on April 6, 2017


I enjoyed this episode. I can think of an embarrassingly large number of times when I was totally convinced I had been SCREWED by the SYSTEM and then realized I had at least had some large hand in what happened. The whole, "Oh shit I was signed up with that email?!!" seemed totally familiar to me. Funny.
posted by latkes at 8:49 AM on April 7, 2017


Enjoyable, but embarrassing for Alex to have not remembered he originally signed up with his TAL email (since that would have made this a lot simpler to solve).

It'd be nice if Reply All did a 'protect your internet security & privacy' show, but, as they are constantly demonstrating, they don't really seem to know how to keep themselves safe.
posted by durandal at 3:54 PM on April 7, 2017 [1 favorite]


I don't see how using a password manager would've prevented what happened. Wasn't the problem that his email address change didn't get changed everywhere in Uber's system? That's not user error.
posted by fuse theorem at 11:12 AM on April 8, 2017 [1 favorite]


Nope, that wasn't it. Alex used his TAL address for Uber, never changed it, and then forgot that fact. Uber never had his current email address. Uber's system did what it was supposed to do, which is to send message after message to the alex@tal address, which he didn't see. That's why they mentioned that he never saw his ride receipts.

And the password manager would have done a couple things. Kept track of what email address is associated with what account (so Alex might have been reminded to look into that TAL address and/or changing that with his Uber account) and allowed the use of unique passwords all over the place, so when breaches occurred, they'd only have compromised the accounts directly exposed (thus preventing the cross password shenanigans that got the Uber account jacked).
posted by ursus_comiter at 1:33 PM on April 8, 2017


If he used a password manager he wouldn't have one password used on every site. He'd have a uniquely generated password for each site he uses, so even though his user/pass was shared in a breach, no one could have used the passwords anywhere else.
posted by mathowie at 2:53 PM on April 9, 2017 [2 favorites]
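The two points made by ursus_comiter and mathowie above (a manager records which address each account was registered under, and a generated per-site password means one breached dump opens one account rather than many) can be shown with a small model. This is an added example, not code from the thread, the podcast, or any real password manager; the site names and addresses are constructed placeholders, and the vault is plain in-memory data rather than the encrypted store a real manager keeps.

```python
"""Toy password-vault model showing why unique, generated passwords and a
record of the registration email limit the damage from one site's breach.
Added example; not from the original thread or any real product."""
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass, field

# Character set for generated passwords. The point is not the alphabet but
# that every password is drawn independently from the OS CSPRNG.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a fresh random password using the secrets module."""
    if length < 12:
        raise ValueError("refuse to generate short passwords")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Entry:
    site: str       # where the account lives, e.g. "uber.example" (constructed)
    email: str      # the address the account was registered with
    password: str


@dataclass
class Vault:
    """Minimal in-memory vault. A real manager encrypts this at rest; this toy does not."""
    entries: list = field(default_factory=list)

    def add(self, site, email, password=None):
        """Store an entry; generates a unique password when none is supplied."""
        if password is None:
            password = generate_password()
        self.entries.append(Entry(site, email, password))
        return password

    def sites_for_email(self, email):
        """Accounts registered under this address (the 'I forgot Uber had my
        old TAL address' problem from the episode)."""
        return sorted(e.site for e in self.entries if e.email == email)

    def reused_passwords(self):
        """Map each password that appears on more than one site to those sites."""
        by_pw = defaultdict(list)
        for e in self.entries:
            by_pw[e.password].append(e.site)
        return {pw: sorted(s) for pw, s in by_pw.items() if len(s) > 1}

    def exposure_from_breach(self, breached_site):
        """If breached_site's credential dump leaks, which of our accounts does
        the leaked password also open? With unique passwords: only that site."""
        leaked = {e.password for e in self.entries if e.site == breached_site}
        return sorted(e.site for e in self.entries if e.password in leaked)


def demo():
    """Contrast a reused password with generated unique ones. All names are
    constructed placeholders."""
    reuse = Vault()
    for site in ("gawker.example", "uber.example", "shop.example"):
        reuse.add(site, "alex@tal.example", "hunter2-everywhere")   # same password everywhere
    reuse.add("bank.example", "alex@tal.example")                   # this one was generated

    unique = Vault()
    for site in ("gawker.example", "uber.example", "shop.example", "bank.example"):
        unique.add(site, "alex@gmail.example")                      # all generated, all different

    return {
        "reuse_breach": reuse.exposure_from_breach("gawker.example"),
        "unique_breach": unique.exposure_from_breach("gawker.example"),
        "reused": reuse.reused_passwords(),
        "old_address_accounts": reuse.sites_for_email("alex@tal.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the reuse vault losing three accounts to one breach while the unique vault loses one, and `sites_for_email` answering the "which accounts still point at my dead work address" question that the episode turned on.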


I also am surprised at how many people use their work email for everything. For one, I just don't want my employer having so much access to my personal digital life. Second, you never know when you're going to change jobs!

At my last job, we had to provide a non-work email address as part of our disaster preparedness protocol (I worked for a medical facility in a hurricane zone). Many of my coworkers only logged in to their personal random Yahoo/Hotmail/MSN account once a year to make sure it was still active. So weird!
posted by radioamy at 4:30 PM on April 11, 2017 [2 favorites]


I wish they had held Uber a little more to account for the fact that he would never have gotten any useful assistance were it not for the fact that he's a journalist. He even called the emergency line AND got a sympathetic employee and got nowhere. Uber keeps its costs down by providing minimal customer service (unless you can threaten them with bad PR.)
posted by Horace Rumpole at 9:49 AM on April 15, 2017 [2 favorites]


I'd love to hear an episode about password managers. Specifically the crazy story of how the market is dominated by two tiny little companies, 1Password and LastPass. At least in the US. Maybe dive back into the history of Microsoft Passport, OpenID, etc. For a product that's so important it sure has some half-assed implementations.
posted by Nelson at 4:29 PM on April 19, 2017


This was very satisfying; and made me yell "oh my god Alex" during my run.

I wish they had held Uber a little more to account for the fact that he would never have gotten any useful assistance were it not for the fact that he's a journalist.

Yes, there was a lot of "nothing we can do" stonewalling from Uber in the first episode, and the whole excuse of "we can't look up an account by its previous email / phone" was bullshit and very unhelpful to victims of account hijacking. (There's also the odd detail that they were unable to find his account by credit card number, which presumably is the one thing that hadn't been changed by the hijacker.)
posted by We had a deal, Kyle at 7:57 AM on July 8, 2017 [2 favorites]


Seems like they should revisit this episode in light of the fact that UBER IS A COMPANY OF LYING LIARS AND THEY SPECIFICALLY LIED ABOUT BEING HACKED AND KNOWING IT
posted by latkes at 3:12 PM on November 30, 2017 [1 favorite]

