Metafilter's 20th anniversary
! To celebrate,
scan some cats
help fund Mefi
: #93 Beware All
April 6, 2017 2:16 PM -
This week, we discover who was actually behind the hack of Alex Blumberg's Uber account. This episode picks up where Episode 91, The Russian Passenger, left off.
(14 comments total)
1 user marked this as a favorite
OH MY GOD ALEX BLUMBERG DON'T SIGN UP FOR STUFF WITH YOUR WORK EMAIL.
Like, how is that not the takeaway from this episode. It's bad enough that health insurance is tied to employment, don't make it worse for yourself.
on April 6, 2017 [
I loved this episode so much, it felt extremely satisfying to figure out the answer and the solution. I thought the hypotheses presented were out there but possible, yet none of them felt right at all. I knew there had to be an easier solution so it was pleasing to finally get closure on it.
That said, I am appalled that most everyone at Gimlet doesn't run a password manager. I feel like I put it off
and I checked and I've had it for 7 years now. I signed up the day of the Gawker data breach because my often used user/pass was in it.
It was a pain to set up on the first day, but after a quick import and some changing of the most important passwords that took the better part of a day, it's been smooth ever since and I've changed passwords on thousands of sites to all be extremely difficult and unique. Now I can't imagine life without it.
on April 6, 2017 [
I know I'm being dense but I don't get how the old email thing explains away the two-factor authentication. If someone logged in from another computer wouldn't Alex get texted a code?
on April 6, 2017 [
His old and dead TAL email address (which is what was used for his Uber account instead of his Gmail address) did not have 2FA, so no text messages.
*stares at untouched KeePass download with immense guilt*
on April 6, 2017
I enjoyed this episode. I can think of an embarrassingly large number of times when I was totally convinced I had been SCREWED by the SYSTEM and then realized I had at least had some large hand in what happened. The whole, "Oh shit I was signed up with that email?!!" seemed totally familiar to me. Funny.
on April 7, 2017
Enjoyable, but embarrassing for Alex to have not remembered he originally signed up with his TAL email (since that would have made this a lot simpler to solve).
It'd be nice if Reply All did a 'protect your internet security & privacy' show, but, as they are constantly demonstrating, they don't really seem to know how to keep themselves safe.
on April 7, 2017 [
I don't see how using a password manager would've prevented what happened. Wasn't the problem that his email address change didn't get changed everywhere in Uber's system? That's not user error.
on April 8, 2017 [
Nope, that wasn't it. Alex used his TAL address for Uber, never changed it, and then forgot that fact. Uber never had his current email address. Uber's system did what it was supposed to do, which is to send message after message to the alex@tal address, which he didn't see. That's why they mentioned that he never saw his ride receipts.
And the password manager would have done a couple things. Kept track of what email address is associated with what account (so Alex might have been reminded to look into that TAL address and/or changing that with his Uber account) and allowed the use of unique passwords all over the place, so when breaches occurred, they'd only have compromised the accounts directly exposed (thus preventing the cross password shenanigans that got the Uber account jacked).
on April 8, 2017
If he used a password manager he wouldn't have one password used on every site. He'd have a uniquely generated password for each site he uses, so even though his user/pass was shared in a breach, no one could have used the passwords anywhere else.
on April 9, 2017 [
I also am surprised at how many people use their work email for everything. For one, I just don't want my employer having so much access to my personal digital life. Second, you never know when you're going to change jobs!
At my last job, we had to provide a non-work email address as part of our disaster preparedness protocol (I worked for a medical facility in a hurricane zone). Many of my coworkers only logged in to their personal random Yahoo/Hotmail/MSN account once a year to make sure it was still active. So weird!
on April 11, 2017 [
I wish they had held Uber a little more to account for the fact that he would never have gotten any useful assistance were it not for the fact that he's a journalist. He even called the emergency line AND got a sympathetic employee and got nowhere. Uber keeps its costs down by providing minimal customer service (unless you can threaten them with bad PR.)
on April 15, 2017 [
I'd love to hear an episode about password managers. Specifically the crazy story of how the market is dominated by two tiny little companies, 1Password and LastPass. At least in the US. Maybe dive back into the history of Microsoft Passport, OpenID, etc. For a product that's so important it sure has some half-assed implementations.
on April 19, 2017
This was very satisfying; and made me yell "oh my god Alex" during my run.
I wish they had held Uber a little more to account for the fact that he would never have gotten any useful assistance were it not for the fact that he's a journalist.
Yes, there was a
of "nothing we can do" stonewalling from Uber in the first episode, and the whole excuse of "we can't look up an account by its previous email / phone" was bullshit and very unhelpful to victims of account hijacking. (There's also the odd detail that they were unable to find his account by credit card number, which presumably is the one thing that
been changed by the hijacker.)
We had a deal, Kyle
on July 8, 2017 [
Seems like they should revisit this episode in light of the fact that UBER IS A COMPANY OF LYING LIERS AND THEY SPECIFICALLY LIED ABOUT BEING HACKED AND KNOWING IT
on November 30, 2017 [
« Previous Episode
Next Episode »
Into the Badlands: Tiger Pushe... | Into the Badlands: Force of Ea...
You are not logged in, either
create an account
to post comments
Apr 6, 2017