My friend Katherine Myronuk once told me, “All complex ecosystems have parasites.” She was talking about spam and malware (these days they’re often the same thing) and other undesirable critters on the net. It’s one of the smartest things anyone’s ever said to me about the net – and about the world. If there’s a niche, a parasite will fill it. There’s a reason the cells of the organisms that live in your body outnumber your own by 100 to one. And every complex system has unfilled niches. The only way to eliminate unfilled niches is to keep everything simple to the point of insignificance.
But even armed with this intelligence, I’ve been pretty cavalier about my exposure to net-based security risks. I run an up-to-date version of a very robust flavor of GNU/Linux called Ubuntu, which has a single, easy-to-use interface for keeping all my apps patched with the latest fixes. My browser, Firefox, is far less prone to serious security vulnerabilities than dogs like Internet Explorer. I use good security technology: my hard-drive and backup are encrypted, I surf through Ipredator (a great and secure anonymizer based in Sweden), and I use GRC’s password generator to create new, strong passwords for every site I visit (I keep these passwords in a text file that is separately encrypted).
And I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.
I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.
Or so I thought, until I got phished last week.
Here’s the thing: I thought that phishers set their sights on a certain kind of naive person, someone who hadn’t heard all the warnings, hadn’t learned to be wary of their attacks. I thought that the reason that phishers sent out millions of IMs and e-mails and other messages was to find those naifs and ensnare them.
But I’m not one of those naifs. I’d never been tricked, even for a second, by one of those phishing messages.
Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.
The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers; I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew.
I opened the link with my phone and found that I’d been redirected to the Twitter login page, which was prompting me for my password. Seeing the page’s URL (truncated in the little phone-browser’s location bar as “http://twitter….”) and having grown accustomed to re-entering all my passwords since I’d reinstalled my phone’s OS the day before, I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: http://twitter.scamsite.com (it wasn’t really scamsite, it was some other domain that had been hijacked by the phishers).
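The trick in that paragraph is mechanical: the trusted name sits as the leftmost label of a host the attacker controls, and a location bar that shows only the first dozen characters cuts off everything that would give it away. The following is an added Python example, not code from the essay, from Twitter or from any browser. It parses the URL with the standard library, takes the registrable domain as the last two host labels (a deliberate simplification; a real check consults the Public Suffix List), and flags URLs where the trusted brand appears only as a subdomain of some other domain. All URLs are constructed, reusing the essay's own `twitter.scamsite.com` stand-in.

```python
"""Why "http://twitter...." in a narrow location bar proves nothing.

Added example, not part of the original essay. Assumptions: the registrable
domain is the last two host labels (wrong for e.g. example.co.uk; use the
Public Suffix List in production), and the "brand" is the first label of the
trusted domain. Sample URLs are constructed.
"""
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host, e.g. 'scamsite.com'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def truncate_for_display(url: str, width: int) -> str:
    """Mimic a narrow mobile location bar: show the first `width` characters
    and an ellipsis, so the real host can be cut off entirely."""
    return url if len(url) <= width else url[:width] + "…"


def is_lookalike(url: str, trusted: str) -> bool:
    """True if the brand label of `trusted` (e.g. 'twitter') appears in the
    host, but the URL's registrable domain is not `trusted` itself.

    Genuine subdomains such as mobile.twitter.com are not flagged because
    their registrable domain *is* the trusted one.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    brand = trusted.lower().split(".")[0]
    if registrable_domain(url) == trusted.lower():
        return False
    # Catch both 'twitter.scamsite.com' and 'twitter-login.scamsite.com'.
    return any(brand in label for label in host.split("."))


def check_login_target(url: str, trusted: str = "twitter.com") -> dict:
    """Summarise what the user saw versus where the form actually posts."""
    return {
        "displayed": truncate_for_display(url, 14),
        "actual_host": urlsplit(url).hostname,
        "registrable": registrable_domain(url),
        "lookalike": is_lookalike(url, trusted),
    }


# Constructed sample login targets: two genuine, two hijacked-domain lookalikes.
SAMPLES = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://twitter.scamsite.com/login",
    "http://twitter-login.scamsite.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = check_login_target(u)
        print(f"{r['displayed']:<16} -> {r['registrable']:<16} lookalike={r['lookalike']}")
```

Run as a script it prints one line per sample; the two lookalikes display almost identically to the genuine URLs at fourteen characters but resolve to `scamsite.com`. The same registrable-domain comparison is what a password manager does before offering to fill a saved credential, which is why a manager that refuses to fill on `twitter.scamsite.com` is a stronger defence than reading the location bar.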
And that’s when I realized that I’d been phished. And it was bad. Because I’d signed up for Twitter years ago, when Ev Williams, Twitter’s co-founder, sent me an invite to the initial beta. I’d used a password that I used for all kinds of sites, back before I started strictly using long, random strings that I couldn’t remember for passwords. In defense of the old me, I only used that password for unimportant sites, like services that friends wanted me to sample in beta.
But unimportant sites have a way of becoming important. I’ve got 40,000+ Twitter followers, and if my account was hijacked, the hijackers could do great damage to my reputation and career through their identity theft. What’s more, Twitter isn’t the only place where I used my “low-security” password that has turned into a high-security context, which means that hijackers could conceivably break into lots of interesting places with that information.
So I sat down at a table, kissed my wife goodbye, got my laptop out and started changing passwords all over the net. It took hours (but at least I’ve expunged that old password from my existing accounts, I think). By the time I finished, three more copies of the phishing scam had landed in my Twitter inbox. If they’d come a few minutes earlier, the multiple copies would have tripped my radar and I would have seen them for a scam. The long process gave me lots of time to reconsider my internal model of how phishing works.
Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.
If I hadn’t reinstalled my phone’s OS the day before. If I hadn’t been late to the cafe. If I hadn’t been primed to hear from old friends wondering if some press mention was me, having just published a lot of new work. If I hadn’t been using a browser that didn’t fully expose URLs. If I hadn’t used the same password for Twitter as I use for lots of other services. If I’d been ten minutes later to the cafe, late enough to get multiple copies of the scam at once – for the want of a nail, and so on.
But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher. This is eerily biological, this idea of parasites trying every conceivable variation, at all times, on every front, seeking a way to colonize a host organism. The net’s complex ecosystem is so crowded with parasites now that it is a sure bet that there will be a parasite lurking in the next vulnerable moment I experience, and the next. And I will have vulnerable moments. We all do.
I don’t have a solution, but at least I have a better understanding of the problem. Falling victim to a scam isn’t just a matter of not being wise to the ways of the world: it’s a matter of being caught out in a moment of distraction and of unlikely circumstance.
Cory Doctorow is the author of Walkaway, Little Brother and Information Doesn’t Want to Be Free (among many others); he is the co-owner of Boing Boing, a special consultant to the Electronic Frontier Foundation, a visiting professor of Computer Science at the Open University and an MIT Media Lab Research Affiliate.
From the May 2010 issue of Locus Magazine