In the column “How Scared Should I Be?” VICE staff writer and generalized anxiety disorder sufferer Mike Pearl seeks to quantify the scariness of the world he lives in. We hope it helps you to more wisely allocate that most precious of natural resources: your fear.
It scares me just to write this entry in my column. People who are afraid of, say, sharks can just avoid swimming in the ocean. But how are you supposed to avoid the internet? We’re all on the internet right now, and blogging about hackers feels to me like diving into the water wearing a bathing suit made of chum.
The nightmare scenario, I suppose, is that I’ll accidentally say something a hacker misconstrues as a slight, or that I’ll piss off Anonymous or the Chinese government or Edward Snowden (love you guys!) or just any hoodie-wearing white dude inside a storm of green numbers, and then one day I’ll wake up to find that someone in another country used their coding skills to make my smartphone electrocute my scrotum every time I try to tweet.
So I set out to learn just how likely it is that an elite hacker will come after my precious data, and whether I have the skills necessary to digitally thwart them. I’ll tell you right now: I didn’t like what I found out.
I’ve been thinking about hacking all wrong, according to Justin Cappos, a cyber security expert and assistant professor of computer science at New York University. Computer magicians with a better grasp of Fortran than English aren’t the end-all-be-all of elite hacking, he told me. Even when a hacker wants fame, Cappos explained, “it’s often the goal, and the thing that you’re able to accomplish that’s most impressive,” not the technical skills.
Deliberate attacks don’t necessarily involve much high-level computer know-how, if any. The hacks that make headlines are often just the digital equivalent of watching over someone’s shoulder while they enter their PIN into an ATM. That can mean figuring out their passwords via educated guesses, or studying a piece of software for quirks, then “finding a weird loophole or corner case to go in,” as Cappos put it. In other words, there’s not much of the furious, cinematic typing you’re probably imagining.
And contrary to another of my assumptions, Cappos told me that intrusive, personal hacks don’t always come from full-time hackers attempting to steal important secrets or sabotage people. “A lot of people I know doing this don’t fit the white-male-with-hoodie stereotype very well,” Cappos said. The average person is much more likely to see “something where your ex-boyfriend or ex-girlfriend wants to get into your account because they want to know what’s happening, or who you were talking to.”
Or, in the case of former Miss Teen USA Cassidy Wolf, you might be targeted by a perv from school who wants to sneakily switch on your webcam so he can peep at you when you’re naked. Wolf’s real-life horror story is a deeply unsettling tale of sextortion, but a simple countermeasure can help prevent similar cases in the future: “Sometimes the simple physical hack, like putting a sticker over your webcam, is the most effective,” Cappos told me.
While it’s hard to imagine anyone gaining anything at all by sneaking nude photos of me, Cappos told me I’m missing the point: “You need to think about what you personally value.” He said if I can figure out what kind of exposure would really damage my career or relationships, I can focus my efforts on protecting that information from people—some of whom I might know—crazy enough to steal it. I can be a little more relaxed about the rest.
But infosec writer and former hacker Nik Cubrilovic re-scared me. “I think most people should be aware that they can be hacked, but that they won’t be directly targeted—it’s more likely to happen as a bulk hack,” he told me in an email.
According to a New York Times calculator app built last year, I’ve already been part of groups who were hacked in bulk three times. Generally these were security breaches in the payment systems of large retail chains whose sites I’ve used, but it seems someone might also have had access to my email at some point as well.
The immediate effects of a bulk hack aren’t always readily apparent, and they can, in theory, compound each other in terms of impact. For instance, let’s say I’m a little lax about security, and a chat service I use gets hacked. If I’ve used that chat service to share my HBO Go password with my parents, and my HBO Go password is similar to my online banking password, my bank account could be vulnerable.
For an even scarier example, apps can now record audio while you’re just going about your business and analyze it for marketing purposes. (One such app is Facebook.) “Once it’s collected, it’s just there. It’s counter to their interests to have any information about you ever be lost,” Cappos said. So even if such services have benevolent intentions about what they do with audio they record around you, that audio could eventually be of interest to hackers.
“Think about what the worst plausible outcome is from those kinds of situations,” Cappos said.
When you imagine hacks that can theoretically leapfrog on other hacks, the world abounds with worst plausible outcomes, he explained. And with that in mind, you might want to be suspicious of any internet-enabled stuff you may have lying around your house. “It may sound smart to have an internet-connected kettle. When you think about ‘smart,’ think about ‘hackable,’” he said.
Wait. What could a hacker do with my iKettle Wi-Fi Electric Kettle?
“If they overwrite the firmware in your kettle, who knows?” Cappos said. “Maybe they can start a fire in your house.”
Final Verdict: How Scared Should I Be of Getting Hacked?
4/5: Pissing Myself