It can happen to anyone.
May 7, 2010 1:20 PM

Cory Doctorow Gets Phished. A Twitter message with a URL-shortener link is all it took.
posted by sidereal (30 comments total)

This post was deleted for the following reason: It's funny in an ironic sort of way but this isn't exactly substantial news. -- cortex

cache.
posted by stavrogin at 1:25 PM on May 7, 2010


On a wing and a prayer here, could we stave off the "HARR H8 U CORY" or "G_D D_M BOINGBOING" comments and truly focus on the whole Shortener-->Scam URLs-->Pwned thing?

Please? Think of the puppies!
posted by cavalier at 1:28 PM on May 7, 2010


could we stave off the "HARR H8 U CORY" or "G_D D_M BOINGBOING"

Yeah, we could, by not having posted a story about fucking Cory Doctorow getting phished. I'm sure there are a few million other stories just like this that could be posted in its stead.
posted by Threeway Handshake at 1:31 PM on May 7, 2010 [3 favorites]


HARR H8 U CORY.
posted by seanyboy at 1:31 PM on May 7, 2010


C'mon cav -- why else would this be posted here if not to goad the nascent Corey GRAR-age? A horrifically boring account, ultimately. Less interesting than losing one's wallet.
posted by Ogre Lawless at 1:31 PM on May 7, 2010 [1 favorite]


He clicked on a url-shortened link and then typed in his password. He clicked on a url-shortened link and then typed in his password. That's the opposite of internet savvy.

But at least it works as a cautionary tale; all url-shortened links should be ignored and discarded out of hand.
posted by Justinian at 1:31 PM on May 7, 2010


It wouldn't have helped in this case, but one of the many reasons I like Brizzly for twitterin' is that it automatically un-shortens most URLs that have gone through one of these services.
posted by Lentrohamsanin at 1:32 PM on May 7, 2010 [2 favorites]


Well, part of the problem was the short address bar of his mobile phone. Maybe it's time mobile browsers started offering anti-phishing features.

Also, URL shorteners are the devil. Twitter clients (including the Twitter web interface) need to automatically expand shortened URLs. I use a Firefox extension, but that wouldn't do me any good on a phone.

On preview: apparently at least one Twitter interface does that already, so there's hope it'll become a standard practice.
posted by jedicus at 1:34 PM on May 7, 2010


If you want to pass on this thread to anyone, it's at http://bit.ly/d9aoZ8.
posted by lukemeister at 1:34 PM on May 7, 2010 [2 favorites]


Alright, I take it back. His whole premise once it finally loaded was "Look at me, I'm so smart, but I still got phished! Phishing isn't just pointed towards the naive, smart busy people can get phished too!"

Erase my earlier comment >_<.
posted by cavalier at 1:35 PM on May 7, 2010 [1 favorite]


Yeah, it ultimately came down to him entering his password on his N1 without looking at the full URL. There's really no interesting perspective to what happened here. He knew better, he just got lazy.
posted by SpiffyRob at 1:38 PM on May 7, 2010


Still not loading for me. So he was checking twitter on his phone when this happened? Ak. Brizzly - great as it is - isn't something you'd use on a smartphone, it's a (great) web-thing.
posted by dabitch at 1:38 PM on May 7, 2010


He must be steamed.
posted by Blazecock Pileon at 1:38 PM on May 7, 2010 [3 favorites]


I heard he's writing a book.
posted by mecran01 at 1:40 PM on May 7, 2010 [1 favorite]


He must be steamed.

Well, he did get punked.
posted by Shepherd at 1:40 PM on May 7, 2010 [10 favorites]


All it takes is a papercraft model of a steampunk raygun.

"Tell Mr Raygun your password Corey"

"OMGOMG it's 1234AMYCREHORE OMG this is so awesome!"
posted by fire&wings at 1:42 PM on May 7, 2010


That's sad... I've always liked his book Ragtime
posted by daninnj at 1:44 PM on May 7, 2010 [1 favorite]


[/lame]
posted by daninnj at 1:45 PM on May 7, 2010


And that’s when I realized that I’d been phished. And it was bad. Because I’d signed up for Twitter years ago, when Ev Williams, Twitter’s co-founder, sent me an invite to the initial beta

I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU I HATE YOU
posted by nathancaswell at 1:46 PM on May 7, 2010 [9 favorites]


If you're unsure of a shortened web address, try unshortme. Try it on lukemeister's link.
via.
posted by charred husk at 1:49 PM on May 7, 2010 [2 favorites]


People who take from this that Cory isn't internet savvy are letting their biases get in the way of their thinking.

The fact that Cory can, at least, explain in simple terms what he did (wrong) after the fact demonstrates this.

I would say 85% of smartphone users wouldn't even realize they'd done something wrong.

Yes, a URL shortener was the vector here, but equally to blame are the bad habits established by Twitter's insistence on an artificial limit (140 is only really needed if the message is going out over SMS, for which they could run their own shortener) and the general fact that everyone re-uses passwords everywhere.

I wish I had a simple solution to offer here.
posted by These Premises Are Alarmed at 1:51 PM on May 7, 2010 [2 favorites]


People who take from this that Cory isn't internet savvy are letting their biases get in the way of their thinking.

I agree. What happened to Cory was actually pretty scary... I'm sure it could easily happen to me:

Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.

The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers, I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew.

I opened the link with my phone and found that I’d been redirected to the Twitter login page, which was prompting me for my password. Seeing the page’s URL (truncated in the little phone-browser’s location bar as “http://twitter….”) and having grown accustomed to re-entering all my passwords since I’d reinstalled my phone’s OS the day before, I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: http://twitter.scamsite.com (it wasn’t really scamsite, it was some other domain that had been hijacked by the phishers).

posted by KokuRyu at 1:52 PM on May 7, 2010


*sigh* sorry about the slow load. It's basically an edge case - he got dinged with a phish tweet linking to a fake Twitter login page at the exact same time that he was loading up a new internet device. It seemed normal to get the login page, and that's how successful phishing works.
posted by sidereal at 1:53 PM on May 7, 2010


Brizzly for the ipod touch doesn't unshorten links, which is interesting, as one of the things I like about the web interface is that it does show the real url (as well as calculate your character count based on the shortened link).
posted by jeather at 1:54 PM on May 7, 2010


His whole premise once it finally loaded was 'Look at me, I'm so smart...'

Don't forget his waxing metaphorical about the way this parallels biological parasites.

yes thanks cory no one had ever noticed those similarities before that's why i installed norton anti-bad-computer-programs, which takes any harmfully-modified files and isolates-them-in-a-safe-directory-on-my-computer please sir could you be sharing some more of your technological insights

I mean, I hate piling on the guy for no reason, but positioning yourself as a major thinker and creative mind in the modern age and then posting this self-congratulatory bloviating pap, is basically just making a forty-foot "Mock Me!" sign adorned with steampunk greebles.
posted by Riki tiki at 1:56 PM on May 7, 2010 [1 favorite]


Seeing the page’s URL (truncated in the little phone-browser’s location bar as “http://twitter….”)

This is the lazy part by the way. You should never, ever, ever enter your credentials without verifying the whole URL. Cory knows this. He doesn't need to change his outlook, he just needs to be consistent in his actions. The rise of mobile devices is only going to make attacks like this more prevalent, specifically because the entire URL isn't shown.
posted by SpiffyRob at 1:59 PM on May 7, 2010
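The two defensive points raised in this thread, expanding a shortened link before trusting it (charred husk's unshortme, jedicus's auto-expanding client) and checking the whole host name rather than the truncated prefix a phone shows (SpiffyRob's comment above), can be exercised offline. The following is an added example, not code from MetaFilter, Brizzly, unshortme or Cory's post. The redirect table is constructed for the example: it reuses the two short links quoted in the thread, but the targets are made up (scamsite.com is the placeholder Cory himself used, and the bit.ly target is assumed to be the MetaFilter front page). The registrable-domain helper takes the last two labels only, which is a deliberate simplification; real code should consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for the 301/302 Location headers a
# shortener would return, so the example runs with no network access.
# Short codes are the ones quoted in the thread; the targets are assumed.
SHORTENER_REDIRECTS = {
    "http://owl.ly/iuefuew": "http://twitter.scamsite.com/login",
    "http://bit.ly/d9aoZ8": "http://www.metafilter.com/",
}


def expand_url(url, redirects=SHORTENER_REDIRECTS, max_hops=5):
    """Follow the redirect chain and return every hop, short URL first.

    Stops at the first URL with no further redirect. Refuses loops and
    chains longer than max_hops, both of which are red flags on their own.
    """
    hops = [url]
    while len(hops) <= max_hops:
        nxt = redirects.get(hops[-1])
        if nxt is None:
            return hops
        if nxt in hops:
            raise ValueError(f"redirect loop at {nxt}")
        hops.append(nxt)
    raise ValueError(f"more than {max_hops} redirects from {url}")


def registrable_domain(host):
    """Last two labels of the host name.

    Simplification: wrong for multi-label public suffixes such as co.uk.
    It is enough to show that twitter.scamsite.com belongs to scamsite.com.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def truncate_like_phone_bar(url, width=15):
    """Mimic a narrow mobile location bar that shows only the first `width`
    characters (the thread quotes Cory seeing just 'http://twitter....')."""
    return url if len(url) <= width else url[:width] + "..."


def assess_link(short_url, expected_host, redirects=SHORTENER_REDIRECTS):
    """Expand a short link and compare the final host with where the user
    expects to land. The verdict is "ok" only when the registrable domains
    match; a look-alike subdomain prefix is not enough."""
    hops = expand_url(short_url, redirects)
    final = urlsplit(hops[-1])
    host = final.hostname or ""
    matches = registrable_domain(host) == registrable_domain(expected_host)
    return {
        "hops": hops,
        "final_host": host,
        "https": final.scheme == "https",
        "as_shown_on_phone": truncate_like_phone_bar(hops[-1]),
        "verdict": "ok" if matches else "mismatch",
    }


if __name__ == "__main__":
    for short, expected in [("http://owl.ly/iuefuew", "twitter.com"),
                            ("http://bit.ly/d9aoZ8", "metafilter.com")]:
        report = assess_link(short, expected)
        print(f"{short} -> {report['final_host']}: {report['verdict']}")
        print(f"  phone bar would show: {report['as_shown_on_phone']}")
        print(f"  chain: {' -> '.join(report['hops'])}")
```

Run as a script it prints the full chain for each link, the host the page actually lives on, and the misleading fifteen-character prefix a phone bar would have displayed. The useful lesson is in the verdict logic: the decision is made on the registrable domain of the final hop, never on whether the URL "starts with twitter", which is exactly the check that the truncated location bar prevented.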


Riki tiki: "positioning yourself as a major thinker and creative mind in the modern age and then posting this self-congratulatory bloviating pap"

Christ. Did I read a different article than everyone else?
posted by charred husk at 2:00 PM on May 7, 2010


But even armed with this intelligence, I’ve been pretty cavalier about my exposure to net-based security risks.

This doesn't even make sense. He goes on to talk about how secure he is with everything. Which would be the opposite of 'cavalier'. But then the sentence makes less sense.

"But even armed with this intelligence, I’ve been pretty serious about my exposure to net-based security risks."

Brain.. can't... ack.
posted by lholladay at 2:01 PM on May 7, 2010


Also, URL shorteners are the devil. Twitter clients (including the Twitter web interface) need to automatically expand shortened URLs.

Absolutely. Twitter should really unshorten those links in its feed and on the page. Not only does it make phishing really easy, it also damages the web's link structure.

The story makes more sense when you consider that this was on a mobile phone he wasn't used to yet. And they had gotten him through someone else they'd successfully phished.

My bank does something where they show a particular image after entering your username. Of course, all an attacker has to do is get the username in order to find out what the image is, and there are only three pictures to pick from so even if they just guess, they have a 33% chance of success, if the user doesn't notice the certificate changing. (Which is better now that browsers show the certified name in the URL bar)
posted by delmoi at 2:02 PM on May 7, 2010


The message read “Is this you????” ...
If they’d come a few minutes earlier, the multiple copies would have tripped my radar and I would have seen them for a scam.

When I get random messages like that from a friend, I'm immediately suspicious.
Mainly because most of my friends that use multiple ?s have been killed.
posted by Lemurrhea at 2:03 PM on May 7, 2010 [2 favorites]




This thread has been archived and is closed to new comments