Hackers steal tools from NSA, hack everyone with them

From the New York Times:

Hackers exploiting data stolen from the United States government conducted extensive cyberattacks on Friday that hit dozens of countries, severely disrupting Britain’s public health system and wreaking havoc on tens of thousands of computers elsewhere, including Russia’s ministry for internal security.

Link

There are really only two things that need to be said about this, both said well by others:

  1. “Remember last year when a whole bunch of people wanted Apple to create a special version of iOS for the U.S. government, under the promise that it would never escape their safe hands and get into the wild?” John Gruber, Daring Fireball (link)
  2. “Either everyone gets security or no one does.” Bruce Schneier (link)

The point is there’s no such thing as a security backdoor that “only I can use.” A backdoor, once built, is a vulnerability waiting for whoever obtains it, as the theft of these tools shows. If you want systems to truly be secure, they must be secure against everyone.

Don’t Click Links in Emails, John Podesta Edition

The news today thinks it knows how John Podesta, Hillary Clinton’s campaign chairperson, got badly hacked.

John gets an email. It’s allegedly from no-reply@accounts.googlemail.com. It tells him that “someone” from Ukraine tried to log in to his Gmail account, and that he should change his password.

John’s IT person inexplicably says the email is legit and that he should change his password immediately. John apparently clicks the provided link and gives his Gmail password away.

Red flags that the email is not legit:

  • The subject is *Sоmeоne has your passwоrd*. Hmm… odd phrasing. Odd-looking o’s.
  • The change password link is to a bitly.com address. (Don’t go there.)

Do not click links in emails. Especially do not click links in odd-looking emails, or links that hide their destination behind a link-shortening service.
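Both red flags above can be checked mechanically before a user ever sees the link. The following Python is an added example, not code from the original post: it inspects a subject line for letters from more than one script (the Cyrillic “о” lookalikes in the reported subject) and pulls out links that point at a shortener. The shortener host list and the sample email are constructed for this example; the sample subject reproduces the three Cyrillic o’s as `\u043e` escapes so they are visible in the source.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Hosts of common link-shortening services. Assumption: a small hand-picked
# list for this example; a real mail filter would use a maintained list.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def letter_script(ch):
    """Script of a letter, taken from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC', 'GREEK'); None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def non_latin_letters(text):
    """Every letter in text that is not Latin, as (index, char, script)."""
    return [(i, ch, letter_script(ch))
            for i, ch in enumerate(text)
            if ch.isalpha() and letter_script(ch) != "LATIN"]


def scripts_in(text):
    """Set of scripts used by the letters of text."""
    return {letter_script(ch) for ch in text if ch.isalpha()}


def shortened_links(body):
    """URLs in body whose host is a known link shortener."""
    found = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_HOSTS:
            found.append(url)
    return found


def phishing_red_flags(subject, body):
    """Plain-English red flags for the two tells discussed above: homoglyph
    letters mixed into the subject, and a shortener link in the body.
    A subject written entirely in one non-Latin script is not flagged,
    only a mix of scripts is."""
    flags = []
    odd = non_latin_letters(subject)
    if odd and len(scripts_in(subject)) > 1:
        where = ", ".join(f"{ch!r} ({script}) at {i}" for i, ch, script in odd)
        flags.append(f"subject mixes scripts: {where}")
    for url in shortened_links(body):
        flags.append(f"link hides its destination behind a shortener: {url}")
    return flags


# Constructed sample modelled on the reported email. The three 'o's in the
# subject are Cyrillic U+043E, which renders almost identically to Latin 'o'.
SAMPLE_SUBJECT = "S\u043eme\u043ene has your passw\u043erd"
SAMPLE_BODY = (
    "Someone just used your password to try to sign in to your Google Account.\n"
    "Location: Ukraine\n"
    "You should change your password immediately.\n"
    "CHANGE PASSWORD: https://bitly.com/example-link\n"  # constructed shortener link
)

if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_SUBJECT, SAMPLE_BODY):
        print("RED FLAG:", flag)
```

Run against the constructed sample, the script reports both tells: the subject mixes Latin and Cyrillic letters at positions 1, 4 and 22, and the only link in the body resolves to a shortener rather than to a Google account page. The mixed-script check is deliberately narrow: it will not catch a phishing subject spelled entirely in Latin letters, and it should not be the only control, but it costs nothing and would have fired on this message.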

I don’t really blame Mr. Podesta. We expect too much of users regarding computer security. But still. This is avoidable.