Followup to yesterday’s post on how someone hacked my gmail account:
If you choose to add Google Authenticator instead of SMS messages as a two-factor authentication scheme, be aware of the following:
There is a good chance you will add Authenticator as a “primary” authentication scheme, but SMS messages will remain as an alternative option.
This means that an attacker could always bypass Authenticator and just use SMS, which is weak if you use Pushbullet or any other scheme that syncs your SMS messages to your desktop.
If you sync your SMS messages to your computer, you have to make sure to remove SMS messages as an alternative authentication method, not just add Authenticator.
Thanks Eyal Brosh for alerting me to this fact.
Update: See also this important followup.
Or: why 2-factor authentication is important, and how to use and misuse it.
This is a really important post, and everyone should read it. There’s even a bonus at the end.
I’ve been using 2-factor authentication since forever now. A while ago, I had horrible security practices – I was basically using the same simple password everywhere “because it didn’t matter and I was lazy”.
Then, someone hacked into Pizza Hut’s website and got to my email. Not fun.
Well, it turns out there are edge cases.
My chosen method of doing two-factor auth was using SMS codes. Whenever I logged in to a service, a unique code was sent to me via SMS. Well, I recently started using the wonderful Pushbullet chrome extension that lets me send SMS messages from my laptop, and all kinds of wonderful things. Problem is: it’s a security hazard, especially when you’re using SMS as your two-factor component.
The whole point of two-factor auth is this: You separate your authentication into two factors: One thing you remember (password), and one thing you have (your phone). An attacker might take possession or guess one of these factors, but it’s much more difficult to simultaneously guess/know your password while having possession of your physical phone.
Using extensions such as pushbullet, or whatever equivalent thing Apple users do, defeats this purpose. If someone hacks into your computer and sniffs your password, they also have access to your phone because it’s synced to the computer. So they basically OWNz you.
So, my solution was to switch to the Google Authenticator app which is the standard solution to the problem I just described. Its purpose is to generate login codes in a secure way, and it is in no way synced to anywhere, so an attacker would still have to have your physical phone in order to use it. Problem solved, right?
Well, yes and no.
So the good news is that this covers most issues and works well most of the time. But, there are caveats. One major caveat is this: in some cases, if your phone is lost or damaged, you are fucked. Since the authentication isn’t based on something like a phone number / SIM card that you can recover if needed, but rather on an app that isn’t backed up anywhere by design … if your phone is lost you just cannot recreate these codes.
There are a few workarounds.
The common workaround is a “backup phone number“. You can enter a friend’s phone number (one that doesn’t use Pushbullet!), so that if your own phone is lost, you can contact your friend and have them help you log in.
Another, arguably more secure alternative is backup codes. Now, this is rather advanced so I assume 99% of the people who use two-factor auth don’t do this, but you can prepare in advance and print out backup codes that help you log in if your phone is lost. I haven’t been doing this systematically until now, but will start using them today on every supported service. Note: depending on your level of paranoia, you should keep these codes somewhere safe from burglars, loss, cats etc.
So, why did I pick today to start using backup codes? Because I was just hacked. Yes, me with all my paranoia… hacked.
What just happened? I don’t really know the full story.
TL;DR – I disabled my 2-factor auth for a few days for technical reasons. A hacker used this time to login into my account.
How do I know I was hacked? Because of this:
I just woke up to find two emails from Google that my account was accessed, one from Safari (which I never use), and another from Android. These emails are normal when you log in from a new device, but these login attempts happened while I was asleep/busy and from a device I never use which is a big freaking warning sign. I’m lucky the attacker wasn’t able to use their access to delete these emails, because otherwise I wouldn’t have known the hack even happened.
Note the key icon, which indicates that this is not a phishing attempt: the emails really came from Google. Note also that the emails were addressed to “email@example.com” and not to “firstname.lastname@example.org” or “email@example.com”, yet they were delivered to firstname.lastname@example.org – this is a detail that still puzzles me. If anyone can explain this inconsistency, they’ll earn my gratitude.
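The alerts above are what saved the author: a login from a client never seen on the account, at an hour he was asleep, while two-factor auth was switched off. As an added example (not the author’s data and not Google’s real alert format; the event records and field names are constructed for illustration), this is the shape of the detection logic a service would run to raise such a new-device alert, with severity raised when the login happened without a second factor or at an unusual hour.

```python
from typing import Dict, Iterable, List, Optional

# Constructed sample of account-activity events (not real data). "client" is
# the device/browser that logged in; "twofa" records whether a second factor
# was actually required at that login.
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T09:12:00Z", "user": "alice", "client": "Chrome/Linux", "twofa": True},
    {"ts": "2015-06-02T22:40:00Z", "user": "alice", "client": "Chrome/Linux", "twofa": True},
    {"ts": "2015-06-03T03:05:00Z", "user": "alice", "client": "Safari/Mac", "twofa": False},
    {"ts": "2015-06-03T03:20:00Z", "user": "alice", "client": "Android", "twofa": False},
]

OFF_HOURS_END = 6  # logins between 00:00 and 05:59 UTC count as off-hours here (assumption)


def new_device_alerts(events: Iterable[dict],
                      known: Optional[Dict[str, Iterable[str]]] = None) -> List[dict]:
    """Emit one alert per login from a client not previously seen for that user.

    `known` seeds the per-user set of trusted clients (e.g. from enrolment);
    the function also learns each newly seen client so it alerts only once.
    """
    seen_by_user = {u: set(c) for u, c in (known or {}).items()}
    alerts = []
    for ev in events:
        seen = seen_by_user.setdefault(ev["user"], set())
        if ev["client"] in seen:
            continue
        seen.add(ev["client"])
        hour = int(ev["ts"][11:13])
        off_hours = hour < OFF_HOURS_END
        # A new device is always worth telling the user about; it is far more
        # suspicious when no second factor stood in the way or it is 3 AM.
        severity = "high" if (not ev["twofa"] or off_hours) else "medium"
        alerts.append({
            "user": ev["user"],
            "client": ev["client"],
            "ts": ev["ts"],
            "twofa": ev["twofa"],
            "off_hours": off_hours,
            "severity": severity,
            "reason": "login from a client not seen before on this account",
        })
    return alerts


if __name__ == "__main__":
    for a in new_device_alerts(SAMPLE_EVENTS, known={"alice": ["Chrome/Linux"]}):
        print(f'[{a["severity"]}] {a["user"]} from {a["client"]} at {a["ts"]} '
              f'(2FA={a["twofa"]}, off_hours={a["off_hours"]})')
```

The essential property, as the post notes, is that the alert goes somewhere the attacker cannot simply delete: an email to the compromised inbox only helps if the intruder fails to clean up, so a copy to a recovery address or a push notification to the enrolled phone is the stronger channel.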
To summarize this post: Login security is still an unsolved problem. All the details I described above are way too difficult for the average user to bother to understand and follow. Accounts are not safe, but you can significantly upgrade your security by learning and applying some techniques. Stay safe.
P.S – Why did I disable 2-factor auth in the first place?
My primary phone had a malfunctioning GPS device, so I was having it fixed and I was using an alt phone. Before I put my phone in the repair shop, I had to switch my Google Authenticator from my primary phone to my alt one (you must do this for every account/service you use Authenticator with! Remember, you have to have your physical phone with you in order to login!)
The problem was that my alt phone was rather shitty and braindead. After a bit of usage, its charger outlet gave out, and now it can never be recharged again! As soon as I noticed this I made a mental note to myself that I need to keep a little bit of battery in order to move Authenticator apps from my alt back to my primary phone, after I get it back from the shop.
Once I got my primary phone, I realized the repair shop had formatted it completely, despite my explicit instructions (it’s Eline, don’t buy anything there!). Long story short, my alt phone with a working Authenticator was quickly running out of battery as I was trying to switch my Authenticator app to my new phone. I was literally racing against time, because if my phone reached 0% battery then I would be locked out of my account. So in this race, I only had time to disable 2-factor auth, because installing the Authenticator app on my new formatted phone took a bit more time than I had battery left. I thought to myself “well, I’ll just turn off 2-factor auth for a few days, it won’t hurt … I have a strong password”. Well, guess I was wrong. In the 3 days since I did that, someone already hacked my account. I don’t know how, I had a working assumption that my laptop was mostly hacker free, but perhaps that’s not the case. In any case, another important thing you should take away (luckily I already know this) – assume your laptop can be hacked, and don’t keep anything really important on it.
P.S.S – Bonus
For those who survived this post until this point: A new website I just discovered and starting to use is haveibeenpwned.com. You can check if your login information is found in any known major hacking, and get notified on future hacks. Here is how I was pwned:
So, apparently I had an account at Forbes.com (I didn’t even remember this), and this account was hacked in Feb 2014. It’s not really critical to me since I don’t use the same password there, but it’s still nice to know a little bit about known hacks that uncover my details. Are you pwned?
As I was running yesterday, this image flashed into my mind.
I believe I had never seen this fractal before. It is original.
It’s possible someone else discovered it, maybe even that I saw it somewhere. The mind works in mysterious ways.
But if that happened, I repressed the memory of seeing it.
In other words, I believe I came up with this one all by myself.
So, after seeing this image flashing in my head, I just had to make it a reality. To code it.
Some Googling led me to this awesome post on 7 awesome free tools for creating fractals. I tried out a couple of tools – they were awesome indeed! But they were too limited and could not produce the image that haunted me.
So, I turned to the basics. Coding it from scratch. Using Logo.
Logo was the first programming language I ever learned. My dad taught me how to code in Logo when I was a young kid. I don’t know how old I was, maybe 8 or 9. I had a 286 computer which was rad, because all the other kids had XTs, except my friend who had a 386 powerhouse.
I never thought I would use Logo for anything. But yesterday, it was the best tool for the job.
So, here I present the code for Fractional Fractal. This Fractal represents the series of fractions 1/2, 1/3, 1/4, 1/5, 1/6…
Finally, I’d like to end this post with a thank you.
Thank you dad, for believing in me. For teaching a young kid how to program. How to think. How to love math, logic, programming and reasoning. How to be analytical. This is a core part of myself that I owe to you. #StillYourKid.
<tears of joy>
Update: If you are able to read Hebrew, forget this post, and go read this. It is a much more useful description of an awakening experience.
I would like to tell you about two unique experiences in my life, unlike everything else I have ever experienced. These, I learned, are called “Satori” experiences.
In the Zen Buddhist tradition, satori refers to the experience of kenshō, “seeing into one’s true nature”. Ken means “seeing,” shō means “nature” or “essence.”
Satori and kenshō are commonly translated as enlightenment, a word that is also used to translate bodhi, prajna and buddhahood.
I don’t know about other people’s experience of satori, I can only tell you about my own. I can’t really describe them, reading about the experience pales in comparison to experiencing them.
My first satori happened about three years ago. It happened several days after my first ever intake of weed. I have no idea if that had anything to do with the experience or not, but I know it was a very small dose, I wasn’t feeling high or anything out of the ordinary in the days between my weed consumption and my satori experience. It felt like it didn’t affect me at all. And then satori happened.
I experienced utter bliss. I knew that my place in the world was right here, right now. Everything I did felt perfect. I could make no mistakes, even if I really tried. In fact, the very concept of mistakes didn’t make sense to me – anything that anyone ever did was perfect. It was what was needed at that time. I knew that I had a role to play in the universe, and I was playing it perfectly. I was doing my important bit to progress the universe to its next, evolved state. I was important, not more than other people, but I was zoomed in on my own importance and felt that my existence mattered. I hardly needed sleep, for almost a week. I was going to sleep at 3 AM and waking up at 5 AM … just because my brain woke up me. I had to go do important work.
I was walking my dog in the garden, and felt how this moment was perfect. I had a headache from hardly sleeping for days, and the pain registered on my senses, but I felt that the pain is just a phenomenon I observed … it didn’t cause me any suffering whatsoever, it was just a signal from my body “I need more sleep”. Just something that was happening to my body, not to “my self”.
My second satori happened a few months ago, in Midburn, the Israeli Burning Man. It was a lot like the first one, with a few differences:
It was definitely unrelated to weed or any other drug. I am actually on a break from weed for the last few months, in order to diagnose my suspected bipolar symptoms, and I was clean when satori happened.
While the experience was similar to the first in that I felt the ultimate acceptance, peace, “All is well with the world and with my life” feeling … an interesting difference was that this time, I felt all kinds of what people usually describe as “negative emotions”. I was dancing alone in a crowded party, and felt alone. I felt afraid. I felt angry. The amazing thing, however, is that throughout feeling these so called “negative emotions”, I simultaneously felt “This is still perfect. I am feeling exactly what I’m supposed to be feeling right now. The world is perfect. My life is perfect. I am supposed to feel alone right now, because I really didn’t connect to anyone in this party. I am supposed to be sad, or angry or whatever other emotion I was having”.
Usually when “negative emotions” arise, they are accompanied with a sense of “damn, why I am feeling this right now. My life sucks”, or “I shouldn’t feel this right now, stop feeling it already!”. This time, my satori stayed through these strong emotions, and I was still feeling bliss coupled with all the other human emotions. Like my first satori, the second one lasted for a few days as well.
At first, after my first satori had ended, I felt quite alone. Nobody could understand what I went through. I failed to reproduce this ultimate high I had reached, and I couldn’t communicate what I felt. This year, something amazing happened. I met someone awesome who told me she’s had the same experience as me and told me the name “Satori” that categorizes this unique experience. She then went on to introduce me to a group of people who have had several different awakening experiences, some of them having had dozens or more different satori experiences! I had people to talk to about this, and explore what they mean and how to see past them. I am still exploring this, I don’t have all the answers. But I’m seeking.
I’m building a social network designed for Polyamory and non-monogamous relationships. Not going to elaborate a lot at this point, but: if you know a great UX/UI designer who is passionate about the subject and willing to work for percentages, let me know.
Details … when it’s ready
I would like to introduce you to Synereo, the world’s first fully decentralized, attention-based social network.
I wrote before about the need for a decentralized internet, which is rapidly being built. Synereo is building the social networking platform for that model. One important difference between them and other decentralized open source social networks (Diaspora anyone?) is that Synereo has an internal tradeable token that can be used to monetize the network, fund development, and attract users (free amps anyone?)
In a world where users are products, Synereo’s model turns users into active agents that get rewarded for their actions, content and attention.
I haven’t had the chance to really dig into their model or tech stack, although I know and highly appreciate the founder. The tech isn’t really ready yet, they are just raising funds now (the sale of ‘amps’ ends in 16 days).
* Disclaimer – I am not invested in Synereo, nor do I own any ‘amps’.
It’s been a while dear readers. How are you people doing?
The focus of this blog was always a bit unclear. A bit of programming, Magic: the Gathering, Bitcoin … but mainly as the title says “Stuff Ron Gross Finds Interesting”. So, here’s what’s been going on with my life lately.
I quit my last paying job at Commerce Sciences around July 2013, to focus on my first full-time startup, bitblu. After a few months of assessing the market, business model, and mainly regulation, my partner Yuval and I decided that this business was not viable at that time.
I sat at home depressed for a few weeks, because yet another startup I tried had failed. Then, I realized that the Mastercoin Foundation, of which I was a founding board member, needed leadership and direction. I accepted the position of Executive Director, and spent the next several months turning it from an extremely loose and chaotic organization, to something that at least resembles a traditional startup in terms of organization and operations (I can’t thank my CTO Craig for that enough – you rock Craig!). For the first time of my life, I was an “actual CEO” of a company with a real budget!
I gained invaluable experience and learned a ton, and appreciate the unique opportunity I was given. However, the stress of that period was, quite literally, enormous. I was managing a team of about 15+ people, spread out all around the world, most of whom I hardly ever met except at the occasional Bitcoin conference. Our budget, denominated in Bitcoin, initially rose with the Bitcoin bubble of Dec 2013 … but then quickly plunged as the bubble burst. We did not have the foresight to liquidate a significant amount into USD in time, and thus the Foundation was stuck with dwindling resources, when a lot of the dev work still remained. Also, unlike a traditional startup, there was simply no way to do another financing round. The financing structure, as decided in July 2013, was selling newly minted ‘MSC’ tokens to investors when the Foundation started, and we promised these investors that no new MSC will be issued, ever. The Foundation was a non-profit entity from its conception, and we struggled without success to find a viable for-profit business model to support the tremendous innovation that we were developing. Even though we pioneered the “Bitcoin 2.0” industry, agile competitors emerged under every rock.
I was having major doubts both about the project’s apparent lack of a business model, and about my personal ability to lead it and inspire our team, and so finally, in August 2014 I decided to resign. It felt both absolutely horrible and joyful at the same time. Horrible, because I felt like I was abandoning the ship (shouldn’t the captain be the last one to leave, or drown with the ship?), and joyful because the tremendous pressure has finally lifted.
Until then, I had been literally working my ass off nonstop for more than a decade, and finally, I took a few precious months as vacation. I wish I could say I did something awesome with my time off like traveled, volunteered, or some amazing creative work … but frankly what I did most of the time was play Starcraft 2 (oh, and I got back to playing chess regularly after about 18 years away from the game!)
At this point, I was exhausted and confused. I didn’t really know what I wanted, whether I want to work on something productive, or stay at home and play computer games for the next five years. Being on vacation was harder than I thought (I kept blaming myself for not checking my inbox at all for a week at a time), but I was getting used to it and actually started to enjoy it. This vacation continued for a couple of months, until, bam! A flash of inspiration exploded in my mind, and I started ReverseFunder with a blaze of glory.
The idea was to solve the Mother of All Problems – how to accelerate the rate of human innovation. Tap into ideas from the hivemind, connect capable Makers with a drive to develop projects, and fuel this with funding from Kickstarter-like Backers. Add in some crowd-editing collaboration magic sauce, and you got a startup-generation machine. I found a great co-founder, and together we went out and talked to a billion different people. We analyzed the market, studied existing solutions, needs … and came to the sad conclusion that the market was overcrowded, and that our envisioned solution was just too complicated to ever work. We pivoted, but then, my personal life kicked in and turned the tables.
Yes, entrepreneurs are “allowed” to have a personal life.
See, about 2.5 years ago, I discovered Polyamory.
There I was, in a monogamous marriage … and suddenly discovered that I was Poly. In fact, the idea of monogamy just didn’t click for me anymore, at all. I think it’s something that’s always lurked behind the scenes, and now, having found out that there are actually people out there having multiple, consensual, honest romantic and sexual relationships, it just hit me like a ton of bricks.
I won’t go into all the details for obvious reasons. It suffices to say that last November, shit finally hit the fan. I knew that I could not stay in a closed relationship, and my wife did not want to open our marriage (I fully support her on this – Polyamory is not for everyone!). I realized that staying together any longer and working on our problems was just us playing delay tactics, and would just cause more pain for us both long term. So I decided to jump yet another ship (I at least take comfort in the fact we were together for a whole nine years … a lot more than I held any job or position).
Long story short, I “found myself” in two lovely polyamorous relationships, learning how to work within that system as I go along. It’s complicated and there are new challenges, yet I find it to be a very rewarding, viable alternative to Monogamy. More on that later in a separate post?
Now, I’ll queue in the kicker. Together with everything else that was happening to me, I found myself stuck in a cycle of hypomania and depression. I self-diagnosed myself as bipolar (pending a formal diagnosis). What this means is that throughout the last few years, I’ve been having episodes of hypomania – a terrific state of mind where everything is clear, energetic, I almost don’t need any sleep (3 hours a night for a week), I have tons of ideas for new projects and activities, and I do a shitload of useful work. The other end of the stick is episodes of deep depression – staying in bed for days at a time, playing chess on my smartphone, and doing nothing, not seeing the point of getting up and going to work, of doing anything, of treating myself, of communicating with loved ones and family members.
These fluctuations have been my difficult routine for the last several months. I started seeing a psychologist (I feel very optimistic about the process when I’m manic, and I feel like he’s not contributing anything when I’m depressed), planning to see a psychiatrist for a formal diagnosis, trying to get my shit together. I’ll confess here that thoughts of suicide have crossed my mind several times.
I wanted to blog about my depression / bipolar episodes for a while, but didn’t have the energy to do it. When depressed, anything, even trivial tasks, seem enormous and impossible to accomplish. I do thank the support of friends and loved ones throughout what I’m going through. I feel blessed and loved and thankful.
These episodes of depression didn’t help my startup one bit. I had to quit ReverseFunder/Oxify, leaving Ortal to carry most of the burden, with me minimized to an advisory role. I wish I could do more, and I felt like a total failure so many times for QUITTING YET ANOTHER STARTUP OF MINE, but that was the reality. I just could not handle it.
At present I am left at a difficult crossroad. My skills as a developer have waned in the last two years, and it’s possible some of the passion and commitment I once had for programming has weakened (it’s hard to tell if it’s just the depression speaking or something deeper). I’m trying to understand what I want to do with my life, what I’m best qualified to do, where my skills can produce the most benefit to society, to the company or project I’ll work on, while giving me a satisfying experience and keeping me paid (I haven’t drawn a salary for a year and a half now).
I am dreading starting Yet Another Project I’ll March Enthusiastically Into Only to Quit A Month After. But I am hopeful. I’m not giving up. I realize the millions of reasons I have to be thankful and happy, and am working on remembering and experiencing that.
I do have a small project that has been tickling my fancy for some time now, but I don’t want to spill the beans about it just yet, not unless I actually dedicate enough chair time to get it off the ground. Thanks for reading so far, and for caring. Stay tuned!