Minimal Heroes

My friend is about to have his first son (after multiple daughters), and as such, is beginning to prep the nursery with decor appropriate for a little boy. He requested that I make some minimal designs that he will print on canvas with familiar super hero logos or identities.

The two he wanted most were Iron Man and Captain America. I did a quick design for each based on the most iconic symbol for each.

I’m not a huge fan of “minimalist” design. When I say minimal, I’m speaking mainly of “flat” design. I can see the appeal of flat design; It’s easy to make, easy to print, easy to display. It feels lazy to me though. My friend however wanted them flatter.

I obliged his request. He was ecstatic. The flatness doesn’t speak to me. It feels sterile, and boring. But he’s happy, so I’m happy.

Jumping Flash

Robbit2Growing up, I was not allowed to have any game consoles, until the PlayStation came out. My brother convinced our dad that it was technically advanced enough to merit buying.

One of the first games we played was a demo for Jumping Flash! that came on the sample games CD with the PlayStation. Soon thereafter we purchased it, and I played it ad-naseum for years to come. It’s a very whimsical platform type game that is very light-hearted. The protagonist, Robbit (A robotic rabbit) is sent to save “jet pods” that are located on various pieces of planets that have been stolen by the evil Baron Aloha. One particular level, world 3-2, was the favorite. It had flying whales, catchy music, and fun rainbow roller coasters that you could ride.

This digital painting, like my other ones, was done in Adobe Photoshop with a Bamboo Graphic Pen in my spare time. I still play this game from time to time using an emulator. It’s great fun, and something I’ve wanted to illustrate for quite a while.

Security Breach

welcome_iphone

I had an interesting morning… You generally should not see this screen on your 6 month old iPhone while you are out and about doing errands…

9:30 AM

My wife visited me at work because her phone stopped working. It had shut down spontaneously, and she thought perhaps it was broken. It turns out it was more than just not working. It had been remotely erased via iCloud. Obviously, neither of us did it, so began the panic of figuring out who was in our account, how they breached our account, and how to get them out.

I tried logging into iCloud, but it would not accept the password. I initiated a password reset, only to find that the recovery email address, a Gmail account, was also not accepting the correct password. Great…

9:35 AM

IMG_3287

Unfortunately, Gmail was the most difficult account to recover (and most time consuming). Gmail provides a means of recovering an account if someone other than the owner changes the password. Unfortunately it was very difficult to get all the information they wanted. Some of this information includes:

  • Date that the email address was created
  • Security question answers
  • Frequent contacts (5)
  • Oldest recovery email address
  • Dates other Google services were registered

After trying about 10 times (with a lot of frustrated yelling…), I finally hit the combination of answers that let me back into the account. I changed the password, and began looking for evidence of damage.

The perpetrator did not enable forwarding. Well, that’s good. He did remove the recovery email address, and he also took the time to delete every email in the inbox and outbox.

10:00 AM

We checked other accounts tied to that email address. Our Amazon account password was changed, however nothing else appeared to be touched. No orders, no change of address, no change in credit card information, etc.

We called Amazon to see what to do in cases like this. I wanted them to verify that nothing was changed, and that no orders were placed. They in essence told us that they couldn’t do anything for two days, and to not use the account for the time being. It was fairly frustrating because it felt like they had no motivation or means for helping people in this situation.

10:30 AM

The rest of the day way spent changing passwords, and verifying that no other accounts were breached.

I filled out a request to Google to restore the deleted email messages thinking that they would be non-responsive, however, they kindly complied within 20 minutes or so. The restored emails show the time line of events, as well as give some closure as to what additional sites the perpetrator attempted to breach.

9:00 AM – There was an alert that the Gmail password reset had occurred.

9:05 AM – Notification of change of recovery email address.

9:11 AM – Notification of password reset for iCloud.

9:20 AM – Notification that the iPhone had been wiped.

So, clearly, the Gmail account was the weak link in this scenario. My guess is that the intruder guessed the security questions required to reset the password.

What is the Takeaway?

two-factorAlthough the intruder had decidedly ruined our day, nothing of consequence was hurt. No bank accounts were affected, and no fraudulent orders were made. Only a few family videos may have been lost from the iPhone.

It appears that this was just someone being annoying rather than someone attempting to steal our identity, or money.

We have now upped our security by doing the following, and recommend that you do too:

  • Utilize 2-factor authentication when it is available
    (Gmail and iCloud both offer this)
  • Use longer/harder passwords
    Relevant xkcd
  • Use passwords that are unique for each site and application
    If one service you use has a security breach, at least you don’t have to worry about any other accounts.
  • Do NOT use security questions if you can avoid it
    If you have to use security questions, use obscure responses that are not easily guessable or contextually relevant.

All in all, things could have been a lot worse, and we are lucky we were able to get everything back under control so quickly. Still, it’s always better to practice good security before there is a problem

© 2007-2015 Michael Caldwell