Not shocked by EVERNOTE® security issue. Just curious, who cares?


About a year ago I discovered strange activity in my EVERNOTE® (premium) log — despite changing my upload email address, I felt it was likely still at risk. I removed everything from my account, ended my premium subscription and never paid for it again. I also do not save sensitive info on EVERNOTE® — like Facebook, I expect it to be exposed.

Today, catching up on RSS… “Vindicated!” (I said to myself, less the ego.) I read the EVERNOTE® Support post, where they disclosed a “Service-Wide Password Reset” [no wonder my password didn’t work the other day!]. Perhaps they sent an email, but I did not see one, and apparently, nor did any other user.

While I would consider myself a student, still new to many of the concepts I read about, I piece things together from various sources. Setting EVERNOTE® aside for a moment, I feel compelled to share that no one seems to be concerned with security. I experience problems and have for the past 2-3 years. I came across a number of cautionary flags, had an overworked, overheated MacBook less than a year old, a drive nuked, returning problems, and, relying on a Genius Bar (86 knowledge of terminal commands), I felt very much alone with my issues. This caused me to look beyond Apple. I began reviewing my logs and digging into information that was like Greek to me, yet I was curious and hungry for resolution. This ultimately led to a year of ad hoc education and research.

I discovered what I interpreted to be not bugs, but security holes.
For example: cross-browser exploits, network hacks, backend database brute force attacks, manipulating mobile, telephony stunts using VoIP, even Bluetooth, Apple Cloud abuse, iOS exploits, SIM card swaps…and on and on.

You name it, I wanted to know about it. It began to make sense after some time, like seeing a constellation in the sky, discovering the simplicity of connecting dots. I see the social engineering schemes, and we basically invite or welcome hackers into our space (game on!).

Finally, it was the frightening thought of a voyeur on the other end of your webcam peering at you, even tapping into your mic, listening to all your conversations at home. The punch in the gut was reading logs indicating my webcam was enabled for many hours, over several days, even weeks… I was sick to my stomach.

A simple analogy then causes me to wonder: if this can be done with my MacBook, what is preventing it from happening to my iPhone? (I now have a black sticker that remains over my camera, and have since heard reports where even authorities in a school were monitoring students through webcams. Sick.) Of course I was relieved when Apple announced a patch for Java, etc., yet it never seemed to fix my problems. I had raised my awareness, developed my own cryptic system of passwords, committed it to memory, making each password unique to every site. I chalk up any time lost resetting a password, in order to be better off over time, to a floating password or a hijacked cookie.

Quite frankly, there was a point I felt like there was no end. Seeing the advice of a smart man in the industry, and someone I respect very much, he said “you’re going to have to play dumb or decide on a career in security.” It was then I recognized this was beyond my control. Until a collective authority and/or zombie users snap out of it, I / we must endure the exploits, taking the bad with the good.

Unfortunately, I can’t help but to look at the web differently.  Just about a week ago, I saw this tweet and it resonated with me.

This leads me to a question I posted on facebook today:

Do you think security should be a premium cost to web or mobile applications, or expected as a user, period?

Thinking back to my premium account with EVERNOTE®, I recall it was only as a premium user that I would have a four digit PIN [which really isn’t too difficult to crack; max 4 characters, all numeric]. It causes me to wonder: so many users are seemingly careless with security, and why? I can only conclude they are so far into the Rat Race that caring or fidgeting with an extra step, a longer password, 2-way verification… will slow them down. Similar to addicts, they might realize the risk their personal actions or standards have on themselves, but refuse to believe it affects others around them. With security, it’s the people you are connected to, in your address book, or anyone sharing your home network. If you try to help them, they know it all, and declining any help, they would rather ‘sync & sink’ — until it’s too late. Beyond crashing and losing recent work, it isn’t typically concerning until they’ve lost everything; a selfish concern.

A few other tweets that got me thinking…

I wasn’t careless with my online identity before; as a matter of fact, most knew me as aware and cautious. In one of my past contracts working under the FCC and FTC (Federal Trade Commission), working in ID Theft, I was privy to the horror stories and potential risks, and I took the precautionary measures I was aware of. Looking back, as a new Mac OS X user five years ago, for the first three I didn’t even know what I know today. I remember using the automatic set-up, and I could have been a sitting duck. Do users simply not know how many layers there are, and the ways to prevent other than “McAfee?”

Do we roll back to the creators, or our government? I conclude that we have to start holding each other accountable. Not just our government, but people as a collective. For those who are trained and aware: if we see someone getting ‘whacked in the elevator’ we should do something about it! The same applies to what you see happening around you online. Don’t ignore it. Don’t be an opportunist either. Likely it will take some time, but I know goodness and truth prevail, and web security will find its way through this too. Eventually, it will rise above, and so will the honest and good.

Look for a post soon where that idea is tied into building better communities, that are resourceful and likable.


10 thoughts on “Not shocked by EVERNOTE® security issue. Just curious, who cares?”

  1. Great article. I use my Facebook page to a alert people to security risks as they become known. Of course in the grand scheme of things, that is not likely to help a ton of people.
    I’m looking forward to your next post.

  2. From a political perspective, you have to reach the point in which harm is done prior to action. It is the warped mentality of the legislative process, but it is the reality of the system we have. It is why our laws are named after crime victims, and major publicity cases often are followed by new legislative efforts. A great example of this was the sexual abuse of children by the coach from Penn State. I was advocating for statewide mandated reporting long before anyone heard of the now infamous case. A simple idea: that if you know of sexual abuse of a child you are required to report it. Instead of a law that will actually save children we have a law that requires college coaches to report known abuse information. The odds of another child being abused in a college sports camp by an NCAA coach and having it not be reported… slim to none. The odds a child will be abused again – guaranteed. But where there is no public or media outcry there is no will to address it.

    Did you ever see the movie The Life of David Gale? If you want a legislative fix, we need that kind of scenario, that kind of outrage. It is going to take a massive scale of fraud, abuse and privacy exposure for a true solution to be addressed legislatively. I jokingly told a judge last year that with the invention of social media an entire generation of people will need new identities one day. Maybe it shouldn’t have been a joke.

    • At a federal level, I know that at the FTC we had to have massive amounts of similar reports before the FBI would investigate any ID Theft case. We would defer back to the State Attorney General’s Office. Again, I’m sure that number is high… yet I suppose that is the upside to local government.

      Never saw the movie, I will have to check it out now.

      Doppelganger =)

      Thanks for your feedback, Kyle!

  3. Ok, so my previous comment was about me being cautious with security–rightfully so. And I agree with all your points, Nicole. But something else ticks in the back of my head. It speaks to a larger philosophy in life. I try to not hold so tightly onto my world possessions. Thinking back to how people must have lived centuries ago, there were no locks on doors. And yet in our age, we protect what we own so tightly that it influences how we treat others less fortunate than ourselves. I’m guilty of that 100%.

    • I’ve moved my life into less is more. (always working on it)
      I have been coaching my mom on this — when she’ll say.. “I need…XYZthing” and that is the subconscious, so now she says “air and water”

  4. Great read. I never got an email about the Evernote hack; however, I did see the news about it right away via social media outlets. I was far from shocked. IMO anything that syncs that way or cloud based programs (even iCloud), as much as I love Apple, are just horrible choices for privacy and security. It’s a shame that people are not willing to take the time to educate and safeguard themselves and their private information. In this Facebook era it seems they would rather use the Facebook button for one click sign ups in an effort to make it easier for them to exploit themselves. Great post. Hope this helps open the eyes of many.

    • Good point Julio, that Facebook one click sign-up is kinda freaky to me. I avoid it at all times and go with a standard email sign up. And even with my email, I don’t check any of my primary email accounts on my phone. I use a dummy account that is only meant to send email. And if someone replies to an email from my phone, that gets automatically redirected to one of my primary email addresses. Your primary email address is the entrance gate to ALL your passwords. Why would someone ever want to carry that gateway around with them in public on such a steal-able device?
