My Twitter account was hacked. Thanks, Adobe!

This past weekend, I checked my Twitter feed and I noticed I was suddenly following a bunch of accounts that I had never seen before. I immediately sensed something was up, which was confirmed when there were posts from me in Russian (note: I don't speak, nor can I write, Russian).

I immediately changed my password and revoked access to most apps that could access my Twitter feed. Changing my password ended up being a bit of a chore, but it eventually happened. Things have settled down and are back to normal.

What was particularly interesting about this was that right after I changed my password, I got an email from Adobe:

As we announced on October 3, Adobe discovered sophisticated attacks on our network involving the illegal access and removal of a backup database containing Adobe IDs and encrypted passwords. We are writing to let you know that your Adobe ID was in the database taken by the attackers -- but, importantly, your current password was not. As a result, we did not reset your password. We have no reason to believe that your Adobe ID account is at risk or that there has been unauthorized activity on your account. The database taken by the attackers came from a backup system that contained many out-of-date records and was designated to be decommissioned. Adobe’s authentication system of record, which cryptographically hashes and salts customer passwords, was not the source of the database that was taken. (Emphasis mine.)

How sweet of them to tell me this in a timely fashion. It's only been two and a half months.

I heard of the (egregious) Adobe breach, but to my knowledge, I didn't have an Adobe account. Apparently I did, so I changed the password on it anyway, but Adobe's wording has me wondering a few things.

  • Was my account "out-of-date" and about to be decommissioned?
  • Were the "out-of-date" credentials hashed and salted?
  • What constitutes "out-of-date" and what is the decommissioning process?

I highly suspect that the Adobe breach was the source of the hack here, and it's my fault for recycling passwords. I use a password manager but I probably created that Adobe account before I started using a password manager. My fault for not changing my Twitter password sooner, but Adobe sure didn't help matters.

Lesson learned. Slowly go through the hundreds of accounts I have, audit the passwords or delete the account where applicable.

And don't trust Adobe.

Science and business

Although I work in the software industry, I am an academic at heart, so I keep abreast of what's going on in the world of research. I'm also interested in the cozy relationship that academic institutions and businesses are being encouraged to undertake here in Canada.

A recent article in The Economist describes some of the problems with positive-results-oriented science, and notes:

On data, Christine Laine, the editor of the Annals of Internal Medicine, told the peer-review congress in Chicago that five years ago about 60% of researchers said they would share their raw data if asked; now just 45% do.

I wonder, if I'm a researcher being funded by a company (perhaps being viewed as labour with good tax benefits), would I be willing (or even allowed?) to share data that may be generating revenue for said company?

I have my doubts.

Theory and practice (prelude)

I've often thought that if I were to do another degree (or even just take some more courses), it would probably be in economics.  I think that's because from what I've read, it's similar to computer science in that there seems to be a vast gulf between theory and practice.

I listened to an interesting lecture by Ha-Joon Chang that made me even more interested: 23 Things They Don't Tell You About Capitalism and what they mean for our economic prospects.

While the title is a little "folksy" for me, the content was worth listening to.  Dr. Chang seems like a pretty reasonable person and the beliefs he claims are commonplace in economic thinking don't fit with what I've seen.  Chang's approach seems like it would make sense as opposed to the dogma I hear about the topic.

It reminds me a lot of software engineering.

Taking notes

Eugene Wallingford wrote something that struck a chord with me with respect to taking notes:

Foremost, having no laptop affects my blogging. I can't take notes as quickly, or as voluminously. One of the upsides of this is that it's harder for me to distract myself by writing complete sentences or fact-checking vocabulary and URLs.

In my experience, electronic note-taking is more of a distraction than it is helpful. Taking notes on a laptop (or worse, a phone or tablet) reduces me to focusing on specific phrases instead of thinking about the bigger picture. This is true regardless of medium: attending a lecture, a meeting, or reading a book.

The biggest benefit I get from lectures/meetings/books is connecting the ideas presented with my experiences. I'm working my way through Popper's The Logic of Scientific Discovery and while it's a demanding read, I don't take any notes (I can always go back and re-read it!). It's often the case that I will read five to ten pages, then dwell on it for days on end, relating it to my work in software development, specifically testing practices.

Burying myself in the minutiae of a presentation causes me to get hung up on those minutiae. Getting a larger view is usually more useful. (And it is often the case that you can go back and review the little things anyway. For example, lectures aren't as ephemeral as they used to be.)