On the Latest Google Chinese-Hacking News

Thanks to many people who have written in asking whether today's Google announcement of a new China-based wave of attacks on Gmail accounts is related to the takeover of my wife's Gmail account just after we spent two months in China this spring. As the official Google announcement says:

> [W]e recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.
>
> The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change peoples' forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)

The short answer is: I can't yet know for sure, but I *think* that what happened to my wife was a case of "regular," small-stakes criminal hacking, to trick people into sending in money, rather than anything more exotic or political. But I will say more about the whole situation of online email security, including the political and international aspects, in an upcoming article. On the other hand, some traits of what happened to my wife's account are similar to what the latest Gmail announcement warns about. For instance, redirecting all incoming mail to a similar-looking but different account controlled by the hacker. And, hey, it's China!

Here is what I can be sure of: in case you haven't done so before, and in case your eyeballs skidded past my previous two zillion entreaties on this topic, if you use Gmail, please install Google's relatively new, free "two-factor" authentication service. It reduces practically to zero the chance that anyone could control your account remotely, which in turn vastly increases your protection against attacks like these. Here are Google's official instructions, plus an earlier nag by me. Google has been fairly careful to "blame the hacker," rather than blaming the victims, in these episodes. But the truth is you'll blame yourself if you don't apply the two-step process and some day later get hacked.

Three other quick tips, before a fuller treatment later on:

- Diversity. It sounds so school-marmish, but it really matters not to use the same password everywhere. Reason: if one of your passwords gets hacked, as for instance one of mine was, along with those of 1.25 million other people, in last year's Gawker episode, you could have trouble for that one account. But if you use that same one for banking, email, your credit cards, etc. -- then, sigh...
  On the other hand, you go crazy if you have to remember dozens of passwords. For "life is complicated enough" reasons, I use the same few passwords for a bunch of nickel-and-dime accounts where I don't really care if they're hacked -- for instance, free registration at some news site. But how do you manage a large variety of passwords for more important sites? This leads us to:

- Password manager programs. I still use and like LastPass, even after the hacking attack it withstood last month. Details later, but "withstood" is the important term. There are a variety of these programs, of which RoboForm is also very well known. See, for instance, this Lifehacker review for more. The point is, there are cheap and easy ways to automate the process of juggling a diverse range of passwords.

- "Strong" passwords. The debate, kicked off at the Danish Baekdal site back in 2007 over an easy way to construct good passwords, is worth following. The most surprising part of his argument is that a multi-word pass phrase, like "be my guest," could be both easy for you to remember and hard for anyone else to crack. As the original entry put it,

> ...it is 10 times more secure to use "this is fun" as your password, than "J4fS<2".

Not everyone agreed, and you can follow some of the back and forth here. I end up using "this is fun"-style pass phrases for some sites, obscure letter-character combos for others, and LastPass as a repository for most. Mainly the discussion will make you think about password-ology in general, which in itself is an important step.
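The Baekdal claim is easier to weigh with the numbers in front of you, so here is an added example (my own, not from the post or from Baekdal's site) that sizes the guessing work for the two passwords quoted above under two attacker models. The first model is the usual "strong password" one: the attacker tries every combination of the character classes present. The second is the one the critics of the pass-phrase idea raise: the attacker knows the secret is a few common words and tries word combinations instead of letters. The word-list sizes are constructed assumptions, chosen to show where the comparison flips.

```python
"""Search-space comparison for a short random password and a multi-word pass
phrase under two attacker models.  Added example, not from the original post."""
import math
import string

# Character classes an attacker would enumerate when brute-forcing one
# character at a time.  string.punctuation (32 symbols) plus the space
# gives 33; the four classes together are the 95 printable ASCII characters.
CHAR_CLASSES = (
    set(string.ascii_lowercase),        # 26
    set(string.ascii_uppercase),        # 26
    set(string.digits),                 # 10
    set(string.punctuation + " "),      # 33
)


def alphabet_size(password: str) -> int:
    """Combined size of every character class the password uses.

    This models an attacker who knows which classes are present (the usual
    assumption behind "use upper, lower, digits and symbols" advice) and
    searches only those classes.
    """
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for a character-by-character search at this length."""
    return alphabet_size(password) ** len(password)


def dictionary_guesses(num_words: int, dictionary_size: int) -> int:
    """Worst-case guesses for an attacker who knows the secret is `num_words`
    words drawn from a word list of `dictionary_size` entries."""
    return dictionary_size ** num_words


def bits(guesses: int) -> float:
    """Express a search space as bits of entropy (log2 of the guess count)."""
    return math.log2(guesses)


def compare(password: str, phrase: str, dictionary_size: int) -> dict:
    """Guess counts for the random password, and for the pass phrase under
    both the brute-force and the dictionary model."""
    words = phrase.split()
    return {
        "password_brute_force": brute_force_guesses(password),
        "phrase_brute_force": brute_force_guesses(phrase),
        "phrase_dictionary": dictionary_guesses(len(words), dictionary_size),
    }


if __name__ == "__main__":
    # The two examples from the quoted argument.  The word-list sizes are
    # constructed assumptions for illustration, not figures from the post.
    for dict_size in (2000, 20000, 100000):
        result = compare("J4fS<2", "this is fun", dict_size)
        print(f"word list of {dict_size:,} words:")
        for model, guesses in result.items():
            print(f"  {model:22s} {guesses:>25,d}  ({bits(guesses):5.1f} bits)")
```

Against a character-level search the pass phrase wins comfortably (11 characters over 59 symbols versus 6 over 95). Against an attacker who guesses three words from a 2,000-word list of everyday English, it drops to roughly 33 bits, below the six-character random password's roughly 39 bits; with a 20,000-word list it is back ahead. The practical lesson for anyone adopting pass phrases is that their strength comes from the size of the word pool and the number of words, not from the character count, so pick words an attacker would not put at the top of a list, or use more of them.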

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne.