My Own Dogfood – Mmmmmm

First, my apologies to anyone that may have received spicy email invites from one of several of my personal email addresses.  I won’t share the addresses, as they are cryptically named, and wouldn’t help you discern who I am in real life anyway.  Regardless, I have taken a big bite of my own personal dogfood.  Not too long ago, I posted this entry on my blog calling for care and caution from researchers and security professionals.  My own vigilance allowed me to detect a security lapse caused by my own carelesness and trust.  This isn’t the first time, and I am sure it will not be the last.

Recently, I have found at least 3 of my 5 personal email addresses have been receiving what I deemed to be spam.  I initially ignored it, figuring it will eventually just go away, as these things seem to do after soliciting no response over time.  Not so.  I have received many invitations from folks on various “adult forums” that require a valid email to join, and a confirmation of that email address to confirm.  It seems these email addresses may have been compromised.

Now, I don’t generally object to porn, to each their own, consenting adults, and as long as no one is getting hurt…  However, the sites I have found I now have valid accounts on could cause some questions and dismay from my spouse, caling into question my loyalty and even my sexual orientation.  (I still like girls, and love my wife, by the way!!!)  The accounts had the same passwords, which weren’t too hard to figure out.  I am changing the passwords and shutting these accounts down wherever I find them.  I will be changing the passwords on ALL of my email accounts as well, and may kill a few off too for good measure.  Same goes for forum and web accounts.  My personal system will be wiped and imaged as a precautionary measure.

I hope that this has been an elaborate prank, and not some wierd attempt at revenge for some perceived misdeed.  I suspect that I have found the source of at least the pranksters’ point of entry.  It seems my wireless pre-shared key has been compromised, as family members often need to get wifi access for their PC or smartphone.  One of the “features” of these devices is their ability to store the key cryptically (****** instead of text) or displayed as plain text at the flick of a tick box, without any aditional password prompting.  I believe that someone close to one of these family members accessed a device that was not well secured, left on a table, or otherwise unlocked.  They clicked the tick box and viola.  Exposed credentials.  Either that or I have several alternate personalities that I am not yet aware of surfing up interesting content in my sleep.

Over the past few weeks, I have been seeing traffic utilization returning to the levels that they used to hover at while multiple adults lived here, lots of DNS queries for odd sounding URLs and such.  The wireless network will be reconfigured again shortly, and will use a new key for encryption and access.  I am in the process of visiting many, many “dating sites” and the like, and hope that when my wife catches me surfing over to “spicy_dates [dot] com” she has already read this blog post.

  • Pre-shared keys are a convenience feature.  I constantly battle convenience, and should not have taken a shortcut.  Lesson learned.
  • All the precautions in the world won’t stop a determined attacker.  Lesson learned.
  • There is still no patch for sTuPiD.  Still learning.