You Can’t Win an iPhone Here: The Story of How We Got Hacked
Inspired by The Exploratorium’s account of how it got phished (link) – turns out John Podesta’s emails were “hacked” in the same way (link) – this is our own story of hacking, sketchy iPhone games and the generosity of the Internet.
Last May, I started working on a new UnPD website that would host our toolbox and represent a “beefier” version of our old Squarespace site. I chose a WordPress template that had great reviews, and on August 25, I shared it with our listserv in an email titled “It’s the UnPD Redux!”
On August 30, I discovered that when a user accessed unprofessionaldevelopment.org for the first time on an iPhone, they would see a suspicious “check your browser” message. After clicking continue, they would arrive at our homepage but the URL would look something like vyhub.com/c22. And, simultaneously, I realized that our Google Analytics was off the charts: Suddenly, hundreds of visitors from all over the world were visiting UnPD (!) and clicking on very suspicious links (!!).
By September 1, visitors were being invited to play a fun game (screenshot, left) to win an iPhone, and Google Analytics was informing me that folks in South Korea were attempting to download the film Train to Busan from the site. We may strive to be unprofessional, but not at this level.
It was only at this point that I realized that “hacking” was the best word to describe what had happened, and a number of questions occurred to me all at once: What is hacking, anyway? Why would someone use UnPD, certainly not the most popular site out on the Internet, as a vehicle for Korean film downloads? And how does one even begin attempting to undo this situation?
After hearing some helpful advice and bleak forecasts (“rebuild the whole thing from scratch”), I connected with a friend of a friend named Davis Shaver via a Slack channel for developers who work in media. Thirty-seven emails and two weeks later, Davis “cleaned and rebuilt” the site but managed to save all of our data. I don’t know how many dozens of hours this pro bono project required, but I do know that without his generosity, UnPD might very well still be a destination for folks trying to win free iPhones.
So how did it happen? Davis said that there were some security vulnerabilities in the site template, but I blame myself: Unlike most sites, which have password quality requirements, WordPress installations (which involve downloading and hosting website files yourself, instead of using the free wordpress.com versions) have no such conditions. My username and password were both unpd.
So there are obviously a lot of lessons here. My password now looks more like z?w#qn39$9wnv2!0. But I’m even more struck by what I still don’t understand: I don’t have answers to any of the questions I asked before (What is hacking, why would someone do it to us, and how do I fix it?). When we talk about the DNC hack (link) or the Panama Papers hack (link; it was possibly due to an outdated WordPress installation and a vulnerable plugin – link), the distance between our use of the word and our understanding of what “hacking” really means is – at least in my own case – quite vast. Even more vast is my understanding of the problem and my capacity to fix it, which reveals an uncomfortable dependency on the generosity of folks like Davis.
Unprofessional Development is based on a true belief in our – especially educators’ – individual capacity to learn stuff as curious humans. And while our website is now “secure,” I’m still struck by how beholden I am to other folks for that safety because I don’t have a full command over the tools I use. Finally, how is this analogous to our students’ position as perpetual amateurs – folks who may be building websites without being able to fix them, or running science experiments they don’t know how to explain – in our classrooms?