Image: Shutterstock
Stars—they're just like us! Except unlike most of us, celebrities are often targeted for systematic and sustained invasions of privacy, whether from trespassing paparazzi or determined hackers. In August, for example, hundreds of stolen nude celebrity photos began leaking online. Dozens of actresses, from Jennifer Lawrence to Kirsten Dunst to Kate Upton, had their photos posted around the world, in what Lawrence called a "sexual violation."High-profile people make high-profile targets—just ask Jennifer Lawrence or anyone caught up in the recent Sony document dump. Someone has to protect those targets, and in Hollywood that job often falls to a man we'll call "Moss." (He's asked for a pseudonym to avoid "poking the bear"—provoking hackers.) Moss started in tech a long time ago, back when maintaining security meant locking down one device and an email address. Along the way, he says, he developed a niche. "We sort of became the SWAT team for celebrities and athletes and high-profile individuals," he says.Today, serving clients who may travel the world with a dozen devices and a constantly changing staff, his job has only gotten more difficult. "Most people come to us after some sort of breach," he says. "It's the leaky roof theory. There're all kinds of weather issues around the US right now. You think your roof is in good shape, but when the snow and rain appear you really find out. Once your house starts leaking, you call the roofer."He's not surprised that rapidly evolving technology means people don't think about security as much as they should. Celebrities, just like us, have other things on their minds than keeping their Snapchats private. What surprises Moss is the blithe shrugs from users following a breach. "For me," he says, "if I had a breach and I could change one behavior to make that never happen again, I would do it. It's surprising to me that most people may not care as much after it happens."I recently caught up with Moss, who told me about doing passwords all wrong, celebrities' expectations of privacy, and Hollywood egos.MOTHERBOARD: Does it again come down to balancing convenience with security?
Without question. People want to keep using the easiest passwords in the world. Common words—maybe they'll have an uppercase letter and a single number. If we know someone's been hacked, we always ask, "Well, what was your password?" It's always some simple thing like "balloon5" or "texas." The next password is almost the same thing. Phishing attacks—people like to click on stuff indiscriminately. I tell them not to click on anything not approved without asking, but sometimes they don't want to take the time. The result is usually very bad.
Oh yeah. I've been warning the high-profile folks for years that because they're a high-profile target, it's not a question of if they'll be hacked. Especially on their social media, it's a question of when. Then what does their emergency preparedness plan look like? Who are they going to call? What are they going to do? Who's handling this for them? And what can be done now, on a daily basis, to help mitigate those possibilities? Unfortunately, some people just chose not to listen.The recent Sony hack has spread the company's secrets across the internet. Are you surprised at the breadth and depth of what's been released?
No. One of the leaked documents shows how they stored data, never deleting, never archiving, not encrypting sensitive files, etc. It's as if a house has a sign on the front door which says, "The key is under the mat," then, once inside, everything valuable was piled up neatly in the living room for the taking. That's how they operated for the last 10 - 15 years. Oncethe PlayStation nightmare occurred and they changed very little about their IT architecture, folks knew they were ripe for another hack. The earlier Brazil hack is now being made public, where the company never even bothered to notify the victims. This should be a wake up call for all companies.How do you advise clients to be safe while having to work in that kind of environment?
One of the messages we preach to clients is that anything you send—text, email, direct message, phone calls, any type of electronic transmission—is not secure. You should have no sense of privacy whatsoever, and anything you send should carry the expectation that it could be immediately made public. So don't send anything to anyone, even your most trusted people, that you don't want others to see. The only way to have a secure conversation these days is if you're locked in a room with someone one-on-one without any electronics. Even then you can't be sure.I think people find it hard to live with that level of security-awareness, not to say paranoia. But does it surprise you to see major CEOs and producers committing this stuff to email?
Hollywood is a very strange club, full of huge egos. You could be the most popular member one day, and cast out the next. There's no remorse. But you would expect the people in power to realize that you don't say things like that in an email.
Advertisement
Advertisement
Without question. People want to keep using the easiest passwords in the world. Common words—maybe they'll have an uppercase letter and a single number. If we know someone's been hacked, we always ask, "Well, what was your password?" It's always some simple thing like "balloon5" or "texas." The next password is almost the same thing. Phishing attacks—people like to click on stuff indiscriminately. I tell them not to click on anything not approved without asking, but sometimes they don't want to take the time. The result is usually very bad.
Do you have any horror stories that you share with clients, to drive home the importance of this stuff?You think your roof is in good shape, but when the snow and rain appear you really find out.
Oh yeah. I've been warning the high-profile folks for years that because they're a high-profile target, it's not a question of if they'll be hacked. Especially on their social media, it's a question of when. Then what does their emergency preparedness plan look like? Who are they going to call? What are they going to do? Who's handling this for them? And what can be done now, on a daily basis, to help mitigate those possibilities? Unfortunately, some people just chose not to listen.The recent Sony hack has spread the company's secrets across the internet. Are you surprised at the breadth and depth of what's been released?
No. One of the leaked documents shows how they stored data, never deleting, never archiving, not encrypting sensitive files, etc. It's as if a house has a sign on the front door which says, "The key is under the mat," then, once inside, everything valuable was piled up neatly in the living room for the taking. That's how they operated for the last 10 - 15 years. Oncethe PlayStation nightmare occurred and they changed very little about their IT architecture, folks knew they were ripe for another hack. The earlier Brazil hack is now being made public, where the company never even bothered to notify the victims. This should be a wake up call for all companies.How do you advise clients to be safe while having to work in that kind of environment?
One of the messages we preach to clients is that anything you send—text, email, direct message, phone calls, any type of electronic transmission—is not secure. You should have no sense of privacy whatsoever, and anything you send should carry the expectation that it could be immediately made public. So don't send anything to anyone, even your most trusted people, that you don't want others to see. The only way to have a secure conversation these days is if you're locked in a room with someone one-on-one without any electronics. Even then you can't be sure.I think people find it hard to live with that level of security-awareness, not to say paranoia. But does it surprise you to see major CEOs and producers committing this stuff to email?
Hollywood is a very strange club, full of huge egos. You could be the most popular member one day, and cast out the next. There's no remorse. But you would expect the people in power to realize that you don't say things like that in an email.