I sent my phone through the wash a couple of months ago, and no amount of stewing in a bowl of dry rice was able to bring it back. So I got a replacement on eBay — an unlocked Nexus One which also happened to be rooted (I wasn’t looking for that in particular; it was just what came up at the time at a reasonable price). Shortly thereafter, my Gmail account got hacked, or my address book lifted and used for spamming. I changed a password. Then my Twitter account sent out a bunch of spammy links. Of course everyone knows that using the same password in a bunch of different places is a bad idea. And most easily memorable passwords are at least somewhat susceptible to dictionary attacks. And of course everyone does it anyway. I wondered if there might have been some malevolent bytes within the compromised phone (remembering of course that uncompromised phones are also often full of malevolent bytes). It’s been lingering in the back of my mind.
So today I finally took on the machines, and did a whole giant pile of security crap. I managed to flash a reputable ROM into my phone. I set up the now native full disk encryption on my boot disk. I got off-site encrypted backups running using SpiderOak (though… with 200GB of stuff to upload, that’s gonna take a while to finish). I set up Google’s 2-factor authentication. And I changed dozens of passwords all over the web to be long and unmemorable and unique. Of course that means the machine has to remember them for me… but overall, I think this is less likely to result in cascading failures.
Not my favorite way to spend a Saturday in summer, but once or twice a year, days like this are necessary.