The feature, known as “two-factor” authentication, is already used by companies like Google and Apple and works by sending a pin code via text message to a user’s cell phone. Twitter has details and a tutorial video here.

The decision to add an extra security feature comes after hackers have repeatedly gained control of high profile Twitter feeds. The most prominent example occurred last month when hackers used the Associated Press’s account to say bombs had injured President Obama. The fake tweet roiled financial markets and led to calls for Twitter to improve its security features.

Attackers have also targeted CBS, the BBC and the Onion. The latter offered a candid account of how the hackers phished employees accounts and induced some of them, including a person with control over social media passwords to share log-in information.

Two factor authentication would likely have prevented those attacks because the attackers would have had to enter a password sent to the employee’s cell phone.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected world: the consumer technology revolution
• The 2013 task management tools market
• How consumer media will change in 2013

A LivingSocial representative confirmed the hack with us, and said that the company would be contacting the more than 50 million users who might have been affected, sending them emails explaining what happened and encouraging them to reset their passwords. The hack affected all of the company’s users except those in South Korea, Thailand, Indonesia, and the Philippines, since data for those users is stored on different servers.

The hack comes as large consumer web companies are increasingly facing scrutiny regarding their security measures. In February Twitter reported that hackers may have accessed data on 250,000 user accounts, and LinkedIn was sued over a hacking incident last summer that exposed more than six million consumer passwords.

In a statement, O’Shaughnessy explains how the company was hacked and how that will affect customers:

“We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.”

Currently, visitors to LivingSocial’s website will notice a large red bar telling them to reset their passwords:

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Facebook’s IPO filing: ideas and implications
• NewNet Q4: Platform mania and social commerce shakeout
• NewNet 2012: companies and technologies set to disrupt

Many of these problems stem from the fact that the Fitbit uses plain HTTP in its communications, exposing usernames, passwords, and data to opportunistic attackers. A suite of tools to probe the Fitbit created by the researchers was able to capture data from any Fitbit tracker within a radius of 15 feet. Another type of attack they tested forced the Fitbit to attempt frequent data upload, draining the battery 21 times faster than with normal once a day uploading.

An additional problem the researchers identified is an absence of a data consistency check on the Fitbit and its associated online social network. For example, they were able to inject 12.6 million steps into a user account, which the system translated into only 0.02 miles traveled, based on the initial calibration to the user’s stride length. This kind of data injection could be exploited by cheats, people who don’t want to work for the badges and monetary rewards that are available to fitness over-achievers.

While such an attack on a given individual might seem far-fetched, hackers could be motivated to expose or misuse sensitive personal health data. The consequences of that exposure could be no more than embarrassment for the Fitbit’s owner, but the security and privacy ramifications could go much deeper for similarly vulnerable wireless devices used in larger settings by healthcare companies.

The researchers also highlighted a few more bizarre “mule” attacks, such as attaching the Fitbit to a spinning rope or a car wheel (you can “burn” about 350 calories in 20 minutes with the latter method).

To combat these attacks, they developed FitLock, a hacked together defense system that includes encryption. A data consistency check also verifies new uploads against stride length and basal metabolic rate so that number of steps, distance traveled, and calories burned correspond. According to the recently released research, this additional security results in a negligible increase in processing time of 37 ms, about 2.4 percent more than normal Fitbit overhead. They also propose an extra step to thwart mule attacks: using a smaller, more accurate GPS chip to tell whether location is not changing (rope attack) while steps are being taken, or when the location is changing far too much (wheel attack).

The attacks that are averted with FitLock are not unique to Fitbit or other sensing devices. Insulin pumps and cardiac defibrillators, for example, could be manipulated with the same methods, with much more dire consequences.

Disclosure: Fitbit is backed by True Ventures, a venture capital firm that is an investor in the parent company of GigaOM. Om Malik, founder of GigaOM, is also a venture partner at True.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• GigaOM Research highs and lows from CES 2013
• Analyzing the wearable computing market
• Connected world: the consumer technology revolution

In case you missed it, the AP’s Twitter account was suspended yesterday afternoon after the fake tweet — possibly posted by the Syrian army — caused a temporary shock to stock markets, which rely on news wires like the AP for up-to-date information.

On Wednesday morning, the AP announced its Twitter feed had returned and began tweeting ordinary news items (though initially forgetting to delete the hoax tweet):

The @AP Twitter account, which was suspended after being hacked, has been secured and is back up. Thank you for your patience. – @EricCarvin—
The Associated Press (@AP) April 24, 2013

Most of the account’s followers, however, appear to have disappeared. At the time of the hacking incident, the AP had nearly 2 million followers:

As of Wednesday morning at 9:30 ET, however, the AP account had fewer than 100,000 followers:

I’ve asked the AP for an explanation and am still waiting on a response. At this point,Twitter may be adding the followers back gradually; the 85,454 figure is almost double the number from earlier this morning.

Update: The AP says its social media editor ”was told by Twitter that it can take up to 24 hours for the follower count of a suspended account to return to normal.”

If the followers have indeed been wiped out, this would represent a serious blow for the AP. Like other news organizations, the AP relies heavily on social media outlets to disseminate its stories, and an organization’s (or person’s) number of Twitter followers can stand as proxy for influence.

The AP hacking incident has also led to calls for Twitter to introduce a security feature known as 2-step authentication.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected world: the consumer technology revolution
• The future of mobile: a segment analysis by GigaOM Pro
• The 2013 task management tools market

Twitter has since suspended the account and the AP issued the following statement: “Advisory: @AP Twitter account has been hacked. Tweet about an attack at the White House is false. We will advise more as soon as possible.”

The episode shows again, as it did during the Boston tragedy, the mischief that can occur as a result of huge number of people instantly relaying false information through false tweets. The Anonymous hacker news account, for instance, saw its reporting of the message retweeted almost 500 times:

Breaking: Two Explosions in the White House and Barack Obama is injured via @AP—
Anonymous (@YourAnonNews) April 23, 2013

In the last year, Twitter has become an essential news source not only for news outlets but for the financial community. This month, Bloomberg incorporated Twitter feeds into its terminals while the SEC gave companies the green light to use it for relating market moving news.

Update: The AP has since issued this tweet from a separate account associated with its political news outlet:

All, AP's Twitter accounts will be suspended until we can be assured of their security. Do not respond to any news posted by these accounts.—
AP Politics (@AP_Politics) April 23, 2013

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The future of mobile: a segment analysis by GigaOM Pro
• The 2013 task management tools market
• How consumer media will change in 2013

Following the demise of one proposal, the Cyber Intelligence Sharing and Protection Act (CISPA), the Obama administration has taken new steps with an executive order and a policy strategy. The executive order draws a roadmap for sharing more of its information with the private sector, and the strategy shows the intent to do more on diplomatic and intelligence fronts.

The Microsoft and Zendesk hacks follow others in recent weeks at Apple, Facebook, the New York Times, the Wall Street Journal and the Washington Post. Twitter said people had attempted to hack the site. And the security company Mandiant released a report providing details on a Shanghai-based division of the People’s Liberation Army of China that has stolen “hundreds of terabytes of data from at least 141 organizations,” almost all of which have headquarters in countries where English is the native language. Hackers even found a way to build a lure for a spear-phishing attack out of one version of the report.

President Barack Obama, in his State of the Union address last week, acknowledged that American companies have been hacked and said the country must not “look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” Obama’s executive order on cybersecurity, released on the same day as the president gave the speech, directs the government to release more, and more timely, information on cybersecurity threats. It calls for a framework for reducing “cyber risks” to critical infrastructure in the United States, and the framework will have to help owners and operators of that infrastructure manage the risk. In doing so, the government cannot pick one product or service as a cure-all; it claims to value a competitive marketplace. The order also mandates that owners or operators of critical infrastructure that could cause catastrophes if hacked will be confidentially contacted and be given a way to submit information to the federal government.

A week after the executive order, the Obama administration released a policy paper laying out steps for advancing cybersecurity. It says businesses should share best practices, and it states that the FBI and the State Department will do more to try to stop hacks of trade secrets. Elsewhere, it promises that several other federal agencies will continue to do what they have been doing toward that end.

Some people have argued that the executive order doesn’t do enough to improve cybersecurity. Then again, others like it much better than CISPA.

Regardless of what people think about it, the federal government’s efforts to respond to the hacks could prompt more companies to protect their own assets. It takes advantage of the good parts of CISPA but not the bad, which my colleague Derrick Harris has previously identified. And with news of more and more attacks coming to the fore, more companies could be inclined to try sharing information with the federal government for the purpose of the greater good. How bad could that be?

Oh, by the way, as a side effect of all of these attacks and the new federal policies, don’t be surprised to see more enterprises trying out security products that focus on infrastructure, such as Mandiant and Cylance, which I wrote about earlier this month. Look for more stealth-mode security startups jumping out of the shadows, too.

Feature image courtesy of Shutterstock user Tatiana Popova.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Dissecting the data: 5 issues for our digital future
• What Amazon’s new Kindle line means for Apple, Netflix and online media

The strange Twitter activity took place after hackers apparently took control of Burger King’s account and replaced its name and image with the McDonald’s logo. Here is a screenshot of what followers of @burgerking saw on Monday:

The blue checkmark beside the @burgerking name indicate that this is indeed Burger King’s official Twitter account. Other tweets included:

This is why we were sold to @mcdonalds! All of our employees crush and sniff percocets in the bathrooms =[ @dfnctsc twitter.com/BurgerKing/sta…

— McDonalds (@BurgerKing) February 18, 2013

It’s unclear who is behind  the mischief but the tweets’ references to “lulz’ and “@youranonnews” suggest the hacker collective Anonymous is involved.

Meanwhile, regular Twitter users are having a merry time speculating on how this may have happened:

haha! re: j.mp/W018Vi : RT @cebsilver .@scottmonty "What was the account password?" SM Intern: "It was 'whopper.'" "You're Fired."—
  (@jeffscott) February 18, 2013

It’s accepted as common wisdom for big brands to have an active presence on social media but this incident shows how things can go very wrong. Previous Twitter disasters involve McDonald’s buying a sponsored hashtag to promote “McDStories” only to see users tell tales of gross food and alleged animal cruelty.

As of early Monday afternoon Eastern Time, the Burger King account was still under control of the hackers.

Update: At 1:15 ET, Twitter said the account had been suspended. As Frank Reed notes in the comments below, the incident may not be all bad it’s given Burger King more publicity than it’s had in a long time. And, as a hacker account notes:

With @BurgerKing getting hacked they got a 30% rase in followers, remember to unfollow.—
Anonymous (@YourAnonNews) February 18, 2013

As for McDonald’s, the company offered this response:

We empathize with our @BurgerKing counterparts. Rest assured, we had nothing to do with the hacking.—
McDonald's (@McDonalds) February 18, 2013

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Examining the rise of crowd labor platforms in 2012
• Social third-quarter 2012: analysis and outlook
• Listening platforms: finding the value in social media data

In the wake of his suicide, Swartz’s case quickly became a cause celebre, and a group of legislators including Darrell Issa (R-Calif) — who was also instrumental in the fight against SOPA and PIPA — recently asked the Justice Department to look into the behavior of the U.S. attorney’s office in pressing for a severe penalty against the young hacker. Zoe Lofgren (D-Calif.) has also proposed a number of changes to the Computer Fraud and Abuse Act that would prevent the state from going after others for what Swartz did.

Breaching terms of use shouldn’t qualify as hacking

Among other things, those changes — some of which were proposed by users of Reddit during a session with Lofgren last month — would prevent prosecutors from pressing charges for simple breaches of a website’s terms of service or user agreement, which is one of the clauses in the CFAA that was used against Swartz. Changing a computer’s hardware address (which Swartz did in order to avoid detection) would also not qualify as criminal hacking.

But while Aaron Swartz’s experience has drawn some much-needed attention to the problems with outdated laws like the Computer Fraud and Abuse Act — which was written in 1986, before the web was even invented — we shouldn’t forget that others have also been hit with this overly broad and vague piece of legislation, even though they haven’t become popular causes in the way that Swartz has.

As Marcia Hoffman of the Electronic Frontier Foundation has pointed out, one of the most problematic parts of the CFAA is that the law makes it a crime to access a computer or website “without authorization” or in a way that “exceeds authorized access,” but those terms are never really defined. In a number of cases, prosecutors have defined them to mean that anyone accessing a web-based service in any way that isn’t explicitly approved by the terms of use is committing a crime under the act.

A broad and overly vague legal net

In 2008, for example, prosecutors used this aspect of the law to go after a woman who created a MySpace profile using an assumed name (although a judge declined to hear the case) — and as one security researcher has explained, the same principle could easily be used to charge anyone who simply goes to a website without the explicit permission of the owner.

Aaron Swartz

One of those who has been caught in this particular net is almost the polar opposite of Aaron Swartz, although both were clearly hackers: Andrew Auernheimer, who is known by the online handle Weev, has also been found guilty and is facing potential jail time for unauthorized access to a computer or web service. In his case, Weev and a fellow hacker collected a list of AT&T customer email addresses by generating random URLs at the AT&T website, and then gave them to Gawker in what they said was an attempt to draw attention to AT&T’s lax security measures.

Unlike Swartz, who has been hailed by most of his friends and acquaintances — including luminaries such as Creative Commons founder Lawrence Lessig and even the creator of the World Wide Web, Sir Tim Berners-Lee — as a force for good and a crusader for openness and other just causes, Weev is somewhat notorious for being an online troll who reportedly delights in causing mischief, aggravation and hurt feelings wherever he goes.

Being a troll shouldn’t qualify as hacking either

All of that may make him less than appealing as a public cause, but the flaws in the Computer Fraud and Abuse Act are just as obvious in his case: in fact, what Weev did barely even qualifies as hacking, since he simply generated random iPad ID numbers and then used those to get the AT&T email addresses. In other words, the addresses were freely available and not hidden behind technological locks or passwords of any kind (Weev also made no attempt to use them or sell them).

The bottom line is that the CFAA isn’t worth scrapping or rewriting just because it was used to go after Swartz, or even Weev — the biggest issue is that it is so broad and technologically ignorant that it can be used to criminalize behavior that should barely even register as a nuisance, let alone a crime. Swartz’s downloading of JSTOR documents wasn’t serious enough for the archive to press charges, and yet the prosecutor chose to threaten the young hacker with jail time.

At its best, hacking of the kind that both Swartz and Weev engaged in is no different than the kind that Microsoft founder Bill Gates employed when he let lose a worm that shut down a corporate computer network when he was 14. Within reason, testing the limits of computer systems and revealing security holes is something for which we should be thanking hackers — or possibly admonishing them — not sentencing them to prison terms.

Post and thumbnail images courtesy of Shutterstock / ER 09 and Fred Benenson

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The importance of putting the U and I in visualization
• AWS Storage Gateway jolts cloud-storage ecosystem
• A near-term outlook for big data

As the news of his death spread throughout the web and social networks like Twitter, there was an outpouring of grief and sorrow from some of his friends and those he had worked with on a number of projects — including the early development of the RSS syndication standard, the web.py software framework, the Creative Commons movement and the W3C web standards committee.

We’ve collected some of those comments and responses here (there’s also a Reddit thread and a Hacker News thread about his death, and Alex Howard of O’Reilly has collected some tweets and links in a Storify post):

Update: Swartz’s family and his partner have released a statement about his death, in which they point the finger of blame directly at the U.S. Attorney’s office and say their prosecution played a role in Aaron’s suicide. The statement says:

“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death.”

Sir Tim Berners-Lee, the creator of the web, posted a message after he learned of the news, saying: “Aaron dead. World wanderers, we have lost a wise elder. Hackers for right, we are one down. Parents all, we have lost a child. Let us weep.”

Heartbroken about @aaronsw, so brilliant, idealistic, soulful. Here's where I first met him. thedailybeast.com/newsweek/2004/…

—
Steven Levy (@StevenLevy) January 12, 2013

Shocked and saddened to hear about the suicide of Aaron Swartz, whom I first met when he was 14. @doctorow's eulogy bit.ly/VSk8Td

—
Tim O'Reilly (@timoreilly) January 12, 2013

Cory Doctorow, author and BoingBoing co-founder, posted a long and heart-felt tribute to Swartz and a discussion of his struggles with depression, saying:

“Aaron accomplished some incredible things in his life. He was one of the early builders of Reddit (someone always turns up to point out that he was technically not a co-founder, but he was close enough as makes no damn), got bought by Wired/Conde Nast, engineered his own dismissal and got cashed out, and then became a full-time, uncompromising, reckless and delightful shit-disturber… we have all lost someone today who had more work to do, and who made the world a better place when he did it.”

Matt Haughey, the founder of Metafilter, posted a comment on his site about Aaron, whom he met while he was working on the Creative Commons project with Larry Lessig — and how at one programming event, Swartz had to come with his father because he was only 15:

“Aaron, I’m so sorry to see you go. You were an amazing person who did incredible work that helps us all out and I really wish you stayed for many more decades so you could continue making society a better place to be. I’ll really miss you.”

Brewster Kahle, founder of the Internet Archive, posted a memorial entitled “Aaron Swartz, hero of the open world, dies” — and recalled working with the young man on Kahle’s Open Library project, which he helped to code:

“Aaron was steadfast in his dedication to building a better and open world. Selfless. Willing to cause change. He is among the best spirits of the Internet generation. I am crushed by his loss, but will continue to be enlightened by his work and dedication. May a hero and founder of our open world rest in peace.”

In 2007, Swartz wrote what many took to be a suicide note (thanks to Nik Cubrilovic for the link) after he had been fired by Conde Nast (which acquired Reddit in 2006), a note that eventually led Reddit founder Alexis Ohanian to call the police and break into Swartz’s apartment. The young programmer later explained that he wrote it while he was in pain due to a medical issue, but some friends took it as a sign that he was struggling with emotional problems as well.

RIP Aaron Swartz. What a terrible, tragic waste. boingboing.net/2013/01/12/rip…

—
Timothy B. Lee (@binarybits) January 12, 2013

Aaron Swartz was one of my favorite people, and I'm crying. j.mp/UdKWvB

—
Adrian Holovaty (@adrianholovaty) January 12, 2013

In 2007, Philipp Lenssen of the blog Google Blogoscoped posted a long interview with Swartz about his development as a programmer, his work with Reddit and Creative Commons, getting fired by Conde Nast and a number of other topics:

“Seriously, though, the Web is what we make of it. We have a powerful, widely-deployed, largely uncontrolled communication network. It’s up to us to decide where to go next.”

John Gruber of the Apple blog Daring Fireball also posted a tribute, saying: “Aaron was a friend and a brilliant mind… he had an enormous intellect — again, a brilliant mind — but also an enormous capacity for empathy. He was a great person. I’m dumbfounded and heartbroken.”

wow so sad @aaronsw. he was definitely fighting the good fight.

—
from the future (@nk) January 12, 2013

Swartz was also involved in the fight against SOPA, the draconian anti-piracy law that Congress tried to pass last year — this is a video of him discussing the campaign against the bill, which was later shelved:

Many of those who mourned Swartz’s passing wondered whether he knew how respected and loved he was by those who were close to him:

Angry about @aaronsw's suicide. So much love for him on the Internet today, did he know?

—
Nelson Minar (@nelson) January 12, 2013

Some of Swartz’s supporters in his fight against the federal charges related to his JSTOR hacking questioned whether the threat of jail time might have accelerated his depression, but others said he didn’t seem that troubled by it. As we wrote last year, Swartz — who had hacked into a federal database in 2009 and download thousands of documents but never been prosecuted for it — gained access to a computer at Harvard and ran a program that downloaded a huge proportion of the research papers JSTOR sells to universities and other institutions.

Fuck. The world seems emptier knowing Aaron's not in it. Hounded to death by the DOJ after the "victims" dropped charges. All is sadness.

—
Nat Torkington (@gnat) January 12, 2013

Larry Lessig, who worked with Swartz on Creative Commons and other projects, has written a post saying what his young friend did with the JSTOR archive was wrong — although the principle may have been right — but that the government’s case against him was reprehensible and over-reaching in the extreme: “Here is where we need a better sense of justice, and shame. For the outrageousness in this story is not just Aaron. It is also the absurdity of the prosecutor’s behavior. From the beginning, the government worked as hard as it could to characterize what Aaron did in the most extreme and absurd way.”

The best tribute to #Aaron Swartz would be to keep this JSTOR torrent alive. Lasting legacy of a great prodigy - thepiratebay.se/torrent/655433…

—
Suhail Kazi (@kazisuhail) January 12, 2013

@jdrch We don't know what Aaron was thinking. We do know that, two months from now, he was facing up to 50+ years for "hacking." @JPBarlow

—
Declan McCullagh (@declanm) January 12, 2013

According to those who knew him, Swartz believed that it was wrong to charge so much for access to these papers, many of which were produced by academics for free, and in some cases with government funding (Maria Bustillos has a great overview of the case here). And even though JSTOR said it didn’t want to proceed with a case against him (and has since opened up its database — at least a little) the Department of Justice continued with its case, and Swartz faced a potential 35 years in prison.

Just heard about @aaronsw: bit.ly/13oQE2B Rends my heart. Horrible news for all who loved him, and the Net he loved as well.

—
Doc Searls (@dsearls) January 12, 2013

Bradley Horowitz of Google, and formerly of Yahoo, remembered talking with Swartz about his plans to use Hangouts for journalistic purposes around the Occupy Wall Street movement:

“I was really heart-broken by this news… Thank you Aaron, for all you contributed to the world, and inspiring so many.”

This world needs people as brave and brilliant as Aaron Swartz. It just does not tolerate them well.

—
Siva Vaidhyanathan (@sivavaid) January 12, 2013

In this video conversation from 2008, Swartz talked about how he got started as a programmer with Economist blogger Will Wilkinson:

Swartz had prepared a webpage in the event that he was “hit by a truck” as he put it:

“I ask that the contents of all my hard drives be made publicly available from aaronsw.com… please update the footer of this page with a link. Also email the relevant lists and set up an autoresponder for my email address to email people who write to me. Feel free to publish things people say about me on the site. Oh, and BTW, I’ll miss you all.”

This is a photo of the teenaged Aaron Swartz meeting Creative Commons founder and copyright activist Larry Lessig (photo by Richard Gibson)

Web pioneer and Harvard fellow Doc Searls wrote a memorial post for Swartz, along with a picture of him at a conference with Dave Winer — a conference Swartz had to be driven to by his mom, since he was only 15 — and said: “We haven’t just lost a good man, but the better world he was helping to make.”

Alex Macgillivray, general counsel at Twitter and former Google lawyer, said:

. @aaronsw made the internet better in so many ways. We are all worse off for his passing. So. Sad. http://t.co/ynBGkhdx

—
Alex Macgillivray (@amac) January 12, 2013

Remembering just some of @aaronsw's life of service to an open Internet. Cannot express my sadness. reddit.com/r/pics/comment…

—
David Weinberger (@dweinberger) January 12, 2013

A comment on the discussion thread on the Y Combinator site Hacker News that appeared to be from Swartz’s mother said: “Thank you all for your kind words and thoughts. Aaron has been depressed about his case/upcoming trial, but we had no idea what he was going through was this painful. Aaron was a terrific young man. He contributed a lot to the world in his short life and I regret the loss of all the things he had yet to accomplish. As you can imagine, we all miss him dearly. The grief is unfathomable.”

The website public.resource.org — founded by freedom-of-information activist Carl Malamud, who worked with Swartz after with his earlier hack of the federal PACER archive — has gone dark as a tribute, with text that reads in part “Aaron Swartz made our world more free. Thank you Aaron for what you gave us.”

Microsoft research and sociologist Danah Boyd has written about the boy/man she knew for the past nine years, and how he could be both brilliant and frustrating — but she says the thing that makes her the angriest is how unreasonable his prosecution was: “He became a toy for a government set on showing their strength. And they bullied him and preyed on his weaknesses and sought to break him. And they did.”

Heartbreaking news that my dear friend Aaron Swartz has died at 26. Imaginative, smart about everything, and, best of all, different.

—
Edward Tufte (@EdwardTufte) January 12, 2013

David Weinberger of Harvard’s Berkman Center for Internet and Society has a post on his blog in which he calls Aaron Swartz not a hacker but “a builder.” And Weinberger points (as many others have) to a post from Alex Stamos, an expert in information technology who was an expert witness in Swartz’s case, who argues that his downloading of JSTOR articles wasn’t a criminal hack: “I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.”

Micah Sifry of TechPresident remembers meeting Aaron in 2004, when he was 18, and being impressed with how dedicated he was: “I don’t know where he got the bug, but I understood it. If you have “change the world” disease, there is only one cure. And he tried mightily to change the world using every tool at his disposal.” And Dan Gillmor argues that we should remember Aaron by working for open society and against government abuses: “So amid my grief for Aaron, I’m angry — and committed to working for honorable enforcement of rational laws, and for values Aaron exemplified in his short life.”

The best tribute we can offer Aaron Swartz is to do what he did at his amazing best: work to expand an open Net and stop govt abuses.

—
Dan Gillmor (@dangillmor) January 12, 2013

James Grimmelmann, a law professor at New York Law School who knew Swartz well, writes about some of the incredible things that he accomplished at such a young age: “Aaron was a friend, and more than that, he was one of my heroes. No one I have known better embodied the bumper-sticker motto to “be the change you wish to see in the world.” It is hard to believe he is gone.” And Glenn Greenwald writes at The Guardian about what he calls the “inspiring heroism” of Aaron Swartz — he didn’t just talk about internet freedom and civil liberties, Greenwald says, “He repeatedly sacrificed his own interests, even his liberty, in order to defend these values and challenge and subvert the most powerful factions that were their enemies. That’s what makes him, in my view, so consummately heroic.”

A number of academics have tried to honor Swartz’s commitment to open information by making their journal articles free to download. And Quinn Norton, who was Swartz’s girlfriend for a time, has written a heart-wrenching post about their time together here.

Post and thumbnail images courtesy of Fred Benenson

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• GigaOM Research highs and lows from CES 2013
• How HR can make the case for workforce analytics
• The 2013 task management tools market

1. Be smart about passwords and security questions.

Ideally, passwords and usernames should be unique for each service so a breach at one doesn’t result in carte blanche access to the rest of your accounts (if the LinkedIn breach didn’t beat the practice into our collective head, nothing will). Passwords also should be obscure enough that someone won’t be able to guess them if they know a few factoids about the target. And complex helps too: interspersing numbers, symbols and upper-case letters makes it harder to guess even if someone gets the phrase right.

When it comes to security questions, don’t choose answers that are readily available online. If you have a really good memory (or are already good at keeping track of numerous passwords and usernames), choose non-sensical answers to the questions. Your mother’s maiden name: Thomas & Friends, for example.

2. When possible, encrypt

Essentially, encryption software will scramble information and make it unreadable to anybody without the password to decrypt it (or the determination to crack it). However, like anything that make us more secure, it requires some effort on the user’s part. At the least, that means remembering the password for services (such as FileVault on Mac devices) that offer encryption as a standard feature, because losing it might mean losing access to data when it’s needed. For true security in the cloud, though, client-side encryption is probably the best idea, which means finding, possibly paying for and, most importantly, actually using third-party software.

3. Use two-factor authentication

AWS’s Multi-Factor Authentication device

Two-factor authentication means logging in requires both username and password, and a unique code sent at that time to a device the user has on his or her person. For Google accounts, for example, that’s usually via an SMS message to a mobile phone although it can be an app, as well. For some banks (as well as for Amazon Web Services) that can be a device designed especially for the purpose. It can be a pain to always look to another device while logging in, and those without their devices can be out of luck or in for a hassle if they need access, but it’s a pretty effective method even if someone gets your password.

4. If you need it, back it up

It’s kind of strange how cloud services have become so prolific we’re now talking about backing up data locally. Irony aside, however, it’s about the smartest thing someone can do to make sure they always have their important data. External hard drives are relatively cheap, as are third-party cloud services designed specifically for backing up data, so there’s really no excuse not to have multiple copies of files. For whatever it’s worth, Google even lets users download certain account information, which could ensure you never lose Gmail data.

5. Delete it when it’s done

In an era of seemingly limitless online storage, it can be hard to come to terms with the idea that e-mail messages or files might outlive their importance. But to ensure no one sees potentially damaging information — such as salacious messages, messages including personal information such as credit card or Social Security numbers, or username/password reminders for online accounts — it’s smart to delete some stuff sometimes. If messages or other files really must exist ad infinitum, though, back them up (and maybe encrypt them) before deleting them.

6. Don’t be a dummy

Just generally, be smart when doing stuff online. Use antivirus software to help prevent malware (such as keystroke loggers) that could help someone access account information. Keep your Wi-Fi network locked down; maybe don’t even broadcast it. Don’t click on links or open attachments in suspicious e-mail messages, even when they’re from companies with which you do business. If you end up on a site that looks sketchy and has a .ru domain, leave. Don’t go to Black Hat and send anything remotely important over the Wi-Fi network. You get the point.

Dunce image courtesy of Shutterstock user RTImages.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The rise of M2M security challenges
• Quality of the cloud: best practices for ISVs
• The role of converged infrastructure in the data center