Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:

LinkedIn asking for my Gmail password

Yelp asking for my Gmail password

This really needs to stop and people need to start using the Gmail Contacts Data API.

I think it’s kind of needless to say that not only is this unsafe, but it helps users become victims of phishing at some point in the future. Socializing users into giving away their passwords to arbitrary 3rd parties is not OK.

So, thanks Facebook, LinkedIn, Yelp, and others for continuing to make the Internet just that much more dangerous; now start using the Contacts API.

If you know of any other websites that still ask for your Gmail password, list them in the comments!

UPDATE: This exact same issue was highlighted in Coding Horror 2 months after my post went up.

Breach Laws Charts (updated)

This might be good information for any of the students taking Information Security Management this semester to include in their work. 

BitTorrent Presentation

A: If you’re concerned about keeping the data in your possession, why not do that? The ready-made NAS market is starting to mature and they’re great for use as backup appliances. I wrote about this previously when I bought a Synology CS407. Now the market has changed a bit and I see 4 good options: Synology, Netgear (they bought Infrant), get an Apple and start using Time Capsule + Time Machine, or even FreeNAS as soon it will be based on FreeBSD 7 and use ZFS internally (can’t get much better than that).

But then what happens when I click the wrong button and delete my data (if I’m a terrible sysadmin), or when someone breaks into my apartment and steals my hardware? Maybe I don’t want to spend as much money and maybe, this sounds like you, I’m just more concerned with the availability of the data and the confidentiality issue is just a distraction. If someone breaks into Amazon S3 (or maybe they already work there) will they care about your data when they find it? Or, if someone is after your data, are they going to want to/be able to break into Amazon S3? If it were me, I’d be going after your data before it leaves your laptop, it’s an easier target. And besides, there are ways to mitigate your risks to confidentiality by using something like TrueCrypt or PGPDisk (two passwords to get your data isn’t so bad). Rather, you’re defaulting to an outsourced backup provider because they:

• are better sysadmins than you
• have more reliable hardware and systems than you
• have lower overhead costs than doing it yourself (probably the biggest motivator)

Given that an outsourced backup provider is only as useful as the above 3 services it provides, it’s important not to choose solely based on cost. Their value decreased rapidly with the possibility that they may not be as big and distributed as you thought, they have less expertise than you thought, or even if they get taken over in an acquisition. Hence, this list immediately, unconsciously recommended only Tier 1 backup providers like Amazon S3 who we know are a) experts and b) will be around as long as we need our data.

With all that out of the way, the big question becomes: Would I use it? And the answer is: absolutely not. First let me state that I’m a little bit of a hypocrite as I obviously outsource my e-mail, and for some reason, all of us completely underestimate the confidential nature of our *communications* online relative to the *stored* data on our hard drives. Even when we recognize this, there is little we can do to protect the confidentiality of our e-mail in the hands of others as the medium is incredibly difficult to encrypt.

So why not backup? I’m not at all comfortable with the level of control or the level of visibility of my data. All I can do to check on my backups is log in to S3 and see that they are still there. I don’t know if one more HD failure will pop them into nonexistence, I don’t know if they’ve been compromised, I don’t know if they are planning downtime, I don’t know if they are rebuilding part of their infrastructure, I don’t know anything. In other words, I am not in control of the risks I *have to* accept when using their service.

Contrast this to the Linux NAS in my apartment, where I control the level of risk I’m comfortable with. I can see when HDs fail (none have, go Seagate!), I can SSH in and view logs if I think I’ve been compromised, I’m in complete control of what I do with it. If I want more reliability, I can add another hard drive. If I want less, I can kick it really really hard when I get angry. If my appliance dies, I can take the HDs to Ontrack and get them recovered. You can’t do, control, or even know about these things with an outsourced provider.

Hopefully this will give you enough information to make an informed decision regarding how you want to backup your data.

-Dan

1. Use an email as the username.
2. Provide tight restrictions on the password creation (Decent minimum length, requirements of alpha+digits)
3. Log unsuccessful logins and password changes

I’m sure you can see where I’m going with this, but if the service is popular the users will always first try their other common passwords until they list their entire mental list of every password they generally use (which most likely do not match the ones they came up with to register with the site), thus collecting credentials of other services the users are members of (A few google searches of their emails, or just the user-name part of the email will reveal most services they are members of.)

I am going on the basis of the idea that most people (or the ones I’ve spoken to) believe that some data like failed authentication attempts, passwords that were changed, and accounts that were removed are erased from existence after the event, but in today’s world of virtually limitless storage and facile logging mechanisms, why wouldn’t administrators log everything that goes through their systems?

I have never heard of such a harvest vector and was thinking of ways to protect from this. Using a password manager like PassSafe can reduce failed attempts and randomly generate a fresh password, but careful attention has to be paid to keep that database secure. Whichever method you use, the goal is to not supply data to a third (or second) party without them needing-to-know.

What I think would be a useful public policy is to mandate the junk mailers to put all personal information on a single, easily identifiable paper (I would go as far as to suggest use fading ink that will disappear after a certain date, but I am not going to go that far today) so that it is easy for us, the general public, to destroy our private information, which you have gathered without our permission in the first place. Why can’t SFS/ISIS send out a letter to our State Senators about this? Isn’t it worth it?