21 August 2008

Secure your GMail

If you're a GMail user (and if you're not, why not?) you should see about securing your GMail connection. This is much easier than it sounds; follow that link and the directions are clear as day.

Elusis informs me that this has become more urgent than you might have imagined.

Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent.
Lest you think Mr Perry is a schmuck, security expert Bruce Schneier explains why he's actually being responsible.
Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.

Unfortunately, secrecy sounds like a good idea. Keeping software vulnerabilities secret, the argument goes, keeps them out of the hands of the hackers (See The Vulnerability Disclosure Game: Are We More Secure?). The problem, according to this position, is less the vulnerability itself and more the information about the vulnerability.

But that assumes that hackers can't discover vulnerabilities on their own, and that software companies will spend time and money fixing secret vulnerabilities. Both of those assumptions are false. Hackers have proven to be quite adept at discovering secret vulnerabilities, and full disclosure is the only reason vendors routinely patch their systems.

To understand why the second assumption isn't true, you need to understand the underlying economics. To a software company, vulnerabilities are largely an externality. That is, they affect you -- the user -- much more than they affect it. A smart vendor treats vulnerabilities less as a software problem, and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute.

Full disclosure does this. Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies -- who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities.

Later on, researchers announced that particular vulnerabilities existed, but did not publish details. Software companies would then call the vulnerabilities “theoretical” and deny that they actually existed. Of course, they would still ignore the problems, and occasionally threaten the researcher with legal action. Then, of course, some hacker would create an exploit using the vulnerability -- and the company would release a really quick patch, apologize profusely, and then go on to explain that the whole thing was entirely the fault of the evil, vile hackers.

It wasn't until researchers published complete details of the vulnerabilities that the software companies started fixing them.

7 comments:

Al said...

Why not use gmail? Because Google doesn't ever actually delete the mail that you "delete" and archives it forever? Privacy, much?

Google stores massive data on people. If you blog through them (hmm), use Google Reader to read blogs, use Gmail, and have Google tracking cookies (and you do), they know whenever you visit a site with Google ads on it, they know what blogs you read, they have copies of all of your posts and they have copies of all e-mail correspondence.

If this doesn't scare you, it should. Even if you trust Google, do you trust them not to hand it over to DHS if given a court order until the end of time?

Jonathan Korman said...

To that last point, if it comes to that level of intrusion, there is no solution that a normal person might use today that is safe.

Al said...

OK, how about this: your local DA thinks you've been talking about stuff in e-mail for charges against you, so gets a court order for your records...

Do you really want Google to have every bit of messaging that you exchange with the world?

They aren't your friend. They are a corporation that will mine all of your data in order to make a buck. Currently, they don't sell it to others but what happens in five years if their stock price tumbles?

I've got Usenet posts of mine from 18 years or so ago showing up in Usenet archives. Luckily for me, I never used my real name back in the day so you have to know how to find it. What will be available on you in 20 years that you might not want in Google's jar?

Conner said...

Privacy concerns are fuzzy, because all email passes through many hands, any of which can choose to save it forever. Gmail doesn't really change this problem one way or the other. The only way around this is end-to-end encryption, a la pgp.

But I personally find the technical argument against using gmail to be much more compelling: "web applications" are an abomination that should not exist.

They invariably result in atrocities like gmail, which behave inconsistently with the platform on which they're being used; inconsistent widget appearance and function, inconsistent menu, mouse, and keyboard access, inconsistent text editing behaviors, even inconsistent spellchecking. Bah!

And in exchange for all this inconsistency of interface, one gets... well, nothing, so far as I can see.

So no, I'm happy to continue to use a civilized imap client, thanks.

Al said...

Conner, that's not true at all (that it doesn't change things). While e-mail is insecure and can be gathered, only hosted services like Google make a point of gathering it all in one place, knowingly, from the moment that the account is created.

The fact that someone, putting themselves in the middle, could gather *some* of my e-mail as it is piped to my server isn't the same as guaranteeing that it is being done (and making it part of the business model, which Google does).

As to IMAP, it is an expensive protocol. It has to maintain state in order to do its work. The argument for web applications is that I don't have to configure anything locally, "it just works." It is just that I'd rather run my own webplication on my own box rather than trust the good intentions of any corporation.

Jonathan Korman said...

“Usenet posts of mine from 18 years or so ago showing up in Usenet archives”

Just so. Everything is archived somewhere. People taking ordinary precautions are significantly exposed whether they use GMail or another solution.

Google's business model depends upon people trusting them as a custodian of their data, so they have enlightened self-interest in protecting my privacy — and they know it, unlike other behemoths like Yahoo and Microsoft. Counting on that is a gamble, but it's a reasonable one given the options available.

“web applications” are an abomination that should not exist

Having been making my living telling people that, I'm embarrassed to find myself rising to GMail's defense on this score, but after twenty years of desktop email clients breaking my heart again and again, GMail has brought me over to the Dark Side with permanent archiving, universal availability, graceful display of threads, good search, and nicely-executed non-exclusive labels. That a web application gives me better interaction design than most of its desktop competitors is an indictment of the entire software industry.

Al said...

You missed who is now showing my old Usenet posts: Google.

They bought an old archive and then made it available online a few years back.

Who is going to get Google's assets after the next dot com crash?