Posts Tagged ‘gmail’

Does (Spam|Phishing) Filtering == Email Censoring?

I was reading about the Gmail Labs option to display a key icon if the sender's domain is signed using DKIM and the sender is eBay or PayPal. This allows you to quickly verify that the email is legitimate by looking at the icon. Now it apparently takes some work for a domain to be "super-trustworthy", so this key can't just work for any domain. (I suggested two types of keys, one for all DKIM-signed emails and one for these "super-trustworthy" DKIM emails -- almost like SSL vs EV SSL, though it kinda hurt to say that.)

Anyways, to get back on track, as I was reading some of the comments on the Google Group, I came across this one, 'Censoring my Email'. It actually made me stop and think for a second. On one hand Gmail is indeed censoring the email you see, however they're doing it to filter spam... is it really censoring at that point?

I think we first need to consider what's being filtered. Any email from paypal.com or ebay.com (or their international counterpart domains) must be signed with DKIM. If Gmail can verify the DKIM signature, it delivers it to your inbox, however if they can't they send it to /dev/null. How much spam does this filter? Well, basically anyone who's set their own 'MAIL FROM' response to paypal.com/ebay.com. People who set their name to 'PayPal Support' with an email address of paypal-support@gmail.com will not be filtered and will show up as just 'PayPal Support' unless the recipient clicks 'Show Details'.
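To make the filtering rule concrete, here is an added Python model of the policy as described above (my own illustration, not Gmail's code). It assumes the DKIM signature has already been cryptographically verified and takes that outcome as a flag, and it assumes the signing domain (the d= tag) has to match the From domain for the signature to count.

```python
# Added example, not from the post: a model of the Gmail policy the post
# describes. DKIM signature verification itself (DNS lookup, RSA check) is
# assumed to have been done already; its outcome is passed in as a flag.
from email.utils import parseaddr

# Domains whose mail is dropped unless the DKIM signature verifies (from the post).
DKIM_REQUIRED = {"paypal.com", "ebay.com"}
# Domains that additionally get the "super-trustworthy" key icon (from the post).
KEY_ICON_DOMAINS = {"paypal.com", "ebay.com"}


def from_domain(from_header):
    """Return (display_name, address, domain) for a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def dkim_signing_domain(dkim_header):
    """Extract the d= tag (signing domain) from a DKIM-Signature header, or ''."""
    if not dkim_header:
        return ""
    for tag in dkim_header.split(";"):
        key, _, value = tag.strip().partition("=")   # b= holds base64 with '=' padding
        if key.strip().lower() == "d":
            return value.strip().lower()
    return ""


def classify(from_header, dkim_header, signature_verified):
    """Decide what happens to a message: 'inbox', 'inbox+key' or 'dropped'."""
    _, _, domain = from_domain(from_header)
    signed_by = dkim_signing_domain(dkim_header)
    # Assumption: "valid" means the signature verified AND was made by the From domain.
    valid = signature_verified and signed_by == domain
    if domain in DKIM_REQUIRED and not valid:
        return "dropped"          # the post: "they send it to /dev/null"
    if domain in KEY_ICON_DOMAINS and valid:
        return "inbox+key"
    return "inbox"                # anything else is delivered, display name and all
```

Run the spoofed display name case ('PayPal Support' at a gmail.com address) through `classify` and it comes back as plain 'inbox', which is exactly the gap the paragraph describes.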

Now imagine that you're a non-technical Gmail user who's read an article saying that paypal.com/ebay.com emails aren't even delivered to you if they are spam (that wasn't quite the wording Gmail used, but it's not hard to imagine it happening). You see an email that says 'PayPal Support' and you're going to click on it (after all, users are trusting... that's why phishing works in the first place). This could cause a lot of problems (maybe this is even why the idea of showing the key for "super-trustworthy" domains came along). So Gmail responds by introducing this key icon... and when you look at it this way, it almost seems required. Yet it was this introduction that made the filtering more evident to people and prompted the comment that sparked this blog post.

So, back to the original question... is filtering spam and phishing emails the same as censoring email? I definitely don't think so. I applaud Gmail for making an effort to limit the spam that appears in a person's inbox (if only they were filtering my personal and work email :) ). However, I disagree with their approach and I see two problems with it.

The first is that they waited over a year between filtering email and providing verification for valid email. This could have led to many cases like the scenario I described above, and since the feature is only in Labs, not everyone will use it, which could lead to many, many more cases like that.

The second is that they filter anything from ebay.com/paypal.com that isn't signed via DKIM. After reading about this I went and set up DKIM on my server to get a better understanding of how it works. It requires trusting two protocols that can't necessarily be trusted, SMTP and DNS. What happens when eBay/PayPal have a DNS issue, restart DNS and it doesn't start immediately... how many potentially valid emails could be dropped? What happens if someone gets it into their head to attack Gmail with DNS cache poisoning? What if someone at eBay/PayPal adjusts a mail server rule and the DKIM header stops being sent?

It's entirely possible that this email is "super-trustworthy" because workarounds have been implemented for every issue I've mentioned above, but that still doesn't protect users who don't have the key icon yet. At this point, I guess the best we can hope for is that this feature spends very little time in Labs before being implemented across Gmail.

So in the end... (Spam|Phishing) Filtering != Email Censoring and we should be thankful for it, not fighting it.


How Important is an IP Address?

There's an interesting post on VitalSecurity.org by paperghost. He's talking about a feature in Gmail that allows you to see all IP addresses logged into your Gmail account and even sign out all other users. He has two interesting thoughts in the article: that there's now a privacy concern if an attacker is in your account, and that password protecting this information may be a valid countermeasure. The second thought is disregarded in the same sentence on the basis that the attacker has the password, however if you're the victim of sidejacking, perhaps this is the perfect defense.

I want to discuss the other point... that it's time to be paranoid, throw up the proxies and worry that your IP is being stored. I wonder if your IP address is even an important piece of information these days? I'd prefer if not everyone knew my IP, but at the same time, does it matter?

We mask packet captures because quite often those contain private IPs that could reveal information on infrastructure and available resources. After all, a host named dc.example.com or exchange.example.com probably tells you its exact function. Should we worry as much about public-facing IPs?

Let's picture the attacker and the victim. The victim is likely to log in from one of four places... Work, Home, Mobile, Free Wifi. Let's take a look at each of these.

Work - The attacker has access to your email and quite possibly targeted you. This means they're likely to know where you work. A simple search on a site like ARIN Whois will tell me all the public-facing IPs... Sure, this may speed things up... but I'm an attacker, I've got more than enough time.

Home - How often is your home IP targeted by an individual these days? Sure, it may be scanned by bots and sure, you may be targeted by malware, but an individual attacker? Unless they really want something specific from you, your home IP doesn't matter to them. Even if they do want it, having it shouldn't help them; a simple home router for $39.95 from Best Buy is going to keep those open ports from facing the internet.

Mobile - Since this is probably a NAT'ed IP address, what are they going to get... your cell provider?

Free Wifi - The attacker may now know where you are located if you are out and about, but Twitter, Facebook and everything else under the sun already tells them that.

So is an IP Address important private information these days? Maybe if you're breaking the law... but otherwise I don't think it matters.

I fully support the idea of adding password validation to the details section (perhaps even a different password than your login) but I definitely wouldn't want the feature going away... I love it.

The bigger issue will probably come when you can assign names to sessions (and have it link that IP to the session for future ease of use). If your spouse happens to log in and sees another session open that doesn't have 'Office' next to it like your previous ones, especially after you said you were going to be working late... well, then you might have problems.


Gmail Lab’s Reply-to-All

I don't know about everyone else, but I tend to hit 'Reply to All' much more frequently than just Reply. So when the Gmail Labs feature to make 'Reply to All' the default became available, I was rather excited. It isn't much (a simple click on a drop-down) but it made life more convenient and I rather enjoyed it. The other day I replied to an email intended for 4 people and realized that I'd sent it only to the person who sent the last email in the thread. Confused, I went back into the thread and replied again, and only then did I realize that Reply was the default and not 'Reply to All'.

I searched Labs and discovered that the feature was gone; after some googling I came across this link. It contains a very minimal comment stating that it was removed because it was causing issues for people who had enabled it, followed by a series of responses requesting that the feature be brought back. Obviously it was working for a number of people, myself included.

Now, I can accept that in my lifetime the beta tag on my Gmail may never disappear, and I can accept that adding a Labs feature may break my "Gmail experience". What I don't get is how a feature from Labs could be pulled because it's causing some people a bad user experience. Perhaps those people just shouldn't use it. Let those of us who want to take the risk use the alpha release (after all, if Gmail is beta, Labs can only really be considered alpha). I assumed risk when I enabled the feature, I've accepted that... those people who are having issues also assumed risk... let them suffer on their own.

Anyways, this post had two purposes... the first was to inform anyone who hadn't yet noticed that their "Reply to All" feature was gone, and the second to rant about an alpha feature being pulled.


Gmail SSL Fail in Chrome

Romain Gaucher mentioned this on Twitter and I had to post a screenshot for anyone who hasn't seen it... it's awesome.


Labs Feature in Google Apps

This is a "wish post". I'm a huge fan of Google Apps; I love using my @computerdefense.org email address with everything Google, and having it inside of GMail is great. However, there are a number of Labs features that I would love to have access to and don't get because I use Google Apps instead of GMail. So this is a request that Google make the Labs features of GMail available to Google Apps users.

Neat little GMail trick

I learned something rather cool today, and whenever I learn something, I like to share it.

I'm sure everyone is aware of this and I'm the last one to learn about it, but it's cool anyways. Let's say your GMail (or Google Apps) address is example@gmail.com. You can create customized addresses for each mailing list or page you sign up for (for separation, or to see if anyone is selling your address) by using + in your email address.

Example:

example+computerdefense.org@gmail.com will still be delivered to example@gmail.com, however it will contain that unique identifier in the address. This allows you to identify spam that computerdefense.org may generate (of course, that would never happen), or to distinguish incoming email.

Another potential use (especially on the Google Apps side) is for a small business with a sales office. Let's say you have 20 customers; you could easily distinguish between mail from each customer by giving them the following addresses: sales+customer1@mybusiness.com, sales+customer2@mybusiness.com, etc.
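Both uses above (spotting who leaked a tagged address, and telling customers apart) come down to parsing the tag out of the recipient address and comparing it with who the mail is actually from. Here is an added Python example of that (my own code, not anything from Google); the tag registry and the sender domains in it are constructed sample data.

```python
# Added example, not from the post: parse plus-addressed recipients and use the
# tag to spot an address that was handed to one party but is now used by another.
from email.utils import parseaddr


def split_plus_address(address):
    """Return (base_address, tag) for 'user+tag@domain'; tag is '' if absent."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")      # only the first '+' starts the tag
    return f"{base}@{domain}".lower(), tag.lower()


# Constructed registry: which tag was given to whom (sample data for this example).
TAG_REGISTRY = {
    "computerdefense.org": "computerdefense.org",   # a newsletter sign-up
    "customer1": "customer1.example",               # a sales customer
}


def _sender_domain(from_header):
    _, sender = parseaddr(from_header)
    return sender.rpartition("@")[2].lower()


def check_recipient(to_header, from_header, registry=TAG_REGISTRY):
    """Classify a message by the tag on the recipient address.

    Returns 'untagged', 'unknown-tag', 'expected' or 'leaked'. 'leaked' means
    the tagged address was given to one party but the mail comes from elsewhere.
    """
    _, tag = split_plus_address(to_header)
    if not tag:
        return "untagged"
    if tag not in registry:
        return "unknown-tag"
    expected = registry[tag]
    actual = _sender_domain(from_header)
    # Accept the registered domain and its subdomains (e.g. mail.example.org).
    if actual == expected or actual.endswith("." + expected):
        return "expected"
    return "leaked"
```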

As I said, this is probably old news... but it's new to me, so I figured I'd share.


Gmail Google Talk Gone

About 15 minutes ago I had connection problems with my Google Apps account. My web-based Google Chat had disappeared, so I closed my browser and reopened it, but it's gone... completely gone... the Chat tab is even gone inside my settings options.

Anybody got any ideas?

Google Chat has Completely Disappeared

The X represents where the Chat Window normally is and the arrow points to where the chat settings would normally be.

Update:

Alex Word just pointed out that this is back up now. Thanks Alex!
