Google

the Cloud

Tuesday, April 27, 2010 

On the Media is an excellent resource always, but the second segment of the Apr. 23, 2010 episode goes over the lack of protection afforded data in the cloud due to the Stored Communications Act, an increasingly important topic.

Current law allows a very low standard for access to “Stored Communication” such as Gmail or Google Docs or any other “cloud service.” It turns out that Google gets about 20 requests for data a day and if an investigator asks for your email they do not need a warrant to get it.

If you don’t own the hardware, you don’t own the data.

Even if the Stored Communications Act is overturned, any data you store on a remote server such as Google’s, is Google’s and not yours. You have no right to get it back, no rights controlling Google’s dissemination of your data or resale thereof. In many cases there is a click through agreement with the service provider which may, for example, state that certain information will be kept private or not sold, but such clauses are typically superseded by statements claiming the right to rewrite the agreement without notification.

For example, FaceBook might change default privacy settings such that information you stored on their server with the understanding that it would be kept private is later exposed to search engines and indexed and thus made public, thereby increasing search traffic to their site, and thus to their advertisers.

FaceBook did not give, and was not required to give any particular notice. The data you put on their servers is theirs, not yours.

Don’t put data in the “cloud” you don’t want to be public. Google Docs is not a replacement for Open Office on your own hardware. Companies don’t make any money offering you free, private compute resources and storage; these services are profitable by exploiting the value of your information. In the long run it is probably cheaper to buy your own hardware.

Side note: in this excellent episode of OTM, they also cover the GAO’s pooping all over the MPAA/RIAA linkage between guerrilla antitrust (unauthorized copying) and economic problems. OTM also points out the linkage between the asinine ruling against the FCC and Net Neutrality, which is a free speech disaster, and worse still the MPAA/RIAA efforts to create a world-wide three-strikes rule to extort money to replace the money they used to be able to generate with their obsolete business model.

Posted at 20:55:03 GMT-0700

Category: Politics, Technology

Facebook Open Graph Fun

Thursday, April 22, 2010 


More detailed instructions about how to access facebook’s new Open Graph (below). Open Graph is an interesting OAuth based mechanism by which facebook is opening their database to “select” third parties and allowing those parties to read FB cookies and automatically connect to FB and read “engagement enhancing” information about the user such as their social graph, their profile, their news feed, the groups they belong to, their pictures (including all that they’ve been tagged in): just about everything FB knows about them. The details are at this URL.

It is not 100% clear to me yet whether giving the third party access to the facebook cookies, but if the techcrunch article is correct, then third parties can read FB cookies, which are all under the domain .facebook.com and all “send for: Any type of connection” including the “lxe” cookie which is the user’s sign-in email address.

To experiment with Open Graph, first log in to facebook… Read more…

Posted at 14:45:33 GMT-0700

Category: Negative, Reviews, Technology, Vanity sites

Cleaning Out Duplicate IMAP messages

Saturday, October 17, 2009 

Find some great IMAP scripts here.

There are a number of ways to end up with a lot of duplicate messages in an IMAP folder, and while IMAP tends to handle very large stores gracefully, it is possible to hose things.  On my 32 bit server and with Mulberry as a client things get weird after about 15,000 messages in a single folder.

Google does some odd things and at one point a periodic check of my gMail account resulted in about 70,000 messages in a single folder, which definitely caused some chaos.

I thought that was pretty impressive, but my girlfriend just managed to get 144,000 messages in a single folder.  Woo Hoo!!!  High Score.

Anyway, things like the dedup plugins for Thunderbird can just make things worse at that point as they seem to fail gracelessly on very large message counts.

I found that Rick Sander’s perl scripts are the best way out of this difficult situation.  delIMAPdups.pl solves the problem without running out of memory or munging files.  I haven’t had any lost data and just tested by clearing about 1400 dups out of a directory of 15,000 messages (my 2009 store to date).
./delIMAPdups.pl -S example.com:993/user/pass -m INBOX.2009 -p
-m is the mailbox to expunge
-p is purge
-S means use SSL

Posted at 23:49:53 GMT-0700

Category: FreeBSD, Technology

Logicmail send via gmail

Tuesday, September 1, 2009 

Tonight probably wasn’t the best night to try to configure logicmail to send via gmail.  I went through every permutation then found out that gmail is flaking out tonight.  Go Cloud Computing.  Brilliant idea to trust your business to the cloud. Anyway, I did get LogicMail to work.  It isn’t the fastest way to get your mail, but it connects via IMAP to my home server to read (never a problem) which means the client is synchronized with Mulberry (running on 3 computers) and Roundcube webmail and whatever else.

I also sync to gmail using procmail on my server to forward selected messages to my gmail account.  Google’s mobile mail clients are great, but gmail does not work as an imap client and so reply/read status doesn’t get updated on my server, which is the canonical reference.  I can remember for a quick reply, but I forget when I’m using my blackberry in some extended way and then when I get to a real client I sometimes double answer, which can be embarrassing…

LogicMail still has problems with certain TLS authentication schemes, which I use on my server, and so I can’t seem to send through my own SMTP, but thankfully gmail lets me send through theirs with the only penalty being the Return-Path: <youraccount@gmail.com> header.

I used:
Server: smtp.gmail.com
Use Secure Connection: SSL
Port: 465
Authentication: LOGIN
Username: youraccount@gmail.com
Password: *********
(don't use MDS proxy)

Posted at 23:48:50 GMT-0700

Category: Technology

Verisign Cold Calls to Push Pay Certs

Monday, August 3, 2009 

I got an interesting call from 305-800-1000 claiming to represent Verisign. Whoever was calling (“they,” not necessarily Verisign, but I don’t have any reason to doubt that) had reviewed my site and found I was using a CACert certificate, which the caller accurately pointed out generates a warning in most browsers, and accurately pointed out might turn users away for no valid reason whatsoever except that I didn’t pay Verisign for the privilege of using encryption and FireFox penalizes me for not having done so.

They thought I should “upgrade” to a Verisign cert.

I politely explained that I understood that CACert isn’t included in most default browsers and that it should be and that charging for certificates was a scam and that I absolutely would not be switching and I was doing my part to make the web a better place.  Amazingly, the caller actually seemed to understand my off-script rant and thanked me for my time.

I hate the current cert model.  It is totally broken.  People seem to think that certs work as a trust tool and if only you give people big enough, annoying enough warnings they’ll not trust a free, expired (or perhaps even illegitimate) cert.  The problem is that certs are a pain in the ass.  Recently my BlackBerry started telling me Google Maps’ cert had expired.  Did I not use maps until they fixed it?  Would you?  No, of course not.   You just pick through an extra stupid dialog.  The worst thing about the new FireFox update is the real estate wasted on cert validity and the astonishingly annoying “are you absolutely sure you trust this cert?” dialogs.

The only valid reason for SSL is so that when you’re at a coffee shop or on an untrusted network, it is harder for people to sniff your passwords.  That’s it. It completely fails as a validity check, no matter how big and red the policeman warning logo is.  It always fails for a number of reasons:

  1. A bad cert doesn’t mean anything.  “Green” certs are absurdly expensive (they should be free), expire, and are hard to manage so one frequently finds bad certs on known good sites.
  2. A good cert doesn’t mean anything.  All it means is that the site paid and the URL matches.  But even a place like a bank might have dozens of URLs for different parts of their service and so getting a green cert for www.my-bank.com is just as good as www.mybank.com.  If the site looks the same, most people will log right in to either.
  3. Nobody pays any attention anyway.  And they really shouldn’t.

In the end this is a disaster for net neutrality.  There are some interesting debates about FireFox’s new, intrusive dialog boxes.  The cold call I just got is a natural consequence of a FUD policy which in effect reduces internet security to the benefit of people selling certificates FireFox approves.  If it turns out there is financial benefit flowing from the vendors of “approved” certificates to FireFox, I’ll never use it again.   Even without impropriety, I think Mozilla has done a grave disservice to the internet.

Posted at 12:56:39 GMT-0700

Category: Politics, Technology

Cool Tracking Technology

Wednesday, February 4, 2009 

Instamapper.com was a pretty cool solution (until the end of 2012). Nothing radically novel in concept, but it does pretty much just work and with most devices with a GPS.


It’s a little different from Google Latitude, which has a social aspect (your friends) but no history. Latitude is built into Google Maps Mobile 3.0, so everyone will have this on their phone in a few days. That’ll be weird for sure.

Amazingly I downloaded this app this morning at 3.0.0, by the time I’d told a friend about it the release was 3.0.1, and the last person I told got 3.0.2. I guess Google is excited about this one.

Posted at 12:30:05 GMT-0700

Category: Cell phones, Geopost, Map, Places, Technology

Sync Outlook and Google

Sunday, February 1, 2009 

UPDATE: GOOGLE SYNC IS FAIL!

Google sync just stopped working.  I tried all the suggestions including multiple removal and reinstall and even installing the Gears Calendar (why not) to no avail.  Then I tried Mobile Sync and I am happy again.

Google Calendar Sync.

I’ve used Funambol’s outlook client to sync Outlook on one computer with Mulberry’s Calendar on another as part of a complex web of synchronization involving GCal, ScheduleWorld, Funambol, and GCalDaemon, which pretty much worked.

But I just discovered Google Calendar Sync and just in time as Funambol 7.0.7 did not seem to work with outlook 2007 reliably (probably wacky corporate calendar entries, but whatever).  So I switched to Google Calendar Sync. It obviates ScheduleWorld and intermediates directly between Outlook and GCal.  On the minus side, it only syncs to your primary calendar and my old system would sync to my calendar of choice thanks to ScheduleWorld’s cleverness.  But it does work and it is very fast. It is odd that it doesn’t support multiple calendars though, everything else does.

Posted at 03:36:50 GMT-0700

Category: Negative, Reviews, Technology

MD5 Crack: Does It Matter?

Wednesday, December 31, 2008 

Some very clever people have figured out how to create an exploitable real world MD5 hash collision.  It is interesting work and suggests that the value of an MD5 signature to verify a certificate is lower than intended.  In the end the work shows it is possible to spoof a web site in such a way that a browser’s normal security features for detecting false websites are defeated.  But does it really matter?

That presumption, that a CA would be meaningful in preventing phishing or redirection or whatever by uniquely identifying a site as belonging to the entity in question because the user trusts the domain name, is prima facie absurd.  Would you even think about going to www.bofa.com instead of www.bankofamerica.com or whatever?  I wouldn’t; most banks would buy every variation of their name including common misspellings (www.bnkofamerica.com?), so that a misspelling seems to work wouldn’t surprise me at all.  That a misspelling gets a cert thus means nothing either.
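
Both this paragraph and point 2 of the earlier Verisign post (www.my-bank.com versus www.mybank.com) turn on the fact that a certificate only ties a key to a name, so any name-similarity check has to live outside the certificate. An added example, not from the original posts, of such a check using the hostnames mentioned above; KNOWN_GOOD, MAX_DISTANCE and the function names are assumptions.

```python
# Added example (not from the original post): flag hostnames that imitate a
# known-good domain. The certificate cannot do this, so the check is external.
KNOWN_GOOD = ("mybank.com", "bankofamerica.com")  # constructed allow-list
MAX_DISTANCE = 2                                  # assumed typo threshold

def registrable(host):
    """Lowercase and drop a leading 'www.'; real tooling would use the Public Suffix List."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(domain):
    """Remove differences a reader skims past: hyphens and 0/o, 1/l swaps."""
    return domain.replace("-", "").translate(str.maketrans("01", "ol"))

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host):
    """Return (verdict, matched_domain): 'exact', 'lookalike' or 'unrelated'."""
    domain = registrable(host)
    if domain in KNOWN_GOOD:
        return ("exact", domain)
    for good in KNOWN_GOOD:
        if edit_distance(skeleton(domain), skeleton(good)) <= MAX_DISTANCE:
            return ("lookalike", good)
    return ("unrelated", None)

if __name__ == "__main__":
    # Hostnames taken from the posts; each could carry a valid certificate.
    for h in ("www.mybank.com", "www.my-bank.com",
              "www.bnkofamerica.com", "www.bofa.com"):
        print(h, classify(h))
```

www.bofa.com comes back as unrelated: string similarity says nothing about who owns a name, only that two names are easy to confuse.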

Uh Oh, something's wrong.  So what?
Further, what do you do when a cert fails, for example if the CA can’t be identified or the cert is expired or whatever?  Do you back out of the transaction and call the bank to find out what’s going on?  Do you think you could ever reach anyone at the bank who knew?  Send them an email? (which would probably go to the fake bank anyway).  I just accept the cert and move on.

Since CAs and certs are already a complete failure as a proof of identity mechanism, MD5 signature spoofing is also irrelevant for the vast majority of users.

HTTPS is useful for encrypting traffic.  It shouldn’t be used for anything else.  The whole signed CA/Cert thing is an impediment to this useful function for a useless feature that is merely cryptographically entertaining.  Google’s and various browser mechanisms to identify malicious sites are far more effective, although a few users are likely to get scammed before the fraud is identified.

Posted at 16:48:46 GMT-0700

Category: Technology

Calendar Syncing

Wednesday, February 6, 2008 

Like many people, I have to use Outlook. It is by far not my favorite email or calendar system; I use Mulberry personally because it does not suck at all and it has a cool calendar I can use offline. I haven’t quite figured out my own webdav server, so I use Google Calendar to keep track of shared events with my girlfriends and others in my life. And everyone can use Google calendar and it does not suck either, so there’s no reason not to.

But it does create a sync issue. One which can be solved with free software and services by the following fine providers:

I end up using Google as my shared hub, sort of. Technically scheduleworld.com is the hub, but it’s invisible to everyone but me. To get there I use the Funambol outlook plug-in to sync my outlook calendar with scheduleworld.com (following these directions). It is not able to sync directly to Google yet because Google has to do it their way. Fortunately the clever man behind scheduleworld has that figured out. I also sync contacts using funambol to scheduleworld, but Google borked the contact API and so they don’t make it to Google Contacts from scheduleworld any more: scheduleworld does have an LDAP server though.

On the well-designed side, I use gcal daemon to sync my Mulberry calendars with Google (my directions here). I also subscribe to the scheduleworld LDAP server from Mulberry so I can access my outlook contacts from mulberry.

Now, oddly, Outlook’s contact databases are painfully borked and the local address book and global address books do not collaborate at all. Stupid. Unfortunately neither does Mulberry offer an option to sync the local address book to one or more remote LDAP directories, which would be very useful. I think there is still an odd disconnect on the part of developers who tend to work stationary and assume everyone has an always-on connection with very rare moments of disconnect, but as someone who gets on at least 4 planes a week can attest: this is not always the case. Even Mulberry, which is the only IMAP client I’ve found that supports a workable disconnected mode, does not make frequently disconnected mode trivial to use – neither to keep IMAP mailboxes in sync nor to provide off-line lookup of LDAP databases.

But Cyrus is responsive and I am optimistic we might, someday, have a good solution. If not, Adobe Air is pointing the way toward a viable seamless connected/disconnected (or periodically disconnected) world. I think this will become increasingly essential as the world goes to frequently interrupted wireless connectivity. Currently we tolerate wireless (WAN) interruptions because we have to, but that rules out far too much of what we’d like to be able to do and solutions thus far are generally ad-hoc. We need an imperfect WAN connected world that is perceptively as reliable as a wired one.

Posted at 13:41:05 GMT-0700

Category: Linux, Reviews, Technology

DEMO 08 Palm Desert

Friday, February 1, 2008 

Capsule summaries of the companies presenting at DEMO 08 in Palm Desert. 76 reviews continue past the break (click to expand):

Read more…

Posted at 16:55:51 GMT-0700

Category: Reviews, Technology