A few days ago I received a spammy email that appeared to be from someone I’ve known for a long time. I was pretty sure that it wasn’t from the individual but maybe a coincidence since he has a common name; that is, until I looked at the email address the message was sent from; it was his Hotmail address. I also found this same message in another of my email accounts.

I contacted him about the messages and he had no idea how they were being sent. Looking at the email headers, one can see that the email was not spoofed, as it actually originated on the Hotmail service. The headers also show that the originating IP address is in Asia. Someone (or an automated process on a server) in Asia logged into my friend’s Hotmail account and sent emails to his contacts and who knows who else.
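The header check described above can be scripted. The following is an added example, not code from the original post: it assumes Postfix-style Received headers and that the provider records the client address in an X-Originating-IP header, as Hotmail's webmail did. The receiving host mx.example.org, the sender address and all IPs are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix-style hop: "from HELO (rdns [ip]) by receiver". The HELO name is
# claimed by the sender; the rdns name and IP are what the receiver observed.
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def make_sample(relay_host, relay_ip):
    """Constructed message; every host, address and IP is a placeholder."""
    return (
        f"Received: from {relay_host} ({relay_host} [{relay_ip}])\n"
        "\tby mx.example.org with ESMTP; Mon, 2 Nov 2009 10:00:01 -0500\n"
        "X-Originating-IP: [203.0.113.45]\n"
        "From: Old Friend <placeholder.user@hotmail.com>\n"
        "To: me@example.org\n"
        "Subject: check this out\n\n"
        "http://shop.example/deal\n"
    )

def analyze(raw, my_mx):
    """Report which host handed the message to my_mx and the client IP."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    result = {"from_domain": from_domain, "handoff_host": None,
              "handoff_ip": None, "sent_via_provider": False,
              "originating_ip": None}
    # Trust only the hop written by our own server; anything older was
    # supplied by the sending side and can be forged.
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold the header first
        if m and m.group(3).lower() == my_mx:
            host = m.group(1).lower()
            result["handoff_host"], result["handoff_ip"] = host, m.group(2)
            result["sent_via_provider"] = (
                host == from_domain or host.endswith("." + from_domain))
            break
    # The provider's record of the webmail client; only meaningful when the
    # provider really relayed the message.
    m = re.search(r"[0-9A-Fa-f.:]+", msg.get("X-Originating-IP", ""))
    if m and result["sent_via_provider"]:
        result["originating_ip"] = m.group(0)
    return result

GENUINE = make_sample("blu0-omc1-s1.blu0.hotmail.com", "198.51.100.7")
SPOOFED = make_sample("mail.unrelated.example", "192.0.2.99")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, analyze(raw, "mx.example.org"))
```

A message handed over by the provider's own servers points to a compromised account rather than a forged From line, and the recorded client address can then be looked up in a geolocation or WHOIS database.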

What Probably Happened
In October, it was reported that the passwords of tens of thousands of users of the Windows Live Hotmail email service were leaked online. Microsoft confirmed that these passwords were obtained as a result of a phishing scheme. If this is the case, any email service could be a target of such attacks. In addition to sites that might pretend to be related to Hotmail to get a user to enter their login credentials, there are an unlimited number of seemingly innocuous websites, many times social networking sites, that ask for email credentials in order to see if the user’s friends are already using their service. In fact, services like Twitter, MySpace, Facebook, and LinkedIn have done this very thing to get more users on their sites. Another factor is trojans that hide on a user’s computer with the sole purpose of stealing passwords.
Spam Isn’t the Real Issue
What many people fail to realize is that when you give away the password to your email account you are essentially giving away the keys to the kingdom. Many users have financial and other personal information stored in their email accounts. New websites pop up every day and there is no way to know how reputable those sites are. Even when the company is reputable, what happens to the data it has collected if it folds?
You Have to Protect Your Data
The weakest link in information security is always the users themselves. Users have to be more vigilant in protecting their information. There is only so much service providers can do if users give out their passwords themselves.
To resolve my friend’s immediate problem, I recommended that he change his Hotmail password and scan his computer for trojans. The real solution, however, is to prevent disclosure of his password – accidental or otherwise. It is also a good idea to change the password periodically.
06 Oct
Rocky Mountain Bank, a small regional bank in Wyoming, has been in the news recently because it sued Google to reveal the identity of the owner of a GMail account to which the bank accidentally sent customer data. In addition, the bank wanted Google to delete that email as well as deactivate the user’s account. Many articles I’ve seen about the incident focus on the privacy of the GMail user.
More concern should be focused on Rocky Mountain Bank’s 1,325 loan customers. The bank sent their names, addresses, social security numbers and loan balances to the “wrong” GMail address. There are just so many things wrong with that statement. Most glaring is how this information could ever be sent to the right GMail account. This bank has opened up 1,325 people to the possibility of the irreparable damage of identity theft.
As a financial institution, Rocky Mountain Bank is bound by regulations meant to protect consumers from having their personally identifiable information exposed. The bank was completely and utterly reckless in the way this was handled. It is likely that the bank could be fined. The bank may even face lawsuits.
What They Did Wrong
They emailed personally identifiable information.
First, personally identifiable information should never be emailed, even if requested. The moment unencrypted data is transmitted over the internet, that data is practically available for all to see. Data is stored at each server it has to traverse to get to its destination. It can also be intercepted by anyone on that route. While RMB focused on that one email account, it is impossible to delete all traces of this data as it could be anywhere by now. If this user is in a country that does not cooperate with U.S. law enforcement and has already downloaded or otherwise saved the email, that user is not subject to any litigation originating from the U.S. This data could already be available on the black market.
They did not use encryption.
If there is no other way to transmit the information other than email it must be encrypted. That data must be encrypted whether it’s at rest (on a hard drive, in a database, on a floppy, etc.) or whether it’s in motion (emailed, FTPed, etc.). This is a very basic principle.
Does anything else matter?
The bank could have also used filtering on outgoing messages to recognize sensitive data being emailed. The bank could have also double-checked the email address that the message was being sent to as well as the actual email attachment. Or the bank could have implemented a secure messaging system so sensitive information never leaves their network. I’m not so sure this is the point, however. That the wrong file was sent, and to the wrong email address, is beside the point. If the bank made a habit of encrypting data and not sending financial records via email, all the other “what ifs” regarding the incident wouldn’t matter.
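The outgoing-message filtering mentioned above can be as simple as a pattern check applied before a message leaves the mail server. This is an added example, not something the bank or the original post describes: the domain bank.example, the recipient addresses and the sample rows are constructed, and matching on SSN-shaped strings is only one possible detection rule.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# SSN-shaped values, skipping ranges that are never issued
# (area 000, 666 or 9xx; group 00; serial 0000).
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
INTERNAL_DOMAIN = "bank.example"  # assumption: the sender's own mail domain

def text_parts(msg):
    """Yield decoded text from the body and from text attachments."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()

def review_outbound(msg):
    """Return (action, ssn_count, external_recipients) for one message."""
    recipients = [addr.lower() for h in ("To", "Cc", "Bcc")
                  for _, addr in getaddresses(msg.get_all(h, []))]
    external = [r for r in recipients
                if not r.endswith("@" + INTERNAL_DOMAIN)]
    hits = sum(len(SSN.findall(t)) for t in text_parts(msg))
    # Hold for human review only when both conditions are true.
    action = "hold" if hits and external else "send"
    return action, hits, external

def build(to, rows):
    """Constructed outgoing message with a CSV attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "loans@bank.example"
    msg["To"] = to
    msg["Subject"] = "Loan statement"
    msg.set_content("Requested file attached.")
    msg.add_attachment("\n".join(rows), subtype="csv", filename="loans.csv")
    return msg

ROWS = ["name,ssn,balance",
        "A. Sample,123-45-6789,15000.00",
        "B. Sample,219-09-9999,82000.50"]

if __name__ == "__main__":
    print(review_outbound(build("wrong.address@mail.example", ROWS)))
    print(review_outbound(build("auditor@bank.example", ROWS)))
```

Binary attachments such as spreadsheets and archives are not inspected here; a production filter would extract their text before matching.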
They covered their butts first.
In requesting these court orders Rocky Mountain Bank wanted the lawsuit sealed. That to me looks like the bank was trying to protect itself hoping the details of this data breach would not be exposed. The bank has most likely reported the breach to its customers but likely not how the breach occurred. What they have done by getting the email deleted, receiving the GMail user’s identity and deactivating that account does nothing to remedy a situation that cannot be remedied. This bank should bear sole responsibility for releasing customer information in such a reckless manner and should be held accountable.
Rocky Mountain Bank found that the email containing the sensitive data was not read by the email account owner. Rocky Mountain Bank has dropped its lawsuit against Google. Bank representatives are certainly relieved but this hardly means the data is not available elsewhere.
The individual entertainment systems on Virgin America all run Linux. I caught some video of the boot sequence.
Virgin America runs Linux on 12seconds.tv
I had the opportunity to trial a Nokia E71x for a few weeks. My first impression of the phone was that it was a lot like a Blackberry in design. It has a full QWERTY keyboard with a navigation button in the middle similar to the Blackberry’s trackball. (Others compared it to a Samsung Blackjack.) I liked the form factor and the metal finish. The phone fit comfortably in my hand and the keys are a good size. The E71x, which runs the same operating system as the Nokia S60, is available on the AT&T network.
Phone
The phone quality is pretty good. I like the loudspeaker mode as it was pretty easy to hear my phone calls. With other phones it has been somewhat difficult to hear on speaker mode above background noise. Another feature I like about the phone is the audible caller ID alert. Though some names sounded strange others were pronounced very well. This is a neat feature though I’d probably never use it in real life.
There was one day when my calls kept dropping but this only happened when talking with one person in particular. It did not happen with anyone else I talked to that day or any other day.
Messaging
The first thing I tried to do after inserting my SIM card was send an MMS message but found that I could not – this is most likely because my AT&T account is set up for my iPhone. The next thing I did was set up Mail for Outlook to use Google Sync to synchronize my calendar and address book. I was happy that my calendar and contacts were synched. Included were photos for any contacts for which I had photos attached in my Google contacts. I then set up Express Mail for two of my GMail accounts and one Yahoo mail account. I was not as happy about the email client since not many emails were displayed and the emails are displayed in plain text format. I also did not like that individual mailboxes were displayed instead of one box containing all email and SMS messages (like Blackberry). The phone also does not seem to support IMAP so I could not organize my mail. It is likely that Mail for Outlook supports multiple folders but I can’t use this with my GMail accounts.
Browser
The browser can render an entire website but not necessarily the same way it would be viewed on a computer screen. Navigation in the browser takes a little getting used to but includes a thumbnail window to see what you are looking at in context of the page. Some pluses of the browser are that it supports multiple browser windows (similar to Safari on the iPhone) and that it supports Flash.
Bluetooth
The phone has full Bluetooth capability. Not only does it allow you to use stereo Bluetooth headsets but it also allows you to access files on the phone via Bluetooth (OBEX). I transferred my images and video from the phone that way. It syncs the address book, calendar, notes, text messages and bookmarks via Bluetooth as well. In addition, I was able to share wifi or other internet connections with other devices via Bluetooth. I did this with my Palm LifeDrive.
Media
The device can play audio files. I was able to play my voice mails that I received in email. I did not use the phone much for audio but there is an included audio player. In addition to audio, the phone plays video. The miniSD slot can be used to expand the phone’s memory to hold more media files. Other helpful apps included are QuickOffice and Adobe PDF viewer which allow you to view various email attachments.
Camera
The E71x’s 3.2 megapixel camera has scene modes that allow you to change the picture taking settings (i.e. portrait, landscape, night, close up, etc.) much like that on standalone digital cameras. There are various settings for flash, timer, white balance and color settings as well. The camera has a light instead of a flash. It stays on a while most likely to prevent red eye. The camera does pretty decent quality video as well. While shooting video the light stays on.
Apps
I installed Qik right away and Twibble (a Twitter client). I tried to install Gravity several times with no success. I eventually installed Google Maps, which I used to find my way to Assateague Island, Virginia from Pocomoke City, Maryland. It is a good alternative to the fee-based AT&T Maps service. I also installed the GMail Java app, Google Mobile and Fring. I definitely preferred the GMail app to the included email client. Fring allowed me to make VOIP calls via AT&T’s 3G as well as wi-fi connections. It also allowed me to connect to Skype and all of my IM accounts.
There are a lot of apps included on the phone including games, XM radio, MobiTV and mSpot Music. I never used them so I offer no opinion of them.
Verdict
I really enjoyed this phone primarily for the media features (i.e. photos, videos, etc). I also enjoyed being able to retrieve the files via Bluetooth. Another feature I liked was the ability to sync my calendar and contacts as I am not one to enter this information into the phone by hand. It’s a pretty decent phone to use for business and for fun.
I’ve received a number of hits regarding my previous Google Sync post so I felt that I needed to give an update. I am no longer connecting my iPhone to a corporate Microsoft Exchange server so I am now able to use Google Sync to manage my calendar and contacts.
Setup was extremely easy. It requires no special software on your computer or phone. All that is required is to set up an Exchange Activesync account using one’s Google email/calendar credentials. Before doing this, however, it is important to back up contacts and calendar on the device and upload this information to Google.
Functionality
If I create a new event on my Google Calendar online I am able to see it on the iPhone calendar application within a few seconds and vice versa. I noticed that changes to contacts seemed to take a few minutes to sync. I now keep my calendar and contacts in sync without 1) having to pay for a service to do this, 2) connecting to the office and 3) connecting my iPhone to my computer for synching.
Limitations
Google Sync currently only synchronizes contacts and calendar items. It does not synchronize mail through the Microsoft Exchange Activesync protocol but instead through IMAP, so two accounts have to be set up on the phone to get both mail and calendar/contact information. The only features that I would like to see added are the ability to sync notes and tasks.
If you still use Outlook you will need to download a separate tool to synchronize Outlook with Google Calendar. The verdict is out on syncing contacts directly, however. Plaxo will synchronize calendar, contacts, notes and tasks with Outlook for a fee.
Google Sync is a good tool for businesses and individuals that cannot afford to run Microsoft Exchange in house especially when used with a Google Apps hosted domain. Google Sync is available on iPhone, Blackberry, Nokia and Windows Mobile phones.