Posts filed under ‘Software’

More Reasons To Shun Webmail and Use XMPP

This is a follow-up to an earlier entry about webmail and why I was ditching it. Also recommended: Thunderbird and GPG.

Background

I had set up the computer of someone I know in real life: hid Internet Explorer, installed Firefox and Opera, and set things up to generally block things from domains other than the one the person had gone to. You know, just the basics that everyone’s computer should be set up to do.

I get called over because “Gmail doesn’t work.” They did a site redesign, but I never see the site because I don’t use webmail. It turned out that part of the problem was that Google added more domains, and downloading an attachment caused it to be sent from a different domain, which was blocked. The rest of the problem was that the new layout is not friendly to those users who have both high volumes of current messages and large backlogs of stored messages.

This sparked thought about the problems that webmail causes, which those of us that use clients do not see.

Not My Problem: I Do Not Use Webmail

In Thunderbird or Claws-mail, I don’t have to deal with tactical support for ad servers. Attachments are downloaded with the messages that they are attached to, and able to be opened at my leisure.

Because I use clients instead of webmail, I don’t have to be concerned with someone limiting the number of messages I can view at once in order to push me to search instead of organizing and cleaning up messages. I can immediately receive messages from multiple accounts without the long log-in and wait for a ton of JavaScript to load, so it can download and render the page that characterizes webmail.

I did discover that I still had some Yahoo Mail accounts from as far back as 1997. Since Yahoo does not support client access (except for paid accounts, I believe), I have no reason to ever use them, so I’ve closed 75% of them and have started clearing out all connections to the last one.

Best of all, I can use GPG signing on the one account for which I still remember my passphrase.

Encryption Important

If you read yesterday’s entry and followed the link to Thistleweb’s original post, you’re starting to understand that encryption is foundational to the establishment and preservation of computer and online freedoms. I do not have any inside information, but I assume that there is some government agency which can, with reasonable effort, crack any encryption you and I might use. Encrypting your communications may dissuade most agencies from “fishing expeditions,” but once you’ve gotten priority attention, they’ll know in an hour or two what you’ve been saying.

One reason we should be encrypting our communications is that the corporations who act as hubs for our data typically offer to handle that data for zero-price, in exchange for advertising. Advertisers, in turn, want more and more of your personal information, sometimes including the content of your communications, in order to target their ads at people who are going to be interested. Personally, I do not believe it works very well. An ultra-targeted advertisement is spooky, and tends to chase people away. Be that as it may, once all the sporting goods chains have a copy of your plan to go skiing next December, you have no clue what they will do with that information. As privacy policies may be changed at any time without notice, they are not worth the paper they are written on.

Now imagine if you and your friends use PGP or GPG in your client, so that your mail service cannot read your messages. That means that the mail service cannot sell or rent that information to their advertising partners, and that sporting goods stores and home security alarm companies won’t be calling you with their offers. It means that the mail service’s director’s nephew won’t show up and ask your boss to “temporarily” assume your job during a trip that your boss does not yet know about. It means that the Keep Snow Pretty Coalition will not show up at your door (and your workplace) to protest your plan to fill some snow with ski tracks.

Now, that is all exaggerated, but the fact is, any information an organization collects will eventually be stored; any information an organization stores will eventually be misused. Encryption is your tool to help prevent the misuse or abuse of your information, and webmail is not designed for end-to-end encryption, but instead to allow the service provider to access, utilize, and present your data as they see fit.

I should add that most proprietary instant messaging services have similar issues. First of all, many of them are presented inside the service provider’s webmail service. That means that everything you send may be subject to monitoring (even after-the-fact monitoring, depending on how long the service stores messages), just like your e-mail. Their client applications are likewise advertising tools, although I’ve never seen any indication that IM contents are being fed to advertisers for targeting purposes.

Instead, I’ve found that I prefer to use Jabber / XMPP. XMPP does not have a central service provider, although Gmail / Google Talk instant messaging and Facebook’s IM are both said to be powered by XMPP. There are plenty of public providers, such as Jabber.org, Tigase.im and comm.unicate.me. One of the most important things you should do is ensure the client software you use supports both encrypted connections to the server and especially OTR. With OTR, you have some assurance that your messages are going to the correct person, with no one else reading them.

Special thanks to DuckDuckGo. When writing these posts, working the duck really helps my research.

Thursday, 2012-August-16 at 05:22 1 comment

Tech Privacy Rights As Fundamental As Gun Rights

Your private data isn’t a physical product. If someone steals your laptop, you can get a new laptop, or get it returned. It may have sentimental value, but it’s just a replaceable physical item. Information is not something that can be returned.

The value is not in the laptop, it’s in the private data contained within it. Do you have images or videos only meant for your eyes or your partner’s? If your laptop is stolen, count on those being shared online, count on the fact that anyone you see in your day-to-day life may have seen them, and recognize you from them. Still think that can be reversed and no harm done if you get your laptop back or get a replacement?

Wednesday, 2012-August-15 at 13:26 1 comment

On SOPA, PIPA, and Copyright Maximalism: How We Must Respond

Joel Spolsky – Google+ – Two things about SOPA/PIPA and then I’ll shut up 🙂 (1) …

(1) The internet seems to ignore legislation until somebody tries to take something away from us… then we carefully defend that one thing and never counter-attack. Then the other side says, “OK, compromise,” and gets half of what they want. That’s not the way to win… that’s the way to see a steady and continuous erosion of rights online.

The solution is to start lobbying for our own laws. It’s time to go on the offensive if we want to preserve what we’ve got. Let’s force the RIAA and MPAA to use up all their political clout just protecting what they have. Here are some ideas we should be pushing for:

  • Elimination of software patents
  • Legal fees paid by the loser in patent cases; non-practicing entities must post bond before they can file fishing expedition lawsuits
  • Roll back length of copyright protection to the minimum necessary “to promote the useful arts.” Maybe 10 years?
  • Create a legal doctrine that merely linking is protected free speech
  • And ponies. We want ponies. We don’t have to get all this stuff. We merely have to tie them up fighting it, and re-center the “compromise” position.

Mr Spolsky is expressing thoughts that all of us should be thinking. In fact, I’ve partially expressed some related concepts before. Only, now that they’ve been expressed, we need to discuss them, modify them as needed, and then implement them. I encourage you to go to his post on GPlus and read the whole thing.

Sunday, 2012-January-22 at 20:18 3 comments

Moving Away From Webmail: Why?

Back in the late 1990s, I encountered webmail services. I quickly signed up for accounts with every service I knew:

  • Yahoo! mail—sponsored by Yahoo!, which had a top-notch human-curated search engine directory
  • Mailexcite—later known as Excite mail—at that time sponsored by Excite and Webcrawler search engines
  • Hotmail—before it became a Microsoft property
  • and over time, various services that went by names like Warmmail, Coolmail, Coldmail, and CoolEmail—these services came and went and sometimes came back under completely different owners

What I liked about them was that I could go to the local college, the state college, or to friends’ homes and still check my e-mail without having to set up client software for each computer I used. This was before we knew a lot of the things we have learned about online security. Passwords were often restricted to 4-6 characters, often either all lower-case or all numeric.

If you forgot the password you used on site ‘X’, you would click ‘Send my password’ and check the relevant webmail account where the password would be sent.

Over time, things changed. Passwords started to require a mix of upper and lower case, along with one or more numeric digits. Then special characters were added. Passwords became longer. And ‘forgot my password’ started taking you through one or more secret questions before sending a password reset link to your e-mail. (No more mailing your password.)

It became more and more time consuming to log into a website, scroll through your new and existing messages to find the ones you choose to read, and write responses as necessary. This would be enough to make me switch back to the convenience of using client software to handle my e-mail messages (at the small cost of more complicated set-up than just typing a name and password into a couple of boxes on a webpage). But this is not even really the problem.

You see, in some areas, we have never advanced. We call it electronic mail, but it is really more like electronic postcards. This means that anyone, anywhere along the chain between you and the other party (or parties) could easily and quickly read your messages. That contract to buy a retirement property in Hawaii? Someone could have grabbed a copy, whipped out their word processor, and read everything in it. Same with that e-mail to your kid’s school about her grades. Didn’t you say they use Social Security numbers as student ID numbers?

You may say that you don’t do anything illegal and you don’t use e-mail to conduct financial transactions, therefore you have nothing to worry about. That is not so. You cannot know in 2012 whether information you “leak” today will become useful to someone who decides to use it against you in 2017 or 2022.

What is the answer? PGP (or GNU Privacy Guard, which is a freedom-preserving implementation of OpenPGP). PGP puts your e-mail messages into an envelope, making it more difficult for someone to snoop on your message. Since the message is electronic, the envelope is also electronic, a type of public-key encryption.

Now, there are some who believe that anyone who encrypts data is doing it because they are doing something wrong or illegal. Those people are wrong. I personally believe that it is patriotic to encrypt your data. First of all, I do not believe that the government would have permitted its use if they had not figured out how to penetrate the encryption, if they are willing to devote enough time and computing power to do so. This means that encryption is not going to protect spying or terrorism. Our government will still be able to see what evil deeds such people are planning.

However, for unimportant people like you and me, people who may occasionally speed on the freeway, but do not otherwise break the law, the government is not likely to invest the effort. Our lives are too boring. There is nothing to be gained. I cannot imagine Jon and Ponch showing up at your door to write you a ticket because you admitted in an e-mail message that you drove 70 in a 65 zone.

I should point out that I have no evidence that our security agencies can read your encrypted messages. It is purely my opinion that they would still be trying to suppress PGP if some security agency had not figured out how to penetrate it. (Disclaimer: I work for a federal agency, but I don’t speak for them and they don’t speak for me.)

On the other hand, using encryption gives you some privacy. While I firmly believe the government can read your encrypted messages, the average computer criminal cannot. And more importantly, the casual observer who inadvertently is exposed to your message is not able to read it. The beat cop who is trying to make his quota cannot read it. The junior high kid down the street cannot read it.

So you and I should be using PGP (or the open source implementation, GPG) for most of our messages. Remember that an envelope only protects its contents in transit. If you’ve got the unencrypted contents sitting on your hard drive, or if the person on the other end has them, all that anyone has to do is gain access to that computer.

It is sometimes convenient to think of encryption like a vault. The locks on 1920s-era vaults probably would not slow modern criminals very much. The locks on current bank vaults are probably sufficient to slow down the majority of criminals long enough for the police to arrive. If you think encryption will protect your secret treasure map forever, you’re mistaken.

Now, once you decide to encrypt your e-mail, you’ll immediately be faced with two big issues. First of all, none of the big webmail providers supports using PGP through their websites. So unless you can get FireGPG working, you cannot do the prudent thing. Secondly, installing and configuring PGP/GPG is somewhat complicated. It isn’t really–some of the most tech-averse people I know today set up similarly-complex software on their computers back in the 1990s–but it isn’t as easy as it could or should be.

Enter GPG4Win. GPG4Win comes with a lightweight mail client (Claws Mail), the GPG, Kleopatra and GPA software to manage the process from creating keys to uploading the public key to a keyserver to signing the keys of others whom you know in person, a file encryption plugin (GpgEX), and an optional encryption plugin for Outlook. Mac users can use GPGTools instead of GPG4Win. BSD, Hurd, and GNU+Linux users can use a somewhat less polished version or KDE’s Kleopatra.

Clearly, though, the process of using PGP and GPG needs to be simplified and streamlined. However, even in their current condition, you and I should be using PGP / GPG. And that means, given that the webmail providers have not figured out how to support it in their interfaces, that I need to pull back from using webmail for most of my messages.

I should also point out that you have to remember your passphrase, or you will not be able to use PGP / GPG. You should probably not create keys that are valid for more than a year or two. I am still learning about it, so I am by no means an expert. It just seems to me that if you forget your passphrase, you want a quick expiration, rather than waiting for years.

Monday, 2012-January-09 at 04:55 5 comments

September, 2010: Revisiting Mail Clients

I wrote about my switch to Claws-Mail about a year and a half ago. At the time, one of my major concerns with Thunderbird was their “only use one sending account” hangup. If you have a variety of business-related and personal accounts, you need to ensure that you don’t send out mail meant for one account through another one. T-bird made it a difficult process to set up, because you essentially had to go through the set-up process twice, and then link the incoming and outgoing accounts together.

Claws isn’t perfect either, so I occasionally look at another client. I recently decided to reinstall the OS on both partitions of my laptop. Since I’m using KDE (most of the time) and occasionally Xfce or LXDE for my desktop environment, I thought I’d give Kontact a try. Kontact, if you haven’t seen it, integrates KMail, the KDE address book, and a few other applications into one whole.

It didn’t make me set up filters, although the whole thing of creating an identity, then creating an e-mail account and assigning that account to that identity is beyond me. So setup wasn’t horribly difficult, and I wasn’t banging my head against the wall. Until I replied to an e-mail message from a friend and found my private, family-only address getting filled with mail enhancement spam (the friend’s computer was infected). It turns out that Kontact / KMail generally uses the “default account” that is associated with the “default identity” for sending purposes. Changing the settings didn’t change this. Immediately, that took the whole KDE e-mail infrastructure off my list.

Past experience with Evolution meant I wasn’t even going to try it. (Incidentally, GNOME, when someone sends an error report, you really shouldn’t post their e-mail address online. I had to close the address I used with Evolution because of this.)

What is so hard about this? Here’s how it works: You have an e-mail address for work-related stuff. You have another one that you give to your friends and to your uncle Fred who likes to send you all the forwarded jokes and political stuff. You have another one that you give to certain family members who have shown that they are responsible. You read messages for that third address whenever they come in, while the other two may have varying waiting periods before you read their messages. The key to making this work is that you should never send a message from account 1 when you meant it to come from account 3.

So I immediately made sure Thunderbird was installed and started the account set-up process. Gmail, Hotmail, independent POP or IMAP, it didn’t matter. T-bird setup automatically did the right thing each time (with POP accounts, it asks you whether you want a single dumping ground or separate folders). One particular service uses non-standard ports, so I had to click “edit” and change that. I was also impressed that T-bird no longer needs an extension to let me accept various services’ changing security certificates.

Now, my next step was (finally) to restore some of my backed-up data. Then I installed Claws-Mail. When I launched, I had a surprise: I had copied my configuration, so it immediately had all my past messages and all my settings.

Claws-Mail doesn’t support sending HTML mail, whereas I’d rather have the capability there with a checkbox to turn it on or off for each message I send. (T-bird uses a per-account model: you choose to send HTML mail, and thereafter, every message you send from that account is in HTML.) I do like the speed and reliability of plain-text e-mail, however, so I am currently using the two side by side. (Three accounts in each client, with no overlap.) It also means that I can have a mail client open without having to accept delivery of every account’s messages. (And I also have four of those six accounts configured on my WebOS phone.)

Now, if only there was a “save to ODF” and “send as ODF” plugin, I’d be glad.

Wednesday, 2010-September-29 at 19:21 1 comment

Can’t Browse Web, Can Ping and E-mail

This one is here so I can find it easily next time. I spent most of a day troubleshooting this before I found the solution.

Situation:
User cannot browse the Web. May be able to browse secured (https) sites, but normal (http) sites blocked. Can ping sites. Can use an e-mail client. Can use Telnet, except for port 80.

  • Check firewall settings, anti-virus, anti-spyware, anti-malware. Run full scan with your security software.
  • Check proxy settings.
  • Connect another computer to see whether there is something filtering out HTTP upstream.

Done all that already? So had I. Then I found this, which led me to this.

Here’s what you can try next:

  1. Reboot the computer into safe mode. If you don’t, you won’t be able to do this.
  2. Log in with a local machine administrator’s account. Open the registry editor.
  3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsdatant and set Start to 3. NOTE: if this key isn’t there, this isn’t your problem and this fix will not help you.
  4. Restart the computer.

In this case, you’re probably dealing with the leftover pieces of a ZoneAlarm firewall installation.

As the HP discussion site above says:

1. Even if you think you never installed ZoneAlarm (like me), still look out for vsdatant.sys, it may be there!
2. You cannot change the registry setting when vsdatant.sys is loaded/running, even if you have Admin privileges. You need to boot your machine in safe mode (with or without networking), and then you can edit the registry setting to disable the driver.
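
The symptom check and the registry change from the steps above, as a PowerShell script run from an elevated prompt. This is an added example, not part of the original post or the HP thread; the test host `example.com`, the `-Apply` switch and the backup file name are assumptions, while the key path and the value 3 come from the steps above.

```powershell
# Added example: report-only by default; changes the registry only with -Apply.
param(
    [string]$TestHost = 'example.com',   # assumption: any host serving HTTP and HTTPS
    [switch]$Apply                       # assumption: hypothetical switch for this script
)

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\vsdatant'
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# TCP connect with a timeout, so a silently dropped port 80 does not hang the script.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Symptom: plain HTTP (port 80) fails while HTTPS (port 443) still connects.
$http  = Test-TcpPort -HostName $TestHost -Port 80
$https = Test-TcpPort -HostName $TestHost -Port 443
"TCP 80 reachable:  $http"
"TCP 443 reachable: $https"
if ($http) { 'Port 80 connects, so this is not the symptom described above.' }

# 2. If the key is missing, this is not the problem and the fix does not apply.
if (-not (Test-Path $KeyPath)) {
    'No vsdatant service key found: this fix does not apply to this machine.'
    return
}
$svc   = Get-ItemProperty -Path $KeyPath
$start = [int]$svc.Start
"vsdatant Start = $start ($($StartNames[$start]))"
if ($svc.ImagePath) { "vsdatant ImagePath = $($svc.ImagePath)" }

if ($start -eq 3) { 'Start is already 3; nothing to change.'; return }
if (-not $Apply)  { 'Re-run with -Apply from safe mode to set Start to 3.'; return }

# 3. The value cannot be changed while the driver is loaded, so require safe mode.
#    Windows sets SAFEBOOT_OPTION (MINIMAL or NETWORK) only when booted in safe mode.
if (-not $env:SAFEBOOT_OPTION) {
    'Not booted in safe mode; reboot into safe mode and run again with -Apply.'
    return
}

# 4. Export the key first so the change can be undone, then set Start to 3.
$backup = Join-Path $env:TEMP 'vsdatant-backup.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\vsdatant' $backup /y | Out-Null
Set-ItemProperty -Path $KeyPath -Name Start -Value 3 -Type DWord
"Backed up the key to $backup and set Start to 3. Restart the computer."
```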

Thursday, 2009-September-24 at 01:50 1 comment

Why Do I Use OpenOffice?

I admit it. I use OpenOffice.org (OOo) at home. I use it in preference to most similar products. I use it because its price is zero and because it is free. (Otherwise, I’d be paying a small amount and using StarOffice.) But if price was the only reason, there are other products out there. KOffice, for example, and both AbiWord and Gnumeric are all zero-price freeware as well as free software. And finally, there is WordPerfect, which remains my favorite office product, but is not available on my preferred platform at any price. There is Microsoft Office, which is what I have to use at work.

I also use KOffice. KOffice is my third favorite office product. I use KOffice when I already have multiple applications open and do not want the dragginess that OpenOffice.org would produce. Whenever that drag is not an issue (e.g., only one other application open), I go back to OOo.

I have access to Microsoft Office 2003 at work. So why do I prefer to wait until after work and use OpenOffice? Because OOo offers nearly everything that MSOffice offers, without being so annoying. One annoyance that I commonly find with Microsoft’s product is the way it changes the interface to hide functionality (menu items, toolbar buttons) it decides you don’t need. It was there last week, but now when I want to use it, it is no longer there. Or how about opening attached documents in “reading layout”? Like it or not, most documents eventually get printed onto paper. When I open an attached document, it is not the content that I am looking for (or it would be pasted into the message body), but the way it looks. Switching to a non-page-oriented display is exactly the wrong thing to do.

In addition, using OpenDocument Format as the default file format helps future-proof my documents. After the current producers of “office software” all move on to something else, will you have the right to create a program to read and manipulate your data in the formats it was saved in? Will you be forced to buy a license from someone? Or perhaps be required to use a particular operating system?

If software is female, WordPerfect is the French maid, OpenOffice is MaryAnn (Gilligan’s Island) and MS Office is the Russian weightlifter. I know which one I’d avoid. This may explain why I question the wisdom of soon-coming MS Ad-infested Office, when others think so highly of it. Or it could be the memory of the old “free dial-up Internet if you view our constant ads” days. I quickly went back to a paid service when the ads consumed most of the bandwidth. Just wait until your print preview requires you to wait 30 seconds while an ad banner dances, sparkles, and sings to you.

Thursday, 2009-May-07 at 20:41 1 comment
