This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 2 April 2020
      oh, hang on. That was a ReTweet from @wilkieii@twitter.com But you're still invited to make that presentation!
    • New note by bobjonkman 2 April 2020
      ...and you'll make a presentation at an upcoming @KWLUG meeting, right? On the very platform you're presenting about!
    • bobjonkman repeated a notice by hubert 2 April 2020
      RT @hubert ♲ @matrix: RT @wilkieii@twitter.com Successfully using entirely self-hosted+federated Riot/Matrix/Jitsi/Etherpad/PeerTube to host lectures, teleconference with students, answer questions in chat, and collaboratively edit their code. Write-up is incoming. Once I take a nap. 🐦🔗: twitter.com/wilkieii/status/12…
    • Favorite 2 April 2020
      bobjonkman favorited something by hubert: ♲ @matrix@mastodon.matrix.org: RT @wilkieii@twitter.comSuccessfully using entirely self-hosted+federated Riot/Matrix/Jitsi/Etherpad/PeerTube to host lectures, teleconference with students, answer questions in chat, and collaboratively edit their code. Write-up is incoming. Once I take a nap.🐦🔗: twitter.com/wilkieii/status/12…
    • New note by bobjonkman 22 March 2020
      He'll never find it again. But you get a tree!
    • New note by bobjonkman 22 March 2020
      Ja, ich bin hier noch. Aber meine timeline ist oft zwei oder drei monaten langzam...
    • Favorite 27 February 2020
      bobjonkman favorited something by showerpickles: imagine an internet that was ran like a utility. one where it was the norm to run a little box server at your home that you run your services on (email, mastodon, file storage, etc), and there was a whole industry of unionized repair people who would come to your […]
    • Favorite 27 February 2020
      bobjonkman favorited something by douginamug: One of the core 'demands' of #ExtinctionRebellion is to set up a #CitizensAssembly. This is not a new concept: #sortition has been around since Athens.I find a lot of people worried about trusting 'normal people' to make big decisions. I would love to have a CA as one of the […]
    • bobjonkman repeated a notice by douginamug 27 February 2020
      RT @douginamug #ExtinctionRebellion session @ #35c3 is FULL! One third of the people sitting on the floor 😂 Amazing to see a room full of hackers excited to join the cause. There's enthusiasm to help non-techy people switch to #signal, #mastodon & #nextcloud ⚡ 💻 🌐
    • Favorite 27 February 2020
      bobjonkman favorited something by douginamug: #ExtinctionRebellion session @ #35c3 is FULL! One third of the people sitting on the floor 😂 Amazing to see a room full of hackers excited to join the cause. There's enthusiasm to help non-techy people switch to #signal, #mastodon & #nextcloud ⚡ 💻 🌐

Why I’m an E-mail Luddite

Posted by Bob Jonkman on 2nd October 2013

Statue of a Luddite

Luddite Memorial, Liversedge

The pervasive expectation of HTML everywhere came to light in a recent e-mail exchange:

Him: Bob, have a look at this video: LOLcats at work

Me: Did you intend to send a link with that?

Him: Yes, here it is: LOLcats at work

Me: Sorry, still no link. Remember, I don’t receive HTML e-mail…

Him: Wut? I’ve never heard of someone not receiving HTML e-mail!

E-mail was never designed for HTML; it is intended to be a plain-text medium. HTML is merely cobbled on, and mail clients have no standard way to render HTML messages, resulting in different displays on different mail programs. Some mail programs, especially those run from the command line, can’t show HTML rendered messages at all.

Although I use a graphical mail client (Thunderbird), I choose to not display HTML for two reasons:

1) Security: HTML mail can have Javascript code or other objects embedded. That’s a great way to get virus infections on your computer. I don’t want any code running on my computer that I didn’t put there myself.

2) Privacy: HTML mail that links to external images allows the owner of those images to track your mail usage: When you open the mail, how often you open it, the location you open it at, what computer you’re using, and whether you forward it to others (and then, when they open the mail, how often, their location, &c).

Not to mention that HTML messages are far bigger than text messages, especially when the HTML contains embedded images, fonts, and other stuff. Now, that’s not such a big deal with fast connections, unlimited download caps, and cheap disk drives, but it will still make a difference on small-format devices like phones and watches.

That said, if you do send me HTML e-mail, be sure to embed any images or LOLcat videos. That way I can still view them as static attachments, without revealing when, where, and how often I view them.

For more info have a look at the Wikipedia article on HTML e-mail

–Bob.

You can send HTML e-mail to Bob Jonkman at bjonkman@sobac.com

The Luddite Memorial, Liversedge by Tim Green is used under a CC-BYCreative Commons — Attribution 2.0 Generic — CC BY 2.0 license.

Tags: , , , , , , , , , , , , , , , , , ,
Posted in email, privacy, security | 1 Comment »

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on 18th November 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

Tags: , , , , , , , , , , , ,
Posted in email, Internet, spam | 1 Comment »

 
Better Tag Cloud