Who is Tracy Reed?

I am a Cyber/Cloud/Information Security Engineer, an Airline Transport Pilot rated pilot, and a traveler. I am interested in all aspects of computing and technology in general, especially Linux and Free Software. As a professional pilot I can be found somewhere over the skies of the southwestern US most weekends.  As a traveler I have been to many interesting places. Check out my photo gallery. Want to get me something cool? Check out my wish list!

You might enjoy the flying videos I have on my YouTube channel.

And here is my LinkedIn.



Yahoo/GMail/Hotmail etc. all suck and I renew my vow to never use Windows

by Tracy R Reed — last modified Jan 01, 2009 11:48 PM

or perhaps this entry should be called "Why is there such a lack of professionalism in some places?" or "Why give up all control of your email?"

A friend of mine in Vietnam had a cablemodem installed in her place a few months back. Unfortunately the person who installed it was a very unprofessional young man. She is a hot chick and he was gawking at her the whole time, asking her personal questions, etc. He had to come back once or twice before the cablemodem finally worked properly. Then he started IM'ing her. He started knowing things he should not. Eventually it was determined that while he was setting up the cablemodem he had installed spyware, including a keylogger, onto her computer and basically took over her whole online life. What a nightmare! She complained to the cable company and the guy got fired but that does not get her information back. Now they are just waiting for the extortion letter. No joke.

The moral of the story is do not use any free webmail service for anything even remotely important. This may seem obvious to many people but many more still don't seem to realize the implications. Do not store or send any info on a free webmail service that you would not want posted on the bulletin board at work.

The big problem is control. Who has the real ultimate control over your webmail account? Whoever owns the hardware it is hosted on, which is invariably a big corporation who doesn't give a care about you the individual. My friend emailed Yahoo a number of times about getting her account either restored to her or deleted entirely but they get a million requests like this every day and completely blew it off. There is no reliable way for her to prove who she is to Yahoo. She set a "security question" years ago to be used in such an event when she created the account but no longer remembers the answer.

So what is the answer? The answer is to only use email accounts with someone you can hold directly accountable. When using free email they are under no obligation to do anything for you. When you use your local ISP's email account you can always show up at their office with your ID and prove your identity and have them reset your password. Or if you are technically inclined (most of the people who read my humble blog probably are) you can do like I do and run your own mail server. Or you can ask a trusted friend for an account on their email server which they are likely to happily provide as it costs them nothing.

Which leads me to the second part of my rant: Windows is a completely insecure piece of garbage which I will never use for anything. And I am determined never to enter my password into any sort of Windows box again since you can never tell if a keylogger has somehow been installed. I am looking into some sort of one-time password system to use as well. This is where you carry around a list of passwords in your wallet and the system accepts each one only once and then it is never to be used again so it does not matter if someone snoops it. Then I could occasionally enter my password on a Windows box and not have to worry about it being stolen. Since the keylogger incident my friend has started migrating to Linux. She finds it relatively easy to use for her common tasks but needs some hardware upgrades to run Fedora Core 5 seeing as how she has been running Windows 95 or 98 which has more modest hardware requirements.


Not too sure about this

Posted by Joshua at Jan 01, 2009 11:32 PM

I use a webmail, but only one, and for years eschewed them entirely, until Google came out with Gmail. Even then, I didn't use any webmail until I didn't have a shell/email account anymore (from a trusted friend :P ). Also, I can't beat Gmail for uptime and availability, and I think that if one uses strong passwords, and changes them enough, webmail is fine. I've used it to no detriment for a couple years now.

Further, as has been pointed out, your hapless friend was taken advantage of due to a lack of paranoia (not watching everything this weasel did), a lack of technical acumen (e.g. needing someone else to set up her cablemodem, to configure her host to use it which should only require either setting the stack to use DHCP or statically defining whatever the IP settings are should be sufficient).

I also disagree that you can never tell if there's a keylogger on a Windows machine...

The problem is accountability

Posted by Tracy R Reed at Jan 01, 2009 11:32 PM
Even if you simply forget your webmail password, who is accountable to verifying that you are who you say you are and restoring your access? With a big webmail provider the answer is nobody. And as far as OS security goes I've never run into a console keylogger on a Linux box. I've seen plenty on Windows. How can you tell if there is a keylogger on a Windows machine if the kernel itself is subverted to tell any antivirus/spyware software whatever it should normally get upon inspecting the system?

Personal experience

Posted by Joshua at Jan 01, 2009 11:32 PM

Well, on the first note Gmail has a perhaps-too-stringent verification process. For example, even getting to a deceased relative's Gmail requires a death certificate for them, ID for you, and a notarized letter granting you permission in the event of their death to get into their e-mail. For living beings there's surely a process as well. On to more interesting questions...

There's a few ways of catching kernel mode rootkits on a Windows box. One is detecting all their happy hooking, which usually catches an heuristic engine's eye. I've seen it work. Another is that you don't have to use the OS itself to check the filesystem (using an API). You can a) make yourself a driver or b) make your own protected partition, increasingly what desktop agents do, seriously, and then a) you're not asking the subverted OS about some file that's probably hiding its existence from the OS (this assumes you have a signature for the file of course, which polymorphing tools like Morphine can help hide) or b) you can look at the filesystem or kernel externally (as a driver not asking the OS, or big hassle, from a liveCD) and compare responses when using an OS call. Differences are, well, giveaways of hiding behavior, which are usually interesting in themselves. I could go on on this...

There's ways around some of these ideas, but there's ways around those detection countermeasures, and so on. Bottom line, I can do it, it can be done.
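The comparison described in the comment above (an external look at the filesystem versus what the running OS reports) can be sketched as follows. This is an added example, not code from the post or its commenters; the function names `snapshot` and `cross_view` are hypothetical, and it assumes the same script is run twice over the same volume, once from trusted boot media and once on the live system.

```python
import hashlib
import os

def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 as reported by
    whichever OS is running this script. Unreadable files map to None."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                view[rel] = None
                continue
            view[rel] = h.hexdigest()
    return view

def cross_view(trusted: dict, live: dict) -> dict:
    """Compare the view taken from trusted boot media with the view the
    running OS gave. Entries the live OS omits are the hiding giveaway."""
    both = set(trusted) & set(live)
    return {
        "hidden_from_live_os": sorted(set(trusted) - set(live)),
        "only_in_live_view": sorted(set(live) - set(trusted)),
        "content_differs": sorted(p for p in both if trusted[p] != live[p]),
    }
```

Files that legitimately change between the two runs (logs, swap or page files) will show up under `content_differs`, so take the two snapshots close together and triage that list by path.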

There are plenty of Linux keyloggers

Posted by Anonymous User at Jan 01, 2009 11:32 PM
Simply search for "linux keylogger."

The exact same scenario could have occurred on Mac OS, Linux, or Windows. The operating system isn't the issue.

Frankly neither is webmail. If someone's installed a remote control application on your system, all bets are off. They have total control. They can do anything you can do.

The moral of this story is don't let people you don't trust use your computer.


Posted by Anonymous User at Jan 01, 2009 11:32 PM
What a goddammed whiner!
Get some cheese with that whine peckerhead.

Your friend forgot the answer to Yahoo's secret question!
What kind of dumb ass does that?
Also, how in the hell is that Yahoo's fault?
Just quit using the account or "block" all incoming mail.

Why weren't the police called when you discovered what the tech had done?

Updating Key

Posted by Sam at Jan 01, 2009 11:32 PM

One-time-use passwords are an interesting idea. The problem, however, is managing and storing those passwords for those off occasions you see yourself stuck in front of a Windows machine at a password prompt. I recall managing an AOL store for a company I worked for some time ago (back when e-commerce more or less required you to have a shop on AOL's network). I believe it was 1999. In any case, if you had a merchant account you were provided with a key fob that had a small display on it which updated an 8 digit code on a 90 second interval. That code was used to log into the management account. Could be an alternative to relying on access to a list of one-time-use passwords... unless you left your keys at home because you rode your bike to work.

Updating Key

Posted by Tracy R Reed at Jan 01, 2009 11:32 PM
My plan is to just print out 20 or so OTPs on a piece of paper and keep it in my wallet until I need it. I'm pretty good about always having my wallet on me. Require the code on the paper to be concatenated with another code you have memorized and don't write your username and hostname down on the paper and you are pretty safe even if your wallet gets stolen. I have used those key fob thingies before. They are usually SecurID key fobs. Nice, but rather expensive.
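The wallet-list scheme from the post and the comment above (a printed list of single-use codes, each combined with a memorized code) could look like the following. This is an added example, not code from the post or any commenter; the names `enroll`, `challenge` and `verify`, the numbered-challenge design and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # skips look-alikes such as 0/o and 1/l/i
ITERATIONS = 100_000  # PBKDF2 cost; slows guessing if the server table leaks

def _digest(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def enroll(pin: str, count: int = 20, length: int = 8):
    """Return (codes for the paper list, server state). The server keeps only
    salted hashes of PIN+code, so the stolen paper alone is not enough."""
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        codes.append(code)
        records.append((salt, _digest(salt, pin + code)))
    return codes, {"next": 0, "records": records}

def challenge(state):
    """1-based number of the paper code the server expects, or None if exhausted."""
    return state["next"] + 1 if state["next"] < len(state["records"]) else None

def verify(state, submitted: str) -> bool:
    """Check PIN+code against the expected entry; a correct code is consumed."""
    if challenge(state) is None:
        return False
    salt, expected = state["records"][state["next"]]
    if hmac.compare_digest(expected, _digest(salt, submitted)):
        state["next"] += 1  # never accepted again, so a keylogged copy is useless
        return True
    return False

if __name__ == "__main__":
    paper, server = enroll(pin="4271", count=3)  # constructed sample PIN
    print("print and keep in wallet:", paper)
    print("first login ok:", verify(server, "4271" + paper[0]))
    print("replayed code ok:", verify(server, "4271" + paper[0]))
```

A keylogger still captures the memorized part on first use, so a real deployment would also rate-limit failed attempts and re-enroll with a new PIN once the list runs out.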

How is Windows less secure than Linux?

Posted by Yaytay at Jan 01, 2009 11:32 PM

In your example the key logger was installed whilst the ratbag had unlimited access to the machine. In such a situation a key logger could just as easily have been installed on a Linux box.

The moral is not to never run Windows, but to never allow someone you don't trust access to a machine that contains things you care about.

PS. There may well be other examples of why you shouldn't run Windows, it's just that this isn't one :)