Tag Archives: thunderbird

Comments on this post are welcome and strongly encouraged.

Service providers such as Gmail, Yahoo, Facebook, Twitter…all of these, they need to offer users a data encryption option that does the following:

  1. It disables the password recovery system, so that no one else can exploit it or any weak links to it to get into our accounts, but if we “forget” our password then we can’t either; and
  2. Our passphrase encrypts a larger key which encrypts our non-public data on their servers with 256-bit AES encryption.

In light of the fact that General Petraeus was brought down by someone other than him or a personally trusted party accessing the data in his Gmail account, I think users need to be handed the keys to their own accounts, and service providers need to give those keys up. By far the most common way for hackers to steal highly important or sensitive data is the “forgot password?” link at any given website. Our email accounts are almost universally used as a skeleton key to our other accounts. Mat Honan’s Gmail, Twitter, and Apple ID accounts were all hacked into in the space of an hour this way, and the hackers deleted all of the data on his MacBook, iPhone, and iPad once they got in.

For services that offer this encryption option, there should be an additional option to unlink all email accounts as well. There are some services that exist already which allow you to open an account for which an email account is optional, but they’re not very common and typically are also obscure and small.

Obviously, this is something that won’t do much with services like Facebook and Twitter, because in order for the service to show tweets or posts to anyone else, they have to be readable by the service provider itself. However, if you’re on Facebook and change a post or picture to be visible to “only me,” the media should be encrypted with your encryption key, then all unencrypted copies deleted from the provider’s servers, including its content delivery network.

Another feature that absolutely needs to be in place is for all mail service providers to support mail delivery and relaying between servers over SSL or TLS, so that plaintext email never goes over the wire without any encryption. If email is stored encrypted on Gmail and stored encrypted on Yahoo! Mail, then the link between them also needs to be encrypted. Ultimately, the amount of time an email spends stored or transmitted as plaintext should be minimized. It would also be nice if mail applications such as Mozilla Thunderbird had built-in encryption for the entire user profile (stored/locally cached mail, stored account passwords, configuration settings, etc.) unlocked by a master password, though most people seem to point to workarounds rather than asking Mozilla to add such support directly to Thunderbird. (What if I don’t want to install full disk encryption software, or can’t do so, or want to use Thunderbird in a portable fashion on a flash drive?)

Yet another feature that would be very nice to have is a “lockdown” feature, where you can log into your encryption-enabled account on a service like Facebook or Twitter, go to some sort of security settings page, press a button called “lock down account,” confirm that you really meant to lock down the account, and all media stored in your account is automatically changed to “only me” privacy and encrypted in one shot, plus any attached “escrow” methods of password retrieval such as cell phones or email addresses are rendered unusable. If you have reason to believe that your data needs to be locked down quickly, having a feature like this is critical.

The biggest downside to this system is that if you lose or forget your password, you lose everything. The most common response to this “downside” will be “that’s a great feature to have!” and I strongly agree: if I don’t want anyone accessing my account, I desperately need to be able to lose the password with no means of recovery. However, another downside is that if someone gains access to your account, they can lock you out of your own data in the same way that you can lock others out. The most obvious answer to this would be some form of two-factor authentication, but adding TFA to the mix implies that if you lose your second factor, you can’t lock down your account or change your encryption password, so it’s a bit of a double-edged sword.

The major reason that “encrypt everything” has not been adopted by knowledgeable users is that it’s not available as an option, and where it is available, you have to jump through ridiculous hoops to get it set up and working. Things like the HTTPS Everywhere extension and Google switching its services to use HTTPS by default are steps in the right direction. The fact that anyone can get online and dig up your maiden name, social security number, city you were born in, first vehicle you owned, and much more within minutes and for small fees means that password recovery options with security questions and whatnot are the equivalent of locking your five deadbolts and leaving the key under the WELCOME mat. Furthermore, if the FBI, CIA, NSA, or some other three-letter agency decides they want to read your mail without your knowledge, there’s nothing at all stopping them from doing so.

One of the big arguments against encryption is that it allows bad people to hide bad things. News flash: bad people can use encryption even if you DON’T allow it. The only thing that happens when you don’t have encryption available is that GOOD people can’t protect themselves and their privacy so easily, but the bad guys have an extraordinary motivation to jump through the extra hoops required and certainly will do so to avoid being caught. This argument against providing encryption has no substance in a practical world.

In summary: Service providers need to give us the keys to our data.

(If you just want the good stuff and don’t care about the story, visit the snd2remote web page. Bottom line: run a listener on the LAN, then on a Linux box type “snd2remote C:/WINDOWS/Media/ding.wav”)

Problem: You’re running applications on a remote Linux system across a LAN, possibly using an X server such as Xming or x11vnc to view them on a Windows machine.  The programs run fine, displaying on the Windows machine, but there is no way to hear notifications on events such as receiving an email or IM. Every program has an option that lets you “run a custom command” on notification events, or has an available add-on that enables this functionality. There is no custom command that makes sounds play on the Windows machine you’re actually using.

Solution: Roll your own solution using free tools that are already available!

I use Mozilla Thunderbird for email and Pidgin for all instant messaging services. For two years, I have sat directly in front of the server at the shop and used these applications. Now, however, I use an old Windows laptop that we can’t sell for technical reasons, along with Xming, to run these Linux apps on my server and show them as apps on my Windows laptop. Unfortunately, as I have been getting busier and busier, I have been forgetting to periodically check my mail window. Thunderbird in Xming has no tray mail notification and no sound on the Windows machine at all; likewise with Pidgin, which (at best) can put a star in the chat window title. However, Pidgin on Linux comes with an option to “use a custom command” for playing sounds. Thunderbird doesn’t, but an add-on easily adds “during new mail notification, run this command” capabilities to it.

So, I know that I CAN do this if I can run a command which plays the sound on the Windows machine, but a brief Google hunt turns up nothing of interest. Oh, I’m sure somehow I can use JACK or some other complicated audio system, but I couldn’t care less about setting that up and dealing with the extra admin overhead if there’s a simpler way!

It takes some real Linux geek thought processes to do, but I figured out a way that, regardless of which machine in my shop I sit at, I can get audio notifications for my Xming apps (or any app that can run a command to play a sound for that matter).  The answer: UDP broadcast the sound you want to play to all the machines on the network.

I created a bash shell script and a Windows NT/2000/XP command prompt  batch file (it uses SET /P which I don’t think DOS/Win9x/Me have) that pair together to trigger sounds on my Windows machine from my Linux machine. An additional constraint which I artificially imposed on myself to minimize the number of required downloaded files was to only use Windows batch commands and not “cheat” by pulling a UNIX-style shell, sed, grep, and other UNIX commands.  This also forced me to learn some ways to do things in a batch file that I had never done before, meaning that not only do I make this easier to duplicate for others, but I’ll be a better Windows admin too.

I had to download the following free tools and Linux packages to make it work (links provided):

Here’s how we do it. The computer which is generating the notification event needs to order the computer at which we’re actually sitting to play some sort of sound. Ideally, we need to be able to play lots of different sounds, too. So, the quick and easy solution was to use socat (and netcat for Windows, since there’s no native socat port) to broadcast the names of sound files to play, receive those broadcast names, then try to play them. Most of the time I spent was actually on file scanning and filtering code rather than making the *cat tools behave nicely.

“snd2remote” on Linux can both listen for events AND broadcast them, and does some fairly clever search tricks to try very hard to play a WAV file that is not valid for the Linux machine as-is.  The Windows version is restricted to batch file commands, which means it’s much “dumber” and therefore needs more hand-holding; most of the clever logic is in the Linux side so the Windows side can afford to be dumbed down.

snd2remote taught me the following lessons and/or has the following nice features:

  1. You can make netcat exit immediately on receipt of a single UDP packet in listen mode by piping an empty “echo” into it. This drastically decreases latency because the 1-second timeout is unnecessary.
  2. The way to remove timeout latency in socat is to specify a “udp4-recvfrom” endpoint instead of “udp4-listen” and also specify the “unidirectional” switch.
  3. Translating to backslashes for dumb Windows batch listeners and letting Linux listeners translate them back to normal forward slashes makes life a thousand times easier.
  4. Making the Linux version assume UNC paths such as \\server\share\path\file.wav equals /home/share/path/file.wav on the Linux side allows the use of a default Samba home directory share as a source for both machines to fetch the same WAV files from.
  5. Letting the Linux script perform quick scans in a couple of obvious locations for alternate copies of the specified file makes it extremely easy to feed Windows-specific paths and have them still play on the Linux listeners without replicating the path to the same file on Windows.
  6. snd2remote in listen mode checks the ROOT of the executing user’s home directory, does full subdirectory scanning of a custom directory (defaults to $HOME/media), and performs the previously mentioned UNC path to home directory translation, in an exhaustive effort to find a playable copy of the requested WAV file.
  7. It’s better to use the shell construct $(commands) than to use (backticked) `commands` because the latter interprets special characters in a way that makes life very painful.

By running “snd2remote -l” on a Linux box or “snd2remote-listener.bat” on a Windows box, any other Linux box on the LAN can broadcast a sound event to all listening computers with a simple command:

snd2remote [-q] /path/to/file.wav

For example, to play the classic Windows “ding” on all listeners:

snd2remote C:/WINDOWS/Media/ding.wav
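To make the listener-side logic from lessons 3 to 7 concrete, here is an added shell sketch of how a received name such as the one above gets translated and hunted down; this is my illustration, not the snd2remote script itself, and the port number, the aplay player and the "first hit wins" search order are assumptions.

```shell
#!/bin/sh
# Added illustration, not the snd2remote script itself: the path translation and
# search steps a listener applies to a received name (lessons 3 to 6), plus the
# socat broadcast/listen one-liners (lesson 2). Assumed: port 4444 and aplay.
SND_PORT="${SND_PORT:-4444}"          # constructed; the real script's port is not given
SND_MEDIA="${SND_MEDIA:-$HOME/media}" # custom media directory, default as in the text

# Windows backslashes become forward slashes, and a UNC path \\server\share\x\f.wav
# is assumed to be the Samba home share, i.e. /home/share/x/f.wav on this side.
snd_normalize_path() {
    p=$(printf '%s' "$1" | tr '\\' '/')    # $(...) rather than backticks (lesson 7)
    case "$p" in
        //*/*) p="/home/${p#//*/}" ;;       # strip the leading //server/
    esac
    printf '%s\n' "$p"
}

# Look for a playable copy of the requested file: the translated path as given,
# then the bare filename in $HOME, then anywhere below $SND_MEDIA (subdirs included).
# Prints the first hit; returns 1 when nothing usable is found.
snd_find_file() {
    p=$(snd_normalize_path "$1")
    base=${p##*/}
    [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    [ -f "$HOME/$base" ] && { printf '%s\n' "$HOME/$base"; return 0; }
    hit=$(find "$SND_MEDIA" -type f -name "$base" 2>/dev/null | head -n 1)
    [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }
    return 1
}

# Sender: translate to backslashes so a batch-file listener can use the name as-is,
# then broadcast it as one UDP datagram to the whole LAN.
snd_broadcast() {
    printf '%s' "$1" | tr '/' '\\' |
        socat -u STDIN "UDP4-DATAGRAM:255.255.255.255:$SND_PORT,broadcast"
}

# Listener: udp4-recvfrom with -u (unidirectional) returns after a single datagram,
# so there is no timeout latency; resolve the name and play it if a copy exists.
snd_listen() {
    while name=$(socat -u "UDP4-RECVFROM:$SND_PORT" STDOUT); do
        f=$(snd_find_file "$name") && aplay -q "$f"
    done
}
```

Source the file and run snd_listen on each receiving box; a sender then calls snd_broadcast with the same path it would pass to snd2remote.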

If you are interested in the internal workings of these scripts, they are heavily commented to explain in detail what is going on.  Lots of shell/command interpreter constructs and command combinations are used in them which I had not needed, or had rarely used, before; therefore, these scripts would be a good starting point to nudge your way into some interesting scripting.

The code has grown too long and complex to document everything here, but it is freely available at the c02ware snd2remote page.