Who is accessing your Gmail account? (antoniocangiano.com)
62 points by duck on June 15, 2010 | hide | past | favorite | 49 comments



Am I missing something here? From their website, it looks pretty clear that Etacts advertises checking your e-mail to remind you to keep in touch with people. Just like I wouldn't be surprised that Mint.com accesses my bank account online, this is hardly as outrageous as he makes it seem. Also, wiping your computer or using 1Password isn't going to stop you from giving your password to random web apps...


I did specify that the IP address is not clearly associated with Etacts, though it turns out that it probably is them. However, that's not the point. My post is an invitation of sorts to check one's Activity Window, plus my suggestions in terms of what steps can be taken when an intrusion is suspected. BTW, the tone of my post was not meant to be outrageous nor accusatory of Etacts.

> Also, wiping your computer or using 1Password isn't going to stop you from giving your password to random web apps...

I'm not incautious with my password in the least. It's generally not hazardous to sign in with Google elsewhere, provided you trust the site. You can make an assessment of the risks and benefits of signing in through your Google account yourself on a site-by-site basis. If you have reason to believe that they've violated your trust or that a security breach has happened, you can revoke access (from that site) and change your password (or even decide to be paranoid and never login elsewhere again).


Changing my password that I've given to a website hardly qualifies as "revoking access". I have no problem using my Google Account as a login mechanism when it's through oAuth or xAuth or whatever Google is using these days for that pass through, but the Facebook give-us-your-login-temporarily style stuff is unacceptable.


the Facebook give-us-your-login-temporarily style stuff is unacceptable

Agreed. IMO, asking for your password when there are APIs readily available is alone enough to disqualify a company from being "trustworthy". Just the idea of keeping a bunch of GMail passwords in some decryptable database is quite a bit scary.


Google actually gives you the ability to revoke access. It's under your Google account settings.


Not if you give your username and password to websites. I feel like you don't understand this distinction all up and down this thread...

Also, man, what is the point of DBANing your install? Is software that is no longer accessible to the OS or likely even any consumer level hardware going to magically log your keystrokes, I mean make you give your usernames and passwords to websites and then be surprised that they use them?


> Not if you give your username and password to websites. I feel like you don't understand this distinction all up and down this thread...

I've never given my username and password directly to websites, except for Etacts. For the other sites, I simply authorized them (through the Google interface) to access certain functionalities. Behind the scenes Google doesn't provide them with my password: https://www.google.com/support/accounts/bin/answer.py?answer...

They also put such sites on a list of that is accessible from your account. You can remove sites from that list at any time.

> Also, man, what is the point of DBANing your install?

Yeah, that's sort of unrelated. I've been planning a clean install for a while.

> you give your usernames and passwords to websites and then be surprised that they use them?

When THEY use them? No. When someone else does, yes.

Anyway, we have beaten this horse to death many times over.


You're giving your password to someone else. You don't magically get some guarantee that they are safe, that they won't be stolen etc. Yes, I know that oAuth perms can be revoked, that is the entire point and that's why it's dumb to give a site your credentials when better alternatives exist.

"I've never given my username and password directly to websites, except for Etacts." This is all about Etacts right? How do you expect someone to be accessing your account? You gave them your user and password. The point is, you hand out your username and password, it just makes you look silly to suggest that your account is being compromised by covert wifi sniffers (you are using encryption right?), etc.

I still don't understand why you need to DBAN to do an OS reinstall unless you are just using the term DBAN loosely.


It's worth pointing out that Etacts no longer uses passwords, but uses Gmail's oAuth. I seem to remember that they were its first user, I think.


Why is it that every time I click on the link, I get a file downloaded? I don't really want to open it.


The page is being gzipped twice.

The command

   gzip -d < download.gz | gzip -d 
shows an html document.
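The double-gzip symptom above, checked programmatically. This is an added example and not code from the thread or from the blog in question: it peels gzip layers off a response body while the payload still starts with the gzip magic number, reports how many layers were removed (a correctly served page gives 1, the misconfiguration gives 2), and bounds both the layer count and the decompressed size so a crafted response cannot turn the checker into a decompression-bomb victim. The sample body is constructed inline.

```python
import gzip
import io

GZIP_MAGIC = b"\x1f\x8b"


def is_gzip(data: bytes) -> bool:
    """True if the bytes start with the gzip magic number (a heuristic: a genuine
    .gz download also starts this way, so only apply this to bodies you expect to be HTML)."""
    return data[:2] == GZIP_MAGIC


def strip_gzip_layers(data: bytes, max_layers: int = 4, max_size: int = 16 * 1024 * 1024):
    """Decompress repeatedly while the payload still looks gzipped.

    Returns (payload, layers_removed). Both the number of layers and the output size
    are bounded so a malicious or broken server cannot exhaust memory on the client.
    """
    layers = 0
    while is_gzip(data):
        if layers >= max_layers:
            raise ValueError(f"more than {max_layers} gzip layers, refusing to continue")
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            out = gz.read(max_size + 1)  # read one byte past the limit to detect overflow
        if len(out) > max_size:
            raise ValueError("decompressed output exceeds size limit")
        data = out
        layers += 1
    return data, layers


def double_gzip(payload: bytes) -> bytes:
    """Constructed sample: a body that two layers (say, a cache plugin and the web
    server) have each compressed, which is what the thread's downloaded file looked like."""
    return gzip.compress(gzip.compress(payload))


if __name__ == "__main__":
    body = double_gzip(b"<html><body>hello</body></html>")
    payload, n = strip_gzip_layers(body)
    print(f"removed {n} gzip layer(s): {payload!r}")
```

Feed it the bytes of the downloaded file (or the raw body from an HTTP client with automatic decompression disabled) and anything other than one layer points at a stacked compression setup.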


My server is having problems.


Your problem is the page is being gzipped twice. (If you haven't already figured that out.)


Thanks. The pages were displaying correctly on my machine. However I think Super Cache compression was partially to blame.



If you're concerned enough about email privacy that you're going to wipe your computers for keyloggers, why in the world would you ever grant a SaaS access? That's just asking for trouble.


I trusted the SaaS applications I signed up with. One of them is used by the jQuery team, another one has just been acquired by Twitter, and the last one is a YC startup. I wasn't exactly tossing my password around. When evidence of a possible intrusion emerged, I revoked access (from those apps) and took steps to prevent a worst case scenario.


You gave your password to several companies and then freaked out when your account got accessed and assumed that someone camping outside your house must have cracked your WiFi connection and decided to wipe your computers while hardwired into your internet connection... I think Occam's razor applies here and the account was accessed by someone you gave the password to, though your paranoia is amusing.

It's pretty simple to keep someone out of your email, don't give anyone the password.


First, I'm not freaking out, nor am I paranoid. I clearly stated that I believe that the most likely explanation is to be found with the reputable applications I granted access to.

Of course if I suspect an intrusion, I'm going to ensure that proper action is taken to cover all of my bases. I was planning a cleanup of my laptop anyway, so I may as well do it now.

Don't read too much into my changing the password on a wired desktop. It was one of the computers at hand, so I went with the most secure option, however unlikely it may be to make a difference (doing so didn't require any extra effort on my part).

> It's pretty simple to keep someone out of your email, don't give anyone the password.

This will be a moot point when Google implements OAuth for IMAP.

PS: At this point, I believe it was a legitimate access by Etacts.


I did a traceroute on the IP address he posted, and on all the websites he suspects. All signs point to etacts.

http://pastebin.com/TSKYCW6B

(also posted [EDIT: unsuccessfully-attempted-to] this on the blog.)


At least the Gmail access overview is a nice feature, far from being universal for all webmail providers. Every provider should have it.


It's a very good tool. Without it, I wouldn't even know about this possible intrusion.


They've also recently added suspicious activity alerts depending on geographic regions, which I thought was a nice touch: http://gmailblog.blogspot.com/2010/03/detecting-suspicious-a...


A very nice touch. About a month ago, I got an alert that my account had been accessed from China... Never would have known I was at risk otherwise.


Interesting, I had a look at the tool after reading this and have activity from the same IP address mentioned in the article.

Update: I also have Etacts with access enabled. I had completely forgotten about them.


I'm afraid this is common. We better find out what the heck is going on with that IP. I've enquired with Slicehost about it, and we'll see if they get back to us.


I have the Slicehost IP in the list of recent activity too. Let's find out.


It's confirmed, it was Etacts. I will post a follow-up as soon as I manage to make the site run smoothly.


This was Etacts. We responded to Antonio's support email this morning within a few minutes of its arrival to let him know the IP address in question belongs to us. We are talking about ways now to prevent this type of confusion from happening in the future.


So after you give your email password to external websites you need to watch the Gmail Account Activity for suspicious access?


Correct. That's a reasonable thing to do. You sign up with a service you trust because it's convenient and useful to you (e.g., Etacts), and then you make sure that your trust isn't abused.

You do the same with your credit card whenever you purchase from a site or in a store. You trust them, but then verify that you are not being screwed over.


Actually the correct thing would be not to give your email password to a 3rd party website, especially if you know you will panic afterwards for every strange IP you'll see in your logs.

The credit card comparison doesn't really make sense as credit cards were especially designed to be used the way we use them.

Email accounts haven't been designed to be used in such a fashion as to allow 3rd party applications to access them. Especially not the kind of email services where you don't have access to the server / firewall. What Google is providing is a nice thing but you only get to see the last 10 entries or so. What happens when you go on vacation? What happens if you use some other email provider?

My point is that the main conclusion of your blog post should not be about how you control this but about how you should avoid doing this in the first place.
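The "trust, then verify" routine the two previous comments argue about, written down as a small checker. This is an added example, not code from the thread or from Gmail: it takes the rows of the activity window (access type, source IP, timestamp) as constructed input, compares each source address against the netblocks of the parties you have knowingly authorized, and also flags an authorized party that connects in a way you did not expect (an app that should only speak IMAP showing up as a browser login). Because the window only shows the last handful of entries, it keeps a `seen` set across snapshots so a review done every few days neither repeats old findings nor silently loses rows that scrolled off. The party names and address ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One row of the activity window: access type, source IP, displayed timestamp."""
    access_type: str   # "Browser", "IMAP", "POP3", "Mobile", ...
    ip: str
    when: str


# Parties you have granted access, the netblocks they come from and how they should
# connect. Names and address ranges here are assumptions for the example.
AUTHORIZED = {
    "contacts-reminder-app": {"networks": ["192.0.2.0/24"], "access_types": {"IMAP"}},
    "home":                  {"networks": ["203.0.113.0/24"], "access_types": {"Browser", "IMAP"}},
}


def who_is(ip: str, authorized=AUTHORIZED):
    """Name of the authorized party a source address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, spec in authorized.items():
        if any(addr in ipaddress.ip_network(net) for net in spec["networks"]):
            return name
    return None


def triage(snapshot, seen: set, authorized=AUTHORIZED):
    """Review one snapshot of the activity window.

    Only the most recent rows are displayed, so run this on every snapshot; `seen`
    accumulates rows already reviewed so nothing is reported twice and nothing is lost
    between snapshots. Returns a list of (row, reason) findings.
    """
    findings = []
    for row in snapshot:
        if row in seen:
            continue
        seen.add(row)
        owner = who_is(row.ip, authorized)
        if owner is None:
            findings.append((row, "unknown source IP"))
        elif row.access_type not in authorized[owner]["access_types"]:
            findings.append((row, f"{owner} used unexpected access type {row.access_type}"))
    return findings


# Constructed snapshots using documentation addresses.
SNAPSHOT_1 = [
    Access("Browser", "203.0.113.7", "2010-06-14 22:10"),
    Access("IMAP", "192.0.2.10", "2010-06-14 21:05"),
    Access("Browser", "198.51.100.23", "2010-06-14 20:40"),  # nobody you authorized
]
SNAPSHOT_2 = [
    Access("Browser", "192.0.2.10", "2010-06-15 08:00"),    # the app, but via the web UI
    Access("Browser", "203.0.113.7", "2010-06-14 22:10"),   # already reviewed
    Access("IMAP", "192.0.2.10", "2010-06-14 21:05"),       # already reviewed
]

if __name__ == "__main__":
    reviewed = set()
    for snap in (SNAPSHOT_1, SNAPSHOT_2):
        for row, reason in triage(snap, reviewed):
            print(f"{row.when}  {row.access_type:8} {row.ip:16} {reason}")
```

An unknown IP is only a lead, not proof of compromise: the thread itself ends with the mystery address turning out to belong to an app the author had authorized and forgotten about, which is exactly the case the `AUTHORIZED` table is there to record.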


For the last week or so, I've had a bunch of "Delivery to the following recipient failed permanently:" emails, for email that was apparently sent from my gmail account - I assumed that someone started using my return address for their spam. At about that time, gmail asked me to sign in with a CAPTCHA - I assumed that google had just added that.

I use an older (faster) version of gmail on my (slower) netbook, which doesn't have the "account activity" link. After reading this article, I switched versions and checked: 6 days ago, there was an alert about an access from China with this IP: 116.30.36.239

The emails in question have stopped for the last couple of days. It seems that google automatically detected and solved the problem, without me even being aware of it. Good google.


Did you check your 'sent' folder, by any chance? If there are copies of the emails there, then most likely they simply accessed your account directly with your password - which is much more concerning (albeit easy to fix by changing all your passwords)


Whoa, thanks, I should have thought of that! They sent one on the day of the access (10 June).

There are 17 other potential ones, but I had moved them to my spam folder, so I can't tell where they came from originally. Looking closer, the first email in each chain seems to come from my account, but they are spread over several days, not just the day of the access.

Unfortunately, they could have potentially accessed any other services whose "forgotten password" emails go to this one, and then deleted the replies. But it looks like an automated spam attack.

When I realized today, I logged out all other users (there didn't seem to be any) and changed my password. Maybe I should check all my linked accounts.

EDIT The header of their email has:

    Received: from PC-201004061503 ([116.30.36.239])
Where that IP is the hacker's IP. Comparing with mail I've sent, the Received line includes my IP and "with HTTP". So it looks like they weren't using the web interface, but some direct one (IMAP? POP3?). If they're a spammer, it would be automated. BTW their emails all had the same content, most of them with the subject " 请在这里编辑主题...", which I'm guessing is "buy viagra" in Chinese.
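The header comparison described in the comment above, done with code. This is an added example and not code posted in the thread: it parses a raw message with the standard library, takes the earliest `Received` header (relays prepend their own, so the one nearest the sender is the last in the list), pulls out the bracketed originating IP and the `with <protocol>` token, and flags a message found in Sent whose origin is not one of your own networks. The `with` token is the protocol the message was handed over with: `HTTP` for the webmail interface, `ESMTP`/`ESMTPSA` and the like for a mail client or script submitting over SMTP. The two sample messages are constructed with documentation addresses in the shape of the header quoted above; `MY_NETWORKS` is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed originating address, as in "from PC-201004061503 ([116.30.36.239])"
# or "from [203.0.113.7]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The "with <protocol>" clause: HTTP for webmail, ESMTP/ESMTPSA etc. for SMTP submission.
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def submission_hop(raw_message: str) -> dict:
    """Originating IP and protocol from the earliest Received header of a message."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return {"ip": None, "proto": None}
    hop = " ".join(received[-1].split())  # unfold continuation lines
    ip = IP_RE.search(hop)
    proto = WITH_RE.search(hop)
    return {"ip": ip.group(1) if ip else None,
            "proto": proto.group(1).upper() if proto else None}


def classify(raw_message: str, trusted_networks) -> dict:
    """Flag a message that did not originate from one of your own networks."""
    hop = submission_hop(raw_message)
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ip_trusted = hop["ip"] is not None and any(
        ipaddress.ip_address(hop["ip"]) in net for net in nets)
    return {
        "hop": hop,
        "ip_trusted": ip_trusted,
        "via_web_ui": hop["proto"] == "HTTP",
        "suspicious": not ip_trusted,
    }


# Constructed samples (documentation addresses, not the thread's real IP).
MY_NETWORKS = ["203.0.113.0/24"]

SENT_FROM_WEB_UI = """\
Received: from [203.0.113.7] by mail.example.net with HTTP; Thu, 10 Jun 2010 09:00:00 +0000
From: me@example.net
Subject: legitimate mail

hello
"""

SENT_BY_UNKNOWN_CLIENT = """\
Received: by mail.example.net (Postfix) id 123ABC; Thu, 10 Jun 2010 03:12:00 +0000
Received: from PC-201004061503 ([198.51.100.23])
        by mail.example.net with ESMTP; Thu, 10 Jun 2010 03:11:58 +0000
From: me@example.net
Subject: spam

hello
"""

if __name__ == "__main__":
    for sample in (SENT_FROM_WEB_UI, SENT_BY_UNKNOWN_CLIENT):
        print(classify(sample, MY_NETWORKS))
```

Run it over the raw source of each message in Sent (and in the spam folder, where the comment above says the bounced copies ended up): an origin outside your own networks that was submitted by a mail client rather than the web UI is the pattern of someone using your password from their own machine.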


No, it says "write subject here".


thanks!


The alert mechanism looks for successful logins, not spam seen in the wild with his account as the sender, so yes, someone has definitely accessed his account...


That's happened to me several times. In my case I'm sure it was spamming (nothing sent, no account access other than my own, for an account with a single word name).


The site is down. Summary, anyone?


It should be back up and running soon. You'd think 1GB of RAM would be enough to handle a few thousand hits to serve a static page.

EDIT: The server is still having issues.


Hello, fellow Apache user! You may wish to look into Nginx. My Japanese toilet seat practically has enough memory on it to serve all my business needs.

One of these days I have to migrate all of my Apache-hosted Wordpress blogs to Nginx.


" You may wish to look into Nginx"

I second this. For years I tried to tame the beast that is Apache. After switching to nginx I could not be happier.


Yeah, nginx is my favorite web server as well. I use it for my startup, and I'm in the process of migrating all my blogs from a 1GB slice with Apache, to a 4GB server in the cloud with nginx. With that I should be ready for virtually any amount of traffic my tech site may get.


Apache default install sucks. Install MPM worker or MPM event and it should fly.


Interestingly it's not a default installation. It's an installation that, in the past, I fine-tuned with great success. That said, it has been less than satisfactory over the past few weeks.


Maybe you are running out of TCP connections.


I verified that there were no messages sent on my behalf.

How can this be verified, given that sent messages can be deleted as well?


Is it just me or does Gmail only show you the past 24 hours of activity?



