Don’t want your info hacked? Don’t put it online.

4 03 2013

The free and paid note-taking application Evernote was recently hacked, forcing the company to reset passwords for many users, mine included, and to require those users to enter the new password on every computer and device before they could continue to use the service. This has caused a small stir, and some have chosen to enumerate its security failings.

I use Evernote every day and I love it. It is a great way to keep notes and documents synced between my computers and to see them on my iPhone. However, I still acknowledge that it is a web-based service: all of my notes live on a server somewhere else, a server that I neither own nor maintain. Since it is on the web, I approach it with a fair amount of caution and apply the same rule that I use for all my other web-based accounts, on Facebook, Twitter, GitHub, Flickr, et cetera: I do not put anything into Evernote that I would not be fine with the whole world seeing. Everything else, I keep on my own drive(s).

The Evernote team certainly has its share of the blame, with its lax attitude toward security and even encouraging users to put their tax documents on Evernote. However, users have their share too. If you are willing to put your tax documents on a non-governmental web site, you are essentially accepting the consequences of sharing very sensitive documents with the whole world.

It may sound harsh, but there it is. If you do not want to see Evernote leak your personal information, do not give Evernote that information. It cannot make its way into someone else’s hands unless you hand it over in the first place.


Google is less evil than China

2 07 2010

Google has begun flagging Google accounts that are being accessed from unusual parts of the world. Typically, you access your Google account from a relatively small geographic area: home, work, and the area around your city are where you are most likely to log in. In response to an attack on Google’s Gmail servers in January, presumably by the Chinese government, the search company has started flagging a user’s account when it is accessed from a part of the world that is abnormal for that user.

This practice is nothing new. If your credit card information has been stolen and big-ticket items are being purchased in rapid succession, the credit card company will put a hold on the card and contact you. This is no different.

This is a generally positive development and should help to discourage at least a few attacks on Google’s mail servers. However, according to the Ars Technica article linked earlier in this post, there is still a way around the check via ActiveSync. Citing a blog post from Gabriel Landau at Independent Security Evaluators, ActiveSync connections bypass the Gmail access log, which is what Gmail uses to know where an account is being accessed from. Anyone with valid credentials for the account can read and send mail through ActiveSync without tripping the new check, and the account owner cannot prevent it, because ActiveSync cannot be disabled the way IMAP or POP can.

Assuming Google patches that gaping hole in its fence soon, I think it is doing a better job of protecting its users from unauthorized access than it was before the Chinese attack. Call me a Google fanboy, but I was happy to see Google take action after the attack and work to make its users safer.