A passionate programmer’s findings in the world of internet.

Email Security Issues

August 6th, 2009


It all started with a notification at the top of my Gmail account, asking me to reconfirm my secondary email account, which is my Yahoo Mail. The notification reminded me of the news about a Twitter employee who got his Gmail account hacked:

About a month ago, a hacker was able to access a Twitter employee's personal email account, according to a blog post by Twitter cofounder Biz Stone. Once there, the hacker struck the mother lode: access to the employee's Google Apps account, which contained Docs, Calendars and other Google Apps that Twitter uses for sharing notes, spreadsheets, ideas, financial details and so on.

If you didn't follow the story, the hack happened through Gmail's password recovery procedure, which sent the password recovery information to the user's secondary email, an expired Hotmail account:

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

In fact, not only Gmail but all email services have a similar recovery process. Most of the time, things like this have to be learned the hard way. All free email accounts expire if you don't log in for some time, approximately 3 months.

Let me continue with my story. I believe Google gave that notification to all users to make sure everyone had a valid secondary email account (after somebody got attacked, of course). I thought it might be a good idea to check my Yahoo Mail to see whether the account had expired or not.

When I logged on to Yahoo Mail, Yahoo said they had found some suspicious activity on my account and forced me to change my password! I changed it.

Then I was brought to my inbox, where I was greeted by the name "Heather", and my profile picture showed a girl, a hot babe! All the information in my profile had been changed!

The first question was: how did this "girl" break into my Yahoo account? Why didn't she change the password? Did she have a bigger motive after hijacking my Yahoo Mail?

Immediately, I changed the secondary email of my Gmail account. Suddenly, the internet felt so insecure. Anything could happen overnight.

My advice (conclusion) to everyone:

  • A backup is probably a good idea. Lifehacker has a good guide on Gmail backup.
  • A strong password is important: alphanumeric plus symbols. The best password is one that is easy to remember but hard to guess. Using the first characters of the words in a sentence to create a password seems to be a good way.
  • Avoid using the same password across different websites!

Can you afford to lose your main email account? How do you prevent that from happening?

Online Advertising: Promoting Competitor?

July 31st, 2009

When it comes to online advertising, you should always consider carefully whether it's appropriate to put up contextual ads (such as Google AdSense). It is fine if you are running a blog or a content-based website, but it may not be so good if you are running a product website, whether the product is free or paid.

It's debatable whether the ads raise funds to support freeware like TortoiseSVN, but the ads confuse users. The first thing the user sees on the Download page is a link to VisualSVN, which I suppose is another company selling a similar product.

Of course, users will click on that link, especially when the actual download links only appear after scrolling down. I assume this generates good money for them, but it leaves the user confused on another product's website.

Is this right? I'm not sure. What I do know is that TortoiseSVN is good software.

Update: I forgot to mention AdSense's Competitive Ad Filter, which is good for filtering out competitors' ads. But if the user is not there for the advertised product, would they be interested in buying a car on a software website? Very unlikely, though possible.

My Website Shows Up Differently in Different Browser!

July 21st, 2009

Do you spend hours trying to correct some CSS or JavaScript so that it shows up exactly the same in all browsers?

Most of the time, I have problems with Internet Explorer 6, which most web designers tend to ignore nowadays. Sometimes the spacing is different. Sometimes the alignment is different. These are minor problems that you can't really recall very well, but they always happen.

You might spend only a few minutes fixing it, but those few minutes can turn into a few hours of research.

Even if I can test my system on Firefox and Internet Explorer, can I really test everything on Opera? Safari? (Yeah, I am the sole programmer and tester of all my systems! My office is still on the way...)

To avoid spending unnecessary time dealing with these minor problems, I locked my systems to run on Mozilla Firefox only. I'm not sure whether it's a good move, but at least I have a small group of users whom I can control and require to install Firefox.

Finally, I found a website that has the ultimate answer: Do websites need to look exactly the same in every browser?

Cool, huh?

Anyhow, I would still spend time making sure my system behaves the same in every browser, if possible. How about you?

Just Downloaded Firefox 3.5.1

July 19th, 2009

Installed Mozilla Firefox version 3.5.1.

As with every Firefox release, I was expecting it to reduce memory consumption, but it didn't happen, or at least it wasn't obvious. With only four tabs open, it's using 125MB of memory.

On the UI, I noticed a "new tab" button on the tab bar. I would normally have to double-click on the tab bar to create a new tab. Now, I can do it with a single click on that button.

In the Options, I noticed a new tab, the Privacy tab. But its content seems to have been taken from other tabs to create this new one.

Nothing interesting. Still, it's worth upgrading. They have put a lot of effort into enhancing the stability and security of the browser.

Get yours: Mozilla Firefox

Belkin SurgeMaster Surge Protector

July 18th, 2009

If you are following my Twitter, you probably know that two of my computers were struck by lightning a few days ago. I had the hardware replaced. But that's not a solution to the problem, although it gets the computers running again. I don't know when I'm going to get hit again.

So, I went to Digital Mall to get an Automatic Voltage Regulator (AVR). I found that most AVRs come with surge protection. At worst, the AVR gets spoiled, and replacing an AVR only costs me RM50.00. Replacing power supplies, modems and motherboards costs much more!

The normal rating for an AVR is 800A. Looking at that, how many amperes is a lightning strike? According to Wikipedia, an average one can reach 30 kiloamperes (kA)!

What is 800A compared to 30kA?! So the salesperson recommended the Belkin SurgeMaster Surge Protector, which claims to protect up to 45kA (or higher, depending on the model). It also comes with insurance for the equipment connected to power through the surge protector.

There are a few models; I got the one that protects up to 45kA with a maximum of RM10,000 insurance. The price is only around RM150. Much cheaper than a motherboard!

Consider getting one for yourself!