Jason Owens

Learn. Teach. Grow.

You are here: Home / Archives for Email

Interview With Abine

by Leave a Comment

This is the second part of a two-part review of Abine’s privacy solution. See the previous post, Abine to Protect Privacy for the first part of the review.

Rob Shavell from Abine and I discussed some questions about Abine’s application, the company itself, and the future.

J: In June this year Abine purchased TACO. How did that come about, what was the process like, and was this something that Abine had always considered pursuing?

R: It’s really not about economics: Abine wants to support privacy-enhancing technologies.  We’ve always been open to working with other privacy add-ons that do the right things for users.  Any add-on or Web service that truly respects users privacy is someone we want to talk to, no matter what.  On the other hand, we don’t want to partner with add-ons owned by advertising companies, or developers looking to collect data, for example.  If any add-on developers who love privacy read this, please get in touch with us – my email is rob at getabine.com
J:  TACO v3 has already received some updates. How does Abine anticipate TACO evolving in the future?

R: TACO is evolving fast and is getting more development time and resources.  TACO users have told us over 300 changes they’d like, and we’re busy at work with these.   We also support the older TACO 2 versions, BEEF TACO, etc.  Of course, we are 100% convinced that TACO 2. alone doesn’t provide an adequate level of online privacy and users should consider combining a few add-ons together or try TACO 3 with Abine to get better privacy online.

J: What are somethings you’ve all learned along the way since starting Abine?

R: Bringing together privacy features into one place is complex.  The users and developers giving us critical feedback are our best teachers.   We also learned that we must commit to native Firefox development even though we have an IE version as well.  Performance is too important – the community let us hear that one pretty loudly.

J: Who is Abine’s target demographic?

R: We want to target the non-technical web user. Anybody who uses the web for anything at all or that has a bundle of important accounts they want to protect and keep private.

J: How do you plan to instill trust in your users?

R: We aren’t asking users to trust us. We’re asking them to trust themselves. By this we mean something very important. We have no access to our users data. This is super important. First, our users “own their data” – of course. But we also do NOT store or see our users private data. This is a key reason why many of our users today store all their passwords in our Privacy Suite and do all their browsing using Abine: they don’t have to make any complicated decisions about who they can trust: it’s simply, factually, technically, more private.

Other key points on trust:

  1. We are very clear about how we are going to make money: by selling services that protect and enhance your privacy, not by selling user data.
  2. You keep your data on your computer, we don’t use the add-on to collect data.
  3. We made the source available for review by Mozilla and others.

J: With regards to instilling trust, I’d agree that you’re not directly asking users to trust Abine. Given the stated target demographic (non-technical users) their basis for trusting the application may be different from say, a security researcher or coder that might review code and sniff traffic. As a result, they may make an evaluation of trustworthiness based on your website, usability, or how Abine communicates with them. There’s the notion that trust is a function of competence plus likability. An example I see of this is people trusting Google based on their performance, actions, and statements rather than their code, or people trusting Mint.com based on good design and the fact that it does what they want it to. For less savvy users, what do you see as challenges in establishing and maintaining a good reputation in order to grow the business?

R: Great points.  Regular users of course can’t do technical reviews of applications.  They’ll need to trust the technical reviews and press.  This is why we make our code available to reviewers who ask for it even though we haven’t open-sourced it yet.   It’s really important for people – no matter how technical they are – to have a basis to trust a company with their personal information.  A somewhat more unfortunate way users learn about how Abine does what it says is when they lose their Abine Master Password: since we really don’t know it, they have to re-install!

J: You history mentions working on previous startups and security projects. What were some of those efforts?

R: Andrew was at @stake as well as the create of linux-based public access terminals in the Boston are in the mid-to-late 90s. Eugene was the founder of Datapower and the Linux Hardware Database. Rob helped companies comply with data privacy laws and worked on products for consumer identity protection at Identity Force.

J: The Abine  website mentions companies “helping people” that were basically slick marketing outfits out to get cash. What are some examples, and what should people look out for?

R: We think consumers should beware of many “identity protection and monitoring services”, “million dollar guarantees” and “free 10 day trials”.  As always, when the marketers come visiting, these kinds of terms pop up. In reality, while these subscription services can help you track down problems once and a while after they happen, they do not address the root causes of privacy. If you’re using these kinds of things, come try Abine. It’s free, and free forever (not just for 10 days).

J: What is the relationship between opyaq.com and Abine?

R: Opayq.com is simply the first of several domains we offer for our users to have safe disposable email addresses (similar to say, www.Mailinator.com.)

J: After purchasing TACO, Abine received some mixed feedback from users regarding the upgrade to version 3.

R: Check out the page and the copy on it, it’s as clear as our team could possibly make it:

J: Why is Abine better than other established solutions used for privacy such as LastPass, Tor, RoboForm, or Google Voice?

R: Now Jason, we love your insightful reviews, but we have to take issue with this question! LastPass stores your passwords online (see your trust question) and Google Voice is the opposite of a privacy product, right? Tor does one thing (and well) and is probably a future partner of ours. The time has come for a company to integrate privacy features and make them available to everyday users, with fantastic customer support.

J: Where does the name Abine come from?

R: For privacy… A Bit Is Not Enough

J: What is your revenue model?

R: We are going to make our money selling additional products and services that directly protect and enhance users privacy, for example fast proxy servers, disposable phone numbers, etc. Whatever value-added services people want around privacy will offer as a business. If it costs us money to provide than we will charge, if it doesn’t than we can offer for free.

J: Are there any plans for a version of Abine for Safari, Chrome, or mobile devices?

R: Yes.  We’ll be making announcements here in the next few months, for sure.  We have a looong waiting list of users that want this on their browser and platform of choice.

J: Does the eventual shift to HTML5 have any impact on Abine or its functionality?

R: We see HTML5 as having only a minor impact on our vision and technology roadmap at this point, though some of the demos out there are pretty impressive.

J: What do you see as upcoming challenges for Abine?

R: Because of recent press and users concerns, we expect a lot of competition.  We just want to stay close to the community that cares about their online privacy and to take our direction from them instead of worrying about others.

J: What do you see as some upcoming milestones for Abine in the next 6-12 months?

R: Abine’s got to earn the respect of the privacy and technical community by building a great set of solutions.  We’re totally focused on product: performance, simplification, better smoother features, in short, online privacy that works.

Follow Jason on Twitter @jason_owens

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
* Who is your target demographic?
We want to target the non-technical web user. Anybody who uses the web for anything at all or that has a bundle of important accounts they want to protect and keep private.
* How do you plan to instill trust in your users? We aren’t asking users to trust us. We’re asking them to trust themselves. By this we mean something very important:
We have no access to our users data. This is super important. First, our users “own their data” – of course. But we also do NOT store or see our users private data. This is a key reason why many of our users today store all their passwords in our Privacy Suite and do all their browsing using Abine: they don’t have to make any complicated decisions about who they can trust: it’s simply, factually, technically, more private.
Other key points on trust: 1. We are very clear about how we are going to make money: by selling services that protect and enhance your privacy, not by selling user data. 2. You keep your data on your computer, we don’t use the add-on to collect data. 3. We made the source available for review by Mozilla and others.
* You history mentions working on previous startups and security projects. What were some of those efforts? Andrew was at @stake as well as the create of linux-based public access terminals in the Boston are in the mid-to-late 90s. Eugene was the founder of Datapower and the Linux Hardware Database. Rob helped companies comply with data privacy laws and worked on products for consumer identity protection at Identity Force.
* You site mentions companies “helping people” that were basically slick marketing outfits out to get cash. What are some examples, and what should people look out for? We think consumers should beware of many “identity protection and monitoring services”, “million dollar guarantees” and “free 10 day trials”. As always, when the marketers come visiting, these kinds of terms pop up. In reality, while these subscription services can help you track down problems once and a while after they happen, they do not address the root causes of privacy. If you’re using these kinds of things, come try Abine. It’s free, and free forever (not just for 10 days).
What is the relationship between opyaq and Abine?
opayq.com
simply the first of several domains we offer for our users to have safe disposable email addresses (similar to say, www.Mailinator.com
)
* Why is Abine better than other established solutions used for privacy such as LastPass, Tor, RoboForm, or Google Voice? Now Jason, we love your insightful reviews, but we have to take issue with this question! LastPass stores your passwords online (see your trust question) and Google Voice is the opposite of a privacy product, right? Tor does one thing (and well) and is probably a future partner of ours. The time has come for a company to integrate privacy features and make them available to everyday users, with fantastic customer support.
* Where does the name Abine come from?
For privacy…
A Bit Is Not Enough
* What is your revenue model?
We are going to make our money selling additional products and services that directly protect and enhance users privacy, for example fast proxy servers, disposable phone numbers, etc. Whatever value-added services people want around privacy will offer as a business. If it costs us money to provide than we will charge, if it doesn’t than we can offer for free.

Related Posts:

Top of Page

Abine To Protect Online Privacy

by 1 Comment

This is part 1 of a 2 part article on Abine. Part 2 will cover a Q & A session with the team at Abine.

Rob Shavell form Abine contacted me after reading a Mint.com article I wrote, and wondered if I would be interested in reviewing their new solution that’s currently in beta testing, along with their website and anything else that might be relevant. According to their website, Abine was founded in 2008 and “provides Internet privacy solutions for consumers. Abine’s products and services allow regular people to regain control over their personal information while continuing to browse, interact and shop online.”

General Observations About Abine

My only knowledge of Abine other than a few email exchanges was their website initially. If we assume that trust is in large part a function of competence and likability, then it’s important for Abine to make a crisp, professional impression in order to garner user’s trust. I initially found broken links, confusing navigation, typos, spelling and grammatical errors, and missing information. However, the website has since gone through many updates and improvements, with most of the issues I saw corrected. If you haven’t visited the site in the last month or so, take a look.

Documentation refers to the software somewhat inconsistently. In some places it is referred to as a browser plug-in. In other places, a suite, and yet others a collection of privacy apps and spam protection. Before installing,I wasn’t quite sure what I was going to get.

What Can Abine Do For You?

Abine installed as a Firefox plug-in. So far I’ve tried it on both Mac and Windows. With the latest release there is now an IE version available as well. Essentially it allows you to do the following

  • Turn on and off various privacy settings
  • Manage and generate passwords
  • Manage credit cards
  • Manage and shield personal information tied to the various privacy applications
  • Create and manage “shield” email accounts and alternate identities
  • Integrate additional purchased features and third-party apps
  • Submit the managed information to websites automatically
  • See what cookies sites are setting and block them
  • See a gauge of how “safe” Abine thinks the website is from a privacy perspective
  • Opt out of ad networks
  • Sign up for Hushmail serivces
  • Sign up for web proxy services

Im my opinion, Abine’s possibly unsung strength is its ability to help support and enforce best practices with regard to security, browsing, and privacy. It puts several useful solutions in one place and helps you to use them. See below for more comments on this.

It’s not entirely clear how Abine determines how “safe” a site is from a privacy perspective. When tested on various sites, it reported the following risk levels:

I didn’t turn up any high risk sites, but I didn’t really want to look to hard for those either. Ironically, when I first pointed Abine at its own website during testing, Abine did not report the website as safe. I’ve noticed with the latest update however that it is now registering at the lowest risk level.

As a good example, when testing the privacy info feature I went to TMZ. This was the first time I’d ever been to the site. According to Abine, TMZ’s home page tried to put 150 cookies and 16 ad networks on my system.

The Abine website provides some educational information regarding how you can be tracked online. The recommendations are sound, however none of them currently are accomplished using the application directly:

  • Block third-party cookies
  • Prevent unwanted JavaScript from loading
  • Don’t keep browser history
  • Know that your IP address can be tracked and correlated with other logging to determine where you go on the internet.

There were some other features of the Abine interface I found helpful. The privacy popup window that displays when you first visit a site shows usueful information, including a like to any recent data breaches associated with the site.

Up For Debate

The site makes some statements that I think need clarification or refinement.

“Safer and easier because you own everything.” I don’t understand that statement. I own my information now, and don’t see how then application would change that. It does seem to make it easier to manage information having it in one place, but I don’t see how I am safer when using Abine itself. Also, it’s not an objective statement to equate privacy with safety. In some situations this could be true, but not always.

Abine implies it can help prevent identity theft. It also draws a correlation between increased privacy and less spam. Remember, you’re still providing information but in a controlled manner. The info is still released once you submit it, and whether it’s your real account or a shielded one, you can still end up receiving spam on that email address. If you submit your email to a site that would eventually end up in some type of spam, whether or not you submit that info from Abine isn’t relevant. In my opinion what is beneficial is how you use the tool, not just the tool itself. If you’re using the same passwords everywhere, and especially if they’re weak, keeping them in a safe place doesn’t help.

Problems and Weakness

Unprotected by Default

The data file where information is stored is encrypted with 256 bit AES. In order to protect your information though you need to remember to enable a master password in the security preferences. If you don’t do this, password, credit card data etc. you enter into Abine will not be protected on the desktop. Once a someone opens your browser, they would have access to your information and your profiles.

Good Potential but Chaotic Complicated Interface

Mentioned above, one of the benefits of Abine is that it provides a lot of tools to help manage your privacy. The interface in my opinion however has some major flaws with usability and branding

  • Inconsistent and overly complicated interface
  • Seeming unnecessary mechanics to turn on and enable/disable features
  • Visual presentation, GUI, and branding inconsistent with Abine’s website
  • Hard to determine who the target audience is

The two major challenges I see for Abine right now are a) determining their target audience and designing for them, and b) refining the interface to reinforce the ability to simply, safely, and quickly protect your privacy online.

Profile Not Easily Portable

One of the things that makes apps like Evernote, Xmarks, and DropBox so useful for me is their ubiquity and their ability to sync across browsers, platforms, and devices. Xmarks for example allows me to maintain one set of bookmark information and sync it securely across Firefox, Chrome, and IE and on multiple OSs. If a user had the ability to do that with Abine, and potentially use it via a browser when using a potentially unsafe computer, it would be that much better. Maybe this would make a great upgrade or paid feature of the application.

Recommendations

Download the latest beta version of Abine and give it a try. Even if you don’t want to enter credit card information and passwords, the cookie, ad blocking, and form entry functions are helpful. And give Abine feedback. They seem genuinely interested in what people have to say and making their product as good as possible.

For Abine, IMHO here are some ideas that could help optimize the solution for users

  • Lead with benefits to users rather than the tool and what it does, and educate users
  • Define your audience and design your tool and content for them
  • Simplify

Simplify would be the biggest recommendation overall. If the target demographic ends up being the average user, then Abine needs to be a simple tool that “just works.” Make it powerful enough so that advanced users can do as much as they want while at the same time making the interface intuitive enough that it doesn’t deter users from taking advantage of the protection that Abine can help maintain.

Follow Jason on Twitter @jason_owens

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 3.75 out of 5)
Loading...

Related Posts:

Top of Page

Protecting Your Email

by Leave a Comment

You might occasionally think about email security. You might try use use strong passwords and be careful with attachments. There may be a lot more however that you haven’t thought about when it comes to email security and protecting your messages.

Why worry about protecting your email if you’re not sending sensitive information? You might be more at risk depending on the nature of work you do or the type of information you send about. Even if you’re in the habit of not sending sensitive inforation, you might receive it. You might not realize the importance of information you have. And it’s not always about the content of your messages. Your email traffic may be more valuable than content , and this might lead to other, bigger exposures. Examples of this are the recent Twitter.com hacks/compromises, in one instance where an attacker was able to gain significant leverage over Twitter by starting with a single email account. Read more about Hacker Croll and the Twitter attack on Techcrunch.

Ok, so maybe you’re not a billion dollar enterprise, but you do probably bank online. And check your credit cards. And maybe shop at Amazon.com or iTunes. And it’s not hard to steal your information via WiFi when you’re sipping you half-half mocha-frappa-double extra wipped chocopresso at ThatCoffePlace. I bet you’re using the same password for your email account that you use for your iTunes account…

What to Protect

There’s more than just the content of your messages to consider. Think of it as layers. At each layer there is something to protect:

  • Your authentication (username and password)
  • The email traffic
  • The mailstore (local copy of mail, cache, etc.)
  • The content
  • You

For simplicity’s sake, let’s assume the following covers Mac and PC systems using tools like Outlook, Entourage, Exchange, Firefox, and Gmail.

Your Email Authentication

Let’s say that you’re a business user on a Mac or PC trying to get mail from your company’s Exchange server. To start with, have a good password. If your company has a public web interface available via something like Outlook Web Access (OWA) and it isn’t configured to lock out after so many failed attempts, an attacker can brute force that all they want until they’re blacklisted. And don’t let your Outlook client remember the password for you. If your laptop was running when it was stolen, and the thief has access to the desktop, opening the mail client  gives direct access to email and whatever else Outlook has access to. Under the security settings in Outlook select “Always prompt for logon credentials.” For Entourage users on the Mac, you may want to have Entourage place your password in your MacOS Keychain (provided you have a strong keychain password.) For a POP or IMAP client, again, use strong passwords and see the traffic comments below.

Your Email Traffic

Exchange users, while you’re in the security settings, check “Encrypt data between Outlook and Exchange…” as well. If you’re concerned about the security of your email traffic between your email client and your Exchange server, check with your Mail Administrator for more information. What about POP, SMTP, and IMAP email? Normal POP, SMTP , and IMAP sessions are insecure by default, meaning if you open your email client and check for mail from your ISP, if you are using the standard mail network setup, your username and password is being sent in clear text, along with email. This might not be as big a concern at home, but if you’re on a laptop using public wifi somewhere, it’s very easy for someone to grab your email username and password.

It’s possible to use secure connection settings with your email client, however your ISP must provide the ability, and your email client must be capable. In Thunderbird for example, when setting up a POP account, POP traffic would normally talk on port 110. Changing the connection security to TLS/SSL will force the POP traffic over SSL, and probably change to port 995. The same is true for an IMAP connection. Changing its connection security to TLS/SSL will accomplish the same and will use port 993 rather than port 143. Don’t forget to check the settings for your outgoing mail server (SMTP) as well. Default SMTP traffic talks unprotected on port 25. Changing the connection security for SMTP will encrypt email traffic when you are sending mail, and will talk on a secure port other than port 25.

If you’re not able to do the above, an alternative is to use SSH port forwards to tunnel your mail traffic if your ISP allows SSH traffic to their mail server. This will send your email traffic through an encrypted tunnel protecting it from prying eyes.

The Mailstore

The mailstore is the local copy of your mail. If you’re using cached mode in Outlook there is a local copy of your mail in an .OST file (Windows.) If your have personal or local mail in Outlook, that’s kept in a .PST file. (Windows.) PST files can essentially be opened by anyone. They can be password-protected however prior to 2003, the passwords could be stripped simply by downloading a utility from Microsoft. The utility’s purpose was to do exactly that, strip passwords off of .pst files when people forgot or lost passwords.  Even with improved and more current protection on these files, once an attacker gets a copy of those files, there is nothing preventing them from performing brute-force attempts on their copy until they get in and get all your downloaded email.

Similar to the .pst and .ost files under Windows, the Mac Entourage 2008 client stores email in a file at “/Users/Your_ID/Documents/Microsoft User Data/Office 2008 Identities/Your_Profile” and the Mail app stores it’s mail in “/Users/Your_ID/Library/Mail/.” Other email clients such as Thunderbird will put their mail and profiles in the directories you specify during the setup.

So how do you protect the mailstore? You can place your .ost and .pst files in an encrypted drive. Using a free utility like TrueCrypt you can create an encrypted drive or volume, put the files in that location, and then configure Outlook to use the files in that location. For example, you could create a TrueCrypt volume called “EncryptedMailstore”, and with Outlook shut off, move the files to your new drive, modify the email settings via the control panel, and have Outlook look there for the offline folder and personal files. Additionally you can password-protect your .pst files (limited but with newer versions of Outlook better doing it than not.) The drawback to this is that you need to mount the drive before you launch Outlook, as well as give it the same drive letter each time.

You can do exactly the same thing with Thunderbird mail. Entourage and Mail however pose a problem. Both applications seem to be fixed with the locations in which they store their data. I have yet to find any way to direct or modify where they store their mail. If you move the files that Entourage creates to another location, it just creates new blank ones the next time Entourage is started. And as far was I can tell, there ‘s nothing preventing Entourage files from being opened on another system. True you could use the Mac OS to encrypt the drive or user directory, but I don’t think that would protect the files once the Mac was running and/or files were unencrypted and in use.

I thought you could be sneaky by using a combination of symbolic links and encrypted volumes. I tested by creating a TrueCrypt volume, moved my Entourage files to the new volume, and then via the Terminal created a symbolic link with the same exact name in the correct place and pointed it at the files on the encrypted volume.  It worked. And then it didn’t. For some reason, when I initially started Entourage up, if worked and used my protected files. Once I restarted Entourage however, it seemed to realize what I was doing and started making blank default files in the old location again.Try Angie's List Today!

The Email Content

It it possible (and free) to encrypt the content of the email message itself. Frankly though, unless you are dealing with some type of extreme that would require only the recipient to ever be able to read the message, most of us would probably not have a need to encrypt email messages. To be sure, emailing sensitive information such as passwords, financial information, or valuable intellectual property would benefit from encryption. Depending on where in the world you live, if you are politically active what you say in email could result in real danger if the wrong people read your messages.

There are many solutions for email encryption. There are some simple solutions for small businesses and individuals that are  adequate. Examples include Unified Threat Manager (UTM) solutions such as the Astaro Gateway and their Virtual Machine option (free to home users) or GNU Privacy Guard (GPG) which is a free replacement to PGP. GPG runs under Mac, Windows, and Linux, and can be used with Outlook, Firefox, and other email clients. Users install GPG on their computer, generate a public and private key for their given email account, and users then distribute and share their public keys so that others can use the key to send them an encrypted message that only they can decrypt. You can start learning more about Public Key Infrastructure (PKI) at Wikipedia. Differences between GPG and other commercial solutions include no third-party verification and no central authoritative repository for keys, however the quality of encryption is just as good as any other.

Protect Your Identify

How does the recipient know that it’s really you that sent them an email? We assume that when we get a message from someone, especially someone we know, that it was really them that sent the message. Malware or a virus could be capable of collecting data from a user’s address book and sending messages to the addresses it finds. In some circumstances it might again be critical to verify the authenticity of the sender. Products such as Digital IDs from Verisign provide a means to digitally sign a message, providing verification that the message was sent from your account, with your permission, and has not been altered since being sent (provided of course the sender is being responsible about protecting their digital ID and authentication, and is using strong credentials.) And GPG keys can also be used to sign as well as encrypt.

What about Gmail?

If you’re using an email client to get your email from Gmail via POP or IMAP, that traffic is subject to the same concerns any other mail connection would be. If you use the browser to get your mail, traffic is secured the same way any other secure website would be via SSL (https in the URL.) However Gmail did not always default to https. Some web-based email doesn’t offer any encrypted connections. It was possible to force Gmail to use SSL by changing the address manually from http to https. According to a post by Google dated January 12th 2010, Gmail is now defaulting to https. This was posted shortly after notification of their being attacked, and some speculate this change was made to protect Gmail users from having their mail intercepted and read.

Before authenticating to web-based email, make sure that the page is secure (https) otherwise the username and password you enter will be in clear text over the network. If there’s no SSL once you’ve logged in, mail that you send and read could be captured as well if your network traffic is capable of being intercepted.

Related Posts:

Top of Page

Categories

RSS US-CERT Alerts (5 Recent)

1 FREE Audiobook Credit RISK-FREE from Audible.com