G-Archiver discloses username/password
March 9, 2008 2:29 PM

G-Archiver is a Windows shareware app that backs up your Gmail account to your local hard drive. It also does something far more sinister: it emails your username and password to the creator of the program. (via)
posted by krautland (57 comments total) 6 users marked this as a favorite
 
Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself.

I would like to say the following:

LOL.
posted by middleclasstool at 2:33 PM on March 9, 2008


contacted google to erase this account
I think he should have just changed the password. that way the author couldn't have logged in himself anymore.

alas, I just posted it in case anyone had used this app.
posted by krautland at 2:37 PM on March 9, 2008


As an ACM member I will:

1. Contribute to society and human well-being.
2. Avoid harm to others.
3. Be honest and trustworthy.
4. Be fair and take action not to discriminate.
5. Honor property rights including copyrights and patent.
6. Give proper credit for intellectual property.
7. Respect the privacy of others.
8. Honor confidentiality.


9. Ignore items 1 through 8.
posted by three blind mice at 2:38 PM on March 9, 2008 [1 favorite]


krautland: He did change the password and security question. He just decided to kill the account for good as well.
posted by middleclasstool at 2:40 PM on March 9, 2008 [1 favorite]


That's pretty scummy, but unsurprising. If you think this is unusual, you're naive. The only unsurprising thing about the story is that the user had placed his own email address and password in the program. That's just stupid.

If you give your email password to an unknown program, you're an idiot.
posted by seanyboy at 2:42 PM on March 9, 2008 [2 favorites]


Have you noticed a lot of sites now ask for your username/password to other sites in order to use some features? For example, I wanted to sign up for an online stock trading site. I tried scottrade, and they actually asked for the password for my online bank account to authorize it! I tried E*Trade, and they asked for the same thing, but they had a notice that they didn't save the data. I decided to enter the information on E*trade since I would be giving them access to my money anyway, but scottrade didn't even display the notice prominently.

Scottrade did have another option for authorizing your account though, the old 'two deposits' method. Also, I thought scottrade's interface sucked and I probably won't be using it anyway.

Also, facebook has options to import your MSN or GMail contracts... by having you enter the passwords for those systems right into facebook. People obviously still don't take their privacy very seriously.
posted by delmoi at 2:43 PM on March 9, 2008


very lame indeed.
posted by auralcoral at 2:54 PM on March 9, 2008


There are standard technological solutions to the problem of "I want to give this application access to certain parts of my account without giving away my password." They are OpenID and OAuth.
posted by breath at 3:01 PM on March 9, 2008 [3 favorites]
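As an added illustration (not code from the thread, and not the OpenID or OAuth wire protocol itself), here is a toy account provider that gives a third-party tool a scoped, expiring, revocable token instead of the account password, which is the property breath is pointing at. The class name, scope strings, user names and timestamps are constructed; it relies only on Python's hmac, json and secrets modules.

```python
import hashlib
import hmac
import json
import secrets
import time


class Provider:
    """Constructed stand-in for the account provider (e.g. the mail service).

    It hands a third-party tool a token bound to a user, a set of scopes and an
    expiry, signed with a key only the provider holds. The tool never sees the
    password, cannot widen its own scopes, and the user can cut it off by
    revoking the token instead of changing the password. This models the
    property OpenID/OAuth give, not their actual protocol messages.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)  # provider-side HMAC key
        self._revoked = set()                # token ids the user has cancelled

    @staticmethod
    def _encode(body):
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def issue(self, user, scopes, ttl=3600, now=None):
        """Mint a token for `user` limited to `scopes`, valid for `ttl` seconds."""
        now = int(time.time()) if now is None else now
        body = {"sub": user, "scope": sorted(scopes), "exp": now + ttl,
                "jti": secrets.token_hex(8)}
        payload = self._encode(body)
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag

    def _parse(self, token):
        """Verify the signature and return the token body; raise on any tampering."""
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("signature mismatch")
        return json.loads(payload)

    def revoke(self, token):
        """The user cancels one tool's access; the password is untouched."""
        self._revoked.add(self._parse(token)["jti"])

    def authorize(self, token, scope, now=None):
        """True only for an intact, unexpired, unrevoked token carrying `scope`."""
        now = int(time.time()) if now is None else now
        try:
            body = self._parse(token)
        except (ValueError, PermissionError):
            return False
        if body["jti"] in self._revoked or now >= body["exp"]:
            return False
        return scope in body["scope"]


def archiver_scenario(now=1_000_000):
    """Walk through the G-Archiver situation with a token instead of a password.

    Returns a dict of outcomes so the behaviour can be checked, not just printed.
    """
    provider = Provider()
    # Constructed: a backup tool is granted read-only access to mail for one hour.
    token = provider.issue("alice", {"mail:read"}, ttl=3600, now=now)
    out = {
        "read_allowed": provider.authorize(token, "mail:read", now=now),
        "send_denied": not provider.authorize(token, "mail:send", now=now),
        "expired_denied": not provider.authorize(token, "mail:read", now=now + 3600),
    }
    # The tool tries to forge itself a wider scope while keeping the original tag.
    payload_hex, tag = token.split(".", 1)
    body = json.loads(bytes.fromhex(payload_hex))
    body["scope"] = ["mail:read", "mail:send"]
    forged = Provider._encode(body).hex() + "." + tag
    out["forgery_denied"] = not provider.authorize(forged, "mail:send", now=now)
    # The user learns the tool is dishonest and revokes it; no password change needed.
    provider.revoke(token)
    out["revoked_denied"] = not provider.authorize(token, "mail:read", now=now)
    return out


if __name__ == "__main__":
    for check, ok in archiver_scenario().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

This addresses the third-party website case delmoi describes above; as robla notes further down, it does nothing against a locally installed executable that can read keystrokes.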


"The moral is obvious. You can't trust code that you did not totally create yourself." From Reflections on Trusting Trust by Ken Thompson, a Turing Award lecture about a back door he created.
posted by grouse at 3:15 PM on March 9, 2008 [4 favorites]


delmoi typed "Have you noticed a lot of sites now ask for your username/password to other sites in order to use some features? For example, I wanted to sign up for an online stock trading site. I tried scottrade, and they actually asked for the password for my online bank account to authorize it! I tried E*Trade, and they asked for the same thing, but they had a notice that they didn't save the data. I decided to enter the information on E*trade since I would be giving them access to my money anyway, but scottrade didn't even display the notice prominently. "

If I understand correctly, this is what OpenID is intended to prevent. But of course, no one will really start using OpenID until/unless the big sites start requiring it.
posted by roll truck roll at 3:15 PM on March 9, 2008


Around 1990, before there was a web, I had an opportunity involving some used PBX equipment. I was going to start an e-mail-by-phone business. At the time, I was a member of a well-known Usenix node, and asked for some technical advice. I was quickly persuaded that not only would it be illegal to use the public backbone for profitable purposes, but nobody in their right mind would ever give me their e-mail password.

It seems that at least annually I have some ridiculous opportunity to relive that thread.

(At least none of those solons ever got rich off the net, either ...)
posted by dhartung at 3:26 PM on March 9, 2008


There are standard technological solutions to the problem of "I want to give this application access to certain parts of my account without giving away my password." They are OpenID and OAuth.

Once one allows an executable access to their machine, game over. That's that. The program can report to use OpenID or OAuth or whatever, but the fact of the matter is that once it's installed, it has access to every single keystroke the user types from that point forward. It's possible on most operating systems to install the software as a sandbox user and possibly contain the damage, but virtually no one who installs Windows shareware is that careful, and most desktop software isn't designed to work correctly when that is done.
posted by robla at 3:30 PM on March 9, 2008


I decided to go ahead and blast every email to the deleted folder and then empty it.

But, ironically, assuming that the creator of the program uses it himself, all this information had already been backed up to his hard drive.
posted by sour cream at 3:36 PM on March 9, 2008 [11 favorites]


When you add a new bank account to PayPal they try to get you to confirm it by giving them your banking username & password.

And that was the day I closed my PayPal account.
posted by aerotive at 3:42 PM on March 9, 2008


I find it very telling that FriendFeed launched complete with a feature to download your friends from your Gmail account. All you have to do is give FriendFeed your Gmail username and password. "Trust us, we won't do anything evil with it!". The irony is FriendFeed was founded and developed by some of the original Gmail software engineers, the very same guys who understand all the risks and dangers associated with giving out your Gmail password to a third party.

Yeah, third party authentication like OpenID, OAuth, or AuthSub are great ideas in theory. In practice? Not so much, not yet at least.

If you give your email password to an unknown program, you're an idiot.

Could you please let me know what constitutes an "unknown program" and how to distinguish it from a "known program"?
posted by Nelson at 3:55 PM on March 9, 2008 [1 favorite]


I use programs that require me to enter my username and password for a service - often this is unavoidable, but thinking about it I'm glad that as far as I remember they're all open source projects (like Pidgin messenger), so presumably including backdoors like this is very unlikely. Three cheers for decompilers! As people point out in the comments thread from the original story, though, a lot of people rely on third-party sites that ask for usernames and passwords. Facebook "friend finders" that offer a service of logging into your Gmail or Hotmail account to see if any of your friends are on Facebook. The first time I saw one of these, I thought "what the hell? Who's going to fall for that?". Alas, apparently millions of people have. Then there's the web-email gateways, where you enter the username, password, and POP server of your email to view any account via a web interface. Tragic.

Any non-open source shareware or freeware you install could have a keylogger built in. This might be hard to detect - there are keyloggers out there that appear invisible in the Windows task manager, that don't send up firewall alerts, that watch what you're typing and only wake up and send something when they see the word "password" on the screen, or see you've typed a 16-digit number. I'm almost inclined to think that non-open source software should have to face some kind of public security audit before it's allowed online, but I can't see any way that's ever going to work.
posted by Jimbob at 3:55 PM on March 9, 2008


Oh yeah, and the G-Archiver author? He belongs in jail.
posted by Nelson at 3:56 PM on March 9, 2008


Could you please let me know what constitutes an "unknown program" and how to distinguish it from a "known program"?

One definition could be a program where the source code is publicly available, and where an MD5 sum is available to confirm the program you're downloading hasn't been messed with. The second part is a bit technical for the casual user, but finding backdoors in open source software is a rare thing, and they're usually identified quickly.
posted by Jimbob at 3:58 PM on March 9, 2008


Also, facebook has options to import your MSN or GMail contracts... by having you enter the passwords for those systems right into facebook. People obviously still don't take their privacy very seriously.

This, and the fact that I don't have any friends, is the sole reason I don't do social networking.
posted by mattoxic at 4:02 PM on March 9, 2008 [1 favorite]


One definition could be a program where the source code is publicly available

You might want to read the Ken Thompson piece linked above. It's harder than you might think to know whether the source you see corresponds to the binary that is being executed, even if you built it yourself. At some point, you've essentially got to have blind faith in somebody.
posted by enn at 4:04 PM on March 9, 2008


One definition could be a program where the source code is publicly available, and where an MD5 sum is available to confirm the program you're downloading hasn't been messed with.

That's wildly impractical. I should only run software whose source is published? And of course it's not enough that I can read the source; to be safe I have to build it myself, too. And I have to build it with trusted, audited tools. The MD5 checksum prevents me from having to read all the source myself, I guess, but I still have to trust someone to vet the source code for me and publish the MD5s of the code I compile and run with my trusted toolchain. Or maybe we could have some giant organization that publishes signed, trustable binaries. I wonder how much of the $20 of a software sale they'd take?

Sometimes social measures work better than technical ones. The suggestion of an ACM code of ethics is a bit laughable, the ACM being such a weak organization. But I meant what I said above; people who write software like G-Archiver belong in jail. This guy's not even hard to bust, he's not trying to hide who he is. I'm much more concerned day-to-day by the malware that installs itself via backdoors without any user consent at all.
posted by Nelson at 4:05 PM on March 9, 2008


Also, facebook has options to import your MSN or GMail contracts... by having you enter the passwords for those systems right into facebook.

Too bad for Facebook that Google finally closed the security hole that allowed any website at all to read your contact information without the need for any pesky passwords.
posted by enn at 4:07 PM on March 9, 2008


Could you please let me know what constitutes an "unknown program" and how to distinguish it from a "known program"?
If you've heard of it & you trust it, then use it. If you haven't heard of it, ask around. If you have no-one to ask, stick with Microsoft products. That may annoy people, and I agree it's sad, but there's really no way for normal people to differentiate between Thunderbird and "Super HotBar Email Program".

I tend to over-trust open source software and that may come back to bite me on the ass. As with all things, the less you know, the more at risk you are, but even if you know what you're doing there's a risk.

It's a tricky problem for sure, but a bit of common sense can go a long way.
posted by seanyboy at 4:10 PM on March 9, 2008


Sometimes social measures work better than technical ones.

Well, to an extent, open source software is a social solution, in that you can rely on a group of people to be checking through the code for you. Although, to be sure, you do point out some other weaknesses in the chain.

But there's really no way for normal people to differentiate between Thunderbird and "Super HotBar Email Program"

I used to tell non-computer-savvy relatives not to download "free" software that they see advertised somewhere. If this program is really 'free', then how are the authors making money from it to pay thousands of dollars to advertise it? They're making money from it somehow, and it's probably by selling your personal information or taking over your computer. Of course, that doesn't work so well anymore, given that trustworthy "free" programs like Firefox and Picasa are advertised on the net.
posted by Jimbob at 4:18 PM on March 9, 2008


But there's really no way for normal people to differentiate between Thunderbird and "Super HotBar Email Program"
And on the other thread ppl be going nuts about Apple requiring iPhone apps be verified and signed.
posted by bonaldi at 4:42 PM on March 9, 2008


And on the other thread ppl be going nuts about Apple requiring iPhone apps be verified and signed.

Yes, I'm sure Apple will be doing in-depth code audits for every single application. After all, everyone knows it's impossible to get a malicious ActiveX control signed, or a VeriSign SSL cert for a phishing site! Come on. The certification and code-signing racket is a way to make money off of people's fear. It's one step up from the tiger-repellent rock business.
posted by enn at 4:50 PM on March 9, 2008


If you have no-one to ask, stick with Microsoft products.

For many years, having MSIE or Outlook Express on your machine was the surest way to make your system utterly insecure. I'm not entirely confident Windows itself is particularly secure yet.

There are certainly options these days. OS X with iLife, iWork, and a couple games fulfills about 99% of most people's need for a computer. Plus it'll all just work. And from my dabblings in Ubuntu, I'm thinking it's about ready for Joe Anybody to use. The UI looks solid and sensible, and the main applications seem robust and easy to use.

And then there are the various PDA-like and UMPC-like options. How many people really need a full-blown wordprocessor in their day-to-day personal lives? They want to take notes, make calls, track bills and lists and things to do, and look at the web and entertainment.

In many ways, sticking with Microsoft products is the worst solution.
posted by five fresh fish at 5:10 PM on March 9, 2008 [1 favorite]


I think the main point of signed code in this kind of situation is not that the code has been vetted as safe, but that the code is identified as coming from a known author, rather than some random person.
posted by TravellingDen at 5:14 PM on March 9, 2008


I think that security is epistemological state, not ontological. I don't want to think about it any more closely. Laa-laa-laa.
posted by Free word order! at 6:26 PM on March 9, 2008


Or maybe we could have some giant organization that publishes signed, trustable binaries. I wonder how much of the $20 of a software sale they'd take?

30%?
posted by tmcw at 7:28 PM on March 9, 2008


Heh. I contacted the Brothersoft people. They're going to take it down "soon," which I suppose means "when someone who doesn't have to work Sundays is in the office."
posted by middleclasstool at 7:42 PM on March 9, 2008


So... this is a double-bummer, because I really need a utility like this. Anyone know, is there a another Gmail archiver without the "evil" feature?
posted by Robson at 7:47 PM on March 9, 2008


Robson, I recommend checking out Google IMAP
posted by rodo at 9:12 PM on March 9, 2008


Someone in the comments on that site mentioned using thunderbird.

Why would anyone pay $30 to get a backup copy of their GMail account when Thunderbird is free? Just connect to GMail's IMAP server, set TB to save all downloaded messages, and do a complete sync. Not only would you then have a complete backup, but you would also be able to read and send email from TB while having it synced with GMail.

Just about any other mail client with IMAP support should also work.
posted by puke & cry at 9:58 PM on March 9, 2008


The argument might be that Google's POP/IMAP support is kind of flaky when trying to get lots of messages at once (My "All Mail" has like 28,000 messages and the first time I ran Apple Mail it took several days to actually download them all even though my connection should've been more than fast enough to download the 1.5 GB in just a few hours.)

Of course, there's no reason to use this app, but what you could also do is get a copy of Thunderbird and then just minimize it and not bother with watching it, if the slowness annoys you.
posted by leffler at 10:06 PM on March 9, 2008


Worried about your passwords? Here's what you do:

1. Download KeePass (available for Windows, OSX, and Linux)
2. Put in all the sites you use passwords for, or at least the important ones where money can change hands (I have my email, bank, PayPal, eBay, etc.)
3. Either have KeePass generate random passwords for you, or run this command under OSX or Linux:

dd if=/dev/urandom count=1 2>/dev/null | uuencode -m - | cut -c-16 | head -2 | tail -1

This will generate a reasonably random 16 character password. Do it for each site and copy it into KeePass.

4. Go to all your different sites and change your password to the one you generated.
5. Make new passwords periodically and change them again.

This is a simple, easy way to be reasonably sure your password won't be compromised. A good password should be impossible to memorize. When you want to login somewhere, you load up KeePass and do "copy password to clipboard". Passwords stay in the clipboard for like 20 seconds. Your KeePass database is protected by a master password, which should be something you can memorize. The database can't be compromised unless your physical machine is stolen or someone otherwise gets physical access, so it doesn't need to be unmemorizably strong. If you're worried about physical access, you can configure it so you need a keyfile to access the database, which you can put on a USB stick on your keychain. That way someone would need to steal your computer, keys, and figure out that the keyfile is on the USB stick.
posted by DecemberBoy at 10:13 PM on March 9, 2008 [2 favorites]


DecemberBoy, once you give that 16-character random password to one site, it's potentially no longer secure....
posted by JHarris at 10:28 PM on March 9, 2008


JHarris: I don't know if DecemberBoy is clueless or just forgot to mention it, but when you use techniques like that you use different passwords for each site
posted by blasdelf at 11:04 PM on March 9, 2008


Pretty sure this qualifies as mentioning it: "This will generate a reasonably random 16 character password. Do it for each site and copy it into KeePass."
posted by punishinglemur at 11:14 PM on March 9, 2008


DecemberBoy - what's wrong with just using pwgen instead of all that piping?
daniel@shodan:~/workspace$ pwgen
Au0eiph8 noe9Je0m UaPheem5 seij6oeH ohcaeT4d theuZ3oo jiuc1Luz too2eXoo
roi6Quei aiC8eiSh pee8Zahm dey7ig7B ge3CaeP0 ohJu3eil tee5ahLe chaiXoo8
ahnget6E Ri5eiJaT ieyoh9Ge zax6bu3A Coova5oo phequ3Ae ahk4Hegh ahf7keeS
nongaiJ3 aePh0aef lahb9aiH Eem9aoph Tahx3duR TeiF6ahx Ahkai7he ra2Ohkoh
phahNg7J veekeaX2 yoh5OhG6 Pi5quie8 Fah4yieh Oon3geef ohth6Ooz AH8aek5v
AhK8ohw6 or4Aiphe fohC2Sho Chiu6eBo eKiek8Th Woohoh9T Iefe1ro0 aa8geoV8
Maew7hei oobai8Ea ohVahw3z ciSh7aes Wahthie7 eGaeth0a roo2Ooyo su8uSiew
Shad5ahy OoChoo1E EiR9eeGi hieCh5ei aaWeeR5w Auh0too7 Chohh7eb qua2Quei
Lovie7ij Uteer5ai eeMu3ohf ieCeiHo6 og7Loomo shahng1B Chabe3pu Zow6ieJo
eiNgoa2p Ol4shei8 veirei2O ifoX8uox eeGhah5A theeY6ao ohj2aeG2 Coo0MeeM
Aep8Azoh OoNg1cai OogiF9ph RiZah1ph eiVoo1ae eeKa2vo0 aviXai5R aa2boo3U
aesu5Dei eeBegh0y ahnu1Ce5 aXahs9ku le7ahZ7z cooVae7i aeluTh6f Paqueof7
Sai7vaec eet5aiCe uRi8oaxo She5ahVi ohr5ieNg Ohgh9eek Auveiph6 eeYapei3
Leik2bai ieQuoo0s Gaivahb8 Ain2Tu3u esh0Aipu Houth2ie Xudi8eid ich2iePh
Ieng4aev Mai6gee6 vooNg9Ee eu4ieYei EiReeB1C ahN3aeng uo9eiS7u Boo1zees
Aew5aida Eyaz9ofa eiF5Oulu nae6iY1i UaGee4oh zoot5aiB eegh3aeD eiJie5xa
uC3baQuo aine4Eey fahgh7Ai Ohgh9yii ach7aeJo QuaV7Mau Yayah2oh ooS5ieco
eLee9uya TioPei5i Bee6acae EetahM8i fae2Um7z Af4Eehei puNgeip6 Ahrec2ko
eeF3aeti mie1aiM1 zaewoo9C ue2Fi5ha chaeY7Nu Vaes2quo OeGhuux9 iub8Aise
duf2baJo lao4Xon9 aiF6haev koo6Eir8 Aew1ji0v AGhu1Sae Quoo0tah ooM4Yah5
There! A bunch of secure passwords for alla y'all.
posted by thedaniel at 11:42 PM on March 9, 2008


Hrm, that took up about half as much vertical space in the preview box.. sorry all
posted by thedaniel at 11:43 PM on March 9, 2008


Yes, you need to generate a DIFFERENT random password for each site. Sorry if that wasn't clear. Also, if you're on OSX, you can use your Keychain and create a secure note with all your passwords in it rather than use KeePass if you want. It's also a good idea to have your KeePass database on multiple machines or drives in case of hardware failure, if you only have the one computer you can have it on there and also on a USB stick using the portable version from PortableApps. I even have credit card numbers in mine, so when I'm ordering something online I can just copy and paste rather than go find my wallet.
posted by DecemberBoy at 12:18 AM on March 10, 2008


roll truck roll, AOL, Orange, LiveJournal, WordPress and Yahoo/Flickr already support OpenID as a provider. When building a web app to use OpenID for user registration there's no mechanism to collect your provider username/password, only the data that you allow from your OpenID 'persona', and it's fairly simple to implement well (I've done it myself, it took less than a day to do).

Google's contacts and Social graph APIs in theory do away with a need for this "Social Network Anti-pattern", but they are both recently released.
posted by X-00 at 12:33 AM on March 10, 2008


5ff. I agree, and I'd tell people to use Thunderbird or mail.app & not trust anything else. However, for those people who don't know what advice to trust or who don't have an IT literate friend, they need to be taught simple rules that they can remember.

There's some terrible advice in the last few comments.

thedaniel : I don't know what you're thinking, but recommending that people use one of 300 passwords that you've generated for them is retarded. I'm hoping that you're joking.

DecemberBoy. The issue here isn't generating secure passwords. The implication that secure passwords somehow make you safe is extremely worrying.
posted by seanyboy at 12:47 AM on March 10, 2008


Can someone explain how openID works and why it's a good idea? Despite many efforts to understand it, I usually only find explanations that are either too simple or too technical for me.
posted by Shakeer at 1:07 AM on March 10, 2008


The issue here isn't generating secure passwords. The implication that secure passwords somehow make you safe is extremely worrying.

Nothing will make you completely safe, but using different unguessable passwords everywhere and changing them regularly will at least somewhat lessen your vulnerability should one of them be compromised. Like, if your bank password and your GMail password are totally different, shitcock here with his trojaned crapware can read your penis enlargement spam, but at least he can't get to your bank account. You'd be shocked how many people use the same easily guessable password everywhere.
posted by DecemberBoy at 3:02 AM on March 10, 2008
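Putting DecemberBoy's procedure above (an independent random password for every site, pasted into a password safe) together with the point that a Gmail password leaked to a tool like G-Archiver should not also open the bank account, here is an added worked example; it is not code from the thread. It assumes Python 3's secrets module, and that the uuencode -m pipeline's output alphabet is base64 (A-Z, a-z, 0-9, + and /), which is what the entropy figure is computed over; the site names and the reused-password store are constructed.

```python
import math
import secrets
import string

# uuencode -m emits base64, so the pipeline quoted in the thread draws each of
# its 16 characters from this 64-symbol alphabet (assumption stated in the lead-in).
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"


def gen_password(length=16, alphabet=BASE64_ALPHABET):
    """One password drawn uniformly from `alphabet` using the OS CSPRNG
    (the Python counterpart of reading /dev/urandom)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length=16, alphabet=BASE64_ALPHABET):
    """Entropy in bits of a uniformly random password: length * log2(alphabet size).
    For the thread's 16 base64 characters this is 16 * 6 = 96 bits."""
    return length * math.log2(len(alphabet))


def build_store(sites, length=16):
    """Step 3 of the procedure done for every site: an independent random
    password per site, keyed by site name (what you would paste into KeePass)."""
    return {site: gen_password(length) for site in sites}


def exposure(store, leaked_site):
    """Accounts affected when the password for `leaked_site` is disclosed, i.e.
    every site whose stored password is identical to the leaked one.

    With a reused password this is the whole cluster of accounts sharing it;
    with per-site passwords it is only the site that leaked."""
    leaked = store[leaked_site]
    return sorted(site for site, pw in store.items() if pw == leaked)


if __name__ == "__main__":
    # Constructed: the "name of the dog everywhere" habit the thread complains about.
    reused = {"gmail": "rover1", "bank": "rover1", "forum": "rover1"}
    print("reused store, gmail leaked ->", exposure(reused, "gmail"))

    # Constructed: the same three sites following the per-site procedure.
    per_site = build_store(["gmail", "bank", "forum"])
    print("per-site store, gmail leaked ->", exposure(per_site, "gmail"))
    print(f"entropy of one generated password: {password_bits():.0f} bits")
```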


1) I know how many people use the same easily guessable passwords.
2) I have no idea what keepass is. For all I know, it gathers all my passwords, encrypts them and sends them to Russia.

On Passwords:
There is a conflict for users between security and complexity. If you tell them a method that relies on third hand software and complex linux statements, they're just going to default to the name of their dog.

Personally, I'd much rather recommend the use of pass phrases, and a three tier password system (where your bank and your email get their own passwords, things that are quite important get a single password and throw away sites you don't care about get a single but different password).

There's also a need for a non-password authentication system. keepass does this, but there should be simpler methods tied into all web browsers.

Of course, one of the keys to good password security is for there to be a multitude of systems for creating different passwords.
posted by seanyboy at 4:35 AM on March 10, 2008


seanyboy, I'm pretty sure thedaniel was just demonstrating the output of that program.
posted by Jimbob at 4:42 AM on March 10, 2008


Of course, if I'm gonna use keepass, I'm gonna use the Easy Install version of it.
posted by seanyboy at 5:10 AM on March 10, 2008


DecemberBoy: A good password should be impossible to memorize.... Your KeePass database is protected by a master password, which should be something you can memorize.

So the KeePass database is protected by a bad master password, thereby compromising all the good passwords inside it.
posted by signal at 6:50 AM on March 10, 2008


So create an algorithmic password and never tell anyone what your algorithm is or what your passphrase is, and make it really huge and complex and use that to protect your Keep Ass database that's on your encrypted thumbdrive.

There will always be compromise opportunities, signal, just try to manage them so they're not too huge and obvious.
posted by kalessin at 9:09 AM on March 10, 2008


The KeePass suggestion is also impractical. I'll ignore the problem of it being, itself, a potentially untrusted program. So I'm supposed to have a different password on every site I go to and maintain and rotate it weekly? What a PITA! And what happens if I need to log into a site on some other computer that doesn't have KeePass installed? And anyway, strong passwords aren't solving the problem of the original post here, which was your password being stolen by malicious, criminal software. I don't care how secure my password is; from the moment I give it to G-Archiver it's compromised.

Using a different password on every site is a good idea, though. I'm fond of using PwdHash to do that. But I don't think it's going to magically protect me from malware.
posted by Nelson at 9:47 AM on March 10, 2008


I have no idea what keepass is. For all I know, it gathers all my passwords, encrypts them and sends them to Russia.

It's a secure password safe used by thousands of people. It's open source, so you can download the source and audit and build it yourself if you like. Again, there's no way to be totally safe, but using different secure passwords everywhere and changing them regularly helps a lot. KeePass simply makes it convenient to do that. If you like, you can use secure notes on OSX or make a textfile and encrypt it or something else like that.

So the KeePass database is protected by a bad master password, thereby compromising all the good passwords inside it.

Only if someone gets physical access to your machine, in which case you have bigger problems. If you want, you can make the master password 32 random characters, write it on a post-it and lock it in your wall safe. Or not use a password at all and use a keyfile you keep on a USB stick on your keychain. Or you can use both. Whatever you want the balance between convenience and security to be. Look, there's no perfect solution, I'm just telling you what I and many others do, and it's way better than what most people do, i.e. using the name of their dog for every password they have.
posted by DecemberBoy at 2:46 PM on March 10, 2008


Have you noticed a lot of sites now ask for your username/password to other sites in order to use some features?

Just last night, my wife asked for our online banking username and password, because PayPal wanted it to immediately verify our bank account rather than wait the 3-5 days it would otherwise take.

Mind you, she went there directly, it wasn't a phishing thing.

Needless to say I told her no, and she's waiting the 3-5 instead. It's a terrible practice, and I don't know why anyone would blindly provide that information, but it must work, and it feeds directly into phishing sites looking more legit when they ask for such info.
posted by davejay at 3:02 PM on March 10, 2008


DecemberBoy: You just don't get it.

b.t.w. I set up an adwords campaign pimping my own version of KeePass. 75 hits from 78,000 views in 10 hours or so. With a bit of fiddling of the domain names and web pages, I'm thinking that I could have got a good percentage of those people to download compromised code.

Password managers are a bad idea. Assuming that everyone is technically capable is a bad idea. The fact that you can't recognise either of these two facts provides just another data point proving my point.
posted by seanyboy at 3:43 PM on March 10, 2008


Also, keepass, keepass, keepass or keepass. You decide.
posted by seanyboy at 3:47 PM on March 10, 2008


Admittedly, I don't change passwords on sites as often as I should, but I do change them periodically. "as I should" is often a period that is too short if one has a full time job that is not managing one's passwords.

What I do, in general:

I use TrueCrypt (open source) or Bestcrypt (closed source but with plugin support and a reasonable reputation) to keep various encrypted (by strong passwords) file-based volumes on a USB thumbdrive. I know that for various hardware reasons, this is not entirely secure, but I think it's reasonably enough secure for my purposes.

Depending on what the volumes are for (GPG keys versus portable applications versus password management for high security sites/utilities/resources versus password management for lower security sites/utilities/resources), the password on each volume is more or less strong. The passwords for these volumes are ones I keep in my head. Some are algorithmically obfuscated. Some are actually pretty random (taken at random from a machine-generated/harvested character stream) and simply memorized.

I keep encrypted backups elsewhere, at a secure location, on other media - magnetic - I don't think I'd ever burn them to an optical device. If I were to ever write the passwords down (for legal/inheritance reasons primarily), I would probably record them in obfuscated hard copy and keep them in a safe deposit box.

For the low security/low importance sites/resources/utilities, I use KeePass Portable to help track and manage the passwords (note that this application and its data reside on an encrypted file volume when not in use). For higher security/importance sites/resources/utilities, I just keep the login information in text files on those encrypted volumes with very strong passwords.

Depending on the operation and my paranoia (and how my computer is hooked up to and to what network resources it's hooked), I will often isolate my computer from a network entirely when mounting certain encrypted file-volumes to access the data within.

On the rare occasions when I use a third party backup tool for on-line hosted resources, I will generally change my PW to a token, temporary one on the resource, use the tool, then change the password back to a strong one, making sure the two passwords are unrelated.

This is almost as secure as I know how to be, with the exception of just not using tools or utilities like this, nor computers, nor the Internet, nor doing anything convenient with my data.

I post this in the interests of clarity and perhaps to give folks other ideas about how to manage their data.
posted by kalessin at 5:29 AM on March 11, 2008

