Back to previous post: Open thread 113

Go to Making Light's front page.

Forward to next post: Crazy Creek Chair

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

August 25, 2008

If you use Gmail, read this
Posted by Patrick at 08:57 AM *

Via Chad Orzel: why all GMail users should use https, never http, no exceptions and no foolin’:

Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:

Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.
Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.
Your Browser: Great. I want to read this particular email, my Gmail login is: webmonkey@wired.com and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.
Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?
Guy packet sniffing your wi-fi from Starbucks: Cool!

It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.

Of course, for 36.2% of all Making Light readers, this information is news on the order of “water is wet.” (54.9% of those are about to post a comment explaining why Gmail is a Bad Thing no matter how you use it.) This post is a public service for the remaining 63.8%, none of whom deserve to have their personal information hijacked.

Gina “Lifehacker” Trapani’s Firefox extension Better Gmail forces Firefox to always use https for Gmail, and includes a nice set of other user-choosable Gmail-related enhancements and conveniences. Of course, to encrypt your Gmail sessions, all you have to do is preface Gmail’s URL with “https” rather than “http”, or turn on “always use https” from the “Browser Connection” settings of your Gmail account.

In conversation the other day, Cory Doctorow, a guy who keeps his mail on his own machine, remarked that in fact his anti-webmail stand doesn’t actually matter all that much; if I use Gmail and hundreds of his other correspondents use Gmail, in effect he’s using Gmail too. It’s a good point, and it gets at the way that good computer security practices aren’t just a matter of autonomous individuals choosing whether or not to fortify their personal castles. Bad security is like cholera in the water supply; it affects everyone.

Comments on If you use Gmail, read this :
#1 ::: xeger ::: (view all by) ::: August 25, 2008, 09:24 AM:

How about "you should always be aware of what you're sending in the clear" instead of "gmail is bad" ;)

I'll save the rant about how you only find out that you've lost ephemeral data through catastrophic failure for another day...

#2 ::: C.E. Petit ::: (view all by) ::: August 25, 2008, 09:30 AM:

Or how about "Use a real e-mail program, like Thunderbird, to interface to webmail programs that allow it, and avoid webmail that doesn't"? It's trivially easy to set it up so that one's system automatically logs in... and then deletes stuff off the server automatically.

Sure, it's possible to use a hammer (web browser) to put a screw (individually addressed messages like e-mail) into soft wood (the 'net). It's also not a good idea in the long run, even if it works sometimes.

#3 ::: AzureLunatic ::: (view all by) ::: August 25, 2008, 09:36 AM:

Of course, to encrypt your Gmail sessions, all you have to do is preface Gmail’s URL with “https” rather than “http”, or turn on “always use https” from the “Browser Connection” settings of your Gmail account.

I've heard that one should always do the second, as doing the first -- sure, it protects your own connection, but Gmail won't know that the friendly http:// request that looks like it's coming from you is in fact from that guy packet sniffing your connection in Starbucks and engaging in a little man-in-the-middle exploitation.

When specifying that Gmail must always use https://, Gmail will then reject attempted exploits of that nature.

#4 ::: Jo Walton ::: (view all by) ::: August 25, 2008, 09:38 AM:

Thank you. I have changed my settings appropriately.

#5 ::: don delny ::: (view all by) ::: August 25, 2008, 10:12 AM:

Er, expanding on C.E. Petit's comment in #2,
Mozilla Thunderbird, a free, decent email client, supports connecting to gmail, and (I think) defaults to using SSL for all communications. It's easy to set up, has a wizard* and everything.

You still have to get into your gmail settings and allow POP or IMAP access, so you might as well set the webmail to https while you are there.

I wonder why firefox doesn't default to trying to connect to sites using https first, and then falling back to http if that doesn't work?

*silently reflects on the diminishing value of the word wizard in our lifetime.

#6 ::: Evan Goer ::: (view all by) ::: August 25, 2008, 10:23 AM:

I just searched through ten years of email on my desktop, and I couldn't find my Social Security number or any of my credit card numbers. I don't understand the context where one would send this kind of information via email.

Now logging into a website, sure -- people happily pass in secret information all the time. That's how the bad guys have managed to amass millions of complete identities and tens of millions of credit numbers -- through phishing. And viruses. And laptop theft, and old fashioned "disgruntled employee on the inside" schemes. Nobody ever got rich sniffing Wi-Fi traffic in Starbucks.

#7 ::: Evan Goer ::: (view all by) ::: August 25, 2008, 10:32 AM:

I should note that I'm making a distinction between encrypting your mail login and encrypting the rest of your mail traffic. The first one *is* a good idea, which is why Google has it turned on by default. The second one isn't buying much real security and is expensive to implement, which is why Google has it turned off by default.

#8 ::: Ross Smith ::: (view all by) ::: August 25, 2008, 10:34 AM:

don delny #5: I wonder why firefox doesn't default to trying to connect to sites using https first, and then falling back to http if that doesn't work?

That would be because it's not unusual to have different sites set up on the http and https ports on the same server. Always defaulting to https would sometimes get you the wrong one.

#9 ::: Velma ::: (view all by) ::: August 25, 2008, 10:42 AM:

Thank you for the heads-up; have edited my preferences. I love the adventures of the online world.

#10 ::: John Chu ::: (view all by) ::: August 25, 2008, 10:43 AM:

#2: As don@5 points out, this only works if you've set up your email client to use SSL for all communications. Getting people to do that is on the same order as getting people to use https to connect to gmail. (I'm really surprised that this isn't the default, BTW.)

#6: Sometimes you receive sensitive information. In that case, it's to your benefit to get as many links on the chain as secure as possible.

I subscribed via the web to SpeakEasy Stage's upcoming season. They used SSL for processing the financial transaction, so I'm as certain as I can be that my credit card number got to them securely. However, when they emailed back a confirmation, they included a complete copy of subscriber information, including my credit card number, at the bottom. *headdesk*

I've sent them email telling them that this is insecure. Maybe they'll become more careful with other people's private info. (However, my next financial transaction with them will be via a check. Yes, I know, someone can still do creative things with the routing number. At least, it doesn't start off traveling in the clear on the internet.)

I'm looking forward to their production of The Light in the Piazza. I'm not looking forward to what may have happened with my credit card number.

#11 ::: Emily ::: (view all by) ::: August 25, 2008, 11:01 AM:

this only works if you've set up your email client to use SSL for all communications. Getting people to do that is on the same order as getting people to use https to connect to gmail. (I'm really surprised that this isn't the default, BTW.)

It's not the default because even a decent security geek with a major case of paranoia can screw up the setup so that it is insecure with some/all clients. Doing security right is tricky, and figuring out all the hoops for all the various email clients gets a bit wonky.

I'm looking forward to their production of The Light in the Piazza. I'm not looking forward to what may have happened with my credit card number.

Contact your credit card company. Ask them to put a watch on the card because it was exposed, and tell them how and who did it. Takes a few minutes, and it makes it *much* harder for a bad guy to get up to no good with your card. We had to do this a year or so ago with one of our cards after a case of serious weird. We have gotten the odd call from the bank to check that a purchase is ok, and mostly they have been. The bank will also get worried if the card is used in places they don't expect, so we let them know if we're traveling with that card. (and on the whole it's worth it... a random purchase in Chicago or Munich really isn't likely to be us)

In our case, we're pretty sure the card data wasn't exposed. But only pretty sure. And the exposure window was in the 12-24hr range, so if it got out it could have been spread pretty widely. The watch is cheap insurance.

#12 ::: Alan Hamilton ::: (view all by) ::: August 25, 2008, 11:06 AM:

I agree with Gene Spafford:

Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.

The big compromises have either been via spyware on the client side or intrusions on the server side. Can someone cite some cases where passwords/credit card numbers have been stolen strictly by network sniffing?

#13 ::: John Stanning ::: (view all by) ::: August 25, 2008, 11:12 AM:

I blush to admit that I have a gmail account, tbough I don't use it for anything serious. Google's own instructions for setting up POP access with Outlook (blush again) give full details including the names of the incoming and outgoing servers, and tell you you tick the boxes for SSL connection. The instructions for Thunderbird (which I haven't used) seem to assume that it knows about gmail without being told the details.

#14 ::: eric ::: (view all by) ::: August 25, 2008, 11:21 AM:

Don: #5, The time that it would take to check if an https site exists would make it seem like firefox is really slow, even if it's not. Think about adding up 1/4 to 1/2 second each time you went to a new site.

Also, it's not a given that https://blah and http://blah are the same content, even if they're the same site. (possible, and probable, but not a given)


#15 ::: Graydon ::: (view all by) ::: August 25, 2008, 11:28 AM:

I have a gmail account; it sorta goes with a blogger blog, and all.

I use mutt, rather than any browser or graphical tool, to communicate with it using a secure IMAP connection, and I don't leave any significant email (well, to be fair, I don't have any significant email going to that account) on it.

Which doesn't really matter; the principal risk is Google's crossindexing and someone finding an exploit for that. But at least I get to do email in a console the way God intended.

#16 ::: eric ::: (view all by) ::: August 25, 2008, 11:32 AM:

Alan @ #12: I think that the network environment is a little more aggressive than it used to be, especially when it comes to wifi. When people used to have one wired connection, the chance of sniffing was pretty minimal. But now, it's actually pretty trivial to create a fake/real wifi node in a public place and attempt to do a man in the middle attack on everything that flows through the node. If you name it linksys, a non-trival portion of the population will use it without needing confirmation.

And what's worse, once there's that man in the middle, _any_ non-encrypted communication is suspect. DNS, http, mail, whatever.

Picture this:

You: get me gmail: http://mail.google.com
Hotspot in the middle: Hey, cool: Gmail, give me a login page.
Gmail: redirect yourself to https://mail.google.com
Hotspot in the middle: Hey, ok. https://mail.google.com
Gmail: login page
Hotspot: gets login page via https, serves it to you as http.
You: Login time.

If you type in your login now, game over. You have to go to https, and not let gmail force you over to it. Because someone out there could intercept that redirect and you'd never know it.

Incidentally, this is why if you get a form on an insecure connection that says that it submits to a secure site (like lots of _bank_ logins) you can't trust it. a man in the middle can drop an s really easily.

#17 ::: Red(Chris Holdredge) ::: (view all by) ::: August 25, 2008, 11:42 AM:

Evan (and others),

The problem is that, because of a more or less recently discovered security flaw in Gmail, encrypting the login transaction doesn't actually provide any protection if the rest of the session isn't also encrypted.

The concern here isn't just that the emails are sent in plaintext. They're sent along with an unprotected cookie that anyone can duplicate, and use to masquerade as you for as long as you're logged in. Once they've done that, they can do anything to your account that you could, including changing your password to something that they know. This isn't quite as bad as silently discovering your existing password, but it's not good at all.

If your password is worth protecting at the time you log in, you probably out to be protecting it every time it's made vulnerable. And the way things work now, that means every time your browser interacts with a Google server.

#18 ::: Evan Goer ::: (view all by) ::: August 25, 2008, 12:03 PM:

Hi Chris -- I'm confused, are you saying SSL is the solution for CSRF issues?

#19 ::: Randolph ::: (view all by) ::: August 25, 2008, 12:20 PM:

"this only works if you've set up your email client to use SSL for all communications. [...] (I'm really surprised that this isn't the default, BTW.)"

It isn't a default because Apple and Microsoft don't make it a default. Network integrity would be enormously improved (and spam reduced) if this were done.

#20 ::: j h woodyatt ::: (view all by) ::: August 25, 2008, 12:25 PM:

"Bad security is like cholera in the water supply; it affects everyone."

Not as much for those of us who only drink beer.

#21 ::: xeger ::: (view all by) ::: August 25, 2008, 12:38 PM:

Several people have wondered "why firefox doesn't default to trying to connect to sites using https first, and then falling back to http if that doesn't work?"

HTTPS (and SSL/TLS in general) are expensive in terms of time and processing power -- and will both slow down how fast you get the service, and how many instances of the service the far end can support.

Beyond that, (feel free to groan if you've heard this too many times before), it's all about your threat model.

Functionally I'd rather get my web comics fast than get them securely -- I'd rather have my online purchases secure than fast...

You protect what needs to be protected at the appropriate level... and balance your resources accordingly.

#22 ::: Mike Booth ::: (view all by) ::: August 25, 2008, 01:00 PM:

Chris at #18: I don't think that having a remote sniffer steal your Google cookie and use it to masquerade as you counts as "CSRF". The term "CSRF" usually refers to a piece of Javascript running on *your own computer* that submits illicit transactions to (e.g.) Google, and gets away with it because your computer is currently logged on to Google in your name and has a cookie to prove it. I don't believe SSL helps prevent that; there are other countermeasures.


#23 ::: Leva Cygnet ::: (view all by) ::: August 25, 2008, 01:05 PM:

One thing that bears stressing is that your gmail account password/login gives bad guys access to anything else you may be doing in Google, not just Gmail.

If you're using Adsense or Adwords with the same account as your gmail account and someone gets access to your gmail account they can also do nasty things like potentially redirect your Adsense income to a different bank account, or run a $xxx,xxx Adwords campaign to their spammy spyware site in Nigeria, using your credit card. It's all the same login.

-- Leva

#24 ::: Mike Booth ::: (view all by) ::: August 25, 2008, 01:22 PM:

Leva @23: It's worse than that. If folks get your actual gmail login and password -- even if all they can do is read your unencrypted mail as it travels to your machine -- they potentially have access to *anything* you do online, whether on Google or not.

They can go to all the big sites -- PayPal, eBay, Amazon, banks, brokerages, etc -- and enter your email in the "I forgot my password" box. Then the sites will send out helpful emails containing links that can be used to change your password. The attacker can read those emails and use those links.

This will work even if all the attacker can do is read your mail. If the attacker can also log in to Gmail as you, (s)he can delete these emails as they come in, so you won't even notice them in your Inbox. You'll only discover that your PayPal password has changed when you try to log in and find that your old password doesn't work anymore.

As it happens, a lot of big target sites like banks have tried to design their forgotten-password procedures to make this kind of attack more difficult. And I'm not sure this sort of thing happens often -- plain-old phishing attacks probably have higher yield for less effort, and they pay off in the form of credit card numbers which are less difficult to fence. But that doesn't mean that allowing your email to be vulnerable is a good idea. It's a single point of failure for all sorts of other things.

#25 ::: Michael Roberts ::: (view all by) ::: August 25, 2008, 01:32 PM:

I think I have to take exception to Cory's alarmism. If he doesn't email sensitive information to Gmail users (and really -- nobody should ever email sensitive information, period), then your use of Gmail doesn't affect him in the slightest.

Or so it seems to me. But I'm no great shakes at security.

#26 ::: Joel Polowin ::: (view all by) ::: August 25, 2008, 01:35 PM:

A couple of months ago, I was at a hotel for a con. The hotel had a "business center" with a few computers for use by guests, providing net access, the standard set of MS Office apps, etc. The machines had a customized interface which gave access to these tools, rather than just letting people start applications from the desktop.

I'd been intending to check my E-mail occasionally over the weekend, but as I was logging in, I noticed something odd. Though the browser appeared to be a customized version of Internet Explorer, with the usual application window icon, what should have been a secure web page for log-in wasn't secure -- or at least it was showing the "not secure" icon, even though the URL started with "https://". Then I noticed that the address bar was labelled "Aderss:".

I decided I didn't need to check my E-mail that badly. I'm cautious about public-access terminals in general. This one looked dodgier than I was comfortable with.

#27 ::: John Farrell ::: (view all by) ::: August 25, 2008, 01:39 PM:

Of course, to encrypt your Gmail sessions, all you have to do is preface Gmail’s URL with “https” rather than “http”, or turn on “always use https” from the “Browser Connection” settings of your Gmail account.

Yikes--thanks for passing this along!

#28 ::: Josh Millard ::: (view all by) ::: August 25, 2008, 02:37 PM:

I just searched through ten years of email on my desktop, and I couldn't find my Social Security number or any of my credit card numbers. I don't understand the context where one would send this kind of information via email.

Any passwords or other account-management info? Bank statements or receipts? Personal information that you'd rather not be published to the world? Etc.

There are plenty of folks who manifestly refrain from putting anything in email that they wouldn't shout on a street corner, and as far as that goes the access issue goes away, but I think there are probably a lot more folks who out of some mix of ignorance of the risk (likely your big majority, that) or laziness despite their awareness (hi!) will allow sensitive things into their mail.

So, from that, what Mike said, with a heaping helping of what Red said to make it even worse.

And even if you keep your mail pristine from a privacy perspective, having someone invade your account to, say, wipe out your entire inbox likely qualifies as ruining your week, if not exactly ruining your life.

#29 ::: don delny ::: (view all by) ::: August 25, 2008, 02:44 PM:

Thanks to all above who answered my question regarding why defaulting to https isn't automatic.

Michael Roberts, 25,
I had a longer answer, but, basically somebody is wrong on the internet, and in this case, I think it is you.

#30 ::: P J Evans ::: (view all by) ::: August 25, 2008, 02:51 PM:

At least one place I buy from online, asked people, before they got a secure shopping cart, to e-mail their card numbers in pieces, figuring it would make it more difficult for anyone wanting to steal the numbers.

There was a very recent news story about people stealing information from not-secure-enough WiFi/wireless networks at popular businesses.

#31 ::: xeger ::: (view all by) ::: August 25, 2008, 03:33 PM:

Michael Roberts @ 25 ...
I think I have to take exception to Cory's alarmism. If he doesn't email sensitive information to Gmail users (and really -- nobody should ever email sensitive information, period), then your use of Gmail doesn't affect him in the slightest.

Again - this depends on what you consider to be sensitive material.

On my part, there are a lot of things I consider sensitive that other folk might consider completely unremarkable (I'll choose travel plans as an example) -- so while I wouldn't put them in email, somebody else would cheerfully write back with "I'm looking forward to seeing you on your trip to Dallas in December. Debbie will be picking you up, like she usually does.".

Further, I don't know if you're of an age to recall McCarthyism particularly well, but things like email/instant message/social networking sites are a lovely way to track who you associate with...

#32 ::: Erik V. Olson ::: (view all by) ::: August 25, 2008, 03:38 PM:

if I use Gmail and hundreds of his other correspondents use Gmail, in effect he’s using Gmail too.

Yes. And even if your send is somewhat secure, when the recipient replies-to-all and fails to trim the response, all your effort has gone to naught. (As a bonus, they will reply on top as well.)

The correct answer: Assuming that any email you send is between you, the recipient, and anyone with access to Google Search.

Even if you "encrypt" it -- because it's way too easy for someone to forward it without encryption (and never mind the number of bad crypto implementations.)

The reason that HTTPS is important with Google is the auth cookie, which, if the bad guy sniffs, will let them *act* as you. Screw reading your email, how much damage can I do if I can send email that is indistinguishable from your normally sent email?

Can someone cite some cases where passwords/credit card numbers have been stolen strictly by network sniffing?

It has happened. It doesn't get reported because the number of thefts is low -- you get a couple at a time, not thousands, and if the bad guy is smart, he sells the info to someone else, which makes it much harder to find the bad guy.

I assume that all connections are being sniffed, because it's just safer to make that assumption. For one thing, most of the wireless networks out there *are not mine*, and the provider gets to do what they want with the bits they pass.

#33 ::: Terry Karney ::: (view all by) ::: August 25, 2008, 03:41 PM:

I've been using gmail manager; I have it set to secure login. The affiliated password is what, sort of, bothers me.

The way I handle different items (and would with adsense, were I running a blog which could make use of it) is to have different gmail accounts, so no one of them is handling more than a small amount of personal/sensitive data.

#34 ::: Nicole J. LeBoeuf-Little ::: (view all by) ::: August 25, 2008, 03:41 PM:

On the general subject of email woes...

Is there a way to send email from Thunderbird using Gmail's SMTP, and *not* have the Reply-To on that email changed to your Gmail account email address?

I sometimes have problems using both my domain host SMTP and my home internet provider's SMTP, so Gmail is my third fall-back. But when I do, all replies to my email end up going to my Gmail account, because using the Gmail SMTP appears to rewrite the From or Reply-To headers in my outgoing mail. Sucks, because (for instance) I would prefer fiction submissions reach editors looking like they came from Me at NicoleJLeBoeuf dot com, not vortexae at Gmail dot com. Ditto professional communications to customers of Little Bull Creations; they should see email from littlebull dot com, not from Gmail dot com. Darn it.

grumblegrumblegrumble

But maybe this a feature, not a bug, as far as Gmail is concerned? "You may not use us to send mail unless it's actual Gmail business!!" Yergh.

#35 ::: R. M. Koske ::: (view all by) ::: August 25, 2008, 04:05 PM:

#32, Erik V. Olsen -

As a bonus, they will reply on top as well.

I'm very icked out by the realization that I've learned that reply on top is okay from my time in cubicle-land. When I first got online I pretty much defaulted to "reply below" on the assumption that if I was bothering to quote, then it was only logical to quote first, then respond. Even now, that's what I do in my private correspondence.

But at work, *everything* is CYA*, so you quote without trimming and respond above, even if all you're saying is "Okay, thanks."

When I recently ran into the hatred for replying on top, I was surprised and even a bit defensive. I feel dirty now.

*It's a friendly sort of CYA in my department. The difficult decisions and choices are sometimes made up to two months before the final work sees the customer, and we're totally hands-off for the last three weeks before the customer sees it. Few of us can remember that long what was done or why. Paper trails are the only solution.

#36 ::: Jon Sobel ::: (view all by) ::: August 25, 2008, 05:55 PM:

I realize this thread is essentially about security, but it's worth noting that people use Gmail for specific reasons not related to security. I've saved countless hours because of Gmail's a) superior search feature and b) thread-based interface. The interface is so far superior to working in even a well-made client like Thunderbird that I couldn't see going back. In fact, if I found out that my Gmail account was compromised and I couldn't re-secure it, I'd probably just start fresh with a new Gmail account.

#37 ::: Charlie Stross ::: (view all by) ::: August 25, 2008, 06:20 PM:

I use gmail extensively. In fact, I'm close to moving to it as my main eail service.

... but ...

1. I don't use the web interface; I use IMAP over SSL.

2. I don't use public terminals to check email. Ever.

3. I don't do internet banking. Ever. (I register my bank accounts, then shred to paper mail with the PIN, specifically to stop a hypothetical black-hat third party from setting up the accounts for me.)

(Also 4: my own mail server is getting 15-20,000 spams a day, spiking as high as 60,000 spams per day. It's damn near unusable at present. Hence the motivation for this.)

I'd be happier if Gmail would provide the option of using S/Key or similar for logins, or ssh public keys, and of switching the webmail option off completely. But for the time being, it beats the alternative.

#38 ::: Daniel Martin ::: (view all by) ::: August 25, 2008, 06:47 PM:

First of all, this is just me speaking as someone who is a techy, using no non-publicly available information. I AM NOT SPEAKING FOR MY EMPLOYER HERE. At all. If you don't know why I shouted that, good. Now:

One thing that bears stressing is that your gmail account password/login gives bad guys access to anything else you may be doing in Google, not just Gmail.

If you're using Adsense or Adwords with the same account as your gmail account and someone gets access to your gmail account they can also do nasty things like potentially redirect your Adsense income to a different bank account, or run a $xxx,xxx Adwords campaign to their spammy spyware site in Nigeria, using your credit card. It's all the same login.
I would like to correct a slight misunderstanding that seems to be present in the quoted text: the gmail vulnerability being discussed is session hijacking. It will not give an attacker direct access to your password, nor will the same session cookie work on other Google services, such as AdWords or Google Checkout. Given that an open email session can be leveraged into other access through "forgot my password" links, this may seem like a distinction without a difference.

Also:

The problem is that, because of a more or less recently discovered security flaw in Gmail, encrypting the login transaction doesn't actually provide any protection if the rest of the session isn't also encrypted.

The concern here isn't just that the emails are sent in plaintext. They're sent along with an unprotected cookie that anyone can duplicate, and use to masquerade as you for as long as you're logged in. Once they've done that, they can do anything to your account that you could, including changing your password to something that they know. This isn't quite as bad as silently discovering your existing password, but it's not good at all.
It's not a recently discovered flaw - it's a well-known limitation of non-https services. Livejournal, wordpress, your bank that's too cheap to pay for an SSL certificate? Same issue. The issue is that someone has decided to release a tool that specifically targets gmail.

Finally:

When people used to have one wired connection, the chance of sniffing was pretty minimal.
This applied only to people behind switched port hubs. I'm not quite sure when they become the norm, but I know that Carleton was still switching offices over to them in 1995, and I know it was pretty common at my internship in 1998 for the office's hub to become confused and go into unswitched mode. (this was at an office in the corp. headquarters location of a fortune 500 computer company)

#39 ::: Reba ::: (view all by) ::: August 25, 2008, 07:09 PM:

Thanks for the heads up. Just changed my settings and will pass this info on. Not all of us are tech savvy, even if we're good little end users.

#40 ::: Rob Rusick ::: (view all by) ::: August 25, 2008, 07:22 PM:

Nicole J. LeBoeuf-Little @34: Is there a way to send email from Thunderbird using Gmail's SMTP, and *not* have the Reply-To on that email changed to your Gmail account email address?

Sounds similar to what I have set up. I have a couple of email accounts; one through Gmail, and one through my ISP (RoadRunner).

If I've clicked on one of the accounts (under the 'All Folders' pane) and then go to 'Write', the 'Compose:' window automatically selects the corresponding email addr in the 'From:' field. If I do a 'Reply to All/Reply to Sender Only' on a message in the Inbox for either account, again the corresponding addr is automatically assigned to the 'From:' field.

But in the 'Compose:' window, to the right of the 'From:' field, there is an arrow pop-down that lets you select one of your other accounts.

I don't know if there is a setting anywhere that will let you set a preference. I installed an 'about:conig' Thunderbird plug-in that gives you an ability to edit settings like you can with about:config in Firefox (i.e., gives you control over much more than you can get to through the Preference settings); but I couldn't advise you which (if any) settings you could change to make one email address your default 'Send' for all accounts.

Maybe just knowing about that pop-down in the Compose window answers your question?

#41 ::: Daniel Martin ::: (view all by) ::: August 25, 2008, 07:43 PM:

Note that the "including changing your password to something that they know" bit is also slightly excessive paranoia - a gmail session cookie won't by itself let you change the associated gmail password.

That being said, turning on the SSL-always option? A double-plus good idea, even with the firefox extension.

#42 ::: Daniel Martin ::: (view all by) ::: August 25, 2008, 08:07 PM:

In fairness, I guess I'll also point out a way that the described attack is worse than the discussion so far has covered:

If you do not turn on the "SSL only" option, and you have things set on your laptop so that you're remembered at gmail (i.e., you don't need to type in your password to log in), then if you browse anything on an unsecured wifi also being used by a mildly clever attacker, then that attacker has access to your gmail account.

Anything you could do on gmail while logged in - delete emails, send email as you, search all your archived emails, etc. - that attacker can now do. Simply avoiding looking at gmail while connected in a bad part of the world is insufficient.

This applies to any service running over http that: 1) remembers you so that you don't have to login again, and 2) is able to recognize that it's you without doing https every time you type their address. (That second condition doesn't knock out any services I know of)

So, for example, does livejournal remember you? Do people on your friends list post friendslocked entries it would be very, very bad to let an attacker see? Better not ever browse anything from an open wifi network then...

#43 ::: Lin D ::: (view all by) ::: August 25, 2008, 08:57 PM:

If I log in to a local coffeeshop's wifi, and leave without specifically logging out, can someone use my session ID to continue running up access charges?

#44 ::: Nathaniel ::: (view all by) ::: August 25, 2008, 09:15 PM:

@42: I take it that your (2) is referring to the "secure" attribute that one can set on cookies, but apparently no-one ever does? I have seen it claimed that if you check that "use https:// only" box in gmail that it actually *will* set that attribute on its login cookie, which would protect at least your gmail account against the attack you're referring to. I can't check for myself because I don't have a standard gmail account.

If it's true, though (anyone want to check?), then it does mean that for the best security you need both a Firefox extension that forces your connections to https (Better Gmail or CustomizeGoogle), *and* to check the box in your Gmail settings tab. Either will protect you against a passive listener (someone sitting and listening to your unencrypted wireless connection), but only the extension will protect you against an active man-in-the-middle (someone who convinced you to connect to their nefarious wireless access point) stealing your password when you try to check your mail, and only the settings tab option will protect you against that same active attacker from stealing your "remember me on this computer" access to gmail when you try to view some other non-gmail site entirely.

Still won't help with LJ etc., though.

#45 ::: Nick Fagerlund ::: (view all by) ::: August 25, 2008, 10:24 PM:

Since it hasn't been mentioned yet, I should point out that the Google Notifier program doesn't default to encrypting your connection, either. On the Mac version, you can secure it by setting a secret preference, which is a completely wrongheaded way to go about it but is better than nothing. One does this by going to the Terminal and issuing the command:

defaults write com.google.GmailNotifier SecureAlways 1

#46 ::: Mike Booth ::: (view all by) ::: August 26, 2008, 12:35 AM:

As Daniel Martin @42 points out, just remaining permanently logged in to sites is a security risk. Google is hardly the only site that can leak cookies.

I get around this problem with liberal use of 1Password, a piece of Mac software that I heartily recommend. It remembers and fills in passwords for you. Using it, I'm more willing to just log out of sites when I leave, because I can often log back in with a single press of Command-\

#47 ::: Caroline ::: (view all by) ::: August 26, 2008, 10:59 AM:

What exactly is wrong with replying on top? If I have something specific to quote and respond to, I'll do so, but I generally do reply on top, and have never heard that it was a gross breach of etiquette worthy of feeling dirty about.

I hate it when people reply below because I don't want to scroll through the entire email I already wrote before I get to their responses. It also gets confusing if the thread goes on for any length of time, with interleaved replies and replies to replies and so on. I find it a lot easier to keep track when everything is in order.

If it's something point-by-point, I may go point-by-point, but in most of my correspondence no one is going point by point. Most emails consist of [question] [brief background explanation], and the reply consists of either [answer] or [followup question]. Either that or [letter about what's going on in my life], and the reply is [letter about what's going on in their life].

I agree with Jon Sobel @ 36 about Gmail.

I also kind of feel like Internet security is the same kind of mini-arms-race as home security. You can't make your home completely impervious unless you seal yourself in a concrete bunker. You just have to make your house less tempting to break into than the house next door. A really determined burglar could still get in, but the majority who are just committing crimes of opportunity will say "Well, there's too many outdoor lights, the dog will bark, and I'd have to break the window to disable the slide lock. I'll go next door where it's dark and there's not a deadbolt on the door."

So you do stuff like use SSL, change your passwords frequently, use non-dictionary passwords, don't do anything sensitive if you're on an unknown or public terminal, and refrain from sending credit-card, password, or bank account info in the clear. A determined attacker could still get past it, but is he going to bother when five other people in the coffee shop have their Gmail open to the world?

I'm willing to trade a little Total Security for the massive conveniences of being able to do things online, just like I'm willing to trade a little total home security in order to have windows that let some light and air in.

#48 ::: R. M. Koske ::: (view all by) ::: August 26, 2008, 11:29 AM:

#47, Caroline -

Don't fret it too much - I tend to accept others' opinions of what I should and shouldn't be doing far too easily, especially if it's strongly worded, and the first few times I ran into it as a peeve they were rather ranty peeves. I doubt "feeling dirty" is an appropriate response, nevermind that I did respond that way. I was partially joking, partially exaggerating, and partially overreacting to criticism.

If someone replies below and you have to scroll through the whole email to get to the reply, they're doing it wrong. You *must* trim for replying below to work.

"Reply below and trim" gives you small posts (important back when for dialup and pay-by-the-byte services, important now for mobile users) with clear context. "Reply at the top" is faster to read and write for rapidfire conversations, where you don't need a reminder of the immediate context, plus it gives you the whole conversation in one post if you need it later. They're useful for different things, but I've only seen the people who like reply below rant about it. (Not that Erik did, but I've seen it.)

I think the apparent strong opinions about it are a combination of genuine practicality combined with annoyance at widespread newbie behavior. "That's backwards!" mixed with "they won't trim!" plus "someone is wrong on the internet!" New users don't know to trim unless they're taught, and the default Microsoft Office setting is "reply to top." So there are large groups of people who learned to use email at the office and all do it that way. If they display(ed) much other newbie behavior at the same time, replying at the top could easily become some folks' pet peeve with a strong tie to "only annoying newbs do it," whether that opinion is conscious or unconscious.

Or, I could be utterly wrong in my idea that many people care strongly about it, basing all this on a few nuts.

#49 ::: David Wald ::: (view all by) ::: August 26, 2008, 12:01 PM:

R. M. Koske @48: I'd actually managed to forget all the Usenet posting style flamage until just now. That summary fits my memory of the issue pretty well. I don't think it was just a few nuts in my Usenet days (although I would say that if I were one of the nuts, wouldn't I?)

For any given forum it comes down to 1) how hard it is to figure out context; 2) how hard it is to skip excess text; and 3) local standards. Usenet was unfriendly to top-posting on all three counts, since some groups were gatewayed with mailing lists, some were rendered as digests, everything was typically rendered in 80 columns of plain text, and the standard that evolved was therefore minimal bottom- or inline-posting.

#50 ::: Tim Walters ::: (view all by) ::: August 26, 2008, 12:06 PM:

One situation where reply-below is a real problem is any mailing list with a digest option. Trying to read a digest that consists of seven people adding one-line comments to a long thread, all using reply-below with no editing, is enough to make one a bit ranty.

#51 ::: R. M. Koske ::: (view all by) ::: August 26, 2008, 12:24 PM:

#49, David -

I'm embarrassed to admit that I have never been on Usenet.* I've only seen bottom- posting mentioned in the last year in comments on other topics, and I couldn't really imagine any technical limitations that would make it matter, so I was a little surprised about the passion it evoked, but it makes more sense now.

*I started using email about a year before the world wide web really took off, so all my experiences have been on mailing lists or the web.

#52 ::: R. M. Koske ::: (view all by) ::: August 26, 2008, 12:34 PM:

#50, Tim -

Digests made me ranty anyway. I never did understand why they were described as an easier way to deal with a high-traffic list. Instead of immediately discarding a post unread because of the subject line, you had to scroll past it and all sixteen of its replies, interleaved with the stuff you were actually interested in. Oh, and if something hit the list out of order, you had to scroll even more. Yeah, that saves a ton of my time and energy.

The inability of many email users to trim is astounding. I absolutely maintain that reply-below with no editing is reply-below done wrong, which is probably part of why the office environment likes reply-above. You don't have to depend on someone learning to edit their posts to make it actually usable.

Reply-below done correctly on a digest is just as readable as reply-above on a digest. Mileage varies on how readable that actually is. *grins*

#53 ::: Tim Walters ::: (view all by) ::: August 26, 2008, 12:55 PM:

I just realized that I said "reply-below" when I meant "reply-above". I think. Now I'm confused.

Anyway, yes, it's not the below or above part that's important, but the trimming. The difference is that I've never seen a message where the new content was below the old content that wasn't also trimmed, whereas I see untrimmed messages in the other format on a daily basis.


#54 ::: cajunfj40 ::: (view all by) ::: August 26, 2008, 01:18 PM:

Alan Hamilton @#12:
Can someone cite some cases where passwords/credit card numbers have been stolen strictly by network sniffing?

P J Evans @#30:
There was a very recent news story about people stealing information from not-secure-enough WiFi/wireless networks at popular businesses.

This is true, both my wife and I got numbers lifted from such transactions, in brick and mortar stores. Seems some group was hacking into insufficiently secured in-store wifi - that had store business info running across it.

Luckily, both our banks caught it right quick and we were able to cancel the cards and get new ones, plus not be liable for any of the fraudulent charges that had started to occur.

It is important to note that this was not a case of an employee stealing the numbers.

Now back to your regularly scheduled e-mail security discussion.

#55 ::: Mark Temporis ::: (view all by) ::: August 26, 2008, 02:36 PM:

Most of the online purchasing that I have seen uses their own secure forms; I don't see why you would ever send your CCN or other secure info via any kind of email.

Anyway, it's pretty academic for me since I don't actually do any online business--I can't get a credit card.

#56 ::: Daniel Martin ::: (view all by) ::: August 26, 2008, 03:59 PM:

@44:

I take it that your (2) is referring to the "secure" attribute that one can set on cookies, but apparently no-one ever does? I have seen it claimed that if you check that "use https:// only" box in gmail that it actually *will* set that attribute on its login cookie, which would protect at least your gmail account against the attack you're referring to. I can't check for myself because I don't have a standard gmail account.
This is getting dangerously close to areas I shouldn't be talking about, but that's not quite what I mean. (Setting the secure attribute on the login cookie is only part of what's needed to protect against this) The issue is that on an unsecured wifi network an attacker can inject HTML into any non-ssl response from anywhere, which can cause your browser to fire off a request.

There's a fundamental problem when these two things are combined:
1) A service that can recognize a user automatically via unencrypted communication, and
2) Attackers who can cause a user to visit an arbitrary site in an environment where they can watch all the unencrypted communication

Checking the "ssl only" option in gmail does two things:
1) It sets things up so that your gmail session cookie will never be sent in the clear, and
2) It configures google's accounts login feature so that it won't send you to a non-secure URL that generates a new session cookie, even if you enter gmail through a non-secure url.

It's not enough to exercise personal URL hygiene and only visit services you care about through https urls, if there's still a way for the service to automatically recognize you and hand you a non-secure session cookie.

#57 ::: Caroline ::: (view all by) ::: August 26, 2008, 06:39 PM:

Re: reply-top vs reply-bottom:

So I googled a bit, and it makes a lot more sense when you are talking about an email list that is, essentially, a comments forum. I certainly hate comments forums that are backwards-chronological (newest first).

When you are talking about one-to-one email conversations, as over 90% of my email is, it doesn't make much difference. Everyone in the conversation has been there since the beginning, so there's no need to have a top-down chronological record of the conversation for newcomers to catch up easily. They seem like such different applications and different needs. May be that I'm just too young to remember when they weren't, but it seems pretty clear that they are now.

It absolutely doesn't strike me as annoying newbie behavior. Everyone I correspond with replies on top -- and I'm not just talking my whippersnapper under-30 friends, but the hardened old-school engineers I work with.

*shrug*

(I think it just kind of pushed a button. I've been told that I'm Doing It Wrong pretty much everywhere of late, and this was just like "Aw jesus, now I'm doing EMAIL wrong?")

#58 ::: Marilee ::: (view all by) ::: August 26, 2008, 08:18 PM:

Everybody replied below until MS Office came out. It was infuriating at first, going back and forth to see what the heck they were talking about, but these days I just roll my eyes at it.

#59 ::: Terry Karney ::: (view all by) ::: August 26, 2008, 08:20 PM:

I far prefer comment under.

It makes it easier for me to refer to what I responding to, and to remove those things to which I am not responding.

I also find it easier to track, because I don't have to go back and forth to find the things being referenced.

#60 ::: Tom Brandt ::: (view all by) ::: August 26, 2008, 09:16 PM:

Another way to secure your communications is to use a vpn. There are several vpn services out there anyone can use. I use HotSpotVPN and am quite happy with it. They have clients for a number of different OS, including OS X, Windows, and iPhone. Installing the client takes a bit of technical skill, but is within reach of most people.

WiTopia is a similar service.

#61 ::: Nicole J. LeBoeuf-Little ::: (view all by) ::: August 26, 2008, 09:55 PM:

Rob Rusik:

Thanks for your response. I do in fact know about the identity drop-down in the control panel. I'm not talking about a setting in Thunderbird, though. What I'm talking about is something that Gmail's outgoing mail server (SMTP) is doing to my email when it gets it.

So, say I'm down the road at the Purl Knit Cafe. Whenever I'm on their wifi network, I can't seem to use Comcast's SMTP--it refuses connection. OK. But I'm writing email to an Earthlink address, and Earthlink from time to time becomes convinced that it should be blocking mail from Drak.net's Alabanza server (where Littlebull.com is hosted). So, before I hit send, I go into Account Options for my Littlebull.com address, and I change Outgoing Server (SMTP) to say "Gmail - smtp.gmail.com." Then I double-check in the Compose window that I actually have "From: Niki at littlebull dot com". Then I hit send. I see the little dialogue box telling me that it's connecting to smtp.gmail.com, and then I see that delivery succeeds.

When I get a response, it's addressed to Vortexae at gmail.com, and when I see my email quoted in my correspondent's response, I see they received email with a From: header of Vortexae at gmail.com. This seems to be because when my passes through Gmail's smtp server, Gmail helpfully changes its headers.

That's the behavior I want to change. I'm not sure if I can. It may just be the price of using Gmail's smtp server. I don't know.

#62 ::: G D Townshende ::: (view all by) ::: August 27, 2008, 01:33 AM:

Thanks for the info. Made the necessary changes.

Emily @ #11: Contact your credit card company. Ask them to put a watch on the card because it was exposed, and tell them how and who did it. Takes a few minutes, and it makes it *much* harder for a bad guy to get up to no good with your card. We had to do this a year or so ago with one of our cards after a case of serious weird. We have gotten the odd call from the bank to check that a purchase is ok, and mostly they have been. The bank will also get worried if the card is used in places they don't expect, so we let them know if we're traveling with that card. (and on the whole it's worth it... a random purchase in Chicago or Munich really isn't likely to be us)

I had some weird shit happen with my ATM card recently (within the past 4-6 weeks, actually). I was checking my account online, and found some purchases I didn't remember making. One was at a cinema I go to infrequently, and another was at a different cinema. Both purchases were made on the same day. The other cinema, I learned after a little research, is in Boca Raton, Florida. It's rather difficult for me to go to two different cinemas that are hundreds of miles apart... on the same day. So, I called my bank, told them I was disputing the charges, had the card cancelled, and a new card was sent to me in the mail. I'm not sure where my info got knabbed, but I think it was at a Blockbuster I recently started patronizing. I've never had this sort of thing happen before, and that one Blockbuster is the only new 'kink' in my spending habits. I thought it was interesting that I found the Boca Raton purchase BEFORE my bank did. Then again, I'm always checking my account. Most of the time they've called me, it's been in reference to large purchases, such as a new computer.

Whenever I travel (I go to Europe once a year) I always call my bank and all my credit card companies, so that they're aware that there might be purchases outside of the country.

#63 ::: G D Townshende ::: (view all by) ::: August 27, 2008, 01:43 AM:

Erm, Make that nabbed, not knabbed. Was talking to a co-worker this evening about the 'kn' letter combination in English and its relation to German/Dutch. Must've caused a kn knack (crack) in the old brain. ~shakes head~ I hope that when it heals, it knits together well, and doesn't leave a knarry scar.

#64 ::: R. M. Koske ::: (view all by) ::: August 27, 2008, 08:42 AM:

#57, Caroline -

I'm sorry that I hit that button. I've been having a bad week myself, so I can definitely sympathize.

And I think you hit a great distinction that I hadn't made before. There's definitely a major element of public vs. private in the situation too.

#61, Nicole -

I can't recall or check right now, but I have this vague idea that the "from" field and the "reply to" field are two separate creatures. Maybe you could investigate that avenue?

#65 ::: abi ::: (view all by) ::: August 27, 2008, 09:07 AM:

Caroline @57:
I've been told that I'm Doing It Wrong pretty much everywhere of late

OK, then let me just mention that your comments 60, 63 and 81 on the Biden thread represent a very good example of Doing It Right. And I've seen plenty of people just get worse and worse in exactly that situation (I'm working on another lot of them in another context right now), so it was no mean achievement.

You reminded me of, and reinforced in me, my firm belief in the value of a good apology in raising the tone of a discussion above what it was before the offense. It's served me in good stead in the last 48 hours, and your performance there is part of the reason I had that tool readily to hand.

#66 ::: Tykewriter ::: (view all by) ::: August 27, 2008, 04:50 PM:

I did this and advised a friend to do the same. Now gmail has locked her out, sent her password notification to a long defunct account, and told her to come back in 5 days. Meanwhile she is on the world's slowest laptop, chewing her mouse. Anybody help?

#67 ::: Tykewriter ::: (view all by) ::: August 27, 2008, 04:52 PM:

Ahh - this was after she downloaded firefox 3 (which works fine for me). Still, ideas?

#68 ::: Caroline ::: (view all by) ::: August 27, 2008, 06:06 PM:

abi @ 65: awwww. *shuffles feet*

R.M. @ 64, it's okay. I wasn't upset at you personally; I think (as you said of yourself at 48) I tend to maybe pay too much attention to other people's opinions on what I'm doing, so it was like "Wait, there's a consensus on this, I was unaware of it, and I'm on the wrong side of it! Ack!"

(For the record, I went out into the garden afterwards to cheer myself up, on the assumption that at least I couldn't Do Digging Wrong. I proceeded to discover that yes, I could. But that is because I think I need a pickax to dig holes big enough for my new azaleas. The shovel was just chipping away little tiny pieces of hard-packed soil. And today we are getting the ends of Fay, so there was no going out and pickaxing. Ah well.)

#69 ::: Kathryn Cramer ::: (view all by) ::: August 28, 2008, 07:31 AM:

A year or so ago, I bent Patrick's ear at Readercon with a disquisition on why Gmail is insecure which involved completely different techniques than described here. I have gone through and changed my settings according to instructions. But in general, the best way to keep one's personal information safe from info-thieves is not to live online. And that may not work.

As Cory rightly observed, other people's security habits expose you to risk. And in our case the big thing last year was the security habits of several banks, at least one of which we don't even do business with. They have gotten very lax about the handling of paper checks. Such that in the space of a month both my husband and my parents had five-figure amounts withdrawn from their bank accounts via fraudulent checks. Any idiot can buy check forms at Staples and, with minimal information of the type you would give to the checkout clerk at the grocery store, withdraw money from your account these days.

Regarding the Internet specifically though, it seems to that we have a largescale case if broken-window syndrome going on. The term was invented to describe what happens when neighborhoods decay, but I think it is very apt for today's Internet:

One unrepaired window is a signal that no one cares, so breaking more windows costs nothing. . . . Untended property becomes fair game for people out for fun or plunder." If disorder goes unchecked, a vicious cycle begins. First, it kindles a fear of crime among residents, who respond by staying behind locked doors. Their involvement in the neighborhood declines; people begin to ignore rowdy and threatening behavior in public. They cease to exercise social regulation over little things like litter on the street, loitering strangers, or truant schoolchildren. When law-abiding eyes stop watching the streets, the social order breaks down and criminals move in.
It seems to me that the general state of things these days is that people will behave worse on the Internet than they will in other contexts because of how they see others behaving, and that the risk of having someone, say, hijack your Gmail account rises not just because of security flaws in the software, but because many more people would be willing to consider trying it.

#70 ::: Zeekar ::: (view all by) ::: August 29, 2008, 12:56 AM:

Hey, R. M. Koske . . . are you who I think you are? Rather intimately acquainted with a gentleman who uses the sobriquet Krenath?

#71 ::: Nicole J. LeBoeuf-Little ::: (view all by) ::: August 29, 2008, 02:23 PM:

I can't recall or check right now, but I have this vague idea that the "from" field and the "reply to" field are two separate creatures. Maybe you could investigate that avenue?

Yes, they are separate fields, but I'm not sure that'll help. When the replies start showing up at my gmail account, I'm fairly certain my outgoing mail had no reply-to set, which meant it should have defaulted to the "from" address. And changing the smtp doesn't cause the reply-to to change on my end, before sending it. (Using Comcast's smtp doesn't result in replies at my Comcast email address.) This is why I'm so sure that the change is happening on Gmail's servers, rather than happening somewhere in Thunderbird before I hit "send."

But I will double check and test and everything! Just in case. I really do appreciate all this feedback, so many thanks to you and Rob!

#72 ::: BuffySquirrel ::: (view all by) ::: September 04, 2008, 06:44 PM:

Eh, uh, what? I've changed the settings. Haven't been a Gmail user for long, and foolishly assumed it was high profile enough to be, yanno, secure.

I'm too stupid to live, right?

#73 ::: KayTei is watching the spamalanche grow ::: (view all by) ::: February 01, 2014, 05:44 AM:

I have a sudden vision of the gnomes building competitive spam-castles and other spam-sculptures.

#74 ::: Idumea Arbacoochee, Speaker to Tall People ::: (view all by) ::: February 01, 2014, 06:11 AM:

We were, and I won with a spam bust of TNH in her aspect as the Mighty Disemvoweler. Making spam into the little lightning bolts and suspending them from the ceiling in the correct places and at the correct angles was challenging.

Cleaned up now.

Choose:
Smaller type (our default)
Larger type
Even larger type, with serifs

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 by Patrick & Teresa Nielsen Hayden. All rights reserved.