
My Email Canary - jgrahamc
http://blog.jgc.org/2011/06/my-email-canary.html
======
dholowiski
I built 1pix.me about six months ago and it would be perfect for this. You get
a link to a 1 p pixel transparent PNG, and phone or desktop notifications (via
notifo) every time it is served. Its totally free, enjoy.

~~~
andrewpi
Seems like a neat service, but I never got a request via notifo to approve the
subscription. I'm guessing the service is overloaded at the moment?

~~~
dholowiski
I'll check into it - it could be overloaded right now. Best bet is to just try
again in a bit.

~~~
andrewpi
Actually, I fixed it. I was trying to put my API key instead of my username.
It works now, thanks!

------
ktr
Maybe it doesn't matter (bc as I understand it, the image is really what
notifies you - but this might tip off a hacker if they're perceptive), but
would it be better for the zip file to be .zip instead of .gz? I would think
that most banks, when interacting with "regular customers" would send zip
files instead of gzip files ... maybe I'm wrong?

~~~
yangyang
It's probably a bit late by the time they've got to looking at the extension
of the attachment - the image will have already loaded and they'll be
"busted".

------
robg
Why not just a canary that a (unknown) IP has logged into the account? Gmail
displays the logged in IPs. How hard would it be to grab that info into
similar notifications? Add to that reverse look ups and you could get a IP and
location. Train the system through use and you'll quickly get a white list.

I'd pay for that service.

~~~
btilly
What about the attacker who compromises your home computer and then is using
it remotely while you are not home?

An IP based check won't help you there. This canary would.

~~~
chromic
If he's cautious enough to do two-factor auth, he probably doesn't leave his
accounts logged in. Plus you have a whole lot of other problems if someone
owns your personal machine.

~~~
btilly
_If he's cautious enough to do two-factor auth, he probably doesn't leave his
accounts logged in._

Suppose he uses [http://googleblog.blogspot.com/2011/02/advanced-sign-in-
secu...](http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-
your.html) and has it remember the second authentication for 30 days
(available from a checkbox). Then someone who has compromised his machine and
has installed a keylogger can find it password, and log back in as him from
that machine when he is not there. Two-factor has not saved you. Nor has the
IP check.

And yes, you're right. If someone owns your personal machine you have a whole
lot of other problems. This fact makes discovering that someone owns your
machine more important, not less.

------
davweb
Gmail already has something similar built in with the Last Account Activity
Alerts:

[http://mail.google.com/support/bin/answer.py?ctx=gmail&a...](http://mail.google.com/support/bin/answer.py?ctx=gmail&answer=45938)

~~~
username3
facebook can alert your by email when you log in from a new computer.
<http://www.google.com/search?q=facebook+computer+email+login>

~~~
lazerwalker
This is actually a fantastic feature. I was recently traveling in Europe, and
without thinking logged into Facebook without HTTPS (using a third-party
iframe app that couldn't use HTTPS). Within a few hours, I had a notification
from FB letting me know that there was a new login from the same city I was in
and a different OS/web browser combo.

~~~
peng
I've experienced this too. Apparently, Google Chrome on OS X gets labeled
Opera/Win XP by Facebook. I was paranoid for a little while, wondering how
these hackers kept tracking me around the world with that browser/os combo.

------
JoachimSchipper
Clever, but works only against targeted attacks - an attack on many accounts
would presumably rifle through your mailbox automatically, which would defeat
this.

~~~
reemrevnivek
That would have to be targeted attacks by foolish intruders, because a manual
attack would presumably start with changing your password, after which this
notification would be nearly useless.

~~~
pilom
Why would they change your password? That just lets you know they are in. In
Gmail, they simply search your email for other accounts and change the
passwords on those accounts. They can see when you are logged in and simply
send password reset requests for other services when you are not logged into
gmail.

------
metalfrog
Two big points here, any hacker with a brain wouldn't

1) Rummage through your emails with image loading turned on 2) At least at a
minimum be behind a service such as tor..

so uhhh, i guess this is a good idea for alerting you, if that is you are
un/lucky enough to get 'hacked' by those that ignore the previous two points.

~~~
JabavuAdams
Do you have data to support that?

It sounds too much like the No True Scotsman Fallacy for me to take it too
seriously.

~~~
metalfrog
Why do i need to provide you data? If i were to hack your email account there
is no way i'd use the web interface to trawl through them one-by-one.

Initial hack->Gains credentials->Pull down everything imap/pop->Load that shit
into thunderbird on a dedicated vm->And we're away

~~~
jodrellblank
_Why do i need to provide you data?_

You pulled a statement about behaviour out of thin air, and it wont hold up to
scrutiny. Now its being scrutinised, you are dodging it.

1) What percentage of all hackers count as "hackers with a brain"?

2) How do you know most or all "hackers with a brain" would not be caught by
this, without generalising from your example of one (you)?

3) Since both of the above are unknown, how can you use those as arguments to
justify this being an ineffective precaution?

~~~
idonthack
>You pulled a statement about behaviour out of thin air, and it wont hold up
to scrutiny. Now its being scrutinised, you are dodging it.

Why does the most obvious and logical course of events require justification?
"Most hackers breathe constantly." "Do you have data to support that?"

Maybe you're right. Maybe this "canary" is extremely effective. Maybe everyone
who makes a living by breaking security also happens to be dumb enough that
they fail to take the most basic precautions to protect themselves.

Even if that's true, there are still more effective solutions that should be
used instead of this "canary".

~~~
mootothemax
_Why does the most obvious and logical course of events require
justification?_

Obviously because what you've written is non-obvious ;)

Enough people "hack" by using simple password-reset forms[1]. Whilst I have no
doubt that there are plenty of worringly-competent hackers out there, I'd bet
that there are also lots of less competent hackers. Taking this through to its
logical conclusion: I'd rather know about some of them than give up and know
about none of them.

[1] <http://en.wikipedia.org/wiki/Sarah_Palin_email_hack>

------
uptown
Neat idea. One thing I'd probably do if I wanted to use this technique would
be to develop a browser extension to go along with it to either hide the row
when accessed from "trusted" IP addresses, or injects the row via the
extension when accessed from an unknown IP. That way I wouldn't be forced to
have that row on my screen from home or work where it might accidentally be
clicked on and triggered.

~~~
jonknee
> injects the row via the extension when accessed from an unknown IP

Not so sure that would work. You'd have to first get the guy who stole your
email account to install a custom browser extension.

~~~
uptown
You're right. I was thinking of this in the scenario where somebody stole the
whole laptop, and not just gained access to your email.

------
eik3_de
To the OP: Do you use Google's two-factor authentication with that account? If
so, where do you see potential attack vectors?

~~~
jgrahamc
Yes, I do. And when I think of Google Authenticator and its security I think
of RSA SecurID and its security. Nothing is secure in the long run.

------
dsl
This assumes that the attacker is using a web browser.

Many toolkits exist (no, I'm not going to link to them) where you just feed in
a list of usernames and passwords for popular email systems and they go
harvesting, usually via IMAP.

~~~
blantonl
Dont forget, many email clients also consume Web content.

~~~
dsl
Right, so this will catch jealous girlfriends, snooping coworkers, and
malicious kids. People that would try to grab your credentials and set it up
in Outlook Express...

------
ericfrenkiel
Check out www.inboxalarm.com which is something I built for fun a couple years
ago. It's a free service and uses SMS to alert you the moment the image is
triggered.

~~~
affiliator
any way to sign up without facebook? I don't have an account.

~~~
ericfrenkiel
decided to use facebook authentication since it can also push an alert to your
friends' newsfeeds not to click links until the hack has been mitigated.

It also decreased friction in the sign up process - no need to enter a name,
email adddress, etc. Was built before Facebook allowed application to access a
phone number, or I would have added that too.

~~~
asmosoinio
The FB connect thing didn't work for me. The page gave an error when I click
Allow: "Virhe myönnettäessä lupaa sovelluksen käyttöön" (in Finnish).

~~~
ericfrenkiel
Thanks for the heads up; taking a look into it.

------
munin
and so when an attacker configures thunderbird to slurp all the email out of
your inbox this does .. what? why not just poll the list of most recently
logged in IP addresses and track the number of currently logged in
sessions/authentications, and when that number approaches a certain hair
trigger, sound the alarm? oh right, google already does that for you...

------
verroq
If an attacker is going to attack your gmail, they already know that their IP
is logged on the "Last account activity". If they are really going in, they'll
be behind at least 7 proxies. Then again, there is next to nothing you can do
with an IP address, if this make you feel safer then w/e.

~~~
rytis
it still gives you time to "sign out all other sessions" in your browser and
change password immediately. granted, you may be afk etc but still better than
nothing at all...

~~~
wladimir
You should really automate that... at least then you'll be faster than the
intruder (at least if he/she hasn't already changed the password :p)

~~~
acron0
Is it possible to automate sign out and password change?

~~~
wladimir
Yes. Easiest way would be to just have a script (for example, Firefox addon or
greasemonkey script) that drives a browser.

Or if you don't want the overhead of a browser, a somewhat more tricky way is
to do it once yourself and record the traffic using a plugin, and repeat that
in a script... (but this might require some reverse engineering work on the
clientside JS if there are fields like one-time tokens)

------
callmeed
This is very cool ... but what would you actually do (to prevent disaster)
from your phone?

Let's say I get an alert on my iPhone but I'm 30 mins from getting to my
laptop.

How would you stop them from recovering your DropBox or VPS console password?

------
tcarnell
I like the idea - but please do not confuse this with security. While the
canary might be activated, all of your genuine information has also been
compromised.

I have thought about the security issues with gmail, especially for mobile
devices (they can be easily stolen).

It would be really REALLY great if Google offered several account access
levels - I could use a 'read only' account for my mobile device, which could
also only give me access to the last 1 hour of emails for example. and
seperate account access for use with 3rd party services (facebook, gtalk apps
etc)

~~~
tcarnell
Following on from the idea of Google offering account access for different
security levels, would also be great if you could label an email as 'bank',
'money' or 'personal' and these emails, photos and calendar items would only
be visible with full account access - so effectively you could associate a
particular email label to a 'security' or 'access' level.

I would DEFINATELY use a feature like this.

------
revorad
The catch is that images are not displayed by default. Why would an attacker
click on show images? Only if the text of the email asked them to...

EDIT: I'm wrong as pointed out by others in the replies below.

~~~
limmeau
An IMAP client somewhere could poll the 'read' state of message 0x12345678
instead, alerting the owner when the message turns 'read'. However, that
client would have to have access to the Gmail box...

~~~
wladimir
But would an attacker read a message marked as unread? A careful attacker
would know that this alerts the owner of the mailbox, as he can't remember
opening the message.

His canary is a mail that has already been opened, so the attacker assumes he
can look at it harmlessly.

~~~
eru
You can mark messages un-read again in the gmail UI.

------
talboito
I'm thinking of a secondary alarm anytime you get an email that may be a
password recovery.

Something like SpamBayes put trained for account related emails from the
popular services and banks.

------
jvandenbroeck
Cool idea! But I think that if would get widely adopted, hackers would see it
coming from miles away.

------
jarin
Awesome idea, even though it means you can never use stars again.

~~~
thirsteh
You can just change Priority Inbox to display some label, e.g. "Confidential"
above the usual tabs.

~~~
jarin
Oh I didn't know about that, I can totally use that for server notifications.

------
a3_nm
I don't see the point. The guy says he owns a private server. Why doesn't he
just move his email there, and monitor activity in all sort of imaginable
ways?

------
thewisedude
May be I am missing something here... what if the Display Images is turned
off? How will that activate the alert system?

~~~
pavel_lishin
This is for his own account; presumably, he's turned that option on.

~~~
thewisedude
I would think that the hacker might try to turn that off before he starts
looking into emails? If doing that can avoid detection, then, its difficult to
have faith in this system.

------
chrisjsmith
I think that it's a bit over the top. The "canary" gets in the way of what you
are doing.

I operate on the opposite principle: there is nothing sensitive in my email
account. When it arrives, it is actioned and disposed of (properly)
immediately.

I am not sentimental and do not keep every email "just in case" as I do not
remember 99.9% of telephone conversations I've had.

~~~
brown9-2
_When it arrives, it is actioned and disposed of (properly) immediately_

What about "important" emails in your inbox that you have not yet had a chance
to take action on? Can you be taking action on your email 24 hours a day?

~~~
chrisjsmith
Gets summarised and copied straight onto my task list which is a text file
with relevant information within an hour usually (unless I'm out cold). If it
takes less than 5 mins it's done there and then.

I use Vim Outliner for task management.

------
forgotmyuser
Why not build an app that keeps a log of every time you log into your email,
stores it to x specified # of logins and sends you an sms showing your email
activity including # of logins, what time and IP address.

