You may not realize it, but your organization is probably using one or more free email accounts from platforms like Google and Microsoft. Smaller companies may still be using them as their primary email accounts (let’s talk – you need to stop doing that!), but most have moved up to what we call “enterprise-grade” versions from the same providers. Despite upgrading their email to the more secure, paid services, many companies opt to continue using free-mail accounts for various applications like email copier scanning, Quickbooks invoicing, and automation systems that send out email alerts. In the case of the latter two, not having this functionality could result in some pain or even safety concerns.
What did you do, Google?
I looked back at my long-standing free Gmail account to see if Google sent any notifications out about this change. I don’t see anything in an email, but it’s likely they posted on-screen notices in their webmail interface, which I rarely see as I use Outlook or my phone to view email for this particular account, so I’m going to say this was a stealth change. What changed? They removed the “less secure apps” feature on May 30th of this year. Unless you are a Gmail aficionado or in IT, you probably aren’t going to know what this does, or how it impacts you now that it’s gone. In a nutshell, it allowed you to use your Gmail account with applications that Google considers “less secure” – including Outlook (a little rivalry shade or legit concern?) and more importantly, any device or service that uses SMTP delivery to send emails via their servers, such as your multi-function copier when you scan to email, or your building automation alarms that send emails to engineers or security that there is a leak or a door propped open. If you suddenly find that something that was previously Gmail-powered has stopped sending emails, it’s probably because you were using the less secure apps feature to do so.
How do you fix this?
Unfortunately, it’s not as simple as turning that feature back on – Google has removed it completely. Now you will have to set up an “app password” for your service or function to use. As the name would imply, app passwords are passwords that are set up for a specific application and only that application. You can have multiple app passwords for your email account, and they aren’t recoverable or resettable if you happen to lose them. That’s OK because they can be re-created easily and without additional cost (except for your time) as long as you can log into your Gmail account using your main password. However, in order to enable the app password feature, you have to set up 2-Factor Authentication for your account, and before you think of jumping ship to Microsoft’s Outlook.com free-mail service, they are doing the same thing – requiring 2-factor authentication before you can set up app-specific passwords. You can thank the hackers and spammers for this – they have been abusing free-mail accounts for years and finally the big boys are doing something about it by locking down exploited features of free-mail accounts, but rest unassured – this will only slow them down, and create minor headaches for everyone else. Get used to it – two factor isn’t going away anytime soon.
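As an added example (not from the original post), this is how a script that sends alert email through Gmail's SMTP server would authenticate with an app password rather than the main account password. The environment variable names and the recipient address are assumptions; smtp.gmail.com on port 587 with STARTTLS is Gmail's standard submission endpoint.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.gmail.com"   # Gmail's SMTP submission host
SMTP_PORT = 587                # submission port, upgraded with STARTTLS


def normalize_app_password(raw):
    """Google displays the 16-character app password in groups of four;
    strip the whitespace and reject anything that is not 16 characters."""
    cleaned = "".join(raw.split())
    if len(cleaned) != 16:
        raise ValueError("expected a 16-character app password")
    return cleaned


def build_alert(sender, recipient, subject, body):
    """Build a plain-text alert message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_alert(msg, user, app_password):
    """Send over STARTTLS with certificate verification; return a status string."""
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
            smtp.starttls(context=context)
            smtp.login(user, app_password)
            smtp.send_message(msg)
    except smtplib.SMTPAuthenticationError as exc:
        # Raised when Gmail rejects the credentials, for example when the
        # main account password is supplied instead of an app password.
        return f"auth rejected ({exc.smtp_code}): check the app password"
    return "sent"


if __name__ == "__main__":
    # Hypothetical variable names; keep the secret out of the script itself.
    user = os.environ["ALERT_GMAIL_USER"]
    secret = normalize_app_password(os.environ["ALERT_GMAIL_APP_PASSWORD"])
    alert = build_alert(user, "engineer@example.com",
                        "Door propped open", "Constructed sample alert body.")
    print(send_alert(alert, user, secret))
```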
Any day we can take a purveyor of child pornography off the streets is a good day in my book. In this case, we can thank Google for discovering a Texas man sending images of child sex abuse through his Gmail account. As you might have guessed, a search algorithm rather than a human spotted the transgression and sent an alert to the National Center for Missing and Exploited Children, who then tipped off local authorities. According to Google, this is the only criminal activity they actively scan for within Gmail, and the search relies heavily on a large database of known illegal images maintained by NCMEC against which comparisons are made.
What this means for you:
In the case of child pornography, I’d say that just about any method used to catch perpetrators is justified, but as many pundits and security analysts point out, this practice teeters precariously on a knife edge of ethics. Telecommunication service providers like Google are required to inform law enforcement of suspected child abuse whenever it is made aware of such activity within its systems, but that word “aware” is ill-defined in today’s age of artificial intelligence, big data analysis and search algorithms. Does a search algorithm matching mathematical hashes on images constitute “awareness”? Should this same algorithm be used to look for other serious crimes? What about petty crimes? Does talking about a crime constitute the commission of a crime? What happens if someone hacks your account and sends out a bunch of disgusting images in an attempt to get you arrested? All the more reason to keep your passwords strong, unique and very, very safe. Oh, and don’t use email to commit or plan out crimes, because even though Google says they are only watching for child pornography, you can bet other agencies are looking at everything. Heck, maybe you should just not commit crimes at all, mmkay?
Ahead of a court order that is still pending, Google has blocked delivery of a single email mistakenly sent to a wrong address at the request of the sender’s employer. As most of you can attest, doing something like this, while technically possible within certain parameters, is usually not done for a variety of reasons, not the least of which is opening the Pandora’s box of requests for Google to do the same thing for every email sent to the wrong address or for the wrong reasons. In this particular instance, the sender was a contractor for Goldman Sachs, and the email in question contained significant sensitive customer data sent to the wrong address. Rather than risking a significant exposure for the customers whose data was contained in the email, on top of saving Goldman Sachs from considerable liability, Google acquiesced to the request, which normally requires a court order.
What this means for you:
The only reason this was even possible in the first place was because the unintended recipient hadn’t actually accessed the account since the email was sent, and therefore Google knew for certain that the email wouldn’t have been read, and therefore could be “un-sent.” You may have experienced both the relief and disappointment of attempting to “unsend” emails via your own company’s Exchange server, which can call back unread emails, but once the email has been opened by the recipient, intended or not, there’s no way to unsend it. What you should really be taking away from this was why someone was using email to send a report with such sensitive information in the first place. In this case, convenience and ease of use led to a near-catastrophic breach. Do you use email to exchange confidential information with other parties? If you do, you should carefully consider the consequences of a mis-delivered email, and what it might cost your organization.
Last week, Google made a change to its widely used webmail platform Gmail: instead of asking if you want to “show images” in emails, Gmail will automatically display them by default instead of asking permission. This particular behavior is also seen in the other two webmail titans (Yahoo and Microsoft), as well as a common feature in mail clients like Outlook. Why aren’t images loaded by default? Primarily because when you open that email full of graphics and you actually want to see them, the mail client (or webpage) makes a request to the server hosting the images, which is usually the same server that sent the email in the first place.
If that sounds like a sneaky way to confirm that you’ve opened a particular email, that’s because it is. This process reveals certain data about the recipient, including date and time of opening, what browser or mail client you are using to view the email, as well as some rough geographical data about your location, based upon your IP address. So why is Google loading images by default? It’s because now they are caching the images to their own server, and then showing them to you, which effectively acts as a proxy between you and the sender, and blinds many marketers who were relying on the image requests to track you.
What this means for you:
Whether you realized it or not, your email client’s annoying tendency to not show you images in emails was actually in your best interests. Because displaying images required you to actively “opt in” by choosing to view the graphics, if that email was sent by a marketer, you sent them a nice packet of data and a positive affirmation that you saw the email, whether you intended to or not. With Gmail’s image caching, some of that data is no longer being unwittingly sent by its customers, however, notice that I wrote “some.” The more clever marketers out there (including Mailchimp, the service I use for my own email) tag email images individually, so they can still track opens, as Gmail still has to load the image to its servers before showing it to you. In my case, this is merely so I can tell if anyone is reading my newsletters, but even that one point of data is still valuable information to email marketers, and you can bet they will find other ways to track your online activity.
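An added example, not part of the original post, of spotting the individually tagged images described above: it compares the same mailing as delivered to two recipients and flags images that are 1x1 or whose URL differs per recipient. The sample HTML and the example.com hosts are constructed, and the comparison assumes the images appear in the same order in both copies.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src is fetched over HTTP(S)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlsplit(src).scheme in ("http", "https"):
            self.images.append((src, a.get("width"), a.get("height")))


def find_remote_images(html):
    finder = RemoteImageFinder()
    finder.feed(html)
    return finder.images


def likely_beacons(copy_a, copy_b):
    """Flag images that are 1x1 or whose URL differs between two copies.

    A per-recipient URL still identifies who opened the message even when
    a caching proxy fetches the image on the reader's behalf."""
    flagged = []
    pairs = zip(find_remote_images(copy_a), find_remote_images(copy_b))
    for (src_a, width, height), (src_b, _, _) in pairs:
        reasons = []
        if width == "1" and height == "1":
            reasons.append("1x1 pixel")
        if src_a != src_b:
            reasons.append("per-recipient URL")
        if reasons:
            flagged.append((src_a, reasons))
    return flagged


# Constructed sample: one newsletter as delivered to two recipients.
COPY_A = (
    '<p>News</p>'
    '<img src="https://cdn.example.com/logo.png" width="200" height="50">'
    '<img src="https://track.example.com/open.gif?u=a1b2c3" width="1" height="1">'
    '<img src="https://cdn.example.com/hero/a1b2c3.jpg" width="600" height="300">'
)
COPY_B = COPY_A.replace("a1b2c3", "d4e5f6")

if __name__ == "__main__":
    for url, reasons in likely_beacons(COPY_A, COPY_B):
        print(url, "->", ", ".join(reasons))
```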
Only seven months after a major redesign that many considered a huge flop, Yahoo has unveiled major changes to its Ymail service, and it has its users up in arms again. The new features like conversation threads, themed background images and a massive terabyte of storage are clearly following in Gmail’s footsteps, changes that weren’t unexpected, given that Yahoo’s CEO, Marissa Mayer, was one of the core designers of Gmail when she was at Google.
What this means for you:
Yahoo Mail is the second largest webmail service in the world, and very close on the heels of Gmail. Feature changes like the ones above are attempting to build on Google’s successes, but as many customers have noted in the large volume of complaints, the main reason they use Yahoo Mail is because it is not Gmail. The biggest change seems to be the removal of the Mail Tabs feature, something that nearly 40K users have voted to have Yahoo reinstate. Users are also complaining about numerous bugs that appear to have never been quashed from the last time Yahoo messed with its email service. Seemingly heedless to the outpouring of complaints, Yahoo has issued press statements reiterating the need for the company to progress the development of its services into a “…more modern and personalized Yahoo!” Perhaps that development means some loyal fans will be left behind.
Apple has joined the growing ranks of digital services enabling two-factor authentication as a means to protect their customers from account theft. Two-factor authentication has long been a staple of secure corporate and government networks, and employs a basic mechanic of password plus a randomly-generated authentication code that is delivered to a device that you must have in your possession at the time of authentication. In the past, this device has traditionally taken the form of keychain fobs and cards whose sole purpose was to generate numeric keys constantly, but this same functionality can now be delivered through apps that are installable on smartphones, via SMS message to registered cell phones, or even via automated voice calls to your home or office phone.
What this means for you:
In Apple’s case (as with services like Gmail, Facebook, and many massive, multiplayer online games like World of Warcraft), two-factor authentication is an opt-in service, and is not enabled by default with your Apple ID/iTunes account. Enabling the extra security requires you register one or more cell phones with Apple that will receive your authentication code via SMS. Should you do this? If you use services that require an AppleID (iTunes, iCloud, Mac.com, etc.) with any frequency, and especially if you have iTunes credit banked, you should absolutely enable two-factor authentication, especially if the account is tied to a core service you rely on, such as a Mac.com email address, or iCloud for your iPhone and other Apple devices. Two-factor security makes your AppleID (or any other account like Gmail, etc.) that much harder to hack. There will be some inconvenience, especially if you are in a hurry to access your account and have to hassle with the extra security code entry, but imagine the alternative if your account is hacked.
With greater security comes less convenience, a fact of life in this digital age, and not something that will change in the foreseeable future without a significant evolution in security technology.
Microsoft is (re)launching Outlook.com and consolidating its various “free” email service domains under the Outlook.com brand in an effort to regain the former glory it once held with Hotmail.com which has since fallen to a distant third behind Google’s Gmail and Yahoo Mail. Microsoft estimates it will be spending anywhere from $30 to $90 million in marketing in all the major media over the next 3 months on a combination of attack ads aimed at Gmail users as well as informational campaigns they hope will help persuade users to switch (back, in many cases) to Microsoft.
What this means for you:
If you already have a Hotmail.com or MSN.com email address and you haven’t already converted over, you’ll be migrated over to Outlook.com gradually as Microsoft consolidates the services under the new brand. If you are considering switching (or opening another webmail account), the only feature Outlook.com is offering that differs from the competition is that contacts stored in your online address book will automatically update based upon information available on social media platforms like Facebook, Twitter and LinkedIn. Gmail does this with G+ but you have to resort to third-party extensions and services to mine the other social media sites for this information. Beyond this feature, Outlook.com is mostly playing catch-up to Gmail, though their marketing dollars may steal some of Yahoo’s market share despite the company’s revamp of its webmail service a little over a year ago.
According to The Verge, Google notified Microsoft of its plans to discontinue support for ActiveSync on the Gmail platform last year, and has recently notified Microsoft that the cut-off is coming on Jan 30, despite Microsoft’s efforts to get a 6-month extension from Google. ActiveSync is widely used to sync calendar and contact data from Gmail to Windows and iOS devices. Microsoft has noted that the Windows Phone OS will support CardDAV and CalDAV, which are the protocols used currently for syncing on Android devices, in a future update of Windows Phone OS, but the update release date has not been announced yet.
What this means for you:
If you use Gmail as your primary calendar and contact management system, and you are syncing contacts and calendar data to a Windows Phone or an iPhone, you will lose the ability to sync up your data between phone and the cloud for an unknown length of time once Google drops support for ActiveSync – Gizmodo projects it could be as long as six months’ time. If you need this functionality, start considering alternatives ASAP!
Yesterday, the internet experienced a moment of apocalypse angst when Gmail users around the world (including C2) experienced a variety of issues getting email. Lasting roughly 40 minutes, users experienced complete outages, slowness and, if they were using Chrome with browser syncing enabled, outright application crashes. It turns out, rather than being able to blame ancient prophecies, Google fingered one of their own as the root source of the problem.
What this means for you:
Cloud nay-sayers may have had a brief moment in the sun while Gmail was on the ropes, but the fact remains that it’s still a very reliable service. Several lessons may be learned from the experience, all of them common sense:
- If your critical business practices rely on a free email service being available all the time, everywhere, you may want to re-evaluate those practices.
- When making adjustments to your business infrastructure, always double-check your work, and make sure you have a backup of your data.
- When technology fails, 9 times out of 10, a human is behind the failure.
In what is being called the largest migration to cloud services so far, the Department of Veterans Affairs has just inked a deal with Microsoft and HP Enterprise Services to move its 600k users to Microsoft’s cloud-based office productivity suite Office 365. The move is seen by many as further evidence of a significant shift in corporate IT strategy away from costly infrastructure investments to cloud services for every aspect of technology. Over the past 10 years, enterprise IT departments have been gradually but inexorably moving application platforms out of their own datacenters to providers like Oracle and SAP, but hesitated when it came to the garden-variety desktop applications that knowledge workers use daily. That reluctance may be disintegrating as services from Google and Microsoft make it hard to dismiss the tremendous efficiencies and savings that can be realized by getting rid of the real estate and overhead needed to maintain desktop-based applications.
What this means for you:
Many of you work in the cloud daily without giving it a thought. Perhaps you never thought of Gmail or Hotmail or Yahoo Mail as a productivity app, but what about Salesforce, or LinkedIn, or even Facebook? Both Google and Microsoft’s cloud-based office apps are full-featured and powerful enough for everyday business tasks, and the very nature of their delivery makes deployment, security and maintenance much simpler than software installed on desktops. It’s this same strength that also proves to be a weakness, as if you lose your internet connection, you also lose your ability to work. Well that’s easy to solve, I can hear you say. Why not just move to another location where the internet is working? What if it’s the cloud itself that is unavailable? Once again, the cardinal rule of compartmentalization comes into play – never place the entirety of your critical business operations in the hands of a single, monolithic platform, even if that platform is largely reliable. And this goes doubly so for a platform around whose neck you can’t comfortably get your hands, as is the case with a provider like Microsoft or Google.