Re: Thunderbird - Lock Inbox (security) - Mozilla


  1. Re: Thunderbird - Lock Inbox (security)

    Brian Heinrich wrote:
    > On 2007-02-11 03:22 (-0700 UTC), Rabid man wrote:
    >
    >> I have not saved my password for new incoming email so prying eyes
    >> can't see that. However, if someone doesn't know your mail server
    >> password, they can cancel the login for new mail but still see all of
    >> your previous in and sent mail.
    >>
    >> A quick search found nothing - isn't there a way to lock this up so
    >> that people can't read your email? I would have thought logically
    >> that the in and sent boxes would be empty - once you entered a
    >> "thunderbird password" they would become accessible...that would even
    >> negate the necessity to "not save" your mail server password - the
    >> program should be completely locked and not accessible unless you have
    >> the right password...
    >>
    >> any tips on this?
    >> thanks

    >
    > [Setting f'up to m.s.t.]
    >
    > Try activating FIPS by pressing the Security Devices button under
    > Advanced : Certificates. You should be able to get more information
    > using Help.
    >
    > /b.

    That's why god gave your user login a password! Just locking your email
    is short-sighted. What about all your other valuable data? What about the
    fact, even if you lock TB I could still read your email simply by going
    to your profile directory and using any plain text editor to open up
    your mbox formatted folders. Some security.

    Lock it all. Type Win-L, you're done!
    --
    Andrew DeFaria
    I wake up every morning at nine and grab for the morning paper. Then I
    look at the obituary page. If my name is not on it, I get up. - Benjamin
    Franklin
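
An added example, not part of any post in this thread: a small audit that shows what the post above describes, namely that mail folders in a profile directory are plain-text mbox files any program running under the logged-in account can parse, and that also reports the file's permission bits. The function names, the sample profile layout and the message are constructed for illustration, and the permission check assumes POSIX mode bits.

```python
import mailbox, os, stat, tempfile

def looks_like_mbox(path):
    """An mbox file begins with a 'From ' separator line (no colon)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(5) == b"From "
    except OSError:
        return False

def audit_profile(profile_dir):
    """List every mbox file under profile_dir with its mode bits and subjects.

    Only the file's own bits are checked; a restrictive parent directory
    can still block other accounts.
    """
    findings = []
    for root, _dirs, files in os.walk(profile_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            if not looks_like_mbox(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            box = mailbox.mbox(path, create=False)
            subjects = [msg["Subject"] for msg in box]  # no password involved
            box.close()
            findings.append({
                "file": os.path.relpath(path, profile_dir),
                "mode": oct(mode),
                "group_or_world_read_bit": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                "messages": len(subjects),
                "subjects": subjects,
            })
    return findings

def build_sample_profile():
    """Constructed sample: a throwaway profile with one mbox folder and its index."""
    profile = tempfile.mkdtemp(prefix="tb-profile-")
    mail_dir = os.path.join(profile, "Mail", "Local Folders")
    os.makedirs(mail_dir)
    inbox = os.path.join(mail_dir, "Inbox")
    with open(inbox, "w", newline="\n") as fh:
        fh.write("From - Sun Feb 11 03:22:00 2007\n"
                 "From: alice@example.com\nSubject: Constructed test message\n\n"
                 "Body text stored in the clear.\n\n")
    os.chmod(inbox, 0o644)
    with open(os.path.join(mail_dir, "Inbox.msf"), "w") as fh:
        fh.write("// index file, not an mbox\n")
    return profile

if __name__ == "__main__":
    for finding in audit_profile(build_sample_profile()):
        print(finding)
```

Pointing `audit_profile` at your own profile directory lists the folders that depend entirely on the OS login, session lock and disk encryption for protection.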


  2. Re: Thunderbird - Lock Inbox (security)

    On 2007-02-11 18:25 (-0700 UTC), Andrew DeFaria wrote:



    > That's why god gave your user login a password!


    There are a surprising number of people -- even in business environments --
    who seem to have some fundamental objection to typing a password, even if
    they're dealing with sensitive data.

    > Just locking your email
    > is short-sighted.


    I wouldn't suggest otherwise.

    > What about all your other valuable data? What about the
    > fact, even if you lock TB I could still read your email simply by going
    > to your profile directory and using any plain text editor to open up
    > your mbox formatted folders.


    And how many people actually know where their user data is stored? To them,
    it's magic.

    'Sides, isn't that what disk encryption is for? :-P

    > Some security.
    >
    > Lock it all. Type Win-L, you're done!


    Thanks for making me look; it's + + L here -- easier than
    having to find open desktop space and | Lock Session. (I also
    have only one Win key, and it's mapped to Compose.)

    /b.

    --
    People are stupid. /A/ person may be smart, but /people/ are stupid.
    --Stephen M. Graham




  3. Re: Thunderbird - Lock Inbox (security)

    On 2007-02-11 21:01 (-0700 UTC), Andrew DeFaria wrote:

    > Brian Heinrich wrote:
    >> On 2007-02-11 18:25 (-0700 UTC), Andrew DeFaria wrote:




    >>> Just locking your email is short-sighted.

    >>
    >> I wouldn't suggest otherwise.
    >>

    > Then you agree with me.


    Yes -- but that doesn't mean that there can't be other things one can do to
    help secure one's correspondence. FIPS is one of them, and I'm not even
    convinced it's the best of them.

    One of the things that I've found amusing is that there are these people who
    are oh-so-concerned about tracking cookies, and yet I wonder what any of
    them are doing to try to secure their communications.

    Are they IMing over encrypted connexions? Are they concerned about sending
    e-mail and other passwords in clear text? Are they encrypting their e-mail
    correspondence?



    >> And how many people actually know where their user data is stored? To
    >> them, it's magic.

    >
    > It's not magic! It's documented! Exactly how hard do you think it is to
    > type "thunderbird profile location" into Google and read the results?
    > Anybody really wanting to steal your data knows all about this stuff
    > already.


    But to many people it /is/ magic. I've spent /hours/ trying to explain
    basic security precautions to people, and their only answer in reply is to
    state that none of the situations I've outlined are likely to happen.

    One case was particularly frustrating, because personal and financial data
    was involved, and one person kept turning off password protection on the
    screensaver. I was at the point of using MMC just to make that tab
    disappear. . . .

    >> 'Sides, isn't that what disk encryption is for? :-P
    >>

    > Disk encryption (I've used it, have you?), for example EFS that is built
    > in, does no good because guess what? You're already logged in! I mean TB
    > is reading it right? Why couldn't more(1) as easily read it? Answer is
    > it can.


    I was being a bit of a smart-a**. Consider it from the perspective of the
    naf who doesn't get what all the fuss is about; he or she wouldn't
    recognise that encryption isn't an answer if you're already logged in.



    > (IOW you must always assume that the hacker is smarter than the user).


    Yep. Unfortunately, most users don't understand that. :-(

    > Bottom line: If your data is important to you then all of your data
    > should be important to you and you should really be locking the front
    > door instead of just the bedroom door.


    But -- and I don't want to think of how many times I've heard this -- it's
    neither easy nor convenient.

    It really is a mindset, and too few people have it. Consider the comment I
    made above about encrypting e-mail correspondence. Opening someone's
    correspondence is, AFAIK, a felony in the U.S. and an indictable offence
    here in Canada.

    Yet, unencrypted, your e-mail correspondence is subject precisely to such
    tampering -- it's the modern-day equivalent of wiretapping. (In fact, I
    once had to explain to someone why a criminal lawyer of my acquaintance (we
    were in university together, in case anyone was wondering :-P ) didn't have
    a portable 'phone in her home.)

    At some level, we need to become a lot more paranoid. I'm not suggesting
    going over to the survivalist lunatic fringe, but we need to be more
    conscious that much of what we do on our computers involves data that might
    be of use or interest to others -- whether those others are involved in
    unscrupulous identity theft or law enforcement is, ultimately, irrelevant.

    /b.

    --
    People are stupid. /A/ person may be smart, but /people/ are stupid.
    --Stephen M. Graham



