Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

 

 

Pick an apple! 
 
Disinfect Your Keyboard

Keyboards, particularly those shared by multiple people, harbor huge quantities of bacteria. If you want to reduce the chances of picking up your co-worker's cold, you can disinfect your keyboard with disinfecting wipes. To avoid damage to the keyboard, be sure to:

  • Unplug the keyboard before disinfecting it.
  • Squeeze out any excess liquids from the cloth to avoid liquid dripping into the keyboard.
  • Don't let any liquid from the wipe sit for long periods of time on the keyboard.
  • Don't scrub the keyboard, just lightly wipe down. Rubbing too hard leaves behind more lint.
  • Avoid cleansing cloths that contain bleach.

Visit Das Keyboard

 
 

Security Experts Urge Google to Secure All Sessions

Send Article to a Friend

Google has been name-checked on security. A letter sent on 16-Jun-09 to Google CEO Eric Schmidt strongly urges the company to make a secure connection the default method for Web applications. Among the 38 signatories to the letter are a host of well-known security experts, researchers, and advocates, including Ronald Rivest (the R of RSA), Bruce Schneier, Jon Callas, Eugene Spafford, Peter G. Neumann, William Cheswick, and Steven Bellovin.

Two years ago, Google's use of unsecured connections came to the fore with the discovery of sidejacking, a technique for grabbing the authentication cookies that Google uses to identify users during an unsecured session and inserting them into a browser under the sidejacker's control. Sidejacking can be performed anywhere there's an open Wi-Fi hotspot or an untrusted Ethernet network in which traffic is mingled and sniffable. (See "Sidejack Attack Jimmies Open Gmail, Other Services," 2007-08-27.)

Google has taken some steps to derail sidejacking, including marking the Gmail authentication cookie with a secure flag that should keep it from being sent without encryption even if https isn't used. Google also added an option to require https (SSL/TLS secured) connections for Gmail. (See "Google Gmail Adds Secure Session Option," 2008-07-28.) The researchers noted that other services, like Google Docs and Google Calendar, support https as well, although there's no way to set that level of security as a default.

The letter sent to Google claims that acquiring a Google authentication cookie from Docs or Calendar would allow access to Gmail, but one of Google's security team members, Alma Whitten, said in a blog entry that it wouldn't be possible for such a cookie to be intercepted.

The security experts urge that https sessions become the default for all Web-based services. The letter acknowledges that this lack is a widespread problem, and is even worse at Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace because those services don't offer a secure option. We expect that the security experts are starting with Google because of Google's existing optional support for secure connections, and if they can convince Google to make the switch, they'll move on to these other companies.

They note that because Google apps are designed to work asynchronously, queuing and performing tasks at the server and then updating the browser without a page reload, any latency introduced by the additional user or server computational load for encryption won't make the experience of using these applications worse.

Google's response, in Whitten's blog entry, is that Google remains concerned that there's not enough known about whether specific computer configurations, networks, or parts of the world would suffer far worse performance in an all-https world. Whitten also said that Google is planning a trial that moves small sets of Gmail customers who haven't explicitly requested https-only sessions to that option.

 

Automatic turns almost any car into a connected car. By pairing
Automatic’s connected car adapter with iPhone apps on
Automatic’s platform, drivers are able to drive safer and smarter.
TidBITS readers get 20% off all orders at <http://automatic.com/tb>