Tag Archives: email

A tiny project

So last weekend I realized that the City of Minneapolis maintains a lot of email lists (I think you need to enter an email address to see them after following that link, but it’s quite a few). I was curious to learn more about what was on them, but there wasn’t an obvious way to read the archives of each mailing list. And I surely wasn’t going to sign up for over 100 mailing lists just to get a taste of what they were sending out.

So I made a new website and twitter account in order to get a better sense of what’s going on in the city. Each email sent out by the city to any of their mailing lists is published online in a new post, and a link to that post is tweeted out. Simple!

I apologize for the Geocities-esque aesthetics of the website, but the emails don’t use consistent HTML and my email parsing utility was pulling some crazy shenanigans with nesting and CSS, so this is the best I could make it look in about an hour’s worth of time. (I work in infosec, not web design.) Got a better idea? Tweet me or send an email.

Obviously in the future I’d love to have a calendar, and the ability to only see messages from one particular mailing list. Even better, I’ve asked the city to look into doing this for me. Hopefully the folks at GovDelivery can get this simple problem taken care of and increase online engagement between the City of Minneapolis and its residents.

Email and the Petraeus Affair

To be honest, I haven’t been following the Petraeus affair saga with a whole lot of interest. Sure, it’s interesting to some, but I would rather not separate the wheat from the chaff in terms of reporting. I simply don’t trust many news outlets to get the details right, and so I’d rather not get wrapped up in the nitty-gritty.

But I saw an interesting question on twitter – how exactly DOES the FBI go about reading people’s email? And, by extension – how do *I* go about reading others’ email? Well, the cold reality is that I’m not really interested in reading your email. I sometimes have to do it (as part of my job) and believe me, it’s boring, and I think most people who work in IT feel the same way.

The first thing to remember is that if the FBI wants to read any email of yours that is beyond six months old, it’s easy! A federal prosecutor needs to approve a subpoena, and that’s it. No, I did not substitute “prosecutor” for “judge” – it’s really a federal prosecutor. It’s kinda like having your own prescription pad and writing out what you want, without the hassle of going to the doctor!

Second, if you’re accessing your email from behind a corporate firewall, you may already be subject to monitoring! At many large organizations, all traffic may be filtered through a web proxy – these are often used for filtering content (like blocking Facebook at work), and can also be leveraged to perform Man-In-The-Middle attacks on other sites you visit, including your personal email or bank information.

See, normally when you go to your webmail or banking site and enter your credentials, you’re “safe” because the certificate presented by the site was issued by one of the “approved” Trusted Certificate Issuers on a list your browser keeps. While this is inherently insecure for many reasons (Google arbitrarily chooses whom to trust if you’re using Google Chrome, for example), the system can easily be manipulated by corporate IT departments by simply adding their own certificate to your browser’s Trusted Certificates list. Once it is there, the browser accepts any site certificate signed with it without a warning, which enables anyone holding that certificate’s private key who is sitting between you and Gmail (for example) to decrypt information travelling between your computer and the email server.
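As an added example (not part of the original post), the following Python compares the issuer of the certificate your machine accepts for a host against the issuer recorded earlier on a network you trust; a certificate that validates but names a different issuer is what a re-signing proxy with its root in your trust store looks like. The host name, issuer names and sample certificate dicts are constructed for illustration.

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate in ssl.getpeercert() dict form."""
    # The default context uses the OS trust store, including any root an IT
    # department added, so a re-signed certificate validates here without error.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_issuer(host, cert, baseline):
    """Compare the issuer seen now with the one recorded on a trusted network."""
    issuer = cert.get("issuer", ())
    org = name_field(issuer, "organizationName")
    cn = name_field(issuer, "commonName")
    expected = baseline.get(host)
    if expected is None:
        return ("unknown", org, cn)      # no baseline recorded for this host
    return ("ok" if org in expected else "re-signed", org, cn)


# Constructed sample data (assumed names, not real observations).
BASELINE = {"mail.example.com": {"Example Public CA"}}
HOME_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
OFFICE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Acme Corp IT"),),
               (("commonName", "Acme Web Proxy Root"),)),
}

if __name__ == "__main__":
    for label, cert in (("home", HOME_CERT), ("office", OFFICE_CERT)):
        print(label, check_issuer("mail.example.com", cert, BASELINE))
```

To check a live connection, pass `fetch_cert("your.mail.host")` as the `cert` argument after recording the baseline issuer from a network you control.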

Well I was going to write more, but I’m kinda busy today. Suffice to say, only check email on a device you can control and whose entry point to the internet is a gateway that you trust. But there’s not too much you can do about a subpoena (short of running your own mail server)…