Sunday, April 20, 2008

Is Mint.com Safe?

Is Mint.com really as secure as they purport it to be? The blogosphere tends to disagree, except for wilkinsonlaw and a few others. But is it really?

At least you are logged out automatically after ten minutes. But if you've ever submitted a password reset request on the Mint.com web site, the link stays active for a long time, much too long. It was still active a month after the request. I emailed the webmaster as I couldn't find any other contact address on the site, and got back a boilerplate response, naturally:

Please do the following to recover your password:

1. Go to the login page at: https://wwws.mint.com/recovery.event
2. Click on the “recover it” link next to “forgot your password”.
3. Enter in the email address you used to create your Mint account.
4. An email will be sent to the email address you specified (note: the link is valid for only two hours).
5. If you don’t see the information in your inbox, please be sure to check your spam and bulk mail folders as well (ISPs sometimes route emails to these folders).

At least the email got through to a person and didn't sit around forever in unread email lalaland. You have to give them credit on that, in this age of email inundation. On a tangent, is knowledge management the solution? Back to the topic, I emailed them saying that email can be captured and snooped. All I ever got back was the standard "a highly trained team of monkeys is feverishly working on the situation" automatic reply email.


Today I reset my password again, and the same thing happens. The reset link stays alive after using it. It's not a big deal if you use the link, because you'll notice if someone snooped and reset it. You'd think Mint would send an email alerting you that your password has changed.


Here's the reset email:
This email was sent in response to your request to recover your password. To reset your password and access your account, click on the link below.

Reset your password [https://wwws.mint.com/recovery.event?username=email@example.com&token=xxxxxxxxxxxxxxxxxxxx&utm_source=xxx&utm_medium=xxx&utm_content=xxx]

The link will reset your forgotten password, and let you create a new one. For security purposes, this link will remain active only for the next 2 hours.

If you did not request that we send this Forgotten Password email to you, please report this email to us at: support@mint.com

Thank you for using Mint.com!

Cheers,
The Mint Team

Also, they are using a Google Analytics urchin tracking link, which is kind of irksome for the paranoid borderline-schizo types like me.

One final thing, I also get a "Connection Partially Encrypted" message in the Firefox "Page Info" window.
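
The two gaps described in this post are a reset link that keeps working after it has been used or after the stated two hours, and no email when the password changes. Here is an added example (not Mint's code and not part of the original post) of server-side handling that closes both; the class and function names are hypothetical and the sample values are constructed.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 2 * 60 * 60  # the two-hour lifetime the reset email states


class ResetTokenStore:
    """In-memory stand-in (hypothetical) for a server-side table of pending resets."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (username, expires_at)
        self.outbox = []    # notices that would be emailed to the account owner

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked table does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now):
        # A new request cancels any earlier link for the same account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, now):
        # pop() makes the link single-use: a second click finds no record.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        owner, expires_at = entry
        if owner != username or now >= expires_at:
            return False
        self.outbox.append((username, "Your password was changed"))
        return True


def demo():
    user, t0 = "email@example.com", 1_208_649_600  # constructed sample values
    store = ResetTokenStore()
    token = store.issue(user, t0)
    first = store.redeem(user, token, t0 + 60)       # normal use
    replay = store.redeem(user, token, t0 + 120)     # same link again
    stale = store.issue(user, t0)
    late = store.redeem(user, stale, t0 + TOKEN_TTL_SECONDS + 1)  # past expiry
    return first, replay, late, store.outbox


if __name__ == "__main__":
    print(demo())
```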

Wednesday, April 9, 2008

Search Engines User Data

I just read this article, "Search engines warned over data", and it really makes me mad. Why can't the search engines just use a unique ID for each user, using a one-way hash function which cannot be decoded back to the original IP address unless it's brute-forced, which would take years just to get one IP address unless you're the NSA with their alien technology?

Or is the real privacy problem with relating different searches together, and not IP addresses? They could merely be removing IP addresses like they say and not removing your GUID linking the searches together for their relational data.

I hope someone at Google reads this.

Also, I doubt Yahoo! has done anything like the article says, and if they have, then why did they give up data on the Chinese dissident blogger who is now sitting in jail? It's hypocrisy, and Yahoo!'s privacy reputation is now ruined forever. They are the Micro$oft of search engines.

Friday, April 4, 2008

unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep SEO Contest

Enter it today?

unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep

Tuesday, April 1, 2008

But Alas, The Internet Archive Does Have Search

Bow down in my eliteness for this nugget of knowledge:

http://web.archive.org/web/*/people.netscape.com/*

I found a really amazing quote on Jamie Zawinski's old page:

``We all enter this world in the same way: naked; screaming; soaked in blood. But if you live your life right, that kind of thing doesn't have to stop there.''

-- Dana Gould

Gmail Custom Time™

Google's newest April Fools' joke, Gmail Custom Time™, brings up a great idea for Gmail, or any email service or architecture. What about sending an email in the future? If my eight-year-old Nokia phone can schedule an SMS text message at a certain point in the future, why can't Gmail?
