Google Docs Has A Big Gaping Security Hole

One of my final projects here as a Peace Corps volunteer in Kenya has been to implement a temporary information sharing platform for volunteers while we wait for a more permanent solution from the angels on high. Due to its speed, stability and bevy of features, we have decided to use the popular collaboration tool Google Docs. I have used it personally, but never on the scale of a Peace Corps program (around 150 users).

This morning, I was reverse engineering the invitation-based security model of Docs with an ICT RPCV friend of mine (whom I thank profusely for his patience), when I noticed a big, gaping, security hole: no matter what email address the invitation is sent to, if there is any Google account active in your browser’s session, then when you click the invitation link, it will link the Docs account to the active Google account, whether you authorize it or not.

This is great if you are clicking the link from a Google account. It just authorizes the account that the email was sent to in the first place. Works like a champ. But what if you use a Yahoo account or non-Google email…

The security concern scenario: A Peace Corps Volunteer (PCV) is sitting in a cyber cafe. The person at the computer before the volunteer forgets to log out of his Google account. The PCV subsequently gets on the computer and checks his Yahoo account, clicking the Google Docs invitation link. That’s all it takes. The owner of the logged-in Google account now has access to the Google Docs.

It’s not a particularly malicious hole. All it takes is for the admin of the Google Docs share to de-authorize the illegitimate Google account, but at the same time, no warning flags would be raised until the illegitimate account attempted to upload a file, which would subsequently be attributed to his Gmail account, and hopefully, catch someone’s eye. In the meantime, the illegitimate account has full access to the share and its information.

A solution to this would be a simple authorization confirmation step, where a dialog is brought up ensuring that, in fact, the user does want to link the currently logged-in Google account to the Docs application. Sadly, I don’t feel like this is really a large issue for Google because how frequently does a situation like this, where we have multiple users running on the same browser session, occur in the West?
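The cyber cafe scenario and the proposed confirmation step, modelled as an added example that is not code from this post or from Google. The `Share` class, the function names and the `.example` addresses are constructed for illustration, and the model assumes only what the post describes: an invitation link grants access to whichever account is signed in.

```python
from dataclasses import dataclass, field

@dataclass
class Share:
    # account that was granted access -> address the invitation was sent to
    members: dict = field(default_factory=dict)

def accept_naive(share, invited_email, session_account):
    """Behaviour described in the post: whoever is signed in gets access."""
    share.members[session_account] = invited_email
    return "granted"

def accept_checked(share, invited_email, session_account, confirmed=None):
    """Hardened flow: if the signed-in account is not the invited address,
    access is granted only after the user confirms that exact account."""
    if session_account is None:
        return "sign-in required"
    same = session_account.lower() == invited_email.lower()
    if not same and confirmed != session_account:
        return f"confirm: link {session_account} to the invitation for {invited_email}?"
    share.members[session_account] = invited_email
    return "granted"

def audit(share):
    """Admin-side check: members whose account differs from the invited
    address. Some are legitimate (a Yahoo invitee linking their own Google
    account), so this is a list to review, not to revoke blindly."""
    return sorted(a for a, inv in share.members.items() if a.lower() != inv.lower())

def cafe_scenario(accept):
    """Constructed replay: stranger@gmail.example is still signed in when the
    volunteer opens the invitation link from Yahoo mail."""
    share = Share()
    result = accept(share, "pcv@yahoo.example", "stranger@gmail.example")
    return result, audit(share)

if __name__ == "__main__":
    print(cafe_scenario(accept_naive))    # stranger silently becomes a member
    print(cafe_scenario(accept_checked))  # prompt shown, nobody added
```

The `audit` function gives the share's admin a way to spot the mismatch before the illegitimate account uploads anything.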

N.B. I never ran a check to see if someone else has already discussed this topic, so sorry if this is a repeat.


Ubuntu: A New Style of Linux

I know just yesterday I wrote that I would not be updating my blog for a bit, but with two recent announcements in the Ubuntu-sphere, I felt obligated to chime in with my own two cents. For those who haven’t heard the news, Ubuntu last week announced that it would be shipping version 11.04 with its Unity interface, dropping the traditional GNOME shell that it has used for… ever.


Gone Fishin’

wood sign with words gone fishin

Image says it all peeps. Life has been really busy these past few weeks. My students have received textbooks for their computer courses, and though each doesn’t have their own set (far too expensive), they have been working hard at absorbing through text everything I have taught them over the past year. They have their national examinations for their first year certification in December. Needless to say, they are a little stressed.

On top of that, I was recalled to Nairobi for Close of Service (COS) medical examinations this past week and next week I will be hosting the ICT session for the new Peace Corps trainees at both training sites. That’s right, our program has grown, and we now train in both Loitokitok and Machakos. I have never been to Machakos, so it will be nice to see a new town. As always, it will also be good to go “home” to Loitokitok, even if only for a couple nights.

In the meantime, I find myself in the village Mitheru, just outside the town of Chuka. I am here helping a volunteer out with some resource creation, as well as using the abundant electricity and lack of distractions to get a lot of other little projects done for various people: a logo here, some consultation there, and some programming to finish it off. Busy indeed. So please, bear with me and my dearth of blog posts, as I have “gone fishin.'”


Ubuntu Revelations: Better Safaricom Integration, One App Away

It took me two years to come to this revelation, which is sadly two years too late for me, but I hope this helps out some others.

When I first started using Ubuntu in Kenya, I was more than pleased to notice that the Safaricom modem, a Huawei E160 by model name, is seamlessly supported by the stock Ubuntu kernel from as early as version 8.04 I believe. Of course, though the modem is seamlessly supported, not all of the features found in the Huawei dialing app bundled with the modem are supported. This includes such functionality as the ability to send an SMS through the modem, particularly useful for activating new data bundles and checking your existing bundle’s remaining balance.

To rectify this situation, I first started to hack my own program to send an SMS, as searches were returning very few positive results.  Wanting to push something out quick, I found myself settling on Python (of course), and scouting out various libraries for interacting with AT commands over a serial interface.  This project didn’t go over well and I always seemed to find myself with more pressing concerns, [insert other hacker excuses here].  For the past two years I have stuck with the good ole’ switcheroo method of taking my modem SIM out of the modem, putting it in a phone, performing any necessary SMS-based functions, and then replacing the SIM in the modem.  Clunky but functional.

It turns out that over the past two years I have been searching for the wrong terms and the application I have wanted has been here all along.  It is known in the Ubuntu graphical universe as Phone Manager and in the command line world as gnome-phone-manager.

What threw me off the scent was that the app is heavily advertised as focusing on working with phones via Bluetooth, whereas my modem uses a USB connection.  Upon reading the fine print, I noticed that some descriptions also include, “and other serial connections.” Well, hmm, that changes the situation a bit.  While the app installed, I crossed my fingers hoping it included a halfway-decent serial port selection mechanism.

It does. It’s so decent that it even lets you specify the device node directly! Huzzah! For Huawei modems, once the USB Modeswitch finishes its song and dance, the modem portion of the device will settle on /dev/ttyUSB0. Under the Phone Manager app preferences, just throw that into the “Other port” input box and you are good to go.

Now with just a click of the icon I can be sending balance check SMS and even activation SMS through Ubuntu and my Safaricom modem.  To activate new bundles, just sambaza your modem credit from another phone, or MPESA, and you are good to go.  Ubuntu (and other Linux) are first-class modem users after all. Take that Windows.


A Day At The Baraza: First Impressions of Google Baraza

Baraza – n. – A Kiswahili term. An attempt at translation would be, “a meeting,” but usually it connotes a meeting with a specific goal, usually solving a problem or answering questions, led by a village committee or village elders.

I thought I would take some time and share my first impressions with a new Google service specifically targeting Africa: Google Baraza. Last week I was lucky enough to be individually selected amongst a group of handpicked candidates to help pilot this amazing new program.

Actually, that’s a lie. I requested a beta invite, and got one.

But the first version makes me seem so much more important! I’m not important, and in fact, here’s the link so that you might sign up for the service yourself if you so choose.  Mind you, it is heavily Africa-oriented, so join only if you have specific local knowledge about various parts of Africa (with a heavy focus on Ghana, Kenya, South Africa and Nigeria at the moment).

What is it?


Boats and Buildings: An Analogy For Your Social Supports

black and white image of a sailing boat

Last night a friend of mine and I were discussing life, as we do in Peace Corps, and our personal social support systems. Who are our friends? What do they mean to us? Where do they fit in our respective lives? Over the course of the discussion an analogy emerged about friendship; about the different types of support people get from their friends, and I liked the analogy so I thought that I would share it: as an individual, depending on your support system, you are either a boat, or a building. Neither is better or worse than the other, and there are some distinct advantages and disadvantages to each, and obviously in reality it’s not so black and white, but give me a chance to explain.

Boats

Boats are craft designed to move around over the waters of the world. Their world is inherently a moving world, even when they desire to stay relatively fixed, and as a result they must learn to sometimes just ebb and flow with the currents that take them. A boat’s support is an anchor. Anchors are extremely beneficial to a boat because they allow a boat to pick a spot to stay at for the time being and while their world moves around, find some sense of calm. When they are ready to go, boats can pull their anchors up with them and move on to the next stage of life, knowing always their support is there with them.

Problems for boats arise when they lose their anchor. Without an anchor, a boat is constantly forced to move about, most likely heading for the nearest harbor or port to put up in dry dock for an anchor refitting. But boats do not last long in dry dock, as their structures are designed to be floated, and without constant attention and unnatural external support structures they will actually collapse in on themselves. The casual example of this that my friend shared was that of the stereotyped old man who has lost his wife, the love of his life, and passes away briefly afterwards. Sometimes anchors are just that important.

Being primarily a boat may also mean that you find yourself as someone else’s anchor (obviously in real life, boats and anchors don’t work this way). Problems can arise when one person’s anchor is inherently not a boat, and is unwilling to travel around, to ebb and flow through life. If your anchor cannot come with you, or will not come with you, it may be hard to find peace in your journeys.

Buildings

On the flip-side of boats are buildings. Buildings are people who have developed a foundation of friends, preferably dug deep for even more solid footing. Though no single individual in this group may shine above the rest, it is only because all of them are so important. When a building is having problems, the problems can be distributed amongst different friends, never putting too much stress on a single person (some friends may exist to help with specific problems). Depending on the strength of the foundation, buildings can grow tall, and become even larger than the largest boats, but at steep costs.

Buildings cannot ebb and flow, and though they may sway in the breeze, their ability to journey is limited. The deeper their roots, their foundation, the harder it is to move locations. Though a boat may lose an anchor and potentially survive, a building losing its foundation is an almost guaranteed tragedy.

What is both a curse and wonder of foundations is that a solid foundation rarely needs constant attention. Sometimes, a completely unattended foundation might allow small problems to escalate into friendship-shattering problems, but by striking a healthy balance of giving attention depending on each unique part of the foundation, a building is able to grow tall and mighty. However, even the strongest buildings will need their lally columns, those not-quite-foundation individuals that are still ever critical to holding a building upright.

Some buildings are built on slab foundations. With a slab foundation, there is a very real sense of support every day. Your foundation is constantly beneath your feet, you feel it, you attend to it every day, and you may think it is the best thing in the world. But beware slab foundations, as the true strength of a foundation lies in its depth, and though you might not be as immediately aware of a more depthful foundation, it is ever more important than the sense of constant support granted by a slab foundation.

There you have it. Boats and buildings. Please feel free to tell me what you think. It’s not a perfect analogy of course, nothing is, but I liked the fit of it.


Witch-doctors and Pretty Pink Ribbons

pretty pink ribbon around my right ankle

Peace Corps Kenya has a tradition (which we admittedly stole from Peace Corps Thailand). About three months from our Completion of Service (COS), we hold a COS workshop and it is during this workshop that the tradition takes place. Without getting into the specifics of the ceremony (because it’s a super secret ceremony), the end result is that we all end up tied together by a ribbon. We are not to remove this ribbon until we return “home” (whatever that means to you) and tumesafiri salama (we have traveled safely).

Our particular ribbon just so happened to be bright pink, or maybe electric fuchsia, with gold thread through it.

Hot, I know.

There are some traditions that I appreciate and some that I despise; this particular tradition struck to my core because I am a full believer in the power of “reminders,” or little items that are constantly present on our body, lest we never forget. In more fantastical terms, these reminders have morphed into talismans, or to the Harry Potter generation, horcruxes. What these items do is they allow us to tap our own inner strength, our power of mind, so as to embolden ourselves with a sense of belonging, one of the most important aspects of our highly social nature.

Needless to say, I walk around with a Pretty Pink Ribbon tied to my right ankle.

It turns out, the ribbon also brings its own Kenyan culture-specific protection as well, not only emboldening myself, but also instigating preconceptions in those around me: I’ve been to the witch doctor.

The coastal regions of Kenya, particularly the regions of the Mijikenda, are steeped in sorcery, spells and witchcraft. Living on the NYS compound, I am not particularly exposed to heightened levels of this tendency, but I do remember the stories a fellow volunteer would tell me of her more remote coastal village, including women casting spells by dancing naked with octopuses on nights of the full moon. Yes, it really does happen, and may explain why immolation is our favorite means of mob-justice: not even a demon can escape wrathful fire.

On several separate instances I have been informed that my Pretty Pink Ribbon is a sign that I have visited the witch-doctor, and though nobody seems to be able to tell me anything specific, people are cautious of me. After having “integrated” for two years, I am appreciative of the breathing space it gets me, especially while waiting at the cattle pen for the ferry. And for those who are brave enough to ask me why I wear a ribbon, I get to talk to them about Peace Corps and the work we do, and traditions we have. It’s a win-win. Those who are fearful and afraid of change stay away. Those who are curious about the weird mzungu approach and respectfully inquire.

My advice to any Coast volunteers looking for some peace of mind once in a while: tie yourself up in a Pretty Pink Ribbon and enjoy the space.
