Blowing in the wind

As mentioned before, in January my parents switched over to Optimum for TV/Internet/Phone. It’s been quite the journey thus far.

First there was the substantial delay in getting a phone number ported over. Then in late February the TV began to pixelate like mad – and after a flurry of calls and resets and two different service visits, the drop line (from pole to house) was replaced – and it seemed all was well.

Yesterday saw high winds (25 mph sustained, gusting to 50) for several hours, and service became unreliable, before ceasing entirely around 10pm. Checking Optimum’s [useless] website via cell service showed “all is well” in the system. This morning, under clear skies and a near-calm situation, service has returned.

In class I used to joke with a name of “Optimum Offline” – I’m beginning to realize my business experience with the company bears little resemblance to the travails of the residential consumer.

 

Updating the platform

Recent visitors should note the removal of advertising – I have upgraded to a paid account here. This site is now accessible via several methods:

  • custom domain: avoiceinthewoods.com
  • redirect: blog.woodall.com
  • direct: woodallrvcc.wordpress.com

This will be my first ever domain with “domain privacy” enabled – I’ll see if that actually does anything to slow the spammers.

More posts coming soon.

A proper email client

After a month of testing, I’ve found a proper email client. It meets my requirements – runs on Android phone, works with a blended IMAP/POP server, connects only when necessary to poll mail, has reasonable controls.

The winner is: K-9 email. Free, open-source, supports all that I need, free, can auto-thread received mail, easy to operate, and well-documented for advanced features.

Reading the fine print

Upon contemplation, blaming a time zone issue for the mail server problem just doesn’t seem right. Email works just fine across all the various time zones; why should it fail over something so simple?

When I “solved” the problem it was by updating the time zone, and bringing the server into proper sync with the client. But why would this be needed? As I made the change, I noticed something else unusual – there was a persistent connection to my mail server’s IMAP port, from the Amazon cloud. That struck me as odd, and potentially undesirable. So I closed the connection, and waited… and it reestablished itself within seconds. I put this down to being the tech-support diagnostic from the email client vendor, and then went about the business of kicking them off the server (write email to them, remove the extra account created for them, changing master passwords). As always, when I’ve opened a diagnostics port for outsiders, when it’s finished I go back and reset any master passwords which might have been [inadvertently] exposed – in this case, the password to my primary email – access to which had been the impetus for the whole exercise.

Changing the password on that email requires updating not just the mobile client on the phone, but also the mobile clients on the notebook computers, and the POP3 client on the administrative computer.  It’s an easy routine; pull up the client, stop the automatic message pull (which will fail as the password has changed), then make the change, do another message pull to validate, and we’re done.

Not so, this time. Instead, upon updating the password in the POP3 client, I get a “server closed connection” message. What? Did I type the password wrong? Let’s go try that again… get the same error… but that’s the wrong error for a password change. So it’s off to the mail server console to see what’s happened now – and the primary email account is now on ‘auto-ban’ status, meaning too many attempts were made with the wrong password in too short a time frame. I remove the account from auto-ban, do the POP3 pull from the client (works fine), then check the phone app.

It’s complaining it can’t connect. And that’s when it hits me – that persistent cloud connection was from the phone app. But why would it care? I’ve told the phone app to poll the server every 15 minutes… let’s fire up wireshark and do some packet analysis, see what’s happening. And sure enough, it’s the phone app, probing the mail server every 60 seconds for new email. Say what? And then I notice the section on the app menu, about privacy, and look in there. “Erase your data from our servers” – ahem. What data are you storing? Selecting Yes to “Erase data” tells me I may no longer use this app, and when I persist, it deletes the account from the app – resetting it back to the beginning.

Let’s go examine that app again… I should have been a bit more aware (read the fine print!) as to what was going on; how did a no-ads-install-for-free app have a dedicated tech-support team, without a visible source of revenue? Well, if you’re not paying, you’re the product, not the customer. In this case, the company providing the app is indeed reading the mail and making marketing trend analysis data available – to third-party [paying] clients. That’s how the app makes money.

I’d complain about deceptive advertising but… GMail is essentially the same. So Edison Email comes off the phone, and it’s time to find a better client.

Time and the ancient email server

For the past few days I’ve been chasing a rather pernicious problem – email clients weren’t interacting properly with the server. Since I haven’t changed the server software in, oh, five or six years, my first thought was – there’s something crazy going on with the clients.

As of this writing (November 2018) I run my own primary email server. It’s been a stable platform for years, requiring only very intermittent maintenance. However, it’s an older product, running on a non-supported platform. I run in a blended mode; the server is nominally IMAP4 but when I’m in the office I’m retrieving messages using the older POP3 protocol – which then removes the messages off the server. I’m used to this routine (23 years and counting) and it limits message exposure to only a few hours under most circumstances.

The symptom was – the phone email client showed unread messages on the server, but gave me no way to access them. Over the period of a few days I narrowed it down to a specific sequence – leave a few messages on the server, off to bed, wake up in morning, check mail and find the unread and inaccessible new mail… which then caused me to do a POP3 run and retrieve stuff. But this wouldn’t do for the long run. I experienced the same phenomenon on Edison Email (Android) and on GMail (browser and Android client).

The Edison Software app has excellent tech support – and during the various steps they went through (including establishing a test account on my server) – I finally recognized the problem. My server had already executed the reset to standard time – two weeks early. Once I reset the server back to daylight time, things are back to working normally. Then it was time to track down the timezone file and fix that, so this won’t be a problem (at least for the next several months).

 

Reading instructions…

There’s just two more sessions left this term for my “Internet & Web Architecture” class (tonight, and next Friday night).

The class has a weird name. I preferred calling it “Introduction to Systems Administration” or perhaps “Basics of Internet Infrastructure” but when you’re the adjunct (part-timer) and the PhD wants another title… you go with what the PhD wants.

Either way, the basis of the class is to teach the bits and pieces most classes ignore – setting up servers, virtualization chores, DNS, registering domains… and introduces students to a real-world issue: keeping track of credentials.

It’s this last bit which causes the problems… that, and that no one seems to want to read instructions.

Well, guess what. I’d rather not read them, either. Except I know what happens when you don’t read the instructions – it blows up in your face, and then you have to go and start all over again, and this time, read the instructions.

So reading instructions first turns out to save time.

But just try getting students to understand that…

Keeping email private…

Whenever one of the market-anointed tech titans speaks, people start to pay attention to their privacy… or lack thereof. In this instance, the question received regarded email, asking about alternatives to Microsoft & Google offerings, as compared to a Swiss service ProtonMail. Get your beverage(s) ready, this is going to be a long one.

Disclaimer: I am not a lawyer, and I did not sleep in a Holiday Inn Express last night. This discussion is relative to my understanding of United States Laws and court decisions. Your mileage may vary. 

First – how much inconvenience are you willing to suffer to keep your email private? What are you willing to pay?

On the surface, ProtonMail (which prides itself on end-to-end-encryption, and being based in Switzerland) seems like the obvious winner, since there’s a free version. But there are issues here. First is the recently passed CLOUD Act (Clarifying Lawful Overseas Use of Data Act, HR 4943, signed into law March 23, 2018) which allows for bilateral treaty-based exchange of overseas data between signatories. Note there is already such a treaty in existence with Switzerland. Proton’s off-stated “we only store encrypted data” claim is only good to the extent a user is not otherwise compelled to give up a password… or that the encryption is as described. Further, the only interface allowed to Proton is via web browser…

Gmail/Hotmail etc – “free” or “paid” – your email is going to be read by robots, mostly looking for advertising ‘bait’ or to build a better profile… (more on this later). Of course, these offerings win on convenience, and of course “free!”

Finally, there’s “roll-your-own” email. Invest in a server, configure your own email, have your own custom address pool, make your own filters and blocks, set auto-replies, run email lists… in simple terms, do everything the big boys can, but in your own way. All the mission-critical email for me has run on my own email server for more than twenty years. I use Gmail as a convenience, and am forced to use Outlook by various clients.

Now – let’s look at the legal implications on privacy, for the three offerings above. In the US, email privacy is governed by two major acts: the aforementioned CLOUD Act, and the ECPA (Electronic Communications Privacy Act, 1986). Most email communications falls under the [ancient] ECPA guidelines (assuming it is stored in the US).

The ECPA defines five types of communication for email. Three of those types require a warrant for access; two require a subpoena. Subpoenas are routinely issued by lawyers in the name of the court; penalties may be assessed for non-compliance. Warrants are issued by a judge, have stringent requirements for issuance, and are usually enforced by police agencies.

The ‘warrant required’ types of communications are: email in transit, email stored on a home computer, and email in remote storage, unopened, stored for 180 days or less.

The subpoena required types of communications are: email in remote storage, opened, and email in remote storage, unopened, stored for more than 180 days.

I run a combination server – it is IMAP when I’m away from home, and POP3 when I’m home. In simple terms – during a work day outside the house, or while travelling, I’m running the server in much the same mode as one does with any web-based system. The email is available via remote access (remote storage in ECPA terms). When I’m home, I have a POP3 client which downloads the email to a home computer, and erases that mail from the server.

In this mode, my critical email is always in the warrant-required states per the ECPA. Warrants are issued under standards more than 200 years old – it must be based on probable cause, describe the place or person to be searched, and for what evidence the search is being requested; all under oath or affirmation to a judge or magistrate. I feel reasonably secure.

Hope this helps the decision matrix.

ps – Gmail’s robots really kick in after about 200 emails are in the account. Want to baffle the builder? Set Gmail to operate in POP3 mode (delete after download) and watch the fun. (Running NoScript and disabling the Google Stats scripts also screws up the profile builder).