Hotmail: Not Safe For Work?

silentknight writes "According to MSNBC, web-based e-mail providers such as Yahoo and Hotmail may not be a haven for your private e-mail anymore. At least not while you're at work. SpectorSoft is introducing eBlaster, which aims to "secretly forward all e-mail coming and going through such Web-based accounts to a spy's e-mail". Corporations will most likely argue that, because of sites like Internal Memos, companies need to keep a tighter grip on the information that flows in and out of their companies. But attempting to spying on private e-mail?? In the words of Homer J. Simpson: "Butt out, Buttinsky"."

blocked at work

[Jucius Maximus]

In the large company where I work, all access to Hotmail, Yahoo, etc is blocked at the firewall. This is because too many lusers kept downloading klez, hybris, (random vbs trojan), etc and executing them.

After this was done, all virus problems on the network dropped from one incident per 2 weeks to maybe 1 incident per 4 months.

As to the privacy issue, the easy solution is to NOT SEND PRIVATE E-MAIL FROM WORK (or at least use GnuPG or PGP!)

One word :

[M1000]

http://www.hushmail.com

this can be monitored already

[prisen]

Not really anything new here; "The Man" can see what I'm doing right now, where I'm going, whether or not I'm logged in to a site (including my username and password), how long I've been on a certain page, etc etc etc - And he doesn't need a kiddie script to do it. That's just part of working for the DoD or any other institution that has full monitoring instilled in their computer use policy, I guess.

Re:blocked at work

[Jucius Maximus]

"Bah, forget it. I'm not feeding a box I don't trust a disk with my private key on it, much less even type out my passphrase on that machine."

You are encrypting to send to someone else. No private key is required. If you really need one, generate a new key for work purposes.

you missed something

[mattdm]

The 9th amendment -- for some reason, people who want to restrict the rights of US citizens seem to conveniently forget that one. Here it is:

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

There's my right -- and yours --to an adequate standard of health, to be looked after after a life of contributing to society, and yes, to pursue happiness. Oh, and of course, to live like a free human being, not a corporate slave, even when I'm at work.

Re:blocked at work

[Nomad7674]

Another alternative, when e-mail from work is essential, is to get a wireless device capable of sending e-mail without using the work e-mail system. The Kyocera 6035 Smartphone [kyocera-wireless.com] (and the coming-soon 7135 [pdabuzz.net]), Palm's i705 Palm.Net service [palm.com] and Earthlink's various wireless services [earthlink.net] seem like good possibilities.

Of course, a truly persistent person or corporation can find a way to tap into any technology, given time and money.

Free Webmail-over-SSL: mail2web.com

[kriegsman]

If you've already got a POP or IMAP e-mail account somewhere and you want to check it from work, consider using www.mail2web.com [mail2web.com]. They support full-SSL access to their tools, and they even seem to do some nice things to prevent referer-tracking from site you link to from e-mails you receive.

-Mark, unaffiliated with mail2web, but a happy user

Examples of privacy at work

[dcollins]

From the article:

...a personal letter through the company mailroom. The contents of such a letter are protected by U.S. mail regulations.

Contrary to the large contingent of "company can do whatever it wants on its property" boosters, there in fact seem to be all kinds of legal protections and privacy expectations established for workers in corporate offices.

The fascist model that says otherwise is not only frightening, it's untrue.

The full quote from the lawyer in the article (in reference to the 1986 Electronic Communications Privacy Act):

Spyware like that produced by SpectorSoft and competitor WinWhatWhere Corp. has not yet faced a definitive courtroom test. But David Sobel, general counsel of the Electronic Privacy Information Center, equated private Web-based e-mail account with an employee receiving a personal letter through the company mailroom. The contents of such a letter are protected by U.S. mail regulations.
"The question is: Is there a reasonable expectation of privacy? I would argue that if a company.com account is provided to me for company business, I can assume it might be subject to monitoring ... but if I take additional step to set up a Hotmail account that I occasionally access from my desktop at work, I think that could be construed as an expression of an expectation of privacy."

[from the FAQ]

[FuzzyBad-Mofo]

18. I do not have physical access to the PC I wish to monitor. Does eBlaster support remote installation? eBlaster can be configured to send the program installation file to another email address. Assuming that the receiving email client will allow the receipt of a .EXE file attachment and that the user opening the email clicks on the file attachment, then eBlaster will automatically install itself on that computer. Once installed on the remote computer, eBlaster will send recordings from that computer to your email address. VERY IMPORTANT: You MUST be the owner of the computer to which you are remotely installing eBlaster. If you are NOT the owner, or have not received permission from the owner to install eBlaster on that computer, you could be in violation of state or local law by monitoring the activities of property that does not belong to you.

Re:Ooh, goody...

[Anonymous Coward]

If this bothers you, use one of many excellent web based email providers that support secure connections.

I can totally recommend FastMail [fastmail.fm].

Though of course, if you are using IE, you are shot anyway.

Simple, OpenSSH-tunnel work arround

[depsypul]

When I'm using a Linux box away from home, and I absolutely don't want my web traffic to be able to be sniffed, I use this semi-quick solution.

I installed Squid (the proxy server) on my box at home (which has a cable connection) and then use this simple one-line SSH command to create a SSH tunnel, which forwards all my web browsing to my proxy server at home, across an encrypted channel.

ssh -o ProtocolKeepAlives=15 -q -f -N -C -g -L 45855:localhost:3128 myusername@MY.HOME.IP.ADDRESS

Then I just have a copy of Opera on my machine away from home, set to use a proxy server on localhost port 45855. Works beautifully for web browsing that a company can't sniff.

Note that I used the "-g" option of SSH, which allows other machines to connect to my locally forwarded ports (i.e. they can use the proxy server back at my home by connecting to the local port on my machine.) Take it out if you don't want this.

With this, no help to encrypt your connections!

[Nonesuch]

Please read the linked web site before posting.

Encrypted communications will not help here, as the software is a "trojan" installed on your PC, logs every keystroke, and intercepts content of email after it has been decrypted.

Basically, if you cannot trust the PC that you are running your HTTPS browser on, you should assume that the encryption is not giving you any protection against the owner of that PC, or anybody else who "0WNZ" that PC...

Personally, I bring my personal laptop to the office each day, run a local firewall on that laptop, connect it to the office LAN, and never install any company-provided binaries on that laptop.

The company provides a corporate-owned business desktop, and I use that machine solely for messages and network traffic that I would not have any problem with the helpdesk people reading -- since the corporate standard is to install LanDesk, I have to assume that the HelpDesk people can and do have access to anything on that machine.

Keep your business life as distinct from your personal life as you possibly can.