Thoughtworks Geek Night

I was at the Thoughtworks Geek Night.

Securing Gmail with OTP : Demo


I put together a quick demo on how to secure Gmail with SecurID.

Technical details can be found here.

Gmail Burglar Alarm - UserPrefs Issue


You may have noticed that the Gmail Burglar Alarm seemed to have stopped working some time ago. The code had not changed much, so it was a little strange for it to stop working suddenly. A little poking and I noticed that the user preferences were not being stored properly in the gadget. The preferences were not persisted across browser sessions, and hence the user's Google Calendar session token was not saved.
The default values for the preferences were empty strings. Changing them to non-empty strings solved the problem, so the defaults have changed from empty strings to "none". It is a little strange, because I also noticed that the preferences were in fact fetched properly from the server. I will investigate this later.

Another frequent error that I seem to encounter appears to affect gadgets more widely. When the page does not load completely, or when some links are clicked, the contents of the page are replaced with [ObjectHTMLDiv], which seems to be the toString() representation of an assigned div. This has not been consistent, and it would be interesting to see what causes it. Watch this space for details as I discover them. If you know what this is about, I would be glad to hear.

Sign On Manager - quick update


A quick update on Sign On Manager: many users had complained that it displayed an annoying div on every login page. This has now been removed, and hence Sign On Manager will only activate from the user script menu. It can be activated by:
  1. Right clicking on greasemonkey icon
  2. Select User Scripts
  3. Select Start Sign On Manager
This was a little tricky to achieve with the current code. SignOnManager.init() now takes a parameter that tells it whether or not to display the div. This was done to ensure that it does not break existing functionality such as restarting Sign On Manager.
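The shape of that change, as an added example rather than the script's own code: the manager takes the document it works on as a parameter (so it can be exercised outside the browser), `init(showBanner)` only injects the div when asked and is idempotent, and the Greasemonkey menu entry calls it with the banner switched off. The banner id, the `GM_registerMenuCommand` label and the `restart`/`stop` helpers are assumptions.

```javascript
// Added example of the "init takes a show-the-div flag" pattern for a Greasemonkey
// user script. Not the Sign On Manager's actual code; names below are assumed.
function createSignOnManager(doc) {
  const BANNER_ID = "signon-manager-banner"; // assumed id
  let running = false;

  // showBanner=false is what the menu entry uses, so login pages stay untouched.
  // The getElementById check makes repeated init() calls safe (no duplicate divs).
  function init(showBanner) {
    if (showBanner && !doc.getElementById(BANNER_ID)) {
      const div = doc.createElement("div");
      div.id = BANNER_ID;
      div.textContent = "Sign On Manager active";
      doc.body.appendChild(div);
    }
    running = true;
    return running;
  }

  function stop() {
    const banner = doc.getElementById(BANNER_ID);
    if (banner) banner.remove();
    running = false;
  }

  // Restart keeps working because it just calls init() again with an explicit flag.
  function restart(showBanner) {
    stop();
    return init(showBanner);
  }

  return {
    init,
    stop,
    restart,
    isRunning: () => running,
    hasBanner: () => doc.getElementById(BANNER_ID) !== null,
  };
}

// Only register the menu command when actually running under Greasemonkey;
// typeof on an undeclared global is safe everywhere else.
if (typeof GM_registerMenuCommand === "function") {
  GM_registerMenuCommand("Start Sign On Manager", () => {
    createSignOnManager(document).init(false);
  });
}
```

The point of passing the flag explicitly rather than reading a global is that every caller (menu command, restart, any future auto-start) states whether it wants the div, so removing the banner from one path cannot silently change another.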

Gmail Burglar Alarm - better dates on reports


This is a continuation of the series of posts about the Gmail Burglar Alarm gadget and details an improvement to the reports screen. The reports used to spit out ISO 8601 formatted values in the tables, and many users agreed that the format was difficult to read.
This has changed, and the data is now sent to the client as seconds since 1970 (Unix epoch seconds). The JavaScript code at the client then converts this number to a display format native to the browser, allowing users to interpret the data better. This required looping over the data returned to the client and setting the formatted value in the appropriate columns.
An extra column has also been added to show the duration, displayed as a bar graph. This allows users to sort by duration of visits and seems more useful than just showing numbers. We are also planning more visualizations for looking at Gmail sessions. Suggestions welcome.
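The client-side conversion described above, as an added example (not the gadget's report code): rows arrive as epoch seconds, get formatted with the browser's own locale and time zone, and gain a duration column scaled to the longest session for the bar. The sample rows are constructed here; the field names `login`, `logoff` and `ip` are assumptions. The one detail worth getting right is the unit: JavaScript `Date` takes milliseconds, so epoch seconds must be multiplied by 1000 or every session renders in January 1970. Because the report is built from logged data, including request headers that the other party controls, everything is HTML-escaped before it is placed in the table.

```javascript
// Added example: render epoch-second session rows into a report table.
// SAMPLE_ROWS is constructed for illustration; the field names are assumed.
const SAMPLE_ROWS = [
  { ip: "198.51.100.7", login: 1230768000, logoff: 1230769800 }, // 30 min
  { ip: "203.0.113.9",  login: 1230800000, logoff: 1230800900 }, // 15 min
  { ip: "198.51.100.7", login: 1230850000, logoff: 1230853600 }, // 60 min
];

// Epoch seconds -> Date. The x1000 is the step most often forgotten.
function fromEpochSeconds(sec) {
  if (!Number.isInteger(sec) || sec < 0) throw new TypeError("bad epoch value: " + sec);
  return new Date(sec * 1000);
}

// Browser-native formatting. In a page, leave locale/timeZone undefined so the
// viewer's own settings apply; they are parameters here so the output is testable.
function formatLocal(sec, locale, timeZone) {
  return fromEpochSeconds(sec).toLocaleString(locale, { timeZone });
}

// Whole seconds between login and logoff; a logoff before login is bad data, not 0.
function durationSeconds(row) {
  const d = row.logoff - row.login;
  if (d < 0) throw new RangeError("logoff precedes login");
  return d;
}

// Loop over the rows once and add the display fields. barPercent is scaled to the
// longest session in this report so the bars are comparable with each other.
function decorateRows(rows, locale = "en-US", timeZone = "UTC") {
  const longest = Math.max(...rows.map(durationSeconds), 1);
  return rows.map((row) => {
    const secs = durationSeconds(row);
    return {
      ...row,
      loginText: formatLocal(row.login, locale, timeZone),
      logoffText: formatLocal(row.logoff, locale, timeZone),
      durationSeconds: secs,
      barPercent: Math.round((secs / longest) * 100),
    };
  });
}

// Escape anything that came from a log before it goes into markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
}

// Table markup as a string, ready to assign to the report container.
function renderTable(rows) {
  const body = rows.map((r) =>
    `<tr><td>${escapeHtml(r.ip)}</td><td>${escapeHtml(r.loginText)}</td><td>${escapeHtml(r.logoffText)}</td>` +
    `<td><div class="bar" style="width:${r.barPercent}%" title="${r.durationSeconds}s"></div></td></tr>`
  ).join("");
  return `<table><tr><th>IP</th><th>Login</th><th>Logoff</th><th>Duration</th></tr>${body}</table>`;
}
```

Sorting by duration then works on `durationSeconds` (a number) rather than on the formatted text, which is the other reason to keep the raw value on each row.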

Securing Gmail a little more - with OTPs and CardSpace


I had earlier posted a series of articles on Gmail gadgets. I had also written about using one-time passwords like SecurID to secure Gmail better. This post describes the technical details of achieving that. The steps look something like this:

  1. The user logs into Gmail.
  2. The gadget is loaded. It sets top.location to the SecurID login page.
  3. The user is sent a random code via SMS (using Google Calendar). If the token is a SecurID, the SecurID SDK is used instead.
  4. The user enters the code in the page.
  5. If the code is correct, it is set as a cookie (or stored temporarily at the server) and the page redirects the user to Gmail.
  6. The gadget loads again and asks the server for the status of the token.
  7. The server gets the token code from the cookie (or from the user session) and sends the result of the authentication back to the gadget.
The approach is simple. However, it is not 100% secure with the current state of gadgets, for the following reasons:
  • Gadgets are disabled in the basic HTML mode.
  • Gadgets are not required to be executed for Gmail to load. Only certain special gadgets (chat, labs, etc.) are mandatory.
  • POP3 and IMAP could be other ways mail is retrieved; these have to be turned on and are not covered by the gadget.
Hence, if Gmail gave gadgets the extra privileges, one-time passwords and two-factor authentication would be possible.

Gmail Burglar Alarm - Technical Details


I had written about the Google Gadget [Gmail Burglar Alarm] that logs your Gmail sessions. This post is dedicated to the technical details of the gadget. The gadget is hosted on Google App Engine, with its code available on Google Code.
The gadget is a simple XML file that loads some JavaScript to make the first call to store the time of login. It also checks the preferences of the gadget to see if it has already been initialized. The preferences store the session token required for writing events to Google Calendar, and it would be available if this is not the first run.
If it is indeed the first time the gadget is executed, the following takes place. It is a little tricky:
  1. Show a grant access button in the gadget.
  2. On clicking grant access, open a new window and show Google's grant access page with the target set to our domain.
  3. When the user selects grant access, he is redirected to the target page with the auth token.
  4. The auth token is exchanged for a session token and the page is reloaded.
  5. The page stores the session token in a cookie and closes the window.
  6. The gadget listens for the window close event and, when it fires, requests a cookie reader page.
  7. The cookie reader page reads the cookie at the server and includes it as a script.
  8. This is then saved as a user preference and the page is reloaded.
Once we have the session token, we make a request to store the login time. Similarly, we also make requests every 30 seconds to update the possible log-off time. The gadget can listen for window.onunload, but there appears to be a problem: the log-off time has to be stored by making a remote URL request, and this HTTP call is interrupted as the window closes.
I have not been able to figure out a way to get App Engine to ignore the connection termination and store the request. Till then, I store the session every 30 seconds, and it is written to the store when the application loads next.
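Two pieces of the state handling from this post and from the "UserPrefs Issue" post, as one added example that is not the gadget's code. First, the first-run check: a gadget preference whose default is an empty string reads back as empty, so a non-empty sentinel ("none") marks "not set" and the check treats both values as absent. Second, the server-side session record: login time is stored when the gadget loads, a heartbeat arrives every 30 seconds, and since the request from `window.onunload` can be cut off, the previous session's log-off time is taken from its last heartbeat the next time the gadget loads. The preference name, the grace period of two missed heartbeats, the fake preference store and the injectable clock are assumptions so it runs offline.

```javascript
// Added example: sentinel-aware preference check plus a heartbeat-based session log.
// Not the Burglar Alarm's code; the names and the grace period are assumed.
const TOKEN_UNSET = "none";      // sentinel default, as the UserPrefs post describes
const HEARTBEAT_MS = 30 * 1000;  // the gadget posts a heartbeat this often

// prefs is anything with getString(name); in the gadget that is the prefs object
// the gadget API hands out. "" and the sentinel both mean "first run".
function hasSessionToken(prefs) {
  const token = prefs.getString("session_token"); // assumed preference name
  return typeof token === "string" && token !== "" && token !== TOKEN_UNSET;
}

class SessionLog {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = []; // { id, user, ip, login, lastSeen, logoff }
  }

  // Called when the gadget loads: close whatever this user left open on a previous
  // visit (its logoff = last heartbeat), then open a new session.
  open(user, ip) {
    const closed = this.closeStale(user);
    const session = {
      id: this.sessions.length + 1,
      user,
      ip,
      login: this.now(),
      lastSeen: this.now(),
      logoff: null,
    };
    this.sessions.push(session);
    return { session, closed };
  }

  // The 30-second ping. Returns false if the session is unknown or already closed,
  // so a stale tab cannot reopen a session that has been ended.
  heartbeat(id) {
    const s = this.sessions.find((x) => x.id === id && x.logoff === null);
    if (!s) return false;
    s.lastSeen = this.now();
    return true;
  }

  // A session with no heartbeat for more than two intervals is treated as ended.
  // Its logoff is its last heartbeat, so the recorded time is at most ~30 s early.
  closeStale(user, maxGapMs = 2 * HEARTBEAT_MS) {
    const cutoff = this.now() - maxGapMs;
    const closed = [];
    for (const s of this.sessions) {
      if (s.user === user && s.logoff === null && s.lastSeen < cutoff) {
        s.logoff = s.lastSeen;
        closed.push(s);
      }
    }
    return closed;
  }
}
```

Two practical notes. The heartbeat only ever needs the session id, so the calendar session token can stay on the server and never needs to pass through the browser again once the first run is over; step 7's cookie reader, which echoes a cookie value as a script include, is the kind of endpoint worth checking is locked to the gadget's own origin, because a script include is fetched with cookies attached from any page that embeds it. And browsers have since added `navigator.sendBeacon`, which is designed for exactly the unload case that interrupted the final request here; the heartbeat remains the fallback when the beacon is lost.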

This was the overall design of the application. Please do suggest improvements / ideas, etc.

The Gmail Burglar Alarm

Gmail Burglar Alarm is a gadget that you can add to your standard Gmail web interface to record your Gmail sessions. Additionally, it analyzes details of all sessions (like IP address, browser type, etc.) and tries to determine if a session was suspicious. If the percentage of suspicion is high, you are alerted via a text message to the mobile number configured in your Google Calendar. All the data stays with you and is stored in your Google Calendar.

The following video shows the various steps to add the gadget to your Gmail account. It also shows the steps required to grant the application access to write to your Google Calendar.

You will also have to configure your Google Calendar to receive text message alerts.
This can be done as shown in the following video.

The data is stored in a new calendar created on Google Calendar. This calendar is private to you and has details like the IP address of the login, HTTP headers, browser version, etc. The gadget also displays the total time you spend on Gmail. The gadget analyzes recent sessions and tries to establish a pattern. Anything that is well outside this pattern is potentially dangerous, and you are alerted.
Please do drop in your comments and suggestions to improve this application. Watch this blog for technical details and updates.
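One way to turn "establish a pattern and alert on what falls outside it" into a suspicion percentage, as an added example: it is not the gadget's scoring, which this post does not publish. A profile is built from recent sessions (source /24 network, User-Agent string, hour of login), and a new session earns points for each attribute the profile has never seen, capped at 100. The history rows, the weights, the threshold and the warm-up rule (no alerts until a few sessions are on record, otherwise the very first login after installing would page you) are all constructed assumptions.

```javascript
// Added example: session anomaly score over constructed history. Not the gadget's rules.
const HISTORY = [ // constructed sample sessions; login is epoch seconds
  { ip: "198.51.100.7", ua: "Mozilla/5.0 Firefox/3.0", login: 1230800000 }, // 08:53 UTC
  { ip: "198.51.100.7", ua: "Mozilla/5.0 Firefox/3.0", login: 1230810000 }, // 11:40 UTC
  { ip: "198.51.100.9", ua: "Mozilla/5.0 Firefox/3.0", login: 1230830000 }, // 17:13 UTC
  { ip: "198.51.100.7", ua: "Mozilla/5.0 Firefox/3.0", login: 1230890000 }, // 09:53 UTC, next day
  { ip: "198.51.100.7", ua: "Mozilla/5.0 Firefox/3.0", login: 1230900000 }, // 12:40 UTC
];

const WEIGHTS = { newNetwork: 50, newBrowser: 30, oddHour: 20 }; // assumed
const ALERT_THRESHOLD = 70;  // assumed: "percentage of suspicion is high"
const MIN_HISTORY = 3;       // assumed warm-up before alerting

// Compare on the /24 so address churn inside one ISP pool is not a "new location".
function network(ip) {
  return ip.split(".").slice(0, 3).join(".");
}

function hourOf(loginSec) {
  return new Date(loginSec * 1000).getUTCHours();
}

function buildProfile(history) {
  const profile = { count: history.length, networks: new Set(), browsers: new Set(), hours: new Set() };
  for (const s of history) {
    profile.networks.add(network(s.ip));
    profile.browsers.add(s.ua);
    profile.hours.add(hourOf(s.login));
  }
  return profile;
}

// "Usual" hour: within two hours of some previous login hour, wrapping at midnight.
function usualHour(profile, hour) {
  for (const h of profile.hours) {
    const diff = Math.abs(h - hour);
    if (Math.min(diff, 24 - diff) <= 2) return true;
  }
  return false;
}

function suspicion(profile, session) {
  let score = 0;
  if (!profile.networks.has(network(session.ip))) score += WEIGHTS.newNetwork;
  if (!profile.browsers.has(session.ua)) score += WEIGHTS.newBrowser;
  if (!usualHour(profile, hourOf(session.login))) score += WEIGHTS.oddHour;
  return Math.min(score, 100);
}

// The decision the gadget takes before sending the text message.
function shouldAlert(profile, session) {
  if (profile.count < MIN_HISTORY) return false; // not enough pattern to judge against
  return suspicion(profile, session) >= ALERT_THRESHOLD;
}
```

Hour-of-day is computed in UTC here only to keep the test deterministic; in the gadget it should use the user's own zone, and a real deployment would also weight by how rare an attribute is rather than treating "seen once" the same as "seen every day".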

Note: this application works only on the Gmail standard interface with gadgets enabled. The gadget can record and alert only on the pages where the gadget is run. This is not a total security solution but only an idea.

Gmail IDS - Version Alpha

A lot of hacking and coding during the holidays, and I have the alpha version of the gadget that saves your Gmail login sessions into Google Calendar. The gadget is available at I am planning to add a video demonstration on how to add the gadget and configure calendar for your mobile later, but for now, you can add the gadget by the following steps.
  1. Login to gmail
  2. Select "Settings" [Top right corner]
  3. Select the Labs Tab
  4. Select Enable in the Add Gadget [usually the last option]
  5. You will get a new "Gadget" Tab. Click on it
  6. Type the URL "" in the text box and click "Add"
This shows the Gmail IDS gadget on the left side bar. Click on grant access, and after navigating through Google's Grant access page, a timer appears, showing the gadget working. You can also look for a "Gmail Event Log" in Google Calendar for the log in sessions recorded.

Technical details of how the gadget was made will follow.
For news and updates, keep checking this link.