About me
My name is Jose Sandoval, and I'm a software developer. I consult on all areas of software engineering. You can reach me at jose@josesandoval.com.

If you are interested in RESTful web services, I wrote a book titled RESTful Java Web Services.

I was named after my father (Jose) and my grandfather (Felix). The Sandoval last name comes from a little town located in the northern part of the province of Burgos, Spain, called Sandoval de la Reina.

One of the first Sandovals to have set foot in the continent of America was Gonzalo de Sandoval, a conquistador who was led by Hernan Cortez in 1519.

As with many Spanish last names, a coat of arms for it exists.

The color gold means generosity and intellectual pursuit; the black scarf or knight's shield suspender means protector; the helmet signifies wisdom, strength, and invulnerability.

Most popular posts
» REST in Java (Restlet demo)
» Semantic Journal
» Google's GWT + RSS Feed Reader
» Google's GWT + Google's API Example (AJAX)
» XMLHttpRequest Example

Recent posts
» WTF, Digsby? I'm just trying to install you and no...
» Google App Engine and Python Learning from a Java ...
» Facebook's security hole?
» The Agony of the End
» Gabriel's Video Game - Part 1
» Golden Ratio and Rectangle Calculator
» Word clouds are neat
» Bank web sites and UI consolidation
» Improving Twitter's loading time in your blog or s...
» Social Media Demographics

Archives
» September 2004
» October 2004
» November 2004
» December 2004
» January 2005
» February 2005
» March 2005
» April 2005
» May 2005
» June 2005
» July 2005
» August 2005
» September 2005
» October 2005
» November 2005
» December 2005
» January 2006
» February 2006
» March 2006
» April 2006
» May 2006
» June 2006
» July 2006
» August 2006
» September 2006
» October 2006
» November 2006
» December 2006
» January 2007
» February 2007
» March 2007
» April 2007
» May 2007
» June 2007
» July 2007
» August 2007
» September 2007
» October 2007
» November 2007
» December 2007
» January 2008
» February 2008
» March 2008
» April 2008
» May 2008
» June 2008
» July 2008
» August 2008
» September 2008
» October 2008
» November 2008
» December 2008
» January 2009
» February 2009
» March 2009
» April 2009
» May 2009
» June 2009
» July 2009
» August 2009
» September 2009
» October 2009
» November 2009
» December 2009
» January 2010

Google's GMail and encrypted ZIP files
Thursday, February 26, 2009

I use my gmail account as a storage device--7GB is a lot of free disk space. I zip my files and email them to me. From time to time, I have sensitive data that I don't want google to look at (all right, google's programs). Because of this, I encrypt the zip archive with the strongest key possible (right now, it's a 256-bit key; this thing is virtually unbreakable). As it happens, google doesn't like if you do this, because its virus scanner can't read the file and it immediately flags it as a virus. If you've done this you know your messages will bounce.

What are you to do, if you really want to send that encrypted email to someone (or yourself)?

Simple: just change the extension of the file to something else. I change it to '.txt' and send the file. Google's virus scanner doesn't flag it and it sends fine.

Note that you can do the same for executable files, as google will not let you email anything that is a program (a file with an extension of .exe, .com, or .bat). So, change the extension from '.exe' to '.txt' and that's it.

Of course, when you download the file from gmail you have to remember to change the extension of the file back to its original.

This trick defies the purpose of the virus scanner: a stream of malicious binary data is floating around just waiting to be executed. At some point, google will catch up to our tricks and will make its virus scanner software smarter than what it is. Until then, happy emailing encrypted (or executable) files.

3:24 PM | 3 comment(s) | Translate Italian German Spanish French Portuguese Arabic Japanese Korean Chinese (S)

---

Comments:

smrts!

That could potentially be a new attack such that.

1. Hacker dude creates malicious binary and renames its extension to TXT.
2. Hacker dude crafts email telling users to rename file extension to EXE and run for a special surprise.
3. Hacker dude distributes email with seemingly-innocuous attachment.
4. Profit?

Because many non-techies will fall for this, it will work, sadly.

Kind of strange that Google hasn't fixed it already. I've worked with email servers that scan the contents of the file rather than the name, to avoid the workaround you mentioned. Since Google is usually ahead of the technology curve, I would have expected them to do it already.

But it's good to know that a workaround does still exist.