Slashdot Mirror


User: Todd+Knarr

Todd+Knarr's activity in the archive.

Stories
0
Comments
3,572

Comments · 3,572

  1. Not real names, but tied to accounts on Blizzard Backs Down On Real Names For Forums · · Score: 5, Insightful

    Blizzard should simply tie forum names to accounts in an opaque manner. You can only create a forum name if you have an account, and you can only create one per account and only if you have a game key activated on that account. The forum name can't be the same as the account username (to prevent disclosure), and once created you can't change it (CS can change it for you, but you have to give them a good reason to). That solves most of the problem without requiring real names anywhere.

    Basically for the purposes Blizzard claims to need to address, real identities aren't needed. What's needed is only two things:

    • Users need to be sure that the person behind a forum name today is the same person as was behind it last week. Usually referred to as "continuity of identity". They don't need to know who the person is, just that it's the same person.
    • Users need to be reasonably sure that a single person can't quickly and easily create multiple new identities to hide behind, so a new forum name almost always does represent a real new person.

    Neither of those requires disclosing real identities.
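As an added example (not Blizzard's code, and not part of the comment above), here is a small registry that enforces the pseudonymous-handle policy the comment sketches: one handle per account, only after a game key is activated, never equal to the login name, immutable except through a support path that records a reason, with retired handles kept reserved so that continuity of identity still holds after a rename. All names, the opaque id scheme and the sample accounts are hypothetical.

```python
# Added example (hypothetical, not Blizzard's code): a forum-handle registry
# implementing "opaque handle tied to an account" without real names.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class HandlePolicyError(Exception):
    """A handle request that breaks one of the registry's rules."""


@dataclass
class Account:
    username: str            # login name; never shown on the forum
    game_key_active: bool    # a handle may only be created once a key is activated
    handle: Optional[str] = None


class ForumHandleRegistry:
    """Maps opaque account ids to at most one forum handle each."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        # casefolded handle -> account id; retired handles stay here so they
        # can never be re-registered by someone else (continuity of identity)
        self._owner_of: Dict[str, str] = {}
        self.support_log: List[Tuple[str, str, str, str]] = []

    def add_account(self, username: str, game_key_active: bool) -> str:
        # The id is random, so nothing derivable from a handle leaks the login name.
        account_id = secrets.token_hex(8)
        self._accounts[account_id] = Account(username, game_key_active)
        return account_id

    def create_handle(self, account_id: str, handle: str) -> str:
        acct = self._accounts[account_id]
        if not acct.game_key_active:
            raise HandlePolicyError("an activated game key is required")
        if acct.handle is not None:
            raise HandlePolicyError("this account already has a handle")
        key = handle.casefold()
        if key == acct.username.casefold():
            raise HandlePolicyError("handle must differ from the account username")
        if key in self._owner_of:
            raise HandlePolicyError("handle already taken or retired")
        acct.handle = handle
        self._owner_of[key] = account_id
        return handle

    def support_rename(self, account_id: str, new_handle: str, reason: str) -> str:
        """The only path that changes a handle; a recorded reason is mandatory."""
        if not reason.strip():
            raise HandlePolicyError("customer support must record a reason")
        acct = self._accounts[account_id]
        if acct.handle is None:
            raise HandlePolicyError("no handle to rename")
        key = new_handle.casefold()
        if key == acct.username.casefold() or key in self._owner_of:
            raise HandlePolicyError("new handle rejected")
        self.support_log.append((account_id, acct.handle, new_handle, reason))
        acct.handle = new_handle          # old handle stays reserved in _owner_of
        self._owner_of[key] = account_id
        return new_handle

    def same_person(self, handle_then: str, handle_now: str) -> bool:
        """Continuity of identity: both handles resolve to one opaque account id."""
        a = self._owner_of.get(handle_then.casefold())
        b = self._owner_of.get(handle_now.casefold())
        return a is not None and a == b


if __name__ == "__main__":
    reg = ForumHandleRegistry()
    acct = reg.add_account("alice_login", game_key_active=True)
    print(reg.create_handle(acct, "Frostwolf"))
    print(reg.support_rename(acct, "Frostwolf2", "name collided with a streamer"))
    print(reg.same_person("frostwolf", "Frostwolf2"))
```

The point of keeping retired handles in the owner map is that a rename never frees a name for someone else to step into, so "the person behind this handle last week" remains answerable even across support-assisted changes.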

  2. Re:This is a simple case of NTP envy on Free Clock Democratizes Atomic Accuracy · · Score: 1

    NTPD with clock-frequency adjustment should get you down to microsecond accuracy, if you're syncing directly to a stable stratum-1 (it'd better be stable or you've got bigger problems) server. And most Unixes have NTPD software that does clock-frequency adjustment. With all servers in the same rack and presumably sitting on the same Ethernet segment, you should never see loss of sync unless your stratum-0 reference goes out (at least I've never seen loss of sync in that setup). And even if you do lose sync, if the machines are temperature-stable and've been running long enough for NTPD to get the local clock's drift dialed in you should be able to maintain millisecond accuracy for at least a few days.

    Windows is more problematic, since clock-frequency adjustment doesn't seem to work right on it.

  3. Re:Gullible would be an understatement on The Unstoppable 'Tech Support' Scam · · Score: 1

    Why is it unrealistic? It's the rule I was taught by my parents more than 30 years ago when I first started getting bank accounts and such I'd need to protect. If they can handle the concept, I see no reason why it'd be unrealistic to expect someone my age or younger to be unable to handle it.

    And if the problem is someone not wanting to handle the concept? Sucks to be them, I guess, they aren't getting any sympathy from me.

  4. There may be nothing actionable on The Unstoppable 'Tech Support' Scam · · Score: 1

    The site doesn't seem to be posing as Microsoft, only using the Microsoft Partner logos. If that's the case, Microsoft would have to be the one to take action against them. McAfee seems to be checking for the site serving up malware and the like, and it's entirely possible the site itself is clean. In any case, again it'd be McAfee who'd have to take action about any misuse of their logos, not the regulators.

    The best thing you can do to protect yourself against this kind of scam is actually not to protect just against this kind of scam. Be skeptical in general when someone else calls you making claims and wanting you to act on them. In past years it'd be someone calling claiming to be from your phone or utility company, saying there'd been a billing error and lo and behold you could make the payment over the phone to them and avoid having service cut off. More sophisticated ones claimed you'd overpaid and if you could just give them your payment information they'd credit the refund to you. This one they're claiming to be someone monitoring your computer for problems on behalf of Microsoft. The response to these should always be the same: get the details of the problem and any necessary contact information, then hang up. Go to your contact information for the entity in question, ignoring any phone numbers the caller gave you, and place a call yourself to the entity. If it's legit, they'll have a record on your account of the problem and can connect you to the right department to handle it. If they don't know what you're talking about, chances are you just avoided a scam.

  5. Re:Gullible would be an understatement on The Unstoppable 'Tech Support' Scam · · Score: 1

    If they claim to be from your ISP? SOP for externally-initiated calls: ask the caller for their contact information (name or extension), then hang up and call the entity back at the number you have for them (don't trust any number the caller gave you) and ask to be connected to that contact or the department responsible for whatever the caller alleged was at issue. If it's legit, it'll be in your account record and you'll be connected to the right person. If they've no idea what you're talking about, you just avoided a scam.

    NB: this applies to everything. Bank account, utility service, the works.

  6. Acceptable... on Indian Government Threatens RIM, Skype With Ban · · Score: 5, Interesting

    The proper response from Google should be a simple "Your terms are acceptable.". Followed by all IP addresses assigned in India getting only a "403 Forbidden" page when accessing any Google service, and all search results leading to sites located in India or operated by Indian entities being removed from the listings. For extra Bastard points, all e-mail originating from Indian addresses gets rejected and all phone calls from India get a no-service tone.

  7. Re:Put the brakes on a level up on Flash Crash Analysis of May 6 Stock Market Plunge · · Score: 1

    All these suggested "fixes" are just plain silly. Does anyone really think they can come up with a single stock trading solution better than the organic evolution of thousand years of human experience with exchanging financial claims?

    Judging by the results of that organic evolution, I'd say "Yes.".

  8. Put the brakes on a level up on Flash Crash Analysis of May 6 Stock Market Plunge · · Score: 5, Insightful

    Instead of putting in fixes at the exchange level, put something in at the SEC regulation level so it applies to all US exchanges. And yes that'll stabilize foreign exchanges too. Think about supply and demand and what sellers do when prices drop in market A and don't drop (or don't drop as far) in market B.

    First option: bunch trades by time. Define a market tick, say 2 seconds. All trades that come in in a given tick get bundled together and executed as if they'd arrived in a random order at the end of the tick. The exchange is allowed to use any method to randomize and order the trades, the only rules are that the method can't be based directly or indirectly on the original arrival sequence or the original arrival time and the method can't give preference to any particular trader or type of trader. The bunching should have no effect on people who trade on timescales more than about 2x the tick, but makes trading on timescales less than the tick infeasible because the market simply won't execute your trade any faster than the tick.

    Second option: random delays. Define a market tick, say 2 seconds. All trades, as they arrive, have a random delay between 0 and the tick length calculated (same rules as option 1) and have their execution delayed by that much. You're guaranteed to have your trade executed within 1 tick of its arrival, but you can't know when within that 1 tick it'll actually be executed. Again the delay should have no effect on people trading on timescales larger than about 2x the tick, but trading on timescales less than the tick becomes infeasible.

    That should smooth out the noise caused by high-frequency trading without seriously impacting things for anybody who's not trading on sub-second intervals. And it avoids the whole quagmire of trying to ban every different way of doing high-frequency trading and seeing the HFTs try to find loopholes and methods you haven't banned yet by simply setting a time resolution for the exchanges below which everything's just random noise.
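As an added example (not part of the comment, and not any exchange's code), here is a simulation of both schemes described above, bunching by tick and random per-trade delay, run over a constructed set of five orders. It checks the two properties the comment relies on: no trade waits longer than one tick, and arrival order inside a tick is not preserved, so sub-tick timing buys nothing. Trade ids, arrival times and the seeding scheme are constructed for the example.

```python
# Added example: simulation of "bunch trades by tick" and "random delay".
# Constructed trades and seeds; not code from the comment or any exchange.
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Trade:
    trade_id: str
    arrival: float     # seconds since the session opened
    side: str          # "buy" or "sell"
    qty: int


# Constructed sample: three orders inside the first 2-second tick, two in the second.
SAMPLE: List[Trade] = [
    Trade("t1", 0.10, "buy", 100),
    Trade("t2", 0.50, "sell", 40),
    Trade("t3", 1.90, "buy", 250),
    Trade("t4", 2.10, "sell", 75),
    Trade("t5", 3.90, "buy", 10),
]

Schedule = List[Tuple[float, Trade]]   # (execution time, trade) in execution order


def bunch_by_tick(trades: List[Trade], tick: float, seed: int = 0) -> Schedule:
    """Option 1: everything arriving in one tick executes together at the end of
    that tick, in an order drawn from a seeded RNG, never from arrival sequence."""
    rng = random.Random(seed)
    buckets: Dict[int, List[Trade]] = {}
    for t in trades:
        buckets.setdefault(int(t.arrival // tick), []).append(t)
    schedule: Schedule = []
    for k in sorted(buckets):
        batch = list(buckets[k])
        rng.shuffle(batch)                 # independent of arrival order and time
        exec_time = (k + 1) * tick
        schedule.extend((exec_time, t) for t in batch)
    return schedule


def random_delay(trades: List[Trade], tick: float, seed: int = 0) -> Schedule:
    """Option 2: each trade is delayed by an independent draw from [0, tick]."""
    rng = random.Random(seed)
    timed = [(t.arrival + rng.uniform(0.0, tick), t) for t in trades]
    timed.sort(key=lambda pair: pair[0])   # stable sort; never compares Trade objects
    return timed


def max_latency(schedule: Schedule) -> float:
    """Worst-case gap between arrival and execution; both schemes bound it by one tick."""
    return max(exec_time - t.arrival for exec_time, t in schedule)


def fraction_reordered(trades: List[Trade], tick: float, trials: int) -> float:
    """Share of bunching runs in which the first tick's trades did NOT execute in
    arrival order. Strictly between 0 and 1 shows that sub-tick timing is noise."""
    first_tick = sorted((t for t in trades if t.arrival < tick), key=lambda t: t.arrival)
    expected = [t.trade_id for t in first_tick]
    reordered = 0
    for seed in range(trials):
        got = [t.trade_id for e, t in bunch_by_tick(trades, tick, seed) if e == tick]
        if got != expected:
            reordered += 1
    return reordered / trials


if __name__ == "__main__":
    for e, t in bunch_by_tick(SAMPLE, 2.0, seed=7):
        print(f"bunched  exec={e:4.2f}  {t.trade_id} arrived {t.arrival:4.2f}")
    for e, t in random_delay(SAMPLE, 2.0, seed=7):
        print(f"delayed  exec={e:4.2f}  {t.trade_id} arrived {t.arrival:4.2f}")
    print("reordered fraction:", fraction_reordered(SAMPLE, 2.0, 200))
```

Seeding the RNG from a counter rather than from anything about the trades is what keeps the ordering rule honest: the shuffle cannot be influenced by arrival time, arrival sequence or trader identity, which is the constraint the comment puts on "any method".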

  9. Re:Well, duh. on Google Street View Wi-Fi Data Includes Passwords, Email Content · · Score: 1

    I've met a few of those. Except that when I ask the obvious question "And just how does your wireless card communicate with the wireless access point?", after a pause it's usually "... by radio?". BINGBINGBINGBINGBING We have a winner! A failure to think for a moment doesn't excuse anyone.

  10. Re:Well, duh. on Google Street View Wi-Fi Data Includes Passwords, Email Content · · Score: 1

    That depends. All of my computers do in fact have the software installed to monitor and record all network traffic that arrives at their network interfaces, including the wireless interface. That even includes traffic on secure networks if I've got the keys to connect to those networks. I may not fire it up all the time, but it's one of those pieces of software (along with things like Firefox and Thunderbird) that I automatically install while I'm setting the system up.

  11. Re:Well, duh. on Google Street View Wi-Fi Data Includes Passwords, Email Content · · Score: 1

    No, they don't, no more than the people shouting on the streetcorner have any expectation of privacy. That wifi uses radio's well-known. That radio is a broadcast medium, that anyone with a receiver can listen in, has been well-known since before I was born.

  12. Well, duh. on Google Street View Wi-Fi Data Includes Passwords, Email Content · · Score: 4, Insightful

    Those people were transmitting those passwords and e-mails in the clear over a broadcast medium (ie. to everybody in range who was listening). Google was in range and listening and heard them. That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!": yes there's a problem, but it's not with the person who wrote the password down. It's with you, for thinking you can shout things in public and somehow miraculously have them remain private and confidential.

  13. Re:...so what? on Falsehoods Programmers Believe About Names · · Score: 1

    For #s 1-5, take my father as a simple case. Depending on who's talking, he can be either "Daniel" or "Tim". "Daniel" usually means the person doesn't know anybody else in my father's family (fairly reasonable, Dad lives in Nevada and the rest of his family's in Pennsylvania (the ones who're still alive, that is)). He gets called "Tim" by anybody he grew up around, because every male of that generation of his family got "Daniel" as a first name and inevitably went by their middle names or some abbreviation thereof to avoid endless rounds of "Daniel. No, the other Daniel. No, the other other Daniel.".

    Now, think about how many variations you can get on a name taking into account just various shortenings of first and middle name and the ways they can be combined (ie. first initial plus middle name vs. first name plus middle initial), and add in nicknames ("No, I'm just named 'Dweezil', I'm called 'Ed'."). Now account for changes in name (a friend of mine's on her fourth legal first plus middle name). And we haven't even begun to touch on changes due to marriage.

    And this is for ordinary (in the US) names. We haven't even begun to get into the rest of the world, or cultures who distinguish between what you call yourself, what people who know you call you, what strangers call you and what your name is (which we even have a bit of in the US, as in what my Mom said to an official who'd annoyed her: "My friends call me Patricia. You will call me Mrs. Knarr.").

  14. Re:Ormandy did exercise responsible disclosure on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 3, Informative

    Article ID: 2219475 - Vulnerability in Help Center could allow remote code execution. The related security advisory was first posted June 10th, and the KB article with the FixIt in it was first referred to on June 11th.

  15. Re:5 days spent trying to get a fix within 60 days on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 2, Interesting

    Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them. First rule of tactics: never ever tell your enemy what you plan to do and then turn around and give him time to organize a reaction to your plans. The only thing that gets you is jumped from behind by the ambushes your enemy's set up along the route you told him you'd be following. If your enemy won't negotiate, forgo the threats and simply proceed with the plans you made for that contingency.

  16. Re:Ormandy did exercise responsible disclosure on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Had he kept his mouth shut, your systems would be safer.

    No, my systems would not have been safer. They would have been just as vulnerable to attack, and attackers would have been just as likely to be exploiting the vulnerability. If a vulnerability exists, you should assume that if you know about it the bad guys are 100% likely to know about it and 100% likely to be actively attempting to exploit it. The only difference is that, if this disclosure hadn't happened, I wouldn't know I needed to check whether my systems are in fact vulnerable (they aren't, because I've disabled the service the vulnerability exploits) and wouldn't know what steps I could take to secure them until Microsoft released a fix. Nor would I even necessarily know when Microsoft fixed the problem. They could very well (as they've already been shown to have done) back-doored the fix into another update and not made any explicit mention of it, leaving me open to the very real possibility of leaving myself vulnerable because I looked at the description of the update, saw that it didn't address anything that affected me immediately (eg. it fixes a remotely-exploitable vulnerability in a service I don't run or have blocked at my firewall), classified it as low priority and put off installing it.

  17. Re:Ormandy did exercise responsible disclosure on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Yep. And he followed Google's policies. Microsoft failed to comply with responsible disclosure by refusing to commit to fixing the bug, at which point Ormandy followed responsible disclosure rules by disclosing the vulnerability through proper channels. Note that that is the "disclosure" part of "responsible disclosure". Much as Microsoft might wish otherwise, responsible disclosure does not mean "Let the vendor leave the vulnerability in place while denying any vulnerability exists.".

  18. Re:Responsible disclosure? on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 0

    Because he told Microsoft privately about it, and Microsoft refused to even discuss when they'd be fixing it. Which basically translates to "We have no intention of fixing it. Nobody knows about it, so we won't suffer any penalty for leaving it unfixed.". To them the problem isn't the technical one of the bug existing, it's the PR one of their users knowing it exists. They want to "fix" the problem not by fixing the bug but by ensuring their users continue to not know about it.

    Well, now we know about it, so Microsoft has no choice but to actually fix it. They could've avoided the whole black eye by simply agreeing to fix it in the first place, but no they had to take the embarrassing route instead. To quote my dad, "See this? This is the world's smallest violin, playing the world's saddest song, just for you.".

  19. Re:Ormandy did exercise responsible disclosure on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 4, Insightful

    Yes, Microsoft's rules for "responsible disclosure" are undoubtedly "Don't mention this to anybody. Ideally including us. Just shut up and ignore the problem.". But that's not the definition of responsible disclosure the rest of us use, and Microsoft isn't the one who sets the rules for the rest of us. Unless Microsoft can pull out a signed contract where Ormandy agreed to abide by their rules, and I doubt they can.

  20. Re:Microsoft: are you pleased with yourself? on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 5, Informative

    Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.

  21. Ormandy did exercise responsible disclosure on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 5, Insightful

    Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

  22. Or it could just be a common cause on Video Games Linked To Reckless Driving · · Score: 1

    It could just be that the kind of reckless idiot who drives dangerously also likes to drive dangerously in his video games. The link isn't between the video game and the reckless driving, it's between the basic recklessness and the behavior in both games and driving.

  23. Re:One question, though... on Google Tells Congress It Disclosed Wi-Fi Sniffing · · Score: 1

    Sorry, but 802.11a/b/g/n uses radio. Radio is a broadcast medium. Once the signal's in the air, any receiver can pull it in and listen to it. That you intend it to only be for a specific recipient doesn't change the fact that the signal's broadcast to everyone who's listening and you don't know who's listening. If you don't want your transmission to be broadcast, don't use a broadcast medium.

  24. Re:One question, though... on Google Tells Congress It Disclosed Wi-Fi Sniffing · · Score: 1

    I don't even bother asking that question. I assume that if I'm broadcasting it, someone will be listening to it and that someone will be who I least want listening in. That may or may not be the case, but by the time I know for sure it'll be too late so I'd better assume the worst from the start. I can see why people have concerns, but it simply boggles me that those people are, quite bluntly, blabbing their deepest darkest secrets in front of an audience of hundreds and are then surprised when hundreds of people know their deepest darkest secrets. I know it happens, I simply cannot wrap my head around the concept of someone so utterly oblivious.

  25. Re:One question, though... on Google Tells Congress It Disclosed Wi-Fi Sniffing · · Score: 1

    Nope. I know Google would like to riffle through my e-mail. That's why, while I have a Google Mail account, I don't use it for sensitive things like banking that I don't want going into Google's database. When I'm deciding what e-mail address to give people, I ask myself what's going to be going across it and choose one with an appropriate level of protection.