Friday, June 27, 2014

About email.

Email (which is shorthand for electronic mail) is broken. The current model can't be fixed. It needs to be tossed, and we need to start over.

Way back when email was first conceived in the 1960s, it only involved very small groups of people. Basing it on the paper mail model wasn't really a problem. When I got my first email address back in the 80s, there were probably only a few hundred thousand others with addresses. No one worried about spam in their email. There was a system called Usenet that was email's baby cousin. It was the earliest type of message board. There were groups dedicated to discussions of particular topics, and the name of the group described the topic. I used to read a Usenet group called comp.os.unix. It had discussions on the Unix operating system, and it was just as thrilling as it sounds. There were lively discussions, and since techies tend to get worked up over their particular favorite whatever, there were more than a few flame wars. In the late 80s, a little bit of spam started showing up in Usenet, but it was still unheard of in email. Even Usenet spam was pretty harmless. It was mostly people hyping their latest brilliant idea or trying to get people to post on other Usenet groups.

The problem began with AOL (America Online). In the 90s, they connected their walled garden to the internet and the floodgates opened. Not surprisingly, it was child pornography that gave birth to the first amateur spam. People used to put their email addresses on their Usenet posts so that discussions could be carried on offline, or people could contact one another for collaborations, or a number of other legitimate reasons. Suddenly, all over Usenet, even in groups like comp.os.unix, posts like this started showing up:

Where is the kiddie porn? Can you tell me?

Invariably, the poster would have an aol.com address. Remember that AOL was host to some of the biggest child porn rings in the world. Ever. The porn trollers would harvest email addresses from everyone who ever posted in the group. A short time later, posts like this started showing up:

WTF?! I just got 10 email messages from aol.com addresses asking me if I knew where to find the kiddie porn.

In response to all of the requests, purveyors of all kinds of porn started flooding newsgroups with links and addresses. Pretty soon, anyone who had used their real email address found their inbox bombarded with porn spam. Everyone had to stop using their real email addresses. By the way, Usenet is a wasteland now. Completely lost to porn and unsanctioned downloads. The social, technical, and religious discussion groups are nothing but spam buckets now.

And that's what's wrong with email. Anyone who has your email address can send you anything they want to. Not only that, but anyone who has your email address has the ability to track where your emails come from and where they are going to. And, if you aren't using a secure transport between your computer and the email server, anyone can see what your emails say. That brings us to the most villainous aspect of email, the email server. The server represents a trusted third party that you believe will have your best interests at heart and will protect your privacy. As we have discovered lately, that trust is largely unfounded. The government doesn't even need a very good reason to demand your emails from the owner of the server, and they are all too willing to give them up. Too many email servers are ridiculously easy to hack, giving access to your emails to whichever creepy-crawly happens to stumble upon them.

So, there are four aspects of email that have to be fixed:

1. Your email address needs to be private and only accessible to those who you allow to have it.
2. There can be no "trusted" third party involved in storing or delivering your emails.
3. Your emails need to be absolutely untraceable.
4. Your emails need to be encrypted, end to end, using strong cryptography.

There are providers who try to address these issues, but it's all just icing on the poop cake. They offer all sorts of spam filtering, but the problem is that they accepted the spam on your behalf, and even worse, sent it to you so it could fall into your very own spam bucket, which you have to scour every once in a while to make sure nothing you wanted accidentally fell in there. If, instead of accepting the mail in the first place, they bounced it, especially from known spammer origins, spam would fall off very quickly. But, they can't do that because they don't know what you want and don't want. That's because they have to honor the broken "trust" relationship with you. Google is going to offer end-to-end encryption for gmail. It's a step in the right direction, and it goes a long way toward allowing them to tell the government to take a hike when it comes calling, but the problem is that your email, at some point, resides on their server, and the server knows where it came from and where it is going to. That, in itself, is enough to tell a fourth party a lot about your emails. None of the provider solutions can address item 2 because it takes them out of the loop. And if they can't address item 2, then there is nothing they can do about item 3.

The good news is that there are several people working on solutions. I'll have more about that in future posts.

Saturday, June 21, 2014

On Security

Sorry for not posting for a while. I've been wandering around in techie-land for a bit.

I've always thought that online security is important. I've also always taken a decidedly lazy approach to it. I used eight character passwords that were dictionary names with a few letter-to-number transpositions. I didn't always pay attention to whether I was using a secure interface when I set up an email account. I didn't pay attention to whether or not the web pages I was looking at were secure.

It was the Edward Snowden incident that really started to wake me up. If you don't know, Edward Snowden is an ex-NSA counterintelligence specialist who leaked thousands of classified documents on the NSA's domestic spying programs. You can read about it here. It woke me up. I'm typing this fully aware that once Google crawls this page, an NSA droid somewhere has added my blog to a list of sites mentioning Snowden. This post isn't about what I think of what Snowden did. Maybe I'll address that later.

So, some reflections on online security...

Usernames and passwords are part of a completely broken security system. They date back to the early days of computing. We have made gigantic leaps forward in technology, but we're still using an antiquated system for you to prove to a computer that you are who you say you are. It was an OK system back then because A) people were more honest, and B) computers just weren't powerful enough to run a brute force attack to crack a password in a reasonable amount of time. These days, things are different. Passwords are cracked all of the time. There are better ways for you to prove your identity, and the really sad part is that they have been around for quite a while.

The most prevalent method is to use a cryptographic key. It works like this. You create a secret key and a public key. Think of them like keys to a lock box that holds messages. Anyone can use your public key to put a message in the box, but only you can take them out using your secret key. In public key authentication (a techie term for using your public key to prove who you are), you give your public key to the internet entity you want to contact (your bank, your Amazon account, etc.). Then, when you contact the site, you present your key. The site looks to see if it has a record of your key, and if so, it sends you a message using it. You prove that you can read the message by using your secret key and telling the web site what it said. The keys are very long strings of random data. For all intents and purposes, they can't be cracked any time during the remaining lifespan of the universe. A similar way to prove who you are is with digital certificates. They work in a way similar to public keys, but they involve a trusted third party that certifies that you are who you say you are.

Another way that has been around for quite a while, but never seemed to gain traction, is the zero knowledge proof (ZKP). In the ZKP system, you have a secret that you share with the website, kind of like a password, but more complex. You never send the secret to the website after you initially share it. When you go to the site and log in, the website will ask your browser indirect questions that will prove that your browser knows the secret. Once the browser proves that it knows the secret, the website lets you in. Because no passwords are exchanged, they can't be phished or cracked. The questions that the website asks your browser are different every time, so no one can listen in and use the last set of questions that were asked.
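The public key login described above (the site encrypts a message to the key it has on record, you open it with your secret key and tell the site what it said), written out as an added Go example. This is not code from the original post; the "site" is an in-memory map of enrolled keys, and the user name "alice", the OAEP label "login-challenge", the 2048-bit RSA key size and the 32-byte random message are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// label ties each ciphertext to this one purpose (assumed value for the example).
var label = []byte("login-challenge")

// Server stands in for the web site: it keeps only public keys, one per user.
type Server struct {
	enrolled map[string]*rsa.PublicKey
}

// NewKeyPair is the user's one-time setup: a secret key and its public half.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Enroll records the public key the user hands to the site.
func (s *Server) Enroll(user string, pub *rsa.PublicKey) {
	if s.enrolled == nil {
		s.enrolled = make(map[string]*rsa.PublicKey)
	}
	s.enrolled[user] = pub
}

// Challenge picks a fresh 32-byte random message, encrypts it to the key on
// record and returns both the ciphertext to send and the plaintext to expect.
func (s *Server) Challenge(user string) (ciphertext, expected []byte, err error) {
	pub, ok := s.enrolled[user]
	if !ok {
		return nil, nil, fmt.Errorf("no public key on record for %q", user)
	}
	expected = make([]byte, 32)
	if _, err = rand.Read(expected); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, expected, label)
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, expected, nil
}

// Respond is the client's side: only the matching secret key can open the box.
func Respond(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, label)
}

// Verify compares the answer with the expected message in constant time.
func Verify(expected, answer []byte) bool {
	return subtle.ConstantTimeCompare(expected, answer) == 1
}

// RunLogin plays one full exchange and reports whether the holder of priv got in.
// A key that cannot open the challenge is simply a failed login, not an error.
func RunLogin(srv *Server, user string, priv *rsa.PrivateKey) (bool, error) {
	ciphertext, expected, err := srv.Challenge(user)
	if err != nil {
		return false, err
	}
	answer, err := Respond(priv, ciphertext)
	if err != nil {
		return false, nil
	}
	return Verify(expected, answer), nil
}

func main() {
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	srv := &Server{}
	srv.Enroll("alice", &alice.PublicKey)

	ok, _ := RunLogin(srv, "alice", alice)
	fmt.Println("alice with her own secret key admitted:", ok)

	other, _ := NewKeyPair() // a different secret key, same claimed user name
	ok, _ = RunLogin(srv, "alice", other)
	fmt.Println("someone else claiming to be alice admitted:", ok)
}
```

Deployed protocols such as SSH public key authentication have the client sign a challenge rather than decrypt one, and they bind the challenge to the current session so that a captured answer is useless anywhere else; the encrypt-and-decrypt form here follows the post's description of the idea.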
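The "indirect questions" of the ZKP login above, shown concretely with Schnorr's identification protocol on the standard library's P-256 curve. This is an added example, not the post's code and not any particular deployed login scheme: the site stores only the public point Y = x*G at enrollment, the browser never sends x, each login uses a fresh commitment and a fresh random challenge, and the Simulate function shows why a recorded transcript proves nothing to anyone who was not choosing the challenge. The group choice, the 32-byte scalar width and the function names are assumptions of the example.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

// The group: NIST P-256 from the standard library. G is its base point, N its order.
var curve = elliptic.P256()

// Point is an affine point on the curve.
type Point struct{ X, Y *big.Int }

// scalarBytes fixes a scalar to the 32-byte width the curve expects.
func scalarBytes(k *big.Int) []byte { return k.FillBytes(make([]byte, 32)) }

// randScalar draws a uniform value in [1, N).
func randScalar() (*big.Int, error) {
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	if err != nil {
		return nil, err
	}
	return k.Add(k, big.NewInt(1)), nil
}

// Enroll is the one-time sharing step: the user keeps x, the site stores only Y = x*G.
func Enroll() (x *big.Int, pub Point, err error) {
	if x, err = randScalar(); err != nil {
		return nil, Point{}, err
	}
	px, py := curve.ScalarBaseMult(scalarBytes(x))
	return x, Point{px, py}, nil
}

// Prover is the browser side; it holds the secret x and the per-login nonce r.
type Prover struct{ x, r *big.Int }

func NewProver(x *big.Int) *Prover { return &Prover{x: x} }

// Commit starts a login: a fresh r, and the commitment T = r*G sent to the site.
func (p *Prover) Commit() (Point, error) {
	r, err := randScalar()
	if err != nil {
		return Point{}, err
	}
	p.r = r
	tx, ty := curve.ScalarBaseMult(scalarBytes(r))
	return Point{tx, ty}, nil
}

// NewChallenge is the site's "indirect question": a random c, different every login.
func NewChallenge() (*big.Int, error) { return randScalar() }

// Respond answers with s = r + c*x mod N; x itself never leaves the browser.
func (p *Prover) Respond(c *big.Int) *big.Int {
	s := new(big.Int).Mul(c, p.x)
	s.Add(s, p.r)
	return s.Mod(s, curve.Params().N)
}

// Verify checks s*G == T + c*Y, which holds only if the answer was built from x.
func Verify(pub, commit Point, c, s *big.Int) bool {
	lx, ly := curve.ScalarBaseMult(scalarBytes(s))
	cx, cy := curve.ScalarMult(pub.X, pub.Y, scalarBytes(c))
	rx, ry := curve.Add(commit.X, commit.Y, cx, cy)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

// Simulate builds a transcript that verifies without knowing x by choosing c and s
// first and solving T = s*G - c*Y. That is the zero-knowledge property: a transcript
// someone listened in on proves nothing, and it cannot be replayed because the site
// picks a new c each time.
func Simulate(pub Point) (commit Point, c, s *big.Int, err error) {
	if c, err = randScalar(); err != nil {
		return Point{}, nil, nil, err
	}
	if s, err = randScalar(); err != nil {
		return Point{}, nil, nil, err
	}
	sx, sy := curve.ScalarBaseMult(scalarBytes(s))
	cx, cy := curve.ScalarMult(pub.X, pub.Y, scalarBytes(c))
	negY := new(big.Int).Sub(curve.Params().P, cy) // -(c*Y) is (x, P - y)
	tx, ty := curve.Add(sx, sy, cx, negY)
	return Point{tx, ty}, c, s, nil
}

func main() {
	x, pub, _ := Enroll()
	p := NewProver(x)
	commit, _ := p.Commit()
	c, _ := NewChallenge()
	fmt.Println("honest login accepted:", Verify(pub, commit, c, p.Respond(c)))
	c2, _ := NewChallenge()
	fmt.Println("old answer to a new question accepted:", Verify(pub, commit, c2, p.Respond(c)))
	t, sc, ss, _ := Simulate(pub)
	fmt.Println("simulated transcript verifies:", Verify(pub, t, sc, ss))
}
```

The crypto/elliptic big.Int API is used here for readability; it is marked deprecated in recent Go releases in favour of constant-time implementations, which is what a real deployment would use.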

A lot of people think that because they can't see their internet traffic, neither can anyone else. Once again, the whole internet system was invented (not by Al Gore) a long time ago. Even though it was initially built by the defense department, no serious thought was given to securing what traveled over the wires. The people who built it never imagined what it would become. Only in the last few years have people begun to take security of the lowest levels of the internet seriously. The Snowden incident has accelerated that. There will be more attention paid to things like encryption (hiding things in secret codes) and traffic analysis (snooping to find out who is talking to whom and how). That's a good thing. A lot more commercial websites will start to use secure interfaces. Does your browser say http, or does it say https? It matters. Secure transports use the cryptographic key system I described above to turn all of the information that goes over the internet into random gibberish that can only be decoded by the parties on either end of the traffic. No one can listen in on the conversation, including the NSA.

The email system is probably the most broken thing on the internet. It is based on a simple but archaic system, regular mail (sometimes known as snail mail). You give someone your address, and then they can send you messages. Sadly, so can the evil bastards who generate junk mail. The email system has the same problem, and it adds additional problems to the mix. An email message can have browser links in it. If you click on the link, it will send your browser to some location on the internet. That location could have malware (viruses and other bad juju), and if you are using a defective browser (in other words, Internet Explorer), you run the risk of putting a virus on your computer without knowing it. Also, most email is not sent over a secure transport. With snail mail, it's not likely that someone is going to open up random letters and read them for nefarious purposes. With email, it happens all of the time. With snail mail, you would probably know if it happened. With email, you don't. I am very sure that at least half of the people who read this post have had an email intercepted for one reason or another. And finally, the most infuriating aspect of email is spam. With snail mail, you might get half a dozen or so junk letters in a week. With email, you can (and will) get hundreds per day. Spammers have no shame, and they use automation to flood inboxes everywhere with crap. Spammers know about security, though, and they can hide their tracks. Evil bastards. Once again, using things like public key encryption (like I described above), no one would be able to track or intercept your emails. Using keys, certificates, and another kind of cryptographic identity called digital signatures, no one can fool you into believing that they are someone else.

Security is important. Instant information can lead to instant destruction of your privacy. Think about it next time you log into a site using "SusieQ" as your username and "happy1" as your password.