Keeping email private…

Whenever one of the market-anointed tech titans speaks, people start to pay attention to their privacy… or lack thereof. In this instance, the question received regarded email, asking about alternatives to Microsoft & Google offerings, as compared to a Swiss service ProtonMail. Get your beverage(s) ready, this is going to be a long one.

Disclaimer: I am not a lawyer, and I did not sleep in a Holiday Inn Express last night. This discussion is relative to my understanding of United States Laws and court decisions. Your mileage may vary. 

First – how much inconvenience are you willing to suffer to keep your email private? What are you willing to pay?

On the surface, ProtonMail (which prides itself on end-to-end encryption, and on being based in Switzerland) seems like the obvious winner, since there’s a free version. But there are issues here. First is the recently passed CLOUD Act (Clarifying Lawful Overseas Use of Data Act, HR 4943, signed into law March 23, 2018) which allows for bilateral treaty-based exchange of overseas data between signatories. Note there is already such a treaty in existence with Switzerland. Proton’s oft-stated “we only store encrypted data” claim is only good to the extent a user is not otherwise compelled to give up a password… or that the encryption is as described. Further, the only interface allowed to Proton is via web browser…

Gmail/Hotmail etc – “free” or “paid” – your email is going to be read by robots, mostly looking for advertising ‘bait’ or to build a better profile… (more on this later). Of course, these offerings win on convenience, and of course “free!”

Finally, there’s “roll-your-own” email. Invest in a server, configure your own email, have your own custom address pool, make your own filters and blocks, set auto-replies, run email lists… in simple terms, do everything the big boys can, but in your own way. All the mission-critical email for me has run on my own email server for more than twenty years. I use Gmail as a convenience, and am forced to use Outlook by various clients.

Now – let’s look at the legal implications on privacy, for the three offerings above. In the US, email privacy is governed by two major acts: the aforementioned CLOUD Act, and the ECPA (Electronic Communications Privacy Act, 1986). Most email communications fall under the [ancient] ECPA guidelines (assuming the email is stored in the US).

The ECPA defines five types of communication for email. Three of those types require a warrant for access; two require a subpoena. Subpoenas are routinely issued by lawyers in the name of the court; penalties may be assessed for non-compliance. Warrants are issued by a judge, have stringent requirements for issuance, and are usually enforced by police agencies.

The ‘warrant required’ types of communications are: email in transit, email stored on a home computer, and email in remote storage, unopened, stored for 180 days or less.

The subpoena required types of communications are: email in remote storage, opened, and email in remote storage, unopened, stored for more than 180 days.

I run a combination server – it is IMAP when I’m away from home, and POP3 when I’m home. In simple terms – during a work day outside the house, or while travelling, I’m running the server in much the same mode as one does with any web-based system. The email is available via remote access (remote storage in ECPA terms). When I’m home, I have a POP3 client which downloads the email to a home computer, and erases that mail from the server.

In this mode, my critical email is always in the warrant-required states per the ECPA. Warrants are issued under standards more than 200 years old – it must be based on probable cause, describe the place or person to be searched, and for what evidence the search is being requested; all under oath or affirmation to a judge or magistrate. I feel reasonably secure.
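To make the five ECPA categories and the IMAP-away/POP3-at-home workflow concrete, here is a small model written for this post. It is an added example, not the author’s code or legal advice: the category labels and the 180-day boundary are taken from the summary above, and the mailbox contents are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Process labels as the post summarises them; this is a constructed model of
# that summary, not legal advice.
WARRANT = "warrant"
SUBPOENA = "subpoena"
REMOTE_UNOPENED_LIMIT_DAYS = 180   # "180 days or less" stays on the warrant side


@dataclass
class Message:
    location: str     # "transit", "home" (downloaded to a home computer) or "remote" (on the server)
    opened: bool
    stored_on: str    # ISO date the message entered storage; ignored for "transit"


def required_process(msg: Message, today: str) -> str:
    """Return which legal process the post says applies to one message."""
    if msg.location in ("transit", "home"):
        return WARRANT
    if msg.location != "remote":
        raise ValueError(f"unknown location: {msg.location!r}")
    if msg.opened:
        return SUBPOENA
    days_stored = (date.fromisoformat(today) - date.fromisoformat(msg.stored_on)).days
    return WARRANT if days_stored <= REMOTE_UNOPENED_LIMIT_DAYS else SUBPOENA


def pop3_download(server: list, home: list) -> None:
    """Model the 'delete after download' POP3 step the post describes:
    everything on the server moves to the home computer and leaves remote storage."""
    for m in server:
        home.append(Message("home", m.opened, m.stored_on))
    server.clear()


def exposure(server: list, home: list, today: str) -> dict:
    """Count how many messages currently sit in each process category."""
    counts = {WARRANT: 0, SUBPOENA: 0}
    for m in server + home:
        counts[required_process(m, today)] += 1
    return counts


if __name__ == "__main__":
    # Constructed mailbox: two old unopened messages and one opened message on the server.
    today = "2018-04-01"
    server = [Message("remote", False, "2017-10-03"),   # exactly 180 days old
              Message("remote", False, "2017-10-02"),   # 181 days old
              Message("remote", True, "2018-03-30")]
    home = []
    print("IMAP mode (away from home):", exposure(server, home, today))
    pop3_download(server, home)
    print("after POP3 download at home:", exposure(server, home, today))
```

Running it shows the point of the workflow: while the mail sits on the server, the opened message and the 181-day-old one are in subpoena territory; once the POP3 client pulls everything home, all three are back in the warrant-required state.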

Hope this helps the decision matrix.

ps – Gmail’s robots really kick in after about 200 emails are in the account. Want to baffle the builder? Set Gmail to operate in POP3 mode (delete after download) and watch the fun. (Running NoScript and disabling the Google Stats scripts also screws up the profile builder).

A word on doing work for “exposure:”

NO.

That’s it, just say NO.

If the work is sufficiently complex to require special skills (yours) then it’s of sufficient value to the client to get paid.

I recently went through this dance. A prospect got in touch via email (referral from various sources), then we did some phone tag, several conference calls, a ream or more of additional email, and then a meeting was arranged.

For me, it was a two-hour drive early in the morning (I’m a night owl) to a breakfast meeting in a diner. Got there, and things started downhill almost immediately. The client principal wasn’t in attendance even though she would have to approve any ‘deal.’ The talk quickly turned to my doing this for ‘exposure’ (sorry, No); then well “you do the design and if we like the design then you can bid on the job and if you’re the winner you get paid after the job is all done.”

NO.

Not playing that game… time to leave. They wanted a ‘ball-park’ figure; I gave them one, and then added that it would of necessity be much higher should they return in a few months – disgruntled people are much more difficult clients. When they told me it wasn’t likely, I wished them success – with all those other consultants they’d tracked down for this sort of work.

My exit was made in silence, at least from that group. I expect they’ll be back, and my answer will, for them, always be NO.

End result – I think I’m going to have to start charging for prospect meetings, especially if the prospect isn’t used to dealing with custom software.

Phish story

Boy howdy this one was good… but not quite good enough.

The back story – I am teaching a class on Content Management Systems. To help support the class, I registered several domains using the course name and number… cisy222.net, .us, .org, .com.

Getting ready for the class I went ahead and configured a multisite WordPress installation on cisy222.net (hosted here on the spareparts box). After deciding to use siteground.com as the freeware hosting supplier for the course (they offer 3 months’ free service for students) I then moved cisy222.us over to siteground.

In order to move the domain over to siteground, I had to change the authoritative nameservers to siteground (common limitation on low-end hosting), and that generated a routine alert message from the registrar.

So far, so good.

Then came the phish, a day later. Disguised as a status alert message from the registrar, this suggested that the nameservers were being changed for a different (but related) domain: cisy222.net. Yikes! So I went and signed in to the registrar (not using the convenient link in the email) and everything looked fine.

So I went back and studied the email a bit.

It was a phish.

But well-executed, Russian in origin, reasonably convincing, and I could see it being successful in many cases.

Don’t ever ever EVER click the link in an email without careful study first. 
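“Careful study” of a link can be partly automated. The script below is an added example (not the author’s tooling) that pulls every link out of an HTML mail body and flags the signs seen in this phish: a target host that is not under the registrar’s own domain, visible text that names one domain while the href goes somewhere else, and a non-HTTPS scheme. The registrar name, the lookalike host and the sample mail are all constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: real tooling should consult the Public Suffix List instead
    (two-label suffixes such as co.uk are not handled here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def audit_links(mail_html: str, expected_domain: str) -> list:
    """Flag every link whose target is not under the registrar's domain, whose
    visible text names a different domain than the href goes to, or that is not HTTPS."""
    collector = LinkCollector()
    collector.feed(mail_html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if registrable(host) != expected_domain.lower():
            reasons.append(f"target host {host!r} is not under {expected_domain}")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(host):
            reasons.append(f"text shows {shown.group(0)!r} but link goes to {host!r}")
        if parts.scheme != "https":
            reasons.append(f"scheme is {parts.scheme!r}, not https")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample resembling a nameserver-change alert; the registrar name
# and the lookalike host are invented placeholders, not real sites.
SAMPLE_EMAIL = """
<p>The nameservers for <b>cisy222.net</b> are being changed. If you did not
request this, <a href="http://example-registrar.com.dns-verify.example/login">
https://example-registrar.com/account</a> to cancel.</p>
<p>Questions? See our <a href="https://www.example-registrar.com/support">support page</a>.</p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, "example-registrar.com"):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

The first link trips all three checks; the second, pointing at a host under the registrar’s domain, passes. The check is deliberately conservative: it cannot prove a link is safe, only surface the mismatches that the author caught by eye.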

Dear web-design fiends:

Please check spelling and use the appropriate words when putting up your portfolio sights… if you want future work.

It happened again. In the course of my work, I’ll run across a small business or non-profit in desperate need of a website refresh. I then refer the business to a former student (many of whom have completed web-development classes), and both are happy.

But not this time… because of a simple spelling error. Actually, the word is correctly spelled, but it’s the wrong word – “bare with me” is not the same as “bear with me” – and given the basic purpose of a website is to communicate – it’s a major failing.

Quality has to extend to all the parts… or what’s the point?

Why I block Javascript.

This subject surfaces from time to time, especially when I’m conversing with the bleeding-edge web design community. “You do WHAT?” followed by a lot of strange looks and laughter is the typical reaction. Then I’m told all about how JavaScript has been “modernized” and “browsers are sandboxed” and other nice things.

I run a variety of browsers; the current desktop has Firefox (with NoScript); Chrome; IE 4; IE 6; IE 8; and Lynx. Most of the time I browse with Firefox/NoScript. Yep, it slows me down, and there’s the minor annoyance of having to set temporary JavaScript execution privileges. This post will attempt to explain why I do things the way I do. Standard disclaimers apply.

First two-word explanation: Zeus Trojan.

The Zeus Trojan is a password-stealer which is usually deployed via JavaScript malware which was introduced to the victim by way of an infected website. As JavaScript has “matured” it also allows for much-improved obfuscation and cross-linking and all sorts of nice ways to operate an attack vector dynamically (to the point where most Zeus variants check location data and refuse to infect systems in certain countries).

For US-based small business (and local government) there is no protective cap on money stolen via identity fraud – and this is the standard use of Zeus. Once the credentials are acquired the thieves can empty a bank account in a matter of hours – and there is no legal recourse against the bank. The money is gone; the victim is not going to get it back.

A part of my professional practice deals with security – no, I’m not going to enter a forum with all the scripts executing. I only look foolish.

…and as I’m writing this post, in over the transom flies this notice – Google has awarded $60,000 as a prize in the Pwnium competition, for a method to overcome Chrome’s “sandbox” feature and run code on a fully-patched Windows 7 system. All that is necessary is for someone to browse to an infected website – viewing the page is sufficient to load and execute the payload. A little bit of JavaScript acts as an enabler – there’s no need to bother with an exploit attempt if the browser is something else.

Another reason not to automatically run JavaScript is a common Facebook malware attack – the click-jacking survey scams which pop up several times a day. Click-jacking is a specialized attack vector on Facebook which works by having the victim click on a link – which leads to a survey – and also “spams” the link as a status post from the victim. If you run with JavaScript enabled you’re usually taken straight over to the payload page – which is typically a survey… but it might be something worse.

By not running JavaScript I get stuck on the interstitial dispatch page; this is where the Facebook click-jack link leads; and this page contains various JavaScript functions to identify the victim. Typical contents of these pages include a bit of geolocation which is used to decide which survey to play. From time to time, I see ones where the dispatch code includes a mechanism to reject the entry if location appears to be in .ru, .ua, .by or .ge – authorities in these countries only track cybercrime if local users are affected. Generally speaking, if the interstitial page contains the ru-ua-by-ge code, the payload page is loading something other than a simple survey.
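The “ru-ua-by-ge code” is a recognisable fingerprint, and with scripts blocked the dispatch page can be read offline before deciding anything. The following is an added example, not the author’s code, of a heuristic scan over a saved page: it extracts each inline script and reports those that combine a geolocation lookup, a redirect, and two or more of the excluded country codes as string literals. Both sample pages are constructed; the hostnames and the `geoip_country_code` helper name are invented stand-ins.

```python
import re
from html.parser import HTMLParser

# Country codes the post says the dispatch code refuses to serve.
EXCLUDED_CODES = {"ru", "ua", "by", "ge"}


class ScriptCollector(HTMLParser):
    """Pull the text of every inline <script> element out of a saved page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


TWO_LETTER_LITERAL = re.compile(r"""["']([A-Za-z]{2})["']""")
GEO_HINT = re.compile(r"geoip|country|geolocation|timezone", re.I)
REDIRECT = re.compile(r"\b(?:window|document)\.location\b|location\.(?:href|replace|assign)", re.I)


def analyze_dispatch_page(page_html: str) -> dict:
    """Report scripts that look like a geo-gated dispatcher: a location lookup,
    a redirect, and at least two of the excluded country codes in one script."""
    collector = ScriptCollector()
    collector.feed(page_html)
    suspicious = []
    for index, script in enumerate(collector.scripts):
        codes = {m.group(1).lower() for m in TWO_LETTER_LITERAL.finditer(script)}
        hits = sorted(codes & EXCLUDED_CODES)
        geo = bool(GEO_HINT.search(script))
        redirect = bool(REDIRECT.search(script))
        if len(hits) >= 2 and geo and redirect:
            suspicious.append({"script_index": index, "codes": hits})
    return {"scripts": len(collector.scripts), "suspicious": suspicious}


# Constructed page in the shape the post describes; the lookup function and
# the survey host are invented placeholders.
DISPATCH_SAMPLE = """
<html><body><script>
var cc = geoip_country_code();   // stand-in for whatever geolocation lookup the page uses
if (["ru", "ua", "by", "ge"].indexOf(cc) !== -1) {
  document.body.innerHTML = "Not available";
} else {
  window.location = "https://survey.example/start";
}
</script></body></html>
"""

# Constructed benign page: a language switcher also redirects on a two-letter
# code, but names no excluded country and does no geolocation lookup.
BENIGN_SAMPLE = """
<html><body><script>
var lang = navigator.language.slice(0, 2);
if (lang === "fr") { window.location.replace("/fr/"); }
</script></body></html>
"""

if __name__ == "__main__":
    print(analyze_dispatch_page(DISPATCH_SAMPLE))
    print(analyze_dispatch_page(BENIGN_SAMPLE))
```

The benign language switcher is included on purpose: a redirect keyed on a two-letter string is common and harmless on its own, so the heuristic only fires when the excluded-country list and a geolocation lookup appear together.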

But security isn’t the only reason to avoid JavaScript.

Second two-word answer: Existing Investment.

This probably comes as a shock to many web designers – but companies don’t rush right out and buy the latest technology just because it got a great writeup on reddit or slashdot or wherever, or even if it’s the best seller on Amazon or the Apple store. There are a lot of systems out there with no capacity to execute JavaScript (embedded devices) or where internal policies discourage its use. I’ve been writing web-apps for more than a decade which require no JavaScript or even cookies on the browser in order to maintain state… and I know that some of these clients are not going to change those devices or policies for at least several years. Have you discarded your car simply because its OBDC works at a glacial 1200 bits/sec on a serial port?

Not executing JavaScript allows me to see how these clients perceive the “outside world” and thus better understand their mindset. It is very interesting to see which major companies’ websites are still functional without JavaScript (although not all the bells and whistles may work).
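One way to keep state across requests with neither JavaScript nor cookies is to carry it in a hidden form field and bind it with an HMAC so that a client editing the field is caught on the next request. This is an added example written for this post; it is not the author’s technique or code, and the secret key, the form layout and the `/wizard` action are constructed placeholders.

```python
import base64
import hashlib
import hmac
import html
import json
from typing import Optional
from urllib.parse import parse_qs

# Constructed demo key; a real application loads this from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # hex characters kept from the SHA-256 HMAC (128 bits)


def pack_state(state: dict) -> str:
    """Serialize the per-request state and bind it with an HMAC tag."""
    raw = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{body}.{tag}"


def unpack_state(token: str) -> Optional[dict]:
    """Return the state if the tag verifies, otherwise None (treat as a fresh start)."""
    body, sep, tag = token.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    padded = body + "=" * (-len(body) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


def render_step(state: dict, prompt: str) -> str:
    """A plain HTML form: the state rides in a hidden field, no cookie and no script."""
    return (
        '<form method="post" action="/wizard">'
        f'<input type="hidden" name="state" value="{html.escape(pack_state(state))}">'
        f'<label>{html.escape(prompt)} <input name="answer"></label>'
        '<button type="submit">Next</button></form>'
    )


def handle_post(body: str) -> Optional[dict]:
    """Process one submission: verify the carried state, then advance one step."""
    form = parse_qs(body)
    state = unpack_state(form.get("state", [""])[0])
    if state is None:
        return None
    answers = list(state.get("answers", []))
    answers.append(form.get("answer", [""])[0])
    return {"step": state.get("step", 0) + 1, "answers": answers}


if __name__ == "__main__":
    first = {"step": 0, "answers": []}
    print(render_step(first, "Favourite colour?"))
    # Constructed browser submission of that form.
    print(handle_post("state=" + pack_state(first) + "&answer=blue"))
```

Because the tag covers the whole encoded body, any edit to the hidden field (or a token pasted from another session with a different key) fails verification and the wizard simply restarts. Lynx and the embedded devices mentioned above handle this form like any other.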

Keeping up the pace…

Starting tonight the assignment for the 232 crowd (web architecture) is to build a blog on a hosted platform, and update it three times a week.

If I assign it, I should be able to do it.

Famous last words, but perhaps not.

The in-between-class question today has centered around hosting providers – which will be the subject of a homework assignment, I think… but not just yet. First we have to cross this bridge – getting the first “real” content up (as opposed to “un”-real, which is how I classify Google-Sites content).

Initially, student blogs will be linked to the class webpage inside the college portal. Upon approval by students, selected blogs may be featured as links from this blog… but again, only with explicit approval of the affected student(s).

Almost time for class…