Email Security 101: A Lesson Yet Unlearned

So it looks like the Russians are doing their best to help proudly racist Trump, by stealing (and perhaps altering) emails passed between members of the Democratic National Committee. It seems like the Democratic party preferred the candidate who was actually part of the party over a guy hitching his wagon to the Democrats to use that political machine as long as it was convenient to him.

But that’s not the point of this episode.

The point is this: Had the Democrats taken the time to adopt email encryption, this would not have happened. When the state department emails were hacked, the same criticism applies.

It is possible to:

  1. Render email unreadable by anyone but the intended recipient
  2. Make alteration of emails provably false

But nobody does it! Not even people protecting state secrets. I used to wonder what email breach was going to be the one that made people take email security seriously. I’m starting to think, now, that there is no breach bad enough. Even the people who try to secure email focus on the servers, when it’s the messages that can be easily hardened.

There is no privacy in email. There is no security in email. But there could be. Google could be the white hat in this scenario, but they don’t want widespread email encryption because they make money reading your email.

Currently only the bad guys encrypt their emails, because the good guys seem to be too fucking stupid.

11 thoughts on “Email Security 101: A Lesson Yet Unlearned

  1. That kind of thing has to start from the top down. It wasn’t even possible for the State Department to convince the Secretary of State to use their server and not copy encrypted messages by hand into plaintext on an unsecured server.

    Personally, I’d go for that low-hanging fruit first. No matter what encryption you’re using, you’re only as secure as your boss’s copy-and-paste, to paraphrase an old saying.

    • Yeah, that’s the same thing my dear grammy told me whilst dandling me on her knee. But the nation is filled with so-called security experts, and some of them are close pals with the “top”. And this isn’t a party issue, the culture of email stupidity has been going on for a couple of decades now.

      Yet I just know that all across Washington everyone is saying even more loudly than usual “we have to secure our servers!” when what they need to do is secure their messages instead.

  2. When you say :
    “It is possible to:

    Render email unreadable by anyone but the intended recipient
    Make alteration of emails provably false”

    …I would say I never see that kind of statement in the news. Is this because journalists are doing enough research, or not talking to the correct people (experts)? How do we get that message out there and more generally known? What is the turn-key status of email security? Can it be done yesterday? Can it be done – easily – to the email of a top level person who insists on using their private email from home?

    How would email encryption affect FOIA?

    When you say, “Google could be the white hat in this scenario, but they don’t want widespread email encryption because they make money reading your email. ” … what do we know about this? How bad is it?

    • Frankly, I have no idea why organizations with dedicated IT resources don’t all use email encryption for all internal messages. But almost none do, so either there are stumbling blocks I don’t see, or company leadership still blithely trusts their firewalls and see email hacks as a failure to keep the bad guys out rather than to render the stolen content worthless. Someday, perhaps, corporate IT policymakers will learn from the car stereo industry.

      Any company that has an internal directory service already has a way to automatically distribute public keys within the network. There is a provisioning challenge getting people’s private keys set up and distributed to all their devices, but tools for that already exist.

      I think it’s just a matter of knowledge, will, and perceived value. It is very frustrating to me that people reporting on these hacks never take the time to say “how could this have been mitigated?” Stolen emails are just part of life now.

      Google could absolutely be a hero in this, by making email encryption the standard on their service. If that happened, the world would follow.

      Note that they already work hard to secure your email going to and from their servers, so others can’t read your private stuff, but once it’s on their server, it’s open to them.

      Google has robots that read the email that passes through their systems to further develop the profile they maintain about you. That profile is the core of their business, and is built from your communications, your location, the temperature you keep your house (Nest), what you buy (Google wallet), and on and on. Which is why I will never use home automation or pay-by-device that doesn’t have privacy built in. But I digress.

    • Oh, and Freedom of Information Act – Good question; I hadn’t thought about that:

      The short answer is that encryption thwarts thieves, but not legitimate requests for information, since the possessor of the information can decrypt it when delivering it. I don’t think it would make determining the existence of the information any more difficult, at least not though legal means.

  3. Just today is news that the FBI director wants, “a national conversation on encryption vs security.” Says they were unable to access 650 wwhatsits out of 5000 this year.

    [at this point, conflicting and jumbled thoughts prevent me from commenting further]

    • Yes, funny that those “troubles” still haven’t given the people in charge the idea that maybe their own security should include encryption. Encryption as an enemy of security is so backwards it makes me want to pull my beard off.

Leave a Reply

Your email address will not be published. Required fields are marked *