Aside

2018.1.17

Blew away over 10K emails that were collecting dust in one of my main accounts. My goal over the next few months is to remove the vast majority of old email that serves no purpose. Doing so will free up some space (not that I really need it) while also cutting down on the possible deleterious effects of the account in question getting hacked and its contents selectively modified and/or leaked.

Contemporary Email is a Threat to Us All

Per researchers:

Companies and other organizations are even more vulnerable than individuals. One person needs only to worry about his or her own clicking, but each worker in an organization is a separate point of weakness. It’s a matter of simple math: If every worker has that same 1 percent chance of falling for a phishing scam, the combined risk to the company as a whole is much higher. In fact, companies with 70 or more employees have a greater than 50 percent chance that someone will be hoodwinked. Companies should look very critically at webmail providers who offer them worse security odds than they’d get from a coin toss.

As technologists, we have long since come to terms with the fact that some technology is just a bad idea, even if it looks exciting. Society needs to do the same. Security-conscious users must demand that their email providers offer a plain-text option. Unfortunately, such options are few and far between, but they are a key to stemming the webmail insecurity epidemic.

Mail providers that refuse to do so should be avoided, just like back alleys that are bad places to conduct business. Those online back alleys may look eye-pleasing, with ads, images and animations, but they are not safe.

The problem is that few people appreciate the dangers of email; their understanding of phishing tends to be centred around the garbage that gets caught by most SPAM filters, when they have any clue what phishing is in the first place. Further, it’s not enough to personally avoid the ‘back alleys’ of the Internet email crowd: you need to excise all email that is received by such providers. And that means the problem is one of herd protection and immunity, which is challenging at best to overcome. Who’s going to unilaterally ban email from all the major email providers in the world today?


More Thoughts on the Yahoo Scan

Marcy Wheeler:

To sum up: ex-Yahoo employees want this story to be about the technical recklessness of the request and Yahoo’s bureaucratic implementation of it. Government lawyers and spooks are happy to explain this was a traditional FISA order, but want to downplay the intrusiveness and recklessness of this by claiming it just involved adapting an existing scan. And intelligence committee members mistakenly believed this scan happened under Section 702, and wanted to make it a 702 renewal fight issue, but since appear to have learned differently.

This is the definitive summarization of what Yahoo! (likely) did when they monitored all of their customers’ emails for the US government. Well worth the read for its content and, also, to see what goes into a critical media evaluation of an unfolding intelligence-related series of news stories.


Yahoo May Have Exposed Rogers Customer Emails to US Spies

Motherboard:

“Any program that scans all the mail that Yahoo has access to would have scanned this email,” Gillmor wrote me in a message.

“If Yahoo chose to segment their scanning by limiting it only to mails that have ‘@yahoo.com’ email addresses [and omitted those sent from @rogers.com], of course, then they would have chosen to exclude this email from the scan,” Gillmor continued. “It’s not clear to me whether any such constraint was in place, though.”

“I’d imagine that, yes, the program would have applied to Rogers customer emails, unless Yahoo elected to specifically exclude them,” wrote Marczak in an email.

Yahoo declined to comment on whether the alleged system filtered out emails from Rogers customers.

Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner, confirmed that Rogers consulted the office in the wake of the Yahoo hack. But as far as the possibility that Rogers customer emails had been siphoned into a surveillance dragnet goes, “Given we don’t have detailed information about the matter, we are not in a position to comment,” Cohen wrote.

When asked if Rogers was aware of the allegations against Yahoo or if the company is concerned that a backdoor could have affected its customers, spokesperson Garas referred me to Yahoo’s statement and wrote that “as such, we believe this matter is closed.”

Great to know that Rogers thinks it shouldn’t (or, worse, doesn’t have to) explain how one of its contracted service providers may have grossly violated the privacy of Rogers’ customers.


What’s the big deal about Hillary using her personal email at work?

Christopher Parsons, a Toronto-based cybersecurity expert with the think tank Citizen Lab, explained the security difference between a personal and official government email.

“The core security advantage is that the U.S. government will be attuned to the risk of her communications being deliberately targeted and, as such, would have a chance to maximize protections afforded to her communications,” Parsons said. “Moreover, data sent and received in U.S. government systems could be protected according to the sensitivity of the communications. So when sending classified or secret documents, a higher standard of care could have been provided.”

I would note that I don’t work at a think tank: I work at the University of Toronto, within the Munk School of Global Affairs.

Quote

Shaw email customers are scrambling after an interruption of Shaw’s email services Thursday led to millions of emails being deleted.

About 70 per cent of Shaw’s email customers were affected when the company was troubleshooting an unrelated email delay problem and an attempted solution caused incoming emails to be deleted, a spokesman told The Sunday Province.

Shaw has about 1.9 million Internet subscribers across Canada, with the majority in Western Canada.

Emails were deleted for a 10-hour period between 7:45 a.m. and 6:15 p.m. Thursday, although customers did not learn about the problem until Friday, and only then by calling customer service or accessing an online forum for Shaw Internet subscribers.

Shaw promised to email affected customers some time over the weekend with a list of deleted messages and details such as sender, subject and time sent. The actual content of the emails, however, is unrecoverable.

Count this amongst the many reasons I just don’t trust ISPs to host my email. It’s great that Shaw does this, really, given how it generally interferes with ports used for email: not only are they screwing consumers in how they treat email protocols (you can pay a monthly fee for full port access) but they’re also screwing them by not properly managing their email systems. I bet that Shaw customers don’t receive any restitution beyond an apology.

A Poignant Comment on Deleting Email

For the past two months I’ve been trying to figure out what to say about something Peter Fleischer, Google’s Global Privacy Counsel, wrote about his personal email retention and deletion policies. After talking about whether people should worry about “covering their tracks” from government snooping, he writes (emphasis added):

In the meantime, as users, we all have to decide if we want to keep thousands of old emails in our inboxes in the cloud.  It’s free and convenient to keep them.  Statistics published by some companies seem to confirm that the risks of governments seeking access to our data are extremely remote for “normal people”.  But the laws, like ECPA, that are meant to protect the privacy of our old emails are obsolete and full of holes.  The choice is yours:  keep or delete.  I’m a pragmatist, and I’m not paranoid, but personally, I’ve gotten in the habit of deleting almost all my daily emails, except for those that I’d want to keep for the future.  Like the rule at my tennis club:  sweep the clay after you play.

His comments struck me as being incredibly poignant when I first read them, and remain so today. I’ve stopped archiving email. I delete email (as best I can, given cloud data retention policies and all…) on a regular basis. Over the Christmas break I removed an aggregate of about 6 GB of mail that had just…accrued…in my various accounts over the past decade. In short, his post motivated me enough to spend the better part of 3 or 4 days sifting and sorting through my digital life. Ultimately I removed an awful lot of what was there.

At some point I hope to spend more time writing about, and thinking through, some of Peter’s points. At the moment, however, I’d just recommend you think about what it means when Google’s Global Privacy Counsel – the guy who is best able to go to the mat to protect the privacy of his own inbox – chooses to routinely delete his email from the cloud. If he takes that precaution, and he has the influence that he does, shouldn’t you at least consider following his lead?