I noticed that Orly Taitz published an article this morning asking her readers to gather some information for her, and to send it by email. The email address is one that I hadn’t noticed for her before, at hushmail.com.
I first looked at Hushmail perhaps 10 years ago and even signed up for a trial. What was interesting about the service is that they provided end-to-end encryption of emails. Back then they provided more technical information on how the system worked than is readily apparent today, but it was pretty cool as I recall. Today, the system seems to be geared towards commercial customers–they will even sign HIPAA business associate agreements with health care providers.
Email privacy is a hot topic nowadays in the wake of revelations of the US Government reading everybody’s communications, even some encrypted ones. Even though encryption can be broken in time with brute force, that’s not economical in the general case. Effective snooping requires cheating, and how that’s accomplished is the subject of a fascinating article “How to Design — And Defend Against — The Perfect Security Backdoor” by Bruce Schneier published at Wired Magazine, and on his blog.
Using the insights from Schneier’s article, I find Hushmail a poor option because their system is secure only insofar as you can trust Hushmail. A proprietary system has fewer eyes on how it works, and a powerful government agency can sneak, threaten or bribe its way in.
On the heels of the shocking news that our emails are vulnerable, we learn that some of our personal hardware may be vulnerable too. Some models of D-Link wireless routers have an intentional back door that allows an unauthenticated user to change their settings (article at InfoWorld) and route your traffic somewhere to be read by others.
I’m not much worried about my emails being read. The NSA is about the only bunch that might read them, and I don’t put anything in emails they would care about, or don’t already know. In fact, I don’t know anything they would care about, or don’t already know. If the NSA wants RC’s identity, then I’m sure there are easier ways to get it than by sniffing my email.
What worries me far more is the security of my mobile devices. I have an iPhone secured by a puny 4-digit PIN. Lots of mobile phone users don’t even bother to lock their phones. My phone has all of my contacts and emails. It also has all of my passwords and credit card information, but that’s separately encrypted. One of the things I like about Windows RT 8.1 is that all information on the device is encrypted by default.
I’m beginning to store more and more sensitive information (health insurance cards, medical history, credit card numbers, passwords, passport images and such) in the cloud. Indeed, I have so many cloud thingies, it’s hard to keep up with them all. Such information can be encrypted before storing in the cloud, provided the encryption technology is trusted, which takes us back to Schneier’s article.
- Indiana University: Best practices for computer security
- Marquette University: Best practices for mobile devices
- University of Chicago: Mobile device security best practices
- Intel: Improving Security and Mobility for Personally Owned Devices