To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.
Email encryption products have made major strides since I last looked at them nearly two years ago in this review for Network World. This week I had an opportunity to revisit these products, and found that they have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements. They are at the point where encryption can almost be called effortless on the part of the end user.
I reviewed five products: the two that I reviewed in 2015 (HPE/Voltage Secure Email and Virtru Pro) and three others (Inky, Zix Gateway, and Symantec Email Security.cloud). The overall winner was Zix (shown here). It was easy to install and manage, well-documented, and the encryption features were numerous and solid. The only drawback was that Zix lacks a separate mobile client to compose messages, but having a very responsive mobile web app made up for most of this issue.
You can read the complete review in Network World here, and you can watch a screencast video comparing how three of the products handle data leak protection:
I never thought I would see the day where executives and major public figures would be proud of their techno-luddite status. Scratch that. Not proud, but grateful. In a story in today’s New York Times, several senators and other public figures are quoted about how they have given up their personal email accounts, or have begun scrubbing their sent folders, thanks to the recent series of leaks from the mailboxes of the DNC and Colin Powell.
Senator Lindsey Graham said, “I haven’t worried about an email being hacked since I’ve never sent one. I’m, like, ahead of my time.” Senator Chuck Schumer is noted for still using a flip phone. And of course there are the email-related stories that doggedly follow one of our presidential candidates around. All of a sudden, it is cool to be more disconnected. Especially ironic, given today is also the day millions will flock to the nearest Apple Store and buy a phone that doesn’t have a headphone jack. (Shelly Palmer’s rant on this is pure pleasure.)
The hacked emails seem to be genuine, at least according to press reports and the impact they have had with the shake up of the DNC leadership. But they have also had the effect that others in the public eye are reconsidering the contents of their own message store.
I have even learned a new acronym: LDL, for let’s discuss live. Meaning, “too hot to talk about in email.”
So let’s all just take a deep breath and look calmly at a few simple rules for your own email usage going forward. First off, yes, emails can be compromised. Don’t say anything there that you wouldn’t want anyone else to read. While you may not think you are a target or of any interest, you have no control over where that message might end up. You might want to walk down the hall for a quick FTF meeting, or even pick up the phone. Think about the 80’s.
Second, if you are very worried, start using encryption, and make sure it covers the complete path end-to-end. There are several instant messaging platforms that are easy to use (Network World did a recent review comparing them, and I have written reviews of encrypted email products for them as well). Yeah, I know, encryption is a pain, but the current crop of products is actually pretty easy to deploy and use. Having said that, hardly anyone sends me encrypted emails, ever.
Third, take a moment to review your password collection for your communications products, including your IMs, email accounts, voice mails and VoIP products. If you use the same password for more than one of these tools, take a day and install LastPass or some other password manager and start treating these passwords more seriously. Do it this weekend.
Finally, don’t hide behind your personal accounts such as Facebook or a non-corporate email address. Those are just as much at risk, as one network anchor realized who hurriedly deleted his Gmail account that was cited in the Times story. Everything is discoverable and vulnerable these days.
There are numerous articles on the misuse of email (including this post where we talk about ways to onboard Gen Y workers), but one of the biggest mistakes is email becomes the general all-purpose tool for all kinds of inappropriate collaboration methods for your team. While email is great for point-to-point communications, it falls down when it comes to sharing and editing spreadsheets and documents, scheduling meetings, and tracking projects — all things that I talk about in my latest post for the Quickbase Fast Track blog here.
With the passing this week of Ray Tomlinson, I am tripping down memory lane and thinking once again about email. Ray, for those of you that don’t recall, was credited with the invention of the @ sign back in 1971 as a mechanism to separate a user from the computer that ran the user’s account. It took decades before it became the ubiquitous part of the Internet addressing system that we all take for granted today.
But, no disrespect to Ray, email is a lot more than just the @ sign, although it certainly is the easiest and most recognizable part of it. If you want to really dive into the history of email, I would start with Dave Crocker’s excellent compendium site. Crocker had a hand in inventing several key elements of email infrastructure himself and wrote this excellent history of early email for the Washington Post several years ago.
As you review some of these documents, you’ll quickly see that email isn’t just the product of any one person. Like many of the things behind the Internet and the world of open source software, dozens if not hundreds of people contributed, block by block and bit by bit. Today’s email system makes use of numerous different protocols to get a message from you to me and back again. What is astounding is that essentially email is the same basic service and “has not been replaced or interrupted in 40 years. It simply grew from a couple hundred users to a couple billion,” as Crocker wrote in his Post piece. Well, maybe not so simply, but still.
One thing not often discussed is the fact that for its early years, email thrived outside of the Internet. Many of the early email systems were local to a company, and only able to exchange messages with other users there. Vendors such as cc:Mail, Network Courier, and Higgins (remember those?) dominated that early corporate landscape. Eventually, the Internet would connect these disparate systems together and avoid the use of messaging gateways or remote dial-up modems. Now it is almost impossible to use email and not be connected to the billions of others online. Of course, finding a current email address for a recipient is another matter.
In the 1990s, I was lucky to have worked with some of these early pioneers, such as Crocker. Also with Marshall Rose, who wrote some of those early Internet email standards. Marshall and I co-authored a book called Internet Messaging back in 1998. Penn Jillette, part of the comedy magic team of Penn and Teller, wrote the foreword to our book. He says, “email is still the greatest thing ever invented in the history of the world. ‘What about fire?’ you say. And I answer, what good would it be without an email to ‘come and get it?'” Penn also had some sage advice: “When I see your words [via email], they are in my font and color on my computer, and the computer feels like part of my brain. Telephone is talking; email is whispering thoughts directly into my mind.”
All food for thought when you send your next email.
Whether you think Ed Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email business. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology itself to transmit his documents. As I wrote about earlier this year, since Snowden’s revelations, more people have been motivated to employ encryption than ever before.
Ironically, it seems that the type of encryption that you use can make you a target of the spy agencies, who can scoop up your transmissions and figure out your origins. As Bruce Schneier said in a post last year, “There’s nothing that screams “hack me” more than using specially designed al Qaeda encryption software.”
That is a scary thought. But I don’t want to debate this here; instead I wanted to take a closer look at both new and older email encryption technologies and how much they actually protect your communications.
I took this two-year mark of Snowden’s unintended flight to Russia to write this review of seven different products for Network World. They include Hushmail, ProtonMail, Datamotion SecureMail, HP’s Voltage SecureMail, Tutanota, Virtru and AppRiver. Using one of them will certainly be better than not using any encryption, even if it raises your profile with certain three-lettered agencies. Tutanova’s Outlook plug-in is pictured above.
You can read my full review here.
Two years ago a young man left his girlfriend and home with his laptops and a fantastic story that has changed the world and the way we think about our Internet privacy. I am of course talking about the flight and plight of Ed Snowden and his cache of secret documents about the massive NSA surveillance of electronic communications.
Whether you think Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email biz. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology. (He isn’t the only one.) While he ultimately was successful in securing his communications with the press, another irony was how things ended up for him: now he is living in Russia, certainly not one of the most privacy-friendly places in the world. It is also ironic that his Russian residency has enabled his new career as a professional speaker, albeit using various remote video technologies since he can’t get on a plane because he doesn’t have a passport. (Part of me is envious of this, having to still give speeches the old fashioned way by getting on planes. But I am glad that I have my passport.)
But the ironies extend beyond Snowden’s life to more important matters. We have evidence that shows how the NSA abused numerous statutes in what they call “bulk metadata collection” of phone calls and emails. And we all now know what metadata means, and how former NSA director Michael Hayden said last year: “We kill people based on metadata.” Certainly, the Snowden effect is quite real, given the current debates in Congress over reauthorizing various legislative means for them to continue these practices.
And the ultimate irony of them all is another Snowden effect: while the NSA revelations have closed down several secure email providers such as Lavabit and Silent Circle, others have taken their place and encrypted email usage is most likely at an all-time high, thanks to the paranoid and prudent among us.
I have spent a lot of time listening to Snowden’s various public discussions, held at SxSW, with John Oliver for his HBO show, and at a recent conference at Princeton where he exchanged words with a New York Times reporter that broke some of the early stories. And while I am not sure where I stand on the traitor/patriot index, Snowden certainly has a lot of interesting things to say. It is clear that he has spent a good portion of his clandestine career preparing for his media close ups and photo ops. He also has a lot of time on his hands to keep up with current events.
I think Snowden has done more than just about anyone since Phil Zimmerman (the creator of PGP and now involved with DarkMail) to encourage email encryption usage. When Marshall Rose and I wrote a book about corporate email use back in 1998 (cover reproduced above), we said that secure email was “best described as a sucking chest wound.” For most of the last 17 years, secure email was more a curiosity and almost unknown and unused in corporate America. That changed two years ago, and it is catching on in more places.
It is still too difficult to use, as this story in Ars Technica takes you through how to deploy it on an individual basis. Maybe not a sucking chest wound, but still more than just a mere blister to be sure.
I am interested in hearing more about your own secure email usage, and it is partly motivated by a review that I am writing for Network World comparing several of the more useful business-oriented tools. Having used some of these products for decades, I welcome your own thoughts and will let you know when the review is published, probably later this summer.
And if you want to re-read a semi-serious blog post that I wrote last year where I thanked the NSA for enabling all sorts of activities, here you go.
For the past three and a half years, I have been meeting occasionally with a nice young man named Aaron Witt who has a startup software business called ConvertMyEmail.com. Aaron is smart, he is earnest, he works hard, and he is making a modest amount of cash from the company. The business is one in an area that I happen to know a lot about (email software), and I think I have been mostly helpful in getting it going.
When we get together for our periodic mentoring sessions, Aaron is hyper-organized. He comes with a solid agenda; we go through it point by point. He has PERT charts that track his goals and what he has to accomplish when, and takes them to heart. He goes through during our session his stickiest points that he is wrestling with at the moment. He listens well and takes careful notes, and then more often than not acts upon them. As a mentee, he is one of my favorites because he has all these process things down pat. From the outside, it looks like he is making progress.
There is just one thing, almost Shakespearean in terms of a tragic flaw: he lacks focus.
When we began our sessions in late 2009, he had a full time job where he had to travel around the world for his company. As you might imagine, that took a lot of his time and I couldn’t really blame him for wanting to stay with the regular paycheck. But as it happened, another firm bought out his and he became redundant and was cut loose last year. Aha, I thought. Finally, time where he can really get behind his business and make it sing.
It hasn’t happened, although he is doing all the right things. Why? Because of his lack of focus.
We met this week for another mentoring session and an update, and he gave me the bad news. Well, he didn’t initially see it that way. “Did I mention that I am thinking about starting another company?” he asks. Oy vey, I am thinking. Here we go again. We discussed this new company – which has at its core a dandy idea – and I am beginning to think, he just can’t stay on company #1. I told him my feelings, and that he needs to stick with the first business and give it his all, otherwise he will be responsible for two failures. “That is what my wife tells me.” Yes, maybe I should give her a call (although there is something sacrosanct about the mentor/mentee confidence, similar to a confessional booth almost).
Coincidentally, I met another young entrepreneur this week for the first time. He was all over the map: in addition to working a full time job, he was starting a new company and volunteering at several charities. Focus, I told him. (It is like that line about plastics in The Graduate. You don’t need to say anything more.)
In all my years of coaching and mentoring entrepreneurs, focus is Job 1. Not raising capital (although that can be tricky). Not hiring the right programmer (ditto), or building the right set of Web sites and social media entities, or nailing customer satisfaction, or the hundreds of other things that can swallow a startup and quickly sink it. It is staying focused. Take your eye off the ball, and someone takes your ball away.
Sending and receiving encrypted email with sensitive data should be a lot easier to do. But it ends up being something painful, and as a result we tend to avoid this protection. Haven’t we all been schooled that sending emails in plain text is like having a post card plastered to the wall of your local coffee bar? Haven’t all the various exploits with stolen credit cards and hackers breaking into various Web-based email services been warning enough? Apparently not.
Oddly, this summer marks the eleventh year anniversary of identity-based message encryption with more than a billion secure messages being exchanged annually. But that still pales in comparison to the many insecure messages containing sensitive data being exchanged in the clear. You can read my whitepaper that I prepared for Voltage Security here.
Sending and receiving encrypted email with sensitive data should be a lot easier to do. But it ends up being something painful, and as a result we tend to avoid this protection. Haven’t we all been schooled that sending emails is like having a post card plastered to the wall of your local coffee bar? Haven’t all the various exploits with stolen credit cards and hackers breaking into various Web-based email services been warning enough? Apparently not.
Today I will be part of a webinar showing the issues surrounding mobile email and the solution that Voltage has with its product. You can tune in here. You can also watch a short three minute video screencast review that I have done showing how their iPad and Android app works here.