CAT | Email Security
The House Judiciary Committee is going to be discussing the Electronic Communications Privacy Act. There is a chance that they will strengthen it.
This act was written decades ago, before there were any real cloud solutions. Email was downloaded by your email client, and immediately deleted from the server. They law assumed that any email left on a server more than 180 days had been abandoned, and so no warrant was required for law enforcement to obtain it.
These days, with services like gmail, we tend to keep our email on the servers for years, with no thought that it has been abandoned. Law enforcement is opposing reforms of this law because it would make their work more difficult. Doubtless it would, as does almost any civil liberty.
Earlier this month Zoe Lofgren introduced the Online Communications and Geolocation Protection act, amending ECPA. It would require a warrant to obtain cell phone location information. There is clearly some momentum for reform.
Welcome to Anonymizer’s inaugural episode of The Privacy Podcast. Each month, we’ll be posting a new episode focusing on security, privacy, and tips to protect you online.
Today, I talk about non-technical ways your online accounts can be compromised, focusing on email address and password reuse, security questions, and using credit card numbers as security tokens. In part two, I give power user tips for getting the most out of your Anonymizer Nyms account.
Hope you enjoy the first episode in our monthly series of podcasts. Please leave feedback and questions in the comments section of this post.
Download the transcript here
Forbs recently noticed that Facebook suddenly and basically without warning made @facebook.com your default visible email address on your timeline.
I had no idea that such an email address even existed! I certainly don’t check it explicitly. Emails to that address end up in your standard Facebook messages queue, which for me is mostly a black hole.
LifeHacker has a nice article on how to change the settings back to how you might want them.
You may not want some spammer to get that address and start filling up your Facebook messages queue.
Bruce Schneier on the real world effectiveness of a very simple domain name based man in the middle attack.
Here is a Wired article on the same issue showing how it was used to steal 20 GB of email from a Fortune 500 company.
While the technique would not allow them to identify your anonymous emails in an ocean of others, that is rarely the real world threat scenario.
In many cases there is a relative hand full of likely authors of a given email or group of emails. It is often possible to gather large samples of emails known and acknowledged to be from the likely authors. In that case this technique has a small group of targets and excellent training materials which allow for very high levels of accuracy (the authors of the paper claim 80% – 90%). That is probably enough to get a warrant to search your home and computers.
Unless you have been unusually careful, the gig is probably up by then. Remember, this might not be for criminal matters. It many cases this would come up in whistle blowing or other non-criminal situations.