14 Dec 2009 @ 1:53 PM 
 

Follow up on Email Privacy Post

 

My main purpose with my previous post was merely to inform you about the realities of email privacy.  It’s practically an oxymoron.  Most of us don’t talk about stuff so sensitive that we need to worry much about it.  However, if you search through your email for financial information, or other private stuff along those lines, I bet you’ll find it.  The longer you have an account, the more likely you are to have such information stored in it.  Keep in mind that if you had an adversary that didn’t like you and they could get access to your primary email account, they’d have, in all likelihood, mounds of information they could use against you, all stored in one nice semi-organized place.  It’d even be in digital form so they could search it easily.  They wouldn’t directly be able to do a lot with it without getting in trouble, but just knowing secrets and details about your life could cause you more misery than you’d ever imagined.  The best solution is to not have any enemies.  But even then, there are hackers and all sorts of other miscreants out there who just like making trouble.  Instead of working on their own marriages and lives, they put all their energy into destroying others, destroy destroy destroy destroy I say.

Encrypting is a pain and it’s not always necessary.  Even if you are willing to encrypt everything, chances are most of your recipients won’t, so that’s a dead end right out of the gate. At least at this point in time.  The main thing though is to be aware of the risks.  It’s one thing to keep every email and never encrypt anything b/c you don’t have anything of concern in your emails.  It’s another to think you have safety and privacy.  The last thing I want to do is scare anyone – we have way too much irrational fear about ‘hackers’ as it is.  Hollywood makes it look like every 15 year old with a laptop can hack into banks and missile installations in 10 seconds.  That’s not the case.  But technology isn’t usually the point of failure.  Look at the Palin hack.   The technology didn’t enable it to happen, bad security policies on Yahoo’s end did.   So if you do your part, you can rest assured that you’ll probably never encounter a data breach.  If you do, it’ll be a fluke, like getting hit by lightning.  As computers get more powerful and the internet gets more prevalent, you can rest assured the government is going to do all it can to get access to anything you have stored digitally – if they need it.  And if they can access it, there will be loopholes and failures so other not so good guys will be able to.  A little bit of knowledge goes a long way here and not believing in myths gets you pretty much 99% of where you want to be.  So hopefully this post helped do that for a few folks.

Until the db.singles.org incident, I used strong passwords, changed them every few months and didn’t think much about it.  After that incident, I changed my thinking a lot.  I started segregating accounts so that if someone breached one, they would only be able to get a limited set of data.  I started archiving my data too.  I’d pull out the older stuff, encrypt it and store it on a password protected drive.  By segregating things and archiving, that limits the damage that could happen if my accounts got hacked.  That’s not to say that someone still couldn’t cause me a lot of problems by getting full access to one of my accounts. They could. But it’s a lot less than what it was before I saw the light.  I never posted the full details of the fallout from db.singles.org but I know of a few people that really suffered bad from it. They never thought for a second their information wasn’t safe.  And they never thought (at least I don’t think they did) that a breach in the db.singles.org account would have led to breaches in PayPal, Facebook, Gmail, Yahoo and everything else. I’m sure they also had an expectation that a service they paid for would guard their information. It was repeated screw ups that allowed things to happen as they did.  Think about it though, when someone can write a script on the fly, to pull down all that information for every account, in under a few minutes, something is seriously wrong.  What’s worse, db.singles.org didn’t do squat afterward.  They didn’t even let the people know what happened.  It was shameful, particularly for a site that fancies itself Christian in nature.  But that stuff happens.  They aren’t the only people who’ve handled stuff like this poorly. They aren’t the only ones who tried to brush it under the rug. They aren’t the only ones who tried to dodge responsibility.  The Data Loss Database is a frightening testimony to how widespread data breaches are.  Don’t take my word for it, look for yourself. 
Read through a few and see how common this is. Look at how frequently it’s not a technology failure; rather, a human is the point of failure.  I bet if you go through it and compare it to how frequently you hear about breaches, you’ll see a big mismatch.  And look at how frequently it’s the GOVERNMENT that has the breaches.  That’s the same government that has all sorts of sensitive information of yours. And it’s not just our government or US corporations, it’s widespread.

The fact that you can do some very simple things to add a huge layer of security to your data is very reassuring.   I’d offer  a few of my own.

If someone ever gets access to your email account, they have enough information to make your life hell.  This isn’t an opinion, it’s a fact.  This is why plaintext email is so dangerous.  If it contains anything sensitive, you don’t want it stored in plaintext indefinitely. I know, it’s a huge convenience.  I know, email services don’t provide encryption with a few exceptions.  I know, much of the sensitive information in your email account will be attached to stuff sent to you – not the other way around.  I highly encourage you to read the whole db.singles.org drama (I covered it in depth, but you can Bing Operation Jesus for more information).  If you can’t keep sensitive information out of your email archives for practical reasons, use a password for your email that you don’t use for any other account.  Use fake answers that you specifically distort for your Password Reset Challenge questions (Sarah Palin can tell you why).  Use big long strong passwords and change them regularly. Never write them down and don’t give them to anyone.  Three people can keep a secret if two of the people are dead.  You may trust your spouse, mother, father etc to never do anything malicious to you, but that doesn’t mean they’ll never do something careless that could put you in really hot water.  Don’t give out your password, ever. If you have to for some reason, change it immediately.
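An added example, not part of the original post: one way to run the self-check described above on your own exported mail, listing old messages that still hold card-number or SSN-like strings so they can be pulled out, encrypted and archived. The sample messages, the two patterns and the one-year cutoff are assumptions made for illustration.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample messages (not real mail) standing in for an exported mailbox.
SAMPLE_MESSAGES = [
    "From: bank@example.com\nDate: Mon, 03 Mar 2008 10:00:00 +0000\n"
    "Subject: Statement\n\nYour card 4111 1111 1111 1111 was charged.\n",
    "From: friend@example.com\nDate: Tue, 01 Dec 2009 09:00:00 +0000\n"
    "Subject: Lunch\n\nOrder 1234 5678 9012 3456 is just a tracking id.\n",
    "From: hr@example.com\nDate: Fri, 05 Jan 2007 08:00:00 +0000\n"
    "Subject: Forms\n\nID on file: 000-12-3456\n",
]

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN layout (assumed pattern)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_archive_candidates(raw_messages, now, max_age_days=365):
    """Return (subject, date, reasons) for old messages holding sensitive-looking data."""
    cutoff = now - timedelta(days=max_age_days)
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        sent = parsedate_to_datetime(str(msg["Date"]))
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body else ""
        reasons = []
        if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
            reasons.append("card-number")
        if SSN_RE.search(text):
            reasons.append("ssn-like")
        if reasons and sent < cutoff:
            hits.append((str(msg["Subject"]), sent.date().isoformat(), reasons))
    return hits

if __name__ == "__main__":
    for hit in find_archive_candidates(SAMPLE_MESSAGES, datetime(2009, 12, 14, tzinfo=timezone.utc)):
        print(hit)
```

The Luhn check keeps order numbers and tracking ids out of the results, and the age cutoff leaves recent mail you still need in place.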

The fewer people that know a secret, the less likely it is to get out.  There’s no reason for anyone else to know your personal account passwords, ever.  If you need shared access, then like I said, create a shared account that is limited to only information both people need.  Accidents happen and even the best intentioned people might mess up and breach the password.  That’s the thing, no one ever intends to give away  a password yet it happens. No one ever means to compromise security, but it happens.  No one needs to know your passwords. If they do, create a new account you both have access to and only use it to forward those emails/documents that you both need. 

Please don’t fall for the “We’re a couple, we share everything” thing as a reason to share passwords.  That’s beyond silly.  No couple shares everything.  I’ve heard people argue this before but it’s simply not true. Do they share a toothbrush?  Do they share undergarments? Do they share all of their clothes? Do they share a purse?   Do they share a jockstrap? Do they share shoes? (Ok, for a same sex couple sharing might be a little more feasible, but even there, no one shares everything).  Would you share cancer medication if only one person had cancer? Of course not.  So get past the whole “We share everything”.  It was cute back in high school, but in real life, it doesn’t fly.  By the time you’re married, you should already know if you can trust your spouse or not. If you don’t know, then passwords are the least of your problem.  

I keep all of my passwords in Password Safe. I have a big long password for it that I only use for it.  Kim knows it.  So if she needed to get into one of my accounts for some reason, she could.  Password Safe is a great utility and is very helpful if you want to stop reusing passwords and want to use strong passwords wherever possible (again, not everything needs locked down – but if you’re going to give something a pass, make sure there’s NOTHING that can be problematic).  From a ‘sharing everything’ POV, I do think that I should be willing to share everything with my wife if need be.  So if she needed my password and I wouldn’t give it to her, that’s a problem. But the # of times someone needs access to your email is so rare, this isn’t really an issue – I’m actually shocked I hear people bring it up so much b/c it’s about as much of a non-issue as I can think of.

[tags]Password Safe, Email Security, Online Privacy[/tags]

Tags Categories: News, Privacy, Security Posted By: Cuckoo
Last Edit: 14 Dec 2009 @ 03 16 PM
