Month: April 2017
Encrypting Email, It’s Not Just For Criminals
In March I blogged about my “almost disposable email”. I still have improvements to make when dealing with external sites and services. Overall that model works pretty well.
When thinking about my personal email, my dilemma changes a bit. Unlike most people who use the Internet to send and receive email for personal use, I have changed my address multiple times over the years. Friends and family of mine have commented about the fact that I change probably too often. In reality it’s only once every 3 or 4 years. That apparently is too much for most people. Of course some of the people commenting may still be using AOL addresses from the 90s.
In 2014 I blogged about My sudden allergic reaction to all things Google. In that post I wrote about migrating from Google hosted mail to a hosting provider in Switzerland. The Swiss-based provider I selected offers much greater privacy protection vs a US-based company. For what I was looking for the price difference was nominal. Moving to a Swiss-based provider wasn’t a magic bullet. All my data on my website and email stored on their servers is still not encrypted at rest. In other words I am still exposed, just less likely to get snooped on by a government. Even that statement has a caveat. Let’s say I am better off than before. I still have much to do.
With my mail being hosted in Switzerland I have a relatively good level of privacy protection. That means if someone wants to get a hold of my mail they would need some sort of court order. The fact that there is a request should be disclosed to me. That is unlike US hosting providers that would not need to inform me if they were asked to spy on me. To go a step further and make it impossible for anyone to get my email on the mail server I would need to encrypt my email at rest with the hosting provider having no knowledge of the encryption keys. The reality is this is important, however not my threat model. I’m more concerned about personal details being intercepted via an unsecured network.
To address both of these problems I have been investigating two different secure email providers: ProtonMail & Tutanota. Both in theory provide the same service. They allow you to encrypt email and send it. They also encrypt email at rest on their systems and have no knowledge of how to decrypt. Email sent between two people on, let’s say, ProtonMail has the email encrypted completely. If however I am on ProtonMail and I send an email to someone not using that system, the message is secure, however there is a caveat. What really happens is an email is sent to the recipient telling them that there is a secured message waiting for them and it provides a link to that message. I can send along a password hint if I want as well. The recipient can then click on the link and read and respond to the email. It is secure, however not super user-friendly compared to what most people are used to. I experienced similar systems when I briefly worked at a health benefits organization that had to comply with HIPAA rules in the US.
My threat model concerns sending and receiving of secured information via email. I do realize that the use case is not required for most emails I send. In most cases what I’m sending can go “in the clear”. Having the ability to encrypt as needed is the big value to me.
Having stored mail encrypted at rest with the provider having no knowledge of the decrypt keys also makes me feel more comfortable when I am not hosting the data. ProtonMail & Tutanota both offer this fundamental security feature. The challenge with both providers is that neither currently has a way to import or export email. I am a person who has most if not all of my mail going back to 1996. For years I was proud to have that stash of mail. I also have gone back to really old messages for information. In today’s world however having that much personal data sitting on a typical mail server is too big of a potential risk and a major liability.
I no longer keep that archive of mail on a live mail server. Instead it is encrypted on a personal computer in a database. At least I still have it. To use ProtonMail or Tutanota would mean I would no longer have correspondence that goes into the system. That limitation has given me a little bit of pause. Since I started playing around with the system late last year ProtonMail has announced they will be launching a secured IMAP option. I am assuming that will enable me to offload mail from their system. That would make their solution much more viable for me.
As I continue to play around with both systems I have been favoring ProtonMail over Tutanota. I’ve not yet jumped into using one for my personal mail, however I am leaning towards ProtonMail. One of the hesitations I have is that ProtonMail is not cheap. It costs about half of a full hosting package I have per year. Tutanota is as cheap as one dollar a month per user. ProtonMail is around five dollars per month for what I initially need it for. ProtonMail also does not allow me to move my entire family using a specific email domain onto an account unless I use a much more expensive account than the five dollars per month plan. Tutanota will let me set up multiple family mailboxes for one dollar per mailbox per month. That makes Tutanota an option if I wanted to continue using the same email domain I currently use for my personal email.
The solution to this issue is for me to switch the domain names I use. I have a few other ones I own that I can start to use, however that brings me back to how I started off this post. I don’t want to change my address, however it is a price I am willing to pay if other factors are positive.
I could make my life easy and just use Tutanota and move my family over to it also. The challenge is I like ProtonMail much better. The UI is nicer on both the web and iOS app. The iOS app loads faster. It has a few more nifty features versus Tutanota such as tagging. Overall I just get a better feeling about it.
Knowing myself, what I likely will end up doing is change my personal email so I can use a different domain name that I have that isn’t being used for anything else and point that to ProtonMail. I would then leave my existing mail domain where it is and allow my other family members to continue using it.
For now I’m still waffling a bit on what to do. If you’re a friend or family member of mine and you are reading this, you know why in a few months you might get a notice that I changed my mail address yet again. Of course if you read this far kudos to you.
The W Sisters & The Story About Doka in The Ear
This was a story that happened back in February. I am finally getting around to writing about it.
For almost as long as she could talk in sentences T has spoken about her friend Doka. I don’t remember if I journaled about him/her before. At first Doka was just a friend that was a baby. Then she became her baby. Consistently she has been very small and resides in T’s ear. For as long as T has been her mommy she’s been living in T’s ear.
Later on T started saying that she has 10 children. Doka was always discussed first. Recently she went from having different names for each of the kids to all of them being named Doka. Only one of them lives in her ear, the original one.
Today while looking at my photo screensaver on my laptop T commented that a baby did not have any hair. She then said that no babies have any hair. I corrected her and said some babies have a little bit of hair and that she had some when she was a baby but not much.
After telling her that she told me that Doka in her ear has no hair. She offered to show me and came over and turned her head so I can look into her ear. I moved her hair away from her ear and looked inside and put my finger right at the edge of her ear and said oh yeah I see Doka. T smiled and stepped away and then told me that when I touched Doka she giggled.
I Have Given Up (Sort of) On Activity Bands
Ever since before I decided to lose weight I was tracking my activity. Originally I used a Jawbone Up. I went through several versions of them and then I tried a Fitbit for a while. I ended up going back to Jawbone and then again back to Fitbit. For about a year I have been using a Fitbit Alta.
That was until last month, when I stopped using an activity tracker during the day. The annoying clanking of the band against my watch finally drove me to stop using an activity band altogether during the day. I did some basic research and I found that the accelerometer on my iPhone is relatively comparable for step count to a wristband activity tracker. The downside I read was that you don’t always have your phone with you so the phone doesn’t always capture your total activity. For me, I generally do carry the phone with me most of the time and the level of accuracy the phone would give me versus a wristband was worth the trade-off.
Several weeks into this change my step count seems pretty consistent. I still use my Fitbit to track sleep, however I stopped wearing it during the day. I’m generally pretty happy about that decision since having my watch and a wristband was always annoying. It was worth it when there was no alternative, however now that I found a decent one I don’t see going back to wearing a dedicated wristband with the feature sets that are currently offered.
Paint chalk
We took the girls to the playground this morning and tried out some paint chalk. We learned why there have not been any innovations in chalk technology in ages. It was extremely messy.
Yes Your Internet Provider Can and Might Be Spying on You
In late March Congress repealed a regulation that the FCC set up that prevented Internet service providers from collecting and selling information about their customers without their consent. Rightfully many people are pretty upset over this. Security blogger Brian Krebs points out that this repeal changes nothing day to day. That is because as of right now the rules that were repealed never actually took effect yet. I would go a step further and say if someone is only now concerned about this issue they likely won’t take the right steps to protect themselves anyway.
I applaud people’s concerns. They should be concerned. That being said, several people have recently asked me questions about VPN setups. That might solve issues regarding your ISP collecting data about you, however it does not stop all the other companies that are collecting data about you.
When I talk about this topic with anyone I always recommend that they watch the documentary Terms and Conditions May Apply. I’m not sure how many of my friends have actually seen the documentary. It’s a disturbingly fascinating view of how your information is being collected. Thanks to my friend Andrew who pointed this documentary out to me last year.
I just finished reading The Art of Invisibility by Kevin Mitnick. I previously read his book The Art of Deception and liked it a lot. In The Art of Invisibility Kevin goes over the details of what you would need to do to become invisible online. In the end there’s no way I’m going to take all the steps necessary to do that. It was disturbing just to read the extent of what you would have to do in order to become truly invisible. For me, I outlined in a previous post some of the steps I take to minimize my exposure.
When people ask me about what VPN provider to get or some other way to secure themselves online the question I usually ask is what is their threat model? What’s the problem they’re trying to solve specifically? I have a few threat models depending on the situation for my online behaviors. I know that I am light years ahead of what most people do however I’m also aware there are several key improvements I need to make in how I use the Internet.
I use a VPN, however I don’t use it as often as I would like to. When out of my apartment I try to use it all the time unless I’m at work on my work equipment. At home I have set up my router to tunnel everything through the VPN. The challenge is I don’t use it. I have a consumer router running an open source firmware. It suffers from the same problem all other consumer routers do: it has a relatively lightweight CPU. When I run a VPN client from a computer of mine I may get near line speed of what I would get without the VPN. When I run the VPN on my router I was getting a 4-8 times slower connection. This is all due to CPU constraints on the router.
To solve this problem I need to either buy a commercial grade router or build my own using a computer. I’m going to opt to use a low-end Zotac fanless computer and build my own router. One of the guys at work pfSense. It looks pretty good and I’m going to give it a try. Now I need to just find the time to work on it.
My recommendation to my friends is yes, get a VPN. Preferably one incorporated outside of the US. I personally have been using NordVPN for over a year and have been pretty happy with it. I have recently been trying out AirVPN. They have fewer options for entry points in the US, however they offer some unique features with their VPN client. I also like the history of the organization and why they became a VPN provider.
I also recommend, if you’re serious about your privacy, reading one of the books I suggested or just watching the movie. Most people understand that stuff they’re doing online is being tracked, however I don’t feel like most of my friends or the general public truly understand the extent to which you are being tracked.