One of the key catch-phrases of the classic “Hitchhiker’s Guide to the Galaxy” (https://en.wikipedia.org/wiki/The_Hitchhiker%27s_Guide_to_the_Galaxy) is “Don’t Panic”, which appears on the cover of the book in “large, friendly letters”, and is familiar to anyone who has read the books, listened to the radio show, watched the TV series, or any of the movies, stage shows, video games, audio books, comic books, or other media through which the work has been presented over the years.
It really is a good part of any philosophy, and helps you react a bit more appropriately to anything which happens.
It’s also why I did NOT freak out when I received a notice informing me that: “You're one of 125,698,496 people pwned in the LinkedIn Scraped Data data breach”. This was a notification from Troy Hunt’s (https://www.troyhunt.com/) service “Have I been Pwned?” (https://haveibeenpwned.com/), which I believe I have mentioned previously, and whose work I highly recommend, including his podcast (https://www.til-technology.com/my-playlist).
Instead of panicking, I had a look at the details provided, and then shrugged and went back to other things (until it occurred to me that this might be something useful to comment on...).
The details of the specific “breach” can be found at https://haveibeenpwned.com/PwnedWebsites#LinkedInScrape, and I’ll add a few comments/reactions:
It should be noted that this issue was NOT a breach. As I understand it, the data in question was “scraped” data from profile pages of LinkedIn users. This raises some interesting questions regarding how we should manage our social media, but is not a breach per se.
The biggest threat associated with a data breach is actually credential stuffing, which I have described previously (https://www.til-technology.com/post/infosec-basics-credential-stuffing). In this case, there was no password breach, but if there were, using unique credentials for each site would limit your exposure to that site, and using a strong password (eg, via a password manager) and multi-factor authentication (https://www.til-technology.com/post/infosec-basics-multi-factor-authentication) would minimize your overall risk.
Interestingly, in his weekly update (https://www.troyhunt.com/weekly-update-263/), Troy Hunt also commented on a new partnership between 1Password and Fastmail (https://support.1password.com/fastmail/), which allows for the creation of new email addresses when signing up for new services. This provides the ability to create (and manage) dedicated email addresses / account identifiers for every site you access, and further reduces the risk of issue if an account (or site) is compromised.
While certainly interesting, this actually got me thinking more about “secure” email, which most email services are not. Generally, the term refers to email services which are “end-to-end encrypted”, meaning that the service provider is not able to read the contents of the transmitted email.
After reading several articles and watching a few videos, I did an informal survey of the rankings I found, in order to find one or two candidates for further investigation. Please note that I do NOT consider that “research” – see my comments on “The Answer” (https://www.til-technology.com/post/the-answer) to see why.
I found it interesting that most of the articles were assessing not only the technology, but also the business, legal, and political environments in which the companies operate. For example, many of the reviews noted whether any form of identification was required to set up an account, whether crypto-currencies were accepted as payment, and whether the company running the service was in a country participating in an intelligence alliance such as the “Five Eyes” (ie, Australia, Canada, New Zealand, United Kingdom, and the United States).
I also saw a number of comments about the degree to which nation-state intelligence services might be able to access these services or “break” their encryption. Depending on the treatment, comments of this nature can be informative, amusing, or frustrating, depending on the degree of practicality or paranoia involved. Ultimately, the reason for using “secure” email varies from one user to another, but most of us will be most concerned about criminal actors of various sorts, rather than nation-state actors. If you’re seriously concerned about nation-state actors, you will probably want to take a number of other steps to protect yourself.
All of the articles I found ranked ProtonMail (https://protonmail.com/), all ranking it in the top three, and most of them as #1. None of the other services I saw were on all of the lists I found, though Tutanota (https://tutanota.com/) came a fairly close second. Most of the other services appeared on fewer lists, or had poor reviews. Also, ProtonMail and Tutanota have “free” plans, which makes it easier to sign up and learn a bit more about them, and maybe learn about what sort of questions to ask.
Cheers!
Comments