Freddy's Ramblings

Email has been discussed a lot lately. Perhaps it's because we all rely on it more during this period of lockdown. Maybe it's due to Hey being released? Or are we all realising that email is an old technology and we need to move on? Whatever the reason may be, people are talking about email; here's my take on it.

To start we should figure out what email is. According to Wikipedia:

Electronic mail (email or e-mail) is a method of exchanging messages (“mail”) between people using electronic devices.

Now that the definition is out of the way, what problems are there? In his article, Kev Quirk suggests three main aspects that I am going to focus on:

Spam

Privacy

Workflow management

Spam

Spam is a problem that exists on every communication platform. The supposed issue is that the amount of spam is greater on email than on other platforms. As we have established, email is just an electronic version of mail. Just like mail, email is susceptible to spam, and even with filters some will always slip through.

However, there are ways to prevent this. Email cloaking services protect your personal email from being given away when you sign up for something. You can use spamgourmet or a disposable email service when signing up for online accounts anywhere that you don’t trust. Similarly, you can use an email client like Thunderbird which has additional spam filters built in. As Kev mentioned, you can also train your spam filter to make it better at identifying what is and isn't spam.

Privacy

While some providers allow you to sign up anonymously on Tor, email will never be private. It will also never be as secure as platforms like Signal or Briar. You can improve the privacy of emails by encrypting their contents or using a provider that encrypts account data at rest. Email is not private and shouldn't be treated as such. Instant messaging is more secure and private than email, but email still has many benefits.

Workflow management

Everyone uses email differently. Your children might use email to submit their homework, while you might receive emails about your next meeting. I may use an encrypted email provider; you may use Gmail. I may use an email client; you might use webmail. You may prioritise ease of use over security; I might not. It doesn't matter. For this reason workflow management is a very subjective matter, and hence it's not for me to say whether email has got this right or wrong. Everyone has a different situation, so making generalised statements doesn't achieve anything.

Because of its decentralised nature, email allows for large amounts of flexibility. When it comes to workflow, you can customise email for your needs. If you are a developer wanting to use email with git, you can use aerc. If you are concerned about privacy, you can use a privacy-respecting email provider. If simplicity is all you are after, then Gmail or Outlook might be worth a look. If you want to shake things up a little, then try Hey.

A few other points

Email is a very good way of getting important updates to people. It's relatively fast and efficient, and doesn't rely on people creating new accounts (like on a forum). It probably isn't the best discussion platform because it wasn't what email was intended for.

While NeoMutt is great for mailing lists, I wouldn't recommend it for most people. This brings us back to the customisation that email allows for: because everyone is viewing the message differently, you shouldn't optimise it for one client.

Conclusion

Email is the most widely used, decentralised online platform. There is no correct way to do email. That's a part of its beauty. It's also incredible that products created in the 1960s are still in active use today. It would be futile to try and replace email, and although it has its problems, it is certainly not broken.


I’m publishing this as part of 100 Days To Offload. You can join in yourself by visiting https://100daystooffload.com

#100DaysToOffload – Day 19/100

Today Zoom acquired Keybase. It came as a shock to me at first, but it shouldn't surprise us.

Zoom has been having a rough time with the security and privacy community. There have been countless articles on Zoom's many problems. They have had 2 Windows Zero Day vulnerabilities, along with a Mac exploit that could allow hackers to take over a Zoom user’s Mac. To make matters worse, they use the worst form of AES encryption, which allows the original image still to be partially visible. Zoom has a problem that requires a hefty solution.

The simple answer is to acquire a company that can improve your encryption for you. Google has been doing similar things for years. Keybase is unlikely to grow because cryptography is a niche market; the only users they have don't pay for the product. It is logical for this to have happened. With all the new money Zoom has now that most people are in lockdown, why not use it to improve your biggest flaw?

For Zoom users, this could be a major advancement. If Keybase implements everything correctly then the security of Zoom calls will hugely increase.

For Keybase users, this should have been expected. A centralised platform that relies on closed source servers was bound to have problems. Additionally, the team behind Keybase aren't exactly known for privacy. This was their first venture into the area, and it was mainly because they saw a gap in the market.

The debate on centralised versus decentralised still continues. Some may have used Keybase as their centralised messaging platform, potentially because of concerns with Signal.

Keybase initially started as an encryption key management tool, so what should we use now? Keybase proofs were a simple way to prove an identity; it will be interesting to see if something similar gets made. Already, a former Keybase developer has made his own platform, keys.pub. Equally, Keyoxide and Wiktor's decentralised proofs are two interesting new projects.

The world won't end because of this. It's still unclear as to how Keybase will change because of this. Even so, there are plenty of alternatives including federated options like Element, who today announced end-to-end encryption by default.

I'll be using Riot until I know a little more about the plans Zoom has. But, it will be intriguing to see the developments that happen in the coming weeks.



#100DaysToOffload – Day 13/100

If you've been following the news recently then you've probably heard someone tout “the new normal”. It suggests that this new lifestyle is now normal and may continue to be normal even once the pandemic is over.

Many advancements have been made during this period of lockdown. Jobs that were previously thought impossible to do at home are being done. Venice's famous canals have never been cleaner, according to many reports. Countries might even meet their (unrealistic) lower carbon emission goals on time. The environment in general has had a break from our constant torment of pollution. A lot of good has come out of this crisis and could stay with us afterwards.

While there are positive connotations, there are also bad implications for our liberties. It allows for temporary measures put in place to fight the pandemic to stay in place well after because they are considered normal. Unfortunately, it's happening all over the world right now.

Prime Minister Benjamin Netanyahu of Israel recently authorised the Israel Security Agency to deploy surveillance technology normally reserved for battling terrorists to track coronavirus patients. When the relevant parliamentary subcommittee refused to authorise the measure, Netanyahu rammed it through with an “emergency decree”.

(Source: Yuval Noah Harari: the world after coronavirus)

Countries implementing contact tracing apps have received a backlash from the privacy community. Concerns about the usage of the data have led some not to install the apps. In my last article I talked about Covid Tracer, the kind of product that this pandemic needs. It goes to show how we can combat the virus without invasive technologies. Laws can stay in place long after their use: for example, the right to drive sheep and cattle over London Bridge requires Freedom of the city. This ancient law is useless as no-one does this anymore, yet it is still implemented.

Historically, it has been proven that governments tend to maintain surveillance methods in pandemics long after the crisis is over. When the Patriot Act was passed after 9/11 it was set out to “deter and punish terrorist acts” as well as “enhancing law enforcement investigatory tools”. It had good intentions, but it is now used for many other reasons.

PATRIOT gives sweeping search and surveillance to domestic law enforcement and foreign intelligence agencies and eliminates checks and balances that previously gave courts the opportunity to ensure that those powers were not abused.

(Source: EFF)

At the time, it seemed like a great idea. Ed Snowden himself says that he joined the army after 9/11 to serve his country in his book Permanent Record.

We can all be misled in times of crisis. Hindsight is only an option when the problem has already happened.

This is why we must continue to watch our governments. We must keep a keen eye on what they do to help stop the spread of the virus. We must adapt to the constant changes, and ensure that steps in the right direction are kept.

Equally as important, we must make sure that the surveillance they are doing now is continued, much like how it has been before.


#100DaysToOffload Day 7/100

Over a third of the world is in lockdown; now is the perfect excuse to sort out your privacy. Here are my 6 tips:

#1 – Browser

There is no excuse to use Google Chrome or Safari.

Firefox does everything they can do, with built-in privacy protection. Switching is as simple as going onto their website and clicking download. On top of this you should download these add-ons:

If you are feeling extra technical then this is a collection of privacy-related “about:config tweaks” that will further enhance the privacy of your browser.

I would also recommend going into the settings and setting your DNS provider to NextDNS. Just go into the settings and search for “DNS”.

#2 – Search Engine

Now that you've installed Firefox, you're going to need a search engine. PrivacyTools has a great list to choose from, as well as searchengine.party's great spreadsheet.

#3 – Email/Messenger

If you use an email provider like Outlook or Gmail I would advise changing to a more privacy-respecting service like ProtonMail. PrivacyTools has a good list of email providers.

WhatsApp and iMessage are two of the main instant messaging providers, yet I wouldn't trust either of them for my private communication. Signal is a very similar alternative on the surface, apart from its use of end-to-end encryption. Both Dan Arel and Niek de Wilde have written good articles if you want other options. PrivacyTools also has a very thorough list.

#4 – Password Manager

According to SplashData, 123456 was the most common password in 2019. It's highly likely that you are using a weak password or the same password for multiple accounts. To prevent this, use a password manager like Bitwarden. They can help generate strong passwords that can look something like this:

uzvcDV*6@CJ&D8ssETm^QtNkYaADsxjfUumfrtF*cP7QAkKiiMsSAd*pcpqc

They also store them, and allow you to copy and paste them at will, meaning you only have to remember one password. ThePrivacyGuide has a good article on password managers to help you choose.

#5 – 2 Factor Authentication (2FA)

While 2FA isn't the most fun process, for just a little effort it adds a lot of privacy and also increases security. Even if you have 'bullet proof' passwords, adding an extra layer of protection is always sensible. ThinkPrivacy has a helpful list to choose the best option for you.

#6 – Do you really need... ?

We all probably have too many apps in general. Take a look at your apps and ask yourself: why did you install this, and do you still need it? If the answer is no, then delete it. The aim is to minimise your digital footprint as much as possible. If the answer is yes, then try to look for open source alternatives.

Being private online takes time and effort. Now that you've got that time, why not try and go the extra mile when it comes to privacy? Linked below are some great resources to help you:

Most importantly stay safe. In these testing times it is important that we all try our best to support our governments. Remember that we will get through this crisis, and that life will eventually resume normality.

The overwhelming majority of people these days don't seem to care about privacy. They say things such as “why should I care about privacy, I have nothing to hide”.

There are so many things wrong with this statement.

Privacy is a basic human right, to quote Ed Snowden, the famous NSA whistle blower:

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”

Why would you not care about one of your human rights?

When asked if you have nothing to hide, it's not that I have nothing to hide, I simply don't have anything I would like to share, especially unknowingly. 

People that say you have nothing to hide often care the most about their privacy. For example Mark Zuckerberg spent $30m (£18.8m) buying four houses that surround his own home in California in 2016. “Why?” you might ask, because he cares about his privacy.

We all care about our privacy, though we might not know it. That's why we lock the door when we go to the toilet or why we close the curtains to stop people looking into our homes.

If you look at dictatorships from all periods of time up to the present, they all rely on the basis that people can't know the truth if you don't give them it. This is censorship.

With no privacy there is no room for freedom of expression, without freedom of expression you can't give your own opinion, laying the path for limitation of the press which inevitably leads to censorship and the eventual fall of democracy.

We all need a place to be ourselves, whether that be our bedrooms or a quiet place in the woods; without that place we may not be able to truly discover ourselves. You wouldn't experiment with something (like playing a guitar for the first time) in public knowing you'd be judged for it, but you would at home.

To conclude: Privacy Matters. It's undeniable.

So what can we do?

I have talked about this from a very non-technical standpoint, so if you care, and want to actively do something about your privacy then there are lots of great websites, tutorials and sub-reddits on the matter, so don't feel you have to suffer in silence.

Further Reading

https://github.com/cryptoseb/CryptoPaper#start-of-content

https://write.privacytools.io/freddy/ (bit of a plug)

It was originally used by the Greeks to keep the secret of Greek fire, but now it is used by people all around the world for lots of different reasons.

According to Wikipedia:

Compartmentalisation is the limiting of access to information to persons or other entities on a need-to-know basis to perform certain tasks.

I like to think of it as a floor of a house. You have different rooms for different purposes, and you don't mix things up. For example, you wouldn't sleep in the kitchen, nor would you cook in the bedroom. This is a good attitude to have when it comes to privacy.

This guide is going to cover very basic compartmentalisation. The simplest way to do this is by having 3 compartments:

  • Professional
  • Personal
  • Other

Let's start with professional. This should contain everything you use for work, including your email, all of your files/documents (preferably on LibreOffice), potentially your LinkedIn and so on...

The best browser for all your needs will probably be Firefox with these add-ons:

Be careful when adding extra add-ons. Always make sure each one is open source and that it actually respects your privacy.

This is a collection of privacy-related about:config tweaks that will enhance the privacy of your browser. Enter “about:config” in the Firefox address bar and press enter. Press the button “I'll be careful, I promise!” Then follow the instructions and hey presto!

Firefox partnered with NextDNS, making it super quick to set them as your default provider. Just go into the settings and search for “DNS”. The last thing you need to do is choose a search engine; I'd recommend SearX.

Next we want a browser for more personal matters: communicating with friends and using social media, for example. Our browser of choice is Vivaldi. I would advise setting your default search engine to Startpage or Qwant and using the same set of add-ons as your professional browser.

Finally we have other. This is for anything else that doesn't fit into one of the other categories. The best browser for this is Tor. Before installing Tor there are a few things you need to know. Never log in to anything on Tor. I'd watch this video. For search engine I'd use DuckDuckGo. If you want more info on Tor then this article will help!

As for operating systems, it entirely depends on your threat model. Compartmentalisation, regardless of the operating system, will almost always be an improvement privacy-wise, but if you want to take it further, then any of these will do.

You may be thinking that this all sounds rather complicated, but after a while, like everything, it gets easier. If you are stuck there are lots of great tutorials and sub-reddits on the matter, so don't feel you have to suffer in silence.

I have only touched on this subject very briefly. If you want to go the extra mile, Qubes was an operating system designed with compartmentalisation in mind. Snowden, the NSA whistleblower, used it and they even have a sub-reddit dedicated to helping you set it up. The operating systems you should run in your Qubes are up to you, but an example could be Debian for your professional, Ubuntu for personal and Whonix for other. You can also compartmentalise email accounts, using different addresses (and perhaps even different providers or an email cloaking service) for each service you use. And that's just the tip of the iceberg.


This article was last updated on the 22nd of September, 2020.