Gwebs Cryptographer

Social networking seems to be pop right now, how many people you know that they use / don’t use social network applications like Facebook, Twitter, MySpace, Orkut, XiaoNei (校内 in China), or other ones. Can you honestly say that you have never even heard of these applications ? Yeah, that’s what I thought.. These apps are integrating to our daily life, and eventually someone will ask “How we kept in touch with our friends before social networks?” Just like my friend’s kid asked me once that “What you were doing at work before internet?”. I think these questions will make people to think that how dependent they really are about technology and services.

But more interesting is that how many people really trusts into these open and free networks. Some time ago Facebook got so much publicity when they announced that all data what users have put in it will be theirs, so basically all the personal data, pictures, videos, etc. Then just a bit later, they told to users that there are no worries, that everything will be just fine. And now, hardly no-one even remembers that anymore.

It seems to be that internet is so full about different kinds of social networks and applications which are collecting users private data. And I think it will be only the matter of time when someone will steal all that data, ’cause normally these services are not having so strong security. One reason might be the money issue, although I guess nowadays quite many people will be interested to pay a bit for example the usage of Facebook, if they can be sure that all their data is secured. But on the other hand, there are plenty of users who think beforehand that what information they are willing to share and which information not. And just like Barack Obama advised kids, that be aware that once you post something into the internet, you can be sure that I will be digged up later, if it can be used against you. So maybe it will be nice to take a look for Facebook Etiquette as well, although most of these things are more or less self-evident, but I think still worth of reading through.

I read a couple of articles some days ago about privacy and security issues in social networks/webs, just like Facebook, MySpace, Twitter, and so on. (Links to the articles at the end.) These articles are mostly pointing out the same issues which I wrote above, that it’s really users own responsibility what to share and for whom to share it. So many instances are following social networks also like friends, colleagues and family, everybody you like but also quite many you maybe haven’t thought about. Like your boss, different organizations and companies, so basically if you’re planning to apply for a new job, it might be that your profile will be checked through before you will get invitation to the interview. And also talking about that in social network, might make your boss feel unease.

But that’s not everything about privacy issues, there’s also some other things to point out as well. Nowadays, it seems to be that mobile phones are getting closer to laptops and vice versa, so it’s quite normal to update social network profiles through mobile phone. And for up-to-date user it might be self-evident to have anti-virus software also in a mobile phone, but I can tell for sure that most of the users don’t have, any kind security software in their mobiles “I don’t need it, this is Just a phone”, but anyway the users are using all the same programs and applications as with computers. So, basically all the data what user is keeping in secret in his/hers computer, user will freely use in mobile, without thinking that the same “evil”-internet is waiting there as well.

The thing which I brought up the mobile phones into this also, is that what makes people think that if they use one secured system in one place, it won’t be useful, if they use same data with non-secured systems elsewhere. And this includes everything, not only social networks, but emails, contacts, files, pictures, etc.

A while ago there was news about new type of identity / private data phishing, basically there are some applications within social networks, which are collecting different kind of data from users. And then some identity thiefs have been using that data to create virtual-friends for users. So the main idea is that these virtual-friends are sharing something common with user, belonging to same groups or have same interests, then they’re sending friend requests to users. And if user will accept their request, then they will collect all data from that user, what they think is useful for them. Maybe email addresses, phone numbers, street addresses, photos, videos, etc.  So nowadays it’s really recommended for people to check what kind of information they are sharing from themselves and are they really willing to tell all their secrets or thoughts to everyone.

I personally like social networks a lot, and I like that there’s some place where I can enter almost from anywhere to check how my friends are doing and letting them know what’s up in my life as well. I haven’t paid much attention for security issues in social networks, but now after reading these articles, I might take another look for some apps properties and privacy options.

Some of you might think now, that what will be my result to solve these privacy issues, well frankly speaking there is no solution. I can only encourage everyone to think twice before posting anything to social networks,  text, comments, pictures, video, files, etc. what ever is on your mind. Sometimes you might think that with this post your friends appreciate you more or you will get publicity, but be aware that all that data will be saved somewhere and it might pop-up later, when you cannot expect it to happen.

Here are the links for the articles I mentioned earlier:
Fast Company’s article: Privacy and Security Issues in Social Networking
Computer World’s article: Protect your privacy on Facebook and Twitter

Some other articles related to this topic:
Google Warns of Privacy Issues on the Social Web
Exclusive: U.S. Spies Buy Stake in Firm That Monitors Blogs, Tweets

Security, email, personal, privacy, software application, email, Facebook, Mobile, myspace, orkut, privacy, Security, social network, software, twitter, xiaonei

Back at the old times, when I was a active student I used to use email a lot, for writing to my study-mates for setting up groupworks, to my professors to ask questions, for my family to keep in touch. Email started to be one of the main communication way. It was just so easy, fast and convenient. You don’t have to wait that the other person is available, you can write it a bit, save it and continue later, so you don’t have to bother someone many times to get all the information you really need. You can use email almost anywhere, especially if you’re using any kind of webmail, just have internet connection - log in and handle your mails.

Now when I’m looking back in time, it was really like that. But nowadays when all kinds of social networks and instant messengers (IM) are available, I can see that I’m not really using email so much anymore. It seems to be “too slow” way to contact people. I guess this technological awareness is really taking place in today’s daily life. People are getting so used to use different methods to keep in contact immediately. If one cannot reach you from any IM or social network, it might be that the person will give you a call or send a SMS. Just because they want to exchange the information now.

Sometimes I feel that it’s really distressing, that you have to be reachable always, because of projects, work, friends, family, etc. And if you are not reachable people will feel annoyed, it just seems that no-one is not allowed to have their own time anymore. And I’m not talking about vacations now, normally vacation time is sort of “holy-time” of course this depends pretty much that what kind of job you’re doing and what’s your responsibilities in the company. And who can say that after a couple of weeks vacation the email-inbox is empty ? I can tell you for sure, that mine is not. If there’s less than 100 emails I can be happy.

I made a little enquiry within our staff, that how they feel and use their email, encryption software and other software. This research was quite interesting, because the most of our staff is Chinese and I was quite amazed about some of the answers.

According this enquiry, I think usage of email is culture related, more or less. With this amount of data it would be close to impossible to hand out any inclusive report. I think that peoples’ opininions are anyhow quite different here in East that they are at West, I mean opinions among tech-related people. I won’t analyze the results themselves, just take a look and make your own judgement.

Well, here are the questions what we asked and also the results what we got. The results are in blue, that it will be easier to follow.

Enquiry -  We asked for short answers with arguments and here’s the conclusion.

Habits of e-mail usage ?
For what kind of communication you are using e-mail ?
For most of repliers e-mail is mostly used for work or business purposes, sending data, files, documents and pictures when the receiver is not reachable with instant messenger (IM).

How fast you’ll expect that the recipient will answer you  ?
The most of the people wish to get a reply within a same day, some even within one hour. Only a couple of answerer were satisfied if they will get reply within 2 or 3 days.

Do you check your email daily ? hourly ? weekly ? sometimes ?
Almost everyone is checking their email daily or several times per day.

How important e-mail is for you ? Can you live one week / one month without e-mail easily ? If you’re not able to check your emails will you go crazy ?
Here the answers were basically divided into two, approx. half of the repliers told that they use email only for work or business, so they can live easily without it, and they won’t go crazy if they cannot check their email (of course depending if they will work that time or not). Then the other half seems to be more dependable about email, and they will go crazy if they cannot check their email even once within 3 days.

What did you expect when you first time used any kind of e-mail encryption software ?
Did you think that it will make your life more secured ? (From what?)
Almost everyone told that they feel more secured when they use email encryption, and the most common reason was privacy. They don’t like the idea that someone is snooping and reading their emails.

Did you thought that what might happen if you lose your encryption/decryption keys ?
Here also the answers were basically divided into two, the first group admitted that they didn’t thought that what might happen if they lose their keys. The other group seemed to have some experiences about this already and it seemed to be that someones are getting angry for the software for losing those keys, even if the fault was their own. And this normally led for changing the encryption software.

How did you felt when you used one (software) ? Did it effect immediately, giving you the emotion of security ? Or all the worries, “What if ?”
For everybody the first feeling was very positive, strong feeling that “now I’m secured”, but some of the repliers admitted that later they start to wonder with “what if?”-questions and also feeling annoyed of all inconveniences with the software, like reading email in many places, all the time feeling worried about the keys and so on.

When you tried some encryption software, did you think that “this is it!” I’ll use this forever or did you tried to find a better one, more secured one ?
The most of the answerers have been searching better ones after trying the first one. A Few told that they don’t mind to change their software but the current one is just fine too.

How do you feel about Free and Not-free software will it cause you feeling of trust/mistrust ?
All repliers think that free software is basically just for testing it and seeing the main features. And that the not-free ones are better, more reliable than free ones.

When you see free software, will you think how nice, there are still some kind people to offer this kind of tool free ? Or will you think that is there something behind “hidden” ? Will this company use my data for something else ? Maybe illegal activities ?
Quite many replier thought that there has to be something “hidden”, but still most of these repliers were not so interested if the company uses their data for something or not. Someones thought that the software can be free, ’cause the company will get funding from advertisements or from some foundations.

By which criteria you choose the software which you are using ? Free ? Well known ? Easy to use ?
Every single replier told that the most important things for their software is that it’s well-known and easy to use. If it is free of charge, even better, but someones said also that if the software is good enough, they will gladly pay for that it makes their life easier and more secured.

How you can trust that free software is really free ? or how you can trust that the software (what was SO expensive) is more trustworthy than the free one? Can you?
This question was made in purpose to be familiar with the earlier one. This question raised up the idea what I was willing to see.
If the company offers only   software which is free of charge the most of people don’t trust for it, but if they have for example products for individual use for free and for business use chargeable ones, then it’s fine. Then it’s the interesting part, the most of the repliers also thought that if the software is free of charge and open-source then it must be trustworthy, because basically anyone can check and modify the source code. Although, within security softwares this rarely happens, ’cause otherwise the hackers can see it too and then it’s not safe anymore.

Does the cost of software give you any kind of idea how good it might be or how trustworthy it is ?
The most of the repliers thought that the amount of money or cost is not really related for that how good it is. Quite often the most expensive one is having already so many features that it won’t be easy to use anymore.

Will you use any software which is delivered by government or other authority ? Why ?
Only one of the repliers is using software delivered by government and only because it’s required by the other business partner. Other ones thought that they won’t use any software which is delivered by government, because the software might include some spy-ware.

Gwebs, Security, email, encryption, privacy, software email, encryption, enquiry, Gwebs, IM, privacy, Security, social network, software

I guess most of the people have been following the news about “Bank screws up and sues Google”, which is very interesting news related to Email security. When I read this news at the first time, I just shaked my head and thought “This can only happen in USA”. And the worst thing here was that those emails were not secured at all, just basic emails full of customers’ private data.

I really cannot understand about the result that Judge orders Google to deactivate some random users accounts because of someone made a mistake, humane mistake. Especially one, whom these random users are not related to. I can say that I might go crazy if one day my email is de-activated without noticing it before, just because someone has sent some email to my email address which doesn’t belong to me.

The situation is easy to compare to non-digital world. Let’s think that post is delivering to your postbox someones bank statements, without being in a letter. Just papers to your postbox, will you feel safe ? Will you think that is that the common policy of this bank ? Anyone can read that information on the way, the staff at post office, the delivery guy and anyone who is just on the way. Will you also consider that it’s reasonable that the Bank will sue the owner of your postbox, because they made the mistake ? And even worse, do you think that it’s reasonable that they will vanish/seal up your postbox, ’cause there is some information that doesn’t belong to you.

For me, this all sounds so ridiculous. If someone needs to be sued or punished the person will be within the bank staff. Also I really feel unsafe for this bank, that they didn’t use any encryption for those emails. Anyway, I assume that they are using letters when posting bank statements to their customers, so why not using encryption when data is in digital form ?

Luckily, I’m not a customer of this bank, and I feel safe with my own bank accounts. Banks that I’m using are really investing money for security and also offering the best service for their customers. Of course the situation is currently better in Europe than it is in Asia, but Asia is growing fast, very fast. About USA I really cannot say, I always feel unsafe about money issues there. The credit card policies are so loose and all the security issues seemed to be popping up all the time. I guess it’s only the matter of time that people are getting annoyed for so bad and unsecured service.

But luckily on the mean time suing in US is so easy and convenient so why not suing everybody and make people suffer about mistakes, maybe the ones they couldn’t prevent at all, ’cause that’s what it’s all about. I’m really happy about Google’s services so far, but this case is just a bad example how vulnerable this huge company is also for crazy laws and policies in US.

Although, I don’t know where is better, maybe in Europe. I’m currently living in China and getting so frustrated about governmental actions to limit access to “out there”, I mean the Chinese Great Firewall (GFW) is really bugging my nerves all the time. But that’s another story.

Here is the case file for you to make your own judgement “The Rocky Mountain Bank Vs. Google” (pdf-file).

Security, email, encryption, google, privacy bank, email, encryption, google, privacy, Security

This guide will help you understand the basic facts about email security — what it is and why you need it.

What is Email Security?
On one level, email security is ensuring that your emails are secure: that is, it involves the maintenance of the basic information security concepts:

• Integrity - ensuring that your message has not had unauthorized alteration
• Confidentiality - ensuring that no unauthorized person (or process) has viewed the content
• Accountability - being able to prove who wrote the email
• Availability - ensuring that the email can be sent/received
• Non-repudiability - being able to prove that the recipient really did receive it

But more than the email itself is involved in email security. It also involves:

• Ensuring that you neither receive nor send malware hidden within the email or any attachments
• Minimizing the receipt of spam, scams, phishing expeditions and illegal content
• Ensuring that staff neither accidentally nor with malicious intent allow or send confidential, sensitive or illegal content within or outside of the company

Why do I need Email Security?

You need email security simply because failure to do so has both commercial and legal ramifications. An example that can illustrate both aspects would be infection with a highly destructive and virulent virus. Let us assume that your own systems are infected, and the virus payload is delayed but destructive: that is, you manage to infect, say, a competitor before this virus destroys your system.

The commercial implication is obvious: loss of your systems, data, records, etc. will be severely damaging if not fatal. But on the legal side, many lawyers believe that you could be held liable for any loss suffered by a third party that you infect, whether intentionally or even knowingly or not. If that third party were a competitor, then it would have little incentive not to sue the elbow off you.

And the history of internet litigation is already strewn with examples of both staff and competitors suing companies that have allowed compromising information to circulate within, or worse, to escape from, the company network.

It would be much safer to ensure your email is secure rather than risk the potential problems of insecure emails.

What do I need in Email Security?

Since so much is involved in email security, it is not surprising that you will be lucky to find everything you need in a single product. Just on the basis of the above discussion, you will need:

• Anti-virus software (to ward off viruses and worms)
• Anti-spyware software (to ward off trojans, adware and spyware)
• Anti-spam, -phishing, -scam software (to cut down on wasted staff time)
• Content security software (to make sure confidential, sensitive or illegal content is neither circulated within nor leaked from the company)
• A company email usage policy (to reduce staff misuse of the email, and give you some redress for when they do misuse it)
• And last but not least, a secure email (as opposed to email security) capability

The secure email system is possibly the hardest of all. The problem is that it inevitably involves encryption - and the only form of encryption that does not create administrative problems between the sender and the receiver is a Public Key Infrastructure (PKI). But PKI is expensive to run and administer - and gets you involved with even more requirements. For example, if you operate a PKI, then you need to consider identity management software and provisioning software. Nevertheless, if you are a large company with lots of sensitive data, then PKI is the obvious route. For single user RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) encryption method is a bit simplier and lighter to use. Quite many free encryption softwares are using RSA instead of PKI. The encryption is still “hack-proof”, which means that cracking it, it takes more than 100 years.

In particular, PKI and RSA can demonstrably provide four of the five security basics we noted at the outset of this article: integrity, confidentiality, accountability, availability, non-repudiability (availability is the one not specifically provided by PKI).

Where do I get Email Security?

If you are looking for email security software then you have a basic choice: you can look for best of breed point products in all of the above; you can look for an email security specialist that bundles different aspects within a single product or suite; or you can go for a hosted service. Or then you can just download our MailCloak-software from our company’s website (www.gwebs.com/mailcloak.html). Yes, it’s free!

Other related topics:

Encryption for Dummies
http://opsec.spaces.live.com/blog/cns!62F870188540FB1E!1097.entry

Public Key Infrastucture, PKI, encryption for dummies
http://www.networkworld.com/news/64452_05-17-1999.html

Public Key Infrastructure, PKI (Wikipedia)
http://en.wikipedia.org/wiki/Public_key_infrastructure

RSA encryption (Wikipedia)
http://en.wikipedia.org/wiki/RSA

Terminology and encryption algorithms
http://www.easeus.com/resource/encryption-algorithms.htm

Gwebs, PGP, Security, email, encryption, how to, personal, privacy email, encryption, guide, MailCloak, PKI, RSA, Security

I guess everyone who is using Gmail and/or other Google Apps have heard about this new Google Wave, which suppose to be mind blowing and transform the concept of email. Well, so far it’s a bit too early to say will this happen, because the release date of Google Wave will be at the end of this month, Sep 30th.

According several blog writings and articles Google Wave won’t put Gmail or Google Apps aside, at least not yet. It just seems to be Gmail with some extra features. So far, I have been using Gmail, G-talk (also with voice and video), Google Docs, calendar and other functions too as well. So when I’m watching the picture, it doesn’t seem to be SO different than Gmail. It just that all the functions and features are in a same box, inbox.

At the beginning this seems to be a bit confusing, but unfortunately the pictures or videos are not giving the whole truth. For me, I really want to experience it by myself before making any judgement.

Some other concerns, mostly about our business, is that will Gmail change too much when Google Wave is released, I mean that will our product MailCloak still work with this new concept of email. Like said, too early to say, because we didn’t get developers’ access to the Wave. Of course, we are going to test Wave immediately when it’s released so we can check the functionalities and see if our software is adaptable enough, or should we make some changes.

I guess, the biggest change will be the “waves”, that in what kind of concept they really are. And how easy it will be to secure all that data which is shared through those waves: Text, pictures, videos, links and other stuff.

Well, I go with the Google specialists’ comments “It’s very, very early to say..”. But we will see, in near future what’s gonna happen. I anyway assume that Gmail will still stand there for users at least for a while that the adaptation for the new system will be easy.

Thanks for Google’s official Blog and Gina Trapani about the pictures and all the information!

From the following links you’ll find more information about Google Wave:
http://googleblog.blogspot.com/2009/05/went-walkabout-brought-back-google-wave.html
http://smarterware.org/2021/google-wave-qa

Click the pictures to see them in full-size!

Gwebs, Security, email, google, privacy gmail, Google Apps, Google Docs, Google Wave, MailCloak, Security

Last night I was at the Beijing Tweetup and had an interesting conversation with Rebecca MacKinnon and Andrew Lih about NGO and journalist security needs, which got me thinking this morning - NGO’s and Journalists really need an easy-to use-security tool designed to provide them with 100% fail-proof anonymity and security - and MailCloak - our new encryption tool, is perfectly positioned to help them out.

Why is MailCloak positioned to help? Because MailCloak allows you to send email from Yahoo, MSN and Gmail, and protect your messages with strong encryption. Yahoo, MSN and Gmail - are these known for anonymity? Well, maybe they aren’t known for it, but they are great tool because you can create disposable email accounts freely and easily.

Here are the steps, most of which I have previously documented:

1. Setup your proxy connection (and turn it on) to keep your IP address private when accessing services you wish to remain anonymous
2. Create a new free, disposable Gmail, Yahoo! Mail or MSN Live Hotmail account. Remember, don’t use any real personal information.
3. Download and install MailCloak on your computer, and have your contact do the same.
4. Exchange public keys and test MailCloak by sending trivial messages to make sure they go through encrypted. Only send important information after testing the encryption.

That’s it!

Security, email, email encryption, encryption, government Anonymous, email, NGO, proxy, Security

Sometimes you send and receive important email.

Do you know who is watching?

Your email can be viewed by anyone with access to the systems it passes through.

Check out this new video, and then start protecting your email!

MailCloak is compatable with dozens of email services. To learn more, check out Global Web Security’s Offical Website!

PGP, Security, email, encryption, privacy Email Encryption, global web security, gmail, gmail encryption, google, hackers, MailCloak, msn, protection, safety, Security, Video, yahoo

Today I was helping my mom setup new Gmail and AIM accounts, (now that gmail chat and AIM are linked, its essential to have an account on AIM and gmail, and to link them) and I was horrified to discover that she keeps all of her passwords, including her bank, email, credit card, web and domain hosting, and other crucial sites, in a word doc on the root of her laptop’s hard drive. AHHHHHA! What a recipe for disaster! “But what should I do?” she asked me. Her passwords are myriad, and all different (good), but she can remember none of them (bad!).

Here are several ways to keep your passwords safe (and the pitfalls):

1) Do like my mom, and keep all your passwords different, and in one “password file”, but encrypt that file with PGP, GWEBS WebmailSafety, or some other asymmetric encryption.

Pitfalls: A) You could forget your PGP password. B) You could lose your private key or your password file. C) Someone could steal your private key and your password file and guess your password. D) Someone could steal your password file and crack your private key.

Avoiding Pitfalls: A) Write down your pgp password somewhere, but don’t label it “PGP password” and keep it safe and long. B) Keep both a copy of your private key and your password file backed up and offsite, but not on someone else’s systems. C) Not likely, but again, you have to keep your password long and secure. D) Even less likely. Use a high bit rate algorithm. WebmailSafety, for example, uses 2048 bit RSA, and you would need to string together several of today’s most powerful supercomputers to crack that within your grandchildren’s life time.

2) Use a commercial password keeper, like Apple’s keychain or similar.

Pitfalls: these password keepers are only as secure as their implementations – and the user must decide which software to trust. Apparently Apple’s keychain is pretty secure, but you should always find out as much as you can about critical security software.

3) Use several passwords that you can remember, but different passwords on important or often-used sites. And never write any passwords down. For example Password A for email, password b for your online bank and password C for everything non-mission critical.

Pitfalls: The more you use a password, the less secure it is, and the more places you use, the less secure it is.

Avoiding pitfalls: For daily use and important passwords, choose long, strong, and hard to guess passwords, enter them manually and change them often. Daily use passwords are easy to remember because you are entering them all the time, and repetition breeds memories. Your non-mission critical passwords may be guessed, and if the intruder guesses one, they know them all, but again, these passwords are non mission critical, so this isn’t such a big problem.

Well, there are three solutions that I recommend. This is a big topic, so I look forward to user comments. Tell me what you do. How you keep your passwords secure, and if I missed some pitfalls, help me fill those in too!

PGP, passwords, personal, privacy encryption, IT, PGP, Security

Encryption is extremely important, but its overuse can also lead to problems.

Five to reasons to use Encryption:

1) You are dealing with important government, company, or personal data – especially on laptops, flash drives, or portable hard drives.

The news these days is riddled with stories of public servant or big company data theft, often due to laptop or hard drive loss. If big companies lose their data that often, little companies and individuals must do it all the time (more often, probably, because they don’t have encryption mandates) – they just don’t make the news. If you encrypt your data properly, data theft is virtually impossible. Note too that encryption doesn’t preclude data loss - you should back up your important data as well. Read more…

Security, encryption, privacy communication, data security, email, encryption, files, internet, IT, privacy, protection, Reasons not to use Encryption., Reasons to use Encryption, Security, TrueCrypt, WebmailSafety