
cacert - Re: E-Mail Security Blog Post

Subject: A better approach to security

  • From: Faramir <faramir.cl AT gmail.com>
  • To: cacert AT lists.cacert.org
  • Subject: Re: E-Mail Security Blog Post
  • Date: Tue, 21 Aug 2012 20:30:45 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 21-08-2012 17:15, Pim Veld wrote:
> Hello Don,
>
> I have read your blog-post.

> In principle you are right. If someone with a network sniffer
> monitors your network line at the right time he/she can see your
> mail password. And not only your password but also the whole
> contents of your email.

Exposing the whole content of an email is bad, but people who don't care
about privacy might not care about it; after all, people post all sorts of
things on their Facebook or Twitter accounts. But losing control of
the email account (even for a short period of time) is probably very bad.

> That is not a very likely event unless it is worth a lot for
> someone to learn your ‘secrets’. The same is true for anybody with
> sufficient rights

Not sure about that; people near the email user may have reasons to
do it other than money. I mean, the guy who wanted to date the girl
the email user is dating, and so on. And some people have a very
strange reason for doing some things: "because I can". They will paint
graffiti on your walls, they will take your website down and replace
it with an "Owned" picture, and so on. Taking control of your email
account and then watching your face as it fills with anger may be
enough motivation to do that, and while your home network may be
secure enough, with laptops and open wifi access you want to make
things as hard as possible for attackers.

> on the in-between mail servers relaying the message. Fortunately
> most people with sufficient rights have busy jobs and not enough
> time (nor reason) to go specifically after you.

Indeed, they don't know you. The guy sitting at the next table in the
university cafeteria is a different matter.


> This is true since the beginning of e-mail and I see no special
> reason now to go mad about the plain text password. And certainly
> not blame

In the beginning we didn't have antivirus; now it is a must-have tool.
Things that used to be good enough now require improvement. And since
some free email providers offer secure login, paid providers should do
the same; if not, what is the point of providing lower-quality products
to your customers? ISPs provide email boxes either because they can
charge extra for them, or because they see them as added value that
will make their customers happier and prevent them from moving to
another provider.

...
> minority. In fact I would sooner be worried about paranoid
> government bodies reading my mail.

Governments can get subpoenas, or they can try to sniff all they want,
but I would not care too much if some FBI guy read my plans for my
friend's bachelor party. However, I would be very upset if somebody
took control of my email account and deleted my messages before I
could read them.


> If you are worried about ‘third parties’ reading your e-mail then
> it is a very good idea to encode it. The decoding can only be done
> on the

Yes, sure, but that won't prevent 'third parties' from stealing the
email account, deleting your messages, or subscribing you to a
bestiality porn mailing list.

> But to my surprise I read in your blog: “Oh, sure, you can use
> tools like GPG or PGP to encrypt your e-mail messages. Apparently,
> though, that stuff is only for paranoid geeks and spies. After
> all, how frequently do you exchange encrypted e-mail messages with
> your family and friends. And, if you are silly enough to suggest
> encrypting e-mail messages, you will probably be considered
> paranoid, if nothing else.”

I didn't read that paragraph. But sadly, it is true: not because
only a paranoid person would care about using encryption, but because
most people don't care at all, and they WILL consider you paranoid if
you suggest it. I learned about S/MIME and PGP/MIME 4 years ago, and
I've never been able to convince any of my friends to use them. Only
one of them tried it, and just to learn how to do it, not for daily
use.

> And therefore I wonder why you are looking for support from us
> ”silly paranoid geeks and spies”.

Since he is on this list, maybe that paragraph is sarcastic.
Probably he tried to suggest encrypting e-mail messages and got a
"sure, and I might also start wearing a tinfoil hat!" Anyway, as I
said, that measure won't prevent the attacker from catching the login
password.


> Finally, if you are so worried about your plain text password, why
> don’t you use Gmail exclusively. Gmail also works with local
> clients and there is no need to use Roadrunners email service at
> all.

Sure! And there are other reasons to do that, like keeping your
email address if you move to a different ISP. But since it is very
likely the ISP charges for the email box, they should improve its
quality, or offer discounts if the customer decides not to use it.

Best Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJQNCg1AAoJEMV4f6PvczxANpUH/2uvZGUFUraSfNTdWS+hXl6T
NljGveundZddfJaNTWXDalJac3upC2A7kpnqX5R4HRMXPEaW7AELdQ0fOQXy976/
j8V343ERq4/SbTKXSKha5V4WCPSpkOcEBGQBGCVvWr0wXm3OroqrzJmVyTccNY6C
cn/Zmifn8XsHVTtyVeDbMdKYHBBeqet4F+lvK11XPhcXTn6xsUbzQeXAfhom6Qwl
fOBcEjc1vQQI+kXEeqp9Ernx96xAPAPnYFkt+4ZkyzKPZ95xYNNhSVMm+qGfw7HB
GtvePdjmsEvsqPpnT55qJNE++Y/d3zvSjuqk+LE5QBym+zzxwp1dYJUlKF1P6W0=
=6Vsa
-----END PGP SIGNATURE-----
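The sniffing scenario the two correspondents argue about (a plaintext POP3, IMAP or SMTP login readable by anyone on the path, which GPG on the message body does nothing to hide), shown in working code. This is an added example and not part of the original message or the list discussion: a small Python scanner, written for this page, run over constructed session transcripts in the form a sniffer's "follow TCP stream" view would present. The hostnames, mailboxes, passwords and the function name `scan_capture` are all invented here. It extracts the credentials exactly as a passive attacker would, and stops once the transcript shows a completed STARTTLS exchange, after which the same commands travel as ciphertext.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed session transcripts (not real traffic): "C:" is client -> server,
# "S:" is the server's reply. Hostnames, mailboxes and passwords are invented.
POP3_PLAIN = """S: +OK POP3 server ready
C: USER alice@example.net
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 2 3456
"""

IMAP_PLAIN = """S: * OK IMAP4rev1 Service Ready
C: a001 LOGIN "bob@example.net" "s3cret pass"
S: a001 OK LOGIN completed
"""

# SMTP AUTH PLAIN sends base64(authzid NUL authcid NUL password). The blob is
# built here so the sample is exact; on the wire it is just one more string.
_AUTH_PLAIN_BLOB = base64.b64encode(b"\0carol@example.net\0P@ssw0rd").decode()
SMTP_PLAIN = f"""S: 220 mail.example.net ESMTP
C: EHLO laptop
S: 250-mail.example.net
S: 250 AUTH PLAIN
C: AUTH PLAIN {_AUTH_PLAIN_BLOB}
S: 235 2.7.0 Authentication successful
"""

# Same client, but the server offers STARTTLS and the client takes it: the
# login happens inside TLS, so the sniffer sees only ciphertext afterwards.
SMTP_STARTTLS = """S: 220 mail.example.net ESMTP
C: EHLO laptop
S: 250-mail.example.net
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: <TLS handshake and encrypted application data>
"""


@dataclass
class ScanResult:
    credentials: list = field(default_factory=list)  # (protocol, username, password)
    tls_started: bool = False  # STARTTLS completed; later bytes are ciphertext


POP3_USER = re.compile(r"^C: USER (\S+)\s*$")
POP3_PASS = re.compile(r"^C: PASS (.+?)\s*$")
IMAP_LOGIN = re.compile(r'^C: \S+ LOGIN ("[^"]*"|\S+) ("[^"]*"|\S+)\s*$')
SMTP_AUTH = re.compile(r"^C: AUTH PLAIN (\S+)\s*$")
STARTTLS_CMD = re.compile(r"^C: STARTTLS\s*$")
STARTTLS_OK = re.compile(r"^S: 220\b")


def scan_capture(capture: str) -> ScanResult:
    """Pull plaintext mail credentials out of a transcript, as a sniffer would."""
    result = ScanResult()
    pending_user = None      # POP3 USER seen, PASS not yet
    awaiting_tls_ok = False  # client sent STARTTLS, waiting for the server's 220
    for line in capture.splitlines():
        if awaiting_tls_ok:
            awaiting_tls_ok = False
            if STARTTLS_OK.match(line):
                result.tls_started = True
                break        # nothing after this point is readable on the wire
            # server refused TLS: the client may carry on in the clear, keep scanning
        if STARTTLS_CMD.match(line):
            awaiting_tls_ok = True
            continue
        m = POP3_USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = POP3_PASS.match(line)
        if m and pending_user is not None:
            result.credentials.append(("pop3", pending_user, m.group(1)))
            pending_user = None
            continue
        m = IMAP_LOGIN.match(line)
        if m:
            result.credentials.append(
                ("imap", m.group(1).strip('"'), m.group(2).strip('"')))
            continue
        m = SMTP_AUTH.match(line)
        if m:
            try:
                blob = base64.b64decode(m.group(1), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            parts = blob.split(b"\0")
            if len(parts) == 3:  # authzid, authcid, password
                result.credentials.append(
                    ("smtp", parts[1].decode("utf-8", "replace"),
                     parts[2].decode("utf-8", "replace")))
    return result


if __name__ == "__main__":
    samples = [("POP3", POP3_PLAIN), ("IMAP", IMAP_PLAIN),
               ("SMTP AUTH PLAIN", SMTP_PLAIN), ("SMTP STARTTLS", SMTP_STARTTLS)]
    for name, capture in samples:
        r = scan_capture(capture)
        print(f"{name:16} credentials={r.credentials} tls_started={r.tls_started}")
```

The three plaintext transcripts each yield the mailbox and password in full, which is the point both correspondents agree on; the STARTTLS transcript yields nothing, because the scanner has no more cleartext to read once the 220 reply to STARTTLS goes by. That is also why message-body encryption with GPG is orthogonal to the problem in the thread: it changes the payload of the `RETR` or `FETCH` that follows the login, not the login itself.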



Archive powered by MHonArc 2.6.24.
