
cacert - Re: E-Mail Security Blog Post

Subject: A better approach to security

  • From: Don Parris <don AT dcparris.net>
  • To: cacert AT lists.cacert.org
  • Subject: Re: E-Mail Security Blog Post
  • Date: Tue, 21 Aug 2012 23:28:37 -0400

On Tuesday, August 21, 2012 08:30:45 PM Faramir wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 21-08-2012 17:15, Pim Veld wrote:
> > Hello Don,
> >
> > I have read your blog-post.
> >
<SNIP>

> > That is not a very likely event unless it is worth a lot for
> > someone to learn your ‘secrets’. The same is true for anybody with
> > sufficient rights
>
> Not sure about that, people near the email user may have reasons to
> do it other than money. I mean, the guy that wanted to date the girl
> the email user is dating, and so on. And some people have a very
> strange reason to do some things: "because I can". They will paint
> graffiti on your walls, they will take your website down and replace
> it with an "Owned" picture, and so on. Taking control of your email
> account and then watching your face as it gets filled with anger may be
> enough motivation to do that, and while your home network may be
> secure enough, with laptops and open wifi access, you want to make
> things as hard as possible for attackers.
>
I am with Faramir on this point. And others have reported recent e-mail
account cracking - not sure of the reasons, but the targets were not
necessarily VIPs, but average business people. People have all kinds of
reasons to crack systems.

<SNIP>
> At the beginning of times, we didn't have antivirus, now they are a
> must have tool. Things that used to be good enough before now require
> improvement. And since some free email providers offer secure login,
> paid providers should do the same, if not, what is the point in
> providing lower quality products to your customers? ISPs provide email
> boxes because they either can charge an extra for them, or because
> they see them as an added value that will make their customers happier
> and will prevent them from moving to another provider.
>
Again, Faramir is right on point. I am paying for a service. I believe I
should expect better - especially given that the same provider offers a
secure web mail interface. Why force me into the web mail interface, which
I hate?

<SNIP>
> I didn't read that paragraph. But sadly, it is true, not because
> only a paranoid person would care about using encryption, but because
> most people don't care at all, and they WILL consider you paranoid if
> you suggest it. I learned about S/Mime and PGP/Mime 4 years ago, and
> I've never been able to convince any of my friends to use them. Only
> one of them tried it, and just to learn how to do it, but not for
> daily use.

Yes, my tongue was planted firmly in cheek here. Even though I have created
a GPG key pair, I have yet to exchange e-mails with anyone - family,
friends, fellow Linux users... using encrypted messages.

> > And therefore I wonder why you are looking for support from us
> > ”silly paranoid geeks and spies”.
>
> Since he is on this list, maybe that paragraph is sarcastic.
> Probably he tried to suggest encrypting e-mail messages and got the
> "sure, and I might also start wearing a tinfoil hat!". Anyway, as I
> said, that measure won't prevent the attacker from catching the login
> password.
>
No one ever told me that, but I assume that will happen since most of the
people I know think I already have my tinfoil hat for using GNU/Linux systems
to begin with.

> > Finally, if you are so worried about your plain text password, why
> > don’t you use Gmail exclusively. Gmail also works with local
> > clients and there is no need to use Roadrunners email service at
> > all.
>
I do use GMail, but many people worry about their privacy with Google. I
actually now forward my e-mail to another account, which I can check
securely. It is also an account which I can maintain regardless of my ISP.
But stopping an e-mail account is a bit complicated.

In my zombie-fied state, I have been using the POP account for many of my
personal business dealings. Bank accounts, travel, on-line purchases,
subscriptions to various things... It will be impossible to change all of
that overnight. I will have to settle for forwarding my mail until I can
change all of the numerous accounts I've created.

But I also think it is important to raise awareness of the problem. And one
part of the problem is that most of us never really think about these things.
It took actually seeing my password in Wireshark to make me realize how easy
it really is for someone to crack my account. That may not be true of most of
this list, but even other techies I know seem to have been caught a little
off guard by this.

I greatly appreciate the comments both of you have offered. You both are
helping me see the problem a little differently. And that's huge.

Don
--
D.C. Parris
980-230-1204
http://dcparris.net/
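The thread above turns on one observation: a POP3 login over plain TCP shows the password to anyone on the path, exactly as Don saw in Wireshark. The script below is an added example written for this archive page, not code from the thread or from any of its participants. It walks three constructed POP3 session transcripts (laid out the way Wireshark's "Follow TCP Stream" shows them, with C:/S: prefixes for the two sides; the user name, password and server banners are made up) and reports what a passive sniffer can recover: the classic USER/PASS login, an AUTH PLAIN login (which only base64-encodes the same secret), and a session that upgrades to TLS with STLS before authenticating, where the credentials are not visible.

```python
"""Added example, not from the original thread: what a passive sniffer sees
in a POP3 login. The three session transcripts are constructed for this
example in the shape of Wireshark's "Follow TCP Stream" output, with C:/S:
prefixes for the client and server sides; names, passwords and banners are
made up."""

import base64


def _sasl_plain(blob: str):
    """Decode an RFC 4616 PLAIN response: base64("authzid\\0authcid\\0passwd").
    Returns (user, password) or None when the blob is not a valid response."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def sniff_pop3(stream: str) -> dict:
    """Walk a captured POP3 stream line by line, as a sniffer would, and
    report the credential material visible in the clear. Stops where STLS
    (RFC 2595) succeeds, because from there on the TCP payload is TLS records."""
    result = {"user": None, "password": None, "tls": False}
    awaiting_blob = False   # next client line is the AUTH PLAIN payload
    awaiting_stls = False   # next server line answers the client's STLS
    for raw in stream.splitlines():
        side, _, line = raw.partition(": ")
        if side == "S":
            if awaiting_stls and line.startswith("+OK"):
                result["tls"] = True
                break
            awaiting_stls = False
            continue
        if side != "C":
            continue
        if awaiting_blob:
            creds = _sasl_plain(line)
            if creds:
                result["user"], result["password"] = creds
            awaiting_blob = False
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            result["user"] = arg
        elif verb == "PASS":
            result["password"] = arg
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN":
                if initial:  # RFC 5034 initial response on the AUTH line itself
                    creds = _sasl_plain(initial)
                    if creds:
                        result["user"], result["password"] = creds
                else:
                    awaiting_blob = True
        elif verb == "STLS":
            awaiting_stls = True
    return result


# Constructed transcript 1: RFC 1939 USER/PASS login, everything in the clear.
PLAIN_LOGIN = """\
S: +OK POP3 server ready
C: USER alice@example.net
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 3 4812
C: QUIT
S: +OK Bye
"""

# Constructed transcript 2: the same credentials over AUTH PLAIN. The blob is
# built here the way a mail client builds it; base64 is encoding, not encryption.
_BLOB = base64.b64encode(b"\0alice@example.net\0hunter2").decode()
SASL_LOGIN = f"""\
S: +OK POP3 server ready
C: AUTH PLAIN
S: +
C: {_BLOB}
S: +OK Logged in.
C: QUIT
S: +OK Bye
"""

# Constructed transcript 3: client upgrades to TLS first. After the server's
# +OK the stream carries TLS records, shown here as a placeholder line.
STLS_LOGIN = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
<TLS records follow; USER/PASS travel inside the encrypted channel>
"""

if __name__ == "__main__":
    for name, session in (("USER/PASS", PLAIN_LOGIN),
                          ("AUTH PLAIN", SASL_LOGIN),
                          ("STLS", STLS_LOGIN)):
        print(f"{name:10s} -> {sniff_pop3(session)}")
```

Running it shows the first two transcripts yielding the same user name and password, and the STLS transcript yielding none. The practical check this suggests for a paid POP account is simple: capture your own login with Wireshark (or `tcpdump -A port 110`) and confirm that the client sends STLS, or uses POP3S on port 995, before any USER, PASS or AUTH line appears.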


