Shostack + Friends Blog Archive


Email Security Myths

My buddy Curt Hopkins is writing about the Petraeus case, and asked:

I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many
additional technically- and legally-useless bits of sympathetic magic that
people regularly use in the belief that it will save them from intrusion or
discovery, either based on the law or on technology? 

In other words, are there a bunch of ‘old wives’ tales’ you’ve seen that people
believe will magically ensure their privacy?

I think it’s a fascinating question–what are the myths of email security, and for the New School bonus round, how would we test their efficacy?

I should be clear that he’s writing for The Daily Dot, and would love our help [for his follow-up article].

[Updated with a fixed link.]

7 comments on "Email Security Myths"

  • ED says:

    Most legal “disclaimers” at the end of emails requiring confidentiality. Useless!

    • Curt says:

      ED: Can you (or anyone else) expound on why legal disclaimers at the ends of emails are useless? Writing a new story on that topic, if it turns out it’s substantial enough. Thanks.

  • ?? says:

    Thinking email will be gone forever when you press delete.

    Forgetting that everything you have ever sent is saved in your sent items folder.

    Thinking you must get some kind of warrant or get some kind of notification if the feds search your email on the cloud. Or thinking your email provider might tell you your account had been searched (even if they wanted to, they might not be allowed to).

    Thinking that an email account hosted outside the country might be safer from people spying on you.

    Thinking your social network or email is private because you don’t have a Facebook/Gmail/etc. account. These sites can build your social map in reverse, even without your help, because of all your other friends with accounts on those services who have tried to connect with you or who have had email conversations with you.

    Thinking you’re the customer when using Gmail, Facebook, etc. You’re not the customer, you’re the product. Why do they want your real name, birthday, cell phone #, etc. so bad? If you’re not paying for privacy, you’re being sold to advertisers. Since Google is a repeat offender in the privacy arena, the feds have given themselves permission to monitor all their data. Don’t spy, the government hates competition. If the feds aren’t a VIP customer, what explains Schmidt being willing to dress up in a flak vest and fly into the green zone to do a song and dance about how great it is that Iraq is now open for business? (YouTube)

    Thinking the special backdoors these services provide to governments and law enforcement to read your email when they do have a warrant could never be hacked into by people who don’t have a warrant. (read Bruce Schneier’s blog about the time Google got hacked)

    Thinking it’s safe to open a PDF file or click on a link to a web page with Flash, or that it couldn’t affect your privacy.

    Thinking it is impossible for someone to track when or where you open an email. Or not realizing that these aspects of your privacy could be compromised by your simply opening an email.

    Thinking it’s OK to use the same password for years and years on the same email account.

    Thinking it’s OK to use a weak password for your email account. When all your other online accounts can be reset if someone has access to your email.

    Thinking nobody can gain access to some other external web application if all they have is your email address but your email account password is very secure. (Ask Skype)

    Thinking it’s OK to use the same password for your email account as you use at any other online website. When that website gets hacked, your email and password could be compromised online – ask LinkedIn.

    Thinking your email is private because you used SSL to log in. (Firesheep)

    Thinking it’s safe to read email at a coffee shop (learn about network spoofing and DNS hijacking)

    Thinking the Obama administration must have finally made things right for the digital privacy of US persons after Bush’s administration and the NSA trashed the spirit of civil rights with unreasonable domestic wiretaps and then granting immunity to telcos complicit in the act. Obama gave Bush’s attacks on the 4th amendment his blessing and appears to be building on them. And how patriotic is the USA Patriot Act which he also extended? This is a message maybe only independents can handle, but unfortunately they are an impotent minority. So say it with me: Dude, you’re getting a drone!

  • This is a subject that makes me chuckle and grimace at the same time. I chuckle because we have known, since the dawn of the technology, that e-mail is insecure in countless ways. I grimace because I was part of a failed e-mail security start-up around the turn of the century.

    It’s a great subject with a lot of various perspectives and a lot of different use cases to represent. Commercial stakeholders and their users, the general public with “free” e-mail services. In-house e-mail vs. outsourced e-mail (cloudy??). Security operations vs. IT operations (I really wish they weren’t so segregated today).

    I’m sure there are a ton of “Old Wives’ Tales” out there. But, I think there’s a higher-order problem. We’ve known about e-mail insecurity since, as I pointed out, the inception of the technology. It’s been a matter of how much people care about securing e-mail. And, I assert that people generally don’t care about e-mail security because, aside from the occasional sensational news story (i.e. the Petraeus case), nothing really bad happens from e-mail. Or, so much badness happens that it’s no longer newsworthy (I don’t believe this is the case).

    When was the last time we saw IP leaked via an insecure e-mail? When was the last time we saw a divorce publicized because of insecure e-mail? When was the last time a data breach was reported due to insecure e-mail? Put another way, when was the last time e-mail eavesdropping was reported (i.e. someone sniffing packets and seeing the e-mail from that perspective)? When was the last time someone reported an intercepted and altered e-mail?

    I’m not asking about authentication related access breaches (that seems to be a different problem); rather, I’m referring to e-mail in transit or storage.

    If there’s a master list of related breaches, I’d love to see them.

  • Ian Lyons says:

    This is a great question, and obviously one with far-reaching implications. The thing is, email security in and of itself is a myth. Unless every single best practice is followed to a T — and with large companies with less-than-tech-savvy employees, that’s nigh impossible — there will be breaches.

    There was also a good webinar on this last year, done by a few security guys, including Google’s Adam Swidler. Pretty interesting.

  • David R. Braden says:

    East Asia, Taiwan – 19 yrs: Different here: Most folks don’t care. Privacy isn’t a social value.

  • Curt says:

    How is email processed by email providers? How does that process differ between an overtly Web-based email provider, like Google, and something like Comcast or another ISP-provided email account, if it differs at all?
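One of the myths listed in the comments above, that nobody can tell when or where you open an email, can be tested on a message you have received by listing what its HTML body would fetch on open. This is an added example, not part of the original post or its comments; the sample message, its hosts and the names `remote_loads` and `RemoteLoadFinder` are constructed for illustration.

```python
# Added example: list remote resources an HTML email would load when rendered.
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hosts and the token in the URL are made up.
SAMPLE = """\
From: newsletter@example.com
To: reader@example.org
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="cid:logo@example.com" alt="logo">
<img src="https://track.example.net/o.gif?u=abc123" width="1" height="1">
<link rel="stylesheet" href="http://cdn.example.net/mail.css">
<a href="https://example.com/article">Read more</a>
</body></html>
"""

# Tag/attribute pairs a mail client may fetch without any click.
AUTO_LOAD = {("img", "src"), ("link", "href"), ("iframe", "src"),
             ("script", "src"), ("body", "background")}

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name, value in attrs:
            # Only http(s) URLs leave the machine; cid: parts are embedded.
            if (tag, name) in AUTO_LOAD and value and \
                    urlsplit(value).scheme in ("http", "https"):
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.hits.append({"tag": tag, "url": value,
                                  "pixel": tag == "img" and tiny})

def remote_loads(raw_message):
    """Return every auto-loaded remote URL found in the text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteLoadFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits
```

Each hit is a request the sender's server would see, with your IP address and the time, if the mail client loads remote content; a client set to block remote images makes none of them.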
