Pretty Good Privacy, Pretty Crap Interoperabillity

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Email sucks.

Once there was a time when the personal computer did not exist. A time when there were only mainframes and terminals to access them. Some bright spark eventually decided it would be a neat idea to connect them together. After a bit of this another luminous individual thought hey, wouldn’t it be cool if we could send funny little messages between them. Thus email was born, and therein lies the problems with it. The creators of the simple mail transfer protocol had no idea the extent to which the whole of society would eventualy come to depend on their technology.

Email, like so much of the framework of the internet, is a forty year old hand me down, patched and mended so many times there isn’t a shred of original cloth left. It is a garment that no longer fits – we have outgrown it.

A few April Fool’s Days ago I wanted to play a joke on my friend Ben, so I sent him an email. In it I mentioned that I was being investigated as a suspect for creating the NetSky computer virus, that I was currently under government surveilance and would soon be arrested. I sent him this email, but not using my own address – to ben the sender appeared to be from AusCERT, the Australian Computer Emergency Response Team. Convinced that the law would soon be beating down my door ben gave me call and began to read the email back to me in hushed tones… as soon as I heard the word “AusCERT” I pretended to panic, told him I had to go, and hung up the phone. After letting him sweat for five minutes I called him back and let him off the hook.

Sending email is about as insecure as it gets. Spend five minutes on google and you too can play practical jokes on your friends. Have them each confess their secret and undying love for each other then sit back and enjoy the show. Why not invite all their friends to an orgy while you are at it?

Fear not for your inbox – although spoofing a from-address is easy, actually breaking into someone else’s inbox and reading their mail is more difficult. If Ben had chosen to reply to my fake email, the message would have gone to the real AusCERT. That’s not to say that vulnerabilites don’t exist. Everytime you send an email to someone that email is stored on your computer, the computer of the person you are sending it to, at your ISP, their ISP and every single step in between. it is stored in plain text that anyone can read so long as they have access.

The solutions to these problems already exist. I have set up my Thunderbird email client to digitally sign every message I send, using the GNU Privacy Guard. That way the recipient can verify that I was really the one who sent the message. I can also choose to encrypt the entire message so that only the recipient can read it. That way even if the message is intercepted by a third party it will just look like gobble-de-gook to them.

The Chinese government wouldn’t be too happy about that. Any form of personal encryption is illegal there – the government likes to know what you are up to. But that’s a story for another day. If you are interested in the political motivations behind cryptography go and learn all about cypherpunks and crypto-anarchism from the equally cool sounding cyphernomicon.

Of course the problem with securing my email system is that you need to set up your email system in the same way. Otherwise you won’t be able to verify that the messages really come from me, and I won’t be able to send you encrypted messages at all.

Setting up such a system is complicated and beyond the ability (or patience) of most people, so naturally it has not gained much popularity. If it had there would be a lot less spam in your inbox right now. The problem is that all this security should not be the user’s responsibility – it should all be happening behind the scenes, automatically. It should work similarly to the way internet banking uses cryptography, where the end user only needs to keep an eye out for a little padlock icon in the bottom right hand corner of their browser. This kind of integration cannot happen in the current hand-me-down email system. The time has come to discard the old, and bring in a new standard. Email, IPv4, the x86 instruction set, I’m fucking sick to death of backwards compatibility. Nothing makes an IT worker cringe more than the word “legacy”.

In the meantime I have little choice but to keep sending those digitally signed emails just in case someone, somewhere is actually verifying them.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32) - WinPT 1.0.0

iD8DBQFFD9tmoYlj6HJS2ckRApUXAJ4xvJG1Oz0/6AN79Htm4RhH9puPNACbBt00
3gwnU+duNUttGESJbH20GlE=
=kQaa
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (MingW32) - WinPT 1.0.0

mQGiBEUN9MQRBACgYiZ381Mf08O+p1RNt4LzlR+gHtW6ZekETZdhB3VX1iaEKsnQ
eZ3w6YojyRLSLL/UZe91ZL9ibFdhrAzM7DVYZFOSBozziNrWV7Hds+WaKbRfaOpJ
vsUd7HrdFTZSsaXLanVdOp2tqfuoMWg5kNiIy5rNx/a3wmVkpB8lCZeymwCgjVcA
bo5Eurmc4NfxZk0SRtnuIGMD/2bUo+vWW7/GevXXjOTD7/XOwLJqJAfj9UGr1kco
UGvGqJhYL3SPex5GzxUHZRtBoZO/EWtMFWIFPXi4pnlEIGcn4zOeT4bXKxM0VYOn
q2AMnlJ4gkO8p2hDdDOFayx//5udgVeAjS3v/72RZuKAYPzQV/CJ/UAu6eBbF0+1
tvedA/4pZpsBKAeNivpsmf77fWKZX8dGlNujViYUnoG5uL1w5cHI+Pr51R/VFaZl
UwSLu3VfAFhKuejACf0bZXh9cAeVYQXQPu6JhCbfnEIE2hHd7WMwYofe+y5LC8Jb
iRk+yEEjcGp6TaGcRcvDKvyAekY6P6Lapm45a+w18hSwjvJBN7QpRGFuaWVsIEtp
bnNtYW4gPGRhbmllbC5raW5zbWFuQHN5Yml6LmNvbT6IYAQTEQIAIAUCRQ30xAIb
IwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEKGJY+hyUtnJycwAn0CerknspBXY
MNXoBeAaZ6MQQ1DEAJ9D3Q1XIbg7ZIreQVIpJve31F4UmLQoRGFuaWVsIEtpbnNt
YW4gPGRhbmllbGtpbnNtYW5AZ21haWwuY29tPohgBBMRAgAgBQJFDfdsAhsjBgsJ
CAcDAgQVAggDBBYCAwECHgECF4AACgkQoYlj6HJS2cn6gwCeNIP8sLk+wi66wOcx
/hOYJKvggvUAnAkvwtoBuHJ1GJvXk6/4zL/sKjQBuQENBEUN9MUQBACEYDon7XBj
AS1WaFuaip3EDpcIzeNHZE/6ep1biWFIoq2AYItk8zw5K4ZvOBH1WcJWvNEk8xVt
VhXfNF3mg9w69yU9rsqslLjgOIlxQxrcQaIa1upuPnUtnW7I2lu1L5DevWr23zi8
fuzAUk812D0k2B2WI4Q3wLRuJVhZ0kdCLwADBQP/b0pxuF0zvNuHsSFq35vREaSk
jTZtO4oT1tSM813eT7+5Lpyr5hkZhD/xByDKJ2wTZzhCQC4NL28v+ut3eZNBgmC2
EN1I3wum09vnNf04yv0dh4NM5ElWpgJsNOA3qo4n8DnbmGEDU5fBJVd41weUPm0j
ESjBcK/1YeFS5Nrovn+ISQQYEQIACQUCRQ30xQIbDAAKCRChiWPoclLZyZMnAJ90
xW6VeorLUO7Zt6yOel+s4Q7EUgCeMLtYd7WgBwBXJ11BorrxXExox80=
=WGc/
-----END PGP PUBLIC KEY BLOCK-----
Advertisements

2 thoughts on “Pretty Good Privacy, Pretty Crap Interoperabillity

  1. Nice work, my friend. I can’t help but think of the analogy between crytohiding your emails and being able to speak a foreign language: on the whole, most people email each other about fairly boring stuff, nothing that would set AusCERT’s goons hurtling through your window on bungy cords, laying waste to your new LCD screen and googlies. That’s why no one cares greatly about hiding what they communicate with each other about. Sure, eighteen IT heroes between me and Dad can read the email I send him, but they’re looking for hard evidence of criminal activity, rather than tips on Beijing nightlife (I could be wrong on that one though).
    The people we don’t want hacking and cracking our email are usually people who, like you said, either can’t or won’t bother.
    However, if what you say is true about cutting back on spam, then start the revolution.

  2. Yeah, most people don’t need their email to be private, they just aren’t interesting enough. Of course businesses and organazitions are the ones who do (or should) care about this stuff – occasionally on the news you’ll hear about leaked emails causing some scandal or other, say between politicians. If they were using cryptography it wouldn’t be a problem.

    The main benefits to using cryptography on a personal scale are behind the scenes stuff that only people like myself are interested in. If all email was digitally signed it would significantly reduce the spread of spam, 419 scams, and email worms.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s