Security, backdoors and control.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control. Apple letter to customers

Encryption is a way to keep private information private in the digital world. But there are government actors, particularly here in the US, that want access to our private data.
The NSA has been snooping on our data for years. Backdoors have been snuck into router encryption code to make it easier to break.
Today at M3AAWG we had a keynote from Kim Zetter, talking about Stuxnet and how it spread well outside the control of the people who created it.
I commend Tim Cook for his stand against the US Government and his insistence on protecting the data of all iPhone users. The feds are strongly arguing the encryption breaking code would only be used for This One Phone. But can we really trust them with our data or believe they wouldn’t use this in another situation? Or as a way to access data that they can’t currently access through the NSA surveillance program?
It’s a little strange for me to be stating this. It feels weird. I grew up in a suburb about 10 miles outside of DC. My father worked as a civil servant for the DoD. My friends’ dads were diplomats, Senate-confirmed federal appointees and Secret Service agents. A CIA agent lived across the street and I regularly swam in their pool. Generals were regular visitors to our house. My first job out of high school was in a federal regulatory agency. Government wasn’t bad. It was, on the whole, a force for good. Even some of the dumb-seeming things ($1000 hammers) weren’t fails, they were reasonable if you understood the context.
Government wasn’t the enemy and generally had a good reason for the things they did.
Now I’m not as sure as I was then. The government has done some things I don’t really understand. And even when I try and put them in the context of the environment I grew up in, I still don’t think it’s a good thing. Pervasive monitoring is bad and I don’t think our digital property should be any less secure than our physical property.
I understand and can even sympathize with why the FBI is asking for what they want. But I also support Tim Cook and his efforts to protect all iPhone users. Maybe the FBI would only use the code for this phone. But what about other governments? What about other players in the space? If Apple provides this for the US government, what’s to prevent other governments from getting their hands on it? If the RSA can be hacked and have their root keys stolen then we’re all vulnerable. Apple had one of the iPhone 4 prototypes stolen out of a bar.
If you leave a backdoor unlocked anyone can use it. Putting backdoors in code, sharing keys and creating software to allow one person to compromise security only makes all of us less secure. Stuxnet tells us that malicious software spreads further than we expect and once it exists it can easily escape any control.

Related Posts

January 2016: The Month in Email

Happy 2016! We started off the year with a few different “predictions” posts. As always, I don’t expect to be right about everything, but it’s a useful exercise for us to look forward and think about where things are headed.
I joined nine other email experts for a Sparkpost webinar on 2016 predictions, which was a lot of fun (see my wrap up post here), and then I wrote a long post about security and authentication, which I think will be THE major topic in email this year both in policy and in practice (see my post about an exploit involving Trend Micro and another about hijacked Verizon addresses). Expect to hear more about this as 2016 continues.
My other exciting January project was the launch of my “Ask Laura” column, which I hope will prove a great resource for people with questions about email. Please let me know if you have any questions you’d like to see me answer for your company or your clients — I’ll obscure any identifying information and generalize the answers to be most widely applicable for our readers.
In other industry news, it’s worth noting that Germany has ruled it illegal to harvest users’ address books (as Facebook and other services do). Why does that make sense? Because we’re seeing more and more phishing and scams that rely on social engineering.
In best practices, I wrote about triggered and transactional emails, how they differ, and what to consider when implementing them as part of your email program. Steve describes an easy-to-implement best practice that marketers often ignore: craft your mails so the most important information is shown as text.
I re-published an older post about SMTP rules that has a configuration checklist you might find useful as you troubleshoot any issues. And a newer issue you might be seeing is port 25 blocking, which is important if you are hosting your own email senders or using SMTP to send to your ESP.
Finally, I put together some thoughts about reporting abuse. We work closely with high-volume abuse desks who use our Abacus software, and we know that it’s often not worth the time for an individual to report an incident – but I still think it’s worthwhile to have the infrastructure in place, and I wrote about why that is.

Thoughts on Data Hygiene

One of the big deliverability vs. marketing arguments has to do with data hygiene and dropping inactive users. Marketers hate that deliverability people tell them to let subscribers go after a long time of no activity from the subscriber.
Data hygiene is good. Email is not permanent and not forever, and the requirements for data hygiene in the email space are very different than the requirements in the postal mail space. There is no such thing as “dear occupant” in email. I mean, you can send to occupant, but the occupant can then hit the “this is spam” button. Too many emails to “occupant” and mail goes to bulk instead of the inbox. These are real risks.
With that being said, there are a lot of things to consider when putting together a data hygiene program. You’re looking to remove people who are no longer interested in your brand as much as they are no longer interested in your mail. You’re trying to suss out who might have abandoned the email address you have for them. It’s complicated.
I’ve worked with a lot of clients over the years to implement data hygiene programs. Sometimes those programs were to deal with a bulk foldering issue. Other times clients have been trying to address an SBL listing. Still other clients were just looking for better control over their email and delivery. In all cases, my goal is to identify and classify their recipients into 3 groups: addresses we know are good, addresses we know are bad, and then addresses we don’t know about.
Good addresses get mailed. Bad addresses get dumped. The challenging bit is what do we do with the unknown addresses? That’s when we start looking at other data the client may have. Purchases? Website visits? What do we have to work with and what else do we know about the people behind the addresses? Once we’ve looked at the data we design a program to take the addresses we don’t know about and drop them into either the good or the bad bucket. How we do that really depends on the specifics of the company, their program and their data. But we’ve had good success overall.
There’s been a lot of discussion on hygiene this week, after Mailchimp published a blog post looking at the value of inactive subscribers. They found something that I don’t find very surprising, based on my observations across hundreds of clients over the years.

Is your data secure?

Not just secure from outside forces, but also secure from employees?
In a recent survey published by Help Net Security, approximately half of all employees said they would take data, including customer data, when leaving a job.
This has major implications for ESPs, where employees have access to customer data and mailing lists. There are at least 2 cases that I am aware of where employees have walked out of a company with customer mailing lists, and I’m sure there are other incidents.
ESPs should take action to prevent employees from stealing customer data.