Memo to the Clinton Campaign: How We Use E-mail Determines the Risk
I had finished writing this piece when the latest blow-up over the Clinton e-mails grabbed the headlines. I’ll speak on that later because what I wrote below pertains to them as much as to you. Needless to say, whether you are Sarah Palin or Hillary Clinton, how you handle e-mail has significant repercussions.
The Curse of Spam
There was a time when e-mail was king, so much so that Time-Warner paid billions for AOL, a large dial-in portal. It was AOL, combined with the likes of Tom Hanks and a blockbuster film You’ve Got Mail, that symbolized that small moment in history when anybody could have their own e-mail address, and it usually ended with @aol.com. The social trends of that time showed people of all ages infatuated with exchanging messages, much as folks do today with Twitter and Facebook.
I come from a time prior to that phase, when “being connected” was simply having this thing next to your computer called a modem that enabled you to send messages through what was called a “bulletin board service.” The BBS often included chat rooms where like-minded people could exchange messages that were reasonably spontaneous. It was technology like this that spiced up films like Tron and War Games.
There was a time when e-mail was falling under it’s own weight as common folks saw their accounts swarmed by unwanted messages, some of which infected their computers, even to the point of duping some of their money. It was given a curious label: spam.
When Facebook arrived on the scene, folks were given the possibility that connecting with friends provided a safer way to exchange messages. As a technology, Facebook has been very successful in providing that environment. Socially, however, people discovered that opinions and photos passed amongst friends would eventually be observed by not-so-friendly faceless observers.
Twitter, while currently popular, is Facebook on steroids. Here, people exchange short messages and photo snippets. What emerges from this is a generation of younger people who are now beginning to realize that “adulthood” is when you discover that you want your own life. Shut off Twitter, ease up on Facebook. Read a good book, the kind with paper.
E-mail has matured. For commerce and government, it serves as a valuable way to communicate with customers and citizens. Yet this medium of communication is still filled with risk. For average people, it is very frustrating. I have personally seen how the trust-issue in e-mail has made communication through e-mail very unreliable for non-profit groups. Let’s just say it is far less reliable than the US Post Office.
While teaching security at UAS* I designed an experiment to evaluate where spam came from. I set up a “honeypot” mail server. It was here that I began to experiment with e-mail servers, accounts, and e-mail forensics. The first thing I learned was that it was only a matter of one day before my server was being probed for open relays (using the server as a conduit for spam). The fun part was tracking back the requests. I often wondered why a software company in Calcutta was so interested in my server. Another attempt was traced back to a law firm in the southern part of Memphis, Tennessee. Their e-mail server had apparently been hijacked by spammers.
Yet what really got my interest was how our behavior affects our exposure to spam. It was then that I started using e-mail accounts for specific aspects of activity on the Internet to measure how the usage of an e-mail address generates spam. It was intriguing to see how my “internet behavior” affected my security. In conclusion, how we use our e-mail accounts determines the degree of exposure to spam. From this experience, I began to change the way I use e-mail.
The Solution: Multiple E-mail Accounts
There is nothing sacred about having just one e-mail address. Yet I often get this quizzical look from people when I give them an e-mail address. It is clear that many people cannot understand why I use multiple e-mail accounts. For less than $15 a month you can actually register your own domain (like for your family), obtain your own website and get with it up to 600 e-mail accounts. ( See ionos.com ) Otherwise, you can set up multiple accounts with Gmail, Hotmail, Yahoo and your local internet provider.
- First, the most important e-mail activity you conduct is with businesses. Not just any business. The big boys, like the bank or your stock trading provider. Use this account rarely and wisely.
- Second, in answer to the question, “So why do you use the same e-mail for your bank as you do when you visit some strange website to send a greeting card to your daughter?” Much of our activity on the Internet is high-risk. Many of these sites ask for your e-mail account as the account name or as a way to confirm changes to your account or as a way to advertise. I use an e-mail account reserved for what I view as the high-risk activity. This account is used whenever I visit a website and wish to register but remain uncertain it is safe. In my experience, this account will be hit hard. I often cycle through a new account every two years because the volume of spam gets annoying.
- I reserve an e-mail account for friends and family. This does not guarantee reduced risk, but it makes it easier to identify messages from those closest to you. Spam really sticks out like a sore thumb for this type of account.
- I have also used a unique e-mail account for organizations, such as the local Rotary Club or my church. With the advent of mail services like Constant Contact, more and more organizations are able to deliver mail that is safe. Yet the greatest vulnerabilities are from organized groups that are small enough to use their personal e-mail accounts with a couple of dozen other folks added. Each Reply-to increases the odds that at least one of those accounts will be compromised, at which time all the other addresses will be targeted. Once again, spam looks strangely out of place.
- Another idea to explore is dedicated e-mail addresses. These addresses can service special-purpose sites like E-Bay, Facebook or Craig’s List. Notice how these sites represent a fundamental shift in how you use the Internet, which exposes you to more unknowns.
After almost ten years, I have had to change only one e-mail address. That was the one associated with the highest risk traffic. The other accounts have been providing safe, reliable messages for several years.
As noted above, registering your own domain is probably the easiest way to rationalize your e-mail addresses. Services like ionos.com provide low-cost services for setting up your own web page and e-mail service. If your name is Jane Smith, you will probably be the 4,368th Jane Smith on Gmail. But if you register a domain like JaneSmith.name, all your addresses will have the same ending. You may create an e-mail for web surfing like AlaskaGirl@JaneSmith.name. For the bankers and stock brokers, you probably want to keep it simple, like MrsSmith@JaneSmith.name. And one more important thing – high security e-mail usage should require the most complex, unique password.
The important objective is controlling your e-mail. Having official or personally significant messages buried in spam traffic risks financial confusion or loss, as well as missing that important note from your best friend.
What About Google?
I think everyone on the planet will have a Gmail account some day. What is attractive about Gmail is that it is only one part of “the Google cloud” experience. Once you start poking around you will discover the G-Drive, a calendar, a chat service, etc. etc. If you have the propensity to use Google services, then be careful. Once a Gmail account is spammed, it can make all those other services difficult to enjoy. For that reason, I still consider the Google cloud an experiment. One rule of thumb I follow is whether the use of a cloud service will enhance the intuitive interaction of applications I frequently use. I enjoy watching You-Tube channels. My Google account makes it easy to move from my desktop to my tablet or smartphone. That same intuitive experience, however, can make it just that easy to compromise all those services.
So how do I protect myself using Google services? Simple. Use it for entertainment. Use cloud services in much the same way as you diversify e-mail. Diversify where you put your photos and documents. Nothing about my finances or taxes is kept on the Google Drive. Yet I love it for the not-so-serious things. It’s great for moving documents and photos between devices and people. Travel is another great use of cloud services like Google. But I do not use my Gmail account for banking nor do I use it for high-risk Internet activity. The Gmail account is important enough to me that I do not wish to see it spammed to death, but because of its versatility it is too risky for financial services.
And what about the Clinton e-mails?
The bombshell is how John Podesta’s e-mail was hacked. Their troubles are the result of being unbelievably naive and amateurish on the use of e-mail. Clinton’s use of a private server was probably discovered long before the FBI knew about it. The black hat community is quite observant of activity on the Internet, especially when the search string is “clinton.” It is also apparent that they had the bad habit of using the same address to exchange campaign strategy and ordering out Chinese. Finally, it is interesting to note that Podesta got tricked through his use of the Google cloud service.
The other lesson we learn from the Clinton affair is that every person you send messages to provides one more portal into your world. It is virtually impossible to conceal yourself or the messages you send to others. It has been my experience that I often discover the oddest things while doing ordinary tasks. I can only imagine that any officer of the law can attest that intelligence in the cybersphere expands three dimensionally. While investigating one matter they discover information affecting a different case. This is what happened with Clinton when emails were discovered while investigating Anthony Weiner. The private server was revealed through a Freedom of Information request regarding the Benghazi affair.
In Conclusion
E-mail is safe to use if used wisely. If you can’t master more than one e-mail account, can not differentiate messages from the quilting club from a notice from your bank from a Nigerian who needs money for his grandmother, then you will be in serious trouble. But I believe most everyone reading this essay can have more than one e-mail address and use all of them judiciously. Diversify your use of the cloud as well. Don’t put all your eggs in one basket.
Happy e-mailing everyone.
* UAS — University of Alaska Southeast
© Copyright 2016 to Eric Niewoehner.