Monday, April 13, 2009

Email 101

One of Derek Draper's defences in the smear email affair is that his email was 'hacked', implying that there was some great act of cyber-espionage involved and somehow this diminished the despicable nature of the messages. This is almost certainly not the case and shows either a complete misunderstanding on how email actually works or is yet more spin.

For those that don't know, email is an inherently insecure medium. Normal email is readable on the source computer, readable on any intervening email server and is readable on the target computer. If all three are within the same secure network then the potential readership is limited, but it the email crosses the internet, and most email between different domains, e.g. a to an, does, then it can be read just about everywhere. Encryption can prevent an email being read in transit, that is from an intervening email server, but of course email is always in plain text when it arrives. The key differential between email and, say, a phone call, is its persistence. Emails survive in inboxes, in folders, they can be further forwarded or copied. There have been plenty of instances of emails sent to a few people being forwarded and copied to a much wider readership than originally intended. In this case the emails were initially sent to a number of people, any of whom could have passed them on to anyone else. Given the content of the emails all that is required is for one recipient to be a reasonably normal human being and you have a whistle-blower. As for hacking, well, that would depend on the security surrounding each of the target computers and email accounts, numerous in this case. This again illustrates the insecurity of email. When you send confidential information you are dependent on the recipient's technology, processes and sense in order for it to be kept secret. Organisations that take communications confidentiality seriously spend a great deal on both technology and staff training. Is that true of all of the places the emails ended up? Even so, the word 'hacking' overstates what might have been a computer left unattended and running Outlook in a shared office.

My advice is simple. Don't send sensitive email unless it is encrypted and to someone you trust absolutely. If something is really sensitve use the phone, or look them in the eye.

No comments: