this-is-fine.eml

This is a legitimate email from a Legitimate Financial Institution that I was expecting, but I don’t know what I could change about it to make it look more like a phishing scam.

We’ve spent the last 20 years teaching people not to open email attachments, but I guess Raytheon’s cybersecurity company didn’t hear about that?

I did open the attachment in an isolated browser after reading the source. Inside was a button that takes you to their secure messaging site’s onboarding flow. There’s 90K of data POSTed in hidden fields, so I suspect the constraints that led to this were:

  • Our security platform generates 90K of data to authenticate that the source of this request is legitimate.
  • That’s too much to add as query string parameters on a GET request, but it works for a POST.
  • Support for forms in email clients is poor, so we need to put the form into an HTML attachment.

Each step solves the previous problem, but at no point did anyone with the power to fix things step in and stop it. They didn’t say “90K is too much, find another way to authenticate the source of the request, preferably less than 2K.” If I had to guess, the people who had the information about how bad the implementation is were completely removed from the people setting the requirements.

All of that exists, too! If you follow the mobile instructions and forward the email to that unknown email address, it generates a very reasonably sized link that takes you to an HTML page hosted by them, where you can POST 90K of hidden data and read your secure message.
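As an added example that is not part of the original post, here is a small triage script for exactly the pattern described above: it walks an .eml, finds HTML attachments, and flags any form that POSTs more hidden data than the 2K ceiling the post suggests. The message, domains and `FormScanner`/`scan_eml` names are all constructed for the example.

```python
# Added example (not from the original post): flag HTML attachments whose
# forms carry large hidden payloads. The sample message below is constructed.
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a 4 KB hidden blob stands in for the post's 90K.
BLOB = "A" * 4096
SAMPLE_EML = f"""From: notice@example-bank.invalid
To: me@example.invalid
Subject: Secure message waiting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attachment to read your secure message.
--b1
Content-Type: text/html; name="SecureMessage.html"
Content-Disposition: attachment; filename="SecureMessage.html"

<html><body><form method="POST" action="https://portal.example-bank.invalid/onboard">
<input type="hidden" name="token" value="{BLOB}">
<input type="submit" value="Read message"></form></body></html>
--b1--
"""

class FormScanner(HTMLParser):
    """Collect each form's method, action and total bytes in its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "GET").upper(),
                         "action": a.get("action") or "", "hidden_bytes": 0}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "hidden":
            self._cur["hidden_bytes"] += len((a.get("value") or "").encode())

def scan_eml(raw, threshold=2048):
    """Return (filename, form) pairs for HTML attachments whose forms carry
    more than `threshold` bytes of hidden data (default: the post's 2K figure)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        findings += [(part.get_filename(), f) for f in scanner.forms
                     if f["hidden_bytes"] > threshold]
    return findings
```

Run `scan_eml(open("this-is-fine.eml").read())` against a real message; anything it returns is worth a look before the attachment is opened at all.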

Despite how awful this system is, I’m still glad that Legitimate Financial Institution is using some secure messaging service to collect my loan documents (I’m getting a loan to buy solar panels) and not asking for them to be faxed or emailed plain text.

Secure Email Meme

Oh boy, a chain blog entry! Dave Walker called me out to talk about securing email; who am I to refuse?

You should secure your email. Am I done?

OK, so that’s not the best supported argument. If everyone secured their email there would be virtually no spam, but any system that doesn’t show benefits at even 10% participation is more or less doomed. However, the benefit of securing email kicks in much earlier when dealing with phishers.

One thing I worry about is whether my relatives are able to tell spoofed emails from real ones, and whether they would provide personal information to any site emailed to them. If large companies start taking security seriously, if they start signing their emails and educating their users to look for their signature, we’ll start to see a dent in phishing. If Amazon, eBay, PayPal and various banks start, they’ll influence the smaller companies to start doing it.

To help influence the influencers, you can (and should!) start signing your emails today. There are two ways to get started, and they aren’t exclusive. Many people use both signatures in their emails. Either one will take about 15 minutes, much less than getting your first email account set up probably took.

The first is to get a free S/MIME certificate from a company like thawte. I did this a while ago but I lost my certificate and had to try to retrieve my password. It was a frustrating process; I assume registering in the first place was as well, since I used “Which company is pissing you off right now?” for my 5th security question. However, I still recommend this method as the easier one, and tech support was very helpful.

There’s an amazing guide for OS X Mail, as well as instructions for Thunderbird on Windows, and these signatures work for virtually all email clients. As soon as you get your certificate installed, your emails will start showing up as secure. How cool will that make you look, when your clients see your email in their inbox highlighted as secure?

Answer: moderately to not at all cool, but they’ll still be impressed with the geek mystique.


Give to CitizenSpeak (and me!)

CitizenSpeak is a site that allows people to create email campaigns targeted at change, like the ultra-successful EFF campaign to stop the Broadcast Flag (that the EFF runs, not CitizenSpeak). It’s a tool that anyone can use, and activists at any level can use it to focus their community’s voice. And it’s free.

If you went to the CitizenSpeak site you might notice it sucks a little. There are frames and popups and non-obvious permalinks. I say that because I’m actually working on changing that.

I’m rebuilding the CitizenSpeak site with the main functionality going into a CivicSpace module, which we’ll be releasing under an open source license. That means that sites running CivicSpace (and Drupal) will be able to host their own campaigns, customized to the needs of the site. And yeah, the CitizenSpeak/CivicSpace thing does get confusing sometimes.

But here’s the thing: I need to make (some) money on this. You see, I’m a contractor now and need to occasionally feed and clothe myself. CitizenSpeak is looking for people who want the module to help them fund me. You can make a tax deductible donation to help pay for the development work. You can also see the development plans at the CitizenSpeak development wiki, and when I’m ready for input from people I’ll post the link to my development there too.