Passwords – the Gremlins of Cyberspace



Meet Juanita Smith

On November 18th, John Smith was suddenly hit by a bus while texting to a friend about the merits of eating tuna. He left behind his wife and two children. Aside from the shock of losing a loved one, life did not stop. The wife, named Juanita, looked at a stack of bills that her husband always paid on-line. She had never accessed the bank account and she had no idea of the password. She was a co-signer of the account, she had a few checks still in the check book, but soon ran out. She solved that problem when a friend reminded her that she could call the bank for assistance.

What she did not know was that John had also paid several bills using e-mail or simply tracking his bills on-line. She was not aware that student loan payments were not paid. She missed the first notification that the cell phone bill was ready, and failed to receive notice that two credit card statements were ready for viewing. With all the trauma of sudden death and loss, she would not realize that something was amiss until two months later when her credit card was rejected at the grocery store.

Suddenly thrown into her lap was the full responsibility of managing the finances of the family. Sarah, their youngest, cut her knee requiring stitches. Juanita had no access to the health insurance account, no idea of how things were covered because, alas in this paperless economy, there was nothing in the files. Even though John had been diligent in keeping a will up to date, she had no quick way to obtain even the basic information. Fortunately they shared a password to the Wii, Amazon Prime and the router.

The situation just described happens every day. It illustrates how important it is that passwords are managed well. It not only affects your security and the confidentiality of the information you wish to protect, it also has implications for those you love.

Passwords – the word people love to hate.

Passwords. They may be too weak, whatever that means. They may be too many, each having to conform to a password standard of a particular web site. They are forgotten, confused and yet hacked by somebody out there. What is it with passwords? Can we master these little devils?

As a security geek and an economist (a behavioral science), I am intrigued about how people respond to passwords. You would think that the older people would be tripped up by passwords, but password klutzes come in all ages. And it knows no IQ standard. I have seen the smartest people do the dumbest things with passwords (like doctors or some political advisors that I will not name). Passwords are the vital signs of security, how they are handled is indicative of the security culture that surrounds a person. Yes – it is cultural. Security is not all technology. It is us. It was John Smith. It is Juanita Smith.

I recall the early days of the PC. Passwords were almost an afterthought, rarely encountered. But as the personal computer evolved into the business workstation, the password problem began to emerge. It really wasn’t all that complicated. All a person had to remember was 1) their login password to the network and 2) another password for an application they may have been using. Two passwords. Yet even at that level, I had to deal with many users who complained about two passwords, and some who rebelled by simply writing them down on their deskpad!

Then came the Internet – and the rest is history.

Today, I maintain a listing of passwords that cover 13 pages, double-columned! Passwords range from the bank to ESPN. They have been accumulated over seventeen years of Internet activity. For the person who tells me “I use the same password for everything,” I say “Impossible!” I know of people who have tried to accomplish that goal and soon learned that everyone had a different set of rules regarding the login ID and the passwords.

This article will focus on how you can manage passwords. It is like caging gremlins. You will find a lot of workable suggestions below, but you will also have your own personal demons to engage, what transforms you from the sweet person you are to a cursing, talk-to-yourself ogre. Whatever you are, the goal of this article is to avoid what happened to Juanita.

Login IDs

First, it is appropriate to address the problem of login IDs. It is one reason why the list of passwords and IDs grows. Some sites want your e-mail address. Others want you to use an ID, preferably your name. And there are sites where you would prefer to use an alias. All I can say is use common sense. With the advent of the cloud, your e-mail account is used more often for various services like Yelp or Uber. But your bank, the IRS, and stock trading site will usually require an ID that resembles your name. After the list grows to a certain size, however, rarely visited sites are tough to recall and you forget your login ID and/or password.

Passwords – Why Make it Complicated?

As a security specialist I can relate to the tendency of human beings to use passwords that are easy to remember, such as your grandmother’s first name or the name of your first son. Guess what. Hackers know this and have had some surprising success accessing even the most sophisticated systems, simply because they looked up a guy’s grandmother’s name! Such amateurism was soon dispelled by large enterprises, constructing what is called the “complex password.” They set up rules that would force users to create passwords of a certain length, with capital and small case letters, some numbers and symbols.

Why is that? One technique that hackers use is called a brute-force attack. There are programs out there that can guess your password, often engaging a form of brute-force referred to as a “dictionary attack.” In other words, if your password is a word, it is relatively easy to break. But when you add random small case/large case letters and mix in numbers and symbols, the time required to guess the password lengthens considerably. Sites that enforce complexity are usually those that pertain to your finances. But it is a good rule to follow in any situation. If you have four-letter passwords, even for presumably unimportant sites, you are highly vulnerable. Some of the most interesting hacks I have observed commence with somebody breaking into a presumably unimportant site that you visit. From that intrusion they can begin to construct a profile, which only improves their ability to predict your behavior at other sites.

Another thing I need to point out is that the brute-force attacks you see on shows like NCIS are pure fiction, much to the tragic realization of “script-kiddies” who try to break into a city government network to control stop lights. Networks not only regulate the length and complexity of your password, they can also establish how many attempts you have to enter the correct password. Most high-security sites give you three attempts before you are locked out. Another thing to note is that most high-security sites have intruder detection systems that flag unusual behavior, like repeated attempts to access a particular account.

In conclusion, get in the habit of using passwords of about 12 characters in length. Mix up small case and large case letters, add numbers and symbols.
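The rule above (about 12 characters, mixed case, numbers and symbols, and not a dictionary word) written as a check, together with the size of the search a blind brute-force guess would face. This is an added example, not code from the original article; the word list and sample passwords are constructed, and the function names are hypothetical.

```python
import math
import string

# Constructed stand-in for an attacker's wordlist (real ones hold millions of entries).
SAMPLE_WORDLIST = {"password", "grandma", "juanita", "tuna", "letmein"}

CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
}


def alphabet_size(password):
    """Characters an attacker must try per position, given the classes in use."""
    return sum(len(pool) for pool in CLASSES.values()
               if any(c in pool for c in password))


def search_space_bits(password):
    """log2 of the number of candidates in a blind brute-force search."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, min_length=12):
    """Return a list of problems; an empty list means the rule is met."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, pool in CLASSES.items():
        if not any(c in pool for c in password):
            problems.append(f"no {name}")
    # A word with digits or symbols tacked on the ends is still a dictionary hit,
    # so the raw search-space figure overstates its strength.
    core = password.lower().strip(string.digits + string.punctuation)
    if core in SAMPLE_WORDLIST:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("tuna", "Grandma1!", "tR7#vq!Lm2@x"):  # constructed samples
        print(f"{candidate!r}: {search_space_bits(candidate):.0f} bits,",
              check_password(candidate) or "meets the rule")
```

The middle sample shows why the dictionary test matters: it uses all four character classes, yet a word list finds it long before a blind search would.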

Dividing Passwords into Groups

The protests would be loud and frequent if I required my family to enter a highly complex password whenever they wanted access to the home router, Wii or family e-mail accounts. To avoid that problem, reserve the most difficult passwords for your financial sites. Recognize that family members (and some guests) will appreciate passwords that are relatively easy to remember. I call this grouping.

Easy passwords are what you encounter at the local coffee shop. They are simple enough for the barista behind the counter to share and for the customer to apply. On the opposite end of the spectrum are passwords that are not easily remembered because of their complexity. In the middle are lower risk sites that may or may not warrant highly complex passwords. The important thing is to have passwords that are different based on risk. If you are using the same password to access your router as you do the bank, you are highly vulnerable. One exploit of that password, and your goose is cooked. Imagine sharing with your twelve year old son the router password so he can tell his friend, and using that same password to access your bank.

How Often Do I Change Passwords?

Another cause of complexity is that everyone has a different set of rules regulating how often you need to change your password. As a consumer I rarely encounter a request to change my password. But most intranet operations (i.e. business enterprises) have expiration dates on passwords. Another cause of forced password changes may be when a company or government agency is compromised and there is concern that hackers have obtained your login ID and password. When that happens, they send you notification that your account may be at risk and the best way to resolve that problem is changing your password.

Most security experts recommend changes every 30 or 60 days. The average human being will find that advice insane. They will keep using the same passwords to get into their e-mail or sports network account until the day they die. How can we improve on this?

First, make it a point to change passwords of critical accounts at least annually.

Second, change your password whenever you receive a notification that your account may have been compromised.

Third, get in the habit of changing passwords to ALL accounts on a regular basis, at least annually.

One suggestion is to keep a spreadsheet that lists the account description, the login ID, the password, the frequency of a password change, and last date of a change. You can create a formula that will calculate the next scheduled date for a password change. You can then sort the list of passwords by change date. Once a month you can go over the list and change passwords that are scheduled for a change.

Fourth, keep your eyes open regarding login failures after you change the password. If you change your password and shortly after receive an alert from that web site, you may have had your account compromised before you made the change. If that occurs you may need to contact the site and report the incident. If it is financially related, you may want to look over your financial records to assure that no damage was done.
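The tracking sheet and monthly review described above, as a small script; it also moves an account to "change now" when a compromise notification arrives. This is an added example, not part of the original article: the column names and sample rows are constructed, and the password column is deliberately left out because the schedule needs only the dates.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the tracking sheet, exported as CSV (no password column).
SAMPLE_SHEET = """\
account,login_id,change_every_days,last_changed
Bank,jsmith,90,2017-01-10
Visa card,jsmith01,180,2016-06-01
ESPN,john@example.com,365,2016-11-18
Router,admin,365,2015-03-02
"""


def load_schedule(sheet_text):
    """Parse the sheet and compute each account's next scheduled change,
    returning the rows sorted with the earliest due date first."""
    rows = []
    for row in csv.DictReader(io.StringIO(sheet_text)):
        last = date.fromisoformat(row["last_changed"])
        rows.append({
            "account": row["account"],
            "login_id": row["login_id"],
            "last_changed": last,
            "next_change": last + timedelta(days=int(row["change_every_days"])),
        })
    return sorted(rows, key=lambda r: r["next_change"])


def flag_compromised(rows, account, today):
    """A breach notification overrides the schedule: the change is due today."""
    for r in rows:
        if r["account"] == account:
            r["next_change"] = min(r["next_change"], today)
    return sorted(rows, key=lambda r: r["next_change"])


def due_for_change(rows, today, lookahead_days=30):
    """Accounts overdue or falling due within the review window."""
    cutoff = today + timedelta(days=lookahead_days)
    return [r["account"] for r in rows if r["next_change"] <= cutoff]


if __name__ == "__main__":
    today = date(2017, 3, 15)  # constructed review date
    schedule = load_schedule(SAMPLE_SHEET)
    for r in schedule:
        print(f'{r["next_change"]}  {r["account"]:<10} {r["login_id"]}')
    print("Change this month:", due_for_change(schedule, today))
    schedule = flag_compromised(schedule, "ESPN", today)
    print("After a breach notice for ESPN:", due_for_change(schedule, today))
```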

Is it Safe to Write Down your Passwords?

Yes – if you read the rest of this article. Hackers use a social engineering trick I call desk surfing, also known as eavesdropping. I recommend that supervisors enact the “janitor test.” If I were a janitor, working in the evening, what could I discover without touching a thing? You would be surprised. Read Alan Henry’s blog on The Most Common Hiding Places for Workplace Passwords and you will get a good laugh – probably at yourself!

The simple truth is this – there are too many passwords to relegate them all to memory. It is impossible. People write them down. So the question is whether there is a safe way to write down passwords. There are a number of tools out there that enable you to record passwords such as encrypted password vaults that come with browsers, and several apps that provide password storage services.

Whatever you do – DO NOT RECORD PASSWORDS IN PLAIN TEXT, UNPROTECTED FILES. Word processors and spreadsheets have password protection options. Use them. Studies have shown that this level of password protection is not considered high-level and is particularly subject to brute-force attacks: a hacker can download the file and conduct unlimited attempts to break into it. But it is better than no protection.

Below is an example. In prior versions of Word, the password option was provided under the “Save As” screen. But recent versions of Word place the password controls under “Tools” and then “General Options.”

While password storage apps may provide the best protection, I have found they do not store other information that may be handy to write down, such as your bank account number, PIN used for the bank card, airline frequent flyer numbers, etc. And then there are the security questions that they want you to use. As you can see, it can get messy.

Here is an example from the Firefox browser, where you can save passwords.

Another trick is to only record the first and last few letters of a password. This will require some discipline on your part because it depends on something that only you know. But if you build complexity at the ends of the password, the center can be a pattern you know. So you would record in the document something like A@C …. 789. Only you know what lies between C and 7. So in the event someone obtains your password file and cracks the password and gains access, they will only get a hint of what the entire password may be. They may eventually discover the password, but you have made the effort much more time-consuming and complex and have increased the odds of detection by security considerably.

What Happens if you Die?

We now return to the sad fate of John and his surviving spouse, Juanita. I’ll be honest. I have never heard anyone discuss this subject at a security conference. But it is obvious to any lawyer or trust manager who has to handle estate settlements. And it doesn’t have to be death. You could simply be traveling and someone at home needs to access an account. With more and more financial activity being conducted on the Internet, there are often few clues in your paper files at home. Financial firms are often in the forefront of “sustainability,” i.e. the use of e-mail rather than paper and snail-mail. The only evidence that you have a bank account or a stock trading account is the e-mailed statement notifications. For someone to access that account they would need to know the e-mail address and the password. The old-fashioned way of transferring assets upon death is still required, but it may mean the difference of one day versus one to six months before you can access the account information.

The impact of your loss, however, will be felt most by the everyday things you do over the Internet. Consider how many bills you pay on-line. Does your spouse know those IDs and passwords? Consider all the services you use that may require a periodic password entry: Hulu, Netflix, You-Tube, Facebook, the cell phone provider, resolution of medical bills with the insurance provider. The list can go on and on.

One way to reduce the confusion and chaos for the beneficiaries is to provide the list of passwords and IDs in printed form, filed away in a safe location, preferably in a safe or safe-deposit box. If all involved are cyber-sophisticated, you may find it practical to keep a digital copy of the password file with a beneficiary, or simply place a thumb drive of critical documents in a safe.

Finally, use a shredder. Any piece of trash that contains an account number or, heaven forbid, your passwords, can be used against you. Shredders are not that expensive and are handy to have around.

Sliding Doors

A fun movie is Sliding Doors which explores the consequences of one decision, tracking the subsequent events of a person’s life. Let’s return to John Smith, and go back four years. John, seeing how important it was to document passwords, decided to record IDs, passwords, PIN #’s, account numbers, etc. in one password-protected document. He named the document “Grandma’s Recipes.docx”. He printed out the document and placed it into the safe. Juanita, not being cyber-friendly, barely provided enough attention to recall John’s remarks about the document. She squirreled away the safe combination in her wallet.

On hearing the tragic news of John’s death, she fell into shock. The coming days passed before her like a bad dream. Friends provided meals. Her parents and John’s parents all converged at their home, providing comfort and support. But the time came when she had to live again. She saw the bills sitting on the counter, which reminded her that they needed to be paid. She recalled John used on-line banking and rarely used checks. She then recalled John describing this document that he placed into the safe. The safe! Where was the combination? She remembered she placed it in her wallet. There it was, worn thin, the numbers barely visible. She went to the safe and breathed a sigh of relief when the door opened. There it was, the document listing all the passwords. At the top was the password to the file on their computer. She went down the list and found their bank. She got online. The ID and password worked! She studied the page and learned how to track transactions. She noticed there was a button on the upper right portion of the screen labeled “Bank Online.” She found the utility bill. She paid it. She sighed in relief. She then noticed a credit card bill being paid last month. She never recalled seeing a credit card statement in the mail, so she found the ID and password to the Visa card. To her relief, it also worked and she saw that the bill would need to be paid soon. She printed out the statement and looked it over. She returned to the on-line bank and scheduled a payment. “Yes,” she said to herself. “I can do this.”

She would later access his e-mail accounts, noticing that there were some bill notifications. She paid those as well. Yet as the months went by she noticed the other accounts he had listed. She recalled the memories of his love of sports, his uncanny ability to plan trips, and his diligence in providing insurance coverage. She would decide in the coming months to return to her hometown to be near her parents. With that list of passwords, she was able to access the travel accounts, transfer the accumulated points to her name and arrange the flights that saved her over a thousand dollars. Consulting with customer support, she was able to close out his unneeded accounts and update those she would continue to use. She kept his Facebook and Instagram accounts. She wept when she viewed the photos and his witty responses to his crazy friends. These were practically all that was left of him, the ghost in the machine.

Other Resources.

The Most Common Hiding Places for Workplace Passwords, Alan Henry, LifeHacker, November 13, 2012. Fun article for all the tricks people have tried to hide their passwords.

PC Magazine has a good article rating password vault apps.

“The Best Password Managers of 2017”, PC Magazine, Neil J. Rubenking, December 13, 2016

Another source organizes the recommended vault applications by operating system, expanding your options if you have a non-Windows platform.

“Best Password Manager – For Windows, Linux, Mac, Android, iOS and Enterprise,” Swati Khandelwal, The Hacker News, July 29, 2016


Spam Filtering: Mastering Your E-mail

It is now a fact of life that e-mail traffic is largely spam, unwanted solicitations for your time and money, if not worse. I recall in the days of the mailbox that spam was the latest sweepstakes offer. That’s quite tame compared to the dozens, if not hundreds, of daily spam offers we encounter.  Spam cannot be avoided, but it can be controlled.

This does not have to be so. The most effective way to control spam is to note your internet behavior. Most people have one e-mail address, whether it corresponds to a friend, a bank or the guy needing money for his Nigerian grandmother. There is no better solution than to divide up your e-mail into unique e-mail addresses. (This is discussed at length in “A Method to the Madness.”)

This article focuses on how to effectively use spam filters. And it is a journey I have undertaken to understand spam filtering. Like just about everyone who reads this blog, I had one personal e-mail address. I was between jobs so I was hitting a lot of job sites on the web. It was then that I realized some were not quite what they appeared to be. When I began working at the University of Alaska (UAS) I had my personal e-mail address (which was used primarily for consulting work) forwarded to my work address. Before long the UAS account was being hammered by “job opportunities.” To add fuel to the fire, this was at a time when a faculty member’s e-mail address was posted onto a web page. Filtering, at this point, was a desperate battle of survival. Mix in about 50-100 students, and message management was a nightmare.

Introducing Filtering

Filtering has come a long ways since 2003 when I moved up to Alaska. I picked up on it quite readily. I started teaching the concept in security classes. I have seen various tools that provide filtering at different levels. For you, the average user, about all you see are the junk mail controls on your e-mail software. There is more to filtering than that. Filtering is done at several levels.

  • Your Internet Provider or Host
  • Your mail server
  • Your e-mail client software

For most folks, what they see day-to-day is their e-mail client software and they’ll see a folder called “Junk” or “Spam”. What they don’t see is that Internet providers and hosting services (like 1and1.com) have been utilizing anti-spam measures of their own.

  • Spammers need an e-mail server to do their work. The message must start from somewhere. That is getting harder to do these days using conventional channels. Mail service providers have been utilizing digital certificates to authenticate who they are, which makes it more difficult to service traffic from rogue servers. Mail servers on the Internet send messages to “relay servers”, which in turn are capable of detecting spam traffic and blocking abusers.
  • Mail service squelching eliminates bulk e-mails. Most people do not encounter this problem until they volunteer to send newsletters to the 100 member gardening club. That’s when they discover an exciting new feature from the Internet provider – squelching. The messages start to drag, then get very inconsistent, and then get corrupted. You go to your provider’s web site and see in very fine print – “Send messages to as many as 50 recipients.” Once you go over that limit, your messages are sent to the bottom of the pile and may or may not be delivered. In other words, your Internet provider is not in the business of bulk mail.

From data I gathered during my days at UAS I detected that the UAS mail filter (which was my “Internet provider” so-to-speak) was filtering about 1500 messages a week for my account! They provided faculty and staff with a tool to check these messages, which provided a great deal of insight regarding the volume of spam. And that holds true for what your Internet provider encounters these days. Messages that are unambiguously spam are zapped before they ever get to your mailbox.

The second layer of filtering is with your e-mail server. Most people have only an Internet provider, but if you have a hosted site (like for your personal web page or business), you will notice that your e-mail service has a filtering feature that affects all the people who are listed under your domain. If you had an address such as juneauflowers.com, and you had 12 employees, you can set spam filtering that affects all employees. This can remove another significant level of messages that your employees may be tempted to open. You may also note that tools like SpamAssassin may be employed at the server-level.


No one is more aggressive at doing this than government web sites and high-security business sites. In my work with volunteer organizations, I implore people, over and over again, do not list your government office e-mail address. Invariably, newsletters are blocked by mail filters. If you subscribe to an e-mail server, you can also control quite specifically the type of traffic that comes to your employees.

The third layer is your e-mail client, the software you use on your computer or smartphone. You may have noticed that your mailbox may have a folder called “Junk” or “Spam”. These folders are where the client deposits the spam it collects. You usually get a message with a summary of the filtered messages. If you discover a message was filtered in error, you can right-click on the message and mark it “Not Junk”. Below is an example of how you configure Thunderbird to filter junk mail, as well as decipher e-mail scams and messages with viral payloads.


What is interesting about this layer is that you are introduced to the fact that an e-mail client is “trained” to identify junk mail. In reality, the spam filters of your e-mail server are also “trained,” albeit at a different level. Your spam filter is asking you to move into the Spam/Junk folder any message you do not trust or want. The next time that message arrives, it may see a similar message in the Spam/Junk folder and automatically mark the message as spam. Be patient. It may take a while for the software to learn. Another thing to note: read carefully which messages are being filtered, in the event a sender you care about gets marked as “junk.” For example, my health care insurance provider had, for some odd reason, their messages filtered. The solution was to right-click over the message and mark it as “Not Junk”.
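How "training" and the "Not Junk" correction can work, shown with a small naive Bayes word-frequency classifier. This is an added example, not code from the original article or from any mail client; the article does not name the algorithm, so naive Bayes is an assumption, and all messages are constructed.

```python
import math
import re
from collections import Counter

LABELS = ("junk", "good")

# Constructed training messages: what a user has moved to Junk or left alone.
TRAINING = [
    ("You have won the sweepstakes claim your prize money now", "junk"),
    ("Urgent transfer money for my grandmother in Nigeria", "junk"),
    ("Claim your free prize click now", "junk"),
    ("Rotary club meeting agenda for Thursday", "good"),
    ("Your daughter sent photos from the trip", "good"),
    ("Faculty meeting moved to Thursday afternoon", "good"),
]


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class JunkFilter:
    def __init__(self):
        self.word_counts = {label: Counter() for label in LABELS}
        self.message_counts = dict.fromkeys(LABELS, 0)

    def train(self, text, label):
        """Moving a message to Junk, or marking it Not Junk, ends up here."""
        self.word_counts[label].update(tokenize(text))
        self.message_counts[label] += 1

    def junk_probability(self, text):
        vocabulary = set(self.word_counts["junk"]) | set(self.word_counts["good"])
        total_messages = sum(self.message_counts.values())
        log_score = {}
        for label in LABELS:
            counts = self.word_counts[label]
            total_words = sum(counts.values())
            # Prior and word likelihoods use add-one smoothing so that a word
            # seen in only one folder never produces a zero probability.
            score = math.log((self.message_counts[label] + 1) / (total_messages + 2))
            for word in tokenize(text):
                if word in vocabulary:  # never-seen words carry no evidence
                    score += math.log((counts[word] + 1) / (total_words + len(vocabulary)))
            log_score[label] = score
        gap = max(-700.0, min(700.0, log_score["good"] - log_score["junk"]))
        return 1.0 / (1.0 + math.exp(gap))


def build_sample_filter():
    junk_filter = JunkFilter()
    for text, label in TRAINING:
        junk_filter.train(text, label)
    return junk_filter


if __name__ == "__main__":
    f = build_sample_filter()
    insurer = "Your claim statement is now ready"  # constructed false positive
    print("before Not Junk:", round(f.junk_probability(insurer), 2))
    f.train(insurer, "good")  # the user right-clicks and marks it Not Junk
    print("after Not Junk: ", round(f.junk_probability(insurer), 2))
```

The insurer's message shares "claim" and "now" with the junk pile, so it is flagged until one "Not Junk" correction teaches the filter otherwise.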

The fourth layer is “rules”. Thunderbird, my e-mail software, calls it “Message Filtering” while Outlook calls it “Rules”. In both cases, you have the ability to filter out messages based on who they come from or specific phrases. This is the last line of defense, for when all other measures fail. This feature is not only for spam, but for doubtful messages, or for general, routine messages that clutter up your mailbox and you wish to keep them out of the Inbox. As an enterprise administrator, my mailbox is pounded by automated messages. These are all handled by rules, which direct these messages to specific folders. This enables me to communicate more effectively with my colleagues while also tracking notifications.

The final filter is yourself. Be smart. If the message is unsolicited, use common sense. What do you know about a grandmother in Nigeria? Are there links in the message which are different than the sender? Is there an attachment from somebody you do not know? When in doubt, delete it.
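The rules layer and the "links different than the sender" check described above, combined in one filing function. This is an added example, not Thunderbird's or Outlook's own logic; the rules, folder names, addresses and messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical rules, checked in order; the first match decides the folder.
RULES = [
    {"header": "From", "contains": "alerts@monitor.example.edu", "folder": "Notifications"},
    {"header": "Subject", "contains": "job opportunity", "folder": "Junk"},
]

URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample messages.
MSG_ALERT = ("From: Monitor <alerts@monitor.example.edu>\n"
             "Subject: Disk usage warning\n\nVolume /data is 91% full.\n")
MSG_JOB = ("From: recruiter@jobs.example.com\n"
           "Subject: Exciting Job Opportunity!\n\nReply for details.\n")
MSG_BANK = ("From: Your Bank <service@bank.example.com>\n"
            "Subject: Account notice\n\n"
            "Please confirm your details at http://payments.example.net/verify today.\n")
MSG_CLUB = ("From: Garden Club <news@club.example.org>\n"
            "Subject: Spring newsletter\n\n"
            "Read it at https://www.club.example.org/newsletter\n")


def base_domain(host):
    """Last two labels of a host name. A simplification: production code
    should consult the Public Suffix List (for names such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def text_of(msg):
    """Concatenate every text part of the message body."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def mismatched_link_hosts(msg):
    """Hosts linked in the body whose domain differs from the sender's."""
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = base_domain(sender.rpartition("@")[2])
    hosts = []
    for url in URL_PATTERN.findall(text_of(msg)):
        try:
            host = urlparse(url).hostname or ""
        except ValueError:  # malformed URL: nothing to compare
            continue
        if host and base_domain(host) != sender_domain and host not in hosts:
            hosts.append(host)
    return hosts


def file_message(raw):
    """Return (folder, suspicious_hosts) for one raw message."""
    msg = message_from_string(raw)
    for rule in RULES:
        if rule["contains"].lower() in msg.get(rule["header"], "").lower():
            return rule["folder"], []
    suspicious = mismatched_link_hosts(msg)
    return ("Review", suspicious) if suspicious else ("Inbox", [])


if __name__ == "__main__":
    for raw in (MSG_ALERT, MSG_JOB, MSG_BANK, MSG_CLUB):
        print(file_message(raw))
```

A mismatch is a prompt for a closer look, not proof of fraud: legitimate newsletters sent through a mailing service also link to a different domain.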


In Conclusion

As I said at the beginning, learning the art of spam filtering is a journey. Take some time, beginning with your e-mail software. See which features it provides for filtering and virus protection. See which features your Internet provider employs for spam filtering. Make one change at a time and measure how it affects your e-mail traffic.

E-mail: A Method to the Madness

Memo to the Clinton Campaign:  How We Use  E-mail Determines the Risk

I had finished writing this piece when the latest blow-up over the Clinton e-mails grabbed the headlines.  I’ll speak on that later because what I wrote below pertains to them as much as to you.  Needless to say, whether you are Sarah Palin or Hillary Clinton, how you handle e-mail has significant repercussions.  

The Curse of Spam

The E-mail Symbol: By Fabián Alexis - https://github.com/fabianalexisinostroza/Antu, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=49947397

There was a time when e-mail was king, so much so that Time-Warner paid billions for AOL, a large dial-in portal.  It was AOL, combined with the likes of Tom Hanks and a blockbuster film You’ve Got Mail, that symbolized that small moment in history when anybody could have their own e-mail address, and it usually ended with @aol.com.   The social trends of that time showed people of all ages infatuated with exchanging messages, much as folks do today with Twitter and Facebook.
Hayes External Smartmodem
I come from a time prior to that phase, when “being connected” was simply having this thing next to your computer called a modem that enabled you to send messages through what was called a “bulletin board service.”  The BBS often included chat rooms where like-minded people could exchange messages that were reasonably spontaneous.  It was technology like this that spiced up films like Tron and War Games.

There was a time when e-mail was falling under its own weight as common folks saw their accounts swarmed by unwanted messages, some of which infected their computers, even to the point of duping them out of some of their money. It was given a curious label: spam.

When Facebook arrived on the scene, folks were given the possibility that connecting with friends provided a safer way to exchange messages.  As a technology, Facebook has been very successful in providing that environment.  Socially, however, people discovered that opinions and photos passed amongst friends would eventually be observed by not-so-friendly faceless observers.

Twitter, while currently popular, is Facebook on steroids. Here, people exchange short messages and photo snippets. What emerges from this is a generation of younger people who are now beginning to realize that “adulthood” is when you discover that you want your own life. Shut off Twitter, ease up on Facebook. Read a good book, the kind with paper.

E-mail has matured.  For commerce and government, it serves as a valuable way to communicate with customers and citizens.  Yet this medium of communication is still filled with risk.  For average people, it is very frustrating.  I have personally seen how the trust-issue in e-mail has made communication through e-mail very unreliable for non-profit groups.   Let’s just say it is far less reliable than the US Post Office.

While teaching security at UAS I set up an experiment to evaluate where spam came from.  I set up a “honeypot” mail server.  It was here that I began to experiment with e-mail servers, accounts, and e-mail forensics.  The first thing I learned was that it was only a matter of one day before my server was being probed for open relays (using the server as a conduit for spam).  The fun part was tracking back the requests.  I often wondered why a software company in Calcutta was so interested in my server.  Another attempt was traced back to a law firm in the southern part of Memphis, Tennessee.

Yet what really got my interest was how our behavior affects our exposure to spam.  It was then that I started using e-mail accounts for specific aspects of activity on the Internet to measure how the usage of an e-mail address generates spam.  It was intriguing to see how my “internet behavior” affected my security.  In conclusion, how we use our e-mail accounts determines the degree of exposure to spam.  From this experience, I began to change the way I use e-mail.

The Solution:  Multiple E-mail Accounts

There is nothing sacred about having just one e-mail address. Yet I often get this quizzical look from people when I give them an e-mail address. It is clear that many people cannot understand why I use multiple e-mail accounts. For less than $15 a month you can actually register your own domain (like for your family), obtain your own website and get up to 600 e-mail accounts with it. (See 1and1.com.) Otherwise, you can set up multiple accounts with Gmail, Hotmail, Yahoo and your local internet provider.

  • First, the most important e-mail activity you conduct is with businesses.  Not just any business. The big boys, like the bank or your stock trading provider.  Use this account rarely and wisely.
  • Second, in answer to the question, “So why do you use the same e-mail for your bank as you do when you visit some strange website to send a greeting card to your daughter?”  Much of our activity on the Internet is high-risk.  Many of these sites ask for  your e-mail account as the account name or as a way to confirm changes to your account or as a way to advertise.  I use an e-mail account reserved for what I view as the high-risk activity.   This account is used whenever I visit a website and wish to register but remain uncertain it is safe.   In my experience, this account will be hit hard.  I often cycle through a new account every two years because the volume of spam gets annoying.
  • I reserve an e-mail account for friends and family.  This does not guarantee reduced risk, but it makes it easier to identify messages from those closest to you.   Spam really sticks out like a sore thumb for this type of account.
  • I have also used a unique e-mail account for organizations, such as the local Rotary Club or my church.  With the advent of mail services like Constant Contact, more and more organizations are able to deliver mail that is safe.   Yet the greatest vulnerabilities are from organized groups that are small enough to use their personal e-mail accounts with a couple of dozen other folks added. Each Reply-to increases the odds that at least one of those accounts will be compromised, at which time all the other addresses will be targeted.  Once again, spam looks strangely out of place.
  • Another idea to explore is dedicated e-mail addresses. These addresses can service special-purpose sites like eBay, Facebook or Craigslist. Notice how these sites represent a fundamental shift in how you use the Internet, which exposes you to more unknowns.

After almost ten years, I have had to change only one e-mail address.  That was the one associated with  the highest risk traffic.  The other accounts have been providing safe, reliable messages for several years.

As noted above, registering your own domain is probably the easiest way to rationalize your e-mail addresses.  Services like 1and1.com provide low-cost services for setting up your own web page and e-mail service.  If your name is Jane Smith, you will probably be the 4,368th Jane Smith on Gmail.  But if  you register a domain like JaneSmith.name, all your addresses will have the same ending.  You may create an e-mail for web surfing like AlaskaGirl@JaneSmith.name.  For the bankers and stock brokers, you probably want to keep it simple, like MrsSmith@JaneSmith.name.  And one more important thing – high security e-mail usage should require the most complex, unique password.

The important objective is controlling your e-mail.  Having official or personally significant messages buried in spam traffic risks financial confusion or loss, as well as missing that important note from your best friend.
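
The compartment scheme above can also be checked mechanically. The following Python is an added example, not the author's code: it records which senders were ever given each alias and flags mail that does not fit the alias it arrived at. Only the two JaneSmith.name aliases come from the essay; the sender domains and sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# alias -> sender domains allowed to know it (None = give-away alias, anyone may write).
# The two aliases are the essay's examples; all sender domains are constructed.
POLICY = {
    "mrssmith@janesmith.name": {"examplebank.test", "examplebroker.test"},
    "alaskagirl@janesmith.name": None,
}

def _domain_in(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def recipient_alias(msg):
    """First policy alias found in Delivered-To/To/Cc, or None."""
    fields = msg.get_all("Delivered-To", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, addr in getaddresses(fields):
        if addr.lower() in POLICY:
            return addr.lower()
    return None

def triage(raw):
    """Return (alias, verdict). From is spoofable, so this only tests whether the
    message fits the compartment it landed in; it does not authenticate the sender."""
    msg = message_from_string(raw)
    alias = recipient_alias(msg)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if alias is None:
        return None, "unknown-alias"
    allowed = POLICY[alias]
    if allowed is not None:
        return alias, "expected" if _domain_in(domain, allowed) else "out-of-place"
    # Give-away alias: a sender that was only ever given a reserved alias is a red flag.
    for senders in POLICY.values():
        if senders and _domain_in(domain, senders):
            return alias, "misdirected"
    return alias, "low-trust"

def _mail(sender, to):  # constructed sample messages
    return f"From: {sender}\nTo: {to}\nSubject: test\n\nbody\n"

SAMPLES = {
    "bank_notice": _mail("Example Bank <alerts@mail.examplebank.test>", "MrsSmith@JaneSmith.name"),
    "spam_at_bank_alias": _mail("promo@deals.test", "MrsSmith@JaneSmith.name"),
    "bank_lookalike": _mail("Example Bank <security@examplebank.test>", "AlaskaGirl@JaneSmith.name"),
    "greeting_card": _mail("cards@greetings.test", "alaskagirl@janesmith.name"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

An "out-of-place" verdict on a reserved alias means that address has leaked and should be rotated; "misdirected" means a message claims a sender that was never given the address it reached.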

What About Google?

I think everyone on the planet will have a Gmail account some day. What is attractive about Gmail is that it is only one part of “the Google cloud” experience. Once you start poking around you will discover the G-Drive, a calendar, a chat service, etc. If you have the propensity to use Google services, then be careful. Once a Gmail account is spammed, it can make all those other services difficult to enjoy. For that reason, I still consider the Google cloud an experiment. One rule of thumb I follow is whether the use of a cloud service will enhance the intuitive interaction of applications I frequently use. I enjoy watching YouTube channels. My Google account makes it easy to move from my desktop to my tablet or smartphone. That same intuitive experience, however, can make it just that easy to compromise all those services.

So how do I protect myself using Google services? Simple. Use it for entertainment. Use cloud services in much the same way as you diversify e-mail. Diversify where you put your photos and documents. Nothing about my finances or taxes is kept on the Google Drive. Yet I love it for the not-so-serious things. It’s great for moving documents and photos between devices and people. Travel is another great use of cloud services like Google. But I do not use my Gmail account for banking nor do I use it for high-risk Internet activity. The Gmail account is important enough to me that I do not wish to see it spammed to death, but because of its versatility it is too risky for financial services.

And what about the Clinton e-mails?

The bombshell is how John Podesta’s e-mail was hacked.  Their troubles are the result of being unbelievably naive and amateurish on the use of e-mail.  Clinton’s use of a private server was probably discovered long before the FBI knew about it.  The black hat community is quite observant of activity on the Internet, especially when the search string is “clinton.”  It is also apparent that they had the bad habit of using the same address to exchange campaign strategy and ordering out Chinese.  Finally, it is interesting to note that Podesta got tricked through his use of the Google cloud service.

The other lesson we learn from the Clinton affair is that every person you send messages to provides one more portal into your world.  It is virtually impossible to conceal yourself or the messages you send to others.  It has been my experience that I often discover the oddest things while doing ordinary tasks.  I can only imagine that any officer of the law can attest that intelligence in the cybersphere expands three dimensionally.  While investigating one matter they discover information affecting a different case.  This is what happened with Clinton when emails were discovered while investigating Anthony Weiner.  The private server was revealed through a Freedom of Information request regarding the Benghazi affair.

In Conclusion

E-mail is safe to use if used wisely. If you can’t master more than one e-mail account, or cannot tell a message from the quilting club from a notice from your bank or from a Nigerian who needs money for his grandmother, then you will be in serious trouble. But I believe most everyone reading this essay can have more than one e-mail address and use all of them judiciously. Diversify your use of the cloud as well. Don’t put all your eggs in one basket.

Happy e-mailing everyone.