We’re falling behind on system security updates and Google and Apple are to blame

Security updates on personal devices are critical. But many people don’t do them. Now, limiting the blame to just two companies is understating the issue, and if all this sounds a little harsh, stick with me, and I’ll explain, beginning with an analogous scenario.

We have updated your car

We have updated your car, patching security problems, improving performance, and adding exciting new features we think you will like.

Sedan Coupe blend

You are driving to work, and it is your day to carpool. You drive your 4 door sedan and pick up 4 people. While on your drive to work you find out that your car needs to be updated to fix a major security problem. It seems someone can remotely turn on your turn signal without you knowing about it, making you the person driving down the road for 30 minutes without changing lanes or turning. Well, you certainly don’t want that, so, when you reach work and park your car, you push the update button and walk into work with your carpool buddies. At the end of the day, though, your whole crew comes out of the office, ready to go home, and discovers that the update has also changed your 4 door sedan into a 2 door sports coupe. Sure, the blinker can’t be turned on remotely anymore, but, seriously?!

Time goes on, your buddies have found their own ways home, they have finally stopped giving you grief for updating your car, and you’ve learned to live within the limitations of the 2 door sports coupe. It does, after all, have some handy features. Now, however, you’re back on the road, heading out on date night with your significant other, and you hear that there is a major security flaw affecting your car. Turns out your car’s brakes can be remotely applied. Now, this worries you, and you’d like to apply the update that fixes this, but you don’t actually apply it. Sure, it leaves you vulnerable to unexpectedly stopping, maybe even causing an accident, but, if you do apply the update … what else is going to happen? Will you return to your car and find out that it is now a freight truck?

Combining GUI and security updates is the real culprit

If you followed the analogy, it’s pretty much the same on your phone or tablet. Basically, your device offers you an update, and you refuse to apply it for months, even years, even though you want to fix the security flaws, because you have learned, by now, that updating also affects the way that your device looks and functions – the GUI, or Graphical User Interface. And this is what Google and Apple have yet to learn – combining GUI and security updates is the real culprit. If the general public is going to willingly apply fixes for major security flaws in a timely fashion, then those fixes MUST stand apart from the graphical user interface updates. Otherwise, every time someone settles into their comfy device, they’re going to want to stay there, without the risk of it changing to something unfamiliar.

Time marches on – we must move with it

While it is absolutely true that time marches on, and, yes, we must move with it, there is also a limit to the rate at which people can change. Exceed that speed and people become overwhelmed, and they sprint back to an earlier state of being as rapidly as possible. Consider how long Microsoft Windows XP was the primary operating system on desktop PCs – 2001 until 2015 (later in some cases). Why? In part, it is because people get comfortable with the way things look. Updating from Windows 95 to XP was easy – they looked, and felt, the same. Updates to that operating system did not impact that overall feel. Contrast that with the change in Microsoft Office between 2003 and 2007, and people still haven’t stopped complaining about the change in the interface.

In the world of smart phones and tablets, however, change has been a constant. It’s hard to go more than a month before something on a device is changed, assuming regular updates. Each of those changes affects privacy settings and the overall feel of applications. The constant changes, and the time involved in updating, impact our lives, our flow, our schedules, and the efficiency with which we can operate. Anything that impinges on that flow is something that we, as human beings, put off as long as possible. Major phone vendors typically recognize this, and they change the basic function of the operating system, whenever possible, to limit the number of changes that occur when a security patch is rolled out. Unfortunately, they, too, are becoming part of the problem, as they are so slow to roll out the updates that devices are left vulnerable for extended periods of time.

Ok. So, what’s the fix?

In the short term, there’s very little we can do to influence the major companies to change their basic operating procedures. That said, Google seeks Feedback, and Apple Feedback is possible, too. Of course, you can also turn to social media to publicly post your feedback, or turn to a larger platform, like Change.org, and create and promote, or participate in, petitions. In the meantime, I do encourage you to update your devices. It’s a tough pill to swallow, I know, but it’s one that is necessary, at least until the security patches are finally separated from the comfortable look and feel of the apps we know and love.


Network Attached Storage for Backups Reviews and Recommendations

An existing customer asked me to recommend a Network Attached Storage (NAS) device for use in backing up their primary computer and, rather than keep the recommendations to just them, I thought I’d share a few thoughts. The limitations of this review are that I haven’t physically handled most of these units, and this is not a comprehensive review of the options out there, as there are altogether too many to choose from, so this will only cover a few select units. Also, there is no way in a review like this to cover all of the features offered in each unit.

Our goal here is to back up a single computer using Acronis True Image Home, and there must be capacity for multiple copies of backups, going back a month. The system to be backed up is a typical small office computer, with about 250GB of hard drive space used. A NAS is preferred, because it can be placed in a physically different location, reducing the risk of theft during a break in.

Qnap TS-251+ 2-Bay, 6TB(2x 3TB NAS Drive) Intel 2.0GHz Quad-Core CPU (TS-251+-2G-23R-US)

Bottom Line : I DO recommend the QNAP TS-251+2G for very small businesses and people at home

Prices found online : $340 plus your choice of hard drives

GOOD :
  • 2x Gigabit Ethernet
  • Hot Swappable drives
  • Quad Core Processor Celeron J900
  • 2GB RAM
  • Raid 1,0
  • SATA III (6Gb/s)
  • Firewall
  • Supports Encryption
  • User based Sharing
  • Manufacturer Virus Scan/Security Software
  • Installable SSL Certificates

BAD :
  • No Third Party Security Software

QNAP TS-251 2-Bay Personal Cloud NAS, Intel 2.41GHz Dual Core CPU with Media Transcoding (TS-251-US)

Bottom Line : I DO recommend the QNAP TS-251 for very small businesses and users at home.

Prices found online : $250 plus your choice of hard drives

GOOD :
  • 2x Gigabit Ethernet
  • Hot Swappable drives
  • Dual Core Processor Celeron J1800
  • 1GB RAM
  • Raid 1,0
  • SATA III (6Gb/s)
  • Firewall
  • Supports Encryption
  • User based Sharing
  • Manufacturer Virus Scan/Security Software
  • Installable SSL Certificates

BAD :
  • No Third Party Security Software

The choice between the TS-251 and 251+ is really about the processor. If you’re willing to part with the extra $90, you’ll definitely get farther with the 251+ . In either case, I do wish the NAS manufacturers would go ahead and move into the i series processors, even if it does cost a few extra dollars to do so.

Synology DS216j Diskless System NAS DiskStation

Bottom line : I DO recommend this system for very small business and home use. I wouldn’t use it with more than 2 computers at once, but it is a solid device with a lot of positive features.

Prices found online : $170 Plus your choice of hard drives

File format is EXT4.

GOOD :
  • Gigabit Ethernet
  • SATA III
  • 512MB RAM
  • Dual Core Processor
  • Supports Encryption
  • User based sharing
  • RAID 0,1
  • Firewall
  • Manufacturer Virus Scan/Security Software
  • Installable SSL Certificates

BAD :
  • Drives NOT hot swappable
  • No third party security software

Syno_UsersGuide_NAServer_enu.pdf

WD My Cloud 3 TB

Bottom Line : I do NOT recommend this for business or personal use, except in very specific circumstances.
My customer picked this up (model WDBCTL0030HWT-NESN) quite inexpensively and, from its spec sheet, it seemed like a good option. Once we started using it, however, its reality fell far short of expectation. As a result, its review is considerably shorter than those of the units I do recommend.

GOOD :
  • Easy Setup
  • Low Cost
  • Drives are included and installed

BAD :
  • Poor Security
  • Drives are not hot swappable

While I only had my hands on this unit briefly, the security problems I ran into were as follows :

  • Returning to the setup screen in any web browser allowed immediate ability to edit the configuration of the NAS, without being challenged for a password.
  • UNC (\\servername) from a Windows based computer allowed full, unchallenged access to the data stored on the NAS. This makes the data vulnerable to intentional or unintentional deletion by an employee, or worse due to malware, ransomware and infiltrators.

Even at home I have serious reservations about this device, and I wouldn’t recommend it to anyone until the company updates the firmware to ensure basic security is in place first.

If you have more than 2 computers to backup, or are planning to use the NAS as a primary file server, then you should consider a 4 Bay NAS, like the QNAP TS-453A. More on that in another post.

Text messaging for business correspondence is bad business practice

Text messaging is an invaluable tool. We use it regularly for a wide variety of applications including notification of deliveries, appointments, quick messages to family and friends, queries about arrival times, alerts for banking, system problems, and so on. In business it has practical applications for alerts of system downtimes, equipment failures, power outages, intrusions, delivery confirmations, and, occasionally, a quick ping to someone to see if they’re on their way to a meeting. Beyond that, however, text messaging is just bad business practice.

How do you know when text messaging crosses the line?

Here are a few general guidelines to follow :

  • If your text message has paragraphs – stop and move to email
  • If your text message will need to be referred back to at any time – it should be an email
  • If the message contains sensitive information, especially in a regulated industry (such as healthcare, or finance) – stop texting and use an encrypted communication method.
  • If your text message is becoming a business conversation – call, or email
    • If you can’t finish the text message exchange in 4 brief texts back and forth, it’s time to stop
  • If you don’t know, with 100% certainty, that the recipient is available (there is no vacation notification for text messaging)

What are the alternatives to text messaging?

Phone and email are generally the de facto methods of business communication. Which one to use generally depends on the circumstance, but, if you don’t need to have a record of the details for later, just pick up the phone and call.

More sensitive information may need to be transferred via secured documents on a local server, or through encrypted methods such as Google Drive.

Email may or may not be encrypted. So, unless you’re absolutely certain that the email will be encrypted, when confidentiality is critical – don’t use email. That said, businesses in regulated industries typically have email archives as required for compliance purposes. This becomes important in any number of legal disputes, or compliance audits. If information leaked out, your best protection is to prove that you didn’t leak it by having a searchable copy.

Calling on the phone? Leave a message!

If you do call, and you reach voicemail instead of the person, leave a brief message, just enough to let them know the topic, timeline, and that you do need them to call you back. Unless the person you are calling specifically asks you to do otherwise, leave out the minute details as long voicemail messages usually just result in a callback anyway.

That said, leaving a message is critical, because it tells the recipient that your call is important enough to return. If you don’t leave a message, your call will likely go unanswered, because most businesses receive too many calls in a day for the recipient to simply return every missed call. In addition, your call may have been accidental, or, by the time they do call you back, it may have been addressed via an email, in person, or by someone else.

As an extra incentive to leaving a message, many voicemail systems today will transcribe your message for you and send it to the recipient as a text or an email. Bear that in mind if you are leaving a message that relates to confidential matters, and leave only enough information to clue the recipient in as to the importance of calling you back.

What’s the takeaway?

Text messages are great for alert purposes, or asking your friends if they’re bringing the pizza. Beyond that, if you’re in a business, use the phone or email. Avoiding texting is both good etiquette and sound business practice.

ECLAT.TECH Proud to support Sean’s Run for ARROAutism – 2016

Runners and Walkers Prepare for Sean's Run for ARROAutism on a sunny Oregon day
On Saturday, August 20th, ECLAT.TECH will once again be on site for the annual Sean’s Run for ARROAutism.

The annual event, largely a 5K/10K walk/run, raises money for families in Multnomah, Washington and Clackamas counties during the holidays.

How Sean’s Run Helps Oregon Families

Until this year, most families in Oregon did not have access to insurance covered treatments for Autism. Indeed, many treatments are still not specifically covered. Thanks to the efforts of a number of volunteers, the late Senator Alan Bates, Senator Edwards, Autism Speaks, Autism Society of Oregon and Paul Terdal, families in Oregon finally have some breathing room when it comes to the medical costs associated with helping an Autistic family member.

While that is a tremendous help, finances for Autism families are often still severely strained, with one family member often having to quit work to help tend to younger children, recently diagnosed on the Autism Spectrum, but also due to lost work days, uncovered medical costs, additional expenses incurred to address the unique needs of some individuals with Autism, and, of course, all of the other costs associated with every other aspect of modern, American, human existence.

ARROAutism Family Holiday Assistance Project

This is where Autism Research and Resources of Oregon is stepping up. Beginning in 2007, ARROAutism established a fund to help provide access to $100 worth of groceries, as well as a select number of toys, to help Autism families during the holiday season. This small sum makes an extraordinary impact on those families who so desperately need a small ray of light.

You can help bring that light, and, at Sean’s Run 2016, even enjoy rare access to normally closed off areas of the Columbia River dike.

You can join us!

Stretch of Columbia River dike – closed off area specially opened for Sean’s Run for ARROAutism 2016.

Whether you want to volunteer, donate, or (best yet) participate in the run, you can!

Hope to see you at 9376 NE Sunderland Ave, Portland, OR 97211 on Saturday, August 20th, 2016 !

It’s 2016 – so what’s happening with Windows 7?

With all the hoopla surrounding the release of Windows 10, questions are beginning to arise about Windows 7, which has replaced Windows XP as the standard desktop environment for most businesses that were forced to replace Windows XP, but still ran desktops or laptops and were uncomfortable with Windows 8/8.1. The biggest Windows 7 question has been – is it still supported? The simple answer is – yes – and it will be until 1/14/2020.

Why the confusion about Windows 7 support?

You can always be forgiven for being confused about Microsoft’s support and licensing. Pretty much everyone would like to see the folks in Redmond simplify all this a whole lot, and the Microsoft Support Lifecycle page, while useful, still demonstrates the overall complexity. To state it simply, though, all you have to remember is that Microsoft will continue producing updates that will be distributed through the normal Windows Update process until 14 January, 2020. For most people, that’s enough. For everyone else, there are IT consultants you can call for help.

Microsoft Windows Support until 2020

Don’t Fall for Domain Name Trickery

Owning a business has plenty of challenges. One of those is maintaining, and securing, your presence on the internet. I like to call that Web Presence. Once you’ve finally registered your domain name (somethingblahblah.com or .org or .biz etc) you have things to do, like create a website, get email addresses for yourself and/or your employees and so on. And, just as registering your business with the state opens Pandora’s box of marketers, so, too, does registering your domain name. So, now you have one more item to add to your to do list :

SECURE YOUR DOMAIN NAME!

I can’t stress this enough. No-one, and I mean no-one, should be paying for your domain name other than you, as the owner of the business, or someone specifically dedicated in your company. Loss of that domain name means that everything you’ve built around it, your email addresses, website, inbound links, everything on letterhead, business cards, advertising campaigns etc. … it all gets lost.

And that’s not all. It’s easy to fall for the traps of seemingly legitimate notices – there are so many that come in the mail, and the internet. Here’s one you should watch out for :

Domain Name Expiration Notice

iDNS uses words like Domain Name Expiration and Failure to renew to trick you. Guard your Domain Name.

Most people register their domain names through one of a number of valid domain name registrars, including GoDaddy, Web.com, Network Solutions, 1and1, and the list goes on. Typical annual prices for a .com domain name registration range from $1 to $20, though some specialty domain extensions range in price, and there are a few predatory practitioners who register domain names and auction them to the highest bidder. Having finally registered your domain name, at some point you’ll undoubtedly start getting emails, phone calls, and snail mail solicitations. BE CAREFUL!

Here’s one example. I’ve highlighted some of the more glaring parts of this that should make the hair on the back of your neck stand up, and alert you to proceed directly to the shredder with that letter.

Quick Review of the things to look for

  1. Domain Name Expiration
    1. If this isn’t coming from the company you registered with, immediately regard it with caution. Also look at today’s date, and the date your domain ACTUALLY expires. If it’s more than a couple of months away, that’s a warning.
  2. Failure to Renew
    1. Notice how they’re trying to get your adrenaline going, striking fear into you if you don’t act. Typical advertising technique, and another red flag.
  3. This Notice is Not A Bill
    1. This isn’t always on documents, but it’s a clear indication that this should be considered solicitation to do business with someone you’ve never dealt with. Unless you’re extremely unhappy with whoever you have currently, take this letter directly to the shredder.
  4. Prices
    1. This was a real kicker for me. Most domain registrars have great low cost introductory rates, like $1 or $2 for the first year, with renewals ranging anywhere from $5 to $20 for subsequent years (though there will be some variability here). Notice on this letter that the first year is $45 USD! That’s crazy, and reeks of fraud.

Now, I don’t know anything about this particular company, Internet Domain Name Services (idns). However, there are plenty of people calling me about the notices they’re receiving from this company, and companies like them. I tell you what I tell my customers – run the letter through the shredder! Whether they’re a legitimate company or not, they’re charging way too much, and there’s too much at stake to take a chance on a company like that. You might find that you’ve just paid something, for nothing – and that’s never a good way to run a business.

A Few Other References

I did a quick search for iDNS and found a number of other people reporting similar issues with exactly the same letter I just showed you. Feel free to review if you’d like a little more information.

Do NOT punish employees for being victims

Joseph Granneman believes victims should be held accountable for the actions of criminals

Phishing

Phishing is when someone tries to convince you to click on a link and enter information on a website that is pretending to be something else, for the purposes of obtaining confidential information about you for an unknown, and probably illegitimate, purpose.

Punish the Victims?

An article, published on TechTarget, proposes to punish the people who click on these phishing links. Punishing victims is wrong, even if the intent is to help people learn how to identify these threats.
In fact, the analogy used by the author is flawed, too. He writes “Employees would be held accountable if they let a criminal into the office and they caused physical damage.” If we look at this analogy critically as it equates to an email phishing attack, then, the employee who actually allowed the “criminal” into the office would really be the one who allowed the email to arrive in an inbox, not the one who clicked it. This would be akin to punishing an Administrative Assistant for working with a criminal who was vetted and hired by someone in Human Resources, or allowed entry by the security guard.

Dissecting the Opinion

Here are some of the flaws in the analogies used in the article :

Users are either not understanding the message or they have developed an apathetic attitude toward the training because there are no personal repercussions for not following through on it.

Actually, users are very busy people, who sometimes rush through their day and, maybe, click something before they realize it, or are using mobile devices that sometimes do things the user didn’t intend. Furthermore, most phishing scams target personal information – in which people who fall victim are suffering very real personal repercussions, because their personal and financial data is often being stolen.

Phishing is still successful because organizations do not hold employees accountable. Speed limits would not be followed either if there were no enforcement.

The driver of a car is causing problems when they speed; not the passengers, or the drivers of surrounding cars. The author also assumes that people only follow rules if they agree with them – which is not at all true. There are many reasons people DO follow rules, much of which starts with understanding rules, and their intent. But criminals are those who knowingly break the rules with the intent of doing harm. In this analogy, the enforcement should be applied to those who are creating the phishing scams, not those who are stuck in a traffic jam because of those who have been speeding.

It is time for a new approach to information security because we are not winning this war.

Based on what metric? Most data, like this report from APWG, shows the number of attacks – not the number of victims.

A Better Way

Phishing is the result of technology, and the solution should come from technology, too. A far better way of handling phishing attacks would be for security software vendors to improve methods of looking at email links, analyzing their destinations, and popping up a message telling you there is a mismatch and giving you the choice to either proceed, or not.
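The mismatch check described above can be prototyped in a few dozen lines. The following is an added example, not code from the original post or from any vendor; the message body is constructed, and the domain comparison is deliberately crude (last two DNS labels, where a real filter would consult the Public Suffix List).

```python
"""Flag links in an HTML e-mail whose visible text points one way while the
href points somewhere else, the "mismatch" warning described above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A bare hostname or URL appearing in the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable(host):
    """Crude 'registrable domain': the last two DNS labels, lower-cased.
    Enough for this demo; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of_href(href):
    """Host an href would actually connect to, or None for non-HTTP(S) links."""
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, [text chunks]] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, chunks = self._current
            self.links.append((href, "".join(chunks).strip()))
            self._current = None


def find_link_mismatches(html):
    """Return (visible_text, href, reason) for each suspicious anchor.

    An anchor is flagged when its href is a bare IP address, or when the
    visible text names a host in a different registrable domain than the href."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of_href(href)
        if target is None:          # mailto:, tel:, fragments, etc.
            continue
        if _BARE_IPV4.fullmatch(target):
            findings.append((text, href, "link goes to a bare IP address"))
            continue
        shown = _HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(target):
            findings.append((text, href,
                             f"text shows {shown.group(1)} but link goes to {target}"))
    return findings


def warning_message(finding):
    """The interstitial a mail client could show before following the link."""
    text, href, reason = finding
    return (f"Warning: the link shown as '{text}' actually opens {href}\n"
            f"({reason}). Open it anyway? [y/N]")


# Constructed sample message body in the style of a phishing e-mail (not real).
SAMPLE_HTML = """
<p>Dear customer, your account needs verification.</p>
<p>Please sign in at
<a href="http://examplebank.com.login-verify.example.net/session">
https://www.examplebank.com/login</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://support.examplebank.com/">support.examplebank.com</a>
or <a href="http://203.0.113.9/update">our update page</a>.</p>
<p><a href="mailto:help@examplebank.com">Email us</a></p>
"""

if __name__ == "__main__":
    for finding in find_link_mismatches(SAMPLE_HTML):
        print(warning_message(finding), end="\n\n")
```

Only the two deceptive anchors are reported; the link whose text and href agree, and the mailto: link, pass silently.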

Regardless, at the end of the day, it’s important to remember that criminals will continue to get more sophisticated in their methods of attack, and that, while we can educate people to help them avoid a negative outcome, it is never the victims’ fault.


Farewell to Internet Explorer – Hello Edge

Introducing Windows95 – Microsoft Press

The year is 1995. AOL rules supreme as the internet service provider of choice, and Microsoft has just released a new operating system called Windows 95, a replacement for Windows 3.11. Personal computers were few and far between, and the few that people had were treated like gold. And for good reason. A top of the line Compaq computer with an 80286 processor, 8MB of RAM, a 100MB hard drive, a dial up modem, Windows 95 and a handful of applications like Borland WordPerfect could set you back an easy $2000 or more, especially if you went with a large, 17″ full color CRT monitor with .33 DPI.

The Information Highway

Now, as revolutionary as Windows 95 was, it was something embedded in Windows 95 that would really turn the world on its ear. You see, this forefront leader in the technology world had seen the future, and it was going to be ruled by this very new thing called “The Information Highway”. Very few people knew what the internet or World Wide Web was, let alone had any clue of its origins in DARPA, and, certainly, no-one knew what it would become. Back then, those few true internet fans were dialing up, enduring the squawking sounds, and pursuing ever faster baud rates while chatting with friends on bulletin board systems (BBSes were, effectively, the original “online forum”). But Microsoft knew, and if there’s anything that Microsoft has accomplished, it has been to put usable computers into the hands of the general public. To that end, Microsoft knew that the Internet could flourish only if people could reach it, and use it, and few people who walked into a computer store and paid $2000 or more for a PC were willing to spend still another $50 for Netscape Navigator just so they could pay yet another $9.95 for a measly 5 hours of online access at 9600-28800 bits per second (compared to today’s 1.5 million bits per second bottom of the line broadband internet) while tying up their only in house phone line. But, if the ability to surf the internet was already on the computer, for FREE, then maybe people would start to wonder what it was. And so, stunning the world, Microsoft included something called Internet Explorer IN their installation of Windows 95. And they hooked it to as much of the operating system as they could. Help files launched Internet Explorer to display information, and updated content could only be obtained through an internet connection. But that wasn’t the end of it. No, Microsoft took it one step further and announced that Internet Explorer would be – FOREVER FREE!

Internet Explorer logo from 1995

Casualties of a Revolution

And so it began. With that announcement, Microsoft cut the feet right out from underneath one of the most popular browsers of the time, Netscape Navigator, by changing the landscape of Internet browsers from being a program that you paid for to something that was your right to have, free of charge. Now, for Microsoft, even Apple, this was a cost that could be easily absorbed. But for Netscape, a company that paid its employees (including programmers, receptionists, help desk staff, owners etc) with the money from sales of their products, the need to compete with a product that was readily available for free (and, in some cases, better than their own product) spelled the end – casualties of a revolution. But they would not go down easy.

Justice Department Weighs In

In fact, the announcement also laid the path for another significant event : a 1998 justice department antitrust investigation that alleged “Microsoft set a zero price for its browser for the purpose of depriving Netscape of revenue and protecting its operating system monopoly.” As part of its defense, Microsoft reported that Internet Explorer was, in fact, “part of the operating system.” The intent of including an internet browser into the operating system was for the operating system (Windows) to be “the gateway to the information highway.”

“The Internet provides an incredible opportunity for Microsoft to effectively explore large-scale networks from many levels: customer needs, technical challenges, quality-of-service issues, electronic commerce and information-browsing technologies.”  – J Allard, 1994

The justice department suit dragged on for more than a decade, a veritable eon in the rapidly changing landscape of technology, and was finally settled on May 12, 2011 with the expiration of a consent decree that :

“barred Microsoft from entering into Windows agreements that excluded competitors from new computers, and forced the company to make Windows interoperable with non-Microsoft software. In addition, an independent technical committee would field complaints that might arise from competitors.” – Seattle Times

Introducing Microsoft Edge in Windows 10

Of course, the expiration of the consent decree arrived well after the emergence of another technological powerhouse – Google, whose search engine revolutionized the internet, paving the way for the distribution of another well known free browser – Google Chrome, and its internet capable Chrome Operating System. Along the way, other free internet browsers have also sprung up, including Apple’s Safari, Mozilla’s Firefox, and Opera Software’s Opera browser. But the significance of the expiration is that it finally freed Microsoft to pursue their original mission – to make “Windows the gateway to the information highway;” which brings us, at long last, to Windows 10, which will include Microsoft Edge – the replacement for Internet Explorer.

Wait – What about My Internet Explorer!?

Now, this doesn’t mean that you will wake up tomorrow to find Internet Explorer suddenly no longer works, or that your core critical business application is going to have to be replaced tomorrow. Microsoft has a good track record of providing backwards compatibility in all of its core products. It does, however, put the world on notice : It’s not 1990 anymore, and the world of computing technology is a very different place. So, dust off your old list of computer technicians, consultants and programmers, call them and ask them to start looking into how this is going to change your business, so that you are prepared for what is to come. And, while you wait, kick back, and enjoy whatever browser you are using, and remember – you can thank Microsoft Internet Explorer for ushering in a new era of infinite Internet possibilities.

What do you mean my email is not secure?

Diagram showing the normal unsecure process of delivering email through a series of servers to its final destination

Email security is a challenging topic to understand. While progress has been made to improve that security, there are many, many variables that make it impossible for you to know if the email you are sending is being delivered securely to its final destination. Yes, I did say impossible. Even a seasoned server administrator could not tell you that 100% of emails delivered by the servers they managed are being delivered securely, and have not been intercepted.

Emails Are Like Snail Mail

You can think of emails in much the way that snail mail is handled. There’s a fairly straightforward process that is followed. And it goes pretty much like this :

  1. You write a letter
  2. You put the letter in an envelope, and address the envelope.
  3. You put the letter in a mailbox
  4. The first postal carrier picks up your letter and takes it to their post office
  5. Another mail handler picks up your letter and decides if your mail stays in the post office, or goes to another post office
  6. If it goes to another post office, your letter goes on a truck to that post office
  7. That post office picks up your letter and decides if it needs to go to yet another post office.
  8. Eventually, your letter reaches the correct post office.
  9. A mail carrier picks up your letter, and delivers it to your mailbox
  10. The person receiving your letter retrieves it from the mailbox and opens it.

In this basic snail mail scenario, your letter has been handled by at least three, and up to dozens of people before it ever reached its destination. Anything could have happened to the letter along the way. Someone could have deliberately opened it. An equipment malfunction could have torn it open. Someone could have used something to read your mail without opening it.

Your Email Could be on one, or hundreds of servers

Just like in the snail mail scenario, when you write an email and send it off, there is a standard process that is followed, and it goes a little like this:

  1. You write your email and send it
  2. Your email program connects to the server you chose
  3. Your email server receives the email from you
  4. Your email server looks to see if you are sending the email to someone on the same server
  5. If not, your email server asks the world where their email server is
  6. If it finds their email server, your email server asks another server to help transfer the message
  7. That email server asks another server to help
  8. On and on it goes until a complete chain is created, from your server to their server
  9. Then your email server starts talking to their email server, relaying the information through all the servers that helped it
  10. Piece by piece, your email is delivered, like a bucket brigade, through that chain of servers, up there in the cloud, to their server.
  11. The person you emailed opens the email.

While your server and their server have several different options for talking back and forth, usually, none of that information makes its way back to you – unless the process fails. So, you know very little – not even if the email was even successfully delivered.
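One thing the chain of servers described above does leave behind is a trail: every server that handles a message prepends its own Received: header, so the headers of a delivered email, read from the bottom up, replay the hops it took and record whether each hop was encrypted. The following script is an added example, not code from the original post; it parses a constructed three-hop message (hostnames and addresses are made up) and flags the hops that carried the message in cleartext. Only the Received: header written by a server you control is trustworthy, since any earlier hop can write whatever it likes.

```python
"""Reconstruct the path an email took from its Received: headers.

Every server that handles a message prepends its own Received: header, so
reading the headers bottom-up replays the chain of servers. The "with"
clause records how the message arrived at that hop: ESMTPS / ESMTPSA mean
the hop used TLS, plain SMTP / ESMTP mean cleartext.
The sample message below is constructed for this example.
"""
import re
from email import message_from_string

# "with" protocol names (IANA mail-parameters registry) that imply TLS was used.
TLS_PROTOCOLS = {"SMTPS", "ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: three hops, the middle one (relay -> mx) in cleartext.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.recipient.example (Postfix) with ESMTPS id ABC123
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id DEF456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.localdomain (unknown [192.0.2.55])
\tby relay.example.org (Postfix) with ESMTPSA id GHI789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@example.org
To: bob@recipient.example
Subject: test

hello
"""


def parse_received(value):
    """Pull the from / by / with clauses out of one Received: header value."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold the header
    from_m = re.search(r"\bfrom\s+(\S+)", flat)
    by_m = re.search(r"\bby\s+(\S+)", flat)
    with_m = re.search(r"\bwith\s+(\S+)", flat)
    proto = with_m.group(1).upper() if with_m else "UNKNOWN"
    return {
        "from": from_m.group(1) if from_m else "?",
        "by": by_m.group(1) if by_m else "?",
        "protocol": proto,
        "encrypted": proto in TLS_PROTOCOLS,
    }


def relay_chain(raw_message):
    """Return the hops in the order the message travelled (oldest first).

    Headers are prepended, so the first Received: header is the last hop.
    Caveat: any upstream server can forge the headers below its own, so only
    the header added by a server you trust is reliable evidence.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(received)]


def cleartext_hops(hops):
    """Hops where the message (and any credentials) crossed the wire unencrypted."""
    return [f"{h['from']} -> {h['by']}" for h in hops if not h["encrypted"]]


if __name__ == "__main__":
    hops = relay_chain(SAMPLE_RAW)
    for i, hop in enumerate(hops, 1):
        flag = "TLS" if hop["encrypted"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']} [{flag}]")
    print("cleartext hops:", cleartext_hops(hops))
```

Run it against the raw source of a real message you received (most mail clients offer a "view source" or "show original" option) and the cleartext hops are the servers at which the message was readable in transit; note that even a fully TLS-protected chain still leaves the message readable at rest on every server in the list.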

But I have to use an email address and password!

When you use your email address and password to log in and read your email messages, all you are really doing is telling your server whose mail you want to look at. It is even possible for your login ID and password to be sent in an insecure way, along with any messages you are reading.

But that’s just the beginning. Your login ID (usually your email address) and password are only used between your computer, or phone/tablet etc., and your email server. That information is not used after your server gets the message you want to send. This “NO PASSWORD” method of servers sending email messages is what allows you to send messages to so many different people. Otherwise, your server could only send email messages to the servers it knows about.

Is Secure Email Possible?

Yes! Secure email is possible. I will cover that more in depth at a later date. However, here are a few brief pointers:

  1. If you are logging in to read your email using a web browser, like Chrome, Firefox, Safari, Opera, Internet Explorer etc., make sure the address at the top starts with https or has a picture of a lock. If not, you may be using an unsecured connection.
  2. If you are using an email program, like on your phone or tablet, or a desktop/laptop program like Mac mail, Outlook, Windows Mail, or something similar, then check to make sure that your account is using SSL or TLS to connect to BOTH your SMTP (outbound – for sending) and POP or IMAP (inbound, for you to receive emails) accounts.
    1. If you find that your account is not using TLS, or says something about port 25, or port 110, then you are probably not using security (encryption) to send and receive emails. Contact your email provider to find out which settings to change.
  3. Contact an IT Professional if you are really concerned, and find out what you can, and cannot, do to secure your email messages.
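
The port-and-encryption check in pointer 2 can be made mechanical. The script below is an added example, not code from the original post: assess_account turns the port and the security mode shown on a mail client's settings screen ("none", "starttls" or "ssl" for implicit TLS) into a verdict, and secure_context / open_imap / open_smtp show how a client should connect once the settings are right, using only Python's standard smtplib, imaplib and ssl modules. The hostname in the usage block is a placeholder.

```python
"""Check whether a mail account's settings actually encrypt the connection.

The verdict depends on the combination of port and security mode, not on the
port alone: port 587 with security set to "none" is just as cleartext as 25.
"""
import imaplib
import smtplib
import ssl

# Conventional ports. RFC 8314 recommends the implicit-TLS ports for clients.
IMPLICIT_TLS_PORTS = {465: "SMTP submission", 993: "IMAP", 995: "POP3"}
STARTTLS_PORTS = {25: "SMTP relay", 587: "SMTP submission",
                  143: "IMAP", 110: "POP3"}


def assess_account(port, security):
    """Return (encrypted, explanation) for one inbound or outbound setting.

    `security` is the value a client's settings screen shows: "none",
    "starttls", or "ssl" (implicit TLS, often labelled SSL/TLS).
    """
    mode = security.strip().lower()
    if mode == "ssl":
        if port in STARTTLS_PORTS:
            return False, f"port {port} expects STARTTLS; implicit TLS will not connect"
        return True, f"implicit TLS on port {port}"
    if mode == "starttls":
        if port in IMPLICIT_TLS_PORTS:
            return False, f"port {port} speaks TLS immediately; STARTTLS will not connect"
        return True, (f"STARTTLS upgrade on port {port}; make sure the client "
                      "requires it rather than falling back to cleartext")
    if mode == "none":
        return False, f"login and mail travel in cleartext on port {port}"
    raise ValueError(f"unknown security mode {security!r}")


def secure_context():
    """TLS settings a hardened client should use: verify the certificate chain
    and hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_imap(host, port, security):
    """Connect to an IMAP server with the given settings (network call)."""
    ctx = secure_context()
    if security == "ssl":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)
    if security == "starttls":
        conn.starttls(ssl_context=ctx)  # raises if the server offers no STARTTLS
    return conn


def open_smtp(host, port, security):
    """Connect to an SMTP server with the given settings (network call)."""
    ctx = secure_context()
    if security == "ssl":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    conn = smtplib.SMTP(host, port)
    if security == "starttls":
        conn.starttls(context=ctx)  # raises SMTPNotSupportedError if absent
    return conn


if __name__ == "__main__":
    # Placeholder settings as they might appear in a client; no network used here.
    for label, port, mode in [("SMTP", 25, "none"), ("SMTP", 587, "starttls"),
                              ("IMAP", 993, "ssl"), ("POP3", 110, "none")]:
        ok, why = assess_account(port, mode)
        print(f"{label} {port}/{mode}: {'OK' if ok else 'INSECURE'} - {why}")
```

The reason the script insists on a client that requires STARTTLS, rather than one that merely tries it, is that a plain IMAP or SMTP session starts in cleartext and is only upgraded if the server advertises STARTTLS; a client that silently continues without it leaves the login and messages unencrypted exactly as the page describes.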

Computers, smart phones, tablets, and our other high tech gadgets do bring us a great deal of benefit. Keeping the information on them secure, however, can be a challenge. You’ll have to decide for yourself how much to worry about just how secure your information is, and how important it is to address the issue. Even then, there will be limits to what you can do, or even what a technical expert can do, and at a certain point we all have to accept that we’ve done what we can do. But if you haven’t yet done what you can, consider what “a bad guy” could do with the information in your email, and then decide what to do next.

Medicine, HIPAA, and the myth of the secure, private fax

[Image: fax modems (ECLAT Technology)]

Perhaps you didn’t know this, but the fax machine has been around for a very, very long time. In a day of ever advancing technology, one displacing the next at an extraordinary rate, it’s actually hard to believe that the fax machine has endured for as long as it has. Consider, for a moment, that the fax machine was invented long before the Space Shuttle, and even the Space Shuttle has since been retired from use. So why, then, are we still using fax machines?

All it takes is a quick call to your doctor’s office to get the obvious (and wrong) answer: security, privacy, and HIPAA.

The Myth

Here’s how the myth goes. A fax machine transmits directly from one fax machine to another, which makes it impossible to intercept. Emails, on the other hand, get routed through many servers and could be intercepted.

Okay, so, in concept, that makes sense. But what makes it wrong? Well, basically, just about everything. First and foremost, every phone call is routed through hundreds of switches, just like emails are. Watch any TV crime or espionage show (like I Spy from the 1960’s) and you can learn all you need to know about intercepting phone calls. Then, of course, there’s no actual identification on either end of the fax to verify the sender or recipient, so all the sender has to do is plug in the wrong number and, if the other end has a fax machine, it still goes through – and no one is the wiser. Since very few fax machines keep records (at least for very long) of these kinds of mistakes, there’s often no log that can be used to backtrack, find the error, and determine what data went awry, or who it went to. Finally, of course, any paper based fax is simply available to anyone who happens to wander by and pick it up: no password required.

Faxes are Analog

Adding to the technical mumbo jumbo of faxes is the fact that faxing is an analog process, one largely dependent on analog phone services. While some phone service providers are catching on and adding support for faxes, many still have trouble maintaining this older analog process on their increasingly digital phone networks. This, in turn, forces those who need faxes (hello, doctors’ offices) to turn elsewhere to complete their faxing: hello, outsourced online fax services.

Online Fax Services

Online fax services have been around almost since the dawn of the internet age. In fact, dial up internet connections almost mandated their invention, since the phone line would be tied up during internet use, blocking any inbound phone calls, including faxes. To get around this little problem, the fax would go to some other provider, whereupon it would be converted to a digital file, frequently a PDF or a TIFF file, which would then be emailed to the final destination.

Yep. You heard that right. Today, many (if not most) faxes arrive at their final destination as an email.

So, for all their supposed security and privacy, faxes are subject to all the same routing issues as any other phone call, are altogether too easily sent to the wrong number, have no security, are picked up by the wrong person, and often end their lives as emails anyway.

Myth Busted

So, is a fax, based on technology that is over 100 years old, more secure than an email? The answer is no, not really. It never actually has been, and today the waters are muddier than ever as phone providers go digital and people outsource more and more services. It’s time that the world wakes up to this very simple reality: faxes are simply not secure. We need to accept this fact and start having a real conversation about displacing this old technology with its mythological properties and putting one in place that is real, and actually does the job. In the words of those highly entertaining television personalities: Myth Busted!