[I sketched that stupid thing. It is ok to steal, just mention where you stole it from]

Email is an archaic technology that has not been improved much ever since the protocols were created back in the early days of the Internet. Email is among the most frequently used least secured mode of digital communications today.

In general, emails are not encrypted. All emails are stored as open plain text in the server. Anyone (including your web administrator, internet service provider, web-hosting provider, server admins—depending on where it is hosted, and protocol/port it was transferred with) can read and also EDIT all your emails, without even having to know your password. This includes about 99% of emails we use, including Gmail, Yahoo, Hotmail and specially your office/university/work emails. Typically your work emails are hosted on servers with even weaker infrastructure and security, and they are managed by “semi-professional IT guys;”—yes, they can read and edit all your official emails, and they don’t have to know your password.

Any private communication that is not end-to-end (E2E) encrypted, falls into the shaky territory of trusting the guys who are running the servers. Email protocols—by the way they were originally designed—do not have E2E. Oftentimes, they do not even have a basic TLS (Transfer Layer Security—an encryption protocol that keeps your emails undecipherable “on the way” to and from the servers). No matter what, emails are readable and editable by the person(s) who has access to the server.

I always wonder, how and why emails are often held as authentic legal documents, whereas it is a completely unreliable technology with shabby security and authenticity. By the time a court subpoena an email, it can be already edited without leaving a trace.

Another big issue with email is its authentic ‘origin’—if the email actually came from where it claims to be coming from. There are very limited ways to verify that. You can literally send emails posing as anyone to anyone. A simple PHP mailer script will let you send emails to your friends as if the email is going from [email protected], and you offer them a billion dollar since you have too much money to keep. Over the time there have been some improvements in this front about verifying the origin of an email before it gets delivered to your inbox, however, they are not foolproof, and not universally enforced. These techniques include DKIM (DomainKeys Identified Mail—a method of using a public signature key for a domain to verify if the email is originating form that domain name, it does not authenticate an email at personal level though,) and SPF (Sender Policy Framework), if you are curious, search and explore more about these technology.

Given that, if you ever receive any email from a “friend” (generally someone using a friend’s email) asking for money or offering you money, asking for some password or OTP code or luring you into downloading and opening an unsolicited attachment, always verify it by an alternative mode of communication other than email, i.e: call them up to check. If they may have “lost their phone,” tell them to call you from a phone booth, before you take any action. “Any action” includes downloading/clicking/opening any attachment “they” send.

There is one not-so-easy way to encrypt your emails end to end, using PGP encryption. You can install OpenPGP package on your computer and email client to encrypt your existing email addresses. There are also some webmail services that has built-in PGP encryption like Protonmail or Tutanota, although they come with some inherent limitations, like the E2E works only if both parties—the sender and the receiver of an email have PGP enabled emails. If you would like to learn more about their encryption techniques comparing Protonmail vs Tutanota—check out this post. Both of these services also offer hosting your custom domain emails, i.e: you can move your business entire email to their encrypted servers.

The bottomline is, if you are communicating anything private or sensitive, do not use email to begin with. Use one of the end-to-end encrypted messaging services instead.

Meanwhile, if you want to learn more about the basics of the overall digital security and privacy for everyday use, sign up for the weeklong Digital Security and Privacy—101 course that I teach almost every other months.

[Stock photo stolen from TechCrunch]

Recently you may have heard about Zoom’s security issues. They are true. Zoom’s video calls are not secure, they are not fully encrypted. But the bigger truth is, neither the others!—except Apple’s FaceTime.

One-to-one video calls are secure on a few platforms (like Signal). But group video calls are difficult to encrypt end-to-end (E2E). Often it is not just about the will of the service provider, it is also a technology limitation.

If you know the concept of E2E, it is not supposed to reveal absolutely anything on the way to and from the recipients of data, not even to the servers—now think how group video calls are managed by an app, it zooms in or highlights the person who is talking, right?—it means the “server knows” who is talking!—hence it is most certainly not an E2E technology, and for the same reason, it is difficult to make a group video calls E2E in general, as the server needs to know who is talking when to organise the video streams and bandwidth allocation. In most cases there may be Transfer Layer Security (TLS/HTTPS) enforced, that encrypts the calls on the way to and from the servers, but the server itself can listen, record, archive the calls as open unencrypted videos, and most probably you have already given the consent for recording and also automated transcribing by clicking some “I agree” jargons that nobody reads. And those recordings can be subpoenaed by the government agencies depending on your local laws.

Now how to know if your conversation is secure:

—Is it a group video call? Then assume by default that it is not secure, and you should be careful about what you are saying. It does not matter if you are on Zoom, Google Meet, Facebook Messenger, WhatsApp, Skype, Viber, StreamYard etc.—nothing, nobody has E2E security on group video calls (except FaceTime).

An open-source platform called Jitsi is now gaining traction, you can use their Jitsi Meet platform for group video calls (still not fully encrypted, but they are testing E2E option for group calls). Good thing about Jitsi is calls on their platform is often routed peer to peer avoiding a central server. Jitsi can be also scaled and hosted independently in your own server, which makes it more secure by eliminating the issue of trusting third party servers for storing and routing video calls.

The bottomline for everyday practice, remember, group video calls are not secure in general; it does not matter which platform you are using.

In the wake of an epidemic of hacked Facebook accounts, here are my suggestions about saving your account from getting “hacked”

Understanding:

1. Often, your Facebook doesn’t get hacked, it is not about your Facebook’s password either, rather possibly it is your email or your phone that gets ‘hacked’. It simply begins with asking Facebook to reset your password using your name, username, your most commonly known email address etc. Then the password reset key is sent to your email or 2FA codes to your sms. These get stolen by hacking your email or spoofing your phone.

2. Oftentimes, these “hackings” are done by people who somehow know you, i.e: people who might possibly know some information about you, like your email address, phone number, date of birth etc. verifiable information. This group include people who have a copy of your NID or passport—like a stupid concert that asked for ID for entry, a Facebook group or page you shared your information with, a security guard whom you gave your full name, phone number and email address to enter a building, the IT support guy who helped you install your anti-virus, all of them are your possible attackers. Hacking an absolutely random, unknown account is way more difficult than accounts of whom you have certain information about.

Here is the most effective way to prevent your Facebook account from being hacked as far I have tried and tested:

Pre-requisites:

1. Install Authy for Two Factor Authentication (2FA) code generation. Ideally, use a password manager app, I recommend: Dashlane, or Bitwarden.

2. Immediately turn on Two-factor Authentication [on Facebook, go to Settings > Security and Login > Two-Factor Authentication]. Use Authy for generating code, avoid codes by SMS.

3. Go to Facebook settings > Apps and Websites, ideally remove everything from here, or keep only the apps/services/games that you must keep. Give up on the habit of “log in with Facebook” completely, use your email address for opening accounts in various websites and services.

4. Do not leave your computer or phone open, EVER, not at home, not at work, religiously lock your computer before you leave your desk (on Windows it’s Windows+L, on Mac it’s ⌘+Control+q to lock) even if it is for a few seconds. On your work machines insist for a personal account on the computer, do not share its password with anyone; your office’s IT team can have their own admin account on the computer for maintenance, but they never need your personal account’s password. If your employer disagrees about it, quit the job.

5. Do not login to your account from random computers/phones, not even of your friends’, family’s or your office computers unless you already have a “computer user account” on that machine. If you don’t, and if you must use your Facebook, then use a “Guest” account on the machine, or at least an incognito/private window, and be sure to carefully check the address bar of your browser if it is with a lock sign and the URL is exactly https://www.facebook.com/ and nothing else at the end or middle (if the full URL is not visible, click on the address bar to see the full form of the URL), to make sure you are not putting your ID and password in a fake phishing website.

Steps to Secure Your Facebook:

1. Create a new encrypted email address dedicated for Facebook. Use Protonmail for making the new address. Ideally do not share this email address with anyone, avoid using it publicly.

2. Go to Facebook settings > General > Contact. Add your new Protonmail address as the primary email. You must remove every other email address from your account.

3. Check where you are logged in, remove any unknown, or unnecessary device from the list.

4. On Protonmail go to Settings > Security: Turn on Two Factor Authentication, as always use Authy, avoid SMS.

5. (On Protonmail) now go to Settings > Keys: Click the dropdown arrow next to your email address, click on Actions: Export, select “Public Key.” It will download an ASC file. Open the ASC file with Notepad (or TextEdit on Mac). Select all, copy everything from the file.

6. Now, go to Facebook settings > security and login > scroll down to Encrypted notification emails. Paste the text here. Check in the box for “Use this public key to encrypt notification emails that Facebook sends you?” Save.
It might send a test email to your Protonmail to check if the encryption key is working. This email might land in your spam of Protonmail. Click on the “Yes, encrypt notification emails sent to me from Facebook.” to confirm.
Now your Facebook settings for Encrypted notification email should show “On”.

7. Memorise your Protonmail login password, or use Dashlane to save your password. Now go to Protonmail settings > Account > Disable the “Allow password reset” option. Remember that, it means, if you forget Protonmail password, it is not recoverable, you are screwed. But this is the final layer of security.

You are all set. It will now be super-duper difficult for anyone to hack into your Facebook account.

If you need any further help about this write to [email protected]
I recommend you take the Digital Security and Privacy—101 course that I conduct, almost every other month for one week.