Second Sight
Dave Birch
Thursday January 27, 2005
The Guardian

There have been some great stories about email security over the years, but surely one of the best has to be this month's news about a US Secret Service agent who was investigating a hacking attack on T-Mobile USA.

The agent, Peter Cavicchia, was using his own T-Mobile handheld to send and receive email, so the alleged hacker, Nicolas Jacobsen, could read his messages. The hacker wasn't just targeting the agent, of course - although according to court records he did obtain confidential Secret Service documents. He appears to have had complete access to T-Mobile's servers and could therefore read messages sent by anyone using handhelds for email. The hacker even had access to photographs that some celebrities had taken with their camera phones. What fun!

Email security is a joke. What with spam, phishing, hacking and so on, it is becoming dangerously close to unusable. With better email security, life would be easier in so many ways - and digital signatures, as I've often said before, are the way to do it. Not only would individual and corporate privacy be enhanced, but spamming and phishing would be undermined.

Yet there doesn't seem to be much progress in this area. Microsoft is re-issuing its anti-spam Sender Policy Framework (SPF), and a new IETF group on Message Authentication Signature Standards (MASS) is considering proposals from organisations such as Yahoo (DomainKeys) and Cisco - Identified Internet Mail (IIM) - but it could be some time before the industry evaluates these and shifts to a common position.

What is really odd is that working message authentication has been around for years. It is based on the 25-year-old technology of public key cryptography and the standards for using it with email are well established: S/MIME and PGP. These provide an end-to-end solution, so if I want to send a message to my friend, then I encrypt it with his key and sign it with mine. We do not care what networks or servers the message passes through. I know only he can read it. He knows only I could have sent it.

It is not complicated to get started. I work in a mixed (Apple and Wintel) environment, so I know that sending encrypted and signed emails across platforms between Apple Mail, Outlook and Entourage works fine. All of these widely used email packages have S/MIME built in, and PGP integrates well with them too.
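
The sign-with-my-key, encrypt-with-his-key exchange described above can be reproduced with the OpenSSL S/MIME command line. This is an added example, not part of the original column; the identities (alice, bob), their addresses and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway self-signed identities, constructed locally.
# alice/bob and their addresses are assumptions, not from the article.

make_identity() {            # $1 = file prefix, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2/emailAddress=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Sender: sign with own private key, then encrypt to the recipient's cert.
sign_then_encrypt() {        # $1 = sender prefix, $2 = recipient cert
  openssl smime -sign -text -signer "$1.crt" -inkey "$1.key" |
    openssl smime -encrypt -aes256 "$2"
}

# Recipient: decrypt with own private key, then check the signature,
# supplying the expected sender's certificate as the trust anchor.
# Returns non-zero if either step fails.
decrypt_then_verify() {      # $1 = recipient prefix, $2 = sender cert
  openssl smime -decrypt -recip "$1.crt" -inkey "$1.key" |
    openssl smime -verify -text -CAfile "$2" 2>/dev/null
}

cd "$(mktemp -d)" || exit 1
make_identity alice alice@example.org
make_identity bob   bob@example.org

# Constructed sample message.
printf 'Lunch at noon?\n' | sign_then_encrypt alice bob.crt > mail.msg
decrypt_then_verify bob alice.crt < mail.msg && echo "signature verified"
```

The file `mail.msg` is what any server in between would see: an encrypted S/MIME envelope that only the holder of `bob.key` can open, wrapped around a message that only the holder of `alice.key` could have signed.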

