What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?
Encrypted email is a bit of a misnomer. Technically, most email is already “encrypted” in transit using technologies such as TLS, but that only protects a message while it moves between your client and the server or between mail servers; the provider still stores and can read it in plaintext. In this context I'm specifically referring to “end-to-end” encrypted (sometimes called “zero knowledge”) email providers. This means that the provider itself can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I’m emailing someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something. See my past post about how privacy is a spectrum for more on that logic. Today, I’ll be taking a look at a newcomer in the encrypted email provider space and giving my thoughts on them. A lot of people have been asking for my opinions on them, and they’ve generated quite a bit of buzz. But how does Skiff stack up to the tried and true competitors?
I'm not a fan of Elon Musk for a variety of reasons. I've been relatively open about that. But even a broken clock is right twice a day, and shortly after the first Twitter Blue catastrophe, Musk tweeted something that I respect: to summarize from memory, he basically said “over the coming months, we're going to try a lot of different things at Twitter. Some will work, some won't, and some will look stupid from the outside. That's just how business goes. You have to try things.” I respect that, because it's true (and also I respect when people are vulnerable, human, and admit they don't have it all figured out). At The New Oil, I have tried a lot of different things. Some worked, like TikTok and making videos. Some have yet to be seen, like Discord and Reddit. And some were failures, like Patreon and Tumblr. That's just how it goes. You have to experiment and see what works.
If you dig a little deeper into privacy – beyond the basics like encrypted communications, password managers, 2FA, and Linux – you'll start to hear scary stories about the Intel Management Engine, or ME. To hear the internet tell it, ME is a backdoor built into all Intel processors (such as the i7) that renders all your hard work at being secure pointless. Because it runs below the operating system and is active from the moment the machine powers on, an attacker who compromised it would hold the most privileged position on the device, with full control before the operating system even loads and everything else wide open and exposed to them. Every password entered, file opened, and packet sent would be theirs to see.
Ben Bowlin, Matt Frederick, and Noel Brown cohost one of my personal favorite podcasts, Stuff They Don’t Want You To Know, which is about taking a fact-based approach to conspiracy theories ranging from Bigfoot and haunted houses to political coverups and mysterious deaths. It’s a podcast I’ve come to rely on – not as truth and gospel, but rather as a critical-thinking-based approach to learning about various goings-on (both recent and historical) and getting an additional educated opinion on the matter. I highly recommend it if you’re a podcast person.
The book was published late last year, and being a fan I was quick to preorder it to support the work. What was contained within was 9 chapters spanning over 200 pages covering everything from the history of biological warfare and human experimentation in the US to mass surveillance and propaganda and more.
A more advanced strategy that comes up often in the privacy community is that of “custom domains.” They can provide a wide variety of protections, from proactively defending against slander and “revenge porn” to simply ensuring you always get your emails no matter which provider you use. Yet, as “common knowledge” as custom domains are, I still regularly see a lot of confusion and questions about the best way to use them, so this week I’d like to offer my thoughts. Don’t click away just yet if you’re not a techie or have a low threat model, because I think there’s value in this tool for you, too.
Disclosure: The New Oil is sponsored by IVPN. Per the terms of this agreement, IVPN does not have any input on our review, but we want to disclose any possible conflicts of interest up front. You can read all of our guidelines for sponsorships here.
What is IVPN?
A VPN – or Virtual Private Network – is a service that creates an encrypted tunnel between your device and the provider's server, hiding your traffic from anyone watching that stretch of the path, like your Internet Service Provider (ISP) or whoever owns the router (think public Wi-Fi, for example). After reaching the provider's server, your traffic continues on to your desired destination like normal. In effect, the VPN provider takes over the vantage point your ISP had, which is why who runs the service, and how they handle logs, matters so much. IVPN is one such service.
It’s a new year, and for most people that means “new beginnings.” Humans are naturally drawn to specific milestones in our lives because they feel like opportunities to start over fresh or rebuild from the ground up. The new year isn’t the only such milestone; it could also be a birthday, holiday, new week, etc. That’s why we get so excited about an – objectively speaking – arbitrary day. It’s a new chapter, a chance to redefine ourselves and do anything we want. In some cases, this could mean getting in shape, finding love, finishing a book, any number of things. But it could – and should – also mean a reevaluation: where are you now? Where do you want to be? What can you do better? In privacy and security, I believe we should always be striving to take the next step and do better, but it’s always wise to check back and make sure you’ve got the basics covered. So in the spirit of new beginnings and reevaluation, I’d like to present a few tips to help you check your privacy and security basics and set yourself up for a successful 2023.
2FA is an abbreviation for “two-factor authentication,” which is basically what it sounds like. Usernames and passwords are a form of authentication; if you don’t know the username and/or password, you cannot be authenticated, or prove that you are authorized to access whatever it is you’re attempting to access. Of course, that’s not totally true. Data breaches expose usernames and passwords all the time, so an attacker may know your password just as well as you do. Hence the need for more than one method of authentication at the same time, and ideally methods of different kinds: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint). A password plus a security question is the same kind of factor twice and adds very little. When you combine more than one form of authentication, you get “multifactor authentication,” or MFA. All 2FA is MFA, but not all MFA is 2FA.
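To make the “second factor” concrete, here is an added example (not code from the original post) of the most common form of it: the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate. It is built on HOTP (RFC 4226), an HMAC over a counter that is truncated to a few digits; TOTP just uses the current 30-second time step as the counter. The shared secret used below is the published RFC test secret, and the `demo` function simulates the scenario the paragraph describes: an attacker who knows the password but not the secret cannot produce a valid code, and a code captured earlier does not work later. Function names and the demo scenario are my own, not from the post.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)           # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                 # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 time-based OTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algorithm)


def current_code(secret: bytes, digits: int = 6) -> str:
    """What an authenticator app would show right now for this secret."""
    return totp(secret, int(time.time()), digits=digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.

    Each comparison is constant-time. A real server must additionally remember
    the last accepted counter and refuse to accept it (or anything older) again,
    otherwise a code observed over the shoulder can be replayed within the window.
    """
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


# Constructed demo. The secret is the RFC 4226/6238 Appendix test secret; a
# breached password gives an attacker nothing towards computing the code.
RFC_SECRET = b"12345678901234567890"


def demo(now: int = 59) -> dict:
    """Simulate a login at Unix time `now` (default 59, an RFC 6238 test time)."""
    code = totp(RFC_SECRET, now, digits=8)
    return {
        "code": code,                                                   # what the user types
        "valid": verify_totp(RFC_SECRET, code, now, digits=8),          # legitimate login
        "guess_rejected": not verify_totp(RFC_SECRET, "00000000", now, digits=8),
        "stale_rejected": not verify_totp(RFC_SECRET, code, now + 120, digits=8),
    }


if __name__ == "__main__":
    print(demo())
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock drift on the phone but gives an attacker more valid codes per attempt, so keep it small and rate-limit failed attempts.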
“What a year.” My annual catchphrase. I always say that this project has exploded in ways I never expected, and that never stops being true. So where are we now?
Cathy O’Neil is an American mathematician and data scientist. She got a Ph.D. in math from Harvard, and later taught at MIT. In 2007 she left academia to work in the finance industry, an experience she talks about in the book that left her disillusioned with the role of data collection and algorithms and the way that they can harm the outliers. This ultimately led to her publication of Weapons of Math Destruction in 2016.
The saying goes that if you want to make an omelet, you have to break a few eggs. Weapons of Math Destruction focuses on those eggs: the people who have become casualties of the push to modernize the world algorithmically, using big data to make decisions that are – on the surface – more objective, fair, and accurate. O’Neil explores how this is frequently not the case and where our current approaches to using Big Data to that end fall short.