The Bearer of Bad Tidings
By David Shamah, The
Every day brings its own surprises. Today's was a
12-foot submarine sandwich, "a sumptuous medley of cold cuts, fresh garden
vegetables, and your choice of condiments, pickles and salad, a gourmet banquet
suitable for up to 25 friends," according to the brochure from the deli
that sent it over.
Only one problem: I'm not having a party, I don’t
like cold cuts – and I didn’t order any giant sandwich! Today it was a
sandwich; yesterday it was a salesman who showed up at my door with a fancy
vacuum cleaner for a "free demonstration, just like you requested."
Two days ago, it was an encyclopedia salesman. Who knows what I'll get
tomorrow?
The worst "surprise" in recent days was
when the taxman showed up at my door. It seems I enrolled in some sort of
"amnesty" program where I promised to pay back taxes I said I owed.
Of course, I don’t owe anyone anything – but now that they've gotten to know me
a little better, they are going to do a thorough background check, just to be sure!
Why am I getting all these surprises? Apparently
someone out there "has it in" for me, and I bet I know who, too.
See, I got a nasty e-mail a few weeks ago that threatened to "get me"
if I didn’t give a good write-up to some drecky piece
of software the guy was promoting (writing this column is not all fun and games
– it can get very treacherous!)
So, apparently, my nemesis has started on a campaign
of petty harassment – by submitting my name to all sorts of "service
providers" for all sorts of stuff I would never order on my own (I thought
I was the one who thought up that scam!).
But how? The only thing this person knows about me is my
e-mail address. I note that all the "services" I am being inundated
with have my e-mail address on the receipt. They probably got my real address
from one of those Internet directories - with business slow, they'll follow up
on even a hint of an order these days!
E-mail can be very dangerous. It's easy to
"spoof" an address, so that it appears that an e-mail was sent by
you, even if it wasn't – there are plenty of easily downloadable applications to
do this at hacker sites. And once they've forged your address, your identity
has been compromised. You are now subject to the whims of your nemesis, and
there's not a thing you can do about it – except pay up when the big guy from
the deli shows up at your door with a meat cleaver, describing just how they
get the meat into those little hanging cold cut tubes (hint, hint).
Even if you manage to stay on the deli man's good
side, you could be victimized by a hacker out to harvest personal info. I'm not
even talking about a gang interested in credit card numbers (although that's a
problem, too); what about e-mail messages you send out that have sensitive
personal or business information? I hate to say it, but there are lots of, how
shall we put it, creeps out there; unfortunately, many of them have nothing
better to do than make your life hell. Here's an interesting little statistic:
"Law enforcement agencies estimate that electronic communications are a
factor in from 20 percent to 40 percent of all stalking cases."
(http://www.legal-database.com/email-harassment.htm)
They don’t even have to steal your information to
"get" you. If you post to public mailing lists or newsgroups, or even
if you advertise your business e-mail address, you may be making it easy for
all sorts of nuts to bug you – personally, not as part of a spam campaign, but
with special messages, just for you!
Oy vey! Here's yet another
cyber-sorrow for us to worry about. But never fear; I've got just the thing for
you to be able to send e-mail to friends and colleagues safely and securely,
and ensure that only the people who need to see your communications see them!
Although the cyber-world is a virtual Wild West in
terms of safety and data security, data encryption will probably prevent 99% of
unauthorized access of your communications, and if you aren’t head of a
multi-billion global company or a James Bond clone, “signing” your documents
with a digital signature is an easy, sure-fire solution.
Any message sent out from your computer has a number
of parts. There is the message itself (the body) of course, and then there is
the header – the addresses in the To and From boxes.
This is the information you enter, but your computer and mail server add all
sorts of other arcane information about routing, servers, and security. If
you’ve ever had an e-mail message bounce, you’ve probably seen a whole long
list of information you didn’t type in the original message – your computer and
ISP attached it to the message in order to ensure that it gets where it needs
to go.
Digital signatures are another element that your
computer can automatically add to your message. A digital signature consists of
an electronically scrambled set of text (a “hash”) that gets sent over the
Internet in an encrypted form. It also comes with a decryption key (called a
Public Key) that was generated along with the sender’s Private Key. The two are
created in such a way as to make it impossible to read the hashed message
unless the two keys match. For example, I create a public and private key and
send you the public key along with my message. You get the message and your
e-mail software studies the public key in order to figure out the correct way
to decipher my encoded message. Unless the public key has the same secret code
as the private key, it just ain’t gonna
work.
So, this whole key thing proves that a) I sent you
the message, and b) the message has not changed since I sent it to you. If the
message had been compromised in any way, it would be unreadable.
In order to overcome these restrictions, a hacker
would have to either steal or forge my private or public keys (the public key
is “public” because that’s the one I send to my friends; I do not just
cavalierly post it on public bulletin boards!). Could these keys be forged?
Again, it’s not likely, but we computer types like to be thorough and cover all
the bases. And this base is covered by an item called a Digital Certificate.
A Digital Certificate is a special document issued by
a big-time encryption company that contains your public key, a serial number,
and other information that indicates that you are truly you. The certificate
confirms that the public key I sent you was really generated by me; without
certification, the key will be rejected by your e-mail software. And since the
certificate was issued by an objective certifying authority, using high-level
encryption methods, the chances of the certificate being duplicated or hacked
are almost nil.
So, there is a two-tier level of protection with
digital signatures. First, there is the private/public key pair that works in
tandem to ensure security. And then there is the digital certificate – without
which the public key won’t work, anyway! All this
works behind the scenes, by the way; as far as you and the recipient are
concerned, sending, receiving, and reading e-mail is exactly the same, at least
for POP server accounts that you use Outlook Express to download mail from.
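To make the two tiers concrete, here is an added example (not from the original column and not the code of any mail program) written for Node.js with its built-in crypto module. The JSON "certificate", the function names and the sample address are assumptions made for illustration; real e-mail certificates use the X.509 format.

```javascript
// Added illustration: a simplified stand-in for S/MIME, not any mail client's code.
// The JSON "certificate" is a constructed format; real certificates are X.509.
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sign = (privateKey, text) =>
  crypto.sign('sha256', Buffer.from(text), privateKey).toString('base64');
const verify = (publicKey, text, signature) =>
  crypto.verify('sha256', Buffer.from(text), publicKey, Buffer.from(signature, 'base64'));

// Tier 2: the CA signs the binding "this address owns this public key".
function issueCertificate(caPrivateKey, email, subjectPublicKey) {
  const publicKey = subjectPublicKey.export({ type: 'spki', format: 'pem' });
  const body = JSON.stringify({ email, publicKey });
  return { body, caSignature: sign(caPrivateKey, body) };
}

// Receiver: check the certificate first, then the message signature.
function checkMail(caPublicKey, mail) {
  const { from, text, signature, certificate } = mail;
  if (!verify(caPublicKey, certificate.body, certificate.caSignature))
    return 'certificate not issued by a trusted CA';
  const { email, publicKey } = JSON.parse(certificate.body);
  if (email !== from) return 'certificate belongs to a different address';
  return verify(crypto.createPublicKey(publicKey), text, signature)
    ? 'valid' : 'message altered or not signed by this key';
}

// Constructed scenario: the address and message text are sample values.
function demo() {
  const ca = newKeyPair(), sender = newKeyPair(), stranger = newKeyPair();
  const from = 'columnist@example.test';
  const text = 'I did not order a sandwich.';
  const mail = { from, text, signature: sign(sender.privateKey, text),
    certificate: issueCertificate(ca.privateKey, from, sender.publicKey) };
  // A key pair the CA never certified, vouching only for itself.
  const selfIssued = { from, text, signature: sign(stranger.privateKey, text),
    certificate: issueCertificate(stranger.privateKey, from, stranger.publicKey) };
  return {
    genuine: checkMail(ca.publicKey, mail),
    altered: checkMail(ca.publicKey, { ...mail, text: text + ' Send two.' }),
    uncertified: checkMail(ca.publicKey, selfIssued),
  };
}

console.log(demo());
```

In the altered case the changed text can still be read; it is the signature check that fails, which is how the recipient's software knows to warn about it.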
It may not be 1000% foolproof, but it will do for the
hoi polloi like you and me. Once you’ve got your digital certificate, you can
use the Encrypt and Digitally Sign commands in programs like Outlook Express
(on the Tools menu), and you will be on the fast track to safe and secure
e-mailing. Once you have the certificate, the private and public keys are
generated automatically, and by choosing Encrypt or Digitally Sign, the
appropriate security baggage will be sent together with your message.
Only one question remains (we save the best for
last); just where do you acquire these magical certificates and keys? From
whence shalt come our digital salvation?
Keep in mind that these certificates are high-level
encryption tools that are manufactured and registered with Internet security
companies. The term “commercial” should tip you off; they usually cost money,
which is a good sign, because if businesses are willing to shell out good money
for these things, they probably work. Digital certificates can cost anywhere
from $20 up to many thousands, but I do have a great solution for those who
want top quality protection without having to shell out for it.
A wonderfully generous organization called the Comodo Group is giving away free digital certificates,
suitable for use with e-mail programs! The SSL (super secure) certificate
generated by Comodo especially for you will ensure
that you can create public and private keys, and ensure that they remain
secure. You can surf to the Comodo site and click on
the appropriate link (http://www.comodogroup.com)
or use this direct link: http://www.omegasphere.net/ssl-certificate/free-e-mail/.
Sometimes, when a company gives away a freebie, it’s
stuff nobody wants. Not this, though; this you want. Unless
you really, really like big deli sandwiches.
Questions and Comments to ds@newzgeek.com