click here to find out more about us













Spies like us

Who watches your e-mail?

All stories by CHAN LEE MENG

A FEW weeks after the Americans entered the Pacific theatre in World War Two, the US military found it tough to to prevent the Japanese from anticipating their moves.

The problem was that every communications code used by the Americans was broken by the Japanese. The Americans tried using new codes, but these were also broken almost as soon as they were introduced.

As a result, crucial communications were being intercepted by the Japanese and they had access to important data like troop locations, and attack positions and times.

In desperation, the US military decided to take up a suggestion from Philip Johnston, an engineer who was raised on a Navajo Indian reservation.

Johnston had suggested using the Navajo language as a basis for a new code.

Building on the complex syntax and tonal qualities of the Navajo language, a team of Navajo Indians substituted words, created new phrases, and eventually came up with a new Navajo code language.

They were then enlisted as special communications agents and referred to as Code Talkers, where they were stationed at key installations and served in many campaigns in the Pacific theatre.

The Marines used Code Talkers to coordinate many crucial military operations and transmit sensitive military information. The Japanese were totally baffled by the new code, and their expert codebreakers reportedly could not even transcribe the sounds they heard, much less decipher their meaning.

Military analyst agree that the Navajo code played an important role in the US victory in the Pacific during World War Two, and it may have been the only unbroken code in the war.

War against snoops

While most e-mail users don't discuss anything as important as troop movements or aircraft carrier positions, they face a different kind of threat -- the invasion of their privacy.

The widespread use of e-mail and our increasing dependence on it already provides eavesdroppers with unprecedented abilities to monitor our communications.

Recent developments in Malaysia, notably the arrest of four people for ``cyber rumour-mongering,'' have also given local users the feeling that they are constantly being watched while online.

Like the battling sides of World War Two, Internet users want a secure means of communications to ensure their messages don't fall into the wrong hands, and more importantly, to protect their privacy.

In this focus, we will examine the inherent security and privacy risks when using Internet e-mail, and the use of cryptography to counter these risks.

Then we'll look at the differences between conventional cryptography and public-key cryptography, and we'll compare the two leading e-mail encryption technologies used on the Internet, S/MIME and PGP.

In addition, we'll look at the role of certificate authorities (CAs) and their importance in secure e-mail and e-commerce.

Who's watching

E-mail usually has to pass through a number of mail servers on the Internet before reaching its final destination, and it may be intercepted at any of these points.

Security consultant Dinesh Nair compares Internet e-mail to writing messages on a postcard -- anybody who gets hold of a postcard can read its contents.

``Anyone in control of these mail servers can potentially read your e-mail,'' Dinesh says.

Furthermore, e-mail messages are just stored in plain text, which means they can be read with any text editor or word processer (like Wordpad for instance).

E-mail users who don't encrypt their messages can only hope for ``safety in numbers,'' that is, there will be too much Internet traffic for the eavesdroppers to analyse, or that they will simply pick on somebody else.

Still, it is possible for a sophisticated snooper to set up a special filter program on e-mail servers that will look for certain keywords or e-mail addresses, and save copies of these messages for later analysis.

``The general feeling most people have is that their messages are secure; they don't realise is this is a pipe dream,'' says Dinesh. ``E-mail messages may be intercepted for a variety of reasons: curiosity, malicious intent, or even by accident.''

One way to get past this security hazard is to use cryptography, which basically involves scrambling up or encrypting messages to make them unreadable to unauthorised users.

``People should learn to use encryption to protect their privacy,'' Dinesh says.

The authorised receiver will then decrypt (unscramble) the message before reading it.

The idea here is to make messages unintelligible to any snoopers, or at least present a formidable barrier to them because of the need for codebreaking.

Why so secretive?

Some users may be wary about cryptography because of its cloak-and-dagger overtones. Cryptography or ``secret writing'' has always been associated with espionage and clandestine activities.

After all, the argument goes, why use encryption if you have nothing to hide? Why would regular users even need to encrypt their e-mail?

For most people, it is a simple need for privacy.

Perhaps you want to discuss a highly personal matter with a family member, or maybe you want to send intimate messages to a special someone (we're not just talking about secret romances here).

And if you share a computer with other users at home or at the office, who's to say someone else isn't peeking at your e-mail?

It is not just other users you have to worry about either; bored or curious system administrators have been known to browse through users' e-mail.

Unlike regular postal mail, e-mail is not even guaranteed a minimum standard of privacy.

As noted earlier, e-mail is sent in plain text, and it passes through a number of mail servers, where it may possibly be intercepted.

On the other hand, if we write a letter, place it in an envelope, and mail it, we can be reasonably certain that only the intended receiver will read it.

Also, if someone steals your letter or opens its envelope, you would most likely know about it.

In contrast, there is practically no way of knowing if your e-mail is being intercepted or copied.

``People want to maintain their privacy, so they use encryption for the same reason they put their letters in envelopes,'' Dinesh says.

Proponents of encryption say that users are merely asserting their basic right to privacy, and are not trying to be secretive or to evade responsibility.

Phil Zimmerman, creator of the Pretty Good Privacy (PGP) encryption program, once wrote, ``If you are really a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards?

``If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut?''

Big User is watching

Recently, there has been an unsettling trend among governments to monitor Internet communications. Besides the Orwellian implications of these actions, most users resent these intrusions into their privacy.

Colin Charles, a student from Petaling Jaya, uses PGP because he is a strong advocate of privacy.

``I believe every user is entitled to privacy. No one should violate anyone else's privacy,'' he says.

Charles runs a small LAN in his house and has installed PGP on every terminal ``just in case.''

Adrian Tan, an IT consultant from Kuala Lumpur, is a longtime user of PGP, but he usually uses it only once in a while. In the past few months though, he has started using it regularly.

``With the advent of current issues and concerns about Internet privacy, I have again taken it up and use it whenever I feel it is necessary,'' he says.

MYOB

The Internet is becoming increasingly important for business and commercial use. Already, e-mail is used to communicate business plans, financial data, pricing information, negotiations and other important matters.

Unfortunately, most of this information is sent unencrypted.

For businesses, secure e-mail it is not just a matter of privacy; if their competitors intercept crucial e-mail, it could be used against them. After all, business resembles war in many ways, hence the popularity of Sun Tzu's Ancient Art of War among businessmen.

In addition, insecure e-mail could also expose the retailer to fraud and abuse. Concerns about Internet security have been cited as one of the major factors that is holding back e-commerce.

``After all, secure communications is the cornerstone of e-commerce,'' Dinesh says.

Internet retailers without secure websites already discourage users from sending credit card information through regular e-mail. Instead, they encourage customers to use ``analogue'' technologies like fax and postal mail.

And for the most critical financial, contractual or legal matters, businesses still resort to plain old paper or the older electronic data interchange (EDI) technology.

Rest easy

Encrypting e-mail allows us to keep our communications private and secure in the face increased monitoring and security threats.

However, users will have to commit some time and effort if they want to get encryption to work properly, and they will also need to make some minor changes in the way they use e-mail.

Both S/MIME and PGP users have to spend some time understanding the concepts of public-key cryptography, and the important features of these encryption programs.

In addition, S/MIME users will also have to pay an annual fee to a certificate authority.

But these minor inconveniences and costs are a small price to pay to safeguard your privacy and peace of mind.

© In.Tech, Star Publications (M) Berhad.
All Rights Reserved
e-mail intech@thestar.com.my