to move into the cloud you'd need to think about security again. Everything has changed in the last few years: the way internet service providers work, how they earn their revenue, the security level of the services they offer and, specifically, how differently privacy is now interpreted.
First, you can't hide on the internet. If you want to hide, do it offline, off the beaten track, away from vigilant camera systems, etc. If hiding is your full-time job you may manage it on the net for a long time; as an average user you simply can't. The same goes for your data: you can secure it very strongly, but never 100% and never forever. Innovation happens everywhere, and every once in a while a better attack on the best current algorithm will arise. Be ready to change your setup in the cloud every 2-5 years (as a user) and every month or sooner if you are someone who has to hide.
1) All your mail at the big consumer mail providers will be scanned for viruses, spam, ad-relevant keywords and more. Any revenue-relevant information in those providers' databases is sold on as catalogues of records to any web agency in the world that pays a hundred bucks for 30,000 personalized records or similar. Those providers are typically Google, Microsoft, Yahoo, AOL, Mail.com, whichever global player, plus the larger national players, e.g. 1&1, Strato and Web.DE in Germany.
While those mail services may be convenient to use, they are pure scanning services: the user contributes content for free to the ad world and to anyone else who thinks the information might be useful (credit and insurance information hunters, …). Being the largest targets, those are also the most attacked mail servers.
2) Then there are the smaller providers, technical idealists who sell server operation and maintenance services (domains, web hosting, co-location, small cloud solutions): local and regional ISPs with 5-12 employees. No, you can't trust them either, but they simply don't hold enough relevant information on their servers to make it interesting for sale to the ad world; 5,000 customers paying 10 USD per month is their entire revenue, at most. They scan your mail too, but technically only for viruses and spam, and that's about it. They target business customers, from the smallest up to mid-range regional corporations, and they simply can't afford to sell customer data to anybody without losing significant reputation immediately.
Is your mail more secure there? No, because mail is not secure anywhere: it can be read on any relaying mail server, if the operator wants to. Transport encryption between servers only protects the wire, not the relay; only end-to-end encryption of the message itself (OpenPGP or S/MIME) keeps the relay from reading the content.
We use mail to:
– communicate (comfort)
– exchange web-service account information/confirmation (single use)
I'd like to talk now about web services. You will most likely use one or another of these: shop at Amazon, read your New York Times subscription, sell on eBay, keep in touch with friends on Facebook, show pictures on Instagram, …
All these services require registration, some with a freely chosen username, most with an e-mail address that they then use for all activities: ads, payment, contact, newsletters, cross-connecting with other apps, etc.
If you have used one or two mail accounts in the past, you may have collected a hundred registrations, most of them with the same e-mail address firstname.lastname@example.org and the others with the same chosen username "luckygirl59".
That was a valid approach in the early 90s, when only one or two services with registration were in use. Now every website wants you to register, wants to know you, and sells your data off. Yes, they claim they don't, but that's simply not the case in a free consumer service market; even paid for, "all" consumer services share their data with the big ad providers.
Get yourself a password generator/storage tool. Better get two: one for administrative passwords, the other for the hundreds of online services. Look up LastPass at Lastpass.com and Password Safe at schneier.com. LastPass is by far the more comfortable solution, available as app, web service and desktop application for use in every environment. Both are free; LastPass Premium adds good extra services. 1Password or other tools may do it too, with different levels of comfort. Check this Security Now podcast transcript by Steve Gibson for password managers you should or should not use: http://www.grc.com/sn/sn-347.pdf, http://www.grc.com/sn/notes-005.htm. I've chosen a mix of encryption tools: LastPass Premium, Password Safe, TrueCrypt and Scrambls.
Now, for security reasons, disconnect each account from every other one. Give every registration its own unique mail address. Register with a local business ISP for one domain with one e-mail account, unlimited mail aliases and web mail access to it. You won't use POP3, IMAP or apps, ever. Use any domain you like, but better use a password generator to create a complicated domain name, to make sure you'll never use it for anything other than online-service registrations.
E.g. 7snf8nap987bpb89p.org may do. Then use that same password generator, set to 24 or more characters (not bits: 24 bits is only about five random characters), to create 100 mail names. Use the first as the mailbox address that all the others point to as aliases.
Generate a strong password for this mailbox, too; every alias ultimately lands there, so it is the one credential that matters.
Now you can use the 99 aliases for 99 different online services. Need more? Just add more aliases to your domain's mail service.
These addresses are only used to receive registration confirmations with links back to the service (to confirm that you are you), and to receive new service and contractual information and invoice notices for all these services. Never use a consumer domain or mail provider for this kind of information.
Check frequently via the web interface, logging in automatically from your administrative password tool; save all important data externally immediately and delete the contents of the inbox, spam, sent and trash folders. Why only the web interface? I don't want insecure apps keeping my user credentials without extra safety (e.g. Apple in iCloud, who have proven to be big masters at securing it – NOT!). With the web interface everything happens on demand: only in that moment are your credentials decrypted and inserted automatically, and nothing stays behind in an app's storage. Note what this does not buy you: a key logger or screen capture tool already running on your own machine sees auto-filled credentials just as well as typed ones. The web-only rule limits where credentials are stored, not what malware on the endpoint can see.
You'll find a similar process in the next posts, where I'll describe standard mail and important data handling.
The alias is not usable as a login credential for anything other than the service it was given to, simply because no other service has ever seen it: each one knows only its own address, and your real mailbox address is never handed out at all. If an alias is leaked or starts receiving spam, you know exactly which service lost it; just delete that alias and create a new one. It gives nobody any additional access to any other service you're using. Bear in mind that password-reset mail for that one service still arrives in the shared mailbox, which is why the mailbox's own password has to be the strong one.
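The alias scheme from the registration steps above and the alias retirement just described, as an added example in runnable form (this is not code from the original post, nor from LastPass, Password Safe or any other tool it mentions). It generates a random domain label and mailbox name, issues one alias per service, records the history so that mail arriving at a retired alias can be traced back to the service that leaked it, and emits the alias-to-mailbox lines. The domain is the post's own example; the Postfix virtual_alias_maps line format is an assumption about where such a mapping would be installed, since the post's ISP web panel would hold it instead:

```python
"""Per-service e-mail aliases on a private domain (added example).

One real mailbox, one alias per online service, full history for leak
tracing, and 'alias mailbox' lines in Postfix virtual_alias_maps style.
Where the lines get installed (ISP alias panel or a Postfix map) is assumed.
"""
from __future__ import annotations

import math
import secrets
import string
from typing import Optional

# Lowercase letters and digits are valid in both DNS labels (RFC 1035) and
# SMTP local parts (RFC 5321), so one generator serves domain and aliases.
# 36 symbols give log2(36) ~ 5.17 bits of entropy per character.
ALPHABET = string.ascii_lowercase + string.digits
MAX_LABEL = 63        # DNS label limit
MAX_LOCAL_PART = 64   # RFC 5321 local-part limit
MAX_ADDRESS = 254     # practical limit for a full address


def random_label(length: int) -> str:
    """Cryptographically random lowercase alphanumeric string."""
    if not 1 <= length <= MAX_LABEL:
        raise ValueError(f"label length must be 1..{MAX_LABEL}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Guessing entropy of a random_label() of the given length."""
    return length * math.log2(len(ALPHABET))


def chars_for_bits(bits: float) -> int:
    """Characters needed for `bits` of entropy; shows that 24 bits is only 5 chars."""
    return math.ceil(bits / math.log2(len(ALPHABET)))


class AliasRegistry:
    """One real mailbox, one live alias per service, retired aliases kept on record."""

    def __init__(self, domain: str, local_len: int = 24) -> None:
        if not 1 <= local_len <= MAX_LOCAL_PART:
            raise ValueError("local part length out of range")
        if local_len + 1 + len(domain) > MAX_ADDRESS:
            raise ValueError(f"address would exceed {MAX_ADDRESS} characters")
        self.domain = domain
        self.local_len = local_len
        self.active: dict[str, str] = {}                   # service -> live alias
        self.history: dict[str, tuple[str, bool]] = {}     # alias -> (service, live?)
        # The mailbox address itself is never handed to any service.
        self.mailbox = self._new_address()

    def _new_address(self) -> str:
        while True:
            addr = f"{random_label(self.local_len)}@{self.domain}"
            if addr != getattr(self, "mailbox", None) and addr not in self.history:
                return addr

    def issue(self, service: str) -> str:
        """Hand out a fresh alias to a service that does not have one yet."""
        if service in self.active:
            raise ValueError(f"{service!r} already has an alias; use rotate()")
        alias = self._new_address()
        self.active[service] = alias
        self.history[alias] = (service, True)
        return alias

    def rotate(self, service: str) -> str:
        """Retire a leaked alias and issue a replacement; the old one stays on record."""
        old = self.active.pop(service)
        self.history[old] = (service, False)
        return self.issue(service)

    def lookup(self, recipient: str) -> Optional[tuple[str, bool]]:
        """Which service got this alias, and is it still live? None if unknown.

        Spam arriving at a retired alias names the service that leaked it.
        """
        return self.history.get(recipient.lower())

    def virtual_alias_lines(self) -> list[str]:
        """'alias mailbox' lines for the live aliases (Postfix virtual_alias_maps style)."""
        return [f"{alias} {self.mailbox}" for alias in sorted(self.active.values())]


if __name__ == "__main__":
    # Constructed demonstration data; the domain is the example from the post.
    reg = AliasRegistry("7snf8nap987bpb89p.org")
    for svc in ("amazon", "ebay", "nytimes"):
        print(f"{svc:8s} {reg.issue(svc)}")
    leaked = reg.active["ebay"]
    reg.rotate("ebay")
    print("retired alias traces to:", reg.lookup(leaked))
    print("\n".join(reg.virtual_alias_lines()))
    print(f"24 chars = {entropy_bits(24):.1f} bits; 24 bits = {chars_for_bits(24)} chars")
```

The registry never exposes `mailbox` to a service, so a breach at one shop yields one alias that identifies nothing else; `rotate()` keeps the burnt alias in `history` precisely so that later junk mail to it can be attributed.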
for now, this should be enough of a headache…