The Bearer of Bad Tidings

 

By David Shamah, The Jerusalem Post, May 21, 2004

 

Every day brings its own surprises. Today's was a 12-foot submarine sandwich, "a sumptuous medley of cold cuts, fresh garden vegetables, and your choice of condiments, pickles and salad, a gourmet banquet suitable for up to 25 friends," according to the brochure from the deli that sent it over.

 

Only one problem: I'm not having a party, I don’t like cold cuts – and I didn’t order any giant sandwich! Today it was a sandwich; yesterday it was a salesman who showed up at my door with a fancy vacuum cleaner for a "free demonstration, just like you requested." Two days ago, it was an encyclopedia salesman. Who knows what I'll get tomorrow?

 

The worst "surprise" in recent days was when the taxman showed up at my door. It seems I enrolled in some sort of "amnesty" program where I promised to pay back taxes I said I owed. Of course, I don’t owe anyone anything – but now that they've gotten to know me a little better, they are going to do a thorough background check, just to be sure!

 

Why am I getting all these surprises? Apparently someone out there "has it in" for me, and I bet I know who, too. See, I got a nasty e-mail a few weeks ago that threatened to "get me" if I didn’t give a good write-up to some drecky piece of software the guy was promoting (writing this column is not all fun and games – it can get very treacherous!).

 

So, apparently, my nemesis has started on a campaign of petty harassment – by submitting my name to all sorts of "service providers" for all sorts of stuff I would never order on my own (I thought I was the one who thought up that scam!).

 

But how? The only thing this person knows about me is my e-mail address. I note that all the "services" I am being inundated with have my e-mail address on the receipt. They probably got my real address from one of those Internet directories - with business slow, they'll follow up on even a hint of an order these days!

 

E-mail can be very dangerous. It's easy to "spoof" an address, so that it appears that an e-mail was sent by you, even if it wasn't – there are plenty of easily downloadable applications to do this at hacker sites. And once they've forged your address, your identity has been compromised. You are now subject to the whims of your nemesis, and there's not a thing you can do about it – except pay up when the big guy from the deli shows up at your door with a meat cleaver, describing just how they get the meat into those little hanging cold cut tubes (hint, hint).

 

Even if you manage to stay on the deli man's good side, you could be victimized by a hacker out to harvest personal info. I'm not even talking about a gang interested in credit card numbers (although that's a problem, too); what about e-mail messages you send out that have sensitive personal or business information? I hate to say it, but there are lots of, how shall we put it, creeps out there; unfortunately, many of them have nothing better to do than make your life hell. Here's an interesting little statistic: "Law enforcement agencies estimate that electronic communications are a factor in from 20 percent to 40 percent of all stalking cases." (http://www.legal-database.com/email-harassment.htm)

 

They don’t even have to steal your information to "get" you. If you post to public mailing lists or newsgroups, or even if you advertise your business e-mail address, you may be making it easy for all sorts of nuts to bug you – personally, not as part of a spam campaign, but with special messages, just for you!

 

Oy vey! Here's yet another cyber-sorrow for us to worry about. But never fear; I've got just the thing for you to be able to send e-mail to friends and colleagues safely and securely, and ensure that only the people who need to see your communications see them!

 

Although the cyber-world is a virtual Wild West in terms of safety and data security, data encryption will probably prevent 99% of unauthorized access of your communications, and if you aren’t head of a multi-billion global company or a James Bond clone, “signing” your documents with a digital signature is an easy, sure-fire solution.

 

Any message sent out from your computer has a number of parts. There is the message itself (the body) of course, and then there is the header – the addresses in the to and from box. This is the information you enter, but your computer and mail server add all sorts of other arcane information about routing, servers, and security. If you’ve ever had an e-mail message bounce, you’ve probably seen a whole long list of information you didn’t type in the original message – your computer and ISP attached it to the message in order to ensure that it gets where it needs to go.

 

Digital signatures are another element that your computer can automatically add to your message. A digital signature consists of an electronically scrambled set of text (a “hash”) that gets sent over the Internet in an encrypted form. It also comes with a decryption key (called a Public Key) that was generated along with the sender’s Private Key. The two are created in such a way so as to make it impossible to read the hashed message unless the two keys match. For example, I create a public and private key and send you the public key along with my message. You get the message and your e-mail software studies the public key in order to figure out the correct way to decipher my encoded message. Unless the public key has the same secret code as the private key, it just ain’t gonna work.

 

So, this whole key thing proves that a) I sent you the message, and b) the message has not changed since I sent it to you. If the message had been compromised in any way, it would be unreadable.
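
The sign-and-verify idea described above, as an added example in Go that is not part of the original column: a message edited after signing, or one signed with a different key under the same From address, fails the check against the sender's public key. The message layout, the example.com address and the function names are assumptions made for illustration; real mail clients use S/MIME rather than this simplified format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Mail is a constructed, simplified message; Sig covers the From header and the body.
type Mail struct {
	From, Body string
	Sig        []byte
}

func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// digest hashes the parts of the message the signature has to protect.
func digest(m Mail) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("From: %s\r\n\r\n%s", m.From, m.Body)))
	return h[:]
}

// Sign signs the hash with the private key (on error Sig stays nil and Verify fails).
func Sign(m Mail, priv *rsa.PrivateKey) Mail {
	m.Sig, _ = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(m))
	return m
}

// Verify recomputes the hash and checks Sig with the public key the recipient trusts.
func Verify(m Mail, pub *rsa.PublicKey) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(m), m.Sig) == nil
}

func main() {
	alice, other := NewKey(), NewKey()
	genuine := Sign(Mail{From: "alice@example.com", Body: "Lunch at noon."}, alice)
	edited := Mail{genuine.From, "Send 25 sandwiches.", genuine.Sig} // body changed in transit
	forged := Sign(Mail{From: genuine.From, Body: edited.Body}, other) // signed with another key
	for _, m := range []Mail{genuine, edited, forged} {
		fmt.Printf("%q verifies with alice's key: %v\n", m.Body, Verify(m, &alice.PublicKey))
	}
}
```

Only the first message verifies; the other two carry the same From address but do not match the public key the recipient holds for that sender.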

 

In order to overcome these restrictions, a hacker would have to either steal or forge my private or public keys (the public key is “public” because that’s the one I send to my friends; I do not just cavalierly post it on public bulletin boards!). Could these keys be forged? Again, it’s not likely, but we computer types like to be thorough and cover all the bases. And this base is covered by an item called a Digital Certificate.

 

A Digital Certificate is a special document issued by a big-time encryption company that contains your public key, a serial number, and other information that indicates that you are truly you. The certificate confirms that the public key I sent you was really generated by me; without certification, the key will be rejected by your e-mail software. And since the certificate was issued by an objective certifying authority, using high-level encryption methods, the chances of the certificate being duplicated or hacked are almost nil.

 

So, there is a two-tier level of protection with digital signatures. First, there is the private/public key pair that works in tandem to ensure security. And then there is the digital certificate – without which the public key won’t work, anyway! All this works behind the scenes, by the way; as far as you and the recipient are concerned, sending, receiving, and reading e-mail is exactly the same, at least for POP server accounts that you use Outlook Express to download mail from.

 

It may not be 1000% foolproof, but it will do for the hoi polloi like you and me. Once you’ve got your digital certificate, you can use the Encrypt and Digitally Sign commands in programs like Outlook Express (on the Tools menu), and you will be on the fast track to safe and secure e-mailing. Once you have the certificate, the private and public keys are generated automatically, and by choosing Encrypt or Digitally Sign, the appropriate security baggage will be sent together with your message.

 

Only one question remains (we save the best for last); just where do you acquire these magical certificates and keys? From whence shalt come our digital salvation?

 

Keep in mind that these certificates are high-level encryption tools that are manufactured and registered with Internet security companies. The term “commercial” should tip you off; they usually cost money, which is a good sign, because if businesses are willing to shell out good money for these things, they probably work. Digital certificates can cost anywhere from $20 up to many thousands, but I do have a great solution for those who want top quality protection without having to shell out for it.

 

A wonderfully generous organization called the Comodo Group is giving away free digital certificates, suitable for use with e-mail programs! The SSL (super secure) certificate generated by Comodo especially for you will ensure that you can create public and private keys, and ensure that they remain secure. You can surf to the Comodo site and click on the appropriate link (http://www.comodogroup.com) or use this direct link: http://www.omegasphere.net/ssl-certificate/free-e-mail/. Sometimes, when a company gives away a freebie, it’s stuff nobody wants. Not this, though; this you want. Unless you really, really like big deli sandwiches.

 

Questions and Comments to ds@newzgeek.com