Email

Thursday, 22 December 2011

A dot-com era story about digital signatures

Here's a dot-com era story that I was telling one of our engineers this morning. They suggested that I put it here, so here it is.

Back in the dot-com era, I worked for the information security group at a large accounting firm. It was called a "Big 5" accounting firm back then, before the troubles at Arthur Andersen reduced it to the Big 4. At this accounting firm we used Lotus Notes for email and other forms of collaboration, and Notes happened to give you the ability to sign or encrypt emails. This capability wasn't actually that useful because it really only worked inside the company, but that's a limitation that pretty much any email encryption product that uses digital certificates to manage public keys has.

In any event, the partner who ran the security group was very concerned that by digitally signing emails we were creating legally-binding contracts. Everyone in his group tried to explain to him how this wasn't true, but he either didn't understand what we were saying or decided not to follow our advice.

The result was a policy forbidding us to use digital signatures.

And because it can be hard to get policies changed at large organizations, I wouldn't be at all surprised if this particular organization is still forbidden from using digital signatures.

Maybe that's not quite true.

The people in this particular organization seemed to quickly figure out that their management didn't quite understand information security and there was soon a mass exodus of very talented people. I seem to recall that the group went from roughly 30 people to less than 10 people over a period of a month or two as people quickly quit and moved on to other jobs. The partner in charge of the group was quickly reassigned to a position that focused on just accounting, so it's entirely possible that his policy on digital signature use disappeared with him. But you never quite know with these sorts of policies.

Tuesday, 08 November 2011

Data-centric security for a data-centric world - #voltagelive 2011 in NYC



New innovation and emerging technology brings with it opportunities for streamlining costs, eliminating hurdles for end users and reducing risks to the business. However, implementing game changing solutions can be unique to your environment, policies and processes.

That's why I invite you to join Voltage Security at its first customer summit in New York City on November 9, 2011. The summit will focus on data-centric security and will feature top Voltage customers such as Amex, Wells Fargo, State Street and others, who will discuss how they implemented encryption projects for mail, data and payments. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently developing new analyses of how companies use encryption. The summit features customers talking to customers; at last count this includes American Express, BJ's Wholesale Club, Citigroup, Deutsche Bank, Fidelity Investments, JPMorgan Chase, UBS, State Street Bank and Wells Fargo. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices. If you're interested in attending, please visit www.voltage.com/live.

The theme is 'Data-centric Security for a Data-centric World,' an area that is getting a lot of attention. Data is the lifeblood of industry, commerce and leisure, of every business and every transaction. That's why protecting it is such a serious and difficult responsibility.

Here's a quick scan of the Hot Topics we have on tap at Voltage Security Live 2011:

  • Cloud Data Security
  • Data-centric Encryption
  • Ecommerce Security
  • Email Encryption
  • Mobile Data Security
  • Payment Security

There's no question that every company continues to face a long series of challenges related to these topics. The conference is designed to tackle specific issues and help formulate achievable solutions. The areas to be covered include:

  • How to fund and integrate a data-centric strategy into your overall security program
  • Best practices for data-centric encryption based on real-world implementation at a Fortune 50 Bank
  • How to roll out encryption projects successfully across the organization and end-user community
  • Successful phases for fast and non-disruptive implementation: what you need to do before, during and after an implementation
  • Elements of key management architecture and design
  • The role of cloud and mobile data-centric security

Voltage Security Live 2011 will bring together the brightest minds in our field, all with considerable experience. There will be representatives from teams responsible for implementation, as well as enterprise and security architects looking for, and developing, best practices for data-centric encryption. 

The sessions will cover customer project case studies addressing issues such as how to maximize end-user adoption for your B2C implementations and implementing data-centric encryption projects, while the Customer Track focuses on panel discussions and presentations on topics such as protecting outsourced data, eDiscovery and Archiving and securing application emails. There's also an Architecture Track, featuring panel discussions and presentations on topics such as key management architecture, security policy, enterprise applications and the web services API and scalable design considerations. And there's the Security Panel, with a discussion and general Q&A featuring leaders from the security community—Gartner Security Analyst, Encryption Architects, QSAs. 

There's going to be a broad cross-section of security specialists attending, but some executives will find it particularly enlightening: CXOs and security leaders responsible for security strategy and programs; VPs/Directors responsible for security implementation; and architects responsible for security and application and enterprise architecture. If you have one of these roles, we think this conference is exactly right for you. 

We know there are constant demands on your time - we hope to see you there.

Register at www.voltage.com/live


Thursday, 03 November 2011

What the world was like when RSA was invented

The first paper that described what we now know as the RSA cryptosystem was published back in 1978, or 33 years ago. The article "Electronic Mail" by Robert Potter that was published in the March 1977 issue of Science might give us an idea of what things were like back then.

Here's how Potter described the world that seemed ready to try electronic mail:

Several systems on the market today use electronics for communication of information, that is, forms of electronic mail. The telegraph and telegram (though fading rapidly because of the newer and more advanced forms of electronic communication) were early means of transmitting information electrically. Teleprinter systems, telex/twx, and mailgram, more modern forms of electronic mail, are now used throughout the world. Mailroom and point-to-point facsimile are becoming widely accepted electronic systems for inter- and intracompany mail service. Large interconnected computer centers are used to transmit messages to and from computer terminals. The use of communicating typewriters, word processors, various keyboard terminals, and other electronic devices is predicted to grow rapidly because of their high efficiency in transmitting alphanumeric characters.

Thursday, 27 October 2011

Voltage Customer Summit #VoltageLive - Only 23 Spaces left


 *** Only 23 spaces left ***

Voltage Security invites you to "Voltage Security Live 2011" at Bridgewaters in New York City on November 9, 2011. This customer summit will focus on data-centric security and will feature several leading Voltage customers, such as American Express, Wells Fargo, State Street and others, who will discuss how they have implemented encryption projects for email encryption, data-centric encryption and end-to-end payment encryption. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently working on a new analysis of how companies use encryption. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices.

Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales - we are able to offer registration for eligible participants at no cost. Register now at www.voltage.com/live

Join Voltage customers including: ADP, American Express, Bank of America, AT&T, Citigroup, Deloitte, Deutsche Bank, Elavon, Fidelity Investments, Heartland, JPMorgan Chase, McGraw-Hill, UBS and Wells Fargo.
Highlights of the agenda include:

  • CxOs Panel – Business dynamics for data-centric encryption security – How to get your security project funded
  • Keynote – Eric Ouellet, Vice President Research, Gartner Group
  • How to maximize customer adoption – Kim Mroczkowski, Wells Fargo
  • How to structure a data-centric encryption project – Emily Mossberg, Deloitte
  • "Birds of a Feather" networking lunch
  • Tracks: Customer and Best Practices – American Express, State Street, Thales, PwC, Coalfire
  • Security Leadership Panel – Gartner Group, State Street, American Express, Wells Fargo


Wednesday, 05 October 2011

Webcast - How Top Wall Street Companies Protect Their Email Communications

Later today, at 10 a.m. Pacific/1 p.m. Eastern, our marketing people are having another of their popular 60-minute webcasts. This one's called "How Top Wall Street Companies Protect Their Email Communications," and is being sponsored by FS-ISAC.

Here's a description of the content of this webinar:

In the financial services industry millions of emails are sent throughout the world every day between customers and business partners as well as within the firms themselves. With increasingly advanced attacks on data, information security teams continually face major challenges in providing protected and secure communications. Whether for external or internal communications that contain sensitive, private or personal information - regulated or not - securing the data itself is a challenge and a must.

In this webcast, we do a deep dive into how leading financial institutions – a top credit card issuer, a leading Wall Street bank and a leading international financial services firm – have handled this challenge. Through real world scenarios you'll see how these companies started with one set of security challenges and, in rapid succession, quickly leveraged their security investments to create a comprehensive corporate data security program. For many firms the roll out starts with protecting third party email communications and is quickly followed by protecting sensitive corporate communications internally. In addition the speakers will describe a new trend to locate email infrastructure in the cloud – such as Microsoft BPOS/Office 365 – and how those emails can be protected – internally and externally.

By attending this webcast you'll learn how to:

  • protect all email, documents and images whether in transit, stored or in use – externally and internally
  • ensure secure communications in the Microsoft Online Services/BPOS/Office 365 cloud environment 
  • achieve and maintain regulatory compliance without disrupting existing email services or business processes

If this sounds interesting, you can sign up for this event here.

JPMorgan Chase awards Voltage Security for Data-centric Encryption Innovation

At the J.P. Morgan Technology Innovation Symposium, yesterday afternoon, JPMorgan Chase inducted Voltage Security into its Innovation Hall of Fame in front of hundreds of Silicon Valley executives.

Only two vendors were selected in this year's awards which recognize top emerging technology vendors for business impact, measured in terms of driving value for the firm, disruptiveness of technology and the overall quality of the partnership. Voltage was selected by top IT executives at JPMorgan Chase for its innovative data-centric encryption approach for protecting structured and unstructured data across datacenters, the cloud and mobile devices.

 

"In an environment of ever-increasing threats, secure communications are critical to our business and our clients."
- Guy Chiarello, Global CIO of JPMorgan Chase

"Voltage's stateless key management technology is enabling JPMorgan Chase to roll out secure communications on a global scale with an excellent time-to-market."
- Anish Bhimani, Chief Information Risk Officer of JPMorgan Chase

Wednesday, 31 August 2011

Less spam but smarter spam

In the June 2011 Symantec Intelligence Report, there's data that shows that the amount of spam sent these days is at a relatively low level, at least by historical standards. Here's a graph from this report that shows the number of spam messages sent over the past few years:

[Graph from the Symantec report: spam messages sent over the past few years]

On the other hand, I've noticed that more and more spam is getting past our spam filter. Last year, I'd see only a spam message or two per week. Now, I'm seeing several spam messages every day. So from my unscientific and limited study of this topic, I'd guess that the spammers are getting smarter to make up for the decrease in the number of messages that they're sending.

Wednesday, 24 August 2011

Celebrating Ten Years of Identity-Based Encryption (IBE)

Over the past 10 years, IBE has become one of the fastest deployed encryption technologies as measured by the commercial adoption of Voltage SecureMail™ and the use of IBE as a general purpose key management solution used across the Voltage Security product line. Since its commercial launch 8 years ago, Voltage SecureMail has become one of the most widely adopted secure email products in the world with over one billion secure business emails sent annually and over 50 million worldwide users; those numbers are expected to double by 2014.

IBE was first introduced on Tuesday August 21 at the 2001 Crypto conference in a seminal paper by Dan Boneh, Stanford University, and Matt Franklin, University of California Davis. The paper, entitled “Identity-Based Encryption from the Weil Pairing,” set forth a simple but powerful approach for encrypting information with identity-based keys. This cryptography breakthrough became the founding technology for Voltage Security that was incorporated in 2002 by three Stanford students working with Professor Boneh: Matt Pauker, Rishi Kacker and Guido Appenzeller. In July 2003, the new company launched Voltage SecureMail, an email encryption product using IBE to secure messages without the difficulties and expenses of traditional certificates.

Key metrics in the 10 year history of IBE:

  • 50 million Voltage SecureMail users worldwide.
  • Approximately one billion IBE secured business emails will be sent in 2011.
  • By 2014, it is estimated there will be 100 million Voltage SecureMail licensed users and over two billion secure emails will be sent that year.
  • All the messages protected by IBE in 2011, if printed out, would circle the globe seven times.
  • Nearly a third of the world’s 20 biggest public companies (per the Forbes Global 2000) have standardized on Voltage SecureMail.

World’s Biggest Companies Standardize on Voltage SecureMail

Nearly 30% of the world’s 20 biggest public companies (as listed by Forbes Global 2000) have standardized on Voltage SecureMail powered by IBE including four of the world’s largest global financial institutions; one of the world’s largest retailers, one of the largest U.S. managed healthcare providers and several large regional healthcare providers.


Notable Voltage SecureMail customers from the last year include:

  • One of the largest Wall Street banks with over 230,000 employees standardizes on Voltage SecureMail
  • A major Wall Street bank and Fortune 100 financial services provider with global operations chooses Voltage SecureMail for its 100,000 employees around the world.
  • A major credit card brand with over 60,000 employees standardizes on Voltage SecureMail
  • An award-winning regional health care organization replaces a non-functioning email security solution from one of the largest technology companies in the world with a policy-based encryption solution from Voltage SecureMail
  • A Fortune 50 global financial services company deploys Voltage SecureMail to over 320,000 internal and several million external users across 86 countries, replacing an aging PKI-based encryption technology.

In addition, over 1000 enterprise companies have standardized on Voltage SecureMail, and thousands of mid-size to smaller businesses use the cloud-based Voltage SecureMail Cloud™ solution to protect private and confidential information.

More information at www.voltage.com


Thursday, 04 August 2011

Spammers create fake shortened URLs

I was reading a recent edition (PDF) of Symantec's MessageLabs Intelligence report when I came across this interesting bit of information:

This month, MessageLabs Intelligence uncovered evidence of spammers establishing their own fake URL-shortening services for the first time. Shortened links created on these fake URL-shortening sites are not included directly in spam messages; instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. Rather than leading directly to the spammer’s final Web site, these links actually point to a shortened URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s final Web site.

So services like TinyURL are apparently so useful that spammers have created their own versions. That's probably the best endorsement that TinyURL could get. As Charles Caleb Colton once said, "Imitation is the sincerest of flattery."
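Here is what that trick looks like from the mail-gateway side, as an added example that is not part of the original post and not tooling from Symantec or MessageLabs: follow a shortened link's redirect chain one hop at a time without fetching the final page, and flag any chain in which an intermediate hop that only redirects is served by a host that isn't a known shortener. The shortener allowlist, the redirect table and every hostname in it are constructed for the example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Hosts the gateway treats as well-known URL shorteners. Constructed allowlist for this example.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}

# Constructed redirect table standing in for live HEAD requests: url -> Location header, or None
# when the URL serves a page itself. The first chain mirrors the pattern in the MessageLabs report:
# a legitimate shortener, then the spammer's own shortener, then the spam site.
SAMPLE_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://shrt-lnk.example/x9",
    "http://shrt-lnk.example/x9": "http://pills-store.example/buy",
    "http://pills-store.example/buy": None,
    "http://bit.ly/deal42": "http://retailer.example/sale",
    "http://retailer.example/sale": None,
    "http://tinyurl.com/loop": "http://tinyurl.com/loop",
}


def sample_lookup(url: str):
    """Offline resolver over the constructed table."""
    return SAMPLE_REDIRECTS.get(url)


def http_lookup(url: str, timeout: float = 5.0):
    """Live resolver: one HEAD request, redirects NOT followed, returns the absolute Location or None.
    Only redirect metadata is examined; the final page is never fetched."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the 3xx into an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])
        return None


def resolve_chain(url: str, lookup, max_hops: int = 10) -> list:
    """Follow Location redirects from url; stops on a loop, a final page, or after max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
    return chain


def classify_chain(chain: list) -> str:
    """'loop' for a cycle, 'suspicious' when an intermediate hop that only redirects is served by a
    host outside the shortener allowlist (what a fake shortening service looks like), else 'ok'."""
    if len(chain) > 1 and chain[-1] in chain[:-1]:
        return "loop"
    for host in (urlparse(u).hostname for u in chain[1:-1]):
        if host not in KNOWN_SHORTENERS:
            return "suspicious: redirect via unknown host %s" % host
    return "ok"


def check_url(url: str, lookup=sample_lookup) -> str:
    """Resolve and classify one link; pass http_lookup to examine real links."""
    return classify_chain(resolve_chain(url, lookup))


if __name__ == "__main__":
    for u in SAMPLE_REDIRECTS:
        print(u, "->", check_url(u))
```

With the default lookup this runs offline against the constructed table; passing http_lookup examines real links, issuing HEAD requests only and never loading the landing page. Expect false positives from legitimate click-tracking redirectors on hosts you haven't allowlisted; that is a tuning problem, not a reason to skip the check.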

Friday, 10 June 2011

What Simonoff v. Expedia tells us about printed receipts

There's been some discussion recently about exactly what a recent court ruling means for merchants' ability to send credit card numbers over email. As in most of these cases, a lot of what's being said isn't supported by the facts. Here's what really happened and what it probably means.

Dimitriy Simonoff received an email receipt from travel web site Expedia that contained the expiration date of the credit card that he used for a purchase. Believing that this violated the Fair and Accurate Credit Transactions Act of 2003 (FACTA) (PDF), he filed a suit against Expedia. This suit eventually made its way to the United States Court of Appeals for the Ninth Circuit, which issued its opinion in Simonoff v. Expedia on May 24, 2011. Simonoff claimed that FACTA's provision that

no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction. 

applied to email receipts as well as physical receipts. The court disagreed, finding that the wording of FACTA clearly does not apply to electronic receipts:

In enacting FACTA, Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts. For example, Congress could have applied FACTA to "electronically printed or transmitted" receipts, to "electronically printable" receipts, or to "electronically displayed" receipts. See Simonoff v. Kaplan, Inc., No. 10 Civ. 2923, 2010 WL 4823597, at *7 (S.D.N.Y. Nov. 29, 2010). Congress, however, chose not to do so, even though it has referred to digital methods of communication and commerce in numerous other statutes. See Shlahtichman, 615 F.3d at 801-02 (canvassing various other federal statutes that use terms such as "Internet," "Internet websites," "electronic mail," and "online service," among others). We can’t fill in the blanks with words that Congress didn’t supply.

In other words, it looks like Congress probably wasn't very careful when they wrote FACTA, and this is reflected in the fact that the wording that they used omitted coverage of electronic receipts even though other laws have addressed them.

That seems fairly straightforward.

Does this mean that merchants can't print credit card numbers but are now free to send credit card numbers over email?

No. Not even close.

The PCI DSS clearly says that that's not allowed: Requirement 4.2 says that primary account numbers must never be sent unprotected over end-user messaging technologies such as email, and Requirement 3.3 says that a PAN shown to anyone without a business need to see it must be masked to at most the first six and last four digits. So even if there's an oversight in the wording of FACTA that makes it legal, merchants that accept cards still can't do this. So if anyone tells you that Simonoff v. Expedia means that merchants are now free to send card numbers over email, they probably either haven't thought about it very carefully or are hoping to get their 15 minutes of fame by misrepresenting the facts.
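For the merchant side of this, here is an added example (it is not from the post or the court opinion) of the truncation FACTA describes, applied to an email receipt before it leaves, together with the outbound check a gateway can run so that nothing passing a Luhn check appears in the message unmasked. The sample receipt, the regular expressions and the masking policy (last four digits only, which satisfies both FACTA's "last 5" limit and the PCI DSS masking rule) are assumptions for the example.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell card numbers from other long digit strings (order IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits (policy assumed for this example)."""
    return "*" * (len(digits) - 4) + digits[-4:]


# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "Exp", "Expiry" or "Expiration date" followed by MM/YY or MM/YYYY.
EXPIRY_RE = re.compile(
    r"\bexp(?:iry|iration)?\.?\s*(?:date)?\s*:?\s*(0[1-9]|1[0-2])\s*/\s*(\d{4}|\d{2})\b", re.I
)


def sanitize_receipt(text: str):
    """Return (sanitized_text, findings). findings lists what was redacted so a gateway can log or alert."""
    findings = []

    def redact_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # long number that is not a card number: leave it alone
        findings.append(("pan", m.group(0)))
        return mask_pan(digits)

    def redact_expiry(m):
        findings.append(("expiry", m.group(0)))
        return "Exp: **/**"

    text = PAN_RE.sub(redact_pan, text)
    text = EXPIRY_RE.sub(redact_expiry, text)
    return text, findings


def receipt_is_clean(text: str) -> bool:
    """Outbound check: True when nothing in the receipt would need redacting."""
    return sanitize_receipt(text)[1] == []


# Constructed sample receipt. 4111 1111 1111 1111 is a well-known test PAN, not a real card.
SAMPLE_RECEIPT = (
    "Thanks for your order. Card: 4111 1111 1111 1111 Exp: 12/14 Order #5551234567 Total $42.00"
)

if __name__ == "__main__":
    cleaned, found = sanitize_receipt(SAMPLE_RECEIPT)
    print(cleaned)
    print(found)
```

The Luhn test is what keeps the ten-digit order number in the sample untouched while the card number is masked; a sixteen-digit order number that happens to pass Luhn would be masked too, which is the right failure direction for something that is about to leave the building.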

Wednesday, 08 June 2011

The recent financial crisis and information security

I was recently talking to a former coworker about how the information security industry is doing. My former coworker claimed that the success or failure of the industry was correlated with the recent financial crisis because so many big consumers of information security technology are financial institutions.

I wasn't convinced that this was the case, so I looked at some of the data on the US financial system that's available from the US Federal Reserve. In particular, I looked at the H.8 data, Assets and Liabilities of Commercial Banks in the United States, and the H.3 Historical Table 5 data, Aggregate Reserves of Depository Institutions and the Monetary Base. When I plotted the amount of loans at commercial banks and the monetary base over the past few years, here's what I found. Each tells a different story, and together they tell an entirely different story again, but that's probably getting too far off topic.

[Figures: loans at commercial banks (H.8) and the monetary base (H.3) over the past few years]

I don't think that there's a correlation between either of those sets of data and how the information security industry has done. Instead, I'm fairly sure that the demand for information security products has been driven by the need to comply with the data security and privacy laws and regulations that have proliferated in the past several years.

Monday, 06 June 2011

Brown's identity-based decryption

Dan Brown recently wrote a paper that described what he calls "identity-based decryption." Here’s how he describes this in this paper’s abstract:

Identity-based decryption is an alternative to identity-based encryption, in which Alice encrypts a symmetric key for Bob under a trusted authority’s public key. Alice sends Bob the resulting ciphertext, which Bob can send to the trusted authority. The trusted authority provides Bob the symmetric key only upon verifying Bob’s identity.

I’m not quite sure that this is really a new idea. It’s very similar to what existing implementations of identity-based encryption currently let you do.

Products like Voltage's SecureMail that use IBE to encrypt email let you do the IBE either with or without client software. If you have client software installed, they work like you’d expect:

  1. Alice encrypts a message with a symmetric key
  2. Alice encrypts the symmetric key with Bob’s IBE public key
  3. Bob gets his IBE private key from a key server
  4. Bob decrypts the symmetric key with his IBE private key
  5. Bob decrypts the message with the symmetric key

But if Bob’s in an environment where he can’t install client software or his IT department won’t let him install any client software, a slightly different approach is used. In Voltage's SecureMail, we call this the Voltage Zero Download Messenger. Here’s how it works:

  1. Alice encrypts a message with a symmetric key
  2. Alice encrypts the symmetric key with Bob’s IBE public key
  3. Bob sends the encrypted message to a secure server
  4. The secure server gets Bob’s IBE private key
  5. The secure server decrypts the symmetric key with Bob’s IBE private key
  6. The secure server decrypts the message with the symmetric key
  7. The secure server sends the decrypted message to Bob

That’s extremely close to Brown’s IBD. It just does an additional step or two for Bob.

And by using IBE to do this instead of IBD, you get some important advantages. The biggest of these is probably the fact that you don’t need to securely archive any private keys: every private key is derived from the key server's master secret and the recipient's identity at the moment it's needed. This makes an IBE system much simpler to buy and operate, and that gives the technology a big advantage when it’s compared to other alternatives.
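To make the two procedures above and the "nothing to archive" point concrete, here is an added example that is not Voltage's code and not Brown's: the Boneh-Franklin data flow with the elliptic-curve pairing replaced by multiplication of integers mod Q. That substitution keeps bilinearity, which is all the algebra needs, but makes the scheme trivially breakable (the toy "public parameter" is the master secret itself), so it models who holds what and when, not security. The group size Q, the hash labels, the HMAC-based stand-in for the symmetric cipher, and the convention of appending a validity period to the identity for key rotation are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy group: integers mod Q with "pairing" e(a, b) = a*b mod Q. It is bilinear, which is all the
# Boneh-Franklin algebra needs, but discrete logs are trivial here, so this is INSECURE and only
# models the data flow. Real IBE uses a pairing on an elliptic curve. Q is an assumption.
Q = (1 << 127) - 1


def pairing(a: int, b: int) -> int:
    return (a * b) % Q


def h1(identity: str) -> int:
    """H1: map an identity string (plus validity period) to a group element."""
    return int.from_bytes(hashlib.sha256(b"H1|" + identity.encode()).digest(), "big") % Q


def h2(gt: int) -> bytes:
    """H2: map a pairing output to a 32-byte key-encryption key."""
    return hashlib.sha256(b"H2|" + gt.to_bytes(16, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (stand-in for AES): HMAC-SHA256 counter-mode keystream XORed with data."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


class KeyServer:
    """Holds only the master secret s; every private key is recomputed on demand, so nothing is archived."""

    def __init__(self, master_secret: int):
        self.s = master_secret % Q

    @property
    def public_params(self) -> int:
        return self.s  # P_pub = s*P with generator P = 1 in the toy group (this leaks s; see caveat above)

    def private_key(self, identity: str, authenticated: bool) -> int:
        if not authenticated:
            raise PermissionError("identity not proven")
        return (self.s * h1(identity)) % Q  # d_ID = s * H1(ID): a computation, not a lookup


def ibe_wrap(p_pub: int, recipient: str, dek: bytes):
    """Alice: encrypt the symmetric key dek to recipient using only the identity and public params."""
    r = secrets.randbelow(Q - 1) + 1
    u = r                                  # U = r*P
    g_id = pairing(h1(recipient), p_pub)   # e(H1(ID), P_pub)
    kek = h2(pairing(g_id, r))             # e(H1(ID), P_pub)^r (exponentiation is multiplication here)
    return u, keystream_xor(kek, dek)


def ibe_unwrap(d_id: int, u: int, v: bytes) -> bytes:
    """Whoever holds d_ID recovers the same key-encryption key: e(d_ID, U) = s*H1(ID)*r."""
    return keystream_xor(h2(pairing(d_id, u)), v)


def send(p_pub: int, recipient: str, message: bytes) -> dict:
    """Alice's steps 1-2 from both lists: fresh DEK for the body, DEK wrapped to the recipient's identity."""
    dek = secrets.token_bytes(32)
    u, v = ibe_wrap(p_pub, recipient, dek)
    return {"to": recipient, "u": u, "v": v, "body": keystream_xor(dek, message)}


def client_flow(ks: KeyServer, envelope: dict) -> bytes:
    """Bob with client software: fetch d_ID after authenticating (3), unwrap (4), decrypt locally (5)."""
    d_bob = ks.private_key(envelope["to"], authenticated=True)
    dek = ibe_unwrap(d_bob, envelope["u"], envelope["v"])
    return keystream_xor(dek, envelope["body"])


def zero_download_flow(ks: KeyServer, envelope: dict, bob_authenticated: bool) -> bytes:
    """Bob forwards the envelope to the secure server (3); the server does steps 4-6 and returns
    plaintext (7). The server sees the plaintext, which the client flow avoids."""
    d_bob = ks.private_key(envelope["to"], authenticated=bob_authenticated)
    dek = ibe_unwrap(d_bob, envelope["u"], envelope["v"])
    return keystream_xor(dek, envelope["body"])


def same_key_after_rebuild(master_secret: int, identity: str) -> bool:
    """Two servers built from the same master secret derive identical d_ID: only s needs backing up."""
    return KeyServer(master_secret).private_key(identity, True) == KeyServer(master_secret).private_key(identity, True)


if __name__ == "__main__":
    ks = KeyServer(secrets.randbelow(Q - 1) + 1)
    env = send(ks.public_params, "bob@example.com|2011-06", b"wire instructions attached")
    print(client_flow(ks, env))
    print(zero_download_flow(ks, env, bob_authenticated=True))
```

Two things stand out once the flow is written down. ibe_wrap needs only the recipient's identity string and the public parameters, so Alice never looks anything up before sending. And private_key is a computation from the master secret, so the key server stores nothing per user and a rebuilt server (same_key_after_rebuild) hands out the same keys. The Zero Download path trades that for a server that sees plaintext, and the authenticated flag is the whole of its access control, which is why the identity proof at step 4 has to be strong.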

So IBD looks like an interesting idea, but I doubt that it would ever get the commercial acceptance that IBE has seen. The last numbers that I saw said that there are somewhere between 40 and 50 million users of IBE worldwide, and I’d guess that most of those users use it because some CISO liked the fact that systems that use it are much cheaper to buy and operate than the alternatives.

Wednesday, 01 June 2011

Can you spot phishing emails?

You can test your ability to tell phishing email from legitimate ones in the SonicWall Phishing IQ test. Because bogus emails seem to be a fairly effective way to get people to install malware, I'd guess that average people wouldn't get 10 out of 10 on this test.

Monday, 23 May 2011

Linda Ronstadt sings about the SEC's email security

The Securities and Exchange Commission recently had a data breach caused by an email that should have been encrypted going out in the clear: the sender forgot to encrypt it, and the software that was supposed to catch exactly that failed. This breach resulted in the exposure of the Social Security numbers and other payroll information of over 4,000 SEC employees.

Here's what the story in the LA Times about the breach said:

The May 4 email was sent by a contractor at the department's National Business Center, which manages payroll, human resources and financial reporting for dozens of federal agencies, Malcomb said. Interior Department policies require that sensitive personnel information be encrypted when emailed.

But the contractor neglected to encrypt the email, and the software in place to catch such errors did not work properly, Malcomb said.

"It was a twofold thing," he said. "The contractor forgot, and then the software failed or malfunctioned." 

I don't know which email encryption product the SEC was using when this incident happened, but it might be what Linda Ronstadt was singing about in this YouTube video.

Tuesday, 03 May 2011

Agile hackers

The FBI announced earlier today that people need to watch out for emails saying that they contain either pictures or movies of Osama bin Laden's death. Instead of a picture or movie, you'll be getting malware that will proceed to steal your PII.

Hackers don't waste any time at all in taking advantage of newsworthy events, do they?

Tuesday, 19 April 2011

The OSF gets one wrong

Was the recent disclosure of millions of names and email addresses from email outsourcing giant Epsilon really a data breach? The people at the Open Security Foundation don't seem to think so. Here's what they say about this on their web site:

We have received a few emails from people asking us how we could have missed the Epsilon breach and why it isn't on our site. Well, it actually is on the site as we do follow incidents such as this, however, it is listed as a Fringe incident. Why “Fringe”? From what we can tell so far, the breach (while unacceptable) is contained to Names and Email Addresses. We do recognize that this information may increase the risk to customers as targeted spearphishing attempts may be more successful, however, there is no loss of PII. We have debated this topic for years and instead of not including them in DataLossDB, they are now just labeled Fringe. There will be more debate on the severity of this incident for sure. Some think it is critical and others merely say that their email address was never meant to be private anyways. There are good arguments supporting both sides of the debate.

On the other hand, here's how NIST describes PII in their SP 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII):" (PDF)

The following list contains examples of information that may be considered PII.

  • Name, such as full name, maiden name, mother‘s maiden name, or alias
  • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number
  • Address information, such as street address or email address
  • Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
  • Telephone numbers, including mobile, business, and personal numbers
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
  • Information identifying personally owned property, such as vehicle registration number or title number and related information
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Note that email addresses are listed in the third bullet of that list. So even though the people at the OSF may not believe that PII was exposed in the recent Epsilon data breach, the people whose opinion matters when it comes to deciding if laws and regulations have been violated seem to disagree with them. So I'd have to say that PII actually was exposed in this particular case.

Friday, 08 April 2011

Forbes: The Epsilon Hack Attack: Time For “SOX For Consumers”?

In today's Forbes CIO Blog, Voltage co-founder, Matt Pauker, shares his vision for how corporations can reduce the risks associated with sensitive data being in the hands of 3rd party cloud/service providers - insist on a mandatory data encryption clause in all service provider contracts.

Monday, 04 April 2011

5 Things to do now as a result of the Epsilon Data Breach

As you will have read or watched in every media outlet today, Epsilon, a company that provides email marketing services to some of the top brand-name companies, had a data breach that exposed the names and email addresses of millions of customers. As reported in the New York Times and on blogs such as Byron Acohido's "The Last Watchdog", these customers will now probably face further attempts on their private information. Here are some resources that will help you make sense of the data breach and ensure that your company is not the next Epsilon:

 


What do you need to know about the Epsilon Data Breach?

By now, everyone has read about a company named Epsilon. In fact, many people most likely have direct involvement, having received one or more emails from companies they do business with warning them to be very careful after a recent incident. These notifications stem from Epsilon Interactive, a third-party provider of managed email services, getting compromised and having customer email addresses belonging to some of its 2,500 clients stolen.

Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of it before, chances are high that your bank or your favorite retailer or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses.

A list of companies whose customer data has been breached can be found at http://datalossdb.org/incidents/3540 and http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/ – these lists are being updated as companies send out their data breach notifications.

What to tell your customers and employees to do now?

If you yourself have received data breach notifications from companies that you do business with, then chances are your own email was amongst those breached – here are some basic guidelines on how to avoid follow-up fraud from the perpetrators of this data breach:

  • Don't open emails from people you don't know
  • Don't respond to emails asking to verify your password or other personal details
  • Hang up on phone calls from the bank or others who call asking to verify personal info
  • Don't open email attachments - even 'Data Breach Notification' letters - and if you do, make sure anti-phishing countermeasures are active
  • Do change your passwords - go direct to company website - don't click on a link in an email

How to protect your data?

Like most companies, Epsilon had extensive security measures in place – however, sophisticated criminals found a way to breach those defenses. Once inside they were able to make off with millions of email addresses, because this type of data was lying around in the clear – no one thought the data was at risk. The best defense is to protect the data itself. That way, even if hackers force their way into your systems, the data itself is useless to them. The solutions to accomplish this – typically encryption or tokenization – are widely available and are used extensively by payment processors, retailers, financial institutions and healthcare organizations to protect sensitive data wherever it goes. In fact, the best approach is to encrypt information as quickly as possible and keep it encrypted for as long as possible, until it is actually needed – this is often referred to as end-to-end encryption.

Voltage has provided some of the largest brand name companies in the world with solutions to protect emails, information stored in databases and used by applications – inside and outside the cloud. To learn more click on one of the following links:

In addition:

  • Consumers need to know what data is being captured, what it is used for, and how it is being protected as a matter of corporate policy
  • Corporations must demand that their business partners and IT secure personal data so it cannot be exploited in the all too easy manner illustrated by the Epsilon attack
  • Protect non-regulated personal data – Email may not be a regulated field in regulations like PCI, but if it's being captured, it can be exploited
  • Access to personal data within a corporation needs to be locked down – on a need-to-know basis – reducing access to e.g. the last 4 fields of an SSN instead of a whole one, or using encryption and tokenization to reduce the exposure of real data to employees, partners and customers.
  • Communication with consumers and business partners needs to be secured and trusted – use a secure email solution but make sure it has anti-phishing countermeasures activated.
  • Avoid using live data in test systems by de-identification and masking to reduce exposure outside production controls
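One way to put the guidance above into practice (tokenize the address as soon as it enters the pipeline, resolve it only at send time, give downstream users need-to-know views such as the last four digits, and load only de-identified copies into test systems), as an added example that is not Voltage's code or the page's own; the TokenVault class, the sample customers and the masking rules are constructed for illustration:

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps tokens back to real email addresses.

    Constructed example: the vault is the only component able to recover an
    address, so it belongs in a separate, tightly access-controlled system
    (its backing store would itself be encrypted at rest; not shown here).
    """

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}

    def tokenize(self, address: str) -> str:
        # Keyed, deterministic token: the same address always maps to the same
        # token, so the mailer can still de-duplicate and join on it, but
        # without the key and the vault a token reveals nothing about the address.
        norm = address.strip().lower()
        digest = hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._store[token] = norm
        return token

    def detokenize(self, token: str) -> str:
        # Called only at the moment the clear address is actually needed.
        return self._store[token]


def last_four(identifier: str) -> str:
    """Need-to-know view of an identifier such as an SSN or account number."""
    digits = "".join(ch for ch in identifier if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Masked form for test systems: keeps the first character and the domain."""
    local, _, domain = address.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain


def prepare_for_provider(customers, vault):
    """Build the table handed to the third-party mailer: the address is
    tokenized as soon as the record enters the pipeline, so the clear value
    never lands in the provider's database, and the account number is cut
    down to the last four digits because that is all a mailing needs."""
    return [
        {"name": c["name"],
         "email_token": vault.tokenize(c["email"]),
         "account": last_four(c["account"])}
        for c in customers
    ]


def send_campaign(rows, vault):
    """Resolve tokens only at send time; returns (name, address) pairs."""
    return [(r["name"], vault.detokenize(r["email_token"])) for r in rows]


def deidentify_for_test(customers):
    """Copy of the records that is safe to load into a test system."""
    return [
        {"name": f"Test Customer {i + 1}",
         "email": mask_email(c["email"]),
         "account": last_four(c["account"])}
        for i, c in enumerate(customers)
    ]


def leaked_values(rows):
    """Everything a dump of the provider's table gives an attacker: names and
    opaque tokens, but no address (names could be tokenized the same way)."""
    return [str(v) for r in rows for v in r.values()]


# Constructed sample data, not real customers.
CUSTOMERS = [
    {"name": "Alice Smith", "email": "Alice.Smith@example.com",
     "account": "4111-1111-1111-1111"},
    {"name": "Bob Jones", "email": "bob@example.org", "account": "123-45-6789"},
    {"name": "Alice Smith", "email": "alice.smith@example.com",
     "account": "4111-1111-1111-1111"},
]

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # key lives with the vault only
    rows = prepare_for_provider(CUSTOMERS, vault)
    print("provider table:", rows)
    print("breach of that table yields:", leaked_values(rows))
    print("resolved at send time:", send_campaign(rows, vault))
    print("test copy:", deidentify_for_test(CUSTOMERS))
```

A dump of the provider's table gives an attacker names and tokens but nothing to phish with; the two differently-cased copies of Alice's address collapse to one token, while a different vault key yields unrelated tokens.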

Learn how a top financial services firm protects sensitive data

Making sure your 3rd party service providers protect your data

The other big lesson to learn from the Epsilon data breach is that while you may implement safeguards to protect sensitive data within your datacenters, your third-party service providers must also do the same – it is critical that your sensitive information is protected via encryption or tokenization by the third party. In fact, many in the industry are calling for contractual clauses that insist on data encryption by 3rd parties.

Learn how a top insurance company made sure its service providers protected its data

Consumer Data Protection Manifesto

In order to safeguard sensitive customer information many customer advocates are calling for new rules that force companies to certify that they have adequate data protection in place to protect data even in the event of a breach – similar to Sarbanes-Oxley, this would bring board level visibility to a critical issue in the minds of consumers.

Second, to protect data that is being used by 3rd party service providers, companies should insist on a data protection clause in their contract that mandates the encryption of all consumer data. Data transferred to a service provider should be encrypted, consistent with the principle that consumer information is encrypted at the earliest opportunity and remains encrypted until needed.

See Voltage co-founder Matt Pauker's op-ed in Forbes on the subject.

Wednesday, 09 March 2011

Another odd spam

I received yet another odd spam. This one invited me to submit an article to the journal Mental Illness. Here's part of the email:

Dear Reader,

We are writing you to bring to your attention a recent article appeared in Mental Illness. We think that you might be interested in this manuscript below about schizophrenia symptoms.

A new nosology of psychosis and the pharmacological basis of affective and negative symptom dimensions in schizophrenia
Costa Vakalopoulos
Mental Illness 2010; 1:e7

Towards the bottom of this email was the following:

[You are receiving this message because your address came up in a specific literature search; it was not included in any mailing lists, and is used for a single advice].

Now I've written a lot of stuff about cryptography, information security and risk management. Even a little about economics. But I don't recall ever writing anything related to schizophrenia. So is this just an odd spam, or do the editors of Mental Illness know something that I don't know? And why do they think that I would be interested in schizophrenia symptoms?

Friday, 04 March 2011

An unexplained spam

A very unusual spam managed to get past our filters recently. Here's what it said:

Dear Sir/Madam,

It gives me a great pleasure to invite you to the forth coming international seminar which the Global Watch Institution is exited to be hosting in January 24th to 29th 2011 at Webster hall New York City  USA, and from January 31st to February 4th 2011 at Euskalduna Conference Centre and Concert Hall Madrid Spain.

The theme of the forth coming seminar are; Racism and Human Right. Delegates who are interested to make a paper presentation are advice to make a summary presentation on the above subject.

On behalf of the Organizing Committee, I request you to kindly extend your
cooperation by giving wide publicity to the aforesaid workshop by
sharing this invitation among your staff, members or relatives for their
active participation in the workshop.

Note: the G.W.I will be providing all delegates with to and fro Air ticket and also visa’s guidance for the seminar purpose. Looking forward for your cooperation and support for the success of the workshop.
Registration is open now! Contact the organizing secretary Mrs. Angela C. Derick for more information.
Email: secretary_gwi_event@globomail.com
See you in the Seminar.
Regards
Miss Gloria Francis
gloria_francis@globomail.com [note to TypePad people: please change your editor so that it doesn't keep adding the mailto URL to this after I take it out]

I can't quite figure out what this particular spammer wants. If they're trying to use this email to defraud people of money, they certainly need to work harder. Maybe they try to sucker you into paying some sort of charge to help process the "to and fro" air fare that they provide you, but I doubt that anyone would actually believe that this message is genuine. Maybe they're just trying to set a record for the least effective spam ever.

Friday, 28 January 2011

That's a lot of texting

According to the Kaiser Family Foundation, kids in grades 7 through 12 spend an average of 1:35 (an hour and 35 minutes) per day sending or receiving text messages. That's more texting than I've done in my entire life, but then the average time that the same kids spend on social networking sites (22 minutes per day) is also more than I've ever spent texting.

On the other hand, I've probably spent more time writing assembly language than they'll ever do. And I still prefer it to texting.

Friday, 10 December 2010

The very first spam?

The first spam is generally thought to be the message that was sent by DEC salesman Gary Thuerk to 400 unsuspecting users of the ARPANET back in 1978, but the history of spam may actually go back much further than that. Apparently as early as 1864, people were sending unsolicited commercial telegrams. Here's how The Economist described what may be the first time that this was done:

ON A May evening in 1864, several British politicians were disturbed by a knock at the door and the delivery of a telegram—a most unusual occurrence at such a late hour. Had war broken out? Had the queen been taken ill? They ripped open the envelopes and were surprised to find a message relating not to some national calamity, but to dentistry. Messrs Gabriel, of 27 Harley Street, advised that their dental practice would be open from 10am to 5pm until October. Infuriated, some of the recipients of this unsolicited message wrote to the Times. “I have never had any dealings with Messrs Gabriel,” thundered one of them, “and beg to know by what right do they disturb me by a telegram which is simply the medium of advertisement?” The Times helpfully reprinted the offending telegram, providing its senders with further free publicity.

If we can actually trace spam back to 1864, the 150th anniversary of the first spam will be here in only a few years. Could this be a good excuse for a big industry-wide event to discuss the evolution of spam and other spam-related topics?

Friday, 05 November 2010

Every day can be Voltage Day

I just learned that Despair.com, the people who are probably best known for their parodies of corporate motivational posters, sells calendars that you can customize. In addition to picking which demotivational poster appears for each month, you can also customize each day with up to 120 characters so that you'll never miss important events like National S'mores Day or Hug Your Cat Day. A better use might be to label every day as Send an Encrypted Email Using Voltage SecureMail Day. At only 68 characters (counting spaces), that's well within the allowed limit for a customization string.

(When I ordered my custom calendar, I didn't actually have every day as Send an Encrypted Email Using Voltage SecureMail Day - I had April 1 marked as Send an Encrypted Email Using XXX Day, where XXX is actually the name of one of our competitors.)

Wednesday, 15 September 2010

The effects of e-books

It took the US Postal Service quite a while to admit that email was affecting their First Class Mail business. It looks like publishers are admitting that e-books are affecting their business much faster.

If you walk into any of the big bookstores these days you'll see a fair number of horror books, but that won't be the case for long. The Leisure Books imprint of Dorchester Publishing, the only line of horror books from a US publisher, is officially moving to an e-book model. They'll no longer be publishing mass-market paperbacks. That particular niche of the publishing market is essentially gone and it's unlikely to return any time soon.

It's hard enough to make a living by being a fiction writer. It looks like it's going to get even harder in the future.

Monday, 30 August 2010

That's a lot of users

Our marketing people issued an interesting press release last week. There was some stuff in it about a huge growth rate, lots of consecutive quarters of profitability, and similar things, but what I found the most interesting is that we now have over 4.5 million licensed users of our SecureMail product.

Note that that's 4.5 million licensed users. Our sales guys typically license our email product to an enterprise by the number of internal users, so the actual number of users is actually much greater than that. Perhaps even much greater. So although it's impossible to get an accurate estimate for how many users we really have, it's not hard to believe that there are probably over 20 million users of SecureMail now.

That's a lot of users.

Tuesday, 10 August 2010

Quote of the week? Month?

Research in Motion has been in the news a lot recently. The governments of the United Arab Emirates and Saudi Arabia don't like the fact that RIM encrypts traffic to and from the ubiquitous BlackBerry phones and have threatened to shut down BlackBerry service unless RIM provides them a way to bypass the encryption.

In last Thursday's Wall Street Journal, Michael Lazaridis had the following to say about this:

This is about the Internet. Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off.

There's no easy solution to this problem. Governments want to be able to spy on people and people want privacy. You clearly can't have both.

Thursday, 20 May 2010

A possible use for spam

I've received lots of spam emails recently that tell me that I've been selected for inclusion in some sort of Who's Who book. As far as I can tell, all of these are scams designed to get you to give them your credit card number so that they can charge you for expensive books that you didn't order. On the other hand, maybe there's actually a good use for these scams.

I have to wonder if being included in one of these books would help your chances for college admission these days. Imagine being able to add the following to your college application:

  • Received first pre-approved credit card offer at age 2
  • Included in Cambridge's Who's Who at age 4

Could that be the additional padding that will separate you from the other applicants at the more selective universities?

Tuesday, 18 May 2010

Pathetic spammers

I received another one of those annoying spam emails from one of those operations that will include you in their exclusive Who's Who book because of your significant contributions to your field (i.e., having a valid email address). This particular spam, however, was apparently from "Satellite TV Quote." So it looks to me like some spammer couldn't quite keep his scams straight and included text from one scam in a message designed for another scam.

Come on, spammers, at least make a reasonable effort to make your messages look legitimate.

Thursday, 13 May 2010

A new approach to fighting spam?

Spam and the uncertainty that spam filters cause have dramatically reduced the effectiveness of one of the most popular uses of the Internet. Maybe it's time for a different approach to filtering email.

Phones and email are both about equally useful: given the choice between giving up their phone or giving up email, people are about evenly divided. When comparing email to other Internet technologies, however, it's no contest. Given the choice between giving up email and giving up browser-based web access, people cheerfully forgo the web in favor of email. The web may be nice to have, but email is a necessity, and most businesses really can't function without it.

Unfortunately, almost all of today’s email traffic is spam so it’s necessary to separate the spam from the legitimate messages before they get to users’ inboxes. If you don’t do that, users are quickly overwhelmed by the sheer volume of spam that they receive.

Spammers are clever, however, and quickly find a way to get around the latest updates to spam filtering software. That’s possible because filtering applications use the latest models of what spam looks like to help them decide whether or not to let a message pass. Once spammers learn what filters look for, they quickly invent a way to get their spam past the filters.

Maybe an entirely new approach to filtering email is needed, and the fact that most email is actually spam may be the insight that we need for this. In particular, instead of trying to identify spam, why not try to identify legitimate email messages instead?

Note that this is entirely different from white-listing. With white-listing, an approved list of names, domains or IP addresses is used to allow incoming email. Instead, this approach looks at the content of an email and tries to decide if a particular message is legitimate. White-listing doesn't look for valid email messages. An entirely different model may be needed to do that.

Information security vendors have spent lots of time and effort over the past several years developing ways to identify spam. The benefits of this research have been temporary at best because spammers quickly learn to avoid the most recent versions of anti-spam filters. But while the arms race between spammers and anti-spam vendors has led to all sorts of unusual messages that are designed to pass filters undetected, the format of legitimate emails hasn’t changed much at all, and because of this, identifying legitimate emails may be a better strategy than identifying spam.

Looking for legitimate emails seems to be very simple to implement because it can be done with a minimal change to existing networks. All that’s needed is different logic on anti-spam filtering products. Everything else can stay the same. That seems much simpler than some of the alternatives that have been proposed. Simple is definitely good. It might even be effective.

I haven't heard of this approach being used. Maybe there's some obvious reason why it won't work.

Friday, 30 April 2010

Usability lessons from Progress Quest

Voltage is known for its innovative encryption technologies, but we're also known for how easy our products are to use. Not too many years ago, it was extremely hard for the average person to encrypt their email. The classic paper "Why Johnny Can't Encrypt" describes exactly how hard this can be for a typical user and anyone interested in the usability of encryption should read it.

With Voltage's SecureMail, on the other hand, a user doesn't have to do anything more than click on the "Send Secure" button instead of the "Send" button. If you're implementing SecureMail at a gateway appliance, they don't even have to do that – it can just happen automatically. Decrypting is just as easy.

Because we worry so much about the usability of our products, I'm very interested in seeing any enterprise security products that might actually be easier to use than SecureMail. If we ever find one of these, we'll probably be able to learn a thing or two from it. That's why I got so excited when I recently learned of an application that may actually be easier to use than SecureMail. In this case, however, it's not enterprise software. It's the game Progress Quest.

Progress Quest is a massively multiplayer online role-playing game (MMORPG). Before I heard of Progress Quest, I had never actually played an MMORPG, but that didn't stop me from being a government expert on the topic. I say that because I was actually the invited speaker at a government workshop on MMORPGs a couple of years ago. Unfortunately, the fact that I had to sign an NDA for this event means that I can't say much more about it.

Here's how the manual for Progress Quest describes the game:

Progress Quest is a next generation computer role-playing game. Gamers who have played modern online role-playing games, or almost any computer role-playing game, or who have at any time installed or upgraded their operating system, will find themselves incredibly comfortable with Progress Quest's very familiar gameplay. Progress Quest follows reverently in the footsteps of recent smash hit online worlds, but is careful to streamline the more tedious aspects of those offerings. Players will still have the satisfaction of building their character from a ninety-pound level 1 teenager, to an incredibly puissant, magically imbued warrior, well able to snuff out the lives of a barnload of bugbears without need of so much as a lunch break. Yet, gone are the tedious micromanagement and other frustrations common to that older generation of RPG's.

You start Progress Quest by picking the class and race of the character that you'll be playing. After that, the game does everything else for you. I even created a Progress Quest character: Elrond Hubbard, a Demicanadian Ur-Paladin with a name that's almost funny. If you're more adventurous you can pick races like Double Wookiee or Enchanted Motorcycle and classes like Fighter/Organist or Battle-Felon. I wasn't.

If you let Progress Quest run, your character will gradually increase in power and gain useful magical treasures. As I write this, Elrond Hubbard is currently Level 60 and has +23 Fine Gilded Plasma Vambraces. I'm not really sure if that's good or bad, but I certainly didn't have to pay any $9.95 monthly fees to get my character to where he is now.

Surprisingly enough, or at least surprising enough to surprise a one-time government expert like me, Progress Quest seems to be fairly popular. The good reviews of it dramatically outnumber the bad reviews. And that's for a game where the player does absolutely nothing.

I'm never surprised to learn that most people really don't want to worry about encryption at all - they're too busy doing their jobs to worry about fighting with software that's hard to use. But I never would have thought that people would actually enjoy a game in which they do absolutely nothing.

In any event, I suppose that the bottom line is that we haven't quite figured out what we can learn from Progress Quest that will help us make SecureMail better, but that doesn't mean that we won't keep trying.

(If anyone wants to quote me about Progress Quest, here's my position on it: "Of all the games available for the PC, this is one of them.")

Tuesday, 27 April 2010

An unusual requirement for encryption

I recently came across what I thought was an unusual requirement for an enterprise encryption product. I heard this from the CEO of a company that wasn't encrypting their email yet and didn't plan to do so until they could find a product that met all of the CEO's requirements.

The particular requirement that I found somewhat surprising was that the user of an email encryption product would automatically be notified if a hacker somehow managed to decrypt an encrypted message.

I won't say that this is impossible to do, because someone might actually invent a clever way to do this some day, but it certainly seems as close to impossible as you can get. I certainly don't know of a good way to do it. But because they couldn't find a product that had this particular feature, at least one company out there isn't encrypting email messages that contain sensitive information.

The use of encryption has become much more widespread than it was just a few years ago, but there are still lots of cases where it's not used much. I have to wonder how much the adoption of encryption is being slowed by requirements that really aren't very practical.

Friday, 26 March 2010

Does this count as spam?

I received an interesting email recently that began like this:

Dear Luther Martin:

We would like to inform you that the final set of deadlines for submitting a paper/abstract in the area of "Operation Research and Management Science" (or other area) included in The 14th World Multi-Conference on Systemics, Cybernetics and Informatics: WMSCI 2010 (http://www.sysconfer.org/wmsci) to be held on June 29th-July 2nd, 2010 in Orlando, Florida, USA, is the following:

Papers/Abstracts Submissions and Invited Sessions Proposals: April 7th, 2010
Authors Notifications: May 5th, 2010
Camera-ready, full papers: May 26th, 2010

I was about to delete this email when I realized that this conference is the one that accepted the randomly-generated paper Rooter: A Methodology for the Typical Unification of Access Points and Redundancy that was created by the SCIgen tool. That didn't stop me from deleting the email, of course. It just made me take a minute to do this blog post about it. Then I deleted it.

Tuesday, 16 March 2010

Now that's targeted phishing

I recently received an interesting targeted phishing message. It claimed to be from Voltage's CFO and asked me to download and run a program (malware) that it claimed would provide input into some sort of insurance paperwork that Voltage needs to fill out. This phishing mail was interesting because it claimed to be from our CFO and had our CFO's real contact information at the bottom of the message.

I was surprised by how targeted this phishing was. Voltage has lots of large customers. The last I heard, we have roughly 1,000 enterprise customers and about 10 million users of our technologies, so there are probably lots of people out there who wouldn't be surprised to get an email from Voltage's CFO. On the other hand, the number of people who could reasonably expect an email from Voltage's CFO is fairly small compared to the number of people who have accounts at Bank of America or Wells Fargo.

So while I can understand why a phisher might think that it's reasonable to send out millions of phishing emails in an attempt to trick a few of the BofA or Wells customers into giving up their username and password, I can't quite understand why a phisher would think that it's worth sending out targeted phishing emails in an attempt to get a few Voltage employees to install malware on their computers.

Maybe this really indicates that Voltage is more successful than I've heard. I remember seeing a press release recently that talked about how we had something like 70% revenue growth last year, are profitable, generating cash from operations, etc. Maybe we're really doing even better than that. Why else would phishers try such a targeted attack?

Thursday, 18 February 2010

Outis - S/MIME for Gmail

There's apparently an add-on for Firefox that lets you do S/MIME-based email through Gmail. When I first saw this, my first reaction was something like Why on Earth is anyone doing this!?!?

According to the IETF's outcomes tracking database, S/MIME hasn't been a success. They somewhat charitably say that it has experienced "poor adoption."

For some reason, the heroic efforts of the S/MIME Working Group in creating the dozens of documents that they've finished so far remind me of the part of the Odyssey where Odysseus and his companions escape from the hungry Cyclops Polyphemus by blinding him and running away while his cries that "nobody (ουτις, or outis) was hurting him" were ignored by the other Cyclopes.

Maybe "Outis" is a good code name for the Firefox S/MIME add-on for Gmail. I expect that's who will be using it.

Monday, 01 February 2010

It's easy to become famous

Intrigued by the possibility of becoming famous that I mentioned in the last post, I looked more closely at the email that invited me to get listed in some sort of prestigious publication and found a link that had my name in the URL. Once I saw this, I wondered how easy it would be for someone else to become famous. To test this, I removed my name from the URL and put in the name of one of my wife's stuffed animals.

Apparently Putsi Fischotter is also famous enough to get his name listed.

Maybe if I send these guys a picture of a stuffed otter dramatically staring off into the distance they'll add that image to their web site.

Friday, 29 January 2010

I'm famous!

I recently received another one of those annoying emails that tell you that you're so famous that some publisher would like to include you in a book that lists other famous people and their accomplishments.

Here's what these guys said:

It is my honor to inform you that as of January 22, 2010 you are being considered for inclusion in our forethcoming [sic] edition of the 2010 directory representing the WHO'S WHO of Worldclass [sic] Professionals.

Our alliance is recognized by talented individuals who hold knowledge and experience in a particular industry, demonstrate a commitment to excellence, and seek career advancement or enhancement.

On behalf of the CEO and our esteemed staff, we wish you continued success.

I'm not sure how these emails manage to get past our spam filter, but they do it fairly often. I must get one of these at least once per week. I get them so often that I'm now convinced that the only criterion for getting listed in one of these books is having a valid email address. I'm not sure that counts as holding knowledge and experience in a particular industry. It's hard to see how that demonstrates commitment to excellence or seeking career advancement or enhancement, either.

I have to wonder if other talented individuals like sales@voltage.com and marketing@voltage.com are already listed in one of these fine publications.

Wednesday, 16 December 2009

Google AdWords for the Key Management Summit

Because I'm on the program committee for the 2010 Key Management Summit, I knew that there's a Google AdWords campaign happening now to increase awareness of the event. Despite this, I was surprised to see the following ad when I last read my Gmail:

Key Management Summit - 2010.KeyManagementSummit.org - IEEE Conference on Encryption Lake Tahoe, NV. May 3-7 2010

While I'm probably the right kind of person to target with this ad, I have to wonder exactly how Google chose to show it to me. I don't get work-related email at my Gmail address, and the email that's in my Gmail Inbox right now is stuff like announcements of end-of-year sales that various small presses are having (up to 75 percent off in some cases), information about my kids' Boy Scout camp for next Summer, and confirmations that various Christmas gifts have shipped. There's nothing there that's even remotely related to encryption or key management.

Maybe the logic behind AdWords is even more clever than you might first think. Or there might be terms like "encryption" or "key management" hidden somewhere in those emails about Christmas gifts.

Monday, 30 November 2009

How serious is phishing?

How serious is phishing? According to a paper by Cormac Herley and Dinei Florêncio of Microsoft Research, it may not be as serious as we're led to believe. Here's what they say about this.

We find the oft-quoted survey-based estimates of phishing losses unreliable. In particular the victimization rate found in most surveys is smaller than the margin of error, and dollar losses are estimated by averaging unverified self-reported numbers. We estimate that recent public estimates overstate phishing losses by as much as a factor of fifty.

In other words, they claim that the victimization rate for phishing is statistically indistinguishable from zero and that estimates of the losses due to phishing are wildly inaccurate. Herley and Florêncio then try to make their own estimate of the annual losses due to phishing and come up with the figure of $61 million, which is much lower than we're usually led to believe. If that estimate is accurate then it's essentially not worth doing anything about phishing because any industry-wide effort to fight it will cost more than the $61 million in losses it could prevent.

If phishing is really not as lucrative as we're usually led to believe, why do people keep doing it? Herley and Florêncio have an answer for that too:

Repetition of questionable survey results and unsubstantiated anecdotes makes things worse by ensuring a steady supply of new entrants.

In other words, people keep trying it because they're misled into believing that they can make money doing it. If this is the case, the best strategy is to ignore phishing and it will probably go away.

Which is true? Is phishing as serious a threat as we're often led to believe, or is it essentially not worth worrying about? Unfortunately, there's not enough accurate data to answer this question, so we'll have to keep making decisions about how to deal with phishing based on our own experiences and the data that's available.

Thursday, 15 October 2009

No more Web of Trust

I recently received an e-mail from Thawte that explained how they are going to discontinue their Thawte Personal E-Mail Certificates and Web of Trust. Here's how they explained this:

Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.

The Thawte Personal E-mail Certificates implemented an interesting idea. They assumed that all you can really verify with an e-mail exchange is an e-mail address, so that's all you could have for your identity until you had your identity verified face to face by one or more WOT notaries. Once enough of these notaries vouched for your name, that name could be included in the certificates that you got from Thawte. I was actually one of these notaries, which is why Thawte sent me this message.

The Thawte root CA certificates were in the commonly-used browsers, so this provided an easy way to get a useful, yet free, certificate, and Thawte Personal E-mail Certificates were one of the more common certificates that you'd see used to sign and encrypt e-mail. It's a pity that we won't have them any more.

You'll still be able to buy certificates with your name and e-mail address in them, of course. Maybe that's really what this was all about.

Monday, 17 August 2009

First four vs. last four

Last week, I heard something interesting about credit card numbers. Someone that I was talking to claimed that a recent study showed that over 95 percent of people can be tricked into thinking an email is actually from their bank if the email includes the first four digits of their credit card number. We're used to seeing the last four digits being used this way, and that makes some sense, but the first four digits really aren't suitable for being used this way. 

In a 16-digit credit card number, the first six digits form the issuer identification number (IIN) that identifies the bank that issued the card. The next nine digits are the account number, and the last digit is a checksum that's calculated from the previous 15 digits. In most cases, it's fairly easy to guess the IIN. There's a list of known prefixes to IINs here, and some of these are very easy to guess. In some cases, the first four digits are actually the same for fairly broad categories of cards.
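To make the layout concrete, here is an added example (my code, not part of the original post) that splits a 16-digit card number into the three fields described above, computes and checks the Luhn check digit that forms the last digit, and masks a number the way the "last four" convention does. The sample number 4111111111111111 is a widely published test number that passes the Luhn check; it is not a real account.

```javascript
// Added example: the 16-digit card number layout described in the post
// (6-digit IIN, 9-digit account number, 1 Luhn check digit), plus the
// Luhn checksum used to compute and verify that last digit.

// Luhn sum over a string of digits, walking from the right. When
// `doubleRightmost` is true the rightmost digit is the one immediately
// left of the check digit, which is the case when computing a check digit.
function luhnSum(digits, doubleRightmost) {
  let sum = 0;
  let dbl = doubleRightmost;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;   // same as summing the two digits of the product
    }
    sum += d;
    dbl = !dbl;
  }
  return sum;
}

// True when the whole number (check digit included) passes the Luhn check.
function luhnValid(pan) {
  if (!/^\d+$/.test(pan)) return false;
  return luhnSum(pan, false) % 10 === 0;
}

// The check digit that makes `payload` followed by that digit pass the check.
function luhnCheckDigit(payload) {
  if (!/^\d+$/.test(payload)) throw new Error('digits only');
  return (10 - (luhnSum(payload, true) % 10)) % 10;
}

// Split a 16-digit number into the fields the post describes.
function parsePan(pan) {
  if (!/^\d{16}$/.test(pan)) throw new Error('expected 16 digits');
  return {
    iin: pan.slice(0, 6),            // issuer identification number
    accountNumber: pan.slice(6, 15), // nine account digits
    checkDigit: pan.slice(15),       // Luhn check digit
    luhnValid: luhnValid(pan),
  };
}

// The usual display form: everything but the last four digits hidden.
function maskPan(pan) {
  return '*'.repeat(pan.length - 4) + pan.slice(-4);
}

// Stand-alone demonstration with the published test number.
console.log(parsePan('4111111111111111'), maskPan('4111111111111111'));
```

Because the IIN is shared by every card the issuer puts out and the check digit is a deterministic function of the other fifteen, the only digits that distinguish one cardholder from another are the nine in the middle; that is why a message quoting the first four digits proves nothing about who sent it.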

I haven't been able to find the paper that this discussion was based on, but I wouldn't be surprised if it does exist. People in the payments industry know the structure of card numbers and know that the first four digits of a card number aren't a good way to authenticate someone. The average guy on the street probably doesn't know that, however, but that might need to change. Apparently, it's becoming necessary for people to learn more about payments processing than they really want to know.

Monday, 27 July 2009

The lamest spam ever

A few days ago, I received what must be the lamest spam ever. Here's what it said:

Hi Sir, You have a wonderfull offer to getting world wide companies. Please. If you are increase your bussiness then me. Regard's Thomes

It's somewhat amazing that this message made it past our spam filter, but what's even more amazing is the fact that someone actually thought that he could make money off his email campaign that sent out this message.

I've seen some poorly-designed spam over the past few years. Some spammers didn't even take the time and effort to make the content of their spam consistent. Consider messages that claim to be from one bank yet tell you that your account at an entirely different bank has been suspended and that you'll be unable to access your balance unless you click on a link that installs a virus on your computer.

At least that spam made a better effort. It at least had flashy graphics that made a reasonable effort of making the message look like it really came from a big commercial bank. This message from "Thomes," however, makes no effort at all to even try to look legitimate. It must be the lamest spam that I've ever seen.

Monday, 08 June 2009

Why use Secure Mail?

I predict that some day we'll notice that very few consultants encrypt their email. This will be because of the secure email products that they were forced to use when they worked at larger companies. My experience with ice cream leads me to believe this.

When I was a kid, we would frequently get ice cream on the way home from school. I always wanted to get a clown cone, a scoop of ice cream in a sugar cone that's decorated with candy to look like a clown. Clown cones don't actually taste that good because they've usually been sitting out for quite a while before you buy them, but they certainly look good, and that's why I always wanted one.

My parents, however, had different ideas. They knew that clown cones don't actually taste very good, and they never let me get one. After years of being cruelly denied clown cones, now I'm the dad, and nobody (except my wife of course) can tell me that I can't get one. I do this every time I take my kids out for ice cream, cheerfully ignoring the fact that the clown cones really don't taste that good as I do it.

Now consider the people who have to use email encryption on the job. Many of these people aren't lucky enough to be using Voltage's SecureMail, which is extremely easy to use. Some of them even use PKI and S/MIME to protect their email. They probably hate every minute of this, but are forced to use S/MIME anyway.

Some of these people are going to become consultants one day. They'll be their own boss and won’t have a security department to force them to use S/MIME. I expect that many of these people will rebel against their terrible experiences with S/MIME by intentionally avoiding using encrypted email as much as they can, ignoring the fact that they really should be protecting sensitive information.

What's the solution to this? Use Voltage's SecureMail, of course.

Monday, 11 May 2009

Violating the end-to-end principle

It’s sometimes convenient to divide communication systems into the end points that attach to a network and the network itself. This provides the framework for thinking about the end-to-end principle. This tells us that whenever possible, operations should take place as close to the end points as possible instead of being implemented in the network. Conventional wisdom tells us that the closer we follow the end-to-end principle, the easier it is to create reliable systems. This principle has guided the evolution of the Internet for many years. Is it still appropriate today?

There are certainly some cases where it’s proved to be useful to violate the end-to-end principle. It’s usually not practical to do content scanning and filtering at end points, for example. These work better when they’re implemented in the network instead, like at a gateway appliance or a firewall. That's where these functions are typically carried out these days, although it's also common to have the same functionality at the end points. An example of this is how virus scanning is often done at both an anti-virus appliance in the network as well as on a user's desktop.

Some types of encryption also work better when they’re implemented in the network instead of at an end point. This frees users from the burden of managing cryptographic keys, and can make technologies like encrypted email much easier to use. This has also proved to be a useful alternative to end-to-end encryption, and most encrypted email today is encrypted at a gateway appliance instead of at an end point.

Not all cases where it’s useful to violate the end-to-end principle involve security. Network address translation (NAT) is a useful technology that’s not implemented at end points but has nothing to do with security, but many of the examples where it’s useful to push functions away from end points seem to. Could this be a general principle: that security often needs to be implemented in the network instead of at an end point? There seems to be a fair amount of resistance in the IETF to technologies that violate the end-to-end principle, so if this is true, we may never actually see standards for many useful security technologies.

Tuesday, 24 March 2009

2009 business risks

The 2009 Ernst & Young business and risk report is now available. The predictions that E&Y has made in previous editions of this report have been fairly accurate, so I always look forward to seeing the next edition of it. Like the reports from previous years, this year's report has a few interesting things in it.

The first thing that I noticed was an obvious non sequitur by Edmond Escabasse. He's the CEO of Asialis and a member of the board of directors of ParisTech Telecom. He's also the person who wrote the section of this year's report that talked about how regulation, convergence and the evolution of economic models are important to businesses. Here's what he said.

In the complex world of telecoms, care needs to be taken to avoid confusing industry drivers with sector risks. Instability is driven by a number of factors, such as the capital intensive demands of infrastructure, constant technological disruptions and the rapid rate of service development. Taken together, they make for an industry that is as unstable as it is innovative.

He then follows with this totally unrelated statement.

In this light, regulation is key to ensure that all players get fair remuneration for their work, avoid economically unjustifiable network migration and are allowed to cooperatively evolve with other segments of the industry.

It's not at all clear to me why regulation is needed to ensure that companies make a fair profit, don't make bad investments and negotiate mutually-beneficial deals with other companies. Shouldn't successful companies do these things on their own? If they can't, they probably shouldn't be in business. Perhaps Mr. Escabasse's view of the world has been affected by the telecom bubble of 1997-2003. But even if this is the case, it's not clear why regulation will keep managers from making bad decisions, which was really what caused the telecom bubble.

One thing that's interesting in this year's report is the fact that there's a new threat to businesses listed. This year "business model redundancy" is the 9th biggest threat, and appears on the list of the biggest threats for the very first time. This is a threat because "technological change and industry transitions are making long-established business models obsolete, forcing industry-leading firms to reinvent their corporate strategies and structures."

This reminds me of the hearings before the Subcommittee on Economic Goals and Intergovernmental Policy of the Joint Economic Committee, back in June of 1982 when the Post Office tried to get their monopoly extended to cover email. The Post Office's pitch, "The future of mail delivery in the United States," is hard to track down these days, but it shows how they tried to justify this. Luckily, the Postal Rate Commission and the Federal Communications Commission didn't let them do it, and the use of email became widespread. And you didn't need to deal with the Post Office to get it. That's a bit of email history that's probably not widely known.

Friday, 13 March 2009

Has secure email crossed the chasm?


The recent large deployment of secure email at Wells Fargo that Voltage recently announced is just one of many large deployments of Voltage's SecureMail in the past year or so. This might be enough to make you wonder exactly where secure email is on the technology adoption life cycle. Has it crossed the Chasm that was popularized by Geoffrey Moore and entered the Early Majority phase yet? Or is it still stuck in the Innovators phase?

To understand this, it might be helpful to describe exactly what the technology adoption life cycle is. It turns out to predate Moore's book Crossing the Chasm by over 30 years, and its first version actually modeled the adoption of a fairly different area: it was actually first used to describe how farmers adopt new agricultural technologies. The first discussion of the technology adoption life cycle was the 1957 report The Diffusion Process, by George Beal and Joe Bohlen that was published as a supplement to Iowa's Regional Extension Publication No. 1, How Farm People Accept New Ideas. This model was then described in the 1962 book Diffusion of Innovations by Everett Rogers, where Rogers generalized the process to more than the adoption of agricultural technology by farmers.

Beal and Bohlen modeled the adoption of new technologies by farmers as a process with five stages: Awareness, Interest, Evaluation, Trial and Adoption. In the awareness phase, people know about a new technology, but lack details about it. In the interest stage, people want more information about a new technology. In the evaluation stage, people think about a new technology and whether or not it will benefit them. In the trial stage, people start small-scale experimental use. In the adoption stage people have large-scale, continued use of a new technology. What's interesting in Beal and Bohlen's discussion of these five stages is how the most common way for people to learn about new technologies changes at each step in this process. The most common ways to learn about a new technology in each phase are shown below, ranked from most to least common.

Rank  Awareness              Interest               Evaluation             Trial                  Adoption
1     Mass media             Mass media             Neighbors and friends  Neighbors and friends  Neighbors and friends
2     Government agencies    Government agencies    Government agencies    Government agencies    Government agencies
3     Neighbors and friends  Neighbors and friends  Mass media             Mass media             Mass media
4     Salesmen               Salesmen               Salesmen               Salesmen               Salesmen

We can summarize this by saying that when people move past just interest in a technology and start to evaluate it, then the source of their information changes from the media to people that they know. At that point, it seems reasonable to assume that the marketing efforts of technology companies should change. I don't know if sales and marketing people at technology companies use this model, but I wouldn't be surprised if they do. Curiously, salesmen come in dead last in every phase. Maybe they're never perceived as being a good source of information because they can probably be relied on to give information that's biased towards their products.

When it comes to individuals, Beal and Bohlen divided them into categories that are determined by how soon they adopt new technologies. This is where they divided people into the categories of Innovators, Early Adopters, Early Majority, Majority and Nonadopters. This is the model that Moore popularized in Crossing the Chasm, changing Majority to Late Majority and Nonadopters to Laggards when he did. Where is secure email on the technology adoption curve? Has it made it past Moore's Chasm?

Technologies reach Moore's Chasm in the Early Adopters phase. This means that if a technology is in the Early Majority phase then it's definitely past the Chasm. If it's still in the Early Adopters phase, then it might or might not have. People who are early adopters tend to take risks, but only to achieve very focused goals. They'll even work with start-ups to do this. People in the Early Majority are pragmatic. They don’t like the risks associated with new technologies but are willing to look at technologies when they've been tested by others.

Based on my experience at Voltage in the past five years, it seems to me that secure email entered the Early Majority phase in the past year or two. Before then, it was definitely only used by Early Adopters. Back then, Voltage's customers were ones that felt willing to take the risk associated with a small company and a new technology because the technology solved certain problems cheaper and easier than alternatives. More recent customers, however, seem to see secure email as an established and proven technology. They're now willing to deploy it widely, and Voltage now has several customers with over 100,000 users of its SecureMail products.

If Voltage's experience is representative of the entire secure email market, then secure email has crossed Moore's Chasm and is on its way to becoming used by a majority of businesses. That means that we'll probably see even more adoption of secure email in the future, and large deployments like the one at Wells Fargo should get more and more common. They might even become so routine that they're not even interesting any more.

Friday, 27 February 2009

How many users?

Encrypted email is getting very popular these days. Voltage now has roughly 10 million users of its SecureMail product, for example, and other secure email vendors probably have similar numbers that they could cite. That's why I wasn't really surprised to see the counter on the Zix Corporation web site that shows how many users they have. When I checked this, the number was roughly 14 million. That's a respectable number, isn't it?

But as I looked at this web site, this number increased by one. A short while later it increased by one again. The number of users of Voltage's SecureMail typically increases by several thousand at a time instead of one by one, so this seemed a bit odd. To see what was really going on, I looked at the source code of Zix's web page. You can do this in Internet Explorer, for example, by going to the View menu and then selecting the Source option of the menu that appears.

When I did this, I was a bit surprised to see that the counter that shows how many users they have is based on the clock of the computer where the web browser's running and has no obvious connection to the actual number of users that Zix has! Here's part of what I found. This is the code that creates the number of users that is displayed on the Zix web site.

function ZixCount2()
{
    today = new Date ();
    startDate = new Date (2009,0,06);  //months in js run 0-11 (must reset when changing goal)
    startVal = 13885156;  //starting Value (must reset when changing goal)
    var one_day=1000*60*60*24;

    perWeek = 100000;  //set rate per week
    rate = 604800/perWeek;

    goalDate = new Date (2009,0,8);  //Set a Goal Date (months in js run 0-11)
    goalVal = 13996467;  //Set a Goal Value

    if (goalDate <= today){
        startDate = goalDate;
        startVal = goalVal;
    }

    currentVal = Math.round(startVal + (today.getTime() - startDate.getTime())/1000/rate);

    if (goalDate > today){
        daysLeft = Math.ceil((goalDate.getTime()-today.getTime())/(one_day));
        daysTotal = Math.ceil((goalDate.getTime()-startDate.getTime())/(one_day));
        dailyOffset = (goalVal-currentVal)/daysTotal;
        currentVal = Math.round(currentVal + (dailyOffset*(daysTotal-daysLeft)));
    }

    //document.write("Current Val = " + currentVal);
    //document.write("<br />");
    //document.write("daysLeft = " + daysLeft);
    //document.write("<br />");
    //document.write("daysTotal = " + daysTotal);
    ChangeValue(2, currentVal);
    timerID = setTimeout("ZixCount2()",rate);
}

So the number of users that the Zix web site shows doesn't really seem to be related to how many users they actually have. Instead, it's just based on what time it is. You can even change the number of users that the web site shows by changing the date and time on your computer's clock!
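You don't actually have to change your system clock to check this. As an added example (my code, not code from the Zix site or from this post), here is the same arithmetic rewritten as a pure function of a supplied clock value, using only the constants that appear in the quoted script, so that the number the page would show for any given clock reading can be computed and compared directly.

```javascript
// Added example: the Zix counter as a pure function of the clock.
// The constants are the ones from the quoted script; nothing else is assumed.
const START_DATE = new Date(2009, 0, 6);   // startDate in the quoted script
const START_VAL = 13885156;                // startVal
const GOAL_DATE = new Date(2009, 0, 8);    // goalDate
const GOAL_VAL = 13996467;                 // goalVal
const PER_WEEK = 100000;                   // perWeek
const SECONDS_PER_WEEK = 604800;
const ONE_DAY = 1000 * 60 * 60 * 24;

// The value the page would display if the browser's clock read `now`.
function zixCountAt(now) {
  // Seconds of wall-clock time per displayed "new user": 604800 / 100000 = 6.048 s.
  const rate = SECONDS_PER_WEEK / PER_WEEK;
  let startDate = START_DATE;
  let startVal = START_VAL;
  if (GOAL_DATE <= now) {          // past the goal date: count on from the goal value
    startDate = GOAL_DATE;
    startVal = GOAL_VAL;
  }
  let currentVal = Math.round(startVal + (now.getTime() - startDate.getTime()) / 1000 / rate);
  if (GOAL_DATE > now) {           // before the goal date: interpolate towards it day by day
    const daysLeft = Math.ceil((GOAL_DATE.getTime() - now.getTime()) / ONE_DAY);
    const daysTotal = Math.ceil((GOAL_DATE.getTime() - startDate.getTime()) / ONE_DAY);
    const dailyOffset = (GOAL_VAL - currentVal) / daysTotal;
    currentVal = Math.round(currentVal + dailyOffset * (daysTotal - daysLeft));
  }
  return currentVal;
}

// How many "users" the display adds in one week of clock time after the goal
// date. The answer is the perWeek constant, whatever the real customer count did.
function impliedUsersPerWeek() {
  const oneWeekLater = new Date(GOAL_DATE.getTime() + 7 * ONE_DAY);
  return zixCountAt(oneWeekLater) - zixCountAt(GOAL_DATE);
}

// Stand-alone demonstration: the figure for right now, and the figure for a
// clock set one day ahead, which is what moving the system clock would show.
console.log('now:', zixCountAt(new Date()));
console.log('clock + 1 day:', zixCountAt(new Date(Date.now() + ONE_DAY)));
console.log('users per week implied by the script:', impliedUsersPerWeek());
```

On the goal date itself the function returns exactly the goalVal constant, and every week of clock time after that adds exactly perWeek more, which is the tell: a genuine count would not be a straight line through two hard-coded points.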

I'm not sure why Zix did this. I don't doubt that they have millions of users of their email encryption product, but it certainly looks like the number on their web site doesn't really correspond to the number of users that they actually have.

Monday, 23 February 2009

An idea that won't work

The recent story by The Sunday Times about the energy cost of using Google for a search seems to have been revealed as an exaggeration. We'll have to wait a while and see which people remember more - the correction or the original inaccurate claim:

Performing two Google searches from a desktop computer can generate about the same amount of carbon dioxide as boiling a kettle for a cup of tea, according to new research.

That's not just wrong – it's obviously wrong. The Times eventually added a few extra words to their original article that tried to clarify what they actually meant, but it still looks like a case of people trying to use statistics who shouldn't be using them. The fact that this article created such a stir may tell us that one of the ways proposed to combat spam may be impractical due to environmental concerns. This is the idea that one way to stop spam is to force senders of email to pay a tax in the form of lots of computation when they send an email.

The problem is, of course, that the computation that would be needed to send an email could also be quantified in terms of carbon dioxide. Imagine the uproar if the following was claimed about this anti-spam technique:

Sending a single email can generate the same amount of carbon dioxide as boiling two gallons of water, according to new research.

So it certainly looks like the idea of paying tax in computing power won't fly as a means of preventing spam these days. It's never been a very popular idea, but it certainly looks like the anti-spam researchers need to come up with another idea or two.

Tuesday, 17 February 2009

Yet another big deployment

Today, Voltage announced that Wells Fargo has dramatically increased the size of their deployment of SecureMail, Voltage's line of products that's used to encrypt email. The new Wells Fargo deployment will be hundreds of thousands of users. While this might have been a big deal a few years ago, these days, it's almost not even newsworthy. After all, there are roughly 600,000 SecureMail users at a large retail business and another 250,000 SecureMail users at a large health care business. Each of these deployments was fairly easy, and required minimal support from Voltage's support team. If you're new to secure email, this may not sound impressive, but if you've used it for a while, this is simply astounding. Just a few years ago, there was no way to realistically deploy secure email to a few hundred thousand users unless you were the US government and didn't mind spending a billion dollars or so.

I almost feel sorry for people who are just getting their first exposure to secure email these days, because it's not really very interesting anymore. Not long ago, it definitely appealed more to computer hobbyists who enjoyed tinkering with the secure email system to get it working much like ham radio operators enjoy tinkering with their radios to get them to work. Now, it's much easier and cleaner, and hobbyists have to find other ways to amuse themselves.

The people for whom Voltage's SecureMail is their first exposure to secure email won't be able to tell stories to their coworkers one day about how they overcame seemingly insurmountable obstacles and actually managed to send an encrypted email. Some might not even know they're using it. There's still plenty of difficult software out there, though, so they won't miss out on the experience of fighting with it. This seems to be an unavoidable part of working in the twenty-first century.

Ease of use

Any security product needs to be very simple to use if it’s going to become successful. If it isn’t simple to use, the cost of supporting a difficult product can easily outweigh any benefits from it. That’s why Voltage’s SecureMail requires the minimal level of user involvement. If a person sending an email can click on the "Send Secure" button instead of the "Send" button, they can use SecureMail. There’s nothing else that they need to do.

It’s probably possible for people to use more complicated secure mail systems. President Obama probably has no difficulty using secure email on his BlackBerry, but he has a fairly large staff to configure it for him. He probably has fairly good tech support too. Similarly, generals don’t seem to mind using digital certificates from the Department of Defense’s PKI to send signed and encrypted email, but they also have a staff to take care of any problems that might occur.

People that don’t happen to be the President of the United States or a general officer still need to encrypt email, however, and they normally have to do it on their own. In these cases, ease of use is critical.

There are also probably good reasons why people simply don’t want to use secure email that takes more effort than clicking on "Send Secure" instead of "Send." It’s probably very similar to the reason that many people don’t use the latest social networking application, or whatever the trend du jour is. This may be because they just have better things to do.

When you’re young, you tend to have lots of free time, but also don’t get paid much. This means that you have the time to do what you want to do but sometimes can’t afford to do these things. You’re resource constrained, not time constrained. Not too many years later, most people find that this situation has reversed. At that point, they find that they’re married, have children and that their job now carries more responsibilities than can easily be done in an eight-hour day. At this point, there are more demands on their time than there are hours in the day, and they’re now time constrained instead of resource constrained. When that happens, learning a new security technology is now competing with dozens of other priorities for the little time that’s available.

To most people, spending the time to learn a complicated security application never becomes a high enough priority that they decide to do it. There’s always something else that’s more important. This isn’t limited to security, of course. This may also explain why you see lots of younger people using the newest social networking applications while those that are a bit older often don’t get around to using them: there's often a better use of their time.

Friday, 06 February 2009

Is compliance a cost?

There's a post on McAfee's web site that answers the question "Is information security compliance really a cost center?" like this:

No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).

Properly implemented information security provides business process improvement, technology improvement and threat reduction. Compliance controls that cover each of these areas to accepted “best practices” will save your organization money by the truckload and provide for expansion of your business tenfold if not more.

Far too often businesses require “measurable” savings when the cost reductions and business enablement is as obvious as a freight train hitting you while you are sitting on the tracks. Below I will detail a simple walk-through of a compliance driven organization versus a non-compliant organization which makes it obvious that it is better and more efficient to be compliant as a business.

In most situations, the term "compliance" means regulatory compliance, or being compliant with data security and privacy laws and regulations. If this is how we interpret "compliance," then compliance is definitely a cost center, at least in many cases. Here's why.

Businesses tend to make investment decisions that maximize the benefits that they receive from the investments. They might be maximizing profit, or something else like market share. This means that when they decide to use a particular security technology, there's probably a good reason for doing so. It also means that when they decide not to use certain security technologies, there's probably a reason for that also. This means that you'll almost never hear discussions like the following:

CSO: We should encrypt the hard drives on our laptops. Our model shows a 60 percent ROI over a three-year period for the total cost of deploying and supporting full-disk encryption software.

CFO: Bah! I don't care about ROI arguments. Instead, we should wait for the government to mandate that we use that technology.

So it's reasonable to assume that investments that are made purely as a requirement for regulatory compliance are ones that wouldn't have been made on the basis of the value of the investment alone. This means that they don't make sense from a business point of view, and that mandating them forces businesses to make investments that they really shouldn't make.

Passing data security and privacy laws may force some security spending, but it's probably at the cost of other security projects that deserved to be funded instead. This means that the net result of data security and privacy laws may be just to reallocate spending from projects that had a good justification to ones whose only justification is to become regulatory compliant. That's probably not a good idea.

There are cases where it makes sense to do some of the things that are also required by regulatory compliance. Data breaches can be extremely expensive, for example, so it's often the case that there's a valid business case for using encryption. This means that there's a strong business case for using persistent encryption of sensitive information. There's also a strong business case for using encrypted email.

If you're really curious about the details of these business cases and don't mind slogging through some detailed risk models, you can take a look at Kevin Soo Hoo's doctoral dissertation "How Much Is Enough? A Risk-Management Approach to Computer Security." He did a careful cost-benefit analysis of several information security technologies and found that the case for encryption is strong. The business case for encryption is still valid in the absence of the need for compliance. Other security technologies aren't as lucky.

Compliance may not always be a cost center, but in many cases it is.
