R.I.P. email. Well nearly. While the number of email accounts continues to grow rapidly, I'm predicting that email, as we know it today, will fade away as the world's most pervasive form of digital communications—possibly within three to five years. It’s not just that there are other ways by which people are communicating, it’s also because email is increasingly a risky way to communicate.
Let’s start at a simple level. Sending an email in the way that most of us do today is much like sending an old fashioned letter, one that is paper clipped to the outside of the envelope. The general population either doesn't know, or doesn't care much about whether anyone sees what in their email.
There are some professions who could, and probably should, protect their communications when sending them across the public Internet. The protection that most email users rely on is simply the sheer mass of emails being sent on a daily basis. And that their ISPs do the right thing and adequately protect their communications in transmission and in storage.
Unfortunately neither proposition holds up. Firstly, while going through the sheer mass of emails is a gargantuan task, it’s not impossible and email doesn't make it hard to search or parse if you have a clear idea of what you are looking for. Secondly, there are no industry standards as to how digital communications should be stored and what safety parameters should be put around that storage.
A significant number of users use POP mail, which most likely means the email is eventually offloaded on to the user's PC or device. It’s generally not the most secure environment.
There is a sense of security if the transmission of the email is encrypted (most devices and servers are (and should be) capable of talking to each other via SSL or TLS.) but that doesn't really address the issue of the storage of those emails. So how about we just encrypt email?
Savvy users know about creating and registering PGP keys. They know how to share their public keys to other savvy users. They can send encrypted emails as well as receive them, but at the moment, setting up good PGP encryption on your email is hard. It is essentially out of the technical reach of most users. PGP encryption is made hard by the lack of support for it from many email programs (usually it’s via an external plugin). And, of course, it will only work if the other party to your email is doing the same thing. Most larger corporate have no excuse, but they're still not doing it.
As a primary communications protocol, you wouldn't exactly call normal email systems secure.
We should also consider, of course, the issue of email as a tool of malevolence. Spam accounts for about 80% of global email traffic. The majority of malware and trojan systems that infect vulnerable PCs and devices are, by far, delivered via email either directly as a payload or through a phishing link.
Many service providers (including ourselves) offer email filtering as a standard part of our commercial email offerings, but nothing is 100% foolproof and not all email systems are filtered adequately. Email filtering is essentially a catch up exercise—putting preventative measures into place once you have found something bad permeating through email.
In-house corporate mail servers, especially those operating under a desk in an SME's business, are notoriously variable in the protection they offer. (For corporates using cloud based mail services, the news is getting better, but it’s not perfect. There are increasing concerns about which jurisdiction(s) corporate email resides in, and who is capable of accessing and analysing them.)
Email filtering is a complicated and resource intensive activity. Our filtering systems do a barrage of tests on every single email that attempts to come in, ranging from a preliminary check of the destination, to granular inspection of the content. One of the first lines of defence introduced is a cross check of Realtime Blackhole List (RBL) databases. Does the sending IP address show up as a spam source in any of these databases? Yes? Then the mail server doesn't even complete the handshake and the email never leaves its source.
Eighty to 90 percent of all email delivery attempts are rejected by our systems at this point. We rely heavily on a number of those RBL databases out there and they are very effective—for now. With the advent of IPv6, while we have not seen a huge surge in spam across IPv6 protocols yet, the bottom line is that the sheer number of IPv6 addresses out there will mean that literally every single spam email could have its own IP address. A different approach will be needed. A lot of organisations are putting their minds to the issue but until email via IPv6 becomes mainstream, we don't have all the answers.
As stated by Spamhaus, one of the leading RBL database providers:
“We expect that unforeseen scalability issues can be addressed incrementally as they start to make themselves apparent. Current traffic in the nascent world of IPv6 email today is of little use to predict what will happen when people start "using it for real".
Now that's before the email gets into the systems themselves. After that, a veritable and ever-changing barrage of form, header and content checks are done. Many are done against filters that are updated hourly. Anything that doesn't pass muster gets quarantined. Out of the 10 or 20 percent or so of emails that do get into the system, around 10 to 15 percent end up in quarantine.
Overall, legitimate emails account for a small minority of email traffic. Clearly email is still an effective vehicle for delivering badness of many kinds, whether it’s phishing scams or payloads for malware and/or botnets.
Putting this in perspective, corporates are sending lots of their main communications down information highways that look more like combat zones. But there are many signs of change.
In the health and medical field, secured, encrypted messaging is non-negotiable. Companies such as Argus Connecting Careprovide essential point-to-point encrypted messaging for medical practitioners, specialists and hospitals.
Increasingly, government procurement portals provide ways in which businesses and non-profit organisations can submit tenders, reports, schedule events and activities and correspond. And, of course, there are a plethora of cloud-based groupware and project management systems such as Basecamp that provide complete end-to-end management, document handling and communications systems. Email is in many cases an optional function.
Perhaps what is noteworthy is that there are cultural changes in the way that we are communicating. There is now a generation of people moving into the workforce who were brought up on the Internet. Their primary form of communication is mobile and it’s social—and it’s one to one. Whereas you will receive email from anyone who has your email address whether you like it or not, with many forms of social media, you can choose who you want to talk to and how.
In the same way that smart phones are now used less and less for “traditional” phone calls, there's already clear evidence that email is falling out of favour with family and consumer users, which is from where this young generation is transitioning.
It’s interesting to reflect on the fact that email pre-dates the Internet as we know it and operated on hermetically sealed mainframe systems, where terminals were connected directly to it. In typical fashion, the innovators who integrated email into the Internet could scarcely have contemplated the explosion of its use by so many different quarters of the human population—or the dangers that would arise.
In typical fashion also, fixes, add-ons, extensions and myriad different technical adaptations of the original mail protocols have been applied to keep bad human behaviour and exploitation (and that's the heart of the problem really) at bay.
At the end of the day, it is a very hard job to keep emails clean and safe. I think we have to start questioning whether it’s viable or even worth the effort to keep breathing life into email.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
Original Article appeared in CSO online in 2014
A voice in Mainstream media on NBN
Last Thursday, Renai LeMay, a well-respected national IT journalist who writes for Delimiter, paid me a kind and very generous compliment in one of his articles.
The article was a commentary on a radio interview I did with Tom Elliott on 3AW the night before. I was called by Elliott's producer a couple of hours beforehand and was asked if I knew anyone they could talk to who had been hooked up to NBN fibre. All of my senior tech team was but they all ducked for cover!
I was asked if I would go on and I said yes, as we had helped a number of clients set up their connections. I will concede that what really got my interest was a comment made by the producer about this $233 billion build figure for FTTP that had been thrown around in Mainstream Media (MSM).
I got to talk to Tom just after 5pm. I have done the occasional interview on 3AW in the past before and whilst I am always nervous about these things on commercial radio, we chatted, I put my views forward and it ended. I thought nothing more of it.
(Given Ballarat's regional positioning and its leadership role in the NBN's rollout in this region. I do get contacted periodically by mainly regional media to provide an opinion on things. I have been around long enough for people to know that they can usually squeeze a brief and possibly publishable comment out of me if they are stuck for a technical input. And I have been privileged to have been invited to a weekly guest spot with presenter Steve Martin on ABC Ballarat where we get to talk with people about technology and the Internet.)
Renai DM'd me via his Twitter account the next afternoon saying he'd heard the interview on 3AW. I was a little chuffed that someone like Renai had listened to it. But then my Twitter account started going off on my phone and I was soon to learn the reason why. Renai's article had gone live.
The reason I felt it was important to follow on with this post is that Renai has (as always!) made some significant observations about MSM. I guess this particular interview stood out because the majority of other people being interviewed on Elliott's show were not from the industry and as far as I could work out, had a tendency to make uninformed comments about what the NBN was really all about and how it actually worked. Left uncorrected, such commentary can and does compound the festering misconceptions about this important project.
Renai has pointed out that what happened in the interview was comparatively rare; he was celebrating the fact that someone had been called up to give a view from the technologist's side of things.
So what's the point here? It's plain and simple. There are plenty of people like me, in fact many more experienced, more talented and importantly * younger * than me, who are able to lend their voice to the media and assist in educating and informing. I am still scrolling through the many of you who contacted me on Twitter since Renai's article and it is patently clear from the brief profiles that you're out there :-)
I'd like to take the opportunity that Renai has afforded me to encourage you to do the same as me and some of my very talented colleagues on the board of ISOC-AU (we're all volunteers); occasionally step out of your comfort zone and instead of cursing at an uninformed comment you hear on the radio, consider what you're hearing and perhaps consider picking up the phone and seeing if you can add your voice to the debate, in a calm, objective and informed manner.
It is scary talking to people live, especially in the bull pit of drive time radio. I get nervous as hell every time. But it's really about having a one on one conversation with the presenter. As many of you pointed out to me on Twitter (thank you) it's about explaining things in simple plain English. If more of us were a little braver and did this, we would at worst, chip away at that unwelcome block of misconceptions and misinformation surrounding broadband and the NBN in this country. It's not about politics or sides, or even which technology we like better; it's just facts, science and experience.
If there are any main stream media stations reading this blog out there, please know that there are plenty of people like me with a little bit of shareable knowledge about NBN, it's technology and it's benefits, complexities and challenges. As Tom Elloitt's producer did, you can seek us out and we do generally respond positively and constructively. As I've indicated above, if you look through my twitter account, I think you will find a diversity of people with a diversity of knowledge and expertise, who are willing to share ... in plain English :-)
Once again Renai, thank you for your article. It's given me another chance to say something that is hopefully constructive, and it has given validation that we are heading in the right direction in doing what we do when we talk to MSM about the NBN.