Saturday, March 12, 2005

Email Privacy: No more baba...

The pakistani government has finally accepted the fact that it scans and stores all emails sent to and from pakistan for security reasons. The statement was made in the National Assembly this friday upon answering a question repeatedly put up by Muhammad Pervez Malik; a member of the National Assembly.

The CIA in the US is known to be doing the same to keep an eye on any upcomming security threats. After reading an article on SecurityFocus regarding email scanning, I now agree to the fact that the job carries a cosiderablly high price tag. I wouldnt disagree to know that the price is something near to a $100 million a month.

Well incase you are wondering how secure your email really is, its "zero" secure under normal conditions of our country.

The most vulnerable email addresses to date are the local POP3 addresses. Some of the following accounts are the easiest to trace for the government (infact anyone even working there) as they do not have a proper IS Security policy in place. Dont be surprised if you see one of your emails in the hands of a sweeper who happens to work there.

MOST Vulnerable (Local POP3s/SMTPs)

Many of us usually prefer to send the larger emails quickly by switching to our local ISPs SMTP, which normally doesnt ask for authorization if you are their custommer. But is it really secure enough? There is a 99% chance that it goes to the government too if you use the local SMTP.

However only a fraction of the internet users of this country use these POP3/SMTP accounts. They are mostly seen used at places where people dont have a permanent connection to the internet. So Rural and sub-urban places of the country have the most usage for these accounts. And atleast I wouldnt expect Osama Bin Laden to hide in the Karachi Marriot hotel! He would rather, goto a low profile area.

Most of the remaining crowd would stick to their hotmails, yahoos, gmail or any other web based email systems... Is it secure?

Yahoo Mail

Now thats a 50-50... When logging in, Yahoo Mail gives you an option to keep your entire session in SSL (Secure Socket Layer). SSL makes your connection extremely SLOW because of the heavy encryption going on, however if you use this option, there is not chance of anyone being able to read whats being sent and received from your Yahoo Mail. Only you, God and Yahoo would know whats in. (I havent seen anyone using this option to date but still its available).

Hotmail

I havent used hotmail that much, the last time I logged in was In 10th grade (6 years ago). I didnt have a hotmail account since then. But I registered this one to see if its supports SSL. The funny part about hotmail is that it does secure your login procedure (that means General Musharaf would not get to know your password). But he can read your emails. As Hotmail only secures the connection when u login, after ur in, hotmail invites Baba Musharaf to read your mail (Yes a copy is cached with baba Musharaf) as the communication after login is not secured.

GMAIL

The case of GMAIL is the same as Hotmail. It secures your login procedure using SSL (baba musharaf cant read ur password). But he gets what he needs, since gmail also doesnt encrypt your inbox/emails after ur logged in. So again a copy is most probably cached at the National Security Storage centre (Whatever that maybe).

It is not that GMAIL, Hotmail and Yahoo cant secure their connection. It simply descreases the loading speed by upto 10 times! Imagine If it takes you 3 seconds to login, it would take 30 seconds with an SSL connection. Security concious people always use the "Secure logon" option of Yahoo! Mail. Gmail and Hotmail should also provide similar options

My Choice for email security

  1. GMAIL POP3/SMTP (Check this) using ports 995 and 465/587 for POP3 and SMTP respectively
  2. Yahoo Mail with SSL login (Click Secure before login)

Yes, thats GMAIL POP3/SMTP on number one. The GMAIL's POP3/SMTP mail is the most secure email ive seen to date (unlike its web based counterpart). The GMAIL POP3/SMTP uses SSL even on POP3/SMTP connections and gives you the ease to manage your mail from Mozilla Thunderbird, Outlook, Incredimail or any other client...

posted by yasirmemon at 3/12/2005 01:13:00 PM

6 Comments:

Blogger Teeth Maestro said...

real good investigative reporting - I myself always had thought our givt logged all messgaes but looking at their effcinecy I really doubt they know how to effciently filter through all the messages more chances are it will get lost in the clutter og information.

It really has me worried - if these email are passed onto the US for allowing them to watch all pakistanis.

3/12/2005 10:43:00 PM  
Blogger S A J Shirazi said...

But are "they" capable of doing that? What happened to porno site blocking. . .

3/12/2005 11:42:00 PM  
Blogger Teeth Maestro said...

Porno site fiasco - that failed big time - but they did manage to block South Asia Tribune for some time.

They try to do it but how much can they accomplish is the question - I think they 'wish' to log all emails in and out of Pakistan but do they have the technology to store (hard disk may be cheap) but to filter through the data is no small task try going through 100 emails in your inbox its a nightmare in itself.

3/13/2005 12:31:00 AM  
Blogger yasirmemon said...

The government has already had a very bad track record of managing its NADRA database. I hope the emails archive doesnt end up in a datawarehose run on something like Teradata!

Since the statment has issued in the National Assembly, be it on purpose or by mistake. The fact stands that all emails by Pakistani citizens are being monitored.

Filtering something from an already stored email archive might be a difficult task. But if any monitoring is taking place it has to be through simple filters applied at run time. E.g. Filter out only emails containing the word "Bomb"...

Probably something like the filters we use in our email accounts ourselbes.... Tracing a few suspicious words and archiving such coppies wouldnt be no big deal, that too at a time when Pakistan has all the support it can have from the US.

I wonder how the government plans to track people who send emails using different encryption algorithms. Would they install key loggers on all the PCs in Pakistan?

3/13/2005 03:09:00 AM  
Anonymous Anonymous said...

Hi Yasir,

Read the story in Dawn and also your post with great interest. I am actually doing a story on the subject and was wondering if I could ask you a few questions related to it because you are running a software company and would certainly know more about it. Btw what is the name of your company? (hope I'm not prying :))

3/30/2005 05:23:00 PM  
Blogger yasirmemon said...

Yes, sure you may direct me your questions to

"ysm at aqualyzer dot com"
(Make sense out of it, it's an email address)

3/30/2005 11:05:00 PM  

Post a Comment

<< Home