Antoinette Maria
Hi, I'm Antoinette, but my friends call me Toni. I work in network security for a financial institution and run a non-profit called Reboot Iowa to promote technical literacy.
Meet Nomx.
The "patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol." This innovative protocol is delivered to you via a physical device that "allows users to transmit and receive secure communications using traditional email or messaging client."
Nomx: Everything else is insecure
Would you buy this product? Think it over...I'll wait.
What if I told you that inside that Nomx box was a Raspberry Pi? Are you still impressed? Okay and then...what if I told you Nomx's special protocol was outdated versions of Postfix and Dovecot running on Raspbian?
Are you beginning to understand where I'm headed now? If you guessed "Nomx is full of sh**", you guessed correctly. Scott Helme, a UK-based security researcher, was asked by the BBC to examine the Nomx device because a lot of people were getting pretty excited about it. The company was claiming that they were the most secure because Google and Yahoo had already been hacked, and they could guarantee that users' emails wouldn't be hacked. Scott Helme found that Nomx was largely underwhelming. I won't rehash it all here, but if you're interested, check out his write-up on his blog.
Next up, shortly after the ISP legislation everyone began to seriously consider using VPNs for all of their browsing needs (except for Netflix). During that period of time, a company called MySafeVPN popped up to get in on the action. There were a few problems here. The first problem is that MySafeVPN presented itself as an affiliate of another company called Plex. Plex vehemently denied having any ties to MySafeVPN.
Crazy? It gets crazier: MySafeVPN's billing site (which oddly took you to myvpnhub.com) was not secure. A lack of HTTPS on a VPN site doesn't inspire confidence. The quote above was their response when asked about the missing SSL certificates. Well, things went downhill from there. Turns out Plex had a data breach a few years ago that revealed email addresses, so that explains how Plex customers all received an email saying this new VPN service was associated with Plex. The whole ugly situation devolved into a Twitter battle between security researchers and MySafeVPN, a racial slur, and a sketchy phone call.
You can read about it on Troy Hunt's blog. MySafeVPN's Twitter account is now suspended (probably because of the racial slur, or the lying and using stolen email addresses to promote their business; it's hard to tell).
Companies like Nomx and MySafeVPN rely on the fact that you more than likely have no idea how encryption, networking, hacking, etc. work. They throw together a bunch of really technical terms that sound like they make sense and pray you can't tell the difference. ("Our billing site doesn't need SSL because we actually send that traffic back through our own VPN encrypted hyperloop tunnel." Did I do it right?) They feed on your fear that you can be hacked at any moment while telling you that you're powerless unless you buy their product.
Don't be fooled by their claims; there are things you can do to avoid being tricked into buying mediocre security services.
We have this saying in security, "It's not a matter of 'if', but 'when'" when we talk about a hack or a data breach. It happens to everyone, both companies and individuals, on differing scales and differing degrees of impact. In your personal life and at work, you are your best defense against a breach. Taking the time to inform yourself of a risk before taking action is the best way to protect yourself.
Check out Matt Kiser's The Normal Person's Guide To Internet Security for tips.
Very good article. In addition to shady companies preying on uninformed people, I think we also see legitimate companies using security as an excuse/catch-all. You can't paste passwords because security. End of discussion. All facts not provided by us are now irrelevant, because security.
Then there's HP that sent out a "security update" (I have no idea whether it really had security improvements or not) that made their printers no longer accept non-HP ink cartridges.
Loud shouting of "security" is often a sign of a hollow argument.
I use security as an excuse to not have to support old browsers.
Security has become the digital equivalent of "won't someone think of the children!"
That's what "health" companies, programs, and authors do too! Except with biology and pseudo-science.