whir blogs

Email security for the end user

First off, I would like to apologize for the delay in my posting; things have been manic in my world, but I am shifting back onto track.  I would like to talk today about offering security to users.  I'm not talking about strong passwords or viruses, I'm talking about encryption.

Is it possible for hosting companies (especially those based in the US) to offer real encryption to the end user?  With all of the issues circulating in the news these days about the current administration and the US government agencies, this has to have an effect on the hosting community.  I know personally it has an effect on what I do and the way I do it.

If you were to offer encryption to your end users and clients, how far would you be willing to go for them should their information become of interest to certain agencies?  Is it worth your business to stand for this?  Is it a larger issue than business?  Is it easier to just not offer it so it doesn't have to be dealt with?  Do you think it should be offered so the data can be obtained?  All of these are simple questions that have not so simple answers.  I feel each of us has to reach pretty far down to reach a decision about this; it is most certainly not material that is to be taken lightly.

Is it OK to allow your clients and end users to use encryption at all?  What if you offer an email service that has POP or IMAP access?  Will you allow your users that use Outlook, Apple's Mail utility or Thunderbird to use one of the plugins available to encrypt and send their messages?  Would you encourage this?  What are the implications of this kind of offering?  Are you really passing the responsibility of this on to your end users if you choose this route?  The actual messages are not the only thing that is usable when it comes to retrieving data.

So this was more of a precursor to what I want to talk about in the next couple of weeks.  Loads of questions just kind of thrown out there to put some ideas into some heads so we can maybe create a dialogue about what's going on.  I'll continue next week with a more complete look into just what is available for use by people that want to extract information, and what may be a good idea and what may not be if you want to play this game.  If there is anything specific around this topic you may want to discuss or see looked into, please let me know.  This is something that is of great interest to me and something I think all of us should be aware of.

Thanks for listening....

 

JB 


Who is this Google person? and just what does he want..........

How many of you reading have a gmail account?  OK, maybe it would be easier to ask how many of you don't have a gmail account?  Pretty much what I thought.  Most everyone I talk to has a gmail account (at least one) and a good number of them use this exclusively. Do I have a gmail account? :-$ Yes, I am actually slightly embarrassed to say I do.

I have been using Google for finding information since it was first available.  I absolutely love having that kind of information at my fingertips.  But I really think this comes at a cost.  Now I can have a Google email account, a Google calendar, a Google home page and a slew of other offerings.  Now whenever I search for something I get a small pit in my stomach as I see the targeted ads on the right hand side of my browser window get closer and closer to accurate.  The first time I noticed that the content of these ads changed if I was logged into my gmail account, I created a script on my machine that ran in the background and alerted me every ten minutes to the fact that I didn't log out.

Now comes the era of the corporate level Google hosted solutions.  Yeow!  This is the reason I don't get supermarket and hardware store discount cards.  At some level, this presents an obvious conflict.  How is it that I can be sooooo eager to love the information at my fingertips and yet cringe at the amount of data they are accumulating?  It could be that I can just bend the story to fit my mold, but I see a very defined line between reading a post in a forum about SMTP servers that I find linked to in Google and getting bombarded with ads for washer and dryer combos because I had an email conversation with my mother about getting a new washing machine!!!

Google's offerings work, the plain and short of it.  Their calendar is what most people are looking for in a calendar, their storage restrictions are almost not there, they are always online, and they provide hooks into their stuff so others can develop plug-ins and such.  Working in the email industry, I see all of these things as having a positive spin.  This has certainly raised the bar for what the end user expects in their web experience.  This certainly drives me and I would hope others (especially in the hosting industry) to produce a product that makes someone go "Yes!  That is just what I was looking for" when it comes to a web based offering.  This is the positive spin; the negative side of this seems obvious to me......  er.....  WHY DO THEY WANT ALL OF THIS DATA?

Money?  Power? Both? Maybe they just want to offer a quality service to better the well being of all humans?  Only they really know and we can only speculate.  You can read many many online (as well as print) articles about Google and the government being in bed together.  I'm not so sure I buy this.  What concerns me more is that they are in direct competition with some of those three letter governmental agencies.  In my opinion, this should plainly scare the hell out of all of us.........

I am going to continue to use Google for finding data online and occasionally for testing some email setups, but I am going to continue to be cautious about the information I give out.  There is certainly something larger going on here.  I urge the rest of you to do the same.

Thanks for listening...

jb


Attachments of Doom ("Ok, I just emailed you our wedding video.")

Initially tonight I was planning to write a bit about the need to improve email services in terms of scalability, redundancy, and performance given today's demanding environment and increasing email volume. As I was thinking about how to approach such a topic, it became clear to me after a moment of cat inspired meditation, that this was a pretty broad topic to try to cover in one post. (In case you were wondering, cat inspired meditation can happen when the cat has wandered across one's power strip button. At this time, one may find herself on her hands and knees, under the desk, thinking about life and small fur hats.)

So I started thinking about email volume. After returning from under the desk, I ran across many websites predicting that email volume will only be increasing more in the next few years. Every day more and more businesses depend on email communication. More and more people receive electronic billing statements, use email based support, get email confirmations for online purchases, and so on. However, what really struck me was how many websites are predicting that beyond this, a big problem in the future of email will have to do with increasing attachment sizes.

More and more people and businesses want to use email to send each other videos, large presentations, PDF manuals, software demos, and so on. Some websites predict that soon people may well expect to be able to send 200MB attachments, or possibly larger, via email. I have started to see this more and more lately myself. At @Mail, we regularly have requests from customers for ways to tune the system so that they can send larger attachments than the default of 16MB. Also, many of the companies that I have consulted for have requested large attachment support.

This is a huge nightmare from an administrative point of view for many reasons. Here are just a few, but the list goes on and on (really, I could rant about this for hours.)

  1. Email is really not designed to be effective as a large file transportation system. SMTP carries attachments as base64 text, which adds about a third to their size, and every hop stores and forwards the whole message before passing it on. It was not built for this, and no one who writes SMTP servers is interested in changing it, for many good reasons.
  2. Sending a large attachment, especially to a lot of people, generates a huge amount of load on an internal network.
  3. Often, an SMTP session will time out before an attachment of a very large size finishes transferring, at either the sending or the receiving end.
  4. Most mail servers out there have limits to attachment sizes for incoming messages, so even if you allow and tune your systems so that users can send large attachments, the mail may be rejected.
  5. The sender may inconvenience a receiving party who is on a limited speed connection trying to download their email, especially if that person is paying on a per bandwidth basis.
  6. If the mail server accepts really large attachments, it becomes massively vulnerable to DoS (denial of service): a handful of senders pushing huge messages can fill the queue disk and tie up every SMTP connection slot and virus-scanner process.

Despite all of this, many businesses still really want to have some way to email around large files, and do not want to bother with setting up an FTP site, or some other sort of secure file sharing tool. You can explain to people why this is a bad idea until you are blue in the face, but it does not change the fact that from a user-friendly point of view, people would really like the process of sending a file to be as simple as putting it in an email message.

A few companies are now starting to provide appliance solutions that sound like a nice way to strike a compromise that will keep end users happy, and avoid all of the problems of sending huge email attachments. These appliances essentially grab large attachments from emails after the user has sent them, and replace them with a secure download link, so that the email going out is just a link that the receiver can click on to download the attachment. All this happens transparently to the sending users, and makes it really easy for everyone involved. Accellion and Intradyn are examples of companies selling such appliances, but I am sure there are others.

I did some more searching, but so far have not found any open source software solutions that someone could put to use to accomplish this task yet. It would not be that difficult of a thing to do with a SMTP proxy and some exciting plugins, or possibly even with a simple script that messages get sent to when they are over the attachment limit set in the MTA.
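As an added example (my own illustration, not code from the original post or from the appliance vendors named above), here is the "simple script" approach in Python: parse the outgoing message, move every attachment part over the limit into a download store under a random token, and replace the part with a short note carrying the link. The download URL prefix, the on-disk store directory and the sample wedding-video message are all constructed for this example; a real deployment would hook this in as a content filter after the MTA accepts the message and serve the store over HTTPS with the token as the capability.

```python
"""Added example: strip oversized attachments from an outgoing message and
replace them with a download link. Not code from the post; the URL prefix,
store directory and sample message are constructed for illustration."""
from __future__ import annotations

import hashlib
import os
import secrets
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DOWNLOAD_URL = "https://files.example.com/dl/"   # hypothetical download front-end
LIMIT_BYTES = 16 * 1024 * 1024                   # the 16MB default the post mentions


def detach_large_attachments(raw: bytes, store_dir: str,
                             limit: int = LIMIT_BYTES) -> tuple[bytes, list[dict]]:
    """Parse a raw message; move every attachment whose decoded payload
    exceeds `limit` into `store_dir` under an unguessable token and replace
    the part with a text note carrying the link and a SHA-256 of the file.
    Returns (rewritten message bytes, records of what was detached)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    detached: list[dict] = []
    if not msg.is_multipart():
        return raw, detached                      # nothing attached: pass through
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        payload = part.get_payload(decode=True)
        if payload is None or len(payload) <= limit:
            continue
        token = secrets.token_urlsafe(24)         # 192-bit capability in the URL
        with open(os.path.join(store_dir, token), "wb") as fh:
            fh.write(payload)
        record = {
            "filename": part.get_filename() or "attachment",
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "url": DOWNLOAD_URL + token,
        }
        detached.append(record)
        # Swap the heavy part for an inline note. clear_content() drops the
        # Content-* headers, including the attachment disposition.
        part.clear_content()
        part.set_content(
            f"The attachment {record['filename']} ({record['size']} bytes) "
            f"was too large to send by email.\nDownload it from:\n{record['url']}\n"
            f"SHA-256: {record['sha256']}\n"
        )
    return msg.as_bytes(), detached


def build_sample(video_size: int) -> bytes:
    """Constructed sample message (not real traffic): a note, a big 'video'
    of random bytes, and a small text attachment that should stay inline."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.net"
    m["Subject"] = "Our wedding video"
    m.set_content("Here is the video from the wedding.")
    m.add_attachment(os.urandom(video_size), maintype="video", subtype="mp4",
                     filename="wedding.mp4")
    m.add_attachment("Seating plan and notes", filename="notes.txt")
    return m.as_bytes()


def summarize_parts(raw: bytes) -> list[tuple[str, str | None]]:
    """(content type, filename) of every leaf part: what the receiver gets."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]


def demo(video_size: int = 4096, limit: int = 1024) -> dict:
    """End-to-end run on the sample with a tiny limit so it is instant."""
    store = tempfile.mkdtemp(prefix="detach-")
    rewritten, detached = detach_large_attachments(build_sample(video_size), store, limit)
    stored_ok = all(
        os.path.getsize(os.path.join(store, r["url"].rsplit("/", 1)[1])) == r["size"]
        for r in detached)
    return {"detached": detached, "parts": summarize_parts(rewritten),
            "stored_ok": stored_ok}


if __name__ == "__main__":
    print(demo())
```

The token is 192 bits from `secrets`, so the link cannot be guessed, but anyone who obtains it can fetch the file; the SHA-256 in the note lets the receiver verify what they downloaded, and an expiry on stored files is the first thing to add before putting this in front of real users.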

Hopefully I will have the time to look into this further myself, as I think this would be a great solution for many of my clients. And if anyone reading has already done this, it would be great to hear from you.

My cat and I would be very grateful.

Leah 


Data, who does it belong to?

    So many concerns today about our precious information.  Who has legal rights to what?  How am I going to get my email history if the lawyers get involved? Can they get my information before I can? Can I get my log files too?  Information is too precious to not know the answers to these questions.

    This is the biggest reason I am a proponent of managing your own email system in house whenever possible.  If the computer is in your office (or office building), you know where that information is. 

    The cost vs. benefit for doing this is complicated and, as Leah pointed out, often doesn't make sense for the small business. The cost of consultants to set this up and maintain the system is often high, and keeping up with the best hardware on the market is also a daunting task.  But what happens if you invest your time and money in a less expensive hosted email solution?  Who is running the email hosting, really?  Have you done your homework?  Is your data being stored in a high end datacenter or is it being stored in someone's basement?

   Of course I am fully biased on this issue as I work with email and web software every day, and have access to both hardware and bandwidth.  To me this only drives my point home.  If your information is important to you, you need to step up and be accountable.  Find the kid in the mail room that is spending a couple hours a day playing Zork on company time, give him the latest linux distro and see how it goes!  OK, this may be the opposite end of the spectrum..... 

     My point is do your homework and find the right solution for your business.  To not think about how you're going to get your information if you need it is irresponsible.  For many a hosted solution is going to be the best solution.  I just think if you can manage your email system on your own and still sleep at night, it is worth serious consideration.

 Thanks for listening.

 


Those controlling small businesses (Would you run your email on a 386 DX3?)

Leah, here, reporting from the Great White North (which is currently somewhat rainy and less white than usual.)

Today I would like to say a few words about email systems and small business. As a consultant, I have worked with a number of small businesses who are still running servers, often sitting behind DSL or cable Internet connections, to host their own email. Usually this happens for one of the following two reasons:

  • Legacy : Often small businesses have their own email systems, well, because they have always had their own email systems.
  • Control : There is a feeling of control over the email traffic coming into and out of the site.

I realize that I am mostly speaking to a hosting community here, so you may well be wondering where I am going with this. To put it in a nutshell, it is my opinion that most small businesses should run, not walk, to a hosting provider and get their email hosted by a responsible third party. I hope that my perspective as a consultant may provide hosting providers some useful ideas to market email hosting services to the small business. Also I hope to provide insight into what the small business may be looking for, to provide inspiration to email hosts.

Over the years, I have helped many small businesses set up their own email servers, manage spam, and customize them to fit their environments. Eventually, I have helped nearly every customer I have dealt with to move to a larger email hosting provider. Here are the reasons why:

  • Cost : The reality is that it is a good deal cheaper to pay someone else to deal with spam, security, hardware, and other issues these days, than it is for a small business to have to hire a consultant to come in and deal with every single small support issue, every hardware failure, every upgrade, etc.
  • Reliability : A larger host is able to provide redundant servers, off-site backup, and fail-over paths that would simply not be possible for a small business to emulate. The average small business' email recovery plan involves everyone using a Gmail account until the system is back online.
  • Spam Control : A small business is generally not in a position to keep up with the constant updates and tweaks needed to keep ahead of the latest spamming and virus pushers.

In order to maintain a decent quality of service level, the average small business is well advised to move to a managed email solution, provided by a third party. This is pretty obvious.

But the reality is, there are still a huge number of small businesses out there that are not willing to make this leap, despite its obvious benefits. The previously mentioned arguments should take care of most of the small businesses that are still running their own email for legacy reasons. But what about the other companies?

Now we come to the issue of control.

The email hosting company that can give the client a good feeling of control over what is happening is going to really be able to win in this market. People want to be able to add, disable, delete, and otherwise manage email accounts within their company themselves. People want to be able to say that their employees can not use email during certain hours, or possibly that they cannot send email to certain domains. People want to be able to have an archive account where all email in and out of their domain is logged, so that it can be reviewed.

To many of us, this level of control may seem strange, or even illegal, but these are features that would really make the difference for the average small business owner when he considers making the jump to hosted email.


SPAM: .:YOUR PET GOAT HAS WON THE LOTTERY!!!!!:.

Whoa!  I don't even have a pet goat (no matter what Leah may say).......  Every one of us that uses electronic mail has had to deal with spam at some level.  Why does it persist? 

My name is Jason Brown and I will be alternating with Leah to bring another opinion to the world of email and electronic communications.  Stepping out of the office here in Big Sky Country, it is easy to get lost in the world and want to forget all about that growing spam folder eating up disk space and taking valuable CPU and RAM from starving MTA and related processes.  Let's dig in a little and talk about why we even have to deal with it (at least in my opinion).

I see two distinct groups of people in the spamming industry.  I know there are others out there, but I'll stick to just two.

  1. People who allow others to use their bandwidth to send SPAM. 

    These folks are all too eager to accept the large amount of money that is available from people that want to actually send SPAM.  There is no question for this group that providing this service is a good thing.  Not only for their own pocket book, but they actually feel they are providing a quality service.  I had an opportunity to speak with Brian Coppola last spring and within the first 60 seconds of our conversation, he had introduced himself as a "spam king" and wanted to clarify that he was indeed the Brian I had probably heard about.

    How do you begin to do battle with this sort of attitude and thinking?  Taking people's birthdays away went out in the fourth grade, so that is probably not the answer.  Fortunately there have been stricter laws and legislation passed to make the penalty for this behavior much steeper.  This will not stop it.  There is a fundamental change that needs to take place here and it is a much larger problem than junk email.  I continue to give humanity the benefit of the doubt; we'll see where it gets me.

  2. People who take other peoples bandwidth to send SPAM

    This is where I wanted to focus tonight though.  This is a problem we can actually do something about.  I was fortunate enough to hear professor Anthony Joseph lecture earlier this year and he made a number of very very good points.  Things I had seen over and over again and not related to the SPAM industry.  These mostly had to do with passwords.  I know, I know.....  everyone reading this article has implemented strong passwords on the systems they are responsible for.  Right, I said I give humanity the benefit of the doubt; people are another story.  I have spent far too many hours cleaning up messes that could have all been avoided by a password that wasn't "changeme" or "password".

    Script Kiddie [skript] ['ki-dE]

    n. (Hacker Lingo) One who relies on pre-made exploit programs and files ("scripts") to conduct his hacking, and refuses to bother to learn how they work.

    These people are not after the data on your server, they are after the server itself.  This is not an act of attaining bragging rights, this is collecting as much bandwidth as possible in as short of a time as possible to use at a later date and time to make money.  If I am a company that is looking to send out mass quantities of SPAM, this is who I am going to seek out.  I can pay pennies per message and have them broadcast from thousands of machines (who I may add are legit mail systems, thus not blacklisted... yet) across the globe.  I can get my message out quickly and for about half the price of my actual PR firm.

    Setting strong passwords isn't difficult.  It isn't as convenient (I use this term with great caution) as setting it to "corn", but it isn't difficult.  I wish this were funny and that I had pulled those examples from my imagination. Not the case: this is an actual administrator or superuser-level password I have seen in use.  If you can look it up in a dictionary, it shouldn't be used as a password.  If you ignore the built-in password checking utility of your system, please reconsider.  I wish it was as simple as saying "Oh well, you get what you have coming to you".  It isn't; you have taken upon yourself a responsibility, take some pride in this.
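An added example of the kind of check a built-in password utility performs (my own illustration, not the author's code and not pam_cracklib itself): it normalises the candidate password to catch "P@ssw0rd1!" style mutations of a dictionary word, counts character classes, and estimates guessing entropy, then reports every reason a password fails. The word list is a tiny constructed stand-in for a real system dictionary, and the length, class and entropy thresholds are assumptions, not anything the post specifies.

```python
"""Added example: the checks a built-in password utility applies, shown
against the passwords named in the post. Not the post's code; the word
list is a constructed stand-in and the thresholds are assumptions."""
from __future__ import annotations

import math
import re
import string

# Constructed stand-in for /usr/share/dict/words; a real check loads the
# full system dictionary plus breached-password lists.
WORDLIST = frozenset({
    "password", "changeme", "corn", "letmein", "admin", "welcome",
    "secret", "qwerty", "monkey", "dragon", "master", "login",
})
# Leet substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})
MIN_LENGTH = 12        # assumption: policy minimum length
MIN_CLASSES = 3        # assumption: of lower / upper / digit / symbol
MIN_ENTROPY_BITS = 40  # assumption: floor on the naive entropy estimate
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidates(pw: str) -> set[str]:
    """Forms a dictionary word might hide behind: lower-cased, leet-decoded,
    digits/symbols stripped from the ends (in both orders), and reversed."""
    low = pw.lower()
    leet_then_strip = _EDGE_JUNK.sub("", low.translate(LEET))
    strip_then_leet = _EDGE_JUNK.sub("", low).translate(LEET)
    forms = {low, leet_then_strip, strip_then_leet}
    return forms | {f[::-1] for f in forms}


def dictionary_hits(pw: str, words=WORDLIST) -> list[str]:
    """Dictionary words the password is built on, or [] if none."""
    hits = set()
    for form in candidates(pw):
        if form in words:
            hits.add(form)
            continue
        # A longer word making up at least half of the candidate, e.g. the
        # "passwordli" that "P@ssw0rd1!" decodes to.
        hits.update(w for w in words
                    if len(w) >= 5 and w in form and 2 * len(w) >= len(form))
    return sorted(hits)


def entropy_bits(pw: str) -> float:
    """Naive pool-size estimate: length * log2(alphabet in use). It overstates
    dictionary-based passwords, which is why the dictionary check runs too."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    if any(ch not in string.printable for ch in pw):
        pool += 100   # rough allowance for non-ASCII characters
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str) -> dict:
    """Verdict plus every reason it failed; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    n_classes = sum(1 for c in CLASSES if any(ch in c for ch in pw))
    if n_classes < MIN_CLASSES:
        reasons.append(f"uses only {n_classes} character class(es)")
    hits = dictionary_hits(pw)
    if hits:
        reasons.append("built on dictionary word(s): " + ", ".join(hits))
    bits = entropy_bits(pw)
    if bits < MIN_ENTROPY_BITS:
        reasons.append(f"only ~{bits:.0f} bits of guessing entropy")
    return {"ok": not reasons, "entropy_bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for pw in ("corn", "changeme", "P@ssw0rd1!", "Tr0ub4dor&3",
               "correct-horse-battery-staple9"):
        print(f"{pw!r}: {check_password(pw)}")
```

The point of the normalisation step is that "changeme123" and "P@ssw0rd1!" are the same guess to an attacker's wordlist as "changeme" and "password"; a checker that only looks up the literal string lets them through.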

There are plenty of places online to get information about strong passwords, what to do and what not to do.  I would recommend starting where the skiddies are going to start:

  • insecure.org  -- Fyodor knows what is up and his site is full of tools, tips, tricks and links to help.

  • packetstormsecurity.nl  --  this is one place where you can find information about the latest and greatest vulnerabilities out there.  They have an RSS feed.

  • Google  --  if it isn't here, you are most likely not dealing with a script kiddie.  I'm not sure who's bad side you are on, but good luck.


This all falls somewhere between rocket science and common sense.  We all know how important it is to have strong passwords, especially for admin level users.  This is a simple matter of being on the court or in the stands.  Come down out of the stands and start playing ball; it is your system.

Professor Joseph relayed a story about an admin password being posted on a sticky note on the monitor.  This was in a nuclear power plant.  The rationale being that in the event of an emergency (e.g. nuclear meltdown) the last thing they want is to be trying to track down an admin for the system at 2am to get a password to shut something down before disaster.  A good portion of us don't work in nuclear power plants and we don't have armed guards outside our facilities protecting the physical perimeter of our data centers.  We have systems connected directly to the internet and are only trying to keep the lines of communications open for our end users.

Most all of us answer to someone; take pride in your work and in doing so expect your peers to do the same.  Implement the password schemes you know to be right and stand up for yourself.  It isn't difficult to find information online to back up your decision if you feel you need to do so (if you are having issues finding info to do this, please let me know and I'll help you find it).

 Thanks for listening,

 jason


Comply! Comply! - Keep your mail servers off blacklists, avoid being flagged as spam

Alternate title : Making Sure your Email Services are up to Date with RFC Standards

Greetings from the Great White North! This is Leah Kubik, hailing from Canada. Welcome to our first blog posting! I say "our" not (as you may suppose) because I am suffering from the belief that there is actually more than one of me. This blog will be shared by Jason Brown, a fellow co-worker of mine, and myself. Jason and I will be posting alternately, in an attempt to bring mind blowing Email hosting thoughts to you on a regular basis. If you would like to read more about who we are and what we do, please do check out our profile on this site.

So, without further ado, let's move on to the main topic for today.

These days, it seems like every week, large and small Email hosts are having to tighten the screws on their email servers just a little bit more in order to battle against spam and viruses. Generally speaking, having more servers out there tightening their security and policies is a good thing, but if you do not follow some basic precautions on your own mail server(s), valid email from your hosted email domains may start to be flagged as spam or returned, or you may even become blacklisted if your servers are not RFC compliant. Essentially, if your servers do not comply with the various standards surrounding how an SMTP server is supposed to function and be configured, an angry mob of clients awaits you (assuming they are not already beating down your door.)

Why must we be RFC compliant, you may ask? You must comply (insert robot voice here) because most spammers do not. Spammers function by using quick and dirty setups, and by taking advantage of scripts, trojan horses, and any other number of nasty tricks. Because of this, spammers will send email from servers that are often very outdated, or from scripts that simulate SMTP sessions. The spam and virus sources of the world are, for the most part, much more concerned about quantity than they are about quality. Thus, you can distinguish yourself and appear less and less likely to be a spam host to others, by focusing on quality. The easiest way others can identify spam is by determining that the sending end is doing something that a modern SMTP service is not supposed to do. Thus, by being standards compliant, you will be less likely to be mistaken for a spammer.

Here is my list of seven things that you can, and should, do:

  1. DNS : Check http://dnsreport.com for domains that you host. Having your DNS correctly configured for each domain is vitally important! Many email servers will reject mail from your server entirely if your DNS is incorrectly configured. This tool will also check the mail server for the domain with a few basic tests for obvious issues.

  2. SPF : Publish an SPF record in DNS. Large receivers treat mail from a domain with no SPF record with more suspicion, and many will reject or junk mail that fails an SPF check, so the record has to list every host that legitimately sends for the domain (including any third-party service your clients use) or their own mail will start failing. You can find out more about how to do this at http://en.wikipedia.org/wiki/Sender_Policy_Framework and http://openspf.org .

  3. If at first you don't succeed, try, try again : Make sure that your mail server will try to send again if it gets a temporary failure (a 4xx reply) the first time. Many mail servers use greylisting (http://en.wikipedia.org/wiki/Greylisting), and will never let a message through on the first try. If you configure your mail server to give up after one try (possibly to reduce server load), or your SMTP service does not properly handle retries, it is not RFC compliant: mail that cannot be delivered immediately must be queued and retried periodically, and the give-up time should be at least four to five days. http://tools.ietf.org/html/rfc2821#section-4.5.4

  4. Update : Ensure that your mail servers have updated and patched operating systems, as well as that the actual SMTP service or daemon that you use is updated or patched as well. Not only will this protect you from security holes, but older mail software is often not standards compliant and will cause problems.

  5. Do not trust your users : Scan outgoing messages from your server for spam and virus issues. Block messages going outbound that score too high. Limit sending to huge recipient lists. Many people implicitly trust all of their users and do not check their outgoing messages. Unfortunately, accounts are easily compromised due to weak user passwords and viruses. It is all too easy for a mail user to unwittingly send spam and viruses. If you allow too much spam out from your own servers, no matter how valid they are, you will find yourself turning up on blacklists. Usually these blocks are temporary, unless you never do anything about the problem. If the blocks do not go away after making your changes, you will have to spend countless hours trying to contact the blacklist sites that have you listed and working with them to resolve these blocks. They will probably refuse to unblock you if you are continuing to allow spam out from your mail server.

  6. Abuse and Postmaster email : Make sure that for each email domain you host, you have both an abuse@example.com address and a postmaster@example.com address defined (RFC 2821 requires postmaster on any server that relays or delivers mail, and RFC 2142 lists abuse along with the other role mailboxes). These addresses must actually go somewhere useful (such as to your support system or IT staff) so that other administrators can contact you if they find a problem that has to do with your domain.

  7. Open Source : Use an open source SMTP server. Often proprietary software is not RFC compliant, because no one can easily fix small problems. Also, with proprietary software, people often do not upgrade to newer versions as often as they should, because there is a cost associated with each service pack (in many cases.) In general, open source mail servers tend to be more secure, up to date, and standards compliant. If you must go with a proprietary solution, find out from the sales representative what testing the product has gone through to prove its RFC compliance, and whether they have a guide for configuring the server service so that it is compliant.

There are many more things that you can do, but these steps should help point you in the right direction. If you don't know what the proper setting is for something, you can always check and see if the RFC has a recommendation for it: http://tools.ietf.org/html/rfc2821
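An added example for step 2 (my own illustration; not the post's code and not openspf.org's): build the SPF TXT record a host would publish for a domain, then evaluate a connecting IP against it the way a receiving MTA's check_host() does, following RFC 7208 (which replaced the RFC 4408 SPF spec current when this was written) for the ip4, ip6, mx, include and all mechanisms. DNS is replaced by a constructed in-memory table so the example runs offline; the domains and addresses are documentation ranges and are not real.

```python
"""Added example for step 2: publish an SPF record and evaluate a sender IP
against it the way a receiving MTA does (RFC 7208 check_host, reduced to
ip4/ip6/mx/include/all). Not the post's code; DNS is a constructed table."""
from __future__ import annotations

import ipaddress

# Constructed stand-in for DNS so this runs offline. Addresses come from the
# RFC 5737 / RFC 3849 documentation ranges; the domains are not real.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all",
        "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
        "loop.example": "v=spf1 include:loop.example -all",   # deliberately broken
    },
    "mx": {"example.com": ["mail.example.com"]},
    "a": {"mail.example.com": ["203.0.113.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on mx/include/a/ptr/exists terms


def build_record(ip4=(), ip6=(), includes=(), use_mx=False, all_qualifier="-"):
    """Assemble the TXT record to publish. Use "~all" while rolling out and
    "-all" once every legitimate sender for the domain is listed."""
    terms = ["v=spf1"]
    terms += [f"ip4:{n}" for n in ip4]
    terms += [f"ip6:{n}" for n in ip6]
    if use_mx:
        terms.append("mx")
    terms += [f"include:{d}" for d in includes]
    terms.append(f"{all_qualifier}all")
    return " ".join(terms)


def check_host(ip: str, domain: str, dns=FAKE_DNS, _budget=None) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for a
    connection from `ip` whose MAIL FROM is at `domain`."""
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]     # shared across include recursion
    addr = ipaddress.ip_address(ip)
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF record
    for term in record.split()[1:]:
        qual = "+"                      # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name in ("mx", "include"):
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"      # too many DNS-querying terms or an include loop
            if name == "mx":
                hosts = dns["mx"].get(arg or domain, [])
                if any(ipaddress.ip_address(a) == addr
                       for h in hosts for a in dns["a"].get(h, [])):
                    return QUALIFIERS[qual]
            else:
                sub = check_host(ip, arg, dns, _budget)
                if sub == "pass":
                    return QUALIFIERS[qual]
                if sub in ("none", "permerror"):
                    return "permerror"  # RFC 7208 section 5.2: included domain needs a record
        else:
            return "permerror"          # a, ptr, exists, exp, redirect not handled here
    return "neutral"                    # ran off the end with no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.25", "198.51.100.7",
               "2001:db8::1", "198.51.100.200"):
        print(f"{ip:16} -> {check_host(ip, 'example.com')}")
```

Two things the run shows that the prose above only hints at: a host covered by an include whose own record ends in "~all" still gets the outer record's "-all" when it does not match (198.51.100.200 fails outright), and a record that includes itself exhausts the ten-lookup budget and returns permerror, which most receivers treat as harshly as a fail.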

Happy improving! System administrators around the world thank you.

 
 


  © Copyright Web Host Industry Review, Inc.