"Everything Else Is Insecure"
Meet Nomx.
The "patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol." This innovative protocol is delivered to you via a physical device that "allows users to transmit and receive secure communications using traditional email or messaging client."
Nomx: Everything else is insecure
Would you buy this product? Think it over... I'll wait.
What if I told you that inside that Nomx box was a Raspberry Pi? Are you still impressed? Okay, and then... what if I told you Nomx's special protocol was outdated versions of Postfix and Dovecot running on Raspbian?
Are you beginning to understand where I'm headed now? If you guessed "Nomx is full of sh**", you guessed correctly. Scott Helme, a UK-based security researcher, was asked by the BBC to examine the Nomx device because a lot of people were getting pretty excited about it. The company was claiming that they were the most secure because Google and Yahoo had already been hacked, and they could guarantee that users' emails wouldn't be hacked. Scott Helme found that Nomx was largely underwhelming. I won't rehash it all here, but if you're interested, check out his write-up on his blog.
"SSL's that actually protect you are very expensive and have a long process"
Next up: shortly after the ISP legislation, everyone began to seriously consider using VPNs for all of their browsing needs (except for Netflix). During that period of time, a company called MySafeVPN popped up to get in on the action. There were a few problems here. The first problem is that MySafeVPN presented itself as an affiliate of another company called Plex. Plex vehemently denied having any ties to MySafeVPN.
Crazy? It gets crazier: MySafeVPN's billing site (which oddly took you to myvpnhub.com) was not secure. A lack of HTTPS on a VPN site doesn't inspire confidence. The quote above was their response when asked about the missing SSL certificates. Well, things went downhill from there. Turns out Plex had a data breach a few years ago that revealed email addresses, so that explains how Plex customers all received an email saying this new VPN service was associated with Plex. The whole ugly situation devolved into a Twitter battle between security researchers and MySafeVPN, a racial slur, and a sketchy phone call.
You can read about it on Troy Hunt's blog. MySafeVPN's Twitter account is now suspended (probably because of the racial slur or the lying and using stolen email addresses to promote their business, it's hard to tell).
Nothing is 100% Secure
Companies, like Nomx and MySafeVPN, rely on the fact that you more than likely have no idea how encryption, networking, hacking, etc. works. They throw together a bunch of really technical terms that sound like they make sense and pray you can't tell the difference. ("Our billing site doesn't need SSL because we actually send that traffic back through our own VPN encrypted hyperloop tunnel" Did I do it right?). They feed on your fear that you can be hacked at any moment while telling you that you're powerless unless you buy their product.
Don't be fooled by their claims; there are things you can do to avoid being tricked into buying mediocre security services:
- Do your research on a product before you buy it. Chances are someone (probably a security researcher) has already reviewed it and written about it.
- Don't trust any company that says it wrote its own encryption algorithm. Seriously. Just don't. Ever.
- Be wary of any company claiming to be the World's Most Secure anything. The truth is, 100% security is a myth, and anyone who tells you otherwise is playing you like a violin.
We have this saying in security, "It's not a matter of 'if', but 'when'" when we talk about a hack or a data breach. It happens to everyone, both companies and individuals, on differing scales and differing degrees of impact. In your personal life and at work, you are your best defense against a breach. Taking the time to inform yourself of a risk before taking action is the best way to protect yourself.
Check out Matt Kiser's The Normal Person's Guide To Internet Security for tips.
Top comments (9)
Very good article. In addition to shady companies preying on uninformed people, I think we also see legitimate companies using security as an excuse/catch-all. You can't paste passwords because security. End of discussion. All facts not provided by us are now irrelevant, because security.
Then there's HP that sent out a "security update" (I have no idea whether it really had security improvements or not) that made their printers no longer accept non-HP ink cartridges.
Loud shouting of "security" is often a sign of a hollow argument.
I use security as an excuse to not have to support old browsers.
Security has become the digital equivalent of "won't someone think of the children!"
Good article. It's very true as well. Most people can be safe from about 90% of threats out there by changing some behavioral habits. Use a decent password manager, only pass info to websites with a certificate, keep your computer and antivirus up to date. Delete emails from sources you don't know or weren't expecting anything from, use two password authentication on every account that will allow it. Plus many more.
Interesting to know this ain't happening only in our part of the world.
Some years ago, someone claimed he had built the "first African OS" and the "first African Browser". This someone was even referred to as the "Mark Zuckerberg of Africa" by Forbes (the article was written by someone in search of the rich in the world).
This same person was later touted as "Larry Page" of Ghana.
Recently, another person rose up claiming to have built a 'Search Engine' that will be a Google and Yahoo and YouTube Killer.
The last I checked, YouTube has NO RIVAL anywhere in the world, and yet, a sociology student from a mass-production-graduate university somewhere in West Africa claims to have built something to rival YouTube, Google, and Yahoo combined! That must be some balls there!
In fact, it was just a metasearch engine. This so-called search engine accumulated millions of subscribers in just a short period of time.
To the extent that this TV presenter, who had/has NO idea what he's talking about, took up the false mantle!
My point is, considering the growing number of dumb people in the world, individuals and businesses are gonna exploit them via tergiversate terms, and throw dust in their eyes more and more.
Unfortunately, the end game is always that, those who try to shine a light on it are considered 'Jealous' and 'haters'. I've been called a Naysayer once!
In our part of the world, many have, through this means, made headway into levels unscrupulously. Of course, their lies will carry them ahead a bit, but their deeds will fell them.
We are lucky because we know stuff, working in the field.
Like Neil deGrasse Tyson said, being literate helps you keep the bullshit away.
I can't expect non-tech people to know the difference between a VPN and WiFi or hashing, but when they have questions they can do research. They first appeal to someone more technical; hopefully that guy is not so biased and can guide them to other resources.
That's what "health" companies, programs, and authors do too! Except with biology and pseudo-science.
This is a great article, and you dove into just the right amount of technical detail to make this accessible for a broader audience. Time to give this article to a few people I know. :)
Because I am a reflexive contrarian to any absolute statement, wouldn't Open Whisper Systems / Signal be a good exception to this rule? Or do they not count because they're not asking for your money?