This past weekend, I had to take a long road trip to help somebody with an interstate move. As I often do when I’m struggling to keep my eyes open after many hours on the road, I tuned in some talk radio. As luck would have it, I managed to catch a half-hour or so of Glenn Beck’s daily radio program. On this occasion, Mr. Beck was spending a good portion of his time selling a new e-mail service — one which he claimed would “never, ever, ever” surrender any content to Uncle Sam unless the government first came armed with a warrant. For this privilege, Mr. Beck expected listeners to subscribe to his TV channel, for the modest annual fee of $99.95.
Let me make one thing perfectly clear: I am not writing this blog post to discuss Glenn Beck’s politics, or even his (considerable) marketing acumen. No, I’m reserving my precious blog column-inches to call Glenn Beck out for something that is well within my professional wheel-house: the fact that he is misinformed about how e-mail service providers are actually obligated to work with law enforcement, and, more importantly, the fact that he is not helping in the effort to get the NSA out of America’s e-mail inboxes.
To be fair, Glenn Beck is promising one thing that is under his control (though there are any number of e-mail service providers who offer it without the $99.95/yr price tag): that his service will not scan its customers’ e-mail accounts for the purpose of serving ads that match content included in those e-mails. However, Mr. Beck’s other claim — that his e-mail service will only yield to government inspection upon presentation of a warrant — well, let’s spend a moment looking at that more carefully. We’ll start by examining how Glenn Beck himself describes his offering, in a recent online “broadcast”:
(Note: I’m not going to provide any links to Beck content in this blog post. It’s easy to find plenty of Glenn Beck-sanctioned information about his e-mail offer with a simple web search.)
Beck says: “Everybody is scanning your e-mails, so they can… target you for the Feds…”
We say: The NSA scans a portion of all internet traffic, large enough that it could possibly contain most or all e-mail traffic sent inside the United States. This is being done without the consent of ISPs, web hosts and other e-mail providers. In addition, all e-mail service providers/web hosts are required, by law, to surrender any e-mail content they may have if they are served with a warrant by law enforcement. In fact, as detailed by our COO, Christian Dawson, in this post, there are circumstances where law enforcement can force e-mail service providers to hand over your old e-mails without a warrant. You cannot avoid the NSA scanning, or law enforcement searches, no matter how much you pay Glenn Beck.
Beck says: “The NSA and Google (scan your e-mail), and they’re in bed with each other.”
We say: Beck is conflating things here. Gmail does scan its users’ e-mail accounts, in order to serve them with targeted advertising — which they see as the price users of its e-mail service pay to get Gmail for “free.” Separately, documents released by Edward Snowden suggest that the NSA has been eavesdropping on e-mail traffic headed into and out of the Google network, completely unbeknownst to Google. In addition to that, Google, like all e-mail service providers, is required by law to respond to warrants and legal, warrantless requests requiring them to share e-mail content, if they have any. These things are not related to one another.
Beck says: “We’re not surrendering any lists, any emails, anything, without a warrant…”
We say: As I mentioned before, there is nothing Glenn Beck can do to prevent the NSA from “reading” his customers’ e-mail, or to avoid legal warrantless demands for old e-mails — so there’s not much to that promise.
So what’s the takeaway here? If you want to protect your e-mail from unlawful inspection by the government, sending Glenn Beck $99.95 won’t accomplish anything. But a few minutes of your time might. Our COO has written two recent blog posts about things you can do that won’t cost you a dime, and could make a huge difference: supporting the USA FREEDOM Act and keeping abreast of developments surrounding ECPA. Do yourself, and your country, a favor by checking these posts out and contacting your congressmen to urge their support as required. Glenn Beck is right about one thing: unauthorized, extra-legal snooping into e-mail accounts is unethical, un-American, and just plain wrong. We just wish he would use his considerable influence to help change things for the better.
In a previous article, SSH Key Authentication, I explained how to generate an SSH key so you could automatically log into your server instead of using a password. This is convenient for you (no more typing the password) and very inconvenient for potential hackers. If you turn off password authentication (because you’ll no longer need it), no amount of password guessing will let a hacker in.
The previous article showed you how to add the key to your cPanel server, but what if you’re not running cPanel? Don’t worry, the process is just as easy for no-panel servers. I’ll show you how.
Adding the Key Read more
The USA FREEDOM Act: NSA Data Collection, the Escalation of Encryption, and Curbing the Digital Arms Race
On October 29, 2013, the USA FREEDOM Act was introduced to end the mass gathering of phone record data by the NSA.
H.R.3361/S.1599 is a bipartisan effort authored by Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, and Rep. James Sensenbrenner Jr. (R-Wis.) that seeks to curb the mass targeting of communications by American citizens by clarifying the language in Section 215 of the USA PATRIOT Act.
How does this affect you?
ServInt supports the USA FREEDOM Act because the same limitations that the bill places on the phone surveillance activities of NSA apply to other forms of communication, specifically Internet traffic. Not only should this bill get the NSA out of your phone calls, it should get them:
• out of your inbox
• out of your search history
• out of your text logs Read more
A great way to keep potential threats at bay and make your server more secure is to employ TCP Wrappers. TCP Wrappers are a form of access control you can use – in conjunction with a firewall – to lock out unwanted users and increase your server security.
TCP Wrappers are similar to a firewall, in that you can allow and deny IPs or hosts, but different as they provide some additional options as well. TCP Wrappers use access rules in the hosts.allow file to allow or deny connections to network services that use the tcp_wrappers library, libwrap.
For example, you may want to allow someone access to FTP files to your server, but not want to allow them SSH, WHM, or any other kind of access. TCP Wrappers allow you to grant them access to FTP, or another specific feature, while denying them access to everything else. Read more
Over the weekend, my wife got a phone call from her parents telling her that her web site wasn’t working. When asked for clarification, her parents said that “Google has a big warning sign up where your site used to be.” Most of you already know what was going on: my wife’s site had been hacked. She called me to see what I could do to (cough) fix the problem.
What she didn’t know was that site hacks, while extremely common, aren’t necessarily easy to fix. Especially by me! For each hack, there are multiple phases of activity, each of which can be achieved via literally thousands of possible methods. Keeping track of them all is a job for which specialized technicians train their whole professional lives — so I hung up the phone and stuck my head into our Director of Network Compliance’s office.
“Hey, Mike,” I said. “I think my wife’s web site has been hacked.”
I was a bit disappointed by Mike’s I’m-not-surprised reaction — then again, he sees this stuff hundreds of times a day. But he was kind enough to spend a few minutes with me, explaining what might have happened, and how it fit in with well-understood patterns in hacking. Read more
All ServInt VPS and Flex accounts now come with free malware detection software from StopTheHacker — a service with an annual cash value of $120. Each customer receives one free subscription for each server they lease through ServInt.
The free StopTheHacker subscription for ServInt customers includes Basic STH service for one domain complete with a weekly scan utilizing standard malware detection measures.
The free malware detection software from StopTheHacker allows ServInt customers to determine whether the pages under monitored domains are being affected by known malware and viruses, and will also check to see if those domains are being blacklisted by major search engines. Read more
As you dig deeper into server administration, you’ll eventually need to log into your server via SSH as root. Logging into your server as root allows you to easily accomplish many tasks, but it demands a certain level of security precaution.
SSH root logins offer a huge potential security vulnerability. The root user is the administrative user of a server and has full access to the server. If compromised, the root account provides the malicious user with complete control. Anyone logged into a server with root access can write, erase, edit, upload or download any file. It is an all-access pass to your server, and simply guarding your root password isn’t enough to protect yourself.
There are two ways to mitigate this security concern. Read more
This week, ServInt was one of a dozen hosts to send a letter to the Senate Judiciary Committee to support updating the Electronic Communications Privacy Act, along with the i2Coalition which coordinated the hosting industry’s participation.
The government needs a warrant based on probable cause to search our mail or the documents in our homes. It’s one of our most fundamental rights, guaranteed in the 4th Amendment of the Bill of Rights. But because of this outdated law — the ECPA — which passed in 1986 before the commercial Internet even existed, law enforcement only need a subpoena (issued without a judge’s approval) to read emails that have been opened or are more than 180 days old. Under the ECPA, communications stored on a server over 180 days are said to be abandoned. This rationale has allowed the government to demand access to older electronic communications without a warrant issued by a judge.
That’s right… the government says it doesn’t need a warrant to search through your old email.
This year, Congress is finally considering updating ECPA. ServInt plans to directly engage in this much overdue process, offering its perspective and expertise in dealing with 18 years of serving customers online and dealing responsibly with law enforcement information requests.
We know that aiding law enforcement in responsible ways doesn’t need to come at the expense of our fundamental Constitutional rights. ServInt will be carrying that message, along with other i2Coalition members, up to Capitol Hill this year.
Stay tuned to the ServInt Source where we’ll keep you updated on the status of this and other important Internet legislation.Image by g4114is.
Since its passage in 2001, there has been a lot of media attention given to critics of the Patriot Act at home and abroad. Privacy and government accountability concerns have been raised over some of the provisions of the Act, and in recent years, these concerns have been co-opted by some European hosts who have twisted them into marketing propaganda. Basically, they claim that hosting in Europe is more “secure” than hosting in the US, which is complete and utter nonsense.
Part of the argument these groups make—captured succinctly here—is that not only do all customers of US hosts with data housed in US data centers fall under the Patriot Act, but those who house their data in foreign data centers operated by US companies fall under US law as well.
To be sure, some of this fear has come from statements made by American companies hosting data in Europe, including Microsoft, which — during its June 2011 launch of Office 365 in London — admitted that European data, stored or processed in Europe by Microsoft, would fall under the jurisdiction of the Patriot Act.
News of the reach of the Patriot Act has led many to believe that US companies — and their servers — are somehow inherently less secure than European hosts.
But those who cite this as reason to host with European providers, miss or ignore the facts of European law. Read more
One of the critical parts of administrating your server is being able to log into your server via SSH (or shell access) as root. By accessing your servers “on the command line,” you can roll up your proverbial sleeves and really dig in: installing software, changing system configurations, investigating problems, etc. But there is a server security concern when logging into a system with all that control when you’ve only got a single password protecting access. This is where key authentication comes in.
Instead of typing in a password, you can generate an encrypted key pair that is used to authenticate you when logging in. The server will look to see if you have this key file on your computer instead.
Key authenticaion is a great server security measure to implement as it allows you to control which systems can access your server. You can also turn password authentication off and your server will be immune to SSH password attacks. This is major step in security hardening and is highly advised.