How Not to Screw Up Your Email

Captions
First, let's start with the proper premise so everything is understood in context: email is not safe. There's no other way around that. There are plenty of other secure messaging options, such as encrypted messaging apps, but when people need to contact us quickly, unfortunately, in this society we cannot escape without email. Even when we give Grandma an iPhone to play with, her children will typically set her up on an email account for an Apple ID, and no one else might remember that email ever again, but even Grandma needs it to log in. For the rest of us, functioning in society requires an email. It's a form of identification on internet platforms. But email brings a lot of risk with it. Email can be used to track us; it is possible to get your exact location even with just spam email. Email is used to profile us by finding out who our friends and associates are, plus what our thoughts are. Email is read and collected by so many third parties, and not just the recipients. There's very little you can do to have effective encryption for most of our email communications, because we cannot encrypt the metadata. I'm going to teach you how to mitigate the security and privacy risks of email. Nothing is perfect with email, but doing nothing means extraordinary privacy risks. Stay right there.

When you need better search results like those from Google but don't want the Google tracking, check out privacy search engine Startpage.com. It does not collect or share any of your personal data, so you can search anonymously. My company offers a VPN service, BytzVPN, the de-Googled phones, VPN routers, and now we offer a Braxmail email service. These products are made to protect you from Big Tech and their tricks to profile us. If you're interested in them, they are on my app Brax.Me; the link is in the description.

Instead of a global story about what we need to do with email, I'm just going to attack the problem at the micro level. We'll just lay out each topic with the risks, and then we'll see what the solution is.

Let's start first with the beacon attack. One of the worst things that can happen with email is the very common beacon attack. This attack is typically done by retailers sending us bulk marketing mail. Using hidden HTML code in a message, the email will ping the sender that the email was opened. That HTML code is hidden and it's not really detectable. This then gives the sender feedback that the message was received. I wrote an example beacon attack code for a video before; you can go look for my email videos. You simply provide a link to a fake image in the message, but the fake image link is actually just an invisible pixel, and even that image link is really a call to a server; there is no actual image. Now, what's not obvious from this beacon attack is that this inserted link in an email actually reveals your device information and also your IP address. That IP address can then be used to look up an exact location using one of the paid location databases providing a reverse IP lookup service. And if you're the average person that hasn't thought this through, your email will then reveal exactly where you are at that moment. This is not perfect; it doesn't provide as much information if you're on mobile data, but if you're on Wi-Fi then you are completely zocked.

Let me tell you what's interesting about this beacon attack. First, on many email clients, like those standard on devices like Outlook, Apple Mail and Windows Mail, the location beacon will be activated even if you do not open the email. So all that has to happen is to spam a target, and the messages being received will return an IP address. The reason this can happen is because email clients like Apple Mail, Outlook and Windows Mail want to demonstrate that email is fast. They don't want to give you the impression that it's downloading email, so they download the email in advance and cache it on your device, and to make the display even faster they pre-process the email, so HTML images are pre-downloaded. In other words, they trigger the beacons in advance. This is because all it takes to trigger a beacon is the act of downloading an image. This is no mystery to Apple, Google or Microsoft. I think they are complicit with the marketers, so they do nothing to stop this potential privacy risk.

The solution to this is simple: stick to products that have been tested to not be vulnerable to a beacon attack. The only product that I've tested that I've never been able to attack with a beacon attack is Thunderbird. The Thunderbird email client from Mozilla fortunately works on Windows, Mac and Linux, so you can use this on any computer platform. What I haven't sufficiently tested are all the mobile platforms. I already know that the standard clients that ship with phones are all flawed; I tested them before. On an Android I use the K-9 email client instead. I still have to fully test this out, but I did not finish it in time for the video; I'll announce a test result later on. The only defense against a beacon attack without switching over to a safe email client like Thunderbird is to always be on VPN or be on LTE data. This way the IP addresses can never reveal a location.

Big Tech profiling. Many people choose to ignore the fact that your email is used to profile you. Data is collected about all your emails by Google, Yahoo and Microsoft for profiling. Apple claims not to use it for marketing profiling, but still, they have access to all your existing emails. Some of you have 20-plus years of email still accumulated on Gmail. In fact, I know of lawyers that use Gmail as their case filing system, so all the detail of everything they do and plan to do is kept on Gmail. This is a double threat. First, a platform like Google can already read incoming and outgoing mail, so they can process that information about you with messages in transit. But the second threat, which is actually even easier for Big Tech to implement, is just to read your inbox, since the average person doesn't empty out their inbox. If I were Google or Yahoo or Microsoft, the easiest way for me to extract data from a user would be to read the inbox. It would be hard to profile data from incoming and outgoing mail, since it means extraneous copies of the messages have to be analyzed. The most efficient way would be to just read your inbox. Now, if you pay close attention to what I just said, the conclusion would be that if your inbox were kept empty, then it would follow that your risk of email being profiled would be lessened.

There are a couple of ways of emptying out your inbox. First is to change the email protocol from IMAP to POP3. If this term is new to you, let me explain. Back in the old days the standard for receiving mail was the use of the POP3 protocol. POP3 picks up mail from the email server, then deletes the mail after acknowledging that the mail has been received. So POP3 means that emails are kept locally on your device; nothing is left on the mail server. The more popular format is now IMAP. IMAP keeps the files on the mail server. On Google this means the inbox is retained by Gmail, and when you connect to Gmail you are simply downloading a copy or making sure your copy matches. Although it is easy to say that POP3 would be the obvious security choice, since it doesn't leave your email out in the open for long periods, the problem is that we now have multiple devices, and for this reason it is impractical to shift to POP3. We want to see much of our email on multiple devices like our phones and computer. So what I will suggest is a hybrid solution. First, I believe that long-term storage of email should be done on a computer. That way you do not have large numbers of old emails, 20 years' worth, for Google or some other platform to read. But admittedly, having access to current emails via a mobile device is needed for practical purposes. This is what I propose: use an email client like Thunderbird on a computer. Then, when an email reaches a threshold of time where you will not need to actively refer to it on mobile, you drag the email to a different folder. Two possibilities: you can drag the emails to a local folder; that would make it visible only to that particular computer. An even more flexible choice is to drag the emails to another email account that is not run by a profiling Big Tech platform. For example, I now offer a Braxmail email service, which I'll talk about more later. So let's say you use my email service. You can then set up both the Gmail account and the Braxmail account on your Thunderbird client. You can simply drag the contents of Gmail into some other folder on the Braxmail account; it could be a new private folder. This would still be accessible to your other devices, since it is still IMAP, but it will disappear from your inbox on Google. Such a simple step with such positive consequences, and very easy. No need for any fancy backup and restore procedures; just drag the emails over. And of course you can drag as many emails as you want, though it may take time to transfer. Pretty neat tip, right? Anyone doing this? It's so simple, but I doubt if many actually thought of doing this.

Leak of your IP address on send. Now, this is related to the beacon attack, though no attack is being performed. Basically, most of you are willing to reveal your private location information simply by sending email, which is crazy. In the email header, as I show you here, you are sending your IP address. So if I wanted to know where you live, and even who you are, and you sent me email, I just plug that IP address into a reverse IP lookup database and I'll get your GPS coordinates. Assuming that you sent the email using Wi-Fi, then that will be your home or office location. Accuracy of the reverse IP lookup location is usually around 200 feet. The solution to this is simple: if you're already using a VPN any time you use email, then you're already covered. This is why having a VPN router is a godsend, because you don't have to set up your computer to do this; your network can always be on the VPN. The other potential solutions include using only webmail. Now, this is a plus and a minus: the webmail provider like Gmail will still know your IP; they may just not send it in the email header. Another solution, which is more of a fallback, is to send email only when on LTE data, not while on Wi-Fi. Fortunately, I thought of an even more practical solution: my new Braxmail service does not put the IP address in the header, so it doesn't matter whether you're on a VPN or not. In this case the responsibility for protecting your IP is in the hands of the email provider. And if you use a Thunderbird email client, you're protected from your IP being revealed by a beacon attack as well.

Emails for app logins. This is something I've been explaining over and over in several videos now, and I will re-emphasize it again since it's very important. You need many email addresses. You need to ensure that whatever you use for app logins is not the same email known to your friends and associates. Let me explain the basis of this instruction. Currently, your friends, family and associates have put you into a contact list. The contact list will have your phone, your name, your email and possibly addresses and birthdates. This has been uploaded by a huge number of your contacts to the Big Tech platforms, so every platform has a built-in public directory where they can look up an email, a phone number and a name and know exactly who is connected to whom. Each Big Tech platform not only requires you to provide an email but also now forces you to give them a phone number for two-factor authentication, thus adding even more data to the contact list. But the danger of the contact list is that it groups us into little cohorts of families and associates that will typically identify a belief, and since the average person is already heavily profiled by Big Tech, then associated contacts will have a derived profile by association. In other words, the email address itself, by being widely distributed, is a big profiler, and it will not be possible to have an alternate identity if you use the same email. The solution here is to never use an email address for Big Tech logins that your friends, family and associates use. The proper strategy is to have a non-profiling email account, for example a paid email account or your own server, and then use Gmail for app logins. You can set up as many Gmail accounts as you want for app logins. You can use any of the free email providers for this: Outlook, Yahoo, iCloud. But since the emails used for app logins are never used, they can't really be used to track. Just don't give out those emails to your real contacts. You can always start fresh with this strategy: just keep your normal email out of Big Tech and social media, and then use a fresh set of emails for Big Tech.

Emails for online shopping. Unfortunately, whenever you shop online, the online platform, be it Amazon, eBay or the Gap, will email you information about your order, which will then be used to profile you for ads. If you don't want to receive this kind of irritating spam, it is best to separate out emails for online shopping from your standard email that your friends and associates contact you on. This is not as critical of an issue from a privacy point of view, in my opinion, but it is good practice to segregate your identity.

How many email addresses do you need? Based on what I've just said, you would probably need at least four email addresses: one for business use; two, for personal and financial use; three, for app logins and two-factor authentication; four, for online stores. Don't mix up their use. Assume that someone is always reading your emails, but if you segregate them in this fashion, then the chances of personal information leaking out become less.

Transition strategy. Most people have been using a single email for everything. I understand that, and there's nothing we can do about the past, but since leaving email out in an IMAP database opens you up to continuous surveillance and profiling, it is time to migrate from the single email into a more planned email strategy. Chances are your single email has your real name. Okay, cat's out of the bag on that, so you're stuck with that. But as I said before, all you have to do is establish other new email accounts and then drag the contents from the older email accounts to the new email accounts, hopefully the non-profiling ones. It's not really a lot of work. Just a big piece of advice: never use your full name on any new email, so we will assume that the new email will be generic or maybe just be based on first name. Now, the priority is to change the social media accounts to use the new email for app logins. Since Google requires Gmail for YouTube and other Google properties, then it makes sense to just use Gmail for a lot of the app logins. If you use Gmail for app logins, you may have the option of using a Google Voice number for two-factor authentication, which would work on non-Google platforms. If you were using an account with a real name, just create a new account and stop using the old one, or severely limit the use of the old real-name account, maybe to just official conversations with government and financial institutions. As part of this transition strategy, I would strongly advise you to not use your normal phone number that exists in contact lists as your two-factor authentication phone number. Plan on getting a different phone number just for two-factor authentication, or avoid using the phone for two-factor authentication if it is not required of you. This is important because the old emails are likely associated with old phone numbers, and you don't want to connect the old with the new. There's no need to overthink this for privacy purposes; over time the old data will become stale and not be material for tracking purposes.

Why do you leave your emails to be read? Like I said earlier, if you leave your old emails in your old inbox with 20-plus years of messages on there, you're leaving yourself open to constant monitoring and surveillance. So why is it that people keep their messages readable on Gmail, Outlook, Yahoo and iCloud? Is it because the emails are provided for free? So free means they have permission to spy on you 24/7. Pick up on what I'm saying here: using Gmail, Outlook, Yahoo and iCloud for nonsense mail like app logins allows you to use their resources but with no privacy cost to you. For real emails that matter, the only real option is to use a paid service. Google makes money from the profiling, but a paid service is making money from maintaining the service. This is one of the reasons I started offering a Braxmail service. I've explained this email issue for years, but I've never been able to offer a solution, at least not a good solution, so hopefully I'll be able to offer more options now. Many of you have migrated to paid emails offered by encrypted email providers like ProtonMail, 2100 and so on. You can use those, but like any other email provider, having your data at any of these paid sites offers no particular safety other than the fact that they're not selling your data. And these sites are not good for use for app logins; that would be a waste. Use free emails like Gmail for that. The main problem with the encrypted email providers is that they're a honeypot. They attract a certain clientele with something to hide, and so they become heavily targeted by law enforcement, and logs are often collected, as well as IP addresses. ProtonMail was widely publicized for revealing an IP address of a customer. The encryption on those specialized platforms is really limited to conversations that are intra-domain, meaning within their platform. It does not extend to external mail, and so you open yourself up to a platform that's heavily watched and where your email contents are openly readable, since the normal inter-domain mail is unencrypted and is kept in the inbox. So for this reason I am not a big fan of encrypted platforms; they offer such limited benefit for the risk of more noticeable metadata. I offer my Braxmail service on many domains so it doesn't stand out, but it has equal benefits for normal mail compared to the ProtonMails of the world. No one will be selling your data. Our focus is privacy and limiting metadata, not encryption. There may be other private email providers out there as well that you can use; the lesser-known ones are likely better, since we don't want to stand out. I'm happy to say, though, that Braxmail may be the only one that can guarantee that no IP address will be on the sent email. This is a major benefit.

Now here's something I want to say that may not be obvious. It's important to segregate email addresses for different purposes; however, it doesn't mean you need to segregate inboxes. It doesn't matter if all your personal, business and financial email all end up in the same one inbox. If different email addresses are used for different purposes, then the other party does not know that it goes to one inbox. One of the things I built into my Braxmail product is that you can have multiple domains active at the same time. Currently I have five domains for each inbox, so in reality you get the equivalent of five different email addresses. So, as applied to my earlier strategy of splitting email addresses, you could combine all the emails into this one inbox as long as you separate out the app logins. I recommend that app logins stay with Gmail; you're not going to have a choice anyway if you use a Google platform in any way or use YouTube.

Emails are read in transit. As emails traverse the internet, coming and going from different email servers called MTAs, or mail transfer agents, you must assume that your emails can be read. Some issues to consider: email was originally designed as a plain-text protocol, so it had no consideration for encryption. Today certain legs of the email sending and receiving are encrypted by default. These are normally the legs that involve connecting to your own mail server using IMAP or SMTP from your email client. That part is mostly locked down with TLS, and hackers and such don't really have access to that. For example, a hacker on a corporate or home network would not normally see that kind of email traffic anymore in this day and age. What is still exposed and readable is the inter-domain leg, which is when one server connects to another server and transfers mail. Although some amount of email transferred now uses encryption to some degree using secure SMTP, it is optional; mail servers are meant to receive traffic with or without encryption. The fact that some encryption may occur has led some parties to believe that I'm a fear-monger, since in their minds we are all now covered by encryption, but this is truly a misunderstanding of how email works or of email threats. I assure you that players like governments still have their fingers in the email mix. Email is not an end-to-end encrypted protocol; the encryption is per leg. The encryption ends when the target receives the message and the message is transformed to plain text. It is a simple matter to add an additional leg with no encryption for a government man-in-the-middle. It would also be a simple matter for messages to be copied to a government server directly from the MTA server itself. And one more thing: someone can downgrade it from an encrypted to an unencrypted connection simply by intercepting the traffic. My point is that we must always assume that mass surveillance exists with our email messages. Thus, this means being circumspect about what you send in email. There are messages that are probably best sent using other platforms, such as my preferred one, which are those using the XMPP protocol. So think hard about what you put in email. In my entire lifetime since email became a thing, I've always been conscious of what I put in email, often limiting my email responses. Someone always gets a copy of whatever you say. I've been in depositions where my entire email history was in a large book for all to see. If you've ever had this experience, you will understand that email is an open messaging platform. You're well known on it, and someone always has a copy: the recipient, and likely plenty of parties in the middle.

Hackers. The main entry point for hacking your devices is through email. Unfortunately, though, some of this now is coming through texting, but I would say email is the number one method. It would take another video to go through it in detail, but the main thread is the phishing attack, and the targeted version called spear phishing, where the attackers know some details about you and can personalize the attack. I'm always suspicious about incoming email. If something doesn't ring true, the best way to protect yourself is by first using the View Source option in Thunderbird to examine the headers, then look at the domains to see if the email is really coming from the actual source. Generally, if I get a bank email that says there's some problem, I don't open the email, but I go to the bank website and look there. There are many more, but this is probably best handled in a live stream.

So there you are: practical tips, not perfection, but at least you're not leaving yourself like a sitting duck, vulnerable to attack from Big Tech or any third party wanting information about you. If you enjoyed the video, please click on that subscribe button and hit that notification bell. As I mentioned in the video, my Braxmail service is now live. I created this product because of popular demand; many of you have been asking for that here, and it's available now for fifty dollars a year on Brax.Me. You get to use the same account on multiple domains, all going to one inbox, meaning you have at least five email addresses, and guaranteed never to reveal your IP address, and of course no one selling your data. Thank you for watching. See you next time.
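As an added example (not the video's own beacon code, and not part of any product it mentions), the script below automates the three things the talk says to check by eye in Thunderbird's View Source: list the remote images that act as beacons the moment a client downloads them, pull the originating IP out of the Received trail (the address leaked on send), and compare the From domain with the Return-Path domain. The sample message, its hosts and addresses are constructed.

```python
"""Inspect a raw RFC 822 message for remote-image beacons, the client IP in
the Received trail, and a From/Return-Path domain mismatch. Added example;
the message below is constructed, not a real email."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: a marketing mail with a 1x1 remote pixel and a Received
# trail whose earliest hop records the submitting client's (made-up) address.
SAMPLE_EML = b"""Return-Path: <bounce@mail.example-shop.net>
Received: from mx.example-shop.net (mx.example-shop.net [203.0.113.5])
\tby inbound.example.org with ESMTPS; Thu, 07 Oct 2021 10:00:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby mx.example-shop.net with ESMTPSA; Thu, 07 Oct 2021 10:00:01 +0000
From: "Example Shop" <offers@example-shop.com>
To: you@example.org
Subject: Your order
Content-Type: text/html; charset=utf-8

<html><body><p>Thanks for your order.</p>
<img src="https://track.example-shop.net/open?id=abc123" width="1" height="1">
<img src="cid:logo.png">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_beacons(raw):
    """Return remote image URLs. Any remote <img> causes an outbound fetch
    (the beacon); 0/1-pixel ones are flagged as likely tracking pixels."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            src = attrs.get("src", "")
            if not re.match(r"https?://", src, re.I):
                continue  # inline cid:/data: images do not phone home
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            found.append({"url": src, "likely_pixel": tiny})
    return found


def originating_ip(raw):
    """IP in the earliest Received line (last in the header, since each MTA
    prepends its own): this is the client address the sender leaks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1]))
    return m.group(1) if m else None


def domain_mismatch(raw):
    """Compare the From: domain with the Return-Path (envelope sender) domain;
    a mismatch is a cue to verify out of band, not proof of phishing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom, from_dom != rp_dom


if __name__ == "__main__":
    print("remote images:", find_beacons(SAMPLE_EML))
    print("originating IP:", originating_ip(SAMPLE_EML))
    print("From/Return-Path domains:", domain_mismatch(SAMPLE_EML))
```

Point it at a message saved from View Source (read the file as bytes) to see which images would fire before you ever open the mail and what the Received trail says about the sender.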
Info
Channel: Rob Braxman Tech
Views: 60,730
Keywords: internet privacy guy, internet privacy, privacy, tech privacy, email risks, safer email, hacking email, email attacks, email profiling, gmail, outlook, yahoo, icloud mail
Id: Vix-gdA6sbU
Length: 26min 31sec (1591 seconds)
Published: Thu Oct 07 2021