Former NSA employee looks to make email more secure

Virtru is one of a number of companies tackling the tricky problem of making email encryption easier

Email, perhaps still the most widely used Internet application, has about the same level of security as a postcard. But unlike postcards, it's widely depended on by businesses.

It wasn't designed with security in mind. It was just designed to work. But following disclosures of large-scale spying by the U.S. as well as other nations over the last several years, a variety of companies, including Wickr and Silent Circle, see commercial opportunities in making encrypted messaging products that are easier to use.

Joining those companies is Washington, D.C.-based Virtru, co-founded by the Ackerly brothers. John, 38, has a background in private equity, and his younger brother Will, 34, joined the U.S. National Security Agency out of college in 2004.

Their fledgling venture aims to solve usability problems around using email encryption software, which can be finicky to set up. With Virtru "you can send to anybody, and then they can get access to it without having to have a PhD in computer science," Will Ackerly said.

Virtru's big advantage is that it works within the Gmail, Outlook and Yahoo webmail interfaces and doesn't need an external client, which was no small engineering feat, Will said.

For example, content typed in the body of an email is immediately encrypted so that Gmail, which periodically saves a draft of a new message, only sees encrypted content.

Senders, however, must install a browser extension, which manages the encryption and decryption of content. Those crucial processes occur on a person's computer or a mobile device, which means those webmail providers would only see scrambled content. Recipients can opt not to install the extension and read the decrypted content within a browser window.

The body of an email message is encrypted in the Trusted Data Format (TDF), which Will authored a paper on in 2008 while working for the NSA. The open-source format is akin to a secret ZIP file and is widely used in the U.S. intelligence community. Unlike other encryption programs such as PGP, TDF also allows attachments to be encrypted.

Saying something is encrypted sounds good, but there are fine technical points that must be spot-on for the highest level of privacy and security.

The small Dallas-based company Lavabit, believed to be former NSA contractor Edward Snowden's email provider, lost a court battle with the U.S. government that forced it to turn over its SSL (Secure Sockets Layer) key.

That encryption key secured communication between customers and Lavabit's servers. With the key, the U.S. government could have descrambled the email of not just Snowden but all Lavabit users, which many found unnerving.

To get around that weakness, Virtru uses elliptic curve Diffie-Hellman ephemeral key exchange, a mouthful that means Virtru generates a new key every time a user starts a new email session.

The key is discarded at the end of the session. If Virtru's credentials were obtained, either by a hacker or through court orders, "someone would not be able to decrypt past communications," Will Ackerly said.
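The property described above, as an added Node.js example (not Virtru's code; the curve, KDF, cipher and all function names are assumptions): a recorded session can be read later with the server's long-term private key when that key takes part in key agreement, and cannot when both sides used ephemeral keys that were discarded.

```javascript
// Added illustration, not Virtru's code. P-256, HKDF-SHA256 and AES-256-GCM are
// assumed choices; authentication of the exchanged public keys is omitted.
const crypto = require('node:crypto');
const CURVE = 'prime256v1';

// Turn an ECDH shared secret into a 256-bit AES key.
const deriveKey = (secret) =>
  Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'session', 32));

function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Static design: every session key is agreed against the server's long-term key.
function staticSession(serverLongTermPub, text) {
  const client = crypto.createECDH(CURVE);
  const clientPub = client.generateKeys();
  return { clientPub, sealed: seal(deriveKey(client.computeSecret(serverLongTermPub)), text) };
}

// Ephemeral design: both sides use fresh key pairs that go out of scope (are
// discarded) when the session ends. Only the public halves and ciphertext remain.
function ephemeralSession(text) {
  const client = crypto.createECDH(CURVE), server = crypto.createECDH(CURVE);
  const clientPub = client.generateKeys(), serverPub = server.generateKeys();
  const clientKey = deriveKey(client.computeSecret(serverPub));
  const serverKey = deriveKey(server.computeSecret(clientPub));
  return { clientPub, serverPub, sealed: seal(clientKey, text), keysMatch: clientKey.equals(serverKey) };
}

// What a recorded session yields later to whoever holds the long-term private key.
function recoverWithLongTermKey(longTermPriv, recorded) {
  const holder = crypto.createECDH(CURVE);
  holder.setPrivateKey(longTermPriv);
  try {
    return open(deriveKey(holder.computeSecret(recorded.clientPub)), recorded.sealed);
  } catch {
    return null; // GCM tag check fails: the long-term key never touched this session key
  }
}
```

In a deployed protocol the long-term key would still sign the ephemeral public keys to authenticate the server; obtaining it afterwards allows impersonation going forward but not decryption of sessions already recorded.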

Another key point with encryption products is who holds the decryption keys. As configured now, Virtru uses its own centralized key management server to distribute the keys to recipients so they can decrypt the content.

That raises questions of how fiercely Virtru would go to bat if it received a government order, such as a National Security Letter or law enforcement request.

Virtru has put funds aside for such a battle and is prepared to fight "bulk" data orders or ones not based on a standard of probable cause, said Timothy Edgar, a paid advisor to Virtru and an adjunct professor of law at Georgetown University Law Center.

"We hope we don't have to do that," said Edgar, who is also a privacy expert.

Plans are in the works to allow organizations to run their own key servers using Virtru's software, relieving administrators of the anxiety that comes with someone else managing their keys.

A central key server offers advantages: a Virtru user can block access to a message by revoking its key, although a recipient could always quickly take a screen shot of a message during the period in which they had access. The key revocation feature also allows senders to set messages to expire. Also, people who are forwarded a message wouldn't be able to read it unless they are authorized.

Virtru's basic features, such as email encryption, revocation of messages and the ability to control forwarding, will always be free, said John Ackerly. The company hopes to make money by licensing its key management software to businesses, as well as offering other management and access visualization tools for encrypted email. Mobile clients are in the works as well, for Android and iOS.

Will's background with the NSA might raise some eyebrows. He worked in data security there for eight years, leaving about 10 months before the first Snowden leaks in June 2013.

"I think the heritage of the company is something we are very aware of," he said.

To overcome suspicions, Will said Virtru will release the source code for its extension and key management software. It also has outlined an open source strategy on its blog for other software components.

Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, a think tank, said the people within the NSA, including code breakers and those figuring out how to undermine security, are also in the best position to build more secure software.

"That's the only hope we have," Hall said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
