Entries in Tunnel X (1)


Lessons from Sony

The Sony hacking blow-up — with all of its aftershocks — surely has a lot to teach us. And it will be interesting to watch how various strains of corporate America — as well as non-corporate citizens — modify their habits in response.
I run a startup called Tunnel X that offers, for free, secure, private online conversation. Tunnel X takes a number of measures to help ensure that your online conversations aren’t read by anyone other than the person you intend.
I talk to people all the time about what we do — friends, industry people, fellow cocktail partiers — and overwhelmingly the response is, “that’s cool. But I don’t need that. I’m not a drug dealer or a terrorist or a cheater. Who cares what I’m saying?”  Well, I doubt many people at Sony, if any, anticipated what happened. Regular email and regular texting — not to mention social apps like Facebook and Snapchat — are simply not secure. Even if you are not being individually targeted, your account could be in a large group that get hacked and released to the public. How would you feel about every email, every text, you have written and received going out to the public domain? (Gizmodo has a good take on that here.)
Practices will have to change. I predict that by the end of 2015, things will look different. Security will be better (there will still be weaknesses, but security will improve). Encryption will be more widely implemented. And people will be more careful about what they send over the Net. I think people should be able to have a private conversation online. That’s why we created Tunnel X. 
How is Tunnel X different from, say, corporate email? (And of course this is a broad comparison — different companies have different policies and practices, and I don’t pretend to know how Sony operate their IT.) 
First, our focus is on security. Access to our servers is conscientiously protected. You might think, well, Sony is a big, resourceful company with an IT department — aren’t they protected, too? The answer is, you would think so. But we have seen again and again, at many companies, including Adobe, a software company, that security lapses are commonplace.
Second, all the messages stored on our servers, waiting for people to read them, are very well protected with state-of-the-art, 256-bit encryption. This is relevant to the Sony incident because the hacker team broke in and didn’t just intercept some messages coming through. They grabbed a huge number of stored messages. If someone manages to break in and steal all of our messages, they still won’t be able to read them. 
Third, access to individual accounts is notoriously easy for hackers to obtain. Even many of the secure messaging apps use basic username/password authentication. At Tunnel X, we use a long, 256-bit key to sign you in. On our web site, this is derived from a digital photo that you can recognize and keep safe on your computer plus a 6-digit PIN (on mobile we generate the image file for you and keep it in the app on your phone).
Lastly, Let’s remember the context in which you read and write messages. Your inbox sits on your computer screen most of the day. We read our texts waiting in line to order a sandwich and sitting in a conference room. Taking our more sensitive conversations out of the promiscuous stream of email and texts is a good move.