Online Fraud

My MPP, Yasir Naqvi, has been in the news complaining that someone “stole” his identity and sent out an email misrepresenting his views. Never mind what his views are.

http://www.yasirnaqvimpp.ca/pressreleases.aspx?id=61

http://www.ontla.on.ca/web/members/members_detail.do?locale=en&ID=7097

Mr. Naqvi’s identity was not stolen — he is clearly still him. If it was stolen, then he would no longer have it.

His email account was not “hacked” — someone simply set up a new identity on Gmail claiming to be him. But really, there are dozens of higher-tech ways to impersonate him. In fact, ANYONE CAN IMPERSONATE ANYONE on the Internet.

The press have repeatedly written the story wrong. http://www.vancouversun.com/news/politician+livid+after+fake+mail+sent+list/2732203/story.html

“On the Internet, nobody can tell you are a dog”, was the comic from over a decade ago.

The real question is, why, in 2010, 12 years after S/MIME became a standard (1998) and 14 years after PGP was documented (1996), our governments and representatives are still completely in the dark about what it means to be online.

http://www.rfc-editor.org/info/rfc1991 http://www.rfc-editor.org/info/rfc2311

And there are lots and lots of further documents about PGP, OpenPGP, and S/MIME. My email has been signed with PGP since about 1994. Think about this: I’ve been signing my email longer than the kid serving you at McDonald’s has been alive.
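To make the point concrete, here is an added example (not part of the original post) of the check a recipient's mail tooling can make: a display name is free text, so the only things worth comparing are the address and whether the message carries a detached PGP or S/MIME signature. The sender directory, names, addresses and both sample messages are constructed, and the signature test is structural only, not a cryptographic verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): display name -> the only address that person uses.
KNOWN_SENDERS = {"jane example": "jane.example@legislature.example"}

# Detached-signature protocols: OpenPGP/MIME (RFC 3156) and S/MIME.
SIGNED_PROTOCOLS = {
    "application/pgp-signature",
    "application/pkcs7-signature",
    "application/x-pkcs7-signature",
}

def assess(raw):
    """Return findings for one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    expected = KNOWN_SENDERS.get(name.strip().lower())
    # The display name is chosen by the sender; only the address can be compared.
    if expected is not None and addr.lower() != expected:
        findings.append("display-name-mismatch")
    protocol = str(msg.get_param("protocol") or "").lower()
    # Structure check only: this does not verify the signature cryptographically.
    if msg.get_content_type() != "multipart/signed" or protocol not in SIGNED_PROTOCOLS:
        findings.append("unsigned")
    return findings

# Constructed sample: a look-alike webmail account reusing the known display name.
LOOKALIKE = (
    "From: Jane Example <jane.example.office@webmail.example>\n"
    "Subject: Statement\n"
    "Content-Type: text/plain\n"
    "\n"
    "Constructed body.\n"
)

# Constructed sample: the real address with a detached OpenPGP signature part.
SIGNED = (
    "From: Jane Example <jane.example@legislature.example>\n"
    "Subject: Statement\n"
    'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"\n'
    "\n"
    "--b\nContent-Type: text/plain\n\nConstructed body.\n\n"
    "--b\nContent-Type: application/pgp-signature\n\n(placeholder, not a real signature)\n"
    "--b--\n"
)

if __name__ == "__main__":
    print(assess(LOOKALIKE), assess(SIGNED))
```

A message that passes the structural test still has to be verified against the sender's known public key or certificate by a PGP or S/MIME implementation before it proves anything.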

“Poor planning on your part does not constitute an emergency on my part”.

You were warned. MANY MANY MANY TIMES.

Provincial governments and federal governments have very clear, centralized IT support and services, and they could trivially roll out email security.

Have they done so? Why haven’t they? It seems like NEGLIGENCE to me.

I documented above when the standards were written, but in fact that is 3-8 years after the technology became available — so it’s more like 20 years since you could have started using PGP.

It’s not like S/MIME is not ubiquitous — it’s one of the major reasons that I’ve been told that government organizations HAVE to run Outlook: nothing else has been evaluated by the CSE for use in government work. (Why that is, is another rant.)

SO WHY ARE THEY NOT USING IT?

This is not a rhetorical question. I want to know. What part of “email is not secure” did they not get? Maybe they were not there that day in class.

Shame on you, Mr. Naqvi. Go do some learning and start asking some real questions.