TIME How-To

How to Email Like Hillary Clinton

Hillary Clinton
Adam Berry—Getty Images Hillary Rodham Clinton, former United States Secretary of State, U.S. Senator, and First Lady of the United States, speaks during the presentation of the German translation of her book 'Hard Choices' ('Entscheidungen' in German) at the Staatsoper in the Schiller Theater on July 6, 2014 in Berlin, Germany.

Many people have at least two email addresses: There’s the one you get for work, then there’s the one you use for personal business. And you might even have one to give all the companies who will send you junk mail until the world ends.

But these accounts don’t physically exist in your office, home, or city dump, respectively. They’re typically off someplace in the cloud — unless, like former Secretary of State Hillary Clinton, you decide to host your own email service in your home. While heading up Foggy Bottom, the potential presidential hopeful exclusively used an email server registered to her home in Chappaqua, New York, according to the Associated Press and New York Times.

The situation has quickly become problematic for Clinton. Public officials are supposed to be archiving their correspondence under open records rules, so the revelations have raised questions over why Clinton opted to use a private email setup rather than the State Department’s service.

While Clinton’s move to use a private email solution might seem like an unusual choice, it’s technologically easy enough for most people to set one up — check out this explainer from Ars Technica for the wonky details. But few people bother with a private email server. Why not?

“The big caveat is that you must know what you’re doing in terms of setting it up securely, and that’s a fairly difficult, non-trivial problem for most people,” says Katie Moussouris, chief policy officer for San Francisco-based HackerOne, a company that works with friendly hackers to help organizations like Yahoo, Twitter, and even government agencies detect vulnerabilities in their own technology.

An outgoing email generally follows this route: It’s stored in a server, sent by a client (software ranging from Microsoft Outlook on your computer to the Mail app on your smartphone), and traverses various networks en route to its destination, where it’s received by the recipient’s client and stored by their email server. (And vice versa for incoming email.) Setting up your own email service lets you control the two closest parts of this path — your local server and client. That can help make your data safer, especially if you encrypt the data stored on your server and the messages you send.

But doing all this still means three-fifths of your email’s path runs through areas over which you have no control. In fact, the only way that emails sent to or from Clinton’s account would remain truly secure would be if they went to or came from accounts that were similarly locked down. Then “you would have all of the infrastructure under your direct control,” says Moussouris, who has more than 15 years’ experience in Internet security and has also worked as a hacker-for-hire.

Despite these security holes, there are still reasons that a person would want to set up their own email service. As that Ars explainer points out, if your email is hosted in the cloud — say, by Gmail — “it’s not yours.” If you control the servers, you own the content — though governmental policies surrounding transparency and police search and seizure rules certainly weigh in here.

But most people aren’t trying to protect sensitive State Department data. Instead, one reason people run their own email services is so they can use their own domain name in their email address. If this was a reason for Clinton, it was a foolhardy one, argues Moussouris. If being a high-value target for hackers is a reason for using an (allegedly) more secure private email service, choosing a domain name like clintonemail.com, as Clinton did, only gave her a higher profile.

“Such an obvious name would make it an interesting target for a hacker,” says Moussouris. “People with that high of a profile, whether it’s a politician, celebrity, or high-level executive, they should already be operating with that in mind.”

Besides, consumer-based services not only allow users to use their own domain name while hosting their emails in the cloud, they also provide end-to-end encryption, ensuring that their messages stay safe while traveling through the web.

But if you still want to email like Hillary Clinton, Moussouris recommends relying on an expert — if you can find one. “Qualified security people are very rare,” she says. And that’s one of the problems with this setup for Clinton.

“I couldn’t imagine a top-notch security person going to work for anyone in Washington, let alone an individual in, essentially, a non-technical function,” Moussouris says. “We have a scarcity of talent in the security industry, and we see this when we try to hire good people all the time.”

As a result, Moussouris assumes whoever set up Clinton’s private email server was a staffer, unless they were very well paid. And if that’s the case, the best way to email like Hillary Clinton is to spend a lot of money.

TIME Security

Uber Data Breach Put 50,000 Drivers’ Info at Risk

Berlin's Taxis As German Court Considers Uber Technologies Inc. Ban
Bloomberg—Bloomberg via Getty Images A passenger holds a HTC Corp. smartphone displaying the Uber Technologies Inc. car service application (app) as they sit in a taxi in this arranged photograph in Berlin, Germany, on Monday, Nov. 24, 2014.

But it isn't aware of any foul play as a result

A data breach at Uber last spring put tens of thousands of drivers’ personal information at risk, the company said late Friday.

Uber said it first realized its systems may have been breached by a third party in September of last year. After an investigation, the company found an “unauthorized access” by a “third party” occurred on May 13 of last year, which resulted in the names and license numbers of 50,000 drivers being leaked.

The car-hailing company didn’t specify who the third party was. However, Uber says it has since blocked further access to the database in question as well as alerted affected drivers.

Uber isn’t yet aware of any identity theft or other foul play as a result of the breach. It’s also offering one year of fraud protection to the drivers involved.

“Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause,” a blog post from Uber Managing Counsel of Data Privacy Katherine Tassi said. “In addition, today we filed a lawsuit that will enable us to gather information to help identify and prosecute this unauthorized third party.”

TIME Security

U.S. Offers $3 Million Reward for Information on Russian Hacker

Bogachev Russian Hacker FBI
FBI

The FBI says it's the most ever offered in a cybercrime case

The United States announced a $3 million reward Tuesday for information that would lead to the arrest and/or conviction of a suspected Russian hacker, the largest bounty it has ever offered in a cybercrime case.

Evgeniy Mikhailovich Bogachev, one of the FBI’s most wanted cyber criminals, allegedly participated in a “major cyber racketeering enterprise,” according to the State Department, which involved using a malicious software known as “Zeus” to grab sensitive information from victims like bank account numbers, passwords and PINs.

The FBI said its investigation of the “GameOver Zeus” computer network began in September 2011, and that the network is responsible for some 1 million computer infections, resulting in more than $100 million taken from online bank accounts. Bogachev, known as “lucky12345” and “slavik,” was indicted by a federal grand jury in August 2012 for charges like bank fraud, conspiracy to violate the Computer Fraud and Abuse Act and aggravated identity theft. In May 2014, another federal grand jury indicted him under his real name for charges including wire fraud, money laundering and computer fraud.

Bogachev is believed to be at large in Russia.

TIME Social Media

Facebook Unveils Its Plan to Strike Back at Hackers

Facebook ThreatExchange Hackers
Bloomberg via Getty Images

It's a new social hub for companies to share info about security threats

Facebook pushed out a social network on Wednesday to ramp up the fight against hackers.

ThreatExchange joins together several high-profile companies in a platform where they can share information about cyberattacks or hacking threats with one another, but also between select groups or specific individuals, according to ThreatExchange. Early partners for ThreatExchange include Bitly, Dropbox, Pinterest, Tumblr, Twitter and Yahoo.

“Threats like malware and phishing typically go after multiple targets, and a successful attack at one place usually makes it easier to take over systems elsewhere,” according to Facebook. “We share in each other’s fate.”

TIME Security

Why This Security Researcher Just Posted Millions of Passwords

TIME.com stock photos Computer Keyboard Typing Hack
Elizabeth Renstrom for TIME

It's for your own good

A security consultant just published 10 million password and username combinations, and one of them might be yours.

The security researcher, Mark Burnett, isn’t an ill-intentioned hacker. Rather, he’s published millions of online credentials in the hopes of better researching password security. Posting the information could allow other security researchers to gain a better understanding of how we choose passwords and usernames, and ultimately make us safer.

Burnett picked up the passwords from a random sampling of dumps already dotted around the Internet, so he’s not hacking accounts and stealing credentials. Instead, these passwords are already out there. Plus, many of them are already obsolete, Burnett says.

Still, some might argue Burnett is breaking the law by publishing the credentials, and he risks running afoul of law enforcement for doing so.

Here’s Burnett on his blog (hat-tip to Gizmodo):

Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone… In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.

TIME Security

The World’s Most Popular Site for Pirated Downloads Is Back Online After a Long Outage

A search is performed on The Pirate Bay Web site on a comput
Adam Berry—Bloomberg/Getty Images

Pirate Bay had been offline since December

The Pirate Bay, the world’s most popular file-sharing site, came back online Saturday after Swedish authorities had shut it down in December.

The site’s relaunch, complete with a new logo of a phoenix, was expected, as a countdown clock had been displayed on the domain, VentureBeat reports. The relaunch is reportedly a slimmed-down version, not requiring several former administrators and moderators.

The Pirate Bay’s offices, based in Stockholm, were raided two months ago by Swedish officials after complaints from an anti-piracy group, resulting in the site’s longest shutdown ever. The premises were previously raided in 2006 and 2010, but the page had been brought back online within a few days.

[VentureBeat]

TIME privacy

What Uber Still Won’t Say About Your Data

Chris Ratcliffe—Bloomberg/Getty Images Travis Kalanick, chief executive officer of Uber Technologies Inc., gestures as he speaks during the Institute of Directors (IOD) annual convention at the Royal Albert Hall in London, U.K., on Oct. 3, 2014.

A privacy audit left some questions unanswered

Uber, the massively popular car-hailing company, has acquired a reputation for being overly cavalier about data privacy. Last November, Uber vice president Emil Michael suggested investigating journalists critical of Uber to find dirt in their “personal lives.” A venture capitalist said his private location data was broadcast to a large audience at a Chicago Uber launch party. And a Buzzfeed reporter in November was tracked on her way to an interview with New York’s top Uber executive.

Uber has since refocused its attention on riders’ privacy, rewording its data policy and hiring an outside attorney to conduct an investigation.

“At Uber, protecting the personal information of riders is a core responsibility and company value,” said Uber CEO Travis Kalanick in a Friday statement. “Delivering on that value means that privacy is woven into every facet of our business, from the design of new products to how we interact with riders, drivers and the public at large.”

The results of that audit were released Friday. The investigation, led by Harriet Pearson, a Washington, D.C. attorney at Hogan Lovells with an impressive history of arbitrating privacy and security issues, agreed with Kalanick’s own assessment: Uber has a strong privacy policy. Her six-week investigation at Uber involved reviewing hundreds of documents and interviewing Uber’s leadership. It ultimately resulted in an exculpatory report that Pearson called “comprehensive.”

“In our view, Uber has dedicated significantly more resources to privacy at this point in its age as a company given its sector and size than other companies that we’ve observed,” said Pearson in an interview with TIME. Uber is about six years old and is valued at more than $41 billion.

The saga has raised important questions about how private companies access our personal information, from our credit card data to our precise location. A lot of Uber’s data can be really useful: The company uses it to settle internal disputes, fix bugs or help cities plan traffic patterns, as it has done in Boston, for example.

But in the age of the Snowden National Security Agency revelations, consumers are particularly sensitive about how their personal information is used. Uber has promised to follow the report’s recommendations, such as expanding employee training and making its policies more transparent. But the audit still left some questions unanswered, according to Bruce Schneier, a fellow at Harvard University’s Berkman Center for Internet & Society.

“I saw nothing in their statements” to alleviate privacy concerns, says Schneier of Uber’s report. “Anytime you put this kind of surveillance power in people’s hands, they look up their enemies and friends… If the culture is not, ‘we don’t do this,’ then you do it.”

Here’s what we still want to know more about.

How many employees at Uber can see my personal data?

Uber says access is limited to employees who have a reason to need it, like those investigating fraud, answering user-driver inquiries or conducting trip analyses, said Katherine Tassi, Uber’s managing counsel for privacy, in an interview. But Tassi doesn’t have an exact figure.

“There’s no one particular number of employees that have access to user data,” she said.

How does Uber prevent its employees from looking at my data?

Uber gives employees access to customer data based on their responsibilities, while others are locked out through technical controls. “We noticed those kinds of controls at various levels” at Uber, said Pearson.

The report indicates Uber uses a combination of passwords, informal rules and employee monitoring to restrict access. In any case, according to Pearson, the company has a well-developed system for monitoring who is accessing your data and when.

So has Uber explained its recent privacy missteps?

Not fully. “We’re not going to comment on those specific instances that were in the press, but in general, we’re an organization of human beings and human beings make mistakes,” says Tassi. Pearson says her investigation only examined Uber’s privacy program and its structure, not particular incidents. So we don’t actually know how common it is for Uber employees to tap into your data, despite the company’s policy.

Do Uber employees ever get in trouble for doing fishy things with users’ data?

Uber won’t say. We know that Uber “disciplined” New York executive Josh Mohrer in November for tracking that Buzzfeed reporter’s ride, but we’re not sure how. Other than that, we don’t have any evidence Uber employees committed any other privacy violations.

Are Uber employees taught not to spy on me?

Uber talks informally with its employees about protecting customer data. Employees get “communications” from the senior team on handling riders’ data, Tassi said, and new Uber hires have to accept the company’s data access policy.

But when pressed, Uber didn’t say whether there’s a formal training program for employees, merely saying it was “in early stages of development.” That training “needs further formalization,” said Tassi.

TIME How-To

How to Hide Anything on Your iPhone

TIME.com stock photos Social Apps iPhone
Elizabeth Renstrom for TIME

You have a right to privacy. Here’s how to protect it.

The eyes may be the window to your soul, but your iPhone is the peephole into your daily life. Who you contact, which apps you use, which selfies you snap — it’s all right there. So if you care about your privacy, it’s worth taking some simple steps to protect it. Here are seven ways to keep digital snoops at bay.

Pair Touch ID With a Complex Password

If you’re already using your fingerprint to unlock your iPhone, you’re on the right track. (If not, tap Settings > Touch ID & Passcode and add it now.) Here’s another trick: add a complex password to enter each time you power up your phone. (Tap Settings > Touch ID & Passcode, disable Simple Passcode and follow the prompts.) For a stronger passcode that’s quick to enter, stick to all numbers and aim for up to 12 digits. That won’t stop a dedicated hacker, but it’s tougher for an unwanted onlooker to figure out than a standard 4-digit password.

Nix the Notifications on Your Lock Screen

Hide your notifications by going to Settings > Notifications and toggling off the Show on Lock Screen slider. Alternately, you can also fine tune this setting so that only certain apps can place notifications on your lock screen using the options right below this setting. You can even block notifications from individual message threads: go into the message, tap the word Details on the upper right hand corner of your screen and slide the Do Not Disturb Button to the left. Voila.

Hide Clandestine Contacts

There’s no built-in setting for hiding individual contacts, but there are some smart workarounds. The simplest way is never to save the person’s name so only their number appears in your recent calls list. To hide all your recent and favorite contacts in the App Switcher – which appears atop your screen when you press the home button twice – tap Settings > Mail, Contacts, Calendars > Contacts > Show in App Switcher and toggle off Phone Favorites and Recents.

Deep-Six Secret Texts

This one’s easy – just delete them. Swipe left on the Messages screen to delete entire exchanges at once. If you only want to nix certain parts of a thread, hold your finger on the offending text bubble, tap More when it pops up, select each bubble you want to delete using the check marks at left, then tap the trash icon at the bottom left of your screen.

Zap Photos and Videos

Here’s one case when you’re better off using a third-party app instead of the iPhone’s built-in option. While you can hide any photo from your camera roll by holding your finger on it, then selecting Hide, the Hidden Album is not password-protected. Instead, try a free app like KYMS or Private Photo Vault, which require a password to access. Just remember to permanently delete the originals from the default iPhone photo app afterwards.

Make Apps Disappear

Don’t want anyone who borrows your phone to know you’re on Tinder or have a Private Photo Vault? There are two ways around this. First, you can hide apps inside another folder like your “Extras” by holding down the app icon until it starts shaking, then dragging it into the desired folder. Second, you can hide app icons altogether by dragging them into the dock, then using Spotlight to access them. Get a detailed explanation for how to do both tricks here.

Hide Your Search History in Safari

If you just want to browse privately for a while, open Safari, tap the page icon in the lower right corner, then tap Private. To clear your entire browser history, go back to your phone’s home screen, tap Settings > Safari > Clear History and Website Data. Pro tip: download the DuckDuckGo search engine and use it instead. Unlike Safari, it never stores your search history.

TIME Security

Taylor Swift’s Instagram and Twitter Just Got Hacked

Jon Kopaloff—FilmMagic/Getty Images Taylor Swift arrives at the 16th Annual Warner Bros. And InStyle Post-Golden Globe Party at The Beverly Hilton Hotel on Jan. 11, 2015 in Beverly Hills, Calif.

Hackers gonna hack hack hack hack hack

Taylor Swift’s Twitter and Instagram accounts were hacked Tuesday afternoon before quickly being recovered 15 minutes later.

The hacker wrote a tweet encouraging Swift’s 51 million fans to follow someone claiming to be the leader of the hacking group “Lizard Squad.”

Swift has the fourth most popular account on Twitter. After regaining access to her account, she tweeted the following:

“Never a dull moment,” the singer wrote on her Tumblr, adding the hashtag #hackersgonnahackhackhackhackhack.

TIME Security

Here’s How Obama Wants to Protect the U.S. Against Hackers

President Obama Delivers Remarks On Cyber Security
Getty Images U.S. President Barack Obama delivers remarks at the National Cybersecurity and Communications Integration Center (NCCIC) on January 13, 2015 in Arlington, Virginia.

Information sharing and better prosecution of hackers

President Obama unveiled a new proposal Tuesday aimed at protecting businesses and the government from hackers. The President’s plan would encourage public and private sector information sharing as well as expand law enforcement’s authority to prosecute digital criminals.

The proposal, announced at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, comes in the wake of high-profile hacks against Sony, Home Depot, J.P. Morgan and other companies over the past year. A wide array of businesses and police groups have been calling on Congress to pass new cybersecurity legislation as a response to those incidents.

On the corporate side, Obama’s plan would require businesses to notify consumers if their personal information has been exposed to hackers, as in the case of the Target and J.P. Morgan hacks, for instance. Additionally, companies would be protected from liability for sharing digital threats with the Department of Homeland Security, which would then share those threats in databases accessed by the private sector.

For prosecutors, the White House’s package would let them better target the sale of identity theft software and computer networks used by hackers. It would also criminalize the overseas sale of U.S. financial information.

Both government representatives and private companies have long demanded many of the steps highlighted in Obama’s proposal. Just last week, Admiral Michael S. Rogers, director of the NSA and commander of U.S. Cyber Command, said Congress should pass legislation that improves coordination between U.S. intelligence and the private sector.

“We have got to create partnerships that bridge the divide between the private sector and the government,” Rogers said at a conference in New York City. “I don’t think it’s realistic for the private sector to deal with [cyber threats] all by themselves.”

A coalition of businesses, meanwhile, has already voiced support for the new plan.

“Collaboration between industry and government to share threat information is crucial in the fight against sophisticated and persistent cyber criminals,” said Nicholas Ahrens, vice president for cybersecurity and data privacy at the Retail Industry Leaders Association. A number of RILA members, including Walgreen, Target, Nike and JCPenney, began sharing data on cyber threats last May.

It’s unclear, however, if an Obama-backed cybersecurity bill will make it through the Republican-controlled Congress, which has in recent years failed to pass similar measures.
