“a minimal site with prewritten emails”–Canned Emails
Nice way to ease yourself into the philosophy of five.sentenc.es. Still, you have to use your judgment. Email isn’t always the best medium, e.g., don’t break up with someone over email or text.
“To examine our inboxes is to examine our lives: our desires and dreams, our families and careers, our status, our networks and our social groupings, our projects, our commerce, our politics, our secrets/lies/fetishes. Inboxes are anthropological goldmines, textual archives, psychological case studies, waiting to be plumbed and probed for the expansive cultural, ethical, epistemological, and ontological insights lurking therein.
On second thought: they are probably not waiting to be probed, but actually being probed, scanned and algorithmatized, by Google, Amazon, the National Security Agency, the Russians, Julian Assange, employers, ex-lovers who remember your password, current lovers who install surveillance software on your laptop to monitor emails to your ex-lover/next lover, hackers who create fake networks on any public wifi you log onto, and/or anyone else who cares to discover whatever “secrets” you are secreting into the tubes.
It makes more sense to assume your email is a public document than to cling to improbable expectations of privacy. The Post Office made a point of delivering our letters sealed, intact. But the email overseers can read through our inboxes at will without us being any the wiser, and they let others look too…”—Randy Malamud, “The Inbox: A Scattered, Ad-Ridden Archive of Our Lives.” Literary Hub. October 9, 2019.
Every time I see something like this I can’t help wondering: does this person not realize that you can pay for email and by doing so, you can eliminate advertising and have a reasonably secure email archive? Off the top of my head, Protonmail, Posteo, Tutanota, and Lavabit are all reasonable choices for an email provider.
The netiquette section of OpenBSD’s mailing list page is excellent. It is a distillation of how to communicate online, i.e.:
Using only plain text is extreme outside of email. But, the idea that formatting should not get in the way of content is good. Know what you are talking about. Help others to understand. Give them all the relevant information. Trim out anything that does not move the discussion forward or is confusing. Treat everyone with respect.
It’s good advice for any kind of communication and for life. It’s relevant to writing an email, a newsletter, a blog post, an article or anything else you may do.
“Are you the sort of person who needs to read and file every email they get? Or do you delight in seeing an email client icon proudly warning of hundreds or even thousands of unread items? For some, keeping one’s email inbox with no unread items is more than just a good idea: it’s a way of life, indicating control over the 21st century and its notion of productivity. For others, it’s a manifestation of an obsessively compulsive mind. The two camps, and the mindsets behind them, have been a frequent topic of conversation here in the Ars Orbiting HQ. And rather than just argue with each other on Slack, we decided to collate our thoughts about the whole ‘inbox zero’ idea and how, for those who adhere to it, that happens.”
—“Inbox zero and the search for the perfect email client.” arstechnica.com. May 13, 2018.
There is no perfect email client. You have two choices.
1. Let things sit in your inbox and deal with new email as it comes in.
2. Configure filters, file and delete email, so you don’t have email collecting in your inbox.
There is a right answer. The ability to manage email is a basic 21st century skill. Maybe artificial intelligence and your email client will one day do it for you, but currently, it is a skill you just need to learn.
“[Email tracking] tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online…
…To prevent third-parties from leaking your email, meanwhile, Princeton’s Englehart says “the only surefire solution right now is to block images by default.” That is, turn on image-blocking in your email client, so you can’t receive any images at all.”
—Brian Merchant. “How Email Open Tracking Quietly Took Over The Web.” Wired. December 11, 2017.
As discussed in my post A Text Only World, there is no surefire way to stop this kind of tracking. Even if you use text-only email, which isn’t a bad idea, you will still be tracked if you follow links and so forth. But sticking with text over HTML is often a more secure and less convenient option.
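The mechanism the Wired excerpt describes, seen from the recipient's side, as an added example that is not part of the original post: it lists every remote reference in an HTML message and separates what is requested on open (tiny images, other images, CSS and font imports) from links, which are requested only when followed. The sample message and all hostnames are constructed, and `remote_references` and `fetched_on_open` are hypothetical names.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message, not taken from the article.
SAMPLE = """From: news@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>@import url("https://fonts.example.com/f.css?u=42");</style>
</head><body><a href="https://click.example.com/r?u=42">Read more</a>
<img src="https://t.example.com/o.gif?u=42" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="600" height="120">
<img src="cid:logo"></body></html>
"""

REMOTE = re.compile(r"https?://", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)

class RemoteRefs(HTMLParser):
    """Collect (kind, url) for every reference that points outside the message."""
    def __init__(self):
        super().__init__()
        self.found, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "img" and REMOTE.match(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.found.append(("pixel" if tiny else "image", a["src"]))
        elif tag == "a" and REMOTE.match(a.get("href", "")):
            self.found.append(("link", a["href"]))  # requested only on click
        elif tag == "style":
            self.in_style = True
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:  # remote fonts and stylesheets pulled in by CSS
            self.found += [("css", url) for url in CSS_URL.findall(data)]

def remote_references(raw):
    """Return remote references found in the text/html parts of a raw message."""
    parser = RemoteRefs()
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.found

def fetched_on_open(refs):  # what a client requests just by rendering the mail
    return [url for kind, url in refs if kind != "link"]
```

With images and remote content blocked, only the `link` entry can still report back, and only if it is followed.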
“Security-conscious users must demand that their email providers offer a plain-text option. Unfortunately, such options are few and far between, but they are a key to stemming the webmail insecurity epidemic.
Mail providers that refuse to do so should be avoided, just like back alleys that are bad places to conduct business. Those online back alleys may look eye-pleasing, with ads, images and animations, but they are not safe.”
—Sergey Bratus and Anna Shubina. “The Only Safe Email is Text-Only Email.” The Conversation. September 10, 2017.
Taking the position that “the only safe email is text-only email” is problematic for two main reasons:
To see the problem in this position, let’s logically extend it to a more radical position. Why stop with email? Why not also advocate for the use of text-only web browsers?
I exclusively use text-only email and use text-only browsers on occasion. I think they are great. They are faster. They cut down on advertising, tracking and other nonsense. For users with visual impairment, they are an obvious choice and work better with text-to-speech software.
Which brings us to the key point: security comes at a cost. If you choose a text-only email client/provider or browser, then many of the emails you read or the websites you visit will not work as the author intended. This can protect you from the occasional phishing website or email containing a virus from a criminal organization. But it’s no guarantee. Further, for every email or website this protects against, there will be thousands of legitimate emails and websites that will not work as intended.
The reality is, by selecting text-only email, you’ll start to see many emails containing text like the following: “If you have trouble viewing this email, read the online version: [link]”, and it will become second nature to copy and paste that link into a modern browser to see the “correct” version of the email. Changing to text-only email does provide a little more incentive to think about the link, but for most people, it will introduce a lot more inconvenience, and the change will have little impact on their security.
Update: August 2019. In August 2017, I wrote this post to document my process for getting gpg2 working on OpenBSD 6.1 after not finding a straight-forward explanation online. In the two years since, I have used these notes to set up mutt on both OpenBSD and several varieties of Linux, such as Debian derivatives, Arch and others. With a little work, I have managed to get mutt working on each of these systems.
In the update, I went through and cleaned up the post a bit for clarity and fixed some formatting now that WordPress has better options for including code. If you are trying to get gpg/gpg2 working with mutt, hopefully, this will help you too. If you find errors, please feel free to comment below and I’ll try to fix them.
[OpenBSD] # pkg_add -i mutt gnupg
A series of options will display. Pick the current version of mutt-1.8.0v3-gpgme-sasl and gnupg-2.1.15p2.
[Ubuntu/Debian] # sudo apt-get install mutt gnupg
Change to the relevant package manager equivalent if you don’t use apt. You may also need to add cyrus-sasl to your package manager on linuxes without it baked in.
[OpenBSD] $ cp /usr/local/share/gnupg/options.skel ~/.gnupg/gpg.conf
[Ubuntu/Debian] $ cp /usr/share/doc/mutt/examples/gpg.rc ~/.gnupg/gpg.conf
On Ubuntu/Debian, this step might not be necessary. If using gpg2, you’ll need to substitute gpg2 for all the gpg commands in the config file should you need it.
    # Enable gpg-agent
    use-agent
    pinentry-mode loopback
This step seemed required on OpenBSD. On many varieties of Linux, it does not seem to matter. I’d guess gnome has something that automagically handles this in the background.
On some linux distros, this step may already be taken care of for you.
$ gpg2 --decrypt file.sec.gpg | gpg2 --import --batch
If you don’t have gpg keys yet, check out man for gpg or the Ubuntu privacy documentation for details about doing it.
$ gpg2 -K
Important step. It’s very easy during the import process to type in a key, password, or command wrong and not import your secret keys. I ended up troubleshooting my mutt configuration for a couple of hours before I figured out it wasn’t working because I didn’t have my gpg keys on my keyring. Save yourself this trouble and check.
    set imap_pass = "yourpassword"
    set smtp_pass = "yourpassword"
Save this file to ~/.gnupg/email-password.gpg
$ gpg2 --encrypt /home/cafebedouin/.gnupg/email-password.gpg
Put the following in your ~/.mailcap file or create one if it doesn’t exist. Install lynx or another text browser of your choice. If different, change lynx to the alternative in the text below.
    text/html; /usr/bin/firefox %s >/dev/null 2>&1; needsterminal
    text/html; lynx %s; copiousoutput; nametemplate=%s.html

    # .muttrc

    # GPG
    # gpg.rc is unnecessary on some systems.
    # On OpenBSD, you're probably going to need it.
    # OpenBSD: /usr/local/share/examples/mutt/gpg.rc
    #
    # source ~/.mutt/gpg.rc
    set pgp_use_gpg_agent = yes
    set pgp_sign_as = 0O0ABCDZ # replace with your key
    set pgp_timeout = 7200
    set crypt_autosign = no
    set crypt_replyencrypt = no

    # password: tell mutt where to find your encrypted
    # password, depending on what you installed, you
    # may need to change initial command to gpg
    source "gpg2 -dq ~/.mutt/email-password.gpg |"

    # mailbox configuration
    set imap_user = firstname.lastname@example.org
    # Only need the example.net if your root email address is different from server, otherwise just use your login
    set folder = imaps://email@example.com@example.com:993
    set spoolfile = imaps://firstname.lastname@example.org@example.com/INBOX
    set smtp_url = smtp://email@example.com@example.com:587
    set postponed = +Drafts
    set record = +Sent
    set trash = +Trash
    # mailboxes is a command, not a variable, so it takes no "="
    mailboxes +INBOX
    set hostname = example.net
    set from = firstname.lastname@example.org

    # mutt configuration
    set ssl_starttls = yes
    set use_from = yes
    set postpone = ask-yes
    set delete = ask-yes
    set editor = "emacs -nw" # or vi
    set pager = lynx
    set charset = "utf-8"
    set visual = "emacs"
    set signature = ~/.mutt/sig.txt
    set alias_file = ~/.mutt/aliases
    set mailcap_path = ~/.mailcap
    set fcc_clear
    set noconfirmappend
    set hidden_host
    auto_view text/html # auto render html to text
    alternative_order text/plain text/enriched text/html # read html last

    # Reduce polling frequency to a sane level
    set mail_check=60

    # keep a cache of headers for faster loading (1.5.9+?)
    set header_cache=~/.hcache
    set edit_headers=yes

    # Display download progress every 10K
    set net_inc=10
The line to decrypt your password activates the gpg-connect-agent daemon, and it will not ask you to enter it again for the duration of the pgp_timeout specified in the file.
This should get you to a working set-up to read and write email. If you are having trouble logging in, double check your encrypted password file, particularly if your password requires escaping special characters.
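A pre-flight check for the password-file steps above, added here as an example and not part of the original post. It assumes the muttrc loads the password through a `source "gpg2 -dq FILE |"` line as in the sample config; `audit`, `demo` and the finding messages are hypothetical names. `gpg2 --encrypt FILE` writes `FILE.gpg` and leaves the cleartext `FILE` in place, which is one of the things the check looks for.

```python
import re
import tempfile
from pathlib import Path

CLEAR = re.compile(rb"^[ \t]*set[ \t]+(imap_pass|smtp_pass)[ \t]*=", re.M)
SOURCE = re.compile(rb'^[ \t]*source[ \t]+"gpg2?[ \t]+[^"|]*?(\S+)[ \t]*\|"', re.M)

def has_cleartext_password(path):
    """True if the file holds a readable `set imap_pass/smtp_pass =` line."""
    return bool(CLEAR.search(path.read_bytes()))

def audit(muttrc, home):
    """Return findings for a muttrc that should get its password from gpg."""
    findings = []
    if has_cleartext_password(muttrc):
        findings.append("muttrc sets a password in cleartext")
    sourced = [Path(m.decode().replace("~", str(home), 1))
               for m in SOURCE.findall(muttrc.read_bytes())]
    if not sourced:
        findings.append("no gpg-decrypted file is sourced")
    for enc in sourced:
        if not enc.is_file():
            findings.append(f"{enc.name}: sourced file not found at that path")
        elif has_cleartext_password(enc):
            findings.append(f"{enc.name}: sourced file is not encrypted")
        plain = enc.with_suffix("")  # gpg --encrypt X writes X.gpg and keeps X
        if plain.is_file() and has_cleartext_password(plain):
            findings.append(f"{plain.name}: cleartext copy left on disk")
    return findings

def demo():
    """Constructed layout mirroring the steps above: the cleartext file is named
    email-password.gpg, so encrypting it yields email-password.gpg.gpg."""
    home = Path(tempfile.mkdtemp())
    (home / ".gnupg").mkdir()
    (home / ".gnupg/email-password.gpg").write_text('set imap_pass = "x"\n')
    (home / ".gnupg/email-password.gpg.gpg").write_bytes(b"\x85\x01\x0c constructed")
    rc = home / ".muttrc"
    rc.write_text('source "gpg2 -dq ~/.mutt/email-password.gpg |"\n')
    first = audit(rc, home)
    rc.write_text('source "gpg2 -dq ~/.gnupg/email-password.gpg.gpg |"\n')
    return first, audit(rc, home)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

An empty list from `audit` means the muttrc holds no cleartext password, the sourced file exists where the `source` line points, and no readable copy sits beside it.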