Mask Your Emails with SimpleLogin

Ricky: So today, I’m going to be interviewing Son Nguyen, the founder of the masked email service simplelogin.io. In a previous video on why you should use a different email address for every account, we showcased AnonAddy, and how you can use it to secure your online privacy and personal cybersecurity. SimpleLogin is an alternative service that you can use as well. And this time, we have the honor of speaking with the founder himself. Son, so glad to have you on the show. Son: Hey. Ricky: So let’s just get right into it. In all transparency, I’ve never used SimpleLogin before for my personal use. I kind of got started off with a lot of these different forwarding services in the past.

So, maybe walk me through setting it up. Son: Yeah. Ricky: Okay, so Son, tell me, what do I need to do? Son: Yeah, so actually there’s different ways of using SimpleLogin. I think the most simple one is to use SimpleLogin browser extension. Can you go to SimpleLogin.io? Ricky: Okay, so I’m on simplelogin.io. Get SimpleLogin for Firefox using a plug-in? Son: Yeah. Ricky: So for convenience sake, I already created an account ready to go. But if I were to create a new account, we would just put our email and password there, correct? Son: Yeah. Ricky: Alright, so let’s get started. I already have an account that I created. What software stack did you use to develop the web app? Son: SimpleLogin is based on Python. Ricky: Gotcha. So what is this step all about? Son: SimpleLogin will display a small icon on every email field, so you can quickly create a new email alias. In order to do that, SimpleLogin needs to have a permission.

So this permission is not obligatory, you don’t have to allow SimpleLogin to have this permission in order to use SimpleLogin. If you don’t allow this permission, then you wouldn’t have the small icon display on the email fields. But you can still create new alias by right clicking on the website. Ricky: Awesome. So in this case, I’m going to just approve. So now all we have to do is click this icon? Son: Yeah. You can also create a new alias by opening this add-on. Ricky: Okay, so let me create this alias. Let’s go sign up for a Reddit account. From name should be maybe the name if I’m going to respond to an email, is that correct? Like the name to display? Son: Yeah, exactly. Ricky: Okay, I’ll call it Groucho Marx. Save and back and now we have a reddit.com email registered. So if I go to Reddit, and I click sign up. So as you can see, we have a SimpleLogin email here, the icon. So if I click on that, it will automatically populate? Son: Yeah. Ricky: How is it able to detect that email for this site?

Son: So actually, what happens behind the scenes is, SimpleLogin scans the website and finds the input element, and it will add the small icon in this element, so we can click on it. Ricky: So this generated a new email for me based off of the URL. If I wanted to use the one that I generated myself manually, I would have to open this click to copy. Son: Yeah. Ricky: And then put it in there. Son: Yeah. Ricky: I see. So let’s go ahead and just continue with the new one it generated. For the username… Son: Actually, we can click on the right. So Reddit, proposes some option for username. Ricky: Okay, click on the username there to populate that. Password, let me generate whatever that password is. Everybody can see that, super strong. I like how you use hCaptcha for SimpleLogin rather than reCAPTCHA because reCAPTCHA has gotten very annoying over the years. Son: Yeah, I hate the reCAPTCHA. It’s slow, it’s hard to get right.

And it’s unpredictable, like sometimes they ask for reCAPTCHA like for no reason at all. And that’s why I look for an alternative and hCaptcha seems to be better. It’s also more privacy friendly. Ricky: Okay. So now, I’m signed up. If I want to go to this SimpleLogin website. You also have a web portal for me to manage these emails, right? Son: So actually, we have different versions of SimpleLogin; on the web, via extension, on mobile application. And the web version, it actually is the most complete version. That’s why you can find advanced options like custom domains, adding new mailboxes, directories, enabling Yubikey. Ricky: Ah, so you can authenticate with a security key, like the U2F FIDO standard? Son: Yeah. Ricky: So, pretty straightforward. Any particular settings or tabs you wanted to go over or highlight? Son: Yeah, I will suggest going to settings, and at least enable multi-factor authentication. Because it’s always more secure. Ricky: So I’m not going to set that up right now. But you have the code or even better is using a security key. Son: Yes, this one is even better. Ricky: Okay, can you talk about the domains? Son: So by default when creating a new alias, we’ll use SimpleLogin domains. So you have a bunch of domains that SimpleLogin offers.

But you can also create alias with your own domain. So let’s say if you own a domain called ricky.com, you can create alias like contact@ricky.com or hi@ricky.com, so you don’t have any limit when creating new aliases. Ricky: So in terms of mailboxes, you had mentioned earlier, we can create multiple mailboxes to set for forwarding these emails to. So you can have multiple people receive a copy of the messages. Son: Yeah, and actually, that’s how we manage emails in our company as well. So for each team member, they have their own mailbox. And when creating a new alias, we can choose the team member who will receive emails for this alias. So we can create, for example, iOS@simplelogin.io, which is forwarded to the iOS guy. Another one, support@simplelogin.io, and all emails sent to this address will be forwarded to the support person. Ricky: So we have some how-to-use instructions there.

For the aliases, can I create a custom alias rather than our randomly generated one? Son: Yeah, you have two ways of creating new alias. You can create a custom alias where you can customize the alias depending on whether you have your own domain or not. If you don’t have your own domain, there’s always a random string added to the alias to avoid people taking all the nice aliases. But if you have your own domain, then there’s no random bit, and you can name the aliases the way you want. Ricky: Got it. And so if you use a custom domain, you also avoid maybe these domains being blocked by the sign-up provider. Son: Yeah. Ricky: But at the expense of being more unique because if everyone’s using these ones, you get some extra privacy benefit. Son: Exactly. Ricky: Yeah. So Son, that was really cool. Thank you for the walkthrough. Because I’m looking into using SimpleLogin for some of my accounts as well. When did you start SimpleLogin and why did you build it? Son: Yeah, so back in 2019, I watched the Snowden movie, and I became more conscious about protecting my online privacy.

And I see that we usually use the same email address everywhere. So email address is like our online identity. So if we use a single online identity on all websites, we can be tracked easily on the Internet. And that’s why I created SimpleLogin, with the goal of helping users to create a different identity for every service, for every website. Ricky: Let’s get into some of your personal recommendations for cybersecurity in general. What are some things you do personally to stay secure? Son: Yes, actually for protecting my security, the first thing I recommend is to use a password manager, so that you can create a different password for every website because it helps you to create a different password very easily. And it also helps you to remember the username and password you use for each website, so you don’t have to remember yourself. SimpleLogin is rather for protecting your privacy, and not directly security.

But actually, when you have your privacy protected, your security will be improved as well. An example is, when you have different identities for each website, then it’s hard to know about your online behavior. And it’s really hard to create a phishing attack, for example. And actually, phishing attack is the most dangerous, I would say, hacking technique for companies, for corporations. Ricky: Got it. So, back in the day, privacy and security, they may have been two separate things that were kind of related. But as we’re becoming more digitally intertwined, those two things are slowly coming together. So in order to maintain a strong security, you also have to maintain a very strong privacy as well. And to be able to compartmentalize all those email addresses is a really good way to help you do that. Because as we all know, companies suffer data breaches all the time, and your email is going to get out there eventually.

Son: Yeah, exactly. And if you want to check whether your email has been lost, you can use a service called, “Have I Been Pwned.” And most of the time, you will see that your emails are already lost to a spammer. And the second thing, I think the most important thing about security is to be careful, like do not click on any links that you receive. When you receive something that you don’t expect, do not open any file, or run any script that you copy from the Internet. For my parents, what I recommend is to talk to them about security risks, so that they know that there are a lot of risks on the Internet. And we have to be cautious when we talk with someone over the Internet because we don’t see that person. And that person can be anyone, can be a bad guy who tries to steal our information, or our credit card. And I also ask them to basically be cautious, like, whenever they receive an email that seems a bit strange, don’t click on it. Right click on the link, copy the link somewhere.

And most of the times they will see that the links are not pointing to the website as it claimed to be.

Ricky: Awesome. So one huge concern is children who are studying or going to school from home, and they’re online now. Especially with the kids who are just growing up with iPhones and iPads in the crib, do you see SimpleLogin as maybe a tool that parents could use to help their kids stay secure online until they’ve grown and developed the maturity to protect themselves? Son: Yeah, so actually SimpleLogin is used by a lot of students. The premium plan is free for students, and I think it’s a good idea to start protecting our online privacy as soon as possible. So why not talk about some basic measures to protect our online privacy to our children, so they can start to be more cautious. Yeah, it’s possible you can have multiple… we call that mailboxes in SimpleLogin, so one for yourself and you can set maybe another one for your child. So any email that is sent to the alias will be forwarded to your email and to your child’s mailbox.

Ricky: So there’s also a lot of people who have a defeatist mentality. And they say, “Oh, no, my information’s already out there and they… I just can’t do anything about it.” What is your response to those people? Son: Yes, actually, it’s like the most frequent arguments that people give when they talk about privacy. It’s very similar to saying, “I don’t have to protect my privacy if I have nothing to hide.” And that’s actually wrong because privacy is a right. It’s like free speech, you have the right to privacy by default. And if you don’t protect your privacy, some bad person can use your data to make you do things that they want. And obviously we want to be in control. We don’t want to be told to do things by someone else. And the last thing is, if people don’t care about their privacy, they just give me their Facebook account, or their bank account because they have nothing to hide, right? So why not give me the credentials?
That’s how I try to convince people to be more conscious about privacy.

Ricky: So how is SimpleLogin different from a lot of the other burner email address services out there? Son: SimpleLogin uses a concept called email alias. An email alias is different than the burner email address. When an email is sent to an email alias, the email is forwarded to your personal mailbox, whereas with a burner address, the burner address will disappear after a short period of time. An email alias exists forever just like a normal email address until you disable them or delete.

Ricky: So the difference between SimpleLogin and many other masked email address services is that, SimpleLogin gives you actual aliases, which you can send and receive, they’re tied to your account. Whereas the other services, they are kind of just throw-aways that they might be recycled or disappear. So if you sign up for anything, you might not know if they’re still going to be around, as I understand. Can you talk us through some of the most requested features for SimpleLogin, and maybe some of the ones you guys have implemented and are really proud of? Son: Yeah, actually we have a lot of requests from users because we have an open roadmap that anyone can go and vote on to the features that they want to see happen in SimpleLogin. And the feature that gets a lot of requests was to support PGP encryption. If you have PGP email address, you can upload your PGP public key into SimpleLogin. SimpleLogin will encrypt the email with your public key, so that the email stays encrypted. And even your email provider cannot read your email. So this feature is very tricky to implement because PGP support is still quite sparse even for Python. In order to use PGP, we pipe the input and the output to the GPG binary. So GPG is an implementation of PGP. So because we do the piping, it’s not really reliable. Sometimes it can fail. Sometimes we can have errors that we cannot catch.
And that’s why for PGP, we need to have a fallback in case like the default PGP encryption doesn’t work. Yeah, so let’s say you are using Gmail, and you know that Google can read your emails too, as it analyzes your emails in order to send you personalized advertisements. But if you enable PGP in your Gmail, which is quite easy with some Chrome or Firefox extension, emails can only be read by you and Google. If somehow Google loses these, a bad guy cannot decrypt the email, so only you can read your emails.

Ricky: Got it. So when you enable PGP, all of the emails that get forwarded to your main inbox are actually encrypted. So you won’t be able to read them, unless you have a way to just natively decrypt it inside of that client, or you download it and decrypt it manually. Son: Exactly. Yeah, you can read it only if you have the private key. And you can either read the emails inside your browser; if you install some PGP browser extension, or if you download the emails locally via an email client like Thunderbird, or the Mac mail application, you can enable PGP locally.

Ricky: Do you see any spammers or people abusing your service just by threat actors? Because with any service or utility, you can use it for good or bad. It’s all in the intention. What are you doing about it? Son: Yeah, that’s a really good question. So for any email service, we got a lot of attacks from spambots, people who want to send spams from your email server, so that they can send spam to a lot of people. And you have to be careful to block these attacks. You also have people who try to use your service, or they sign up for your service, and they try to send emails, spam emails, from your service to other people. And in order to deal with this kind of abuse, we have different layers of security. We also have some automatic email scanning to avoid spam getting out of SimpleLogin. So we use an open-source software called SpamAssassin to scan for spam.
And we also set up a lot of filters in Postfix. So Postfix is a popular email-sending program. We set up a lot of filters in Postfix to reject all emails that look suspicious.

Ricky: Can you talk a little bit about your background, and how you came about to become a software engineer? Son: I came from Vietnam. So back in high school, I studied a lot of mathematics. And when I moved to France to start my university, I picked computer science because I’m very interested in playing around with computers. So I played around with different Linux distributions. I love typing in the terminal, doing some hacking things. So I think it’s quite obvious for me to become a software engineer. I worked on several different roles in software development. So right out of school, I worked as a back-end engineer in an advertising company. So that doesn’t suit me well, so I left the company. Advertising is very challenging in terms of technology because we have a lot of data to deal with. And the response time is very small, you have to stay under 100 milliseconds in order to win a place to show your ad. However, you learn a lot about privacy as well when you work for an advertising company. You know that it’s quite easy to track users. You just use an iFrame on a website and then you can track their behavior, you can know what they are seeing. You can buy data from other companies or you can create an SDK. The SDK will send back to you the data that users see when the SDK is integrated in a mobile application. And after that, I only worked for startups. I worked as architect, as DevOps. And after that moving a bit towards a lead developer, project manager, and then human manager.

Ricky: Where do you feel like you got the most development and learning? Was it in school or working and coding, and trying things out on your own? Son: Yeah, I learned a lot when creating a product from scratch. Because in school, we don’t practice enough.
And in big companies, most of the time, we do a lot of maintenance. And we try to add small features, incremental features. But when you work on a product from scratch, you have to learn a lot, you have to learn about grinding the backend, maintaining the database, protecting the server against attacks, etc. You learn much more when working on a project from the beginning. There’s a lot of things to consider. So first of all, you need to create an API on top of the tool to expose the data, so that the client can use. And after that you have to think about whether you want your tool to be used by somebody else. In this case, you might need to add a bit of authentication to your web application. Depending on the tool, you also need to think about what libraries that you have to use. For example, if your tool provides a lot of graphics of charts, for example, then you might need to look at some JavaScript libraries for displaying charts inside the browsers. On the back-end side, you have a lot of choice because there’s a lot of languages that you can use to do the backend, you can use Java, Python, Ruby, etc. On the front-end side, it’s a bit easier because you just need to learn HTML, CSS, and JavaScript. But then in JavaScript, you have a lot of frameworks like React, Vue, Angular, that you don’t have to learn in order to do front-end. Actually, it is even better that you first create the front-end without using any framework, and little by little. A little bit of maybe React too, to add some new features. And by doing that, you will learn much more about the front-end.

Ricky: So your path towards becoming a webapp developer was a little bit formal academic training, but you realize that didn’t really expose you to all of the universe of what you needed to actually become very proficient. So how do you go from one to maybe where you are now like ten? Son: Yeah, I don’t think I’m a 10 right now, maybe 5 or 6.
But I think, life for me is, the way to learn is to try different projects. So I work on a lot of different side projects, or even startups, ranging from a web application to mobile application to machine learning. And by doing that, I learned a lot of things about software development.

Ricky: So as I understand, you’re in France, Paris, specifically. What’s the tech and start-up scene there like or cybersecurity world? Son: Paris is actually a start-up hub in Europe along with London and Berlin. So there’s a lot of start-ups that come from Paris. And before COVID, there were a lot of meet-ups, conferences, about how to start your start-up, how to raise funds, and actually, the government also gives a lot of help to start-ups. However, in terms of security startup, I don’t think there’s a lot of startup in France who focus on security.

Ricky: What are some things you do apart from tech stuff and SimpleLogin? I understand that this is a startup and your time is mostly spent on it, but maybe some hobbies or things you do on the side? Son: Yeah, I love to travel, especially after quitting my previous job to work on SimpleLogin, with my wife, we kind of traveled around the world before COVID. Now that the COVID becomes a little bit more difficult to travel. So now most of the time, I either watch football or badminton games. And if the lockdown is lifted off in France, then I go to the gym to play badminton.

Ricky: Is Paris lockdown over there right now? I saw like pictures of like massive traffic jams of people just leaving. Son: So it’s the second lockdown. The first one finished in May, I think. But after that they realized that the number of cases doesn’t start to decrease, so they decided to start the second lockdown. Ricky: Wow, I hope everything is going well there. It’s not like as tech guys. You need to go outside every once in a while. But not that often, so I’m sure you know you’re doing fine. Son: Yeah.

Ricky: So Son, thanks so much for coming on the show, and sharing with us your project, SimpleLogin. I think it’s a fantastic tool, and the work that you and your team are doing. And thanks so much for coming on, and hope to see you soon! Son: Yeah, big pleasures.
