Interview: Nathaniel Borenstein, Chief Scientist at Mimecast

Before spending time with Nathaniel Borenstein, I had to clarify a few points with him – both that while he did co-create the Multipurpose Internet Mail Extensions (MIME) format, he did not in fact play a part in the foundation of the company where he now works – email security vendor Mimecast.

“The actual story is very funny: I had been at IBM for eight years and I saw an advert that was related to me for a company called Mimecast and my first response was ‘how can they do that, how can they use my standard’? So I checked the company out and thought they were really interesting and asked if there was anything I could do, but the downside is everyone assumes I am the founder!”

In terms of MIME, I was keen to learn about Borenstein’s theory on creating this, and he approved my vague description that it is about more than text emails, saying that one reason it worked at it met the needs of several different ‘constituencies’.

“I came from a background of building experimental multimedia and sound systems and when we showed it there were a steady streams of people coming to get demos, and one of them was Steve Jobs who was at NeXT Computer and tried to hire my whole team. I was fine with it, but what was disturbing is that his users could send each other pictures, so my motivation was the standard on multimedia.”

Borenstein said that one such ‘constituent’ was international users, as 7 bit ASCII was fine for the USA and in the UK it was almost fine, but in most places a set of characters appeared differently - so if a Japanese researcher went to Israel and received a message, it would appear as collection of Japanese and Hebrew characters.

“Another constituency was gateway as email gateways lost information, so we had to do that right,” he said, explaining that having worked with CERN ‘just as the web exploded’, all communities were invested in making it work.

"Spam pre-dates MIME and he knew there would be more problems, 'but I didn't anticipate the problem or the scope of the problem'."

Moving on to the current state of email security, I asked him if he looks at it and feels like it is in a good place while it remains prevalent. “So email security, it’s not an oxymoron but people often ask me whether we focused enough on security as we were trying to build something that everyone could participate in and didn’t need a central authority and so on, and to this day I believe that the only way we could have strongly secured and authenticated email would be to have an autocratic rule in government - which is probably not worth it.

“Email security has always been chasing the state of email and when scanning and viruses came along you had to figure out how to deal with them and with each innovation from the bad guys, the good guys have to keep up. I get asked a lot ‘why didn’t you keep up with the bad guys’ and the answer is that the bad guys could have gone in all sorts of ways.”

Borenstein said that now, we are addressing a vulnerability that no one knows about and we need to be concerned now, and that is an example of being proactive. If a variant on a phishing scheme comes in, we need to react to it right away.

Enabling attachments, is the source of ransomware set at the base of the MIME standard? Borenstein said that if you’re getting a million messages a day and ten are spam, and if in two years you reduce it down to one, Moore’s Law suggests that the spammer will send ten million a day and ten get through – ‘so Moore’s Law favors the spammers but it doesn’t favor people like us’.

“You can put in tons and tons of processing power. but it doesn’t really work as very often the basic concept is that if we have stopped nine out of ten USB attacks, if I were the bad guy I’d give away more USB sticks at conferences.

“This is why it is really important for companies with the most to lose to know that attacks hit the weakest target, and it is not possible that your email will be perfect but you just have to be better than other people as the bad guys not going to waste time on you.”

In terms of retrospectively fixing email, Borenstein said that spam pre-dates MIME and he knew there would be more problems, “but I didn’t anticipate the problem or the scope of the problem”.

He also said that he did not anticipate that companies focused on email security “could be big enough to go public”, but he did do some things to try and contain the problem including RichText, and that was replaced with HTML. “So a fair number of the problems that are around now come out of HTML, so anticipating it didn’t stop it”.

He said that one thing he used to say ‘in the bad old days’ about email security was that customers will pay any price for security, as long as it is free – when they find out if is $1 per user extra, they back off, while now we have crossed the threshold where people pay for the extras.

“How much extra will you pay for Gmail security? As Gmail offers a certain level of security for free, so it comes down to who is the target as if you are a financial institution you want the best security you can [get] as if your data is stolen you need to be able to say in court that you got the best protection possible as if you did not, it will cost you way more.

“If you want something to be kept secret, don’t put it on the internet! Another thing I’ve been saying for the past 20 years is one upside, the more we lose our privacy the more tolerant we become of another – the last thing that came out of Pandora’s Box was hope, so maybe we’re all nicer to each other.”

He concluded by saying that he felt it would be a long time before we have figured out all of the email attack vectors, as when MIME was developed there were 17 content types and now there are over a 1,000, and as long as there is innovation going on in how people communicate, there will be a role for email security.

“If you’re a fourth grader and everyone uses WhatsApp, you’ll use WhatsApp. When you get your first job and you say to your boss that you don’t use email and you want to use WhatsApp as it has become the common denominator for business.”

What’s Hot on Infosecurity Magazine?