[ On Friday, January 7, 2005 at 17:00:32 (-0800), Marc Perkel wrote: ]
> Subject: [exim] Securing Email for the prying eyes of any government
>
> Lets assume we have a powerful and corrupt government who wants to read
> incoming email of a nonprofit organization trying to fight government
> corruption. If the org has a server for it's email - the governmet could
> tap the closest router and see all the unencrypted email coming in - and
> most email is unemcrypted. So - how would this org prevent this?
They simply _MUST_ refuse all un-encrypted mail. Really.
If you/they are that interested in securing privacy for e-mail
communications then you/they really must insist that _all_ your
correspondents use PGP (or something as good).
There is nothing else truly sufficient -- your scheme is easily bypassed
and you should not under-estimate the ability of such a foe to get their
prying eyes on anything and everything readable if it crosses any public
network in un-encrypted form.
(of course once all the public network traffic is secured then physical
_and_ systems security of the internal network and computers becomes
ever more parmount as they are the only remaining juicy targets, other
than the humans involved, of course; but then the internal security
should already be extremely important)
Note though that it would be possible to achieve some level of security
that might be sufficient if one could host one's IMAP/POP server in some
location that's guaranteed to be out of reach of the spies and then to
always use IMAP/POP over SSL to read the mail.
The best solution might be some combination of those two though.
Initial contacts could be made via the remote mail server(s) so that PGP
keys could be signed, etc., then all ongoing communications would
continue using PGP. It is most critical that _all_ communciations, not
matter how mundane, always be encrypted. Even then the information
leaked in headers, etc., about who talks to whom is extremely valuable
to anyone gathering intelligence on an organization.
There was a documentary film made (and broadcast here in Canada)
recently about some computer science students from the University of
Toronto who visited South American (IIRC) to learn about activism
(IIRC), and to volunteer their skills to help secure the computers and
computing procedures being used by various groups they met. In the film
they mentioned the fact that they were quite stunned to find that many
of the computers they encountered had almost certainly been penetrated
by "unfriendly" foes.
FYI, I myself worked for a time for NIRV/Web Networks (web.net), the
Canadian APC.org affiliate, back in the early 1990's. Web faced similar
issues then (and probably still does), though as the communications
facilitator for NGOs Web was not usually directly involved with those on
the "front lines" so to speak.
--
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
