RE: [exim] Securing Email for the prying eyes of any governm…

Author: Exim User's Mailing List
Date:  
To: Jan-Peter Koopmann
CC: Exim User's Mailing List
Subject: RE: [exim] Securing Email for the prying eyes of any government
[ On Wednesday, January 12, 2005 at 08:03:36 (+0100), Jan-Peter Koopmann wrote: ]
> Subject: RE: [exim] Securing Email for the prying eyes of any government
>
> On Tuesday, January 11, 2005 9:06 PM Greg A. Woods wrote:
> > Virus and spam filtering gateways have had a clearly and
> > obviously limited potential right from day one.
>
> Correct. So does end-point security in the form of one virus scanner
> etc. on a user's client (especially Windows client). All I am saying
> is: Currently you cannot have both.


Cannot have both of what?

BTW, I wouldn't put any form of virus scanner in any category anywhere
even remotely related to security tools; and especially not the kind
that go about scanning files on the client system looking for supposed
"signatures" of malware. It's completely the most bass-ackwards way of
going about the task there is and it's ultimately doomed from the start.

Virus scanners of all types are just "management pacifiers" in the end.
They don't really solve any problems, and they get in the way more often
than not, and they can waste enormous resources.


> > Expect more, lots more, and with lots more variations.
>
> We do, which is why we usually do not accept password encrypted ZIPs etc.


How far are you willing to go with that kind of approach? Will you be
willing to reject all PGP and S/MIME encrypted messages too?

(I have been known to reject all ZIP files, not just encrypted ones, but
that was only to prevent overload on the servers, not to protect anyone
downstream or upstream. :-)


> Again I tend to agree but it's not that simple (knowing your answer
> will be "yes it is"). But from my point of view a system must still be
> simple to use.


There's a big difference between making a user-interface that's easy to
use and dumbing down a system so that the underlying implementation is
"easy to use".

> You and I will get along with a more complicated system
> but most users are simply not capable. So either there is a solution
> which works automatically or one that is darn easy to use and does
> _not_ get in the way of simplicity and ease of use.


Proper attention to security awareness doesn't have to impede ease of
use one iota either. Belief that it does is part of the problem.

Of course some people just don't even want to think about security
issues, let alone see them brought into their awareness, but those
people _must_ go the way of the dinosaur if the rest of the world is to
retain any degree of security and privacy.


> Sure there is. Depending on your/the customer's need. If you trust your
> internal network/mail server there is no real problem.


Huh? We're talking here about security over public networks, not what
might happen once the mail has been received (though to some extent
that's quite important too).


> Moreover in
> many cases you do not want to allow real end-to-end user
> encryption. E.g. it would make stealing company secrets and sending
> them off to others too easy. Or the employer is fired and you need
> access to his data. I know about advanced decryption keys etc. but
> depending on your definition that again breaks total security.


Yeah, covert channels, escrow keys, etc. Wonderful stuff.

Any corporate security officer who even dreams of stopping covert
channels isn't worth even a penny of what he or she is being paid and
they'll ultimately do more damage to their company than good.

As for escrow keys, well yes they might work inside the firewall and
have some value there, but for public key encryption they're the
antithesis of what we're talking about here. It's those prying eyes of
many governments who would dearly love to force everyone to use
encryption with back-door holes for them to peep through.

Really, you should give Schneier's book a read. It's well worth the
investment of time and it's not a difficult read (i.e. it's not anywhere
near the kind of book his "Applied Cryptography" is). And it is all
about the very real world of big business and entertainment and personal
use of computers and networks.

-- 
                        Greg A. Woods


H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>