 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
John Chambers wrote: > [...] Case in point: For much of the past three years, I've done > some consulting work for a big comm company (which one isn't > relevant here), and I did much of the work at home. The team was > scattered around the world, so at the start there was some > discussion of which email addresses we should use. If your communications are *at all* sensitive, why oh why aren't you using something like PGP or VPN to protect them the entire way, rather than just to the next hop? To think you've gained anything by such partial protection seems a bit dangerous, don't you think? > [...] This isn't a trivial concern. We've already seen such things > as: The "child protection" filters routinely block not only porn, > but also web sites of the filterers' competitors. Are you referring to an ISP, or an enterprise? Different rules apply for each. > [...] And last year, msn.com was caught extracting things (mostly > images) from their customers' email and using them in ads. Hadn't heard about that one. Do you have a URL with details? > [...] In any case, the concern is obvious: If an ISP can intercept > messages to/from tech workers like me, they have a very good tool to > find out what their competitors are planning. Again, if you're doing work via email that's even remotely sensitive, why aren't you using any of the readily available tools to protect those messages in transit? Isn't the whole argument that having to go through your provider's mail server consitutes a compromise of security is off-base? Yes it is, but then so is every successive hop the message takes. Unless you're certain every member of your teams runs their own SMTP server (and is the MX for their domain), your entrusting the security of your project to any number of "other" servers anyhow. And even if each team member DOES operate their own SMTP server, set up as MX for their domain, anybody who's played with the dsniff suite, or even rudimentary network tools such as tcpstreams has seen the simplicity of capturing tcp streams on the network. If I'm truly up to no good, and operate a network that competitors might use, setting up a capture for SMTP traffic en-route is no big deal. The fundamental problem is that SMTP is insecure. > This gives them advanced warning so they can take steps to block > their competitors' intrusion into their market. This is a great idea > if you think that communications should be under the control of a > private monopoly. If you're not encrypting, you're fooling yourself to think you're protected in any way, or from any party! > If you want to be able to communicate as you wish, or if you like to > have alternative ISPs, you might give the subject a bit more > thought. If you want to communicate *securely* with others, I'd suggest the same. > [...] I've recently received spam messages that were > invitations to conferences dealing with just this topic. The hot > new idea is using IM as a source of commercially-useful information. > This is easy, because IM almost always goes through a > corporate server. The technical challenge is that IM contains less > information than email. Again, why oh why are you using IM to communicate sensitive information when secure (or at least "more secure") alternatives are readily available. - Bob
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
