OT how secure is email



jim davies
06-25-2005, 05:33 PM
Sorry for the OT, but how secure is email, actually? If someone knows your email address,
how difficult would it be to read it? Could they also read it at your service provider's website?

Kenb
06-25-2005, 06:30 PM
Email is 99.9% insecure.

Never write anything in email you wouldn’t want in tomorrow’s paper.


BTW If you want secure email - at least as secure as can be, google PGP, at least then only the NSA can read it.

[This message has been edited by Kenb (edited 06-25-2005).]

Fred White
06-25-2005, 06:34 PM
I know they can (and do) monitor e-mails at work if they suspect a problem with the employee. There was a recent article on CBS Marketwatch about employers legally monitoring e-mails and phone usage at work.

If someone wants to bad enough, they can read your e-mail, your computer, your phone, your conversations inside your house, etc....

PaulA
06-25-2005, 09:16 PM
From a simplified viewpoint, e-mail goes from your computer to your ISP's email server, to the recipient's ISP's email server to the recipient. It's possible that it may go through one or more intermediate servers. An administrator on any of the servers has access to the text of your e-mail. The servers may do backups with various retention times that may contain copies of your e-mail, which again could be looked at by anyone with access, or a reason to look.

Anywhere along the track, it's possible to search for key phrases or things like credit card numbers if you have access.

Using PGP at least encrypts the text and marks you out as a troublemaker.

Email is neither secure nor guaranteed to be delivered.

Kenb is right - don't put anything in a message that you wouldn't want published in tomorrow's paper.

J Tiers
06-25-2005, 11:38 PM
Thanks to our friends in the government, trying to help us, your ISP has to keep a lot of records on what URLs you surf, who you email, and when.

Work may also do that.

If they don't, the gov'ment does.

Every single thing you do on the internet must be assumed to be monitored by people who you would NOT like to get in bad with.

That would be our new Sicherheitsdienst, aka "homeland security", aided by the NSA, and whatever Admiral whatshisname is up to with "total Information Awareness".

dp
06-26-2005, 12:14 AM
One of my responsibilities is running the corporate mail servers. I'm also an ISP on the side and so run those servers, too. There's absolutely no security in this business. All along the way mail can be viewed and shared. The only thing preventing more of this is the sheer volume of mail. Sometimes this is perfectly legitimate - mail breaks or gets stuck and it's my job to unstick it. My personal take is that I have to do all I can to avoid reading mail to do my job. I'm pretty good at it - haven't broken that promise in more than 15 years. It is the exception, tho - our M$FT Exchange people have no such discipline.

We've just been requested to copy and preserve all mail coming and going. That means all inbound mail that gets past the spam and anti-virus filtering is saved in a repository and also delivered to the recipient as before. Should they delete anything there's still another copy. Same with outbound mail. About 59% of all inbound mail now is spam. I'm catching 99% of it but some still gets through. If my filters were better we would get too many false positives. Much of what we do with email looks exactly like spam and is difficult to work around. Point is, all the spam that gets through has to be preserved, too. That's about 10,000/week (in a million+/week system). That's a lot of tapes in a year's time. All the mail that goes into the archive is subject to digital scanning for "interesting" content. This is a fallout of the Enron problem. Don't use office mail for anything except office business and assume it is being read by any number of people.

dp

zl1byz
06-26-2005, 01:36 AM
Of course you can encrypt your email message so that only the intended recipient can read it.

I don't know what is around these days but there used to be programs like PGP. I thought that encryption would be standard practice by now but it hasn't really caught on.

John.

dp
06-26-2005, 01:46 AM
PGP only works between cooperating mail users and compatible systems. As you observe it's essentially a non-issue and very impractical, IMHO. Mail transport between servers can be encrypted - my servers all offer ssl encryption, but again, this requires both ends to cooperate and many don't feel it's worth the effort and additional server load. Nearly all mail is exchanged between servers in the clear.
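
As an added illustration (not part of any poster's message): the server-to-server path and the per-hop transport encryption described in the posts above are recorded in a message's Received headers, and this Python sketch reads them back. The sample message is constructed, all hostnames, addresses and queue IDs are made up, and the TLS test assumes servers report the RFC 3848 transmission types (ESMTPS, ESMTPSA and so on).

```python
import re
from email import message_from_string

# Constructed sample: every hostname, address and queue ID below is made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.30])
    by mailstore.recipient.example with LMTP id ABC3; Sat, 25 Jun 2005 21:16:09 -0700
Received: from relay.isp.example (relay.isp.example [192.0.2.20])
    by mx.recipient.example with ESMTP id ABC2; Sat, 25 Jun 2005 21:16:07 -0700
Received: from desktop (unknown [198.51.100.7])
    (using TLSv1 with cipher AES256-SHA (256/256 bits))
    by relay.isp.example (Postfix) with ESMTPSA id ABC1; Sat, 25 Jun 2005 21:16:05 -0700
From: alice@isp.example
To: bob@recipient.example
Subject: constructed test

body
"""

# RFC 3848 "with" types: a trailing S (ESMTPS, ESMTPSA, LMTPS, ...) means TLS.
TLS_TYPES = re.compile(r"(?:UTF8)?(?:E?SMTP|LMTP)SA?")

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments, innermost first."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hops(raw):
    """Return (receiving server, protocol, used_tls) in the order travelled."""
    out = []
    # Each server prepends its header, so the oldest hop is the last one.
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        # Comments may contain the word "with" (see the TLS comment above).
        flat = strip_comments(" ".join(header.split()))
        by = re.search(r"\bby\s+([^\s;]+)", flat)
        proto = re.search(r"\bwith\s+([^\s;]+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        out.append((by.group(1) if by else "unknown", name,
                    bool(TLS_TYPES.fullmatch(name))))
    return out

def cleartext_hops(raw):
    """Servers that accepted the message over an unencrypted connection."""
    return [server for server, _, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for server, proto, tls in hops(SAMPLE):
        print(f"{server:30} {proto:8} {'TLS' if tls else 'cleartext'}")
```

Each Received line is written by the server named after `by` and is only as trustworthy as that server. A TLS hop protects the connection only; every server on the path still holds the message text unless the body itself is encrypted.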

zl1byz
06-26-2005, 01:47 AM
Originally posted by PaulA:

Using PGP at least encrypts the text and marks you out as a troublemaker.

Oops missed you already mentioned encryption.

I have never used encryption for emails. If anyone wants to waste a heartbeat reading any of my emails, then they need to get a life.

If the above statement is correct then perhaps we all should be using it. Hahahaha

John.

Evan
06-26-2005, 03:57 AM
Unencrypted e-mail is the same as a post card in snail mail. Anyone can read it. I run a mail server and any mail that is sent or received on my server can be read by me.

Wirecutter
06-26-2005, 11:55 AM
The rule of thumb I use for email and web stuff is this: don't send anything in an email that you wouldn't say in a crowded elevator. HTTPS just means that you're speaking Arabic in an elevator full of Japanese people. One of the Japanese might know Arabic, but it's not considered likely. Something like that.

jfsmith
06-26-2005, 12:39 PM
If you don't want your conversation recorded or taped or overheard, then don't have it.

Email can be read by lots of people, government, your ISP or anyone who has the right programs.

Jerry

matkra
07-30-2005, 12:34 AM
There has never been a case where a specific piece of email has been intercepted. That is not to say a random intercept cannot happen. Even the government has to intercept billions of e-mail and run it through a supercomputer to search for keywords, but even they would have a hard time trying to intercept just one specific message. I am a network/computer security analyst now, formerly a commercial diver, and have done considerable research on this topic for the company that employs me. But encrypting confidential email is always a wise and prudent choice. But I have to ask what is totally secure: postal mail? Nope. Phone calls, cell or landline? Nope. Even here in Seattle, WA, King County was tampering with mail-in ballots. So it's not only email that is not secure. However, one can have total communication security by not talking to anyone and living in a cave. Companies do have the right to open and read employees' email, which is not a problem if you are using it in compliance with corporate policy.
Matt

[This message has been edited by matkra (edited 07-30-2005).]