Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!lot!ables From: ables@lot.ACA.MCC.COM (King Ables) Newsgroups: comp.mail.misc Subject: Mail security Message-ID: <899@lot.ACA.MCC.COM> Date: 1 Aug 90 20:43:19 GMT Organization: MCC ACT Program, Austin, TX Lines: 83 This topic started in news.misc, but seems more appropriate here. Our story so far.... From article , by karl_kleinpaste@charcoal.com: > Richard.Banks@ohiont.fidonet.org writes: > How do not we know that system administrators on uucp machines are not > reading our mail as travels to its destination ? > > You don't; you trust that the postmasters between Hither and Yon are > worthy of their position. Pat McGregor/UMich took a survey on > postmaster ethics, asking 130-odd postmasters, and getting 69 > responses. A paper on the subject, "Averting One's Eyes -- Ethical > approaches to Postmastering," is the result. You can find a copy via > ftp in tut.cis.ohio-state.edu:pub/sendmail/postethics, or via uucp as > osu-cis!~/sendmail/postethics. > > --karl I don't even read news.misc but came across a reference to the paper that someone forwarded to comp.archives (I love that group!) so I grabbed the paper and read it. As a former postmaster I am very interested in this subject. I am also disappointed to see the assumptions made from information obtained in this survey. Basically the paper says "we think everybody is pretty much honest." But these results are based on only those responses from postmasters honest to actually ANSWER the survey request! There is a statement that the author hope this doesn't slant the results... Not only does it slant them, it makes them almost useless. I have personally known several postmasters who took a look at mail whenever they felt like it. Some even went so far as to have hooks in mailers to grab "interesting" messages. Now before anybody calls for my head, I do *not* believe that this is a majority or even a very signficant minority. I have nothing against postmasters, some of my best friends are postmasters. ;-) Hell, I was one (and still am from time to time). But different people have different ideas about what a postmaster should and should not do. My idea is different than others' (I am one of the strict privacy at all costs believers). But if my mail goes through a site where the postmaster doesn't play by the same rules, then all bets are off. I have seen places where the "company" takes the attitude that all mail is business oriented and takes place on "their" equipment, therefore it all belongs to the company, therefore having a properly designated person (i.e. postmaster) reading it is perfectly acceptable. Blech. But as long as the employees know those are the rules, then OK, that's their choice. And since (then and there) there was no external access, that is ok for the rest of us. But if they had been connected and I, as an outside user, sent mail through there, expecting it to be private, guess what? As for the survey, unfortunately, there is no good way to get a good cross-section of all postmasters (both with different levels of ethics as well as different rules of confidentiality within their environment). The ones who feel they are taking advantage of their position (i.e. behaving in ways that might not be acceptable to some) aren't going to respond. So naturally the conclusion drawn will be that everything is fine. In practice, most places you send your mail will maintain the confidentiality (i.e. it will pass through or go to its recipient without being seen by others). But it is misleading to conclude that there is nothing to really worry about. It depends greatly on the sensitivity of the information. The user has the ability to encrypt and select the text of a message. Anything that shouldn't be seen by eyes other than the recipient's should be encrypted or sent another way. Whether seen intentionally by some snooping privileged user with nothing better to do, or accidently by some busy postmaster during debuging of a faulty mailer, seen is seen. Once the information is out, it doesn't really matter how it got there. ----------------------------------------------------------------------------- King Ables Micro Electronics and Computer Technology Corp. ables@mcc.com 3500 W. Balcones Center Drive +1 512 338 3749 Austin, TX 78759 -----------------------------------------------------------------------------