Path: utzoo!attcan!uunet!cs.utexas.edu!lot!ables From: ables@lot.ACA.MCC.COM (King Ables) Newsgroups: comp.mail.misc Subject: Re: Mail security Message-ID: <902@lot.ACA.MCC.COM> Date: 2 Aug 90 15:20:14 GMT References: <21787@mvis1.com> Organization: MCC ACT Program, Austin, TX Lines: 133 In article <1990Aug2.003210.24459@cs.umn.edu>, iacovou@cs.umn.edu (Danny Iacovou) writes: > first of all not only the > postmaster but anyone with root permissions can read your mail. Yes, this is a big problem as well. Not everyone with root permissions may feel as strongly about privacy as the postmaster. This just magnifies the problem. > second staff > ethics prevents us from doing so. That's great as long as everyone follows the rules. Laws keep us from robbing banks, too, but funny thing, somebody keeps robbing them. > i am a postmaster, but i don't go reading > other peoples mail. sometimes when mail bounces my way i try extremely hard > to make sure i don't scroll the mail past the headers and into the body (i > honestly try not to read a word of mail). i think that this is probably true > for 99.9999999% of all postmasters (and staff members for that matter). I applaud you for your staff ethics. And I think your ethics are absolutely right. When I was a postmaster, I adhered to the exact same standards as you describe. However, I think your estimate of how many other places do this is a little high. I wish it were true. I've seen it, it's not. > secondly this point should be obvious to anyone who has been a system admin. > staff members just don't have the time to spend all day reaading mail which > doesn't concern them. This is true, too (I know, I've been there), but you're assuming that the sysadm in question is *doing his/her job* since, in your environment, they are. I've seen lots of sysadm people in various places who either aren't held accountable enough or just plain don't care about their quality of work and have plenty of time to sit around and play rougue or anything else. And some who really do work have nothing else to do and spend 16 hours a day at work. Either way, there's ample opportunity for someone so inclined. Certainly for someone with pride in their work, there is neither inclination nor time to do something like this. This is *not* to say this kind of behavior is the norm, I don't think it is. But to say that it never happens is to stick your head in the sand. ----- From article <21787@mvis1.com>, by sblair@synoptics.COM (Steven C. Blair): > Has anyone besides me see a copy of the "Electronic Privacy Act"???? > I'm almost sure (memory fades now), that electronically transmitted > material is *not public* domain. Nor does anyone but the FCC, and the > courts have the right to decide the context of the transfer media. But as I said above, just because we have rules that tell us how to act doesn't mean everyone will follow them. The rules only give us a means to prosecute someone who doesn't follow them. > I don't read your USMAIL because the postman on "our" street is too > lazy to learn to read addresses. It`s not *my business* !! Period. True. And that's why we shouldn't be reading ANY user's mail either. However, the analogy fails a little (as is stated in Pat McGregor's paper) when you compare a mail message to a letter. If someone opens your letter and reads it, generally you can tell (yes, they can steam the envelope, but let's not worry about that). Fear of detection of may help prevent it. If I were to *want* to read someone's USMail, it would be much harder because I'd have to: a) get it away from the postman b) open it in such a way as to be able to seal it up again c) get it back to the postman for delivery in order to read it without detection. Actually stealing mail is a seperate issue. But e-mail can be easily read from the mailbox without fear of detection by the user. [Humorous aside:] My neighboorhood has locked mailboxes now (newer ones do, I think). Apartments do. But I knew a woman in a small town where I lived as a teenager who *actively* went around during the day and *went through* people's mailboxes that were on the street to see what was in them. Nobody ever thought she actually opened things, she was just curious about what kind of mail they got. This was clearly wrong, but nobody felt very threatened (she was a bored old lady) so they let it happen. Some ordered (shall we say) exotic catalogs to give her a thrill. Yes, my big question here is "who would want to, I have enough problems of my own and enough mail to read of my own... and who cares?" Well, I think that's what most people think. But there is a section of society that really gets off to living vicariously through other people. Whether it's harmless vicarious thrills or actually spying to gather information, it's a problem. > If you know that you're going to be moving sensitive, confidential materials > between your site, and "foo", then take the time to setup UUCP *straight* This is good advice (and the major point I was trying to make initially-- if you have something that ABSOLUTELY shouldn't be seen by ANYONE else, don't send it with e-mail). The odds aren't HIGH that it will be seen, but they're not ZERO, either. Of course, even a UUCP connection is only as safe as the local phone company which we all know is almost like broadcasting your information. If someone is bound and determined to tap your UUCP link, they'll do it. Now of course, for e-mail messages about affairs between co-workers, I would doubt they'd go to the trouble. ;-) > Now, do we really have time to read your piddly message? No way. Like I said before, if you're doing your job, then no, you don't. I contend there are people out there who *make* time to read them. I even saw remnants of a filter added to a mailer to grep for interesting phrases and forward those messages. Such a filter would certainly cut down the amount of "uninteresting" mail one would have to wade through. Face it, a mailer only does what a system programmer tells it to do. ---- No, I don't think this is a wide-spread problem. But I think the problem exists and with connectivity as it is, many people can be affected by something that may itself be very isolated. The problem isn't that people *can* or *do* read a message not intended for them. The problem is that users send mail that they believe nobody will be able to see except the recipient. This assumption worries me for *their* sake. As long as users are aware that e-mail isn't 100% private and can live with it, then there really isn't a problem. Those who don't like that may find a way to influence future mailer designs and come with something they do like. ----------------------------------------------------------------------------- King Ables Micro Electronics and Computer Technology Corp. ables@mcc.com 3500 W. Balcones Center Drive +1 512 338 3749 Austin, TX 78759 -----------------------------------------------------------------------------