Date: Fri, 27 Jul 2007 09:05:23 -0600
From: Tremaine Lea <tremaine@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Hash

On 27-Jul-07, at 7:49 AM, Valdis.Kletnieks@...edu wrote:

> On Thu, 26 Jul 2007 18:23:37 MDT, Tremaine Lea said:
>
>> Apparently you've never heard of a mail administrator tagging
>> outbound email for all users. It's pretty common.  Of course, you may
>> lack the experience of dealing with large companies.
>
> The fact a large company does it doesn't make it any less stupid. And you think a large company could afford their own mailserver rather than making their people use Gmail (now wrap your head around the concept of "confidential mail anywhere *near* a Google-owned server"... ;)

I was as amused by that as you.


>
> To pick up on a part of the sig that Nick didn't rip into publicly:
>
>> "and delete it from your system"
>
> Presumably, Tremaine, in his self-claimed role as "Security Consultant" *and* "Paranoia for hire", realizes that it quite likely sat on my site's main mail server for anywhere from several seconds to several hours (in fact, there are probably copies on *3* different servers in our mail cluster) - and that until some *other* piece of mail happens to land on those same blocks of storage, the text is quite easy to recover by any decent computer forensics practitioner.

Yes, I do realize this.  Duh.


>
> On the other hand, actually going in and overwriting the affected block(s) is quite challenging, especially when it's a 10 terabyte mailstore handling several million messages a day for 100K users. We'll be happy to do it - *IF* Tremaine's company is willing to indemnify us for the downtime.

Why would I (or the company I contract to) be interested in what you do to delete Sergio's email?


>
> So there's 2 possible outcomes here:
>
> 1) The request has zero legal standing, and Tremaine's company is relying on the kindness of strangers rather than using PGP or S/MIME to actually secure their mail. This sort of thing is usually called "lack of due diligence", and I don't think any company wants to be flaunting it.

Speaking of due diligence... I'm pretty sure literacy and following a trail of information is basic to this field. As you've clearly missed, Sergio has nothing to do with me, the company I work with, or ... hell, who knows. I don't know the guy from Adam. Or you.


>
> 2) The request *does* have legal standing - in which case Tremaine's company may indeed have some liability to pick up any and all associated costs.


Again with the not being able to follow the bouncing ball.

>
> Particularly interesting is the legal question of what happens when a "please delete all copies" request is attached to something that's sent to a company that is required to retain copies of *everything* for regulatory compliance (as is true for some financial-sector companies).....

That's the only really interesting thing you've contributed, and it's a good question. Anyone know of any court cases on this?

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
