lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
From: TArseneault at counterpane.com (Tom Arseneault)
Subject: RE: [ISN] E-Mail Snooping Ruled Permissible

Jason,

First off your analogy is flawed. In snail mail final deliver is when it
get to the final address point. If it's a PO box then if delivered even
if you don't come and pick it up, if your in an apartment house then the
mailbox cluster is where the final delivery point is, in rural
communities the mailbox is on the main road and you have to drive to the
main road to pick up your mail. The point is that the "final delivery
point" is not always directly under the control of the user. In email if
your address is pointing to a pop3 mail server that is the end point,
the final deliver location, and the user than uses pop3 to pick it up,
in web based email the web server is the final delivery point and the
user uses the browser to pick it up. If you try and use some other
metric other than "email address" as the final delivery point I can just
imagine what a mess the laws will be in. 

Take for example web based email, if you read it with your browser but
the mail still resides on the web server, does that mean it's not
delivered? Does the act of reading it make it delivered? Pop3
connections do not have "email" addresses so what is used to define the
transaction, what if the user leaves a copy on the server? I found this
on the Internet: "An MUA, or Mail User Agent, is a software program that
acts on behalf of the user." which covers Procmail quite nicely. Also an
MTA is defined as "accepts mail for delivery and either holds it for
download by a client or passes it to another MTA for delivery". POP3 is
client software that downloads mail to a reader so it's not an MTA which
supports my contention that the final delivery point, as far as law is
concerned, is the final MTA and not the POP/HTTP connection where a user
read the email. 

Note: there was one line they did not go into any further "Often, a
separate Mail Delivery Agent ("MDA") will be required to retrieve the
e-mail from the MTA in order to make final delivery." So if you use this
definition then the POP connection would be the MDA and you would not
have made final delivery until the MDA transfer was complete. But this
is of no consequence because the issue was not one of where final
deliver was but in the very definition of "wire tapping"

The error of the court was not in their definitions of what constituted
final delivery but in saying that the emails were in "storage" at the
time. Whether it was in wires or on disk should have been immaterial to
the fact was that it had not reached the user mailbox and the MTA had
not terminated before the procmail script took over. I content that the
procmail, which was not written with the knowledge or consent of the end
user captured the email before final delivery and hence the mail was in
transit and should have been protected. The wire tap act needs to be
expanded **carefully** to include email (which would look like a
combination of snail mail and wire transaction laws). 

Thomas J. Arseneault 
Security Engineer
Counterpane Internet Security
tarseneault@...nterpane.com

> -----Original Message-----
> From: Jason Coombs [mailto:jasonc@...ence.org] 
> Sent: Tuesday, July 06, 2004 5:38 AM
> To: bugtraq@...urityfocus.com
> Cc: isn@...rition.org; isn@....org; full-disclosure@...ts.netsys.com
> Subject: Re: [ISN] E-Mail Snooping Ruled Permissible
> 
> Anyone who has not read this appeals court decision should do so now.
> 
> http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
> 
> The stipulated facts make it clear that the government failed 
> to hire an expert witness who knows how SMTP, POP3, sendmail, 
> procmail, DNS, MTA, MUA, HTTP, Web browsers, computers, hard 
> drives, software, RAM and the Internet actually work.
> 
> Take, for instance, page 3, where both parties stipulate that 
> the following is true:
> 
> "Once the e-mail is accessible to the recipient, final 
> delivery has been completed."
> 
> Every person who is reading this message should be able to 
> stipulate that final delivery was not complete until a Mail 
> User Agent retrieved it from temporary storage on the mail 
> server. If you're using Webmail then your browser is your MUA 
> and it speaks HTTP rather than POP3. That was the case with 
> Interloc e-mail accounts.
> 
> Yet the court and the parties managed to agree that final 
> delivery is complete any time the message is in the 
> possession of an MTA that happens to consider itself to be 
> the last hop in the delivery route. 
> Never mind that there must be one more delivery step where an 
> MUA under user control receives the message on behalf of the user.
> 
> The fact that the mail server may arbitrarily expire old 
> messages and take other actions that disrupt the final 
> delivery to an MUA was clearly of no concern to anyone in this case.
> 
> I can't imagine ever stipulating that once my mail messages 
> are touched by procmail final delivery is complete. That's 
> like saying once the incoming mail truck arrives at my local 
> post office and the mail sort is done and my mail is placed 
> in a stack with a rubber band around it that final delivery 
> is complete. All I have to do now is go to the post office 
> and remind them that they didn't bother to deliver my mail 
> today and I'll be given access to the stack, right? Therefore 
> final delivery is complete once the stack is created that has 
> my name on it?
> 
> Nobody cares about getting the message delivered to a program 
> that is under the control of the recipient, apparently.
> 
> The only storage location that can be considered to be final 
> delivery of an e-mail message is a storage location that is 
> under the control of the recipient. An inbox on the 
> recipient's hard drive would be a fine indication of final 
> delivery. To even approach a proper stipulation of facts with 
> respect to the subtle distinction between Web-based e-mail 
> services, which are closer to post office boxes, and 
> POP3-based e-mail services, which are closer to conventional 
> postal mail delivery to your home, requires mention of POP3 
> and the role of the MUA, both of which are missing from the 
> stipulation made by the parties.
> 
> The dissenting opinion, page 18, includes discussion of MUA 
> but it asserts that the MUA in this case was procmail. One 
> would hope that the voice of reason would at least get its 
> facts straight when everyone else was lost or confused. Too 
> bad in this case the voice of reason was clueless, too.
> 
> The court correctly points out that Congress intentionally 
> exempted stored electronic communication from the definition 
> of "electronic communication" in section 2510(12) of 18 
> U.S.C. There is no other reason than this intentional 
> exemption that the appeals court ruled as they did in this 
> case, and given the facts as they were presented by the 
> parties the ruling was proper.
> 
> However, an e-mail message goes from electronic storage on a 
> hard drive to electronic storage in RAM and then back to 
> electronic storage on a hard drive again by passing through 
> wires. The government should have argued that the procmail 
> program intercepted electronic communications by causing 
> stored electronic communications to once again be transmitted 
> over wires. But for stimulating that transmission over wires 
> the procmail system would not have been able to access the 
> second set of stored electronic communications THAT THE 
> PROCMAIL PROGRAM ITSELF CAUSED. In reality the procmail 
> program was creating an echo and capturing the echo. That you 
> cannot do this in other wiretap scenarios and thereby avoid 
> the Wiretap Act should have made the court examine this more closely.
> 
> This case should have set the precedent that causing a stored 
> electronic communication to be transmitted over wires to a 
> different electronic communication storage temporarily 
> "on-demand" in order to circumvent the Wiretap Act is not 
> acceptable. The exemption on stored electronic communications 
> that came from Steve Jackson Games v. U.S. Secret Service 
> should not be applied to "live" electronic communications 
> systems that can be induced to "echo" stored electronic 
> communications but rather the Steve Jackson Games precedent 
> should apply only to "dead" storage that must be reactivated, 
> powered up from an off condition and examined directly, 
> without causing an echo, in order for the stored electronic 
> communications to be accessed.
> 
> Steve Jackson Games should continue to exempt forensic 
> investigators from prosecution or civil liability, and keep 
> true "stored electronic communications" accessible to law 
> enforcement and the prosecution in criminal cases. It is 
> necessary for there to be some exemption otherwise it would 
> be impossible for law enforcement to ever look at any hard 
> drive without obtaining a wiretap authorization that 
> specifically names every party whose stored communications 
> are found on the drive when it is analyzed. However, the 
> exemption that this court ruling suggests we must learn to 
> live with is not an exemption that is sensible or that is 
> consistent with the full truth of the matter.
> 
> The court in this case was not given the opportunity to 
> consider this view because the technical stipulations of fact 
> were so badly flawed. I would be satisfied with the outcome 
> of this appeal had the technical stipulations and reasoning 
> been proper, yet they were not. We still do not know how a 
> court might rule if the correct and true technical 
> stipulation is made in a similar case. We do know that it 
> will be more difficult to get another appeal heard on the 
> matter, as other courts will tend to defer to this appeal 
> unless somebody intelligent manages to explain these issues 
> clearly at just the right time.
> 
> It is disturbing to see how poor the quality of computer 
> expert testimony is in court, and how little effort is put 
> into clarifying the reality behind technical issues. When the 
> parties stipulate to things that are not the truth, or when 
> either side is technically inept, it causes courts to make 
> errors. Then we end up with bad precedent.
> 
> Sincerely,
> 
> Jason Coombs
> jasonc@...ence.org
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ