Fog Creek Software
Discussion Board

Encryption of Emails

I suspect the server admin is viewing my emails via the server side. The problem is a serious invasion of privacy. There is no hard evidence to prove to the manager that he's doing it, but the fact that comments slip out of his mouth during lunchtime conversations and he was even fired from his former workplace for the same reason suggests a lot.
My point is not seeking to find out if he is or not reading my emails. I want to be able to encrypt my emails so he definitely cannot view it. Does encryption actually hide my emails from being viewed via the SMTP server?
Any recommendations anybody?
We are using Microsoft technologies,
MS Networks and Outlook.

Thanks for reading my ordeal..

Linda
Monday, May 26, 2003

Get PGP; it will plug in to Outlook. Those you correspond with will also have to be able to decode them, but it's pretty much a transparent operation.

Simon Lucy
Monday, May 26, 2003

Your target person needs to have a PGP key and tools. Then you can download or buy PGP (I use the free GnuPG + a Windows frontend) and use his/her public key to encrypt the mail. After that it's just rubbish for anyone (even you) but the person you send the mail to. No admin power will help the intruder ;)

Sebastian Wagner
Monday, May 26, 2003

Of course, if this is at work on your employer's email/computer system, they have every right to monitor your email.

apw
Monday, May 26, 2003

apw - do you know Linda, and from what country she is posting?


Monday, May 26, 2003

The only way to do this (and I don't even know what's the point) is to use a web-based mail account. It means the tunnel you use to view your incoming email (or to send outgoing) is secured (I use the word cautiously here) from snooping from your administrator. This is assuming you can ensure your company PC is free of spyware or keystroke recorders and you know better than to put y4jw0c1 on a post-it(TM).

The reason it's pointless is because all communication sent between A and B using normal email technology is normally sent in plain text. Free for all to see. Anyone from the IRS to some geek with an ethernet tap can pretty much read anyone's email who's unfortunate enough to share their bandwidth.

But if your end goal is to lessen the chance that people you know know what you are up to in your email... web mail will do it.

You'll have to do more than this to get a completely secure thing going. (I.e. ensure you clear the Internet Explorer cache, but most webmail knows better than to cache anyway.)

-- David

Li-fan Chen
Monday, May 26, 2003

To apw.
I'm in Australia, and as far as I know, it's not legal to monitor an employee's email without their awareness.
And another thing, the server admin is not my employer; he's an employee like anyone else in the department. Unfortunately, he abuses his skills.

Linda
Monday, May 26, 2003

David, I thought of that too... but the problem is, internet access is blocked. I can only access email via Outlook.
But on the positive side, I can install any program on the machine, even if it be an encryption program; I won't require the server admin's authorisation.

Linda
Monday, May 26, 2003

Only way for you to communicate with the rest of the world is Outlook pointing to a corporate mail transfer agent like MS Exchange? In that case you gotta encrypt your outlook email then, or learn telepathy...

Li-fan Chen
Monday, May 26, 2003

Ok, David, I'll learn telepathy :)
I'm currently on the download.com site browsing the different encryption programs. I know PGP is a good one, but come on, there must be something new and refreshing on the market.

Linda
Monday, May 26, 2003

It's easy to learn the ins and outs of an encryption standard for email or a new secured email reader. But it's hard to get thousands of other users to learn the same. This is one of many reasons we are stuck with PGP and other name brands.

The cipher used in the latest PGP is no different from other newer readers on the market.

People tend to stick with one security standard even if it's old because it takes upwards of decades for cryptographers and programmers to get all the insecure bugs out.

Li-fan Chen
Monday, May 26, 2003

Unfortunately, if you really have a "rogue admin" then there is very little you can do to be certain that they are not spying on you.

Encryption is not a panacea. If the rogue can read your mail, odds are good that he can also learn your password, install monitoring software on your workstation, etc.

Eric Lippert
Monday, May 26, 2003

The solution is to not discuss anything via email that you don't want others to know. If there are no juicy stories in your email, your sysadmin should get bored with it pretty soon.

Big B
Monday, May 26, 2003

Why not do a sting? Put some super-juicy stuff in there that he just will not be able to resist acting on or talking about.

Better yet, talk quietly to a senior manager with the power to fire him, suggest the sting, and then feed the target some nice, juicy bait he'll go for. Examples: spreadsheet with fake salary numbers, or perhaps something to a friend like "Boy, you should have seen the letter I found on the printer today - if everyone saw it, all hell would break loose! Lucky I found it and put it safely in my files before anyone saw it. Wonder what I should do with it?".

Pest extermination: It's every bit as fun as it looks.

PS: Linda, you are correct - under Australian law, you do have a reasonable expectation of privacy. I'm given to understand it's exactly the same as phone calls - i.e. an employer cannot tap your private phone calls. If an employee was found to be tapping someone's phone, that would be a serious offence (if I recall correctly, the relevant legislation is covered under the Commonwealth Crimes Act).

Pest Exterminator
Monday, May 26, 2003

I've seen some programs that will encrypt your message/binary package in one of the following ways:

It encrypts it into a .exe and the other person must know the password to extract it - this is similar to winzip. You could just winzip your messages (as .doc for example) and password protect them. Sure your boss could crack winzip (there are numerous tools to do so) but would it be worth his/her time to do so?

The second encrypts an HTML page using JavaScript, and the recipient must know the password to decrypt it. In addition, to ensure that they get the whole package and their e-mail program doesn't disable the JavaScript components, you probably have to send it as an attachment, but that may be worth it.

Have you considered setting up a message board somewhere? One where you have to approve everyone who enters the board. Alternately, if you prefer secrecy, there must be some sort of private messaging software that allows members to send private messages to other members on the server. Sort of like a friendster, but for just your friends.

Trillian, the instant messaging client, allows you to set up encrypted IM sessions.

You could rot13 it, but your boss might be able to see through rot13:

http://www.marktaw.com/technology/Rot13EncoderDecoder.html

V zrna, fbzrbar zvtug erpbtavmr gung lbhe zrffntr rapbqrq hfvat ebgngvba guvegrra. N ybg bs crbcyr xabj jung vg vf, vg'f orra nebhaq sberire. Naq bs pbhefr lbh pbhyq arire fnl "ebg13" orpnhfr gung'f n qrnq tvirnjnl.

It would also help if everyone involved had a rot13 encoder/decoder on their desktop so there weren't suddenly a lot of hits to a rot13 page that your boss could notice in the server logs. There are other simple cyphers out there... Keyword cyphers take some work to decrypt.

As far as bosses monitoring your transmissions... I had one that was working on a program to monitor his employees browsing. The system existed in the company, but he wanted to be able to print out reports.

www.MarkTAW.com
Monday, May 26, 2003

What kind of company hires a server admin that was sacked from his last job for abusing his position as admin?

Darren Collins
Monday, May 26, 2003

PGP is the standard when it comes to Email encryption. It's secure and it's easy. No reason not to use it. And you don't even have to pay for it.

http://www.pgpi.org/

Rasmus
Monday, May 26, 2003

I suppose if you wanted hard evidence, you could try the spammers' techniques to see who is reading your e-mail. If your admin is using Outlook to read your mail, you just need to send a few HTML formatted mails with links to, say, a transparent image from a webserver you own.

Of course this rather depends on your admin using Outlook to view your mail, or some other mail client that supports HTML.

cdavies
Monday, May 26, 2003

cdavies that's a great idea :)

Li-fan Chen
Tuesday, May 27, 2003

To implement cdavies' idea try this:

Create an ASP script on your desktop.

Start Menu > Run ... > CMD > IPConfig (WinIpCfg) to find out your IP address...

To generate a transparent one-pixel GIF, use the hex of

"47494638396101000100800000FFFFFF00000021F90401000000002C00000000010001000002024401003B"

And push it out using the content type of "image/gif".

While you are doing all this... write a cookie, capture the accessor's IP address. Actually, if you want to build a case against your admin--make it convincing, grab as much information as you can in this transaction. Write down the browser type (maybe your admin has the tendency to use Opera 4.0.2.3.5 patched with v.2 AntiMicrosoft Cipher).

Ask the guy who manages your admin to buy something like KeyGhost. But that's like fighting privacy invasion with privacy invasion.

-- David

Li-fan Chen
Tuesday, May 27, 2003

Keep your mails off the server as much as possible.

Store them in PSTs on your local machine.

tapiwa
Tuesday, May 27, 2003

Ways to discover whether he is reading mails are interesting in themselves, but Linda said she wasn't interested in that, just in preventing him reading them.

Simon Lucy
Tuesday, May 27, 2003

Pest Exterminator, you don't know what you're talking about. Employers in Australia DO have the right to read employees' email, and many do so.

They are required to notify employees that this might occur, and usually do this in some vague way.

Reading of employee communications is much more common than people think, at both a corporate level, and at a casual level by sysadmins. I wouldn't bother complaining.

echidna
Tuesday, May 27, 2003

lol, thanks for the creative ideas. Currently I type up my email in a Word doc, and zip it and password protect it, then I email it off.
Echidna, I'm not usually a defender of the Federal government's practices, but I highly doubt there is a law that allows for snooping. In any case, it is not the manager that is spying, but another colleague.

Linda
Tuesday, May 27, 2003

On the legality of monitoring work email:

Actually, yes I do know what I'm talking about - I looked into this a few years ago and recall finding legislation to cover this. Although, I'll quite willingly admit that I can't remember the specific legislation that covers monitoring of personal communications in the workplace (that would involve wading through the Telecommunications Act, Commonwealth Crimes Act, and relevant state legislation). The problem is that few businesses actually know, let alone follow, the relevant legislation -- but that doesn't make the monitoring right or legal.

In any case, I think it is reasonable to assume that the actions of the sysadmin are not being ordered nor sanctioned by the company. Given proof, almost any employer would immediately dismiss a sysadmin caught doing this -- at least, I hope so.

Pest Exterminator
Tuesday, May 27, 2003

Linda: By the way, don't rely on password-protected ZIPs to protect your messages - they are vulnerable to brute-force cracking. You might deter casual browsing, but that's all. If anything it might just make for a juicier target for your resident spy.

(Fun tip: Are the feds intercepting your email? Worried that they'll try to cryptanalyze your encrypted email? Just send messages containing nothing but pure random noise. They will waste MONTHS trying to cryptanalyze your mail!)

Pest Exterminator
Tuesday, May 27, 2003

Pest Exterminator - You're absolutely correct, zip is vulnerable to brute force attacking. Making the passwords non-words will help prevent a dictionary attack. Also mixing in letters & numbers might help. Caps and lowercase, etc. Most brute force attacks start with the dictionary. Also the longer the password the better. Try not to get two characters in a row that are identical, etc.

I realize there are programs to "recover" passwords from .zip files, and the sysadmin may have a spare computer lying around to do this night and day, but after a while it's just not worth his time.

It's all a matter of their time v. their desire to see your message. Unless you're trading gov't secrets, or are really afraid of the latest TIA/DARPA efforts, zip protection should be fine for your boss/office gossip.

I believe that with PGP you can create a file that's encrypted and the receiver will need a password to decrypt it. Am I correct here? If so, this might be worth your effort as well... I haven't seen any tools for brute forcing a PGP file, though I'm sure they exist.

There was a thread a while back on creating secure passwords... It might be of interest to anyone who needs to keep a lot of passwords.

www.MarkTAW.com
Tuesday, May 27, 2003

Mark, I don't think he would even bother trying to crack the zip file; after all, he does have work to attend to.
If he does, then he's a real sad case.
But also, the reason I didn't want to use PGP Freeware 8.0 is because, on the download.com website, many users in the ratings section have strongly advised against installing it on an XP machine because it creates many problems.
So unless anyone here uses PGP on XP, and it's not the case with them, then please inform me otherwise.

Linda
Tuesday, May 27, 2003

Pest Exterminator, I'm sorry but you're wrong. Employers in Australia do have that right. All they have to do is notify the employees that they're doing it.

http://bulletin.ninemsn.com.au/bulletin/eddesk.nsf/All/49ACCD9FF9CFB325CA256CCC00007480

"While it is against the law for companies to intercept email, they can read it once it sits on a server or a hard drive. But the union movement says the internet is a public asset, not something an employer owns. As such, employees should expect some right to privacy in its use.

Workplace authorities were shocked when a February 2000 survey of employers by law firm Freehill Hollingdale & Page revealed that 76% of Australian companies monitored employee emails. Of this, 65% did so secretly."

echidna
Tuesday, May 27, 2003

echidna - Wow. I remember that.

www.MarkTAW.com
Wednesday, May 28, 2003

echidna, oh my god, that is disturbing. :(
Well, I'm going to have to modify the content of my emails. Once again, I stress that the server admin is not an employer and he's not in any managerial position; he's no different from me, and he has no right to do what he's doing.

Linda
Wednesday, May 28, 2003

Echidna: Yes, but if you read the article, you'll notice this is actually quite a grey area - my interpretation was based on the fact that intercepts of communications are illegal without a warrant (as they point out in the article). I'm not a lawyer, so I quite readily concede that I could be wrong.

In any case, my own view is that unless the organization is an intelligence agency, monitoring employee email is not only unethical, but a waste of resources.

Pest Exterminator
Wednesday, May 28, 2003

>In any case, my own view is that unless the organization
>is an intelligence agency, monitoring employee email is
>not only unethical, but a waste of resources.

The company I worked for made it clear that e-mail was to be used for business purposes only, and they reserved the right to snoop through it. It's amazing the things employees will put up with... I also had to sign something that said they could fire me at any time for no reason.

www.MarkTAW.com
Wednesday, May 28, 2003

PE, no, it's not a gray area at all. Employers can and do read employees' email. They cover themselves with the usual paragraph on page 4 of your employment contract or some memo sent around at Easter time.

FWIW, I have been involved in IT management and seen how this goes on. You have no idea.

Some advice: while you're working for a company, just presume anything you send might be put up on a noticeboard or appear in a court one day. For sensitive things, wait till after work or use PGP.

echidna
Wednesday, May 28, 2003

[This is not legal advice]

Just to clarify for everyone here:
Your employer may be allowed to intercept emails. Employees are NOT allowed to do so. If the sysadmin is reading email without authorization from the company, then that is illegal. What makes it really cool is that in the US it would technically break federal computer security laws.

He is exceeding his authority as a sysadmin, and has as much right to do so as a cop would have to randomly search people while he's on vacation in Hawaii.

Philo

Philo
Thursday, May 29, 2003

Ok, this is all interesting.
But my question is, has anyone used PGP on Windows XP without any problems at all?

Linda
Saturday, May 31, 2003
