[Esd-l] A sticky problem???

John Hardin jhardin at impsec.org
Wed Jun 12 21:42:02 PDT 2002


On Thu, 13 Jun 2002, Brent Wallis wrote:

> 1. In my mind, data interchange via SMTP is like using a butter
> knife to cut spread concrete...it works, but there are far better
> and more efficient ways. SMTP is for messaging between users, not
> unattended data interchange. Does everyone agree? or do I have
> that wrong?

Email is absolutely not guaranteed reliable. It is only a
"best-effort" system. Some of the hazards are:

  1. Delivery is not guaranteed.
  2. Timeliness is not guaranteed.
  3. Privacy is not guaranteed.
  4. By itself it provides no authentication of the sender's identity.

Basing critical business functions on email is at best stupidity, at
worst negligence.

> 2. Anyone that tells me they have invented an encryption algorithm
> that no-one knows about just tells me they are full of crap and
> alarm bells start ringing....what do you think?

To misquote Bruce Schneier: anybody can invent a crypto system that
they themselves cannot break. This, of course, says nothing about the
true security of the system.

  Why Cryptography Is Harder Than It Looks:
    http://www.counterpane.com/whycrypto.html

  Tune your bullshit detectors:
    http://www.counterpane.com/crypto-gram-9902.html#snakeoil

> I should point out that this is not a call to have something
> changed in the sanitizer.

I'd be willing to take a look at their pseudo-MIME and see if it's
salvagable or not...

> It's just fine and works well, I am more focussed on whether or
> not I am on the right track and would appreciate comment from any
> angle.

Do you think they're at all open to rational discussion of the
shortcomings of their method? If not, you're probably wasting your
time.

> This is very important in terms of what I am having to deal with
> in the e-Commerce sector, and I want my facts absolutely
> correct(and real world anecdotes from you guys) before taking the
> next step, which would be informing the other 400 or so businesses
> that use this program that they have a security issue to deal with

Suggestion: If it's that easy to crack, then crack it, show them that
you can crack it, and tell them that you'll publish the details on
bugtraq in two weeks (or a month if you're feeling generous) unless
they make honest efforts to address the security problems.

I would see it as my responsibility to not allow others to unknowingly
rely on a system with provably bad security.

> John my appologies if this is off centre, but the sanitizer is a
> part of this and I would be interesetd in other experiences that
> may be similar to this...

Not at all. This is the "Email Security Discussion" list, not the
"Email Sanitizer Discussion" list.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
   345 days until The Matrix Reloaded

[demime 0.98e removed an attachment of type application/pgp-signature which had a name of signature.asc]



More information about the esd-l mailing list