Craig Brozefsky on Thu, 21 Oct 1999 18:12:32 +0200 (CEST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: <nettime> (fwd) [email protected]: Risks Digest 20.62 {excerpted] |
t byfield <[email protected]> writes: > [<...> = omissions. i'm glad someone finally noticed that this > supposedly 'self-destructing email' from disappearing inc. is > subject to a *very* subtle attack: cut and paste. and then of > course there's that famous security hole that hackers exploit > every day: 'Save As...' ([X] Include headers). must've been a > wily venture capitalist who invested in that one. --cheers, t] Nearly every crypto system has this problem. This is also knows as the sabateur problem, and as I mentioned before, it is not something which DI is attempting to solve. The RISKS letter had a much more subtle critique than what you are implying above. That is, that the requirement that I contact a remote server to decrypt the email is friction introduced into the system, which the user will attempt to minimize. For workstation on a LAN with a reliable connection to the key server friction is quite low, almost unnoticeable. For a jet-setting execs, or anyone else who handles mail offline (most users outside the united states where local calls are time), the friction can be quiet great. They don't have a permanant connection to a server wheneve they want to read a DI messge, and so they might save local copies of the decrypted version, anticipating they will be operating unconnected for awhile. This differs from PGP or other crypto systems where keys are stored locally, because with PGP you can always decrypt the message, even 35k feet above Germany in a 747. In these situations, users may agree to the policy DI is trying to enforce, but as anyone who has attempted to set network usage policies, you cannot make policy what you cannot enforce. It remains to be seen wether a system with these limitations can still be a succesful legal tool. My hunch is that this may be enough for the CTO to deny that they have any copies of old email when the subpeonas come, but common-sense is dangerous when thinking about the US legal system. The issues there are much different than in the realm of security. I'm interested in seeing the legal attacks against DI, as that is where it's attempting to operate, and it's success hinges on that primarily. -- Craig Brozefsky <[email protected]> Free Scheme/Lisp Software http://www.red-bean.com/~craig "riot shields. voodoo economics. its just business. cattle prods and the IMF." - Radiohead, OK Computer, Electioneering # distributed via <nettime>: no commercial use without permission # <nettime> is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: [email protected] and "info nettime-l" in the msg body # archive: http://www.nettime.org contact: [email protected]