scheper Aug 31, 2006
If you disable JavaScript after opening the email, it couldn't self-destruct anymore.
rauz Aug 31, 2006
I agree. People who digg you down are just uninformed.
blacksh33p Aug 31, 2006
jcurran: How did you get a hold of that information! The Kablooey Electrode Mind Wiper bundle is still in the experimental stages. We haven't married it to the 1950's era black and white spinning hypnosis wheel of mind control imaging system yet, and no one is supposed to know about it!

I love digg...:)
ikioi Aug 31, 2006
@blacksh33p

"Yes, you can take a real camera and photograph the screen. However that is not the real data, nor is a digital version ala .bmp the real message either. They are facimiles that could be easily faked. We are speaking in the context of using this for legal purposes..." etc.

*cough* For a 'cutting-edge' tech company, you should use the spell check function *cough*

Yeah, I'm pretty sure if I use the video output on my video card to a DVD recorder, it'll hold up in court, showing the headers and all. I could include in the output the direct data feed of my network card, showing the data transferred (and if it's over SSL, it's encrypted with your service's key, if not over SSL, you can get ISP cache logs), so yes, it is very easy to prove 100% by any expert witness, in court, under oath, and threat of their private parts being severed, what the content was.

"But again, the article painted only one picture of us. The other features serve their purpose too..."

You mean confirming receipt of email? That's ridiculously simple, by just creating a service that embeds a linked file, like an image on a remote server, and logs its access. I was creating emails with hidden CGI counter images over a decade ago, so that I could see how many reads my emails were getting (my use was for group mailings).

Yeah, I've heard this mantra again and again and again. The two holy grails of email: spam-free, secure from prying eyes.

Services promise one or both, none yet deliver. But yeah, develop all you want. You'll always have naive business people to dupe. The easiest ones to dupe are ones like this patent lawyer:

'"I really need it to be easy for the client on the other end," says Mr. Currier, who says that leaked information could be disastrous for one of their patent applications. "People don't appreciate just how vulnerable email is."'

They think because they have concern, and took action that most didn't, that they are somehow on the cutting edge and "in the know". These same people are duped by used car salesmen who talk them up about the importance of timing belts and oxygen to fuel ratios, making them think they are smarter than they really are.

Hook - Complete control who reads your email.
Line - Simple and requires no software.
Sinker - It's all smoke and mirrors.
graemel Aug 31, 2006
@blacksh33p

Having thought about this in some more detail, the attack surface is huge.

Your own mail server uses TLS where available, this is good, but far from good enough. There is no guarantee that the original submission to your server will come from a system that supports TLS and it is pretty unlikely that the mail client of the user will have its own digital certificate to encrypt the transfer between the client and the user's own mail server. Result, a determined party has a good chance of being able to grab the original message before it even reaches your service.

Once they reach your servers, are the messages stored in an encrypted format? If not, they are open to insider attacks which are the most common type of attack. If they are encrypted, who has access to the keys and can they be implicitly trusted?

When forwarding the link to the stored message, your server will again use TLS if it is available. If it is not available, then it could be intercepted anywhere along the path between servers. Even if this part is encrypted, you have no guarantee that the server you delivered it to is the final destination and if it will encrypt any onward forwarding of the message to get it to the receiver. At least interception at this stage would be obvious to the intended receiver as the message would already have been viewed, but your secrets are now in the hands of an unknown party.

The only way that your system could stop these attacks is by ensuring that the original message and the link to the message stored on your server are encrypted end-to-end, but in order to achieve that, you're almost certainly going to have to build a system that isn't compatible with existing SMTP clients.

Finally. Yes, the current email system needs a major rework, but better minds than us have been thinking about the problem for years without coming up with a viable solution that remains compatible with existing infrastructure. The likelihood that a start-up company is going to come along with /the/ solution is fairly small.
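
The hop-by-hop TLS gap described in the comment above can be checked on a delivered message by reading its Received trace headers. This is an added example, not part of the original thread: it reports which hops recorded a TLS-protected transfer, using the RFC 3848 `with` keywords and the Postfix-style `using TLS` note. The sample message and host names are constructed, and because each header is written by the receiving server the result is evidence, not proof.

```python
import re
from email import message_from_string

# Constructed sample: three hops, newest first (reserved example hosts only).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.30])
    by mailstore.recipient.example with LMTP id abc123;
    Thu, 31 Aug 2006 10:00:05 +0000
Received: from out.service.example (out.service.example [192.0.2.20])
    by mx.recipient.example with ESMTP id def456;
    Thu, 31 Aug 2006 10:00:04 +0000
Received: from client.sender.example (client.sender.example [192.0.2.10])
    (using TLSv1 with cipher AES256-SHA (256/256 bits))
    by out.service.example with ESMTPS id ghi789;
    Thu, 31 Aug 2006 10:00:01 +0000
Subject: constructed test

body
"""

FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
TLS_NOTE = re.compile(r"using\s+TLS|version=TLS", re.I)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 keywords

def strip_comments(value):
    # Remove parenthesised comments, innermost first, so nested ones go too.
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def audit_hops(raw_message):
    """Return hops in sender-to-recipient order with a TLS verdict for each."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(received):  # headers are prepended, newest first
        bare = strip_comments(value)  # avoids matching "with cipher" in comments
        m, w = FROM_BY.search(bare), WITH.search(bare)
        proto = w.group(1).upper() if w else "UNKNOWN"
        hops.append({"from": m.group(1) if m else "?",
                     "by": m.group(2) if m else "?",
                     "protocol": proto,
                     "tls": proto in TLS_PROTOCOLS or bool(TLS_NOTE.search(value))})
    return hops

def plaintext_hops(raw_message):
    """Hops whose Received header records no TLS for the transfer."""
    return [h for h in audit_hops(raw_message) if not h["tls"]]
```
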
spacebar14 Aug 31, 2006
If you use webmail it won't work I'm betting...
blacksh33p Aug 31, 2006
vanmeir: Thanks for the input, especially since it is in such a constructive manner. Perhaps the wording on the website is too strong, and will certainly take that under advisement. On the certification feature, the message is stored so the message remains available and is included with the affidavit. It actually logs from the web level through the message viewer, so we can determine it was opened and displayed, and what precisely was displayed. This is the design...during the "BETA" which other people seem to look over and fail to realize, we are testing the design, making improvements, getting excellent input like yours, and making the necessary adjustments. The options are not inherent to one another, and it's up to you to configure how the message goes out. That is where we are going with the control aspect.

bsee: Very valid points indeed, and you hit the nail on the head. It adds an extra layer. In civil litigation, I think it would certainly help to have that extra layer, which translates into less time and less money being paid to the lawyers. Thanks again all...
Closed Account Sep 18, 2006
Great to see all the energy being poured out over this idea of outbound email security. As this article describes, the preloaded software on our computers does a fair job of protecting us from spam and inbound email, but makes no attempt at protecting the outbound email we send. Think about the information we include in our outbound emails! And with no security measures, it's crazy! In any case, it is great to see people begin to step up and take action towards greater security and email freedom. I would like to spread the word about another product available to business and even home consumers. Essential Security Software's Taceo performs all of the various functions described in the other three programs discussed in the article and offers a free trial. Check it out at http://www.essentialsecurity.com/