
WTB Standardized Email Encryption. PST

February 15th, 2009

Today I received an email from an undisclosed relative who works for an undisclosed company. Suffice to say that the relative works for a very large Australian company. In the footer of the email was the following message (identifiable information removed):

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender immediately.

This email has been scanned by the MessageLabs Email Security System for the presence of computer viruses.

Pretty much every company I’ve dealt with that I can think of has one of these retarded footers in their emails. Normally I just ignore them but today I’m grumpy so I’m going to complain about it.

To start with, the first sentence basically screams FOR THE LOVE OF GOD WE NEED STANDARDIZED EMAIL ENCRYPTION! Seriously. How long has it been since the introduction of S/MIME and PGP? Surely every modern email client supports encryption of some form or another, and surely if something were standardized all the products that didn’t would be fixed pretty quickly if they valued their customer base. Right? I mean, do you really think that a message saying “oh noes, if you got this on accident please delete it” is going to do anything if an unscrupulous individual receives a message that wasn’t intended for them? No. It’s just plain pointless.

Second, even if the contents of the email aren’t sensitive enough to warrant full-blown encryption, signing is surely something that should be encouraged given the amount of identity theft that is going on at the moment. Is the corporate world really so behind the times that they think a little message in the footer is good enough protection?

I’m sure some people will be protesting that email encryption is unnecessary and annoying but think of it this way. If you were dealing with a law firm, your accountant, your bank, or some other corporation that has access to some of your very sensitive data (which I might add the company that the aforementioned relative works for does) wouldn’t you feel safer knowing that only you and the other party you’re dealing with could read your emails and that if they accidentally emailed the wrong person that there would be no compromise of security? Heck, I think if you explained to people WHY they had to go through the process they would appreciate it and be more likely to want to deal with the company in the future because they know that the security of personal data is a priority.

Then of course we have the “this message has been scanned by X anti-virus product” footers. Has it not occurred to the makers of these products that a worm could just copy that message verbatim into any infected emails it sends out? Teaching people to think “oh there’s a totally unverifiable piece of text here that says the email is virus free so I’m sure it’s safe to trust” is stupid. Whilst I realize it’s free advertising it’s also irresponsible. If the AV companies really cared about their customers they wouldn’t be teaching them such idiotic lessons. ALWAYS scan emails for malware, and even when emails are “clean” be wary of strangers bearing gifts because AV software is far far far from perfect.
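The difference between a footer and a signature, as an added example that is not part of the original post: the footer check passes on a forged message that copies the text verbatim, while a signature check rejects it. Textbook RSA with a small constructed key stands in here for what S/MIME or PGP do with vetted libraries; the function names and sample messages are assumptions made for the illustration.

```python
import hashlib

# Toy key pair built from two known Mersenne primes (constructed for this
# example). Unpadded textbook RSA at this size is NOT safe for real mail.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs P and Q)

FOOTER = ("This email has been scanned by the MessageLabs Email Security "
          "System for the presence of computer viruses.")

def digest(message: str) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    h = hashlib.sha256(message.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def sign(message: str) -> int:
    """Sender side: requires the private exponent D."""
    return pow(digest(message), D, N)

def verify(message: str, signature: int) -> bool:
    """Recipient side: needs only the public values (N, E)."""
    return pow(signature, E, N) == digest(message)

def footer_says_clean(message: str) -> bool:
    """The 'check' a reader performs when trusting the footer text."""
    return FOOTER in message

def demo() -> dict:
    genuine = "Invoice for February attached.\n\n" + FOOTER
    signature = sign(genuine)
    # Constructed forgery: different body, footer copied verbatim.
    forged = "Please open the attached file.\n\n" + FOOTER
    return {
        "footer_on_genuine": footer_says_clean(genuine),
        "footer_on_forged": footer_says_clean(forged),
        "signature_on_genuine": verify(genuine, signature),
        "reused_signature_on_forged": verify(forged, signature),
        # Using the public exponent in place of D does not yield a signature.
        "public_key_signature_on_forged": verify(forged, pow(digest(forged), E, N)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
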

Sigh, that’s my rant for the day.

Note: If you don’t understand the title of the post it’s because it’s using WoW jargon. ‘WTB’ = ‘Wanting to Buy’, ‘PST’ = ‘Please send tell’ or in other words ‘Please contact me for details’.

Cypher Security

  1. Gamer
    February 15th, 2009 at 15:36 | #1

    Hehe, I agree. I have a relative who works for the Australian Defence Force, and every email comes with one of these.

    IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

  2. February 15th, 2009 at 22:40 | #2

    I think the system was set up by people like this:
    Why are there school?

  3. shclmupf
    February 17th, 2009 at 04:36 | #3

    Standardized Email Encryption?

    I lold. And how far are we from a standardized email DEcryption?

    Do you really think that some encryption will protect your data?

  4. February 17th, 2009 at 06:30 | #4

    shclmupf do you even know the first thing about encryption?

    It’s not security through obscurity, they are tried and tested algorithms. The NSA has sanctioned the use of AES for example for data classified “Top Secret”. Do you really think they’d do that if it was insecure?

    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

    The main weakness of symmetric-key cryptography is that a key needs to be exchanged securely. That changes with public-key crypto (i.e. what is used for email signing and encrypting) because you have a key PAIR. You have a public key which is pushed to key servers which anyone can download, and you have a private key which only you have access to.

    Your public key can be used by people to verify signed emails or encrypt data to send to you. But it can NOT be used to reverse either of those processes. They can not sign emails or decrypt data using your public key.

    I suggest that you do some research next time before going “lulz u think encryptiun will protekt ur dataz”. Yes it will if you’re using a secure pass-phrase with a well-implemented algorithm.

  5. February 17th, 2009 at 06:34 | #5

    Actually. I’ll give you a wager. Given you think that encryption is so pointless in protecting data (because hey, you know better than thousands of mathematicians who are at the top of their fields) you can show off your awesome crypto-breaking skills.

    Give me an email address to contact you on and I will encrypt the source code of all of my projects (including the private ones) along with all of my financial data. I will then send you the encrypted file. If you can break into it then you can do whatever you want with the data.

    I think you’ll find that as soon as you actually do some researching into what you’re “loling” at you’ll see that you are in fact an idiot.

  6. sku
    February 17th, 2009 at 07:22 | #6

    I’d really love to see your prime number factoring algorithm schlumpf. (One that doesn’t take millennia)

  7. February 17th, 2009 at 07:43 | #7

    As would I sku. Too bad there isn’t a Nobel Prize for Mathematics, he’d win it for sure. It would be the mathematical breakthrough of the century.

  8. shclmupf
    February 18th, 2009 at 04:23 | #8

    I did not state that I can break anything. This is what you mistake all the time. I just said that someone may break it. And everything is crackable. You should know about that. And with rising CPU power we won’t take thousands of years for prime number factoring. I did _NOT_ say that I will decrypt all your dataz in my mind. I never said anything like that. But just because something is secure at the moment, it does not mean that it will be secure in the future.

    And Cypher: If someone states that something is possible, he does not say that he can do it himself.

  9. February 18th, 2009 at 07:43 | #9

    “And with rising CPU power we won’t take thousands of years for prime number factoring.”

    You’re obviously still clueless and have done zero research. Please go pick up a book on cryptography (Applied Cryptography by Bruce Schneier is excellent), and you’ll see you’re absolutely wrong. It’s far from thousands, the scale of the numbers with which we’re working is staggering, and thousands is waaaaaay off.

    Even if we project well into the future in terms of CPU power, as long as no mathematical breakthrough is made that suddenly changes our understanding of factoring extremely large numbers, the chances of a well implemented algorithm with a strong key being cracked in the time before the information becomes useless is practically zero.

    Yes it’s “possible”, just like it’s “possible” for me to grow wings and fly, but because the chance of such an event occurring is so small it’s usually ignored, except by stupid nitpickers who don’t understand what they’re talking about and have no better argument than “lulz itz teknikally pozzible” (ie you) [Preempting Nitpicking: I was paraphrasing you].

  10. shclmupf
    February 18th, 2009 at 09:27 | #10

    There is a 0% chance of you growing wings. There is a 0.*% chance of it getting cracked. The one thing is mathematically, logically, etc. impossible, the other one may be but can be ignored. That’s still a difference.

  11. February 18th, 2009 at 10:34 | #11

    Actually whilst you can be almost certain that I won’t grow wings you cannot dismiss it altogether. To do so would be unscientific. Just like no one can say with 100% certainty “there is no god”, no one can say with 100% certainty that I will not grow wings.

    I am an atheist, but even the most staunch atheists (for example Richard Dawkins) are open to new evidence. That’s part of the scientific method. To dismiss something altogether without the adequate proof is ignorant.

    Thank you for proving your lack of knowledge on both this subject and in general.
