Full Disclosure mailing list archives
Re: Hash
From: Tremaine Lea <tremaine () gmail com>
Date: Fri, 27 Jul 2007 09:05:23 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 27-Jul-07, at 7:49 AM, Valdis.Kletnieks () vt edu wrote:
On Thu, 26 Jul 2007 18:23:37 MDT, Tremaine Lea said:Apparently you've never heard of a mail administrator tagging outbound email for all users. It's pretty common. Of course, you may lack the experience of dealing with large companies.The fact a large company does it doesn't make it any less stupid. And you think a large company could afford their own mailserver rather than making their people use Gmail (now wrap your head around the concept of "confidential mail anywhere *near* a Google-owned server"... ;)
I was as amused by that as you.
To pick up on a part of the sig that Nick didn't rip into publicly:"and delete it from your system"Presumably, Tremaine, in his self-claimed role as "Security Consultant" *and* "Paranoia for hire", realizes that it quite likely sat on my site's main mail server for anywhere from several seconds to several hours (in fact, there are probably copies on *3* different servers in our mail cluster) - and that until some *other* piece of mail happens to land on those same blocks of storage, the text is quite easy to recover by any decent computer forensics practitioner.
Yes, I do realize this. Duh.
On the other hand, actually going in and overwriting the affected block(s) is quite challenging, especially when it's a 10 terabyte mailstore handling several million messages a day for 100K users. We'll be happy to do it - *IF* Tremaine's company is willing to indemnify us for the downtime.
Why would I (or the company I contract to) be interested in what you do to delete Sergio's email?
So there's 2 possible outcomes here: 1) The request has zero legal standing, and Tremaine's company is relying on the kindness of strangers rather than using PGP or S/MIME to actually secure their mail. This sort of thing is usually called "lack of due diligence", and I don't think any company wants to be flaunting it.
Speaking of due diligence... I'm pretty sure literacy and following a trail of information is basic to this field. As you've clearly missed, Sergio has nothing to do with me, the company I work with, or ... hell, who knows. I don't know the guy from Adam. Or you.
2) The request *does* have legal standing - in which case Tremaine's company may indeed have some liability to pick up any and all associated costs.
Again with the not being able to follow the bouncing ball.
Particularly interesting is the legal question of what happens when a "please delete all copies" request is attached to something that's sent to a company that is required to retain copies of *everything* for regulatory compliance (as is true for some financial-sector companies).....
That's the only really interesting thing you've contributed, and it's a good question. Any one know of any court cases on this? - --- Tremaine Lea Network Security Consultant Intrepid ACL "Paranoia for hire" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iQEcBAEBAgAGBQJGqgm0AAoJEKGa22zRy9WCEvgIALax083+iHxWUphyIh+aXg7+ d9oqyw8CRe6iZ5Fe6GKYh1RHXO07PrJAx3kttMUyzvsIEupwsVmQdFtdzyGm7wPu U1MRBPMFV9pIMhr6BF5Q96mYLmNf8dRvmMCIAoEoo1HmXRp3KocKzliLd3RqNJ6G 7Rsp+WOtpZJHnX4O+2Hn2EVAjIZTP3kZ7wko7FNVUTQcTe703/Cx9h82eGDgVmVZ zaasGUsEX2Y9hgvPPFYdNebnX8EihkFZ1FjaLKpyXzl2aLBTGsmFKtoK0KdbS93Y YwgMPiDByvXKNqTCR1Ehzl9c/Y6KVUMgR34jyFs9OQCr8/Cr2ePKZ5WGdT+YCxk= =bgWU -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Hash shadown (Jul 26)
- Re: Hash Valdis . Kletnieks (Jul 27)
- Re: Hash Tremaine Lea (Jul 27)
- Re: Hash secure poon (Jul 27)
- <Possible follow-ups>
- Re: Hash Joey Mengele (Jul 26)