Re: Impact of Netscape kernel hole




At 06:08 PM 6/13/97 -0700, Eric Murray wrote:
>Of course that's IDEA-encrypted (or maybe something better in PGP 5) so
>the attacker would need a lot of compute power to brute-force the key.
>I wouldn't worry too much about someone getting my secring.pgp.  However
>I would worry about them getting my mail folder, my .rhosts, my
>/etc/password, etc.

This is one area where evil mail reader clients like Microserf Mail
do better than decent mail clients.  The MSMail mailbox is one huge file,
structure undocumented, encrypted with an algorithm strong enough to
defeat Stacker/Doublespace and prevent you from repairing the file
if it's corrupted* but not strong enough to keep the NSA out.
MSMail encourages you to send MSWord attachments and Powerpoint graphics
instead of just writing text, so it's not uncommon to have a 
100MB mailbox in a typical corporate marketdroid environment.
If someone steals my Eudora mailboxes, they'll need to snarf a few MB
of accumulated mail (though much of the good stuff will be saved
in files), but even if they only get part of the file, it's readable.
Someone who steals my MSMAIL.MMF will get 100+MB of noise,
hiding a relatively small amount of signal, and if they only get
part of it before losing the connection, it'll probably be corrupt.

[*Actually, my MSMAIL.MMF _is_ corrupted - MSMail has a self-repair /
garbage collector feature enabled by hitting magic keys at startup,
which on my mailbox is a bit overenthusiastic -- it deletes all the
attachments, leaving only the headers/text of messages and the
icons for the now-missing attachments.  So I can't use it...]

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)