
Re: PGP Employee on MKR

Bill Stewart <[email protected]> writes:
> At 02:38 AM 10/27/1997 -0800, [email protected] wrote:
> >Really? I seem to recall Jon Callas saying my system 'redesigned CMR' 
> >but was simpler than theirs. The mere fact that CMR requires an enforcer 
> >implies that it's a convoluted and hasty design. 
> 
> Not true - you can't implement CMR without a mail enforcer unless
> you can stop your employees from using non-CMR versions of PGP,
> which is nearly impossible.  Even with an enforcer, of course,
> you can't stop the determined employee from double-encrypting and
> steganizing and otherwise getting their outbound bits past your enforcer
> or Pointy-Haired-Boss randomness, 

If the corporate is serious about preventing encrypted messages
leaving their net that they can't read, the simple solution is to
disallow employees from using encryption -- have the enforcer encrypt
it.

Even if you were to use CMR, it is dumb, dumb, dumb, to allow the
snoop key to remain after the message has passed the enforcer -- it
should strip it off on the way out.

> but they could also carry a floppy disk out the door or beam
> infrared out the window from their Newton.

Attempting to compress the plaintext helps -- if it won't compress
(much) you get suspicious.

Pointy-Haired-Boss randomness always works -- compresses well and can
encode anything.

> Similarly, on incoming mail, you can't stop people from sending your
> employees non-CMRed mail without an inbound-mail enforcer and
> can't stop your employees from reading it with their own warez.

Even with an enforcer and CMR it's possible to get past it:
super-encryption, garbage in the CMRK second recipient field, and
Pointy-Haired-Boss randomness.

Simpler, safer, and more effective to just escrow the employee's
company-use key -- that ensures there is only one recipient on the
message passing over the internet.

> More importantly, though, PGP isn't a mail program, it's an encryptor,
> and if you're trying to stop people from sending encrypted mail
> back and forth, you've got to control the mail system as well as the
> encryptors, 

So ultimately prevention largely falls back to controlling what
software people are running inside the building -- no laptops in or
out, no floppies in or out, no installing software, metal detector at
door, body scan, the works.


Detection of sending encrypted mails is easier -- just try to decrypt
everything and have all keys necessary escrowed.  Anything which can't
be read doesn't make it in; anything sent which can't be read results
in a sacked employee.


Companies which aren't after this level of paranoia, but just want to
be able to recover company business mails queued when an employee is
away -- fine, have separate personal-use keys attached to the same
signature key.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`