Feeds

The Bastard goes email snooping

Easy if you try

  • alert
  • submit to reddit

Build a business case: developing custom apps

Episode 12 BOFH 2002: Episode 12

"But how do we

KNOW

that they're not reading our email?" a geeky type from payments asks The Boss over an evening beverage at the company bar.

"Because the software doesn't let them" The Boss replies, dipping a tentative toe in technology for a second.

"Yes, but how do we know that they don't change that software to allow them to do it anyway?" he persists.

"Numbers," The PFY chips in sagely.

"Numbers?"

"Yes. There's what, 600 people working here - all getting email from people all over the country and the world. To look at their email, we'd have to go through each and every mailbox checking all their messages. We just wouldn't have the time to do it!"

"Yes, but you could if you only wanted to read ONE person's mail."

"Well I suppose we COULD, but we'd have to have some sort of reason. You know, something that would make us wonder what a person is hiding..."

"Right, yes, OK! Well I suppose that covers it! Drinks anyone?" he responds hastily.

***MENTAL NOTE TAKEN***

... The next day dawns, and even The Boss is showing an interest - wanting to know if the person in question has a skeleton or two in the closet...

"..and what you're looking for is files which look like they should be there, but really are out of place. Like.... THAT ONE!" The PFY explains, pointing at a folder on the screen.

"PAYSHD.ZIP! Won't that be a Pay.... Schedule file or something? Hardly worth looking into.."

"That's just what he wants you to think..," The PFY murmurs disparagingly. "But your average beancounter doesn't even know his trouser zip exists, let alone Winzip. No, this is progress! 20 megs of premo smut I'd wager!"

"You don't know that!"

"Know it - no. But after a while you get a nose for these things. That baby is just out of place. But don't take my word for it >clickety< >click<. Ah-HAH!"

"What? It's just an encrypted zip file?"

"Yes indeed, and encrypted file, full of smut!"

"It could be ANYTHING!"

"Yes, you're right. Our user has an encrypted ZIP file, which contains an encrypted zip file - and there's nothing suspicious about that..."

"He might just be being cautious."

"Oh, I think you're right there. But lets just see. First, unencrypt the contents >clickety< using his >clickety< NT password."

"I thought passwords were stored encrypted!!!"

"Normally, yes, but for our users, no,"

"Why not?!?"

"It'd make their using their email harder for a start."

"You login to their accounts and read their email!!!?!?!"
.
"Of course not!"

"Oh!"

"No, we use the ADMIN tool to read their email - it's much faster."

"So how having their password it make email reading easier?"

"Oh, well, we can login as them and SEND email - you know, to get more email to read. For instance, I might send one from you to that woman from personnel you were chatting up last week - suggesting a quick candlelight dinner somewhere."

"YOU SENT EMAIL FROM MY... What did she say?"

"No no, I was just using it as an example."

"Oh."

"Mind you, I wouldn't develop a nervous twitch in your eye when you're talking to that big bloke from stores as he's definitely... not interested."

"!" he half gasps.-0

"Sorry about that, just testing the interface."

"But my email is electronically signed with that key you got for me!"

"Indeed it is, but THAT key in turn is signed by an authority just a whisker away from being what's known as a 'trusted' authority."

"A whisker?"

"Well.. more like a beard."

"Which company was that then?"

"Trusty Amal's Key Registry Services. Two quid for a 64-bit key issued for 50 years!"

"Isn't 64 thingies a little bit.. insecure?" The Boss asks remembering something from technology nursery school.

"In the banking world, yes, but for your correspondence, no."

"Why not?"

"Well it's a risk reduction thing."

"How does it reduce risk?"

"You don't have to take the risk that someone will torture it out of you some day. Sort of a proactive escrow."

"So you were thinking of me the whole time?"

"Of course."

The Boss decides to cut his losses here and move on.

"So why are we continuing looking through this user's files if we've found something?"

"Well, it was too easy. And when you're a sad beancounter type, you're sort of expected to spice up your life with a couple of pictures of Barbara Cartland taking on a midget wrestler or two. No, this guy's really hiding something.."

"Like what?"

"Oh something that he doesn't want anyone to know about. Cutting Edge Porn, Dirty Stories, A Train Spotter mailing list!"

"Isn't that illegal?!"

"I don't know about the first two, but I'm fairly sure the last one is, and we should be able to find out.... >clickety< veerrrry shortly, as he's used the same password twice."

"What is it?" The Boss gasps.

"It's a pay Schedule file - amounts, people, etc. What a bust."

"So what was he hiding?"

"Well there are several different train timetables in his inbox.." I murmur.

"I'll call the cops!" The PFY says.

Two hours later the police have left, after being most unhelpful. Of course they questioned the bloke concerned, but with the liberal laws these days, people can get away with trainspotting without charge. Personally, I blame the government.

Still, The PFY and I while away the intervening hours thinking up ways to cement The Boss's relationship with that bloke in stores, while the bloke concerned (after the first message anyway) whiles away the hours thinking up ways to cement The Boss in stores.

It's a funny old world. ®

Build a business case: developing custom apps

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Microsoft says 'weird things' can happen during Windows Server 2003 migrations
Fix coming for bug that makes Kerberos croak when you run two domain controllers
Cisco says network virtualisation won't pay off everywhere
Another sign of strain in the Borg/VMware relationship?
VVOL update: Are any vendors NOT leaping into bed with VMware?
It's not yet been released but everyone thinks it's the dog's danglies
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.