The Bastard goes email snooping

Easy if you try

BOFH 2002: Episode 12

"But how do we KNOW that they're not reading our email?" a geeky type from payments asks The Boss over an evening beverage at the company bar.

"Because the software doesn't let them," The Boss replies, dipping a tentative toe in technology for a second.

"Yes, but how do we know that they don't change that software to allow them to do it anyway?" he persists.

"Numbers," The PFY chips in sagely.

"Numbers?"

"Yes. There's what, 600 people working here - all getting email from people all over the country and the world. To look at their email, we'd have to go through each and every mailbox checking all their messages. We just wouldn't have the time to do it!"

"Yes, but you could if you only wanted to read ONE person's mail."

"Well I suppose we COULD, but we'd have to have some sort of reason. You know, something that would make us wonder what a person is hiding..."

"Right, yes, OK! Well I suppose that covers it! Drinks anyone?" he responds hastily.

***MENTAL NOTE TAKEN***

... The next day dawns, and even The Boss is showing an interest - wanting to know if the person in question has a skeleton or two in the closet...

"..and what you're looking for is files which look like they should be there, but really are out of place. Like.... THAT ONE!" The PFY explains, pointing at a folder on the screen.

"PAYSHD.ZIP! Won't that be a Pay.... Schedule file or something? Hardly worth looking into.."

"That's just what he wants you to think..," The PFY murmurs disparagingly. "But your average beancounter doesn't even know his trouser zip exists, let alone Winzip. No, this is progress! 20 megs of premo smut I'd wager!"

"You don't know that!"

"Know it - no. But after a while you get a nose for these things. That baby is just out of place. But don't take my word for it >clickety< >click<. Ah-HAH!"

"What? It's just an encrypted zip file?"

"Yes indeed, an encrypted file, full of smut!"

"It could be ANYTHING!"

"Yes, you're right. Our user has an encrypted ZIP file, which contains an encrypted zip file - and there's nothing suspicious about that..."

"He might just be being cautious."

"Oh, I think you're right there. But let's just see. First, unencrypt the contents >clickety< using his >clickety< NT password."

"I thought passwords were stored encrypted!!!"

"Normally, yes, but for our users, no."

"Why not?!?"

"It'd make their using their email harder for a start."

"You login to their accounts and read their email!!!?!?!"

"Of course not!"

"Oh!"

"No, we use the ADMIN tool to read their email - it's much faster."

"So how does having their password make email reading easier?"

"Oh, well, we can login as them and SEND email - you know, to get more email to read. For instance, I might send one from you to that woman from personnel you were chatting up last week - suggesting a quick candlelight dinner somewhere."

"YOU SENT EMAIL FROM MY... What did she say?"

"No no, I was just using it as an example."

"Oh."

"Mind you, I wouldn't develop a nervous twitch in your eye when you're talking to that big bloke from stores as he's definitely... not interested."

"!" he half gasps.

"Sorry about that, just testing the interface."

"But my email is electronically signed with that key you got for me!"

"Indeed it is, but THAT key in turn is signed by an authority just a whisker away from being what's known as a 'trusted' authority."

"A whisker?"

"Well.. more like a beard."

"Which company was that then?"

"Trusty Amal's Key Registry Services. Two quid for a 64-bit key issued for 50 years!"

"Isn't 64 thingies a little bit.. insecure?" The Boss asks, remembering something from technology nursery school.

"In the banking world, yes, but for your correspondence, no."

"Why not?"

"Well it's a risk reduction thing."

"How does it reduce risk?"

"You don't have to take the risk that someone will torture it out of you some day. Sort of a proactive escrow."

"So you were thinking of me the whole time?"

"Of course."

The Boss decides to cut his losses here and move on.

"So why are we continuing looking through this user's files if we've found something?"

"Well, it was too easy. And when you're a sad beancounter type, you're sort of expected to spice up your life with a couple of pictures of Barbara Cartland taking on a midget wrestler or two. No, this guy's really hiding something.."

"Like what?"

"Oh something that he doesn't want anyone to know about. Cutting Edge Porn, Dirty Stories, A Train Spotter mailing list!"

"Isn't that illegal?!"

"I don't know about the first two, but I'm fairly sure the last one is, and we should be able to find out.... >clickety< veerrrry shortly, as he's used the same password twice."

"What is it?" The Boss gasps.

"It's a pay Schedule file - amounts, people, etc. What a bust."

"So what was he hiding?"

"Well there are several different train timetables in his inbox.." I murmur.

"I'll call the cops!" The PFY says.

Two hours later the police have left, after being most unhelpful. Of course they questioned the bloke concerned, but with the liberal laws these days, people can get away with trainspotting without charge. Personally, I blame the government.

Still, The PFY and I while away the intervening hours thinking up ways to cement The Boss's relationship with that bloke in stores, while the bloke concerned (after the first message anyway) whiles away the hours thinking up ways to cement The Boss in stores.

It's a funny old world. ®
