Self-Shredding E-Mail
yoink! writes: "I just read an article on CNN.com describing a self-shredding e-mail system. With all the persistent e-mail documents gathered by the Government in the MS Anti-Trust case, and the massive shredding of paper documents by parties in the Enron fiasco, it's no wonder people have been looking for an electronic solution to a material problem solved years ago with some cutting tools, a motor, and a garbage bag." One of the companies highlighted here was called Disappearing, Inc. when it was mentioned a few years ago, but now several others have joined the fray.
How about not sending anything that could get you in trouble? Common sense should prevail here. But in the wake of Enron, I am sure they will do well.
One thing I did not see in the article, what happens if the person on the other end saves the email as an attachment, or saves it? I doubt it would be able to "shred" that. This is a very niche market item imo. Once again, DON'T SEND IT IF IT COULD GET YOU IN TROUBLE.
Sent from your iPad.
I think that instead of devising ways to destroy damaging emails that you send we should instead focus on not sending damaging emails. Bill Gates sent out memos that the DOJ is now using against him. That'll teach him. If you have something that important to say it's probably best said in person.
People still will be able to print out messages, or make screenshots of their MUA - ESPECIALLY when they know that the mail is going to self-destruct. So these expensive systems still won't guarantee against a copy surviving (especially if it's something hot that could be used to blackmail somebody, such as the order to shred all records...).
;-)
In short: Why waste money on a system that prevents e-mail from getting read by law-enforcement officers? Why not simply do nothing illegal?
Why not use Outlook. It does that whenever it wants on my University (randomly).
I fear however that they might be in for a surprise when the apparently "self shredded" messages pop up at all those likely and unlikely places like backup tapes, swap files, printouts and the like.
It's probably safer to employ a clean and transparent corporate culture than getting kicked in the butt by embarrassing messages popping up on ol' backup tapes.
I am the musician
with pocket calculator in hand
Kraftwerk
With a traditional document (esp. in the case of sensitive items) versioning is kept to a minimum, and hence the total destruction of a 'mail chain' would be possible. With digital documents it is too easy for multiple versions to exist - using the email example you could have multiple vendors and multiple sysadmins with mailbox backups, many of which could be unknown to the individuals concerned.
With digital documents there will always be a tension between the desire to be able to fix a system that breaks (using backups) and to digitally shred sensitive items. This will probably mean that there will never be as much certainty with digital shredding as traditional shredding.
have nothing to hide. I don't think shareholders would see an email shredder as good news. Sure, you've reduced "liability," but you could further reduce it by having a higher set of moral codes. If I was a shareholder, I'd probably dump the company if news that the company needed to protect itself from itself.
It's too bad that company execs won't see things that way. I guess the most valuable thing then to have as an investor is the list of Disappearing, Inc.'s clients.
I Browse at +4 Flamebait
Open Source Sysadmin
When encrypting a message with PGP you can use the -m option (or select the 'secure viewer' if you are using one of the windoze versions). Doing this prevents the recipient from saving a plain text version on their disks.
No, it isn't as good as "shredding" and there are ways to circumvent this if the recipient was so inclined, but it is a good substitute providing you trust the recipient.
If you don't trust the recipient then WTF are you doing sending them such an e-mail in the first place!
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Still corporations and individuals fail to understand a simple rule: Whatever you can see, you can store and copy. They failed to understand that with copy-prevention mechanisms, and they fail to understand it here. No crypto will help prevent seeing something that you already saw.
And no, hardware protection still can't help. In the worst case - take a camcorder and tape your screen contents. They can't overcome that!
Make even shorter URLs - 8LN.org
Even if the self-shredding software disables printing, copying and screen-capture functions, nothing will stop a determined person from photographing the screen or jotting down the information by hand.
I can see it now. Interns' job descriptions will now include handwriting received email in addition to coffee-fetching, photocopying, and (in the case of Washingtonians) sexual favors...
"Self-expiring" email schemes work essentially the same way: a trusted key authority generates and stores encryption keys for any and all email. Reading an email requires authentication to the key authority, which either returns the key or decrypts the email. After a preset time, the key authority purges the encryption key, after which the email encrypted with that key is theoretically unreadable.
These schemes have several practical problems and weaknesses:
1) These are closed email systems. Composing, sending, receiving and reading all protected email *must* take place within the system. Communication outside the system typically involves a web-based email solution-- you don't actually send the email, you send a URL to a server that hosts the email for the recipient, and a one-time authenticator to access it.
2) There is no protection for email that is removed from the system. Screen captures, saving as text, etc. all remove the email from the "expiry" system, rendering it moot.
3) The key authority is a central point of failure. Reading any protected email requires that the key authority be online and available, and that its keystore be intact. Any interruption in this service makes *all* email hosted by that service unavailable-- and this is (conceivably) all email in your enterprise.
4) If the key store is ever archived-- a typical response to worries about (3), above-- the archived keys can be used to access old mail that has otherwise "expired" or been "shredded." There is nothing in the application of the encryption that prevents an archived key from being used past its valid date, should it be recovered from a backup or recovered forensically from the key server's storage.
Just some thoughts.
-- Cerebus
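The key-authority scheme and weakness (4) from the post above, as a runnable model; this is an added example, not code from the thread or from any vendor mentioned, and the KeyAuthority class, the seal/unseal names, the envelope format and the HMAC-SHA256 counter-mode cipher are all assumptions made for illustration:

```python
# Added example, not from the thread or any vendor: a toy model of the
# key-authority "self-expiring" e-mail scheme, standard library only. Names and
# formats are assumptions; a real system would use AES-GCM, not this HMAC cipher.
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256 run in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyAuthority:
    """Trusted key authority: issues per-message keys and purges them on expiry."""
    def __init__(self) -> None:
        self.now = 0      # simulated clock, seconds
        self.keys = {}    # key_id -> (key, expires_at)

    def issue(self, ttl: int) -> str:
        key_id = secrets.token_hex(8)
        self.keys[key_id] = (secrets.token_bytes(32), self.now + ttl)
        return key_id

    def fetch(self, key_id: str):
        """Key for an unexpired message, else None (client authentication omitted)."""
        key, expires_at = self.keys.get(key_id, (None, None))
        return None if key is None or self.now >= expires_at else key

    def advance(self, seconds: int) -> None:
        """Move the clock and purge every key whose lifetime has passed."""
        self.now += seconds
        for key_id in [k for k, (_, exp) in self.keys.items() if self.now >= exp]:
            del self.keys[key_id]

    def backup(self) -> dict:
        return dict(self.keys)   # weakness (4): keystore copied before the purge


def seal(authority: KeyAuthority, plaintext: bytes, ttl: int) -> dict:
    """Sender: get a key from the authority, then encrypt-then-MAC the message."""
    key_id = authority.issue(ttl)
    key = authority.fetch(key_id)
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(envelope: dict, key):
    """Recipient: plaintext if a key is available and the tag verifies, else None."""
    if key is None:
        return None
    expected = hmac.new(key, envelope["nonce"] + envelope["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("envelope tampered with")
    return xor_bytes(envelope["ct"], keystream(key, envelope["nonce"], len(envelope["ct"])))


def demo():
    """Readable before expiry, unreadable after purge, readable again from a keystore backup."""
    authority = KeyAuthority()
    message = b"Constructed sample: draft merger terms, revision 3"
    envelope = seal(authority, message, ttl=3600)
    before_expiry = unseal(envelope, authority.fetch(envelope["key_id"]))
    archive = authority.backup()     # the backup tape nobody remembers
    authority.advance(7200)          # two hours later: key purged
    after_expiry = unseal(envelope, authority.fetch(envelope["key_id"]))
    from_backup = unseal(envelope, archive[envelope["key_id"]][0])
    return before_expiry, after_expiry, from_backup
```

Note that the recipient also still holds `before_expiry` in plain form, which is weakness (2): expiry only governs the authority's copy of the key, never copies already made.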
Does anyone have information on how this idea works?
Okay, you have a remote encryption key (Me to keyserver: "Please make this key publicly available until 5/5/2002") which you can use to decrypt documents for a while.
But what is to stop people taking a copy of this key, or of the decrypted message? Do you have to run a "trusted software" reader to view the message?
Either way, it sounds like the equivalent of sending a Yahoo card - "Click here to view your message, which we will store for 3 months"
But then, screenshots are still admissible in court.
And we all know how overwhelmingly successful those have been at preventing copying...
The old bromide that "information wants to be free" is not just a statement about copyright. It's a statement about privacy as well - whether you want it to spread or not, once you set information in a digital form and send it to someone else, controlling it becomes well-nigh impossible.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Can I just go ahead and point out the obvious here. Self-shredding email or whatever you want to call it can only work with the consent of the recipient, which goes completely against the tone of the CNN article:
Senders can destroy messages either remotely or automatically, without a recipient's consent or cooperation.
Just like the whole digital-rights management problem, eventually you have to give access to the message to your recipient and they can store a copy. If it's displayed on your screen then even the most recalcitrant software can be bypassed with a screen-shot or at absolute worst, a photograph of your monitor.
All these schemes can do is make it less convenient to store the email you receive. Even so, the receiving software could be disassembled (DeCSS style) and you could create tools that would store the plain-text like a normal email client.
Karma police, I've given all I can, it's not enough, I've given all I can, but we're still on the payroll.
Back in the distant mists of time, when we had cc:mail in house, messages were deleted from the server after 15 days. Since it was not pop3 and all messages were kept right on the server instead of downloaded to your hard drive, it meant that after 15 days it was gone for good. In theory, backups were made. But the person in charge of cc:mail and the backups had . . . issues with the backup, so it was hit and miss anyway.
If people wanted to keep a message, they did what every one using these e-mail shredders will do: either print it directly or copy and paste it into word and print it from there.
In a properly DRM enabled OS *Cough* such options simply won't be available for that particular window. In B2 OSes, covert channels (whereby you copy information you are not entitled to copy) have always been a major issue, and channels as esoteric as conveying information by varying processor load have been developed and presumably defended against. The difference in the past is that the machine has been a centrally administered box where it could be assumed that the administrator was a trusted party. In the new DRM paradigm, the administrator is considered a hostile entity not to be allowed full access to the hardware he purchased.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Erm, how about your latest, not yet patented invention?
Or salary details? Or pretty much anything sensitive?
Admittedly you'd be best off not sending these bits of information, but if you have to then you'd best protect it.
On the other hand I for one can see no possible way a self shred system can work. Once you have information, it's yours. The original may be wiped, but you can use a screenshot, saved copy, hexeditor, memory dump etc etc
Maybe for personal email. But a corporate email system is the property of the company. Anything you create on corporate time becomes the property of the company. An email you send to your co-worker does not become the "property" of the co-worker. It's still part of the corporate network and is still the property (and responsibility) of the company. Thus they have every right to "shred" the message.
They have every right to tell you not to print it out and save it; but of course that's what people will do if they know the messages will be deleted after a certain time. I print out and save messages to cover my own ass.
Which brings up a point. I print out the stuff with full headers, with message ID and info when it was sent; however, does it really serve a purpose? I remembered thinking that while watching "Clear and Present Danger", when Harrison Ford prints out a memo and shoves it into the other director's face saying something like "here's the proof". What good is my printout if I don't have server logs to back up that the message was actually sent to me? What good is a backup of the server logs if I can't prove it wasn't tampered by myself? I know my boss will believe me if I used it as proof to protect my ass, but would a jury? Am I just wasting trees?
-- If god wanted me to have a sig, he'd have given me a sense of humor.
A lot more companies are probably going to be switching to AIM (and similar) to conduct business to avoid a lot of this mess.
Something that allows you to communicate, but without keeping records. No evidence, no worry, I suspect will be a requirement for future messaging systems.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I wonder how this stuff interacts with spyware that logs keystrokes, viewed screens, email, etc.
Of course, talk about being hoisted by one's own petard:
Company X installs spyware on its machines - "to protect itself"; and the results wind up as evidence in a court trial, including "shredded" emails. Conceivably, Company Y could send the email, and have it recovered from X.
I'm a consultant - I convert gibberish into cash-flow.
Automatic document shredding, unless specifically marked with the archive bit set to 1
It would set a new standard for microsoft reliability.
"It is a greater offense to steal men's labor, than their clothes"
>"Self-expiring" email schemes work essentially the same way: a trusted key authority generates and stores encryption keys for any and all email.
>Reading an email requires authentication to the key authority, which either returns the key or decrypts the email. After a preset time, the key authority
>purges the encryption key, after which the email encrypted with that key is theoretically unreadable.
Now one must ask, is the encryption key truly purged, or merely taken offline? If the former, at what point does the FBI require that the keys NOT be purged, and be merely taken offline? Or for that matter, what about system backups that retain keys? You've got to backup your keys, in case of a true system failure, because unexpired messages MUST be read. But you then need to take care to purge backups of keyspace appropriately, as well.
And those are one two more points of failure, as well as the others people are mentioning.
Honesty is simpler.
The living have better things to do than to continue hating the dead.
The problem was, how does one create a system to help with document retention policies that a company creates? Up until companies like Omniva, there wasn't a software process to handle electronic documents where you can say "I don't have that document as it has been destroyed through our retention process".
BTW... These products are not just for large companies like Microsoft. Individuals can benefit through it. Email to your tax accountant would be an example of mail that you may want to disappear after you file your returns. A number of great examples of how folks have gotten screwed by electronic documents can be found in Jeffrey Rosen's book, "The Unwanted Gaze : The Destruction of Privacy in America".
Companies and individuals destroy documents for a number of legal reasons, such as keeping the competition from seeing trade secrets, draft copies that are not ready for public release, and minimizing discovery costs.
Many companies have document retention policies right now. Most paperwork can be destroyed at any time. Some paperwork may be required by federal, state or local law to be kept. For instance, companies that are regulated by the feds have certain paperwork that they need to keep around such as banks, airlines and radio stations. Some of these document retention systems will give you the ability to differentiate between the document you are creating and how long it is to stick around.
>>and (in the case of Washingtonians) sexual favors...
They're supposed to provide those? God damn. Why didn't anyone tell me!?
From a security standpoint, this is great, but from a historical perspective, this is an archivist's nightmare. How do you write a biography of a famous figure of the information age without their email to go through? (I know, insert MS trial email joke here.) How many current biographies of presidents, CEOs, entertainers, etc. are based on their mounds of personal correspondence squirreled away in six million shoeboxes in the family archives? With self-destructing email, the possibility of finding such a treasure trove in email form just got even smaller than it already was.
Was that out loud?
Shredding paper always gives me this warm fuzzy feeling.
The same feeling I get when I put body parts through the wood chipper.
Just use an encrypted filesystem and make sure you can trust the people you're emailing. Self-shredding documents will only work better if you're sending to someone you can't trust that doesn't know anything about computers.
In which case, I can automatically make chat logs of all my conversations.
Provided AOL actually lets me get into the system of course....
> describing a self-shredding e-mail system.
Been out for years, described here. You can even get a demo version!
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Self-shredding e-mail is cool. But messages that kill themselves if they contain the strings "Get Out of Debt" or "Penis Enlargement" would really kick ass.
You were saying?
- Macintosh AIM logs. PC version has a Save option for each individual chat.
- ircle logs.
- BitchX logs.
- mIRC logs.
- pIRCh logs.
- And in programs that don't have a log or save feature, there's always select, copy, paste.
Need I say more?
Liberty in your lifetime
A fundamental law of information sharing is this: if I can read (or watch or listen to) it once, I can read (etc) it forever. I have the message, and I have all of the keys necessary to view it. All I have to do is keep them. Even simpler, I can copy and paste text out of the document, or I can just print it. Faced with the knowledge that all of your e-mail will be deleted after N days, you are much more likely to print anything of lasting value.
For the recipient to choose not to copy, print, or keep the message, he is cooperating with you. There is no way to prevent re-readability when the recipient is untrusted. Period. Saying otherwise is like claiming to have discovered perpetual motion.
I titled the post "(Mostly) smoke and mirrors" because a self-deleting e-mail system works unless the recipient specifically subverts it. In a normal e-mail system, messages are saved forever unless specifically deleted. So the marginal improvement is one of default behavior, not one of security.
--Patrick
The Outlook e-mail shredder too often gets jammed and reboots.
Got Rhinos?
Oh - and it is the next thing to impossible to sue a district attorney for malicious prosecution.
Ha ha.
sPh
- If it is truly meant to make incriminating e-mail disappear, it will fail. Recipients of incriminating e-mail are likely to make durable storage copies, with a camera if nothing else. The crypto software cannot possibly prevent this.
- If it is only meant to make casual e-mail disappear, then it is a great deal of fuss for something that can be handled by simpler means, such as corporate policy, leaving e-mail on mail server spools, and having the system administrators delete it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase
First, the already-hammered screenshot effect. Some systems (infraworks comes to mind) disable various features (cut, copy, paste, screenshots, etc.) in the filesystem (which restricts it to Windoze), but this doesn't address the person with a video-out card recording on a VCR, or photos of the screen, etc.
Secondly, this means that the private keys to your documents are stored on a server accessible via a website! Boggle! Have we not learned anything about the general security of most web services? And even presuming it has technical security, how secure is their identification scheme? Passwords, mostly, with no out-of-band ID system. Hi, I'm Santy Claus. My password is 122502 .
Sigh. All these wonderful sounding ideas, and me without my cluestick.
Returned Peace Corps IT Volunteer
How easily they forget the fundamental axiom of copy protection: if the user can see it, the user can record/copy/save it.
I could just point a camera at the screen and take a picture....
Unlimited growth == Cancer.
I Browse at +4 Flamebait
Open Source Sysadmin
Maybe saving all traffic through a mail server is a good thing. This could prevent someone from forging a mail or a reply. It's not hard to craft a mail message. The mail servers at my last company were all screwed up IMHO. They used HP Openmail servers with Outlook clients. You could craft emails to look like anyone from the company to anyone at the company with absolutely no tracking from the client end. All you had to do was send an Internet email with a From: header that someone in the company had, like some_user@company.com. When it got to our mail servers, it would recognize the From: field as an internal user, attach all the associated Openmail routing stuff, remove the SMTP stuff and send it to the specified recipient. Result? A forged email that appears in every instance to have come from an employee at the company, to an employee at the company and sent internally (no indication that it was sent from the internet and sent via SMTP). You could send mail from one supervisor to another explaining how you thought they sucked and no one would know the difference; we had >50000 employees so you could find other useful things to do with it. Hell, I don't even work there anymore, have no access to their network and I could still send mails between employees. I never got involved with our Openmail setup but I assume that it was configured that way by our headquarters and not the default behavior. I for one would like to think that logging and backing up of email would prevent someone from getting away with this or being blamed for something they did not do.
Bad boys rape our young girls but Violet gives willingly.
Yet again, someone with little real-world experience reduces this to a simple moral issue. The comment of "If you don't send anything incriminating, you have nothing to fear" demonstrates only that the speaker has never been on the receiving end of a subpoena.
I'll say it once more, in simple language, for everyone who hasn't been in this situation, so pay attention.
A document retention policy (with document destruction schedules) is necessary even for a company that adheres strictly to the moral "up-and-up" to prevent lawsuits from inflicting huge cost and manpower burdens. For example, let's assume that you keep your records forever, so you have five years' worth of emails. Let's also assume that you don't have anything incriminating in these emails. Someone presses a sexual harassment lawsuit against you and subpoenas all of your email records relating to the lawsuit. Now, even though you didn't do or say anything wrong, you (not they) get to pay your IT person to dig through every email sent by every employee for five years (and an attorney to sit with him/her, fending off the plaintiff's attorney, who will also insist on sitting with him/her) just to prove that there's nothing there that relates to the lawsuit. Sounds expensive, doesn't it? With a retention policy that says email is to be destroyed after six months, you can answer the judge by saying, "our policy for email includes destruction after six months, so we have no records farther back than that" and thereby limit the scope of a subpoena (and the time and money spent fulfilling it). There are other reasons, including taking comments out of context and such, but as you can see, even companies with a perfectly sterling record benefit from such policies.
Virg
> > Shredding paper always gives me this warm fuzzy feeling.
> The same feeling I get when I put body parts through the wood chipper.
Really? I'd think that would hurt a lot. And you can really only do that four times (or five, if you're a fellow) before you'd run out of parts.
Virg
A better way to do it is to have a system where all the emails are anonymous - and at the end of the message a one time SSL url (possibly javascript) that would allow the recipient to verify it once against its md5 sum. This way it wouldn't matter what the email said, because anybody could have faked it. Only the person who checked knows for sure if it's real.