Locally Secure Email Clients?
Mattcelt asks: "I share my PC with my roommates, two of whom don't have their own PCs. In order to keep things simple, I have Windows98 running on it - they are used to the interface; it runs the programs they need to run from the University; and I refuse to pay the money to Microsoft to upgrade to a newer Windows OS. Unfortunately, there are some issues with privacy, and though I trust my roommates, there are work-related things I wouldn't want them to stumble into. Has anyone seen an email client other than Outlook that has -local- file security? Outlook has a feature to allow the password protecting of .pst files on the local drive, but it seems that every other email client figures that once the mail is on your machine, you don't need it protected any longer. Is there another email client with integrated password protection?"
Just set thunderbird up to store your mail in a subdirectory of the root thunderbird dir, and encrypt it from there recursively.
Perhaps you should look for a more general solution instead of one focused on email clients: Encrypting/Password protecting folders on your computer.
- Encryption/Security-Encryption-45.htm
This way, you could store all your sensitive files on the encrypted/protected folder, and have it only be unlocked when you are there.
Here are some links:
http://www.passtheshareware.com/c-encryption.htm
http://www.globalshareware.com/Utilities/Security
http://www.everstrike.com/protect-folder-98.htm
sig? uhh, umm, ok
--
Evan "IMAP/Kontact user myself"
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Under what obligation are you expected to share a PC with them (unless they're of the appropriate sex and you're getting laid)? Why can they afford tuition but not a PC? Why aren't they paying you for "IT support" which could probably add up to the purchase price of separate computers anyway. Dump the freeloaders and make them buy their own computers. Sheesh, talk about self-inflicted masochism.
The Bat
If you buy yourself a copy and let everyone else stick to outlook, the app won't open until the proper password is supplied. The mail folder itself is meanwhile encrypted (I think, but let me double check).
I would guess that most programs (I know that Outlook lets you do this) will let you specify where to place the datafile with all the e-mails and such. All you do is have it put the file on another disk. The idea is that you use a USB key that you keep with you. The data file is stored on the key so only when you're at the computer and it's plugged in is the data accessible. Hard to get more secure than not having the file on the computer at all.
If the program objects to having the file on a removable drive, you could make batch scripts and keep them on the desktop. The one you run after inserting the key would copy the file from the key to the hard drive in the appropriate place. The one you run when you're done moves the files off the hard drive back onto the key. Then you remove your key and go.
Seems like about the best solution you'll get.
Note: also that there are some USB Keys (I seem to remember seeing one on Tom's Hardware reviewed once) that have functionality like this built in somehow. They contain their own e-mail client or other software to make doing this kind of thing easy. Look around, you're not the only person who would like to be able to do something like this.
Also note: for the ultimate in security, get one of the USB key drives that has a thumbprint sensor as an added layer of security.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
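The copy-in and copy-out scripts described in the comment above, combined into one Windows 98 batch file as an added example (not part of the original comment). The drive letter, folder names and client path are assumptions.

```batch
@echo off
rem MAILKEY.BAT - added example, not from the original comment.
rem Assumptions (hypothetical names): K: is the USB key, K:\MAIL holds the
rem mail store, C:\MAILWORK is the folder the mail client is configured to
rem use, and MAILCLIENT is the path to that client's executable.
set KEYDIR=K:\MAIL
set WORKDIR=C:\MAILWORK
set MAILCLIENT=C:\MAILAPP\CLIENT.EXE

rem Refuse to run unless the key is plugged in.
if not exist %KEYDIR%\nul goto nokey

rem A leftover working folder means an earlier session never cleaned up,
rem so mail may be sitting on the shared disk. Do not overwrite it blindly.
if exist %WORKDIR%\nul goto stale

rem Step 1: copy the mail store from the key to the hard drive.
mkdir %WORKDIR%
xcopy %KEYDIR%\*.* %WORKDIR%\ /s /e /y
if errorlevel 1 goto copyfail

rem Step 2: run the client and wait here until it is closed.
start /w %MAILCLIENT%

rem Step 3: write changes back to the key first; delete the local copy
rem only if that succeeded, so a full or removed key cannot lose mail.
xcopy %WORKDIR%\*.* %KEYDIR%\ /s /e /y
if errorlevel 1 goto savefail
deltree /y %WORKDIR%
rem deltree only unlinks the files. Their contents stay on the FAT volume
rem until overwritten, and the client may have left temp or swap data too.
echo Mail is back on the key. Remove it before you leave.
goto end

:nokey
echo Key not found at %KEYDIR%. Plug it in and run this again.
goto end
:stale
echo %WORKDIR% already exists. Check it against the key before deleting it.
goto end
:copyfail
rem The key still holds the only good copy, so drop the partial one.
deltree /y %WORKDIR%
echo Copy from the key failed. Nothing was started.
goto end
:savefail
echo Could not save to the key. Mail is still in %WORKDIR%.
goto end
:end
```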
Install linux.
I know, I know "My apps don't run in linux, and wine is teh sux0r5" blah blah blah.
Well then, do a dual boot. I know, I know "reboot to check my mail, hell no."
Install XP. I know, I know "Paying M$ for an upgrade, hell no."
Well, I know you don't want to hear it, but as long as you are using 98, you're fucked - UNLESS, you use yahoo or something similar to store your pop mail. You have to get it off of the machine for it to be hidden from users that have local access to a machine that thinks it's you - unless every email is encrypted. Sorry bro, sucks to share, but jesus, the freeloaders can go get a decent machine off ebay or http://www.craigslist.org/ for a couple hundred bucks. Shit, I just picked up a dozen sparc stations from a guy - FOR FREE. This scenario is bs, there is no excuse not to have your own PC.
ymmv
Why not have your roommates have their mail forwarded to something like a yahoo account? Let them use a browser to read their email and you can still use Outlook.
If you don't trust them, no e-mail client is going to help. What's to stop them installing a keystroke logger and getting your IMAP credentials/PGP passphrase/shell account details? Running a cracker over the PST encryption? Shoulder surfing your password?
Say you install a more secure, multi-user OS like Linux or FreeBSD or (gasp!) Windows 2000. Even if they can't learn your password, they can boot Knoppix or similar, mount your partitions and crack your box that way.
The bottom line is that if they have physical access to your box, you're pretty much screwed. Either trust them and find some other way to separate work from home, or lock your box away in a cabinet they can't get to, install Linux/BSD, keep them patched against local root exploits, and don't let them get you drunk/stoned/in a state where you might divulge your passwords.
Some of the things in my mailbox are sensitive, and my roommate and friends use my PC sometimes. I don't download my business mail at all, I use terminal sessions with my employer's Citrix server or even Outlook Web Access in a pinch. This has a nice side effect of allowing me to get into my mailbox from anywhere, not just home. Data is encrypted in transit and never stored locally. Obviously this is only an option for those with corporate web mail or terminal servers available, but it works great for me.
-Lod
Multiple accounts each with access to their own protected userspaces. Also, it's easy to upgrade, and if you're on campus, you might already qualify for your university's WindowsXP/2000 site-license. Meaning it's free for you, and you're running an OS which is still officially supported.
-Christopher Wu
http://www.christopherwu.net/
I know that with some MUAs one can specify certain folders for local mail storage, and you can do this with Eudora in particular (you can probably do it with The Bat or maybe even Outlook; I've used neither of those, so I can't say). So install Eudora, and create your shortcuts for each user like in the link. You'll want to create folders on a different drive letter for each user. User #1 gets h:\mail, User #2 gets i:\mail, etc.
Now, install BestCrypt. You have three users, so create three container files. Have each roommate type in their own passphrase. Open each one, mounting each on the drive letter where the icon shortcuts above point to. Ensure that Eudora can get/send mail (look for mtimes on the .toc files for the inboxes if nothing else).
Now create three small batch files, one for each Eudora shortcut from above. In each, you'll have a line with the command for that user's bcrypt container mounting command, then the text in the "Target" from the Eudora icon above after that. Edit the properties of each icon, and point them to the appropriate batch file.
When User #1 clicks his Eudora desktop icon, BestCrypt will fire off, asking him for a passphrase. Then once the container with User #1's mail folders is mounted, Windows will start Eudora, pointing it at the newly mounted drive. It'll check mail, and store everything. When User #1 is done reading his mail, he can either leave his mail container mounted, or right-click the system tray icon and unmount it. (You could alternately create a batch file that shuts down Eudora and then unmounts the container.)
It sounds like a lot of work, but it should take more than 5-10 minutes to set up. And it'll be secure. You can pick many different algorithms with BestCrypt. Using Blowfish with a 256-bit key ought to be just fine for your needs. An alternate solution would be to go on ebay and find some cheap used laptops for your roommates' mail needs. Then you can encrypt your entire filesystem.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Sometimes I wonder why I don't filter 'Ask Slashdot' questions entirely... Sigh...
1. Get a real OS and dump Win98! ASAP If you don't want to pay MS for their software then run Linux.
2. Run Linux, get multiple logins for each user and they are effectively isolated from each other.
3. If you must run 'Windows' then run a more modern OS that can handle multiple accounts with NTFS file security such as WinNT/Win2k/WinXP.
4. Tell your leeching roommates to get their own damn computer(s) and stop using yours. How any so called 'student' cannot have a computer for at least 'word processing' is beyond me. What the heck do they do? Fight for lab space? Go to the library? Sheesh in the age of the gaming console I doubt many would want to leave their dorm room to use a computer. Just get one already! And don't even think about bitching about the cost, they are cheaper than they have ever been in the past and you can always buy a slightly used one for much less.
5. If you won't run Linux, consider an Apple with Mac OS X! Look for the eMac if money is tight or find a used iBook 800Mhz or something on eBay. You can isolate users under Mac OS X as well.
Win98 has zero security whatsoever and you are just asking for trouble by running an MS OS that is six years old! There must be a bazillion security holes and stability issues with Win98! Time to join the next century!
This is Slashdot, where practical solutions are impossible.
Here's a Slashdot answer:
I suggest upgrading to Linux. If some apps don't work, suggest to the developers that they port their apps.
Conformity is the jailer of freedom and enemy of growth. -JFK
However, it's overkill for your situation.
Instead, set a BIOS password, and tell your roomies to get their own @#!! computer.
I think you are demanding too much to that w98 of yours. Without REAL filesystem permissions (in the filesystem), the only way of really achieving that is using encryption.
Your situation could be seen in two ways:
1. You share your machine and wouldn't want your roommates to see your files, but they are not trying to mess with your stuff on purpose.
In that case you could just use mozilla as you've been told in the other posts. I do that here and it works, it's even better considering that you can also separate the browsing histories. Don't bother searching for a complete solution.
2. Your roommates are trying to read your mail on purpose.
In that case, your only option is encryption. Get Gnupg and WinPT and start encrypting (you can use enigmail for sending and receiving encrypted mail but I don't know of any plugin to encrypt the folders, a cheap way is to forward your sensitive mails to yourself using enigmail).
Looks like situation 1 mostly applies to you. My suggestion: get mozilla, make separate accounts and encrypt only your really sensitive stuff.
GPG 0x1B479C78
"...and I refuse to pay the money to Microsoft to upgrade to a newer Windows OS."
Bummer. The upgrade from 98 to 2k or XP would become worth the money in well under a week. Not only could you set up better permissions for stuff, but they're also harder to break accidentally. I'd point ya that way even though you don't want to, but it doesn't directly solve the problem you specifically asked about.
"Derp de derp."
When I said "separate accounts", I meant "separate profiles" (as in "mozilla profile manager")
My mistake, sorry.
GPG 0x1B479C78
You can go all the way to using Linux + Win98 running on VMWare.
Not sure if qemu is stable enough, but if it is good enough to boot WinXP...
You'll be limited to the size of the drive, but a 256 or even 512 meg size one isn't that expensive anymore. You just set your profile to use that drive, and the mail client won't work without the drive plugged in.
Since you're using windows 98 try Scramdisk.
I used it some years back in my Win9x days and it was very reliable (well version 2.02h was anyway). I used Eudora for email, but any email program that isn't so tied to the registry is good - e.g. uses ini files and you can tell the program where to find the ini and mails.
Here's how I did it:
Create a scramdisk container (encrypted file which you mount as a drive) big enough to hold your emails and other stuff.
Mount it as say M: (or z: or whatever - don't clash with local, cdrom or network drives)
You can install eudora on the M drive - or leave eudora on C: for them to use. Then you create a shortcut for your own use which points to "C:\Program Files\Qualcomm\Eudora\Eudora.exe" "m:\mymaildir"
Eudora is smart enough to use m:\mymaildir as the maildir when you launch it that way.
Note you can even put the scramdisk container on a network drive which is what I did at my office - that way I can mount my office mail from any LAN machine and access it, and the data goes over the network encrypted.
I've also had scramdisk and a scramdisk container on a CD-R to store my remote admin SSL certs.
Scramdisk does not work with NT/W2K/WXP you have to buy the author's next version for that.
"their own protected userspaces"... so long as everybody promises not to try to get into anyone else's "protected" space, since it's a trivial matter to do so with physical access to the machine, and depending on the exploit of the month it may not even require that...
any file sitting on a windows box is accessible to someone who really wants it, sometimes it's a cakewalk and sometimes it takes a couple minutes. you can encrypt it, protect it with ACLs, write only in pig latin, etc... it's still accessible in one way or another.
PS not trying to bash Windows specifically too much, other OS's have a lot of the same easy exploits. the best idea is not to store anything on your PC if you can't tolerate it being accessed by others. use removable media with strong encryption and check your system image for tampering before mounting the media... that might work.
One option that comes to mind, assuming you're willing to tinker and have more time than money:
Find an old (eg, first generation pentium-I) computer, and set it up in the closet running a trim linux or BSD distro. For something between free and $20 US, plus the cost of a hard-drive and two network cards (and or a hub), you can put together a nearly secure storage system. You could also turn it into a cheap firewall while you're at it, which could be a very good thing once security updates for win98 stop happening, if they haven't already.
For example, set up a samba server on the old computer with individual users for everyone in the house. Then just keep all your personal files there. If you want it to be more secure (eg - somewhat protected from people who might use a rescue disk to boot into your server box), then set up an encrypted filesystem for each user using loop-aes for linux or bsd's built in vnd encryption. SSH into the second machine and unencrypt your directory every time you want to use it. There's probably some way to set up the ssh client on windows to log in automatically and run a script, so that you can be one click away from the encryption password.
If you're really paranoid, note this doesn't protect you from someone desperate to get at your stuff - they could still pull out your hard drive and add a keystroke logger or file copier, but it would protect you from a casual browser. Basically, if you think they'd be willing to use screwdrivers, then you need a better solution, like a usb drive. You could also encrypt the whole drive on the server box, which would allow at least one person to know it is secure, but since they could just as easily add malicious stuff to the windows box to spy on you, it probably isn't worth it.
This is all assuming that it's possible to make windows forget samba passwords without rebooting. It's been years since I've used windows, and I've never messed with samba, so I'm just guessing that it is.
Of course an easier solution may be a usb flash drive, or an external hard drive, which you can lock in a drawer when you're away.
If you're using OE (not sure if Outlook has the same feature), you can use OE's Multiple Identities feature to password protect your identity so one can't just launch OE and browse through your mail. Since we're talking about people you trust and I presume aren't very savvy, this will prevent casual browsing. The mail storage on local disk (%systemroot%\Application Data\Identities\CLSID\Microsoft\Outlook Express) is in a db format, not easily read by non-savvy people.
Best part is you don't have to do anything besides implement an existing feature if all you want to do is prevent casual browsing by non-savvy people.
"Why do you consent to live in ignorance and fear?" - Bad Religion
An encrypted filesystem is not, repeat, is not, any kind of defense against untrustworthy people with ongoing physical access to the hardware. If you've got a laptop and you're concerned about it being stolen, an encrypted filesystem makes a lot of sense. But in this situation it makes almost no sense at all.
Although this relies on trusting the server admins. The longer info is on the server, the more likely it is that someone will also 'stumble' onto it. If this info is really confidential, then consideration should be made to encrypting it before emailing.
Storing the encrypted mails on the machine would mostly serve his purpose, if they were only decrypted for reading (tho remember the swap... :) )
Storing the mails on the server is no more risky than using the server. You're one rule away from having a mirror of all email sent to you away being stored, and likely anybody you're using for email has a record dating back at least six months, if not years, of all the email you've sent and received.
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Calypso is the client for you.
Although development has stopped for it, U still can use it (for free).
It stores all mail in a single DB file, which can be password protected.
The DB file can contain multiple accounts.
http://10xshooters.com/calypso-free/
http://www.rosecitysoftware.com/calypso/
You can still get the older versions for free bundled with pgp 6.0.something.
Create a container with PGPdisk, mount it as a drive, install email client to that drive.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
install thunderbird or something, installing files to a usb keydrive, just lug in, load up and go. if these lusers of yours try opening t'bird sans keydrive, they get pretty error messages. :-)
sharing a box is inherently insecure, make them buy a cheap-o dell box or something (just make damn sure you don't do the support).
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
"there are work-related things I wouldn't want them to stumble into"
um... in other words, you don't want your roommates to see you're on the mailing list for tranny pr0n sites?
Pick up a 486 at a flea market, and use it as an SMB file server - set up domain logins, and store your profiles there.
Turnpike is a mail and news client which provides the functionality you are looking for. I think it was originally designed with small office in mind rather than home user, but had migrated to home user. Nonetheless, the mail files are encrypted separately for each user, who has their own password.
I use it personally and find it quite a good system for a windows environment. Spell checking, threaded emails, a "Windows-like" interface. Not free, except for users of Demon Internet, who won it, but I think has a 30-day trial. I like it
Consciousness is an illusion caused by an excess of self consciousness.
I would suggest an IMAP service provider like Fastmail, which I have used since Geekmail shutdown. Their webmail client is good enough that I no longer use Mac OS X's Mail.app, they support server side filtering, and the webmail interface eliminates the downloading of spam.
(I know that this sounds like an advertisement but I am just a customer.)
If these people can't be bothered to get their own computer (in fact, considering what they need to run, they could probably pick up an older system off Ebay dirt cheap), perhaps you should point them to the computer labs on-campus?
Sorry, but if I can manage to piece together a mid-range gaming system on nothing but a minimum-wage job, these people have little excuse why they can't go take an on-campus job for oh, say, two weeks, and pick up an old Pentium 2/3 that can handle the basics.
My advice to you is to give them a good idea of why they would want their own computer, before they take a mile, and they're eating your food and making you clean for them too (assuming this isn't the case already).
From a satisfied user of this and its predecessor. Go here -- http://www.rosecitysoftware.com/courier/ It can be your default MAPI client; and, it's also web-bug and email-worm-proof.
Give each of your buddies regular 'user' accounts so a) they can't install crap, b) they can't directly access your files, and c) they can't screw it up. Each user has a profile and when they run whatever email client they want the files are stored in their profile. Sort of like
For sure! I'm assuming that since they don't own their own computers, they're probably not too capable with them. They're not likely to break Windows 2000 (which is slightly more secure than Windows 98). Of course, they still can break it if they want to.
Go with Eudora for e-mail. It plays well in multiple-user systems, and there's a free edition with spyware-free advertising. I've been using Eudora for years on all my Windows boxes, and I wish they'd come up with a Linux version. I love it all the way down to the sarcastic user interface:
"Eudora got tired of waiting for the server to respond"
"Register your copy of Eudora and we'll erect a giant statue of you on the lawn of our corporate headquarters - (offer void on the planet Earth)"
"There has been an error transferring your mail. I said: PASS <shhhh! Don't tell anyone.> and then the POP server ($ACCOUNT@$SERVER) said: ERR [AUTH] Password supplied for blah is incorrect."
BLAH BLAH BLAH button to view message headers.
"Your message to $ADDRESS regarding $SUBJECT is the sort of thing that might get your keyboard washed out with soap, if you get my drift. You might consider toning it down."
Oh, and unlike Mozilla's mail client, this thing actually has a real (underlining, passive) spell-checker instead of one that bonks you in the face over and over and over for every word it doesn't know. Mozilla's spell checker is, like, so 1994. KMail fixed that over a year ago!
Fire and Meat. Yummy.