Locally Secure Email Clients?
Mattcelt asks: "I share my PC with my roommates, two of whom don't have their own PCs. In order to keep things simple, I have Windows98 running on it - they are used to the interface; it runs the programs they need to run from the University; and I refuse to pay the money to Microsoft to upgrade to a newer Windows OS. Unfortunately, there are some issues with privacy, and though I trust my roommates, there are work-related things I wouldn't want them to stumble into. Has anyone seen an email client other than Outlook that has -local- file security? Outlook has a feature to allow the password protecting of .pst files on the local drive, but it seems that every other email client figures that once the mail is on your machine, you don't need it protected any longer. Is there another email client with integrated password protection?"
Just set Thunderbird up to store your mail in a subdirectory of the root Thunderbird dir, and encrypt it from there recursively.
Perhaps you should look for a more general solution instead of one focused on email clients: Encrypting/Password protecting folders on your computer.
- Encryption/Security-Encryption-45.htm
This way, you could store all your sensitive files on the encrypted/protected folder, and have it only be unlocked when you are there.
Here are some links:
http://www.passtheshareware.com/c-encryption.htm
http://www.globalshareware.com/Utilities/Security
http://www.everstrike.com/protect-folder-98.htm
sig? uhh, umm, ok
--
Evan "IMAP/Kontact user myself"
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
The Bat
If you buy yourself a copy and let everyone else stick to Outlook, the app won't open until the proper password is supplied. The mail folder itself is meanwhile encrypted (I think, but let me double check).
I would guess that most programs (I know that Outlook lets you do this) will let you specify where to place the datafile with all the e-mails and such. All you do is have it put the file on another disk. The idea is that you use a USB key that you keep with you. The data file is stored on the key so only when you're at the computer and it's plugged in is the data accessible. Hard to get more secure than not having the file on the computer at all.
If the program objects to having the file on a removable drive, you could make batch scripts and keep them on the desktop. The one you run after inserting the key would copy the file from the key to the hard drive in the appropriate place. The one you run when you're done moves the files off the hard drive back onto the key. Then you remove your key and go.
Seems like about the best solution you'll get.
Note also that there are some USB keys (I seem to remember seeing one on Tom's Hardware reviewed once) that have functionality like this built in somehow. They contain their own e-mail client or other software to make doing this kind of thing easy. Look around, you're not the only person who would like to be able to do something like this.
Also note: for the ultimate in security, get one of the USB key drives that has a thumbprint sensor as an added layer of security.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
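Added example, not part of the thread: the copy-in/copy-out procedure from the comment above, combined into one wrapper batch file that verifies the copy back to the key before removing the hard-disk copy. The drive letter, folder names, data file name and mail client path are all assumptions to replace with your own.

```batch
@echo off
rem Added example. KEYFILE, WORKFILE and CLIENT are assumed paths, not from the thread.
set KEYFILE=E:\MAIL\MAIL.PST
set WORKFILE=C:\MAILWORK\MAIL.PST
set CLIENT=C:\MAILAPP\MAILAPP.EXE

if not exist %KEYFILE% goto nokey
rem A leftover working copy may hold mail newer than the key; never overwrite it blindly.
if exist %WORKFILE% goto stale

copy /b %KEYFILE% %WORKFILE% > nul
if not exist %WORKFILE% goto copyfail

rem start /w blocks until the mail client exits.
start /w %CLIENT%

rem Write the updated file back to the key, then compare byte for byte.
copy /b %WORKFILE% %KEYFILE% > nul
fc /b %WORKFILE% %KEYFILE% | find "no differences encountered" > nul
if errorlevel 1 goto verifyfail

rem del only unlinks the file; on FAT32 the old clusters stay on disk until overwritten.
del %WORKFILE%
echo Mail file is back on the key. You can remove it now.
goto end

:nokey
echo Key not found: %KEYFILE% is missing. Insert the key and try again.
goto end

:stale
echo %WORKFILE% already exists. Copy it to the key by hand before continuing.
goto end

:copyfail
echo Could not copy the mail file to %WORKFILE%.
goto end

:verifyfail
echo Copy back to the key did not verify. Working copy kept at %WORKFILE%.

:end
```

Because the data file sits on the hard disk while the client runs and its deleted clusters can persist afterwards, this only matches the comment's "file is not on the computer" goal when the client can open the file directly from the key.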
Why not have your roommates have their mail forwarded to something like a Yahoo account? Let them use a browser to read their email and you can still use Outlook.
If you don't trust them, no e-mail client is going to help. What's to stop them installing a keystroke logger and getting your IMAP credentials/PGP passphrase/shell account details? Running a cracker over the PST encryption? Shoulder surfing your password?
Say you install a more secure, multi-user OS like Linux or FreeBSD or (gasp!) Windows 2000. Even if they can't learn your password, they can boot Knoppix or similar, mount your partitions and crack your box that way.
The bottom line is that if they have physical access to your box, you're pretty much screwed. Either trust them and find some other way to separate work from home, or lock your box away in a cabinet they can't get to, install Linux/BSD, keep them patched against local root exploits, and don't let them get you drunk/stoned/in a state where you might divulge your passwords.
Some of the things in my mailbox are sensitive, and my roommate and friends use my PC sometimes. I don't download my business mail at all, I use terminal sessions with my employer's Citrix server or even Outlook Web Access in a pinch. This has a nice side effect of allowing me to get into my mailbox from anywhere, not just home. Data is encrypted in transit and never stored locally. Obviously this is only an option for those with corporate web mail or terminal servers available, but it works great for me.
-Lod
Well then, do a dual boot. I know, I know "reboot to check my mail, hell no."
That's exactly what I do: I've got Linux, with an ext3 partition that Windows doesn't have a clue about, for my "sensitive files", and a Windows partition for when my brothers want to play games on the machine -- after all, it's the only computer in the house fast enough to play modern games.
If you're using Win98, you don't even need to re-partition the hard drive. Use something like LoopLinux to have a Linux system resident in a disk image on the FAT32-formatted disk.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I know that with some MUAs one can specify certain folders for local mail storage, and you can do this with Eudora in particular (you can probably do it with The Bat or maybe even Outlook; I've used neither of those, so I can't say). So install Eudora, and create your shortcuts for each user like in the link. You'll want to create folders on a different drive letter for each user. User #1 gets h:\mail, User #2 gets i:\mail, etc.
Now, install BestCrypt. You have three users, so create three container files. Have each roommate type in their own passphrase. Open each one, mounting each on the drive letter where the icon shortcuts above point to. Ensure that Eudora can get/send mail (look for mtimes on the .toc files for the inboxes if nothing else).
Now create three small batch files, one for each Eudora shortcut from above. In each, you'll have a line with the command for that user's bcrypt container mounting command, then the text in the "Target" from the Eudora icon above after that. Edit the properties of each icon, and point them to the appropriate batch file.
When User #1 clicks his Eudora desktop icon, BestCrypt will fire off, asking him for a passphrase. Then once the container with User #1's mail folders is mounted, Windows will start Eudora, pointing it at the newly mounted drive. It'll check mail, and store everything. When User #1 is done reading his mail, he can either leave his mail container mounted, or right-click the system tray icon and unmount it. (You could alternately create a batch file that shuts down Eudora and then unmounts the container.)
It sounds like a lot of work, but it should take more than 5-10 minutes to set up. And it'll be secure. You can pick many different algorithms with BestCrypt. Using Blowfish with a 256-bit key ought to be just fine for your needs. An alternate solution would be to go on ebay and find some cheap used laptops for your roommates' mail needs. Then you can encrypt your entire filesystem.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
This is Slashdot, where practical solutions are impossible.
Here's a Slashdot answer:
I suggest upgrading to Linux. If some apps don't work, suggest to the developers that they port their apps.
Conformity is the jailer of freedom and enemy of growth. -JFK
"...and I refuse to pay the money to Microsoft to upgrade to a newer Windows OS."
Bummer. The upgrade from 98 to 2k or XP would become worth the money in well under a week. Not only could you set up better permissions for stuff, but they're also harder to break accidentally. I'd point ya that way even though you don't want to, but it doesn't directly solve the problem you specifically asked about.
"Derp de derp."
Install Windows 2000 Professional instead of WinXP - it is much less resource intensive (more likely to run (semi-well) on a machine that was current when Win98 came out.) And it is free (not free as in beer, nor free as in herpes - more like free as in pirated.)
... it was designed to do.
Give each of your buddies regular 'user' accounts so a) they can't install crap, b) they can't directly access your files, and c) they can't screw it up. Each user has a profile and when they run whatever email client they want the files are stored in their profile. Sort of like
Glonoinha the MebiByte Slayer
One option that comes to mind, assuming you're willing to tinker and have more time than money:
Find an old (e.g., first-generation Pentium I) computer, and set it up in the closet running a trim Linux or BSD distro. For something between free and $20 US, plus the cost of a hard drive and two network cards (and/or a hub), you can put together a nearly secure storage system. You could also turn it into a cheap firewall while you're at it, which could be a very good thing once security updates for Win98 stop happening, if they haven't already.
For example, set up a samba server on the old computer with individual users for everyone in the house. Then just keep all your personal files there. If you want it to be more secure (eg - somewhat protected from people who might use a rescue disk to boot into your server box), then set up an encrypted filesystem for each user using loop-aes for linux or bsd's built in vnd encryption. SSH into the second machine and unencrypt your directory every time you want to use it. There's probably some way to set up the ssh client on windows to log in automatically and run a script, so that you can be one click away from the encryption password.
If you're really paranoid, note this doesn't protect you from someone desperate to get at your stuff - they could still pull out your hard drive and add a keystroke logger or file copier, but it would protect you from a casual browser. Basically, if you think they'd be willing to use screwdrivers, then you need a better solution, like a usb drive. You could also encrypt the whole drive on the server box, which would allow at least one person to know it is secure, but since they could just as easily add malicious stuff to the windows box to spy on you, it probably isn't worth it.
This is all assuming that it's possible to make windows forget samba passwords without rebooting. It's been years since I've used windows, and I've never messed with samba, so I'm just guessing that it is.
Of course an easier solution may be a usb flash drive, or an external hard drive, which you can lock in a drawer when you're away.
That's nice, only 2000 is pretty easy to break by default. Make sure you secure it. Because last I checked, numerous public computers at the school I go to were running 2000 with an NT domain, that didn't mean shit because you had write access to most of C:, and the admin (once I told him how it works) was reluctant to change that, because some programs might need write access to their installation directory.
And there's the fact that no Windows OS was all that secure anyway, last I checked. Lots of viruses, and I saw a show on PBS where people claim they can break a SATA (as in, controls physical things) system running a Microsoft OS in under 2 mins. I wouldn't doubt that Microsoft is doing this intentionally.
Which reminds me of something I want to Ask Slashdot about...
Don't thank God, thank a doctor!