INTERNET INFO FOR REAL PEOPLE: E-mail Security
By Bob Brand
If you want to learn about secure e-mail, don't ask Monica Lewinsky. When it
comes to privacy on the Internet, the e-mail Monica sent to Linda Tripp was
not private.
While there have been rants and raves by the Civil Liberties Union and other
defenders of privacy, it is recognized that any e-mail sent from your
workplace is considered to be proprietary and owned by the company or
organization. It is not unusual for corporate IS (Information Systems)
personnel to drop into e-mail boxes of employees in an attempt to find
material not related to company business. While some companies have written
policies about this, many do not. If messages were created on company
hardware, the company owns the contents. The sharp decline in data storage
costs allows companies to store information a long time. All responsible data
processing departments back up data (including e-mail messages) to tape
storage and store these tapes in a secure area. This means that e-mail sent on
the company computer could be around for a long time.
E-mail From Home
When sending e-mail from home, the message travels first to your ISP (Internet
Service Provider). Then it lands briefly at intermediate points (routers)
before reaching the e-mail-box destination. Anywhere along the way, a copy of
the message can be made and viewed. Since most of our e-mail is usually not of
a private nature, we may not care who reads the message. With the vast amount
of e-mail traveling through cyber-space, someone would have to be intent on
viewing your transmissions in order to trap the messages.
Should the FBI come into your home and grab your computer in an attempt to
find incriminating e-mail evidence, can they find messages deleted from the
mailbox? Maybe.
When messages (or files) are deleted from a hard disk, almost all of the
information stays on the disk. The operating system (Windows 3.1 or Windows
95) only changes the entry in the disk directory informing the system that the
"deleted" space is available for a fresh message or file. Often, that space is
not over-written because when new messages arrive, the computer is instructed
to find other areas where the data should be stored. This means that the FBI
can recover the messages on the disk if they were not over-written. Frankly,
this is easy to do with a commercial software tool like Norton Utilities.
However, once a defragmentation has been performed on your disk, the deleted
messages are unlikely to be recovered. My guess: Monica Lewinsky does not know
how to "defrag" a hard disk.
How Safe Is Encryption?
Fully clad PGP encryption (using a 2048 bit key) is uncrackable. This means
had Monica used PGP software and encrypted the messages with Linda Tripp's
public key (if she has one), anyone intercepting any encrypted messages would
not be able to unscramble them into a readable form. The situation changes if
someone has access to the computer that generated the encrypted messages.
Had Monica been using PGP when the FBI seized her PC, messages could be
unscrambled by guessing her pass-phrase. The pass-phrase is used by the PGP
software to create the private key (used in combination with the recipient's
public key) that encrypts each message. People who use PGP are encouraged to
have complex, hard to guess pass-phrases. (Examples: "This is the time for all
good men," or "mary had a little lamb its fleece.")
The Ultimate in Security
For the totally paranoid, the only absolutely secure way to send one secure
message is to destroy your computer after sending the PGP encrypted message,
followed by a visit to a hypnotist who will erase the pass-phrase from your
memory. That gets expensive in a hurry.
However, you can also buy software to do the job for $50 to $100. They carry
names like Shredder, Norton Utilities, Nuts & Bolts, BC Wipe, and others.
These programs will delete files from a hard disk so that even the FBI, CIA,
KGB, or Mossad cannot recover the information.
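
The difference between an ordinary delete and a wiping tool, as described above, shown as an added example that is not part of the original column. The ToyDisk class and its allocator, which always prefers never-used space, are a simplified model constructed for illustration and not a real file system.

```python
# Toy model (constructed for illustration): the "disk" is a byte array and the
# directory is a list of entries pointing into it. Not a real file system.
class ToyDisk:
    def __init__(self, size=256):
        self.data = bytearray(size)   # raw storage
        self.directory = []           # entries: name, start, length, deleted
        self.next_free = 0            # assumption: allocator prefers unused space

    def write(self, name, content):
        start = self.next_free
        if start + len(content) > len(self.data):
            raise OSError("toy disk full")
        self.data[start:start + len(content)] = content
        self.next_free = start + len(content)
        self.directory.append(
            {"name": name, "start": start, "length": len(content), "deleted": False})

    def _entry(self, name):
        for e in self.directory:
            if e["name"] == name and not e["deleted"]:
                return e
        raise KeyError(name)

    def delete(self, name):
        # Ordinary delete: only the directory entry changes, the bytes stay.
        self._entry(name)["deleted"] = True

    def wipe(self, name):
        # Wiping tool: overwrite the content first, then mark the entry deleted.
        e = self._entry(name)
        self.data[e["start"]:e["start"] + e["length"]] = bytes(e["length"])
        e["deleted"] = True

    def listing(self):
        return [e["name"] for e in self.directory if not e["deleted"]]

    def recover_deleted(self):
        # Recovery utility: read the bytes that deleted entries still point to.
        return {e["name"]: bytes(self.data[e["start"]:e["start"] + e["length"]])
                for e in self.directory if e["deleted"]}

def demo():
    disk = ToyDisk()
    disk.write("msg1.txt", b"meet me at noon")
    disk.write("msg2.txt", b"burn after reading")
    disk.delete("msg1.txt")              # ordinary delete
    disk.wipe("msg2.txt")                # overwrite, then delete
    disk.write("msg3.txt", b"new mail")  # lands in fresh space, not over msg1
    return disk.listing(), disk.recover_deleted()
```

After demo() runs, neither deleted message appears in the listing, yet the ordinarily deleted one is read back intact while the wiped one comes back as zero bytes.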
URLs (Uniform Resource Locators) of interest:
http://www.symantec.com/ (Norton Utilities)
http://www.stratfor.com (Shredder software)
http://www.helixsoftware.com/ (Nuts & Bolts)
http://www.jetico.sci.fi/ (BC Wipe)
(This is the 97th of a series of elementary articles designed for surfing the
Internet. Next, "Real Talk" is the subject on tap. Stay tuned. Until next
week, happy travels through cyberspace. Previous issues of Internet Info for
Real People (including links to sites mentioned in this article) can be found
at http://www.thebee.com. Please e-mail comments and suggestions to:
rbrand@JUNO.com or editor@thebee.com.)
