[My apologies for the delay in my response, but circumstances prevented my from giving this a proper reply until now.]
On 1/24/06, Fred <[EMAIL PROTECTED]> wrote: >> I've been told all sorts of things by all manner of sales reps over >> the years. I'm sure you have, too. Then when push comes to shove, >> they say, "I'm sorry, sir, the representative you were speaking to was >> mistaken." Verbal assurances are not worth the paper they're written >> on. > > I know. As I said, I don't trust them, but I'm willing to give then another > chance for now. You will find no end of people on this list (or off it) willing to testify that a verbal promise from Verizon is worthless. I admit to being mystified as to why you'll encrypt your email to keep "Them" from spying on it, but think vague reassurances from a corporate salesdroid on an actual deliverable service are worth anything at all. >> You repeatedly state your Internet feed is of a critical nature. If >> you really mean that, I suggest obtaining a written SLA (Service Level >> Agreement) guaranteeing what you need. I'd be willing to bet Verizon >> will refuse to provide such. > > Interesting idea, and you are probably correct. However, let me see. That was more rhetorical then a serious suggested course of action. The primary difference between a "consumer" feed and a "business" feed -- aside from price, of course -- is the SLA. Check the fine print. Consumer feeds are basically "best effort". If it stops working, or doesn't work the way you want it to, the provider will try to fix it, but isn't making any promises. If they don't like what you're doing, they'll cut the feed and won't look back. When you buy a business feed for orders of magnitude more money, you're mainly buying a written contract that spells out acceptable usage on your part, and acceptable performance on the provider's part. The SLA will state things like uptime, packet loss, and round-trip-time, and provide legal penalties against the provider if they fail to deliver. That's the big difference, and one that a lot of people fail to appreciate, until their $50/month consumer feed stops working and they can't do anything about it. Again, this normally doesn't matter much, but you have repeatedly emphasized the critical nature of your Internet connection, and specified that you want a reliable connection with a fairly liberal AUP. Did you really mean that, or was that just idle talk? >> More then likely, after they discovered an open listener for a >> well-known service they explicitly forbid. ISPs run sniffers all the >> time. This should not be a surprise. > > That they do sniffing does not surprise me. That they singled me out in > particular, especially since I had that port open for *years* does. You say they singled you out in particular. Do you have any evidence for that statement, or are you just assuming that since your phone is the one that rang, they must be persecuting you in particular? It's rather more likely they finally (after being asleep at the wheel for years) got around to checking to see who is doing what, and found a few people whose usage pattern didn't fit the norm (i.e., downloading email, porn, and music via HTTP, POP3, and/or the Napster-clone-of-the-month). Since your usage pattern was one of those, they investigated, and found you violating their ToS. I know others who have been ToS'ed from Comcast; you're hardly unique in that. Getting away with a violation for years doesn't mean it isn't a violation. >>> Besides I can download them with >>> BitTorrent if I must. >> >> Given the current legal climate with the media cartel suing everyone >> they can find, you might want to think twice before posting about >> downloading pirated content in a public forum such as this one. > > Of course, I did not say it was illegal. For all you know I might be > talking about something on NPR or the like. The statement about using BitTorrent was immediately preceded with commentary on cable television. It's reasonable to assume that "then" was referring to what you were talking about, not random other things. Remember: Defending yourself to the list's regular readership isn't needed; it's the MPAA (which is engaged in a public, well-documented campaign to target such activity) legal hounds you have to worry about. Sure, they would lack hard evidence, but they can afford more and better lawyers then you. On 1/24/06, Fred <[EMAIL PROTECTED]> wrote: [regarding encrypting the path to your SMTP relay] > What I am really concerned about is some "ganster agency" using a blanket > sniffing technology like "Carn1v0re", for instance, to do a broad sweep of > packet gathering so they can sift through it later. That's what confuses me. You're not protecting against that. Encryption is not a silver bullet. You have to break it down into threat/countermeasure analysis. For this discussion, the proposed countermeasure is "encrypt the path to my SMTP relay". It is assumed that things will be cleartext from there. Threat: Arbitrary parties monitor email communications. Analysis: Arbitrary parties continue to monitor from points past that first hop; no gain. Threat: General, untargeted government surveillance. Analysis: If the TLAs have their hooks in ISPs all over the country, one must assume that includes the ISPs of your server in California as well. No gain. Threat: Specific survalance targeted at you (be it by government, big business, space aliens, whatever). Analysis: Any such surveillance would quickly discover that your server in California is your effective entry point, and focus their surveillance there. This might actually make their job easier, since that server is a fixed point, and your Comcast/Verizon/whatever feed is likely to by dynamic. So, at best, no gain; possible loss. Threat: Surveillance (targeted or wide) of arbitrary party you are communicating with. Analysis: Connections to their MX from your server are in the clear; no gain. Threat: Local ISP is monitoring your email. Analysis: By using an SMTP relay located outside of their network, and encrypting the relay to that point, you prevent this monitoring. Successful countermeasure. Hooray. However, you state this is not what you're concerned with. Threat: Arbitrary surveillance. Countermeasure: All parties (you and your associates) use your private server as a communications hub, and encrypt all channels to it. Analysis: Prevents surveillance via communications links. However, your server then becomes a high-value target. Further analysis would require more specific information. Theat: Arbitrary surveillance. Countermeasure: Encrypt channel to your server, and use anonymizing techniques on your server. Analysis: Unless you have a large number of people conducting unrelated activities using the same anonymizing techniques on your server, your server still acts as a unique identifier Arguably, more so, since you've authenticated your connection to it. I think that covers most or all of the possibilities. I really only see one threat (local ISP targeting you in particular) you're defending against. Certainly not Carnivore or Echelon or any other effective, wide-area surveillance program. >> If securing email is the goal, then the email message should be >> encrypted at the start, and decrypted by a trusted recipient at the >> end. > > Yes, and the big problem with that is the technical knowledge currently > required to handle to encryption technology like, say GPG. Outside of us > geeks, it's simply beyond the average person. You're absolutely correct. However, the reasonable conclusion is, "email is not suitable for communications which must remain confidential", not "throwing random SSL at the problem is almost as good a solution". > I have certain things in mind I want to protect against, to reduce the > probably of, to make more difficult than just running ethereal at the local > ISP. If it clears out 90% of the threat, I'm happy for now. See threat/countermeasure analysis above. I don't see any reasonable 90% of anything. -- Ben _______________________________________________ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
