While in Telecom I was auditing optical transport gear, and we adopted the practice of encrypting all of our audit reports to vendors. Of course, the chance of there being an eavesdropper (uh...other than NSA, that is) was a plank energy above zero, but it gave the vendors the imporession we really cared a lot about their intellectual property (if we determined a problem with their equipment, and if that info ever leaked, it could have a major impact on them).
That the mesages were decrypted I know for sure, and it was easy for the customers: we would verbally tell them the password for unpacking the encrypted file, and they merely typed it in a it extracted itself.
I think the encryption tool was installed directly into the file manager (or whatever it's called now), so it was easy to do.
From: Steve Furlong <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: What email encryption is actually in use? Date: Sat, 2 Nov 2002 12:41:55 -0500On Saturday 02 November 2002 12:09, Adam Shostack wrote: > An interesting tidbit in the September Information Security Bulletin > is the claim from MessageLabs that only .005% of the mail they saw in > 2002 is encrypted, up from .003% in 2000. > > ... Last month, about > 5% of my email was sent PGP encrypted, about 2% STARTTLS encrypted, > and about 25% SSH encrypted to people on the same mail server, where > POP and IMAP only function via SSH. > > I'd be interested to hear how often email content is protected by any > form of crypto, including IPsec, Starttls, ssh delivery, or PGP or > SMIME. There's probably an interesting paper in going out and > looking at this. Well, here's a datum for you: in the past four or five months, I have sent exactly no encrypted email. There are several reasons, notably that most of my email correspondents are business types who can't handle encryption even after several lessons and checklists and even when the tools are integrated into the MUA. Prior to that, the encrypted email I've sent in the past year or so has almost always failed, because of version incompatibilities, human error, changes of email address, and what-not. Or because the recipient simply isn't bothering to decrypt mail any more because it's more trouble than it's worth for the low quality of information conveyed. The only business environment I've ever worked in which successfully used encrypted email mandated specific versions of mail client (Outlook, ecch) and PGP (integrated into Outlook), had a jackbooted thug to make sure everyone's keyring was up to date, and had a fairly small (couple dozen), mostly technically proficient, user base. And even there, half the time the encrypted message wasn't sensitive enough to be worth encrypting nor important enough to be worth decrypting. I have signed a few messages in the recent past, but that was probably even less worthwhile than encrypting them. For all I know, not a single one has been verified. -- Steve Furlong Computer Condottiere Have GNU, Will Travel Vote Idiotarian --- it's easier than thinking
_________________________________________________________________
Unlimited Internet access for only $21.95/month. Try MSN! http://resourcecenter.msn.com/access/plans/2monthsfree.asp
