On Wed, May 12, 2010 at 5:57 AM, James Rankin <[email protected]> wrote:
> I received the email below from a public sector entity we work with, who are
> maintaining that for "security reasons" they now send out certain documents
> as encrypted .exe files ...

Ah, that crap. When possible, I've requested the sender encrypt without including the executable self-decrypt package. It's often PGP or WinZip or something, and we have all the software we need to decrypt those.

If we can't get cooperation, IT uses an isolated VM to run the executable and extract the files. The VM is reverted immediately after. Cumbersome, but in this day and age, we're not going to run random executables received via email.

> ... sending the password for the encrypted executable to our users via a
> plain-text, unencrypted email ...

We get that all the time. Often in the same message. Talk about unclear on the concept.

I'm pretty sure this is driven by people issuing requirements like "thou shalt use encryption" without actually knowing or caring about what's involved. Because, of course, all you have to do to "make something secure" is sprinkle a little encryption on it.

This message was encrypted with double-ROT13, so it's secure.

-- Ben
