Untrustworthy Internet providers

J. Oquendo sil at politrix.org
Sun Sep 12 16:57:52 UTC 2004



On Sat, 12 Sep 2004, Sean Donelan wrote:

> The folks with the tinfoil hats are going to need extra shielding.

http://www.politrix.org/mgz/tinfoil.jpg

> If you believe your provider is untrustworthy, mail storage is a small
> part of your problems.  An untrustworthy provider doesn't need to run
> the mail server to watch the traffic to and from it.  Encryption helps a
> little, but that's true even if you used a provider's mail server.
> Encryption is difficult for most people to do well.  If you put a
> personal server in a co-lo, remember the co-lo provider potentially has
> physical access to your equipment on their premises.

In regards to having one's server in co-lo facilities, one can ensure
their server is guarded by having the machine start up with a
password. Should some provider attempt to reboot into some form of shell,
it would still take some time to break a password and get in the machine.
By the time (if the right measures were taken) your server went down, if
you had proper monitoring on the machine, you would know and hopefully you
would go on to auditing your machine. Otherwise it would take minutes to
reproduce your disk, which is threatening considering anyone, possibly a
competitor, could access some sensitive information using tools small
enough to hide under their arm.

(http://ics.forensic.e-symposium.com/computerforensics/)

This reminds me of the security at what used to be Exodus in Jersey City.
Back in 1996 I worked for one company through 1999. In '99 I went to work
elsewhere for a company with co-lo machines in the same facility. Of
course I went through the rigorous ID'ing of proving who I was, where I
worked along with all the fax information etc., and wouldn't you know it,
short of stopping to take DNA samples, Exodus staff badged me with my
previous employer's information. When the keys were handed over I responded
I no longer worked there. Go figure.

> On the other hand, if you trust your provider enough to believe it will
> conform to the law and contractual arrangements, you may make a
> rational choice to rely on the service provider to maintain a mail
> server instead of trying to maintain one yourself.  Some people hide
> their money in a mattress in their house, other people keep valuables in
> a safe deposit box at a bank.

If it's your own business, I personally feel you should take your own
steps to ensure your data is protected. No one else will do the job you
want. You might get all of the soupy sales talk, but the work will to some
degree be subpar. One of my pet peeves with my current location is they're
relying on Postini for filtering. Sure Postini does so and so filtering,
but 1) they don't even use SSL, 2) they're configured to know our users'
passwords and usernames which is horrible. I argued about doing our own
RBLs and filtering, even blocking entire subnets, but some of our loony
customers have called with even loonier comments such as "Is there a
problem on your network today? I haven't gotten my spam" (not kidding).

Being I'm just your *.Corp lackey and have become tired of rambling on, I
laugh it off when poop hits the fan with a silent "told you so."

> US law may still be developing in the area of stored electronic
> information in comparison to physical storage. US Supreme Court
> Justice Marshall said in Couch (1973) "Placing [records] in a safe
> deposit box is different from letting them remain for many years with an
> accountant."  In the electronic world how different is storing a file
> on a floppy disc in a physical safe deposit box of a bank for more
> than 180 days different than storing the same file online in an
> "electronic vault" of an Internet service provider for more than 180
> days?

If I'm not mistaken, Sarbanes-Oxley placed some really harsh standards
for providers. I started reading through some of the issues on the tech
side of that law, but am still catching up on CALEA, CHIPs, and other
fuzzy little acronym(aged) laws that sprout up like nasty weeds.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"


