Re: Encryption of .TBB Mailboxes?

2000-11-13 Thread Januk Aggarwal 

Hello Alexander,

On  Mon, 13 Nov 2000  at  15:41:42 GMT +0100 (which was 6:41 AM
where I live) witnesses say Alexander Turcic typed:

> So you are saying that only people who have in general sensitive data
> on their computer would appreciate a feature to encrypt their mails.

This was discussed in much detail many moons ago.  The general
consensus was that since there are so many different encryption needs,
it would be better for TB to stay out of the fray.  As someone else
pointed out, if something goes wrong with your TB installation, there
is a good chance that you'll lose all of your encrypted mail.  At
least with external solutions, the user has to assess that risk
themselves.

> See, I don't care if my roommate reads the paper I wrote on H.D.
> Thoreau, but I DO care if he reads in my mail how much my girlfriend
> misses me. And I DO care if he reads a lot of other things in my mail.
> Fact is that my mail contains the most private aspects of my life,
> more than anything else on my hard drive.

Ok, that might be true right now, but what if one of your contacts
sends you a very personal Word document or some other thing which you
might not want your roommate to read?  External solutions can provide
as much flexibility as you desire.

> And here another important point: Currently The Bat offers a feature to
> "lock" (is that the best-fitting word?) your mail account, so that
> without a password another user cannot "unfold" it inside The Bat.
> Excuse me, that is just exactly what Microsoft does for years:

This is what I was saying at the beginning.  Windows 9x passwords are
meaningless because you can hit the cancel button to get into the
root account.  TB is no better or worse.

> sell software that APPEARS to be secure. If there is really no
> desire for mail encryption, then why offer this pretence of
> protection?

I agree, TB should really warn the user that the password option
is not secure.  I think the password remains important if you use the
Group mode capabilities of TB.  It prevents accidental or casual
intrusion into your mail.  However, you seem to need more than just
casual protection.

> AND: Unlike you assert it, it is neither impractical nor inefficient
> for The Bat to encrypt the mail files.



Sounds good, but what happens if a mail database gets corrupted.  How
does the user recover their data?  The current mechanism gets the RIT
guys off the hook for such tasks.  Are there 3rd party recovery tools
that can help fix problems with this encryption scheme?

I think the other reason we're touting the 3rd party option is that
everyone seems to have their favourite encryption schemes.

But you said the one you mentioned is very easy to implement.  Are there
any public domain general purpose file encryption programs that use
the encryption scheme you mentioned?

> Thanks, I feel better now :)

I hope we're not scaring you off.  I am presenting some of the points
from earlier discussions on this same topic.  Also, remember that the
decision was to remove *weak* encryption.

Your option of adding stronger encryption isn't exactly the same.
Also the RITlabs guys seem to be moving towards security issues with
the focus on S/MIME.  So, perhaps your suggestion will fit into their
current vision.


-- 
Thanks for writing,
 Januk Aggarwal
 See header for e-mail address

 Using The Bat! 1.48 Beta/6
 under Windows 98 4.10 Build   A 

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re[2]: Encryption of .TBB Mailboxes?

2000-11-13 Thread Alexander Turcic 

Hello Ming-Li,

Monday, November 13, 2000, 3:06:31 PM, you wrote:

ML> IMHO it's quite appropriate to leave this to third-party solutions.
ML> Typically users who are in need of encrypting their mail files have
ML> the same need for other documents or data files they have. It's
ML> neither practical nor efficient for every application to provide
ML> built-in encryption solutions.

So you are saying that only people who have in general sensitive data
on their computer would appreciate a feature to encrypt their mails.
See, I don't care if my roommate reads the paper I wrote on H.D.
Thoreau, but I DO care if he reads in my mail how much my girlfriend
misses me. And I DO care if he reads a lot of other things in my mail.
Fact is that my mail contains the most private aspects of my life,
more than anything else on my hard drive.
And here another important point: Currently The Bat offers a feature to
"lock" (is that the best-fitting word?) your mail account, so that
without a password another user cannot "unfold" it inside The Bat.
Excuse me, that is just exactly what Microsoft does for years: sell
software that APPEARS to be secure. If there is really no desire for
mail encryption, then why offer this pretence of protection?
AND: Unlike you assert it, it is neither impractical nor inefficient
for The Bat to encrypt the mail files. There is an option to "lock"
the mail folder, as mentioned above, right? For this the user enters a
password, right? So in respect to implementing the encryption all one
has to do is
a) Hash the user-password e.g. with SHA-2 to 256bit
b) Use the hash as the key to encrypt the mail files with a secure
cipher such as Rijndael (the AES winner) or Serpent.

This can be done in less than 20 code lines! And the code for this is
public domain. And the user has no extra burden, it is completely
transparent. For people who may object that there is some kind of
export regulation in some countries, you can always choose a less
strong cipher (e.g. decrease the keyspace to 128bit).

ML> Well, ask around and you'll find most people think their wishes
ML> "should go fairly quick". :)

True, I acknowledge that, and therefore, if necessary, I can offer a
sample code written in Delphi (the language of The Bat).

ML> So I'm not really against your wish.)

Thanks, I feel better now :)

Greets,

 Alexandermailto:[EMAIL PROTECTED]



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: Encryption of .TBB Mailboxes?

2000-11-13 Thread Ming-Li 

On Sunday, November 12, 2000, 10:28:53 PM, Alexander wrote:

JA>> It is now up to the user to get a 3rd party program to encrypt
JA>> their data.

> Well, I don't think that this is the appropriate solution. [...] I
> find it a bit drastic to install something like PGPDisk (with all
> its drivers) just to encrypt a few mail files.

IMHO it's quite appropriate to leave this to third-party solutions.
Typically users who are in need of encrypting their mail files have
the same need for other documents or data files they have. It's
neither practical nor efficient for every application to provide
built-in encryption solutions.

> So please, makers of TB, I know you have a lot on the users' wish
> list, but implementing encryption of the mail files should go
> fairly quick.

Well, ask around and you'll find most people think their wishes
"should go fairly quick". :)

(While I think this is better left to third-party solutions, I
certainly don't mind should RIT decide to take it upon themselves.
So I'm not really against your wish.)

-- 
Best regards,
Ming-Li

The Bat! 1.48 Beta/6 | Win2k SP1

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re[2]: Encryption of .TBB Mailboxes?

2000-11-12 Thread Alexander Turcic 

Hello Januk,

Sunday, November 12, 2000, 10:59:40 PM, you wrote:

JA> No.  TB used to use some encryption, but that was very weak, so they
JA> removed all encryption.  It is now up to the user to get a 3rd party
JA> program to encrypt their data.  Some other members have said that
JA> PGPDisk works well for them.  I have not used it myself.

Well, I don't think that this is the appropriate solution. I am myself
a cryptology freak and it is more than easy to implement a secure
block cipher in CBC mode like Rijndael or Serpent. Dr. Brian Gladman
published optimized implementation sources as public domain on his
page
(www.http://www.btinternet.com/~brian.gladman/cryptography_technology/)
I find it a bit drastic to install something like PGPDisk (with all
its drivers) just to encrypt a few mail files.

JA> That's exactly right.  It is not meant to be any more secure than the
JA> Windows password you enter on Win9x.  It is very easy to work around.
JA> The password is only meant to keep casual peepers away, such as
JA> coworkers while you're on a coffee break.

Uhm, sorry I have to disagree. It is true that you can break the Win9x
password with relatively little effort, but only because MS did a bad
job in implementing a good (RC4) cipher. .pwl files where well suited
for a known-plaintext attack as the 20 first bytes are completely
predictable. RC4 is a stream cipher, it generates a long pseudo random
stream that it uses to XOR the data byte by byte. This isn't
necessarily weak encryption if you don't use the same stream twice:
however Win9x does, every resource is XORed with the same pseudo
random stream. What's more the 20 first bytes is easy to guess.

JA> moderator nag sent by Marck D. Pearlstone on November 10, 2000?  It
JA> isn't in the archives yet, but I can send you a copy off list if you
JA> like.

well sorry, next time I got that right :)

So please, makers of TB, I know you have a lot on the users' wish
list, but implementing encryption of the mail files should go fairly
quick.

-- 
Best regards,
 Alexandermailto:[EMAIL PROTECTED]



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: Encryption of .TBB Mailboxes?

2000-11-12 Thread Mark Aston 

Hi Alexander,

Sunday, November 12, 2000, 4:24:59 PM, you wrote:

AT> I am curious if there is an option (planned?) in TB that encrypts the
AT> mailbox files.
AT> The password feature to secure access to a mailbox is well meant, but
AT> it is more or less useless if anyone with access to the .tbb files can
AT> read those using any ASCII editor.

Better to stick to plain text Unix style mail boxes, at least if
things go wrong you have a reasonable chance of recovering your mail,
if an encrypted M$ style mail box gets corrupted you lose the lot.

If someone has access to your PC there is no *real* security with any
system.

-- 

Mark Aston   mailto:[EMAIL PROTECTED]


http://www.gunfleet.com
http://www.gunfleet.com/LinuxGuide



Using The Bat! 1.48 Beta/6
Under Windows NT 5 0 Service Pack 1 2195

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: Encryption of .TBB Mailboxes?

2000-11-12 Thread Manfred Ell 

On 12-11-2000 at 23:24:22GMT +0100 (which was 22:24 where I live)
Karin Spaink wrote regarding the subject of " Encryption of .TBB Mailboxes? "

> On 12-11-2000 at 22:59, Januk Aggarwal kindly wrote:
>> Alexander Turcic typed:

>>> I am curious if there is an option (planned?) in TB that encrypts the
>>> mailbox files.

>> No.  TB used to use some encryption, but that was very weak, so they
>> removed all encryption.  It is now up to the user to get a 3rd party
>> program to encrypt their data.  Some other members have said that
>> PGPDisk works well for them.  I have not used it myself.

> I use PGP disk and it works excellently. Previously, I used
> Securedisk; that also worked fine (but can't co-operate with
> WinNT, and is restricted to 0,5 GB. Version 1.4d can
> supposedly manage 2 GB, but I haven't tried it.)



> - K -


Hello Karin,

I can heartily recommend BestCrypt. It works perfectly in Win95/98/NT/2000
and Linux.

http://www.jetico.sci.fi/



Regards

-- 
Manfred Ell

using TheBat 1.48 Beta/6 on Windows 5.0 Build 2195 Service Pack 1, RC 1.1

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   <mailto:[EMAIL PROTECTED]>
To Unsubscribe from TBUDL, double click here and send the message:
   <mailto:[EMAIL PROTECTED]>
--

You are subscribed as : archive@jab.org

Re: Encryption of .TBB Mailboxes?

2000-11-12 Thread Karin Spaink 

On 12-11-2000 at 22:59, Januk Aggarwal kindly wrote:
> Alexander Turcic typed:

>> I am curious if there is an option (planned?) in TB that encrypts the
>> mailbox files.

> No.  TB used to use some encryption, but that was very weak, so they
> removed all encryption.  It is now up to the user to get a 3rd party
> program to encrypt their data.  Some other members have said that
> PGPDisk works well for them.  I have not used it myself.

I use PGP disk and it works excellently. Previously, I used
Securedisk; that also worked fine (but can't co-operate with
WinNT, and is restricted to 0,5 GB. Version 1.4d can
supposedly manage 2 GB, but I haven't tried it.)



- K -

-- 

"The feeling you had when you first played these old 
computer games as a ten year old down in the basement during 
the summer, back in the days that you knew it all and while 
your friends were hanging around at the pool you'd be saving 
the galaxy!"   - Menso on HfH, 1999-10-16 
"Oh, eh, thanks for saving the galaxy, by the way. You did a 
great job, Menso."   - Marcel on HfH, 1999-10-16



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: Encryption of .TBB Mailboxes?

2000-11-12 Thread Januk Aggarwal 

Hello Alexander,

On  Sun, 12 Nov 2000  at  17:24:59 GMT +0100 (which was 8:24 AM
where I live) witnesses say Alexander Turcic typed:

> I am curious if there is an option (planned?) in TB that encrypts the
> mailbox files.

No.  TB used to use some encryption, but that was very weak, so they
removed all encryption.  It is now up to the user to get a 3rd party
program to encrypt their data.  Some other members have said that
PGPDisk works well for them.  I have not used it myself.

> The password feature to secure access to a mailbox is well meant, but
> it is more or less useless if anyone with access to the .tbb files can
> read those using any ASCII editor.

That's exactly right.  It is not meant to be any more secure than the
Windows password you enter on Win9x.  It is very easy to work around.
The password is only meant to keep casual peepers away, such as
coworkers while you're on a coffee break.

BTW, on another note, as one list member to another, have you read the
moderator nag sent by Marck D. Pearlstone on November 10, 2000?  It
isn't in the archives yet, but I can send you a copy off list if you
like.



-- 
Thanks for writing,
 Januk Aggarwal
 See header for e-mail address

 Using The Bat! 1.48 Beta/4
 under Windows 98 4.10 Build   A 

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: Encryption of .TBB Mailboxes?

2000-11-12 Thread Alexander Levenetz 

Hi,


> I am curious if there is an option (planned?) in TB that encrypts the
> mailbox files.

Good question, I would be interested in that myself.

And my additional question is if there is/will be a way to encrypt
(only) folders in an account (instead or even in addition of the
account)?

Thanks,

Alexander

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Encryption of .TBB Mailboxes?

2000-11-12 Thread Alexander Turcic 

Hi,
I am curious if there is an option (planned?) in TB that encrypts the
mailbox files.
The password feature to secure access to a mailbox is well meant, but
it is more or less useless if anyone with access to the .tbb files can
read those using any ASCII editor.

--
Best regards,
 Alexandermailto:[EMAIL PROTECTED]



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org