Suppose I have something complicated, like a bunch of database
files or a report from an outsourced monitoring service, that I want
to email to someone. Then I might want a self-extracting, secure
'blob'.
I think this is secure:
- pre-distribute a public key (cert, whatever) that you trust
- install decryption/sig checking software on the target machines
(I think this is necessary)
- when the blob is transmitted, send a signature (detached) and the
executable self-extracting encrypted blob
- when the blob is received, you need to check the signature (yes,
requires neural activity at receiving end. or civil software than
has a UI that helps with this...)
- AFTER you checked the signature, execute the extractor/decryptor.
Sure, people 'are stupid', but that's no execuse to not try to find a
software solution that mitigates the problem.
Sure, 'push this button to broadcast confidential data on internet' is
a problem. but business processes can be put in place to deal with this
(e.g. "if you bring in a diskette from home and insert it in a
corporate pc, please sign out when you finish your termination interview")
if that's they way you want to go. or, you can train your users. or,
you can run gateways that enforce this, or other things.
At 01:59 PM 7/21/00 -0700, David Honig wrote:
>At 02:36 PM 7/21/00 -0400, Meyer Wolfsheim wrote:
> >Nope, you are definately not the only one. I usually recommend to my
> >customers that they block all executable attachments at the mail
> >server. Problem solved.
>
>What about *compressed* .exes? (and .bat and .vbs and .doc-macros etc) I
>suppose a mail server could decompress and look for executables. Do any?
>
>No substitute for educated humans. No excuse for executable content
>in .docs.
