In defence of $KeepPrivate
(Yes, I know it's not Thursday.)

Rocky hates it when someone sends him an email with $KeepPrivate set.

Actually, so do I and, of course, as Rocky and others have pointed out numerous times, it is not a security feature and can be interpreted as a veiled insult ("I don't trust you").

What it is, according to IBM, is a "deterrent".

Complaints arise from two abuses of $KeepPrivate:
  1. People who use it when sending email to someone they have chosen not to trust - if you don't trust someone, don't send the email.

  2. People who mistakenly think $KeepPrivate is a security feature and have discovered the bug that permits its circumvention.

I contend however that correctly used, $KeepPrivate does have its uses...

Well, one use anyway. I know. I use it this way.

It is sometimes necessary to send an email to all or a large subset of all users, warning about some new security issue. This should very rarely be called upon - you should certainly not email all users just because there's a new variant of Sobig (1) circulating - but it cannot be ruled out entirely.

The most recent occasion on which we had to send a mass notification in this way was in early January this year. At that time, prior to the official WMF patch, we were quarantining all images in email and so wrote to all users telling them so and asking them to contact the helpdesk to have required images released from quarantine (2).

It was necessary in that message to give a brief explanation of why we had taken the action of blocking images and this information was generally relevant at the time but obsolete very quickly (3).

This is where $KeepPrivate comes in.

By marking messages like this with $KeepPrivate, we are not saying "we don't trust you". Nor are we deluding ourselves that $KeepPrivate is in any way a substitute for encryption. We are simply saying "we'd prefer you not to forward this (inside or outside the organisation)".

Why is this important?

Well, this is how hoaxes and chain letters get started. There are enough people out there adding to the random noise of spurious virus warnings, many of which have been circulating largely unmodified since before the turn of the century, without us making a contribution to that load. In any case, system administrators at remote sites will have implemented their own process for handling this sort of event and we don't want to pre-empt them.

Human nature being what it is, though, left to his own devices many a user will see an opportunity in one of these internal security memos to be a hero to friends and family, and before you know it your internal memo is being circulated globally and being improved through the addition of purple prose all the while ("sources inside Microsoft", "very new virus, not detected by McAfee (4)", "will destroy sector zero of your hard disk (5)"...).

Of course, if people are determined to forward this type of message they can with a little work, but in my experience the added hurdle of having to defeat $KeepPrivate is simply too much and people just don't bother.

See? It works as a deterrent. That's what it's for.


  1. Substitute name of malware du jour
  2. Very few users actually did request images from quarantine because most are useless (just company logos and the like)
  3. We also set an expiration date on these messages in the near future - we don't need to keep them indefinitely
  4. Or whichever authority the hoaxer thinks most credible
  5. And may also eat your last Rolo



Category: SnTT

Comments :

1. Scott 14/06/2006 00:02:09


For communications like this we use a simple communication tool.

We send an email with a link to the 'email' and include the form with the email but launch the first doc link on the form - so the user gets what looks like an email but in fact just opens a document in a database that is very 'in your face'. This is most often used for major announcements and of course virus warnings.

In this case they could forward the email - but this wouldn't accomplish much if sent to the internet. Works well for use where most of the user base is desk bound (not that many laptops in use).

Just another take on things (we should probably still implement the $KeepPrivate field at any rate).



