Sun, 11 Oct 1992 14:36:26 +0100
On Sun, 11 Oct 1992 06:33:36 EDT Elliott Parker said:
> I know it is possible, but can someone give me a rough indication of
>how much knowledge would be needed to do it?

It is very easy once you know how. You need an IQ of about 80 to
understand what needs to be done, the only difficulty (if you can call
that one) is to know which RFC you need to read to find the recipe. And
that only if you are unlucky enough not to have a mail user interface
which lets you send from the address you want simply by editing the
header or activating some obscure option.

> And is there anything I can tell the person to minimize the chances
>of it happening again?

There is nothing that can be done about it, Internet mail is insecure -
intrinsically. One is supposed to use encryption if one wants a nonzero
amount of security. There are IETF groups working on that, unfortunately
it seems that with current computer technology one can reach at most the
equivalent of 64kbps of bandwidth when encrypting messages with a modern
dedicated workstation using the selected algorithm (RSA). Of course
computers will get faster, but networks get faster as well and it is not
a given that the computers will catch up. Furthermore crypto-analysis
experts are starting to claim that RSA isn't that difficult to break
after all, so you may want not to hold your breath for too long. Even if
all technical problems are solved, the legal issues are a can of worms
outside the US/Canada trade zone. You first have to get the US to
authorize software manufacturers to export the secret RSA technology
(which newspapers claim you can buy on the black market in Russia for 5
bucks a diskette), then you have to take into account local encryption
laws in many European countries.

One may be able to trace the forgeries by examining mailer logs, but at
best this would give you a hostname. There is no way presently to
associate a userid with Internet data transfer (that is why anonymous FTP
servers ask you to tell them your userid, but you can type anything you
want of course - at best they can check the hostname).
Eric
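
Added example, not part of the original message: a sketch of the log examination mentioned above. It pairs the sender address each client claimed with the host the mail server actually saw connect. The log lines are constructed and their sendmail-style layout is an assumption, as are all function names; adapt the pattern to your own mailer.

```python
import re

# Constructed sample lines in a sendmail-style syslog layout (an assumption;
# adapt LINE_RE to the format your own mailer writes).
SAMPLE_LOG = """\
Oct 11 06:31:02 mailhub sendmail[2101]: AA02101: from=<alice@cs.example.edu>, size=912, relay=vax1.cs.example.edu [192.0.2.10]
Oct 11 06:33:36 mailhub sendmail[2107]: AA02107: from=<dean@admin.example.edu>, size=455, relay=pc17.lab.example.org [198.51.100.17]
Oct 11 06:40:11 mailhub sendmail[2113]: AA02113: from=<bob@example.edu>, size=1200, relay=gw.example.edu [192.0.2.1]
Oct 11 06:41:00 mailhub sendmail[2114]: AA02114: to=<carol@example.edu>, stat=Sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+:\s(?P<qid>\w+):\s"
    r"from=<(?P<sender>[^>]*)>.*?relay=(?P<host>\S+)\s\[(?P<ip>[^\]]+)\]"
)

def org_domain(name, labels=2):
    """Last `labels` DNS labels, lower-cased (crude: ignores suffixes like co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def trace_submissions(log_text):
    """Yield one record per accepted message: claimed sender vs. connecting host."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # delivery lines carry no relay information
        sender, host = m["sender"], m["host"]
        claimed = sender.rpartition("@")[2]
        yield {
            "qid": m["qid"], "time": m["ts"], "claimed_sender": sender,
            "relay_host": host, "relay_ip": m["ip"],
            # The sender string is whatever the client supplied; only the
            # connecting host was observed by the server. An empty sender
            # (a bounce) is not treated as a mismatch.
            "mismatch": bool(claimed) and org_domain(claimed) != org_domain(host),
        }

def suspicious(log_text):
    """Messages whose claimed sender domain differs from the connecting host's."""
    return [r for r in trace_submissions(log_text) if r["mismatch"]]

if __name__ == "__main__":
    for r in suspicious(SAMPLE_LOG):
        print(f'{r["time"]} {r["qid"]}: "{r["claimed_sender"]}" arrived from '
              f'{r["relay_host"]} [{r["relay_ip"]}]')
```

A mismatch is only a lead for review, since legitimate relays and mailing lists also produce it, and the result names a host, never a user.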