How the cypherpunks nearly got me fired (long)
This is a true story. Yesterday, I found out that the mail at the company I work for is being read by SAs on a regular basis. The company is so ignorant about the net, so stingy, and so paranoid, that they're terrified by the possibilities of our internet access (which is crippled: email only, with a misconfigured sendmail, no less; no ftp or telnet; no Usenet). People receiving email from outside could be receiving JPEGs or sound files--all non-business-related, and therefore wasteful of company resources and valuable employee time. This in a biggish and very profitable Wall Street firm. These people are serious dinosaurs.

So they installed a pathetic scanning program. Since the evil filetypes are "usually uuencoded," their scanner greps all incoming mail for "^begin"--no kidding--and stops the message right there if it's found. I found this out yesterday when my boss got a call from an SA: turns out he'd been mailed a PostScript file from a vendor (some documentation we were waiting for), and a "begin" statement in the file triggered the alarm. After my boss assured him that it was just a user's manual, the SA let it through.

Today, I was sitting in my boss's office in a routine meeting when _his_ boss (let's call him Larry) came by. He said that _his_ boss (this is now my boss's boss's boss--let's call her Mary) wanted to talk to me. I had no clue what she wanted, and neither did my direct boss, which seemed particularly strange. One thought that crossed my mind was that they were going to give me a promotion, which I deserve and which it had been obliquely suggested I might be getting soon. Ha.

I walked with Larry over to our other building, four blocks away. We went up to Mary's office, and there she was, sitting with another woman I'd never met. The latter was introduced to me as--oh, let's call her "Paula." There was a printout on the table. Glancing at it out of the corner of my eye, I noticed that it was a piece of email and got a chill. Had they intercepted email from me to a friend telling him how much the company I work for sucks (which, ironically, I'd done just yesterday when I found out about the mail-scanning)? Would these three execs actually call me on this and ask me to explain it? I was very nervous, even though they had a piece of MY PRIVATE CORRESPONDENCE in their hands.

Paula started off by explaining to me that they'd just installed this nifty scanning program to catch illicit or potentially dangerous software coming in from the outside. Here was a piece of email, sent to me, containing a uuencoded binary file inside of it (actually, it was just C source code, as the header plainly stated). From the comments at the front of the message, it was clear that this was a piece of software intended to circumvent firewalls, breach network security, and intentionally mask the identity of the culprit. (I'm more or less quoting from memory here; I only got to glance at the comments, so I don't know exactly what the code does; it was posted by Matt Ghio a day or two ago). Why was I having a program like this mailed to me?

I explained that it was sent to a mailing list that I subscribe to. The mailing list is concerned with encryption and data security. This is just something that someone on the list happened to post. I have no control over what people post to the list. I read and save what's of interest to me on the list and trash the rest, like everyone else does.

Why did I have this message forwarded from my private account to my work account? she wanted to know. Because I have all my mail from that particular ("techie") list forwarded to my work account, the same way that I keep all my other technical documentation at work--my Perl manual, my Unix manuals, etc.

She actually pointed out that she saw the word "cyberpunk" on the message (that's right, she can't even read), and this also caused her concern. (I would have been interested in hearing her explanation for that.)

She started huffing and puffing about how this all made her very very worried. If there's no way to control this kind of thing, she'll just have to turn everyone's internet access off (or just mine). I said, "Look, I'll turn off the forwarding when I get home tonight and not have any of this stuff forwarded to me here any more." She said, "Yes, naturally."

The discussion ended with her asking ME what they can do to assuage their fears and prevent evil programs like this from being sent to employees of the company. I said that there wasn't much they could do; this stuff is freely available, and if it isn't emailed in, people can still bring it in on floppy discs. It also could be mailed un-uuencoded (why was it uuencoded anyway?)--and then what would they do, scan everyone's mail for '{'?

What I didn't feel like saying at that particular place and time was that people could just as easily bring sledgehammers in, or trash databases using their legitimate access. Unfortunately, the company has just got to trust its employees. I didn't actually say any of that because I just wanted to get out of there. I was getting bad flashbacks of being sent to the principal's office in third grade.

My internet access at work is probably history; maybe everyone else's, too. (Our access is so crippled that there are probably only four people who even get mail from the outside; and as I said, there's no news or ftp/telnet access. I use it for nothing more than reading cypherpunks, actually. The system is so badly maintained that I'd never trust it for personal email.) I now have to start receiving and reading cypherpunk mail at home, which presents a problem because my personal time is very limited, whereas at work mail trickles in during the course of the day and is easily managed. This may mean I have to unsubscribe soon, after two and a half years (almost since day one of the list).

I love Big Brother.

P.S.: I've tried to avoid injecting my personal politics into this story. Yes, I know that as the owner of the connection, they've got the right to do whatever they want (and this seems to be borne out by the ECPA documents, which at a friend's suggestion I read as soon as I got home--too bad, because I'd have seriously considered legal action). I just thought you might enjoy this little story, and would want to keep it in mind if you're ever considering employment at Bear-Stearns.

--Dave.

--
Dave Mandl
dmandl@panix.com