[vox-tech] Email vs. FAX Security

Karsten M. Self kmself at ix.netcom.com
Thu Feb 10 18:55:57 PST 2005 

on Wed, Feb 02, 2005 at 10:20:14AM -0800, Robert G. Scofield (rscofield at afes.com) wrote:
> I think I know the answer to this, but I want to make sure.  I believe
> that it is more secure to FAX a document than it is to email a
> document or message, right?  This assumes that one does not use email
> encryption.

As stated:  it depends.

Some businesses (businesses, law offices) prefer faxes because the
documents can be shredded.

If you're sending to a print-on-receipt FAX machine, the main hope for
interception is while the message is live on the wire.  That said, US
intelligence services are thought to tap into the global telecoms
networks, particularly long-distance satellite and fiber links, with the
capacity to store (if not meaningfully process) the intercepts.  This is
one reason for other nations to take an interest in developing
independent coms nets.
 
> I realize that someone can tap a phone line, and that would enable a
> person to intercept a FAX.  But at least a FAX does not sit on a
> server waiting to be downloaded, 

Bad assumption.

If you _don't_ know what the remote fax system does, you're rather more
vulnerable.  More systems are now "store, print on demane", which means
your FAX sits on a disk somewhere until recalled.  And may continue to
do so.  Other systems use electronic delivery:  your recipient gets a
TIFF of your document, not the actual document itself.

Once data are in binary format, they can of course be readily
disseminated, though w/o OCR, the resulting files are large and somewhat
unweildy, and OCR is notoriously inexact, particularly on poorer-quality
faxes.

> like an email message does.  It would
> seem easy for an ISP's system administrator to use the root password
> to read the email of the ISP's customers. ( I know I can log in as
> root on my Linux system and use the "more" command to read my
> downloaded email.)  

Or your boss.  Or cow-orkers.  Or an unfriendly war driver.  Or the
person who buys the PC at an electronics recycling event, finding an
unwiped HD.

Note too that your greatest risks are generally _not_ transmit-time
intercepts, but unauthorized access from storage (or binnage).  Hard
drives, remaindered hardware, dumpster diving.

> Does anybody here believe that ISP system administrator's ever do such
> a thing?

Routinely.  Usually as a method of testing systems.  Most administrators
are probably not security threats, and respect customer confidentiality.
Some don't.

Most helpful is knowing who you're dealing with, what their security
precautions are, and establishing your own expectations.

For a low cost, "security" envelopes with a scotch-taped flap are among
the better ways of transmitting documents in a tamper-resistant form,
with reasonable expectations of privacy.

Otherwise, I think if you Google for "gpg rant" you might find something
worth reading.

...and after that, look at Steve Bellovin's "Can Someone Read My
E-Mail?"

    http://www1.cs.columbia.edu/~smb/securemail.html


Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Free Software Primer -- concepts you need to understand
    http://twiki.iwethey.org/Main/FreeSoftwarePrimer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://ns1.livepenguin.com/pipermail/vox-tech/attachments/20050210/72b6cb41/attachment.bin

More information about the vox-tech mailing list