1995-02-01 - How the cypherpunks nearly got me fired (long)

Header Data

From: dmandl@panix.com (David Mandl)
To: cypherpunks@toad.com
Message Hash: 08cc12e55d41efbf359fc9352b890387d97fabe5f1dd6a11c6a5a8a291ff81ea
Message ID: <v01510101ab54c32859a7@[166.84.250.21]>
Reply To: N/A
UTC Datetime: 1995-02-01 06:10:16 UTC
Raw Date: Tue, 31 Jan 95 22:10:16 PST

Raw message

From: dmandl@panix.com (David Mandl)
Date: Tue, 31 Jan 95 22:10:16 PST
To: cypherpunks@toad.com
Subject: How the cypherpunks nearly got me fired (long)
Message-ID: <v01510101ab54c32859a7@[166.84.250.21]>
MIME-Version: 1.0
Content-Type: text/plain


This is a true story.

Yesterday, I found out that the mail at the company I work for is being
read by SAs on a regular basis.  The company is so ignorant about the net,
so stingy, and so paranoid, that they're terrified by the possibilities of
our internet access (which is crippled: email only, with a misconfigured
sendmail, no less; no ftp or telnet; no Usenet).  People receiving email
from outside could be receiving JPEGs or sound files--all
non-business-related, and therefore wasteful of company resources and
valuable employee time.  This in a biggish and very profitable Wall Street
firm.  These people are serious dinosaurs.

So they installed a pathetic scanning program.  Since the evil filetypes
are "usually uuencoded," their scanner greps all incoming mail for
"^begin"--no kidding--and stops the message right there if it's found.  I
found this out yesterday when my boss got a call from an SA: turns out he'd
been mailed a PostScript file from a vendor (some documentation we were
waiting for), and a "begin" statement in the file triggered the alarm.
After my boss assured him that it was just a user's manual, the SA let it
through.

Today, I was sitting in my boss's office in a routine meeting when _his_
boss (let's call him Larry) came by.  He said that _his_ boss (this is now
my boss's boss's boss--let's call her Mary) wanted to talk to me.  I had no
clue what she wanted, and neither did my direct boss, which seemed
particularly strange.  One thought that crossed my mind was that they were
going to give me a promotion, which I deserve and which it had been
obliquely suggested I might be getting soon.  Ha.

I walked with Larry over to our other building, four blocks away.  We went
up to Mary's office, and there she was, sitting with another woman I'd
never met.  The latter was introduced to me as--oh, let's call her "Paula."
There was a printout on the table.  Glancing at it out of the corner of my
eye, I noticed that it was a piece of email and got a chill.  Had they
intercepted email from me to a friend telling him how much the company I
work for sucks (which, ironically, I'd done just yesterday when I found out
about the mail-scanning)?  Would these three execs actually call me on this
and ask me to explain it?  I was very nervous, even though they had a piece
of MY PRIVATE CORRESPONDENCE in their hands.

Paula started off by explaining to me that they'd just installed this nifty
scanning program to catch illicit or potentially dangerous software coming
in from the outside.  Here was a piece of email, sent to me, containing a
uuencoded binary file inside of it (actually, it was just C source code, as
the header plainly stated).  From the comments at the front of the message,
it was clear that this was a piece of software intended to circumvent
firewalls, breach network security, and intentionally mask the identity of
the culprit.  (I'm more or less quoting from memory here; I only got to
glance at the comments, so I don't know exactly what the code does; it was
posted by Matt Ghio a day or two ago).  Why was I having a program like
this mailed to me?

I explained that it was sent to a mailing list that I subscribe to.  The
mailing list is concerned with encryption and data security.  This is just
something that someone on the list happened to post.  I have no control
over what people post to the list.  I read and save what's of interest to
me on the list and trash the rest, like everyone else does.

Why did I have this message forwarded from my private account to my work
account? she wanted to know.  Because I have all my mail from that
particular ("techie") list forwarded to my work account, the same way that
I keep all my other technical documentation at work--my Perl manual, my
Unix manuals, etc.  She actually pointed out that she saw the word
"cyberpunk" on the message (that's right, she can't even read), and this
also caused her concern.  (I would have been interested in hearing her
explanation for that.)

She started huffing and puffing about how this all made her very very
worried.  If there's no way to control this kind of thing, she'll just have
to turn everyone's internet access off (or just mine).  I said, "Look, I'll
turn off the forwarding when I get home tonight and not have any of this
stuff forwarded to me here any more."  She said, "Yes, naturally."

The discussion ended with her asking ME what they can do to assuage their
fears and prevent evil programs like this from being sent to employees of
the company.  I said that there wasn't much they could do; this stuff is
freely available, and if it isn't emailed in, people can still bring it in
on floppy discs.  It also could be mailed un-uuencoded (why was it
uuencoded anyway?)--and then what would they do, scan everyone's mail for
'{'?  What I didn't feel like saying at that particular place and time was
that people could just as easily bring sledgehammers in, or trash databases
using their legitimate access.  Unfortunately, the company has just got to
trust its employees.  I didn't actually say any of that because I just
wanted to get out of there.  I was getting bad flashbacks of being sent to
the principal's office in third grade.

My internet access at work is probably history; maybe everyone else's, too.
(Our access is so crippled that there are probably only four people who
even get mail from the outside; and as I said, there's no news or
ftp/telnet access.  I use it for nothing more than reading cypherpunks,
actually.  The system is so badly maintained that I'd never trust it for
personal email.)  I now have to start receiving and reading cypherpunk mail
at home, which presents a problem because my personal time is very limited,
whereas at work mail trickles in during the course of the day and is easily
managed.  This may mean I have to unsubscribe soon, after two and a half
years (almost since day one of the list).  I love Big Brother.

P.S.: I've tried to avoid injecting my personal politics into this story.
Yes, I know that as the owner of the connection, they've got the right to
do whatever they want (and this seems to be borne out by the ECPA
documents, which at a friend's suggestion I read as soon as I got home--too
bad, because I'd have seriously considered legal action).  I just thought
you might enjoy this little story, and would want to keep it in mind if
you're ever considering employment at Bear-Stearns.

   --Dave.

--
Dave Mandl
dmandl@panix.com







Thread