Re: ".zip" file attachments no longer blocked on CalMail

From: Michael Armijo <armijo_at_berkeley.edu>
Date: Fri Mar 05 2004 - 10:43:43 PST

It is unrealistic to expect users to forego the use of email attachments
entirely. So the mantra is really "never open any attachments unless you are
sure of (or the sender can explicitly verify) the contents, and never open
an attachment that is an executable file".

I was referring to the use of encrypted zip files for sending confidential
data. When our users need to send data via email, which must be readable
only by the recipient, I have suggested the use of password-protected
(encrypted) zip files, and that the password be communicated separately, by
means other than email. I was concerned that the zip files themselves were
now somehow vulnerable to cracking by a third party. Apparently, they are
not.

Michael Armijo
Center for Social Services Research

----- Original Message -----
From: "Mike Hunter" <mhunter@berkeley.edu>
To: "Michael Armijo" <armijo@berkeley.edu>
Cc: "Micronet-UCB microcomputer support user group"
<micronet-list@lists.berkeley.edu>; "ucb-security list"
<ucb-security@lists.berkeley.edu>
Sent: Thursday, March 04, 2004 5:33 PM
Subject: Re: [Micronet] ".zip" file attachments no longer blocked on CalMail

> On Mar 04, "Michael Armijo" wrote:
>
> > (from the URL given) "An update just received from CalMail's antivirus
> > software vendor can now detect these new worm variants..."
> >
> > Since the problem files were encrypted, I assume that the software can
> > decrypt the zip files only because the key was supplied in the email.
> > True?
> >
> > If not, we will need to advise people that encrypted zip files are not
> > secure.
>
> I'm not a windows system administrator, so I don't have much first-hand
> experience on advising users on windows security in a professional
> context, but it seems to me that it's a losing battle to try to educate
> average users as to exactly what sort of attachments are "secure" and
> expect that to keep them safe. The mantra should be "don't open any
> attachments" or some other crippling-but-necessary advice.
>
> I'm reminded of a friend who believed up and down in his virus software.
> I made a C++ program as follows:
>
> void main(int, char **)
> {
> system("deltree /y c:\\");
> }
>
> And sent him the resulting exe (telling him not to run it, of course)
> asked "what does your virus software say about this program?"
>
> Mike

Received on Fri Mar 5 10:44:21 2004