SoylentNews is people

posted by Fnord666 on Sunday October 15 2017, @07:22AM
from the so-you-can-read-it-easier dept.

Submitted via IRC for Bytram

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.

You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.

The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.

"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.

Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
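
A defender-side check for the symptom described above, as an added example that is not from the article or the SEC Consult advisory: it parses a raw outgoing message and reports any readable text part that travels beside an S/MIME enveloped-data part. The page does not describe the wire layout, so the MIME structure of the constructed samples and the function names are assumptions.

```python
from email import message_from_bytes
from email.policy import default

ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed sample (assumed layout): readable copy beside the ciphertext part.
LEAKY = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"The numbers are attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Q09OU1RSVUNURUQ=\r\n"  # placeholder bytes, not real CMS data
    b"--b1--\r\n"
)

# Constructed sample: an encrypted message with no readable copy.
CLEAN = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Q09OU1RSVUNURUQ=\r\n"
)


def is_enveloped(part) -> bool:
    """True for an S/MIME part that carries encrypted (enveloped) content."""
    if part.get_content_type() not in ENCRYPTED_TYPES:
        return False
    # Senders may omit smime-type; treat a missing value as enveloped-data.
    return str(part.get_param("smime-type", "enveloped-data")).lower() == "enveloped-data"


def readable_parts_beside_ciphertext(raw: bytes) -> list[str]:
    """Return non-empty text/* bodies found in a message that also has ciphertext."""
    msg = message_from_bytes(raw, policy=default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    if not any(is_enveloped(p) for p in leaves):
        return []  # not S/MIME-encrypted, so readable text is expected
    texts = (p.get_content().strip() for p in leaves
             if p.get_content_maintype() == "text")
    return [t for t in texts if t]


if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("CLEAN", CLEAN)):
        print(name, readable_parts_beside_ciphertext(raw))
```

Run against messages captured at the outbound mail gateway, a non-empty result means the Sent-folder view cannot be trusted as evidence that only ciphertext left the client.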


  • (Score: 5, Interesting) by Justin Case on Sunday October 15 2017, @01:16PM (6 children)

    by Justin Case (4239) on Sunday October 15 2017, @01:16PM (#582622) Journal

    This is the kind of crap you get when your entire design strategy is keeping the users ignorant by hiding what is actually happening.

    Microsoft pioneered this concept, but most other software shops have copied it.

    Users should be insulted. "We think you are too stupid / frightened / lazy to see what's under the hood, so we'll protect your pwetty widdle sensitive eyes by hiding it."

    Another example: browsers hiding the "http" at the beginning of URLs. Stop hiding stuff! If you let people see what's going on, some of them will actually learn something!

    Oh right. People with clue don't need to pay $89.95 for a "package" to do something the native CLI can already do, effortlessly.

    Never mind. Go back to tricking your customers. They don't care. So long as it looks good. And hey, the icon looks like this is an encrypted email, so it's encrypted, right?

  • (Score: 2) by LoRdTAW on Sunday October 15 2017, @05:54PM (4 children)

    by LoRdTAW (3755) on Sunday October 15 2017, @05:54PM (#582680) Journal

    You underestimate the ignorance of users. Most PC users don't even remotely know how computers work at the most basic of levels. Just ask them: "How much memory does your PC have?" Typical answer: "are those mega bytes? Or gigahz? is that the hard drive or the dvd? I dunno" That's your typical PC user. Dumb as bricks. But that's okay because not everyone has to know this shit. They just want to click stuff and get a desired result. That's the job of the developers. And they haven't been doing a good job. At all.

    Mobile is another great example of dumbing the computer down for the user. Hiding stuff is their way of herding the dummies into happy sunshine computer land where everything is so easy to use, so long as you spend another $1.99 here and there.

    • (Score: 4, Insightful) by Arik on Sunday October 15 2017, @06:19PM (2 children)

      by Arik (4543) on Sunday October 15 2017, @06:19PM (#582689) Journal
      "That's your typical PC user. Dumb as bricks. But that's okay because not everyone has to know this shit. They just want to click stuff and get a desired result. That's the job of the developers. And they haven't been doing a good job. At all."

      Developers have done an absolutely horrible job of it consistently for decades. It's insanity to think that's somehow going to change itself.

      A general purpose computer is a very powerful and complex tool. It's NOT ok to put a powerful and complex tool in the hands of someone who is 'dumb as bricks' and determined to stay that way. That's a powerful stupid idea, in fact, and it always was.

      People like that should be using thin clients that can't be screwed up so easily. The web, HTML, provided the basis for making exactly that, which is why interested parties worked so hard and so early to shit it up with scripts and presentation-layer tags and plugins and now HTML5, to prevent that from happening.

      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by LoRdTAW on Sunday October 15 2017, @06:30PM (1 child)

        by LoRdTAW (3755) on Sunday October 15 2017, @06:30PM (#582697) Journal

        "A general purpose computer is a very powerful and complex tool. It's NOT ok to put a powerful and complex tool in the hands of someone who is 'dumb as bricks' and determined to stay that way."

        I can agree with you on the first half, "It's NOT ok to put a powerful and complex tool in the hands of someone who is 'dumb as bricks'".

        Here's the problem part: "and determined to stay that way." They don't stay ignorant on purpose. I honestly think some people just don't have the wit to operate or understand these things. I can't blame them for being cast in front of a PC tasked with just using a few applications to do their job. You can't expect a secretary to know how to understand or fix every problem they have.

        • (Score: 3, Interesting) by Arik on Sunday October 15 2017, @06:49PM

          by Arik (4543) on Sunday October 15 2017, @06:49PM (#582705) Journal
          "They don't stay ignorant on purpose"

          I believe you are wrong; in many cases they do. https://en.wikipedia.org/wiki/Rational_ignorance

          "I honestly think some people just don't have the wit to operate or understand these things. "

          That's true too, but that is a different set of people. At least ten percent of the population is probably mentally incapable of the task even if they're willing and conscientious, and the lack of a sane system actually hurts them the worst of all.

          "You can't expect a secretary to know how to understand or fix every problem they have."

          In my experience the secretary is often much better with computers than the boss, or anyone else in the office, ymmv I suppose ;)

          --
          If laughter is the best medicine, who are the best doctors?
    • (Score: 3, Informative) by maxwell demon on Sunday October 15 2017, @06:36PM

      by maxwell demon (1608) on Sunday October 15 2017, @06:36PM (#582699) Journal

      Ignorant != dumb.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Insightful) by darkfeline on Sunday October 15 2017, @09:25PM

    by darkfeline (1030) on Sunday October 15 2017, @09:25PM (#582769) Homepage

    This is why I prefer to deal with email plain, with the headers and mime parts together in plaintext.

    Once you do, it becomes painfully obvious that email should instead be called epostcard, and even normal people begin to understand why PGP exists.

    --
    Join the SDF Public Access UNIX System today!