[opensuse] Off-Topic: sending details (in)securely via email
Just a quick gauge on people's thoughts on this. My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport. They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks. Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise? I'm certainly not going to delve into the complex, murky world of email encryption just for them, and besides, I don't rate the ability of the receptionist at the other end to fathom out anything more exotic than an attached jpeg. Any attempt to send by other means may be in vain since she may forward it by email to head office. Should I commence a lecture about safe communications practices or just swallow and hope my identity doesn't get stolen? gumb -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 05/29/2016 01:05 PM, gumb wrote:
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise? I'm certainly not going to delve into the complex, murky world of email encryption just for them, and besides, I don't rate the ability of the receptionist at the other end to fathom out anything more exotic than an attached jpeg.
Any attempt to send by other means may be in vain since she may forward it by email to head office.
Should I commence a lecture about safe communications practices or just swallow and hope my identity doesn't get stolen?
gumb
What are the risk points? Do you have an account on their mail server with SSL/TLS connections? If so, the email will be encrypted en route and plain text only on the server.
gumb wrote:
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Yep, completely agree, I wouldn't do that either.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
Recorded mail. Alternatively, maybe making a copy available on a website with encryption and password protection. A bit like an escrow site. -- Per Jessen, Zürich (14.6°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 05/29/2016 12:05 PM, gumb wrote:
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise? I'm certainly not going to delve into the complex, murky world of email encryption just for them, and besides, I don't rate the ability of the receptionist at the other end to fathom out anything more exotic than an attached jpeg.
Any attempt to send by other means may be in vain since she may forward it by email to head office.
Should I commence a lecture about safe communications practices or just swallow and hope my identity doesn't get stolen?
gumb
Brits don't have a "drivers License"?
If you do, does it have a picture? That might qualify. In the USofA our drivers license acts as a government issued ID. -- Fast is fine, but accuracy is final. You must learn to be slow in a hurry. -Wyatt Earp- _ _... ..._ _ _._ ._ ..... ._.. ... .._
On 29/05/16 19:16, Billie Walsh wrote:
Brits don't have a "drivers License"?
If you do, does it have a picture?
That might qualify. In the USofA our drivers license acts as a government issued ID.
The French don't generally accept a driving license as ID. I've run into this a few times. That might start to change as they have just in the last year, finally, begun issuing EU-style licenses with photos. Previously they looked at my credit-card-sized license with complete mirth. Identity card or passport are often the only accepted items.
On 29/05/16 19:14, James Knott wrote:
What are the risk points? Do you have an account on their mail server with SSL/TLS connections? If so, the email will be encrypted en route and plain text only on the server.
I don't have an email account supplied by the employer. It would be sent from one of my private accounts. My main email provider offers nothing more than 'Password, transmitted insecurely'. Another account does provide SSL/TLS, but I really didn't want them linking that particular account to me!
On 05/29/2016 01:31 PM, gumb wrote:
On 29/05/16 19:14, James Knott wrote:
What are the risk points? Do you have an account on their mail server with SSL/TLS connections? If so, the email will be encrypted en route and plain text only on the server.
I don't have an email account supplied by the employer. It would be sent from one of my private accounts. My main email provider offers nothing more than 'Password, transmitted insecurely'. Another account does provide SSL/TLS, but I really didn't want them linking that particular account to me!
That's a strange account that doesn't support SSL/TLS. Well, as someone else mentioned, put it online somewhere and provide a link. Google Drive will do what you want.
On 29/05/16 19:15, Per Jessen wrote:
gumb wrote:
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Yep, completely agree, I wouldn't do that either.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
Recorded mail. Alternatively, maybe making a copy available on a website with encryption and password protection. A bit like an escrow site.
I've considered both these. Recorded mail will be 4 euros. After which she'll probably scan it and email it to HQ. As for the latter option, I imagine it isn't going to improve relations. She already considers me to be at times awkward! But it might be more practical. I'll look into James' suggestion of Google Drive. Not that I particularly want Google manhandling my private info either, but evils, lesser, etc..
On 29/05/16 19:35, James Knott wrote:
On 05/29/2016 01:31 PM, gumb wrote:
On 29/05/16 19:14, James Knott wrote:
What are the risk points? Do you have an account on their mail server with SSL/TLS connections? If so, the email will be encrypted en route and plain text only on the server.
I don't have an email account supplied by the employer. It would be sent from one of my private accounts. My main email provider offers nothing more than 'Password, transmitted insecurely'. Another account does provide SSL/TLS, but I really didn't want them linking that particular account to me!
That's a strange account that doesn't support SSL/TLS. Well, as someone else mentioned, put it online somewhere and provide a link. Google Drive will do what you want.
It's an account I've had for donkey's years with a UK-based ISP. I have three domains, including the one I use for work, linked to it and it costs next to nothing. Unfortunately, despite promising for about a decade that they are 'looking into' the possibility of providing secure email, that has never come to fruition. And being abroad I can't route my mail directly via their relay server, I have to use the one of my French ISP with no authentication. I suppose then that if I use Google Drive or some such and send the link in an email, I'll have to transmit any associated password/key by some separate means?
On 29.05.2016 at 19:35, James Knott wrote:
On 05/29/2016 01:31 PM, gumb wrote:
On 29/05/16 19:14, James Knott wrote:
What are the risk points? Do you have an account on their mail server with SSL/TLS connections? If so, the email will be encrypted en route and plain text only on the server.
I don't have an email account supplied by the employer. It would be sent from one of my private accounts. My main email provider offers nothing more than 'Password, transmitted insecurely'. Another account does provide SSL/TLS, but I really didn't want them linking that particular account to me!
That's a strange account that doesn't support SSL/TLS. Well, as someone else mentioned, put it online somewhere and provide a link. Google Drive will do what you want.
That one made me laugh. Is there anything in the universe that offers less privacy than google tools? Send it per whatsapp, they claim to offer end-to-end encryption :-) -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
gumb wrote:
On 29/05/16 19:16, Billie Walsh wrote:
Brits don't have a "drivers License"?
If you do, does it have a picture?
That might qualify. In the USofA our drivers license acts as a government issued ID.
The French don't generally accept a driving license as ID.
Most countries don't - the driver's license isn't sufficiently "reliable".
I've run into this a few times. That might start to change as they have just in the last year, finally, begun issuing EU-style licenses with photos.
We've had those for 15 years - they're accepted as ID at the post office when picking up parcels and recorded mail, otherwise not.
Identity card or passport are often the only accepted items.
Yup. -- Per Jessen, Zürich (15.4°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
gumb wrote:
On 29/05/16 19:15, Per Jessen wrote:
gumb wrote:
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Yep, completely agree, I wouldn't do that either.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
Recorded mail. Alternatively, maybe making a copy available on a website with encryption and password protection. A bit like an escrow site.
I've considered both these. Recorded mail will be 4 euros. After which she'll probably scan it and email it to HQ.
This is where I'd usually say - "you've got to trust someone sometime", one's employer is probably not the worst place to begin :-) -- Per Jessen, Zürich (15.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
James Knott wrote:
On 05/29/2016 01:31 PM, gumb wrote:
On 29/05/16 19:14, James Knott wrote:
What are the risk points? Do you have an account on their mail server with SSL/TLS connections? If so, the email will be encrypted en route and plain text only on the server.
I don't have an email account supplied by the employer. It would be sent from one of my private accounts. My main email provider offers nothing more than 'Password, transmitted insecurely'. Another account does provide SSL/TLS, but I really didn't want them linking that particular account to me!
That's a strange account that doesn't support SSL/TLS.
I agree - it means userid+password are sent in cleartext, that's not right. -- Per Jessen, Zürich (15.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 29/05/16 20:20, Per Jessen wrote:
gumb wrote:
On 29/05/16 19:15, Per Jessen wrote:
gumb wrote:
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Yep, completely agree, I wouldn't do that either.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
Recorded mail. Alternatively, maybe making a copy available on a website with encryption and password protection. A bit like an escrow site.
I've considered both these. Recorded mail will be 4 euros. After which she'll probably scan it and email it to HQ.
This is where I'd usually say - "you've got to trust someone sometime", one's employer is probably not the worst place to begin :-)
This is the same employer who sends out mails with hundreds of employees' private addresses all CC'd for everybody to view. Many of the recipients are temps who only spend weeks or even days in the job. That's why I really don't want them getting hold of another of my email addresses.
gumb wrote:
On 29/05/16 20:20, Per Jessen wrote:
gumb wrote:
On 29/05/16 19:15, Per Jessen wrote:
gumb wrote:
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Yep, completely agree, I wouldn't do that either.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
Recorded mail. Alternatively, maybe making a copy available on a website with encryption and password protection. A bit like an escrow site.
I've considered both these. Recorded mail will be 4 euros. After which she'll probably scan it and email it to HQ.
This is where I'd usually say - "you've got to trust someone sometime", one's employer is probably not the worst place to begin :-)
This is the same employer who sends out mails with hundreds of employees' private addresses all CC'd for everybody to view. Many of the recipients are temps who only spend weeks or even days in the job. That's why I really don't want them getting hold of another of my email addresses.
Umm, point taken. I guess you're sure you want to work for these guys? :-) -- Per Jessen, Zürich (15.4°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2016-05-29 20:12, Daniel Bauer wrote:
That's a strange account that doesn't support SSL/TLS. Well, as someone else mentioned, put it online somewhere and provide a link. Google Drive will do what you want.
That one made me laugh. Is there anything in the universe that offers less privacy than google tools?
For sure. My ISP. Telefónica.es. The IMAP server doesn't. The SMTP server uses "Untrusted TLS" according to postfix. Some time ago I looked and they were using a private certificate, using the example certificate form of the software, not even filling their own data. I haven't looked recently:
<2.6> 2016-05-20 14:52:55 Telcontar postfix 13750 - - Untrusted TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
To verify the certificate I have to increase log verbosity.
Send it per whatsapp, they claim to offer end-to-end encryption :-)
Yes, that's what I use with a client of mine. Normally I use PDF with password, but this one claims to be unable to read them. I think he uses some Apple thingie. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2016-05-29 20:35, Carlos E. R. wrote:
On 2016-05-29 20:12, Daniel Bauer wrote:
The SMTP server uses "Untrusted TLS" according to postfix. Some time ago I looked and they were using a private certificate, using the example certificate form of the software, not even filling their own data. I haven't looked recently:
To verify the certificate I have to increase log verbosity.
Well, they changed that:
<2.6> 2016-05-29 20:35:12 Telcontar postfix 16816 - - smtp.telefonica.net[86.109.99.70]:25: certificate verification depth=0 verify=0 subject=/C=ES/ST=MADRID/L=MADRID/O=Movistar/OU=Sistemas de Informacion/CN=smtp.movistar.es
<2.6> 2016-05-29 20:35:12 Telcontar postfix 16816 - - message repeated 2 times: [ smtp.telefonica.net[86.109.99.70]:25: certificate verification depth=0 verify=0 subject=/C=ES/ST=MADRID/L=MADRID/O=Movistar/OU=Sistemas de Informacion/CN=smtp.movistar.es]
...
<2.6> 2016-05-29 20:35:12 Telcontar postfix 16816 - - smtp.telefonica.net[86.109.99.70]:25: subject_CN=smtp.movistar.es, issuer_CN=Symantec Class 3 Secure Server CA - G4, fingerprint 22:6F:23:53:3E:7E:4B:E8:DF:4D:7C:9A:B7:0A:95:54, pkey_fingerprint=31:4F:CA:EB:09:5A:B1:AC:D7:D5:3E:02:3B:52:1E:A1
<2.6> 2016-05-29 20:35:12 Telcontar postfix 16816 - - Untrusted TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
It appears to be a certificate from Symantec, dunno why untrusted. This is what they had some time ago:
<2.6> 2012-06-18 00:48:17 Telcontar postfix 21900 - - certificate verification failed for smtp.telefonica.net[213.4.149.228]:25: untrusted issuer /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
<2.6> 2012-06-18 00:48:17 Telcontar postfix 21900 - - Untrusted TLS connection established to smtp.telefonica.net[213.4.149.228]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Do you see the "RTFM" in there? LOL.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
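An added example (not part of the original thread, and not Postfix's own code): a Python audit of Postfix SMTP-client TLS log lines of the kind quoted above, flagging deliveries where the peer certificate was not verified or where a deprecated protocol or weak cipher was negotiated. The sample lines are constructed (example hostnames, documentation IP addresses), and the function name and issue labels are this example's own.

```python
import re

# Summary line the Postfix SMTP client logs after each TLS handshake, e.g.
#   Untrusted TLS connection established to host[ip]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
# Trust levels: Anonymous (no certificate), Untrusted (chain not validated against
# the client's configured CAs), Trusted (chain valid), Verified (chain and name checked).
TLS_RE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established"
    r" to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+):"
    r" (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<used>\d+)/(?P<avail>\d+) bits\)"
)
# Logged before the summary line when chain validation fails.
FAIL_RE = re.compile(
    r"certificate verification failed for (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+:"
    r" (?P<reason>.+)$"
)

# TLS 1.0/1.1 are deprecated by RFC 8996; RC4 suites are prohibited by RFC 7465.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PARTS = {"RC4", "DES", "3DES", "CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH"}

# Constructed sample input, modelled on the log format quoted in the thread.
SAMPLE_LOG = [
    "<2.6> 2016-05-29 20:35:12 host postfix 16816 - - Untrusted TLS connection "
    "established to mail.example.net[192.0.2.25]:25: TLSv1 with cipher RC4-SHA (128/128 bits)",
    "<2.6> 2012-06-18 00:48:17 host postfix 21900 - - certificate verification failed "
    "for old.example.org[192.0.2.40]:25: untrusted issuer /C=XX/O=Example Test CA/CN=Test CA",
    "<2.6> 2012-06-18 00:48:17 host postfix 21900 - - Untrusted TLS connection "
    "established to old.example.org[192.0.2.40]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "<2.6> 2016-05-29 20:40:00 host postfix 16900 - - Trusted TLS connection established "
    "to good.example.com[192.0.2.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]


def audit(lines):
    """Return one finding per TLS handshake summary line, in log order."""
    last_failure = {}  # (host, ip) -> most recent verification failure reason
    findings = []
    for line in lines:
        fail = FAIL_RE.search(line)
        if fail:
            last_failure[(fail["host"], fail["ip"])] = fail["reason"].strip()
            continue
        tls = TLS_RE.search(line)
        if tls is None:
            continue  # not a TLS summary line
        issues = []
        if tls["trust"] in ("Anonymous", "Untrusted"):
            # Encrypted, but the peer's identity was not established.
            issues.append("cert-not-verified")
        if tls["proto"] in DEPRECATED_PROTOCOLS:
            issues.append("deprecated-protocol:" + tls["proto"])
        # OpenSSL cipher names are dash-separated components (RC4-SHA, DES-CBC3-SHA).
        weak = sorted(set(tls["cipher"].upper().split("-")) & WEAK_CIPHER_PARTS)
        issues.extend("weak-cipher:" + part for part in weak)
        if int(tls["used"]) < 128:
            issues.append("short-key:" + tls["used"])
        findings.append({
            "host": tls["host"],
            "ip": tls["ip"],
            "trust": tls["trust"],
            "protocol": tls["proto"],
            "cipher": tls["cipher"],
            "verify_error": last_failure.pop((tls["host"], tls["ip"]), None),
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        status = ", ".join(f["issues"]) or "ok"
        print(f"{f['host']:<18} {f['protocol']:<8} {f['cipher']:<28} {status}")
        if f["verify_error"]:
            print(f"{'':<18} verification error: {f['verify_error']}")
```
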
On 29/05/16 20:35, Carlos E. R. wrote:
Yes, that's what I use with a client of mine. Normally I use PDF with password, but this one claims to be unable to read them. I think he uses some Apple thingie.
Ah, that's an idea. I could stick the scan in a PDF in LibreOffice and encrypt it. I think my employer uses some Windows XP thingie. Although, by current consistent reports, what they think they're using probably won't be the same thing as what shows up on their screen on Monday morning. 'Your system is downloading and installing the Windows update. Screw your company.'
On 2016-05-29 19:40, gumb wrote:
As for the latter option, I imagine it isn't going to improve relations. She already considers me to be at times awkward! But it might be more practical.
Here (Spain) the request by your company could be denounced to the Data Protection Agency. Surely France has a similar body. They have to ensure that private data is transmitted and stored securely. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2016-05-29 20:49, gumb wrote:
On 29/05/16 20:35, Carlos E. R. wrote:
Yes, that's what I use with a client of mine. Normally I use PDF with password, but this one claims to be unable to read them. I think he uses some Apple thingie.
Ah, that's an idea. I could stick the scan in a PDF in LibreOffice and encrypt it. I think my employer uses some Windows XP thingie.
And probably they will not know how to convert the PDF to a clear one, so you can be relatively confident that it will be stored securely.
Although, by current consistent reports, what they think they're using probably won't be the same thing as what shows up on their screen on Monday morning.
'Your system is downloading and installing the Windows update. Screw your company.'
LOL. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 05/29/2016 01:05 PM, gumb wrote:
Any attempt to send by other means may be in vain since she may forward it by email to head office.
You may as well put the JPEG of your passport up on your Facebook page, then. Once it's out of your hands it's out of your control. This whole thing is a recipe for disaster for all the employees. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 29.05.2016 at 21:42, Anton Aylward wrote:
On 05/29/2016 01:05 PM, gumb wrote:
Any attempt to send by other means may be in vain since she may forward it by email to head office.
You may as well put the JPEG of your passport up on your Facebook page, then.
Once it's out of your hands it's out of your control.
This whole thing is a recipe for disaster for all the employees.
This is true, indeed. Also what Carlos said regarding data protection laws. If it is unavoidable to send *a* passport scan because you need the job and can't negotiate about such things with the company, I would fake the passport jpg: using gimp to alter the number, date and any data of the document that they wouldn't know and can't check, and blur the photo a bit ("sorry for poor scan quality"...), that would also hide your image manipulation... So should it go public somehow at least it would not reveal usable data to identity thieves... I know this is not correct, but what the company asks you is not correct, too. -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 2016-05-29 22:47, Daniel Bauer wrote:
So should it go public somehow at least it would not reveal usable data to identity thieves...
I know this is not correct, but what the company asks you is not correct, too.
I don't know about France, but in Spain the ID number is filled by the employer on several forms that the authorities require. If they take the number from the photo, it would cause untold problems. However, scanning at low quality is not a bad idea. And black and white, not colour. They can't fake a document from a bad photo, but the data can still be read. In Spain at least the ID number is something that we are required to give pretty often, it is no longer that private. Knowing the number does not suffice to steal an ID. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 05/30/2016 01:05 AM, gumb wrote:
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise? I'm certainly not going to delve into the complex, murky world of email encryption just for them, and besides, I don't rate the ability of the receptionist at the other end to fathom out anything more exotic than an attached jpeg.
Any attempt to send by other means may be in vain since she may forward it by email to head office.
Should I commence a lecture about safe communications practices or just swallow and hope my identity doesn't get stolen?
gumb
I have used the free version of sendinc.com. If you only have to send something every once in a while, it is useful. However, the person on the other end, I think, also has to sign up for a free account to receive the secure email. I haven't been spammed because of it, that I know of, and I don't get promotional emails from them, so I think it is a good operation. -- George Box: 42.1 | KDE Plasma 5 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: 42.1 | KDE Plasma 5 | Core i7-4710HQ | 64 | 16GB Laptop #2: 42.1 | KDE Plasma 5 | Core i5 | 64 | 8GB
Carlos E. R. wrote:
On 2016-05-29 22:47, Daniel Bauer wrote:
So should it go public somehow at least it would not reveal usable data to identity thieves...
I know this is not correct, but what the company asks you is not correct, too.
I don't know about France, but in Spain the ID number is filled by the employer on several forms that the authorities require. If they take the number from the photo, it would cause untold problems.
gumb would be sending in a copy of his passport, which presumably just has a passport number, not an ID number as such. Besides, what would a French system do with a British ID number? :-) -- Per Jessen, Zürich (14.7°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Mon, 30 May 2016, Per Jessen wrote:
gumb would be sending in a copy of his passport, which presumably just has a passport number, not an ID number as such. Besides, what would a French system do with a British ID number? :-)
Here in France a foreign number will be written into the space reserved for foreign numbers. I wonder if the "human identifiable" database formed by the collection of all this employee data in machine processable form has been declared to the French national CNIL as required by law in France. I expect not. If someone complains, often an employee union, the employer faces a fine. gumb should ask for the CNIL number of the database. The CNIL have a form to fill in to make the request. If you read French, see https://www.cnil.fr/webform/nous-contacter Roger
On 30/05/16 09:58, Roger Price wrote:
On Mon, 30 May 2016, Per Jessen wrote:
gumb would be sending in a copy of his passport, which presumably just has a passport number, not an ID number as such. Besides, what would a French system do with a British ID number? :-)
Here in France a foreign number will be written into the space reserved for foreign numbers.
I wonder if the "human identifiable" database formed by the collection of all this employee data in machine processable form has been declared to the French national CNIL as required by law in France. I expect not. If someone complains, often an employee union, the employer faces a fine.
gumb should ask for the CNIL number of the database. The CNIL have a form to fill in to make the request. If you read French, see https://www.cnil.fr/webform/nous-contacter
Roger
Thanks for the link. I had a look through some of the documents on the site but can't see anything relating specifically to collection/treatment of ID. However, this is in danger of becoming a war between me and my employer. I'm principally concerned just with the transmission of the info, since that's something partially within my direct control. What they then do with it is their responsibility and I can only influence by quizzing them and citing regulations, which isn't going to win me any favours. Their original email request doesn't state anything about the reason or intended use of the information, which some of the documents on the CNIL site suggest should have been made clear, so when they send the next reminder I might ask for clarification. gumb
On Mon, 30 May 2016, gumb wrote:
However, this is in danger of becoming a war between me and my employer. I'm principally concerned just with the transmission of the info, since that's something partially within my direct control. What they then do with it is their responsibility and I can only influence by quizzing them and citing regulations, which isn't going to win me any favours.
Their original email request doesn't state anything about the reason or intended use of the information, which some of the documents on the CNIL site suggest should have been made clear, so when they send the next reminder I might ask for clarification.
If the business is sufficiently large then your "délégué du personnel" is your friend. Don't stick your head out. It's their job to ask the questions. If you can provide the question and the regulatory reference, then you are helping them. Roger
On 05/30/2016 02:17 AM, Per Jessen wrote:
Carlos E. R. wrote:
On 2016-05-29 22:47, Daniel Bauer wrote:
So should it go public somehow at least it would not reveal usable data to identity thieves...
I know this is not correct, but what the company asks you is not correct, too.
I don't know about France, but in Spain the ID number is filled by the employer on several forms that the authorities require. If they take the number from the photo, it would cause untold problems.
gumb would be sending in a copy of his passport, which presumably just has a passport number, not an ID number as such. Besides, what would a French system do with a British ID number? :-)
It's not that. Or not just that. Or not just that alone. A passport is adequate ID for many things such as getting a social insurance number, opening a bank account, or, as I have done, and yes with a photocopy of a passport, tell a lawyer in a foreign country to carry out actions legally binding affecting large sums of money. I went through this after my parents died.
Last year I attended a presentation about Identity Theft. A lawyer gave it; she had been the victim. Someone had got a copy of her driving licence and used it as ID. They had, very amateurishly, pasted another photo over and changed some data fields, using a different font. I can't see how anyone could have accepted this, but apparently a bank did, and accessed the EQUIFAX records based on this and gave the thief a mortgage on a house which she promptly flipped, but left the lawyer with the mortgage payments. Along the way, the thief also sold the lawyer's house from under her. That poorly modified driving license was used to get other documents and access. As the mass of documents in the ID thief's hands built up they became more convincing.
So when I sent out my photocopy of my passport I wrote across it that it was for use only by the lawyer setting the estate in the setting up of the executor account.
The issue isn't what the French firm or the French authorities would do with the image and information. It's what would happen if this leaked into the hands of others. If the secretary puts it in a publicly accessible dropbox rather than attaching it to email (as we do on this forum). If she leaves the photocopy lying around. If she FAXes it and the recipient doesn't take it immediately and someone sees it in the FAX hopper and makes a copy.
I'm not a hacker, I don't have a hacker mentality. These are just examples that I've read about or been told about. I'm sure a malicious hacker could think of many more, possibly - no probably - has practised many more.
The issue isn't what SHOULD happen, what the OK LEGALLY PERMISSIBLE things are, but what the malicious illegal things are. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2016-05-30 15:09, Anton Aylward wrote:
So when I sent out my photocopy of my passport I wrote across it that it was for use only by the lawyer settling the estate in the setting up of the executor account.
I like that idea. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 05/30/2016 09:37 AM, Carlos E. R. wrote:
On 2016-05-30 15:09, Anton Aylward wrote:
So when I sent out my photocopy of my passport I wrote across it that it was for use only by the lawyer settling the estate in the setting up of the executor account.
I like that idea.
It's not perfect by any means. It is possible for an ID thief who has possession of it to scan it to a hi-res JPEG and then carefully replace the bit of the text with what might be behind it. A lot of guess work, a lot of careful image manipulation which can only partially be automated. If I was to be the target of a serious State-Actor hack, then this expenditure of effort would be justified, but to hijack the passport image for anything under $millions, well, there's easier "low hanging fruit". Someone might do it if they had a personal grudge, but my ex- isn't that tech-savvy. YMMV.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
The thread was TL;DR, but for the initial request, I send encrypted
zip files as attachments fairly often.
If the email sending won't allow that, I upload the encrypted zips to
a website in a temp folder and leave it there until the recipient says
they have it.
Greg
--
Greg Freemyer
www.IntelligentAvatar.net
On Sun, May 29, 2016 at 1:05 PM, gumb
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise? I'm certainly not going to delve into the complex, murky world of email encryption just for them, and besides, I don't rate the ability of the receptionist at the other end to fathom out anything more exotic than an attached jpeg.
Any attempt to send by other means may be in vain since she may forward it by email to head office.
Should I commence a lecture about safe communications practices or just swallow and hope my identity doesn't get stolen?
gumb
On 2016-05-31 05:40, Greg Freemyer wrote:
The thread was TL;DR, but for the initial request, I send encrypted zip files as attachments fairly often.
If the email sending won't allow that, I upload the encrypted zips to a website in a temp folder and leave it there until the recipient says they have it.
There is a problem with that. Once the recipient opens the zip archive (I have found some that do not know how to do this!), they will save the documents in clear in a folder, and possibly transmit it again to somebody else, in clear. There is thus some advantage with sending a protected PDF file instead, it will always be protected and saved that way. It did not occur to me to send photos of documents this way, though. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 29.05.2016 19:05, gumb wrote:
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
First, find out if you're even allowed to make a color scan of your passport. Some countries, Germany for example, treat passports and IDs like money: Making a color copy of them is legally considered counterfeiting. If the police finds out, they are obliged to come after you (I'm not sure of the actual legal terms) and you'll face at least a fine.
The same can happen if the receiving part doesn't take care of this sensitive data; for example when all hotel employees have access to a room where passport photocopies are kept in an open tray. Many countries demand that copies must be kept closed, destroyed as soon as possible. In Germany, you can even black out parts of the copy which aren't strictly necessary to identify you (like your religion and the like).
B&W scans might be safe.
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone.
Related links: http://www.icaew.com/en/archive/members/practice-resources/icaew-practice-su...
https://de.wikipedia.org/wiki/Personalausweis_(Deutschland)#Kopiereinschr.C3...
Regards,
-- Aaron "Optimizer" Digulla a.k.a. Philmann Dark "It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits." http://blog.pdark.de/
On 01.06.2016 at 22:52, Aaron Digulla wrote:
On 29.05.2016 19:05, gumb wrote:
Just a quick gauge on people's thoughts on this.
My employer recently asked everybody for an updated ID document. For most of their French employees this would be their identity card, but me being British I don't have one, so it would have to be my passport.
They want me to send a scan of it to them via email. In the past I've refrained from sending scans of such sensitive documents by an inherently insecure system, so I've been holding off these last few weeks.
Since I won't be passing by the office in person anytime soon, aside from putting a photocopy in the post, what would you advise?
First, find out if you're even allowed to make a color scan of your passport. Some countries, Germany for example, treat passports and IDs like money: Making a color copy of them is legally considered counterfeiting. If the police finds out, they are obliged to come after you (I'm not sure of the actual legal terms) and you'll face at least a fine.
The same can happen if the receiving part doesn't take care of this sensitive data; for example when all hotel employees have access to a room where passport photocopies are kept in an open tray. Many countries demand that copies must be kept closed, destroyed as soon as possible. In Germany, you can even black out parts of the copy which aren't strictly necessary to identify you (like your religion and the like).
B&W scans might be safe.
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone.
Related links: http://www.icaew.com/en/archive/members/practice-resources/icaew-practice-su...
https://de.wikipedia.org/wiki/Personalausweis_(Deutschland)#Kopiereinschr.C3...
Regards,
Yeah. Since a long time I think Germany should refrain from printing millions and millions of law pages of what is forbidden, and instead print a credit card sized manual of the 5, 6 or maybe even 7 things that are allowed. SCNR Daniel -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 31/05/16 14:30, Carlos E. R. wrote:
On 2016-05-31 05:40, Greg Freemyer wrote:
The thread was TL;DR, but for the initial request, I send encrypted zip files as attachments fairly often.
If the email sending won't allow that, I upload the encrypted zips to a website in a temp folder and leave it there until the recipient says they have it.
There is a problem with that. Once the recipient opens the zip archive (I have found some that do not know how to do this!), they will save the documents in clear in a folder, and possibly transmit it again to somebody else, in clear.
There is thus some advantage with sending a protected PDF file instead, it will always be protected and saved that way. It did not occur to me to send photos of documents this way, though.
Marking this as 'resolved' since making a decision today on a workaround.
As Carlos originally suggested I created a PDF from the scan in LibreOffice and encrypted it using a password, using the additional options in the PDF export dialog both to add a watermark expressing use only by the specified company, and restricting its printing to low-res 150dpi. Though I used a colour scan (didn't read Aaron's comment about the possible illegality of that until too late), the watermark would render it difficult to forge. Of course that doesn't stop some 'malfaiteur' merely using the information should they ever get their hands on it. I rang the office and gave them the password over the phone.
Should a colour scan be illegal in France (my hunch would be that French laws won't be as stringent or indeed as sophisticated as German ones in that regard), I could surely point to the requesting email sent by my company which demands the scanning and emailing of the document without any further details on necessary techniques, nor of eventual usage / storage. And since dozens of other staff are likely to have replied by simply emailing a scan with no other protections, I find it hard to believe all such staff could face prosecution as if they're supposed to know the fine print of some obscure law.
gumb
On 01/06/16 22:52, Aaron Digulla wrote:
First, find out if you're even allowed to make a color scan of your passport. Some countries, Germany for example, treat passports and IDs like money: Making a color copy of them is legally considered counterfeiting. If the police finds out, they are obliged to come after you (I'm not sure of the actual legal terms) and you'll face at least a fine.
The same can happen if the receiving part doesn't take care of this sensitive data; for example when all hotel employees have access to a room where passport photocopies are kept in an open tray. Many countries demand that copies must be kept closed, destroyed as soon as possible. In Germany, you can even black out parts of the copy which aren't strictly necessary to identify you (like your religion and the like).
B&W scans might be safe.
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone.
Related links: http://www.icaew.com/en/archive/members/practice-resources/icaew-practice-su...
https://de.wikipedia.org/wiki/Personalausweis_(Deutschland)#Kopiereinschr.C3...
Diversionary tangent: When I first got hold of a multifunction printer, I tested scanning and direct printing (using only the device not the computer) a UK ten pound note, merely for my own curiosity and as a first test of how well the unit performed. The result was remarkably good for a 2003 model device. Had I used the right form of paper, managed to pull off printing it double-sided and perfectly lined up, and possibly fathomed out some kind of fake watermarking / metal insertion, I could have made a small fortune (ten pounds, to be precise).
The strange thing about it was (and this only serves to strengthen my occasional mind forays into semi-delusional beliefs that my every move is being monitored), later that same day I nipped up to the local mini-mart to buy something. The ten pound forgery rested at home on the printer. I paid with a regular, real ten pound note and the young trendy guy at the checkout, who I'd never encountered previously but who was in a buoyant mood that afternoon, checked it against the light, then went on a strange chuckling monologue about how modern domestic multifunction printers were so good at creating believable forgeries, terminating his patter with a question asking me if I'd ever tried it myself?
It's the only occasion anybody has ever entered into such a conversation with me. One for my book of strange coincidences...
gumb
On 2016-06-02 02:41, gumb wrote:
On 01/06/16 22:52, Aaron Digulla wrote:
First, find out if you're even allowed to make a color scan of your passport. Some countries, Germany for example, treat passports and IDs like money: Making a color copy of them is legally considered counterfeiting. If the police finds out, they are obliged to come after you (I'm not sure of the actual legal terms) and you'll face at least a fine.
I never heard of that. But I'm not German.
The same can happen if the receiving part doesn't take care of this sensitive data; for example when all hotel employees have access to a room where passport photocopies are kept in an open tray. Many countries demand that copies must be kept closed, destroyed as soon as possible. In Germany, you can even black out parts of the copy which aren't strictly necessary to identify you (like your religion and the like).
Well, Spain has a data protection agency, so maybe we have this part at least. But I don't know what the actual regulations are.
B&W scans might be safe.
Not a bad idea. If one sends a B&W copy they can't easily forge the ID.
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone.
How would one encrypt with AES? :-? And it has to be doable both in Linux and Windows. Oh, and Macs. And perhaps Android. The file has to be usable on all systems.
Diversionary tangent: When I first got hold of a multifunction printer, I tested scanning and direct printing (using only the device not the computer) a UK ten pound note, merely for my own curiosity and as a first test of how well the unit performed. The result was remarkably good for a 2003 model device. Had I used the right form of paper, managed to pull off printing it double-sided and perfectly lined up, and possibly fathomed out some kind of fake watermarking / metal insertion, I could have made a small fortune (ten pounds, to be precise).
The strange thing about it was (and this only serves to strengthen my occasional mind forays into semi-delusional beliefs that my every move is being monitored), later that same day I nipped up to the local mini-mart to buy something. The ten pound forgery rested at home on the printer. I paid with a regular, real ten pound note and the young trendy guy at the checkout, who I'd never encountered previously but who was in a buoyant mood that afternoon, checked it against the light, then went on a strange chuckling monologue about how modern domestic multifunction printers were so good at creating believable forgeries, terminating his patter with a question asking me if I'd ever tried it myself?
It's the only occasion anybody has ever entered into such a conversation with me. One for my book of strange coincidences...
LOL.
You know the 500€ bill? Here in Spain they are called "bin ladens" because everybody knows they exist, but nobody has seen them.
Well, once I managed to handle one.
Of course I scanned it! X'-)
I don't expect to see another in my life. Inflation not allowing. I want to remember how it was, having one in my hands.
But the EU has decided not to print anymore of those. They are very much used for illegal transfers (especially in Spain!).
I don't know what's the biggest pound note in use :-?
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02/06/16 11:44, Carlos E. R. wrote:
You know the 500€ bill? Here in Spain they are called "bin ladens" because everybody knows they exist, but nobody has seen them.
Well, once I managed to handle one.
Of course I scanned it! X'-)
I don't expect to see another in my life. Inflation not allowing. I want to remember how it was, having one in my hands.
But the EU has decided not to print anymore of those. They are very much used for illegal transfers (especially in Spain!).
I don't know what's the biggest pound note in use :-?
The biggest regular British pound note in ordinary circulation is £50. But a few years ago there was a story about some swindle in the far east involving million pound notes. Like many others, I thought this was fabricated believing no such thing existed, but apparently such high denominations do exist, just not in the traditional form of colourful notes we are familiar with. The article went on to say how the person forging the million pound notes was caught because only a very limited number had ever been produced and hence those genuine ones could all be traced.
As for the 500€ notes, I've never even handled a 200€ or a 100€ note. It's annoying enough when the cash machine gives me a 50€ bill. I recall some shops here in France refusing to accept them. On the other hand, on the rare occasion I've needed to draw a large sum in cash in either pounds or euros and I've asked for the higher denominations from the bank so as to carry less bulk, they've never adhered to my request and always given me a big clump of 20£/€ bills, as if to imply that I'm not big enough to handle the high value ones.
gumb
On 2016-06-02 13:07, gumb wrote:
On 02/06/16 11:44, Carlos E. R. wrote:
I don't know what's the biggest pound note in use :-?
The biggest regular British pound note in ordinary circulation is £50. But a few years ago there was a story about some swindle in the far east involving million pound notes. Like many others, I thought this was fabricated believing no such thing existed, but apparently such high denominations do exist, just not in the traditional form of colourful notes we are familiar with. The article went on to say how the person forging the million pound notes was caught because only a very limited number had ever been produced and hence those genuine ones could all be traced.
Curious!
As for the 500€ notes, I've never even handled a 200€ or a 100€ note. It's annoying enough when the cash machine gives me a 50€ bill. I recall some shops here in France refusing to accept them. On the other hand, on the rare occasion I've needed to draw a large sum in cash in either pounds or euros and I've asked for the higher denominations from the bank so as to carry less bulk, they've never adhered to my request and always given me a big clump of 20£/€ bills, as if to imply that I'm not big enough to handle the high value ones.
My bank told me that I had to request them the day before at least. Same for a big withdrawal. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 06/01/2016 08:41 PM, gumb wrote:
It's the only occasion anybody has ever entered into such a conversation with me. One for my book of strange coincidences...
Or maybe you're being watched! ;-)
On 06/02/2016 05:44 AM, Carlos E. R. wrote:
Not a bad idea. If one sends a B&W copy they can't easily forge the ID.
"Easily" being the operative word. There's colorization software available ... -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 02.06.2016 at 11:44, Carlos E. R. wrote:
On 2016-06-02 02:41, gumb wrote:
On 01/06/16 22:52, Aaron Digulla wrote:
First, find out if you're even allowed to make a color scan of your passport. Some countries, Germany for example, treat passports and IDs like money: Making a color copy of them is legally considered counterfeiting. If the police finds out, they are obliged to come after you (I'm not sure of the actual legal terms) and you'll face at least a fine.
I never heard of that. But I'm not German.
The same can happen if the receiving part doesn't take care of this sensitive data; for example when all hotel employees have access to a room where passport photocopies are kept in an open tray. Many countries demand that copies must be kept closed, destroyed as soon as possible. In Germany, you can even black out parts of the copy which aren't strictly necessary to identify you (like your religion and the like).
Well, Spain has a data protection agency, so maybe we have this part at least. But I don't know what the actual regulations are.
B&W scans might be safe.
Not a bad idea. If one sends a B&W copy they can't easily forge the ID.
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone.
How would one encrypt with AES? :-?
And it has to be doable both in Linux and Windows. Oh, and Macs. And perhaps Android. The file has to be usable on all systems.
Diversionary tangent: When I first got hold of a multifunction printer, I tested scanning and direct printing (using only the device not the computer) a UK ten pound note, merely for my own curiosity and as a first test of how well the unit performed. The result was remarkably good for a 2003 model device. Had I used the right form of paper, managed to pull off printing it double-sided and perfectly lined up, and possibly fathomed out some kind of fake watermarking / metal insertion, I could have made a small fortune (ten pounds, to be precise).
The strange thing about it was (and this only serves to strengthen my occasional mind forays into semi-delusional beliefs that my every move is being monitored), later that same day I nipped up to the local mini-mart to buy something. The ten pound forgery rested at home on the printer. I paid with a regular, real ten pound note and the young trendy guy at the checkout, who I'd never encountered previously but who was in a buoyant mood that afternoon, checked it against the light, then went on a strange chuckling monologue about how modern domestic multifunction printers were so good at creating believable forgeries, terminating his patter with a question asking me if I'd ever tried it myself?
It's the only occasion anybody has ever entered into such a conversation with me. One for my book of strange coincidences...
LOL.
You know the 500€ bill? Here in Spain they are called "bin ladens" because everybody knows they exist, but nobody has seen them.
Well, once I managed to handle one.
Of course I scanned it! X'-)
I don't expect to see another in my life. Inflation not allowing. I want to remember how it was, having one in my hands.
But the EU has decided not to print anymore of those. They are very much used for illegal transfers (especially in Spain!).
If bin's are used for illegal transfers in Spain they must be used mainly by the corrupt government, no? So there would be no reason to prohibit them, on the contrary.... The reason is not "illegal transfers" but to suppress any cash transfer in the end for the sake of a) total control and b) more money for the nice friends who handle the electronic transfers (credit cards, banks...). How those friends pay their facilitators to say thanks, when there are no more big cash bills is a mystery to me. Maybe with cocaine... -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 02.06.2016 11:44, Carlos E. R. wrote:
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone. How would one encrypt with AES? :-?
7z supports AES-256 on all platforms. http://www.howtogeek.com/203590/how-to-create-secure-encrypted-zip-or-7z-arc... Regards, -- Aaron "Optimizer" Digulla a.k.a. Philmann Dark "It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits." http://blog.pdark.de/
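Added example (not part of any poster's message): an "encrypted zip" as mentioned earlier in the thread is only AES-protected if the tool was told to use AES, because the zip format also has a legacy password scheme (ZipCrypto) that is much weaker. This Python check reads a zip's headers and reports which scheme each entry uses; the sample archive, its file names and the helper names are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # WinZip AE-x marker stored in the "compression method" field
AES_EXTRA_ID = 0x9901  # extra-field header ID that carries the AES parameters
AES_BITS = {1: 128, 2: 192, 3: 256}


def aes_strength(extra: bytes):
    """Return the AES key size from the 0x9901 extra field, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            # body layout: version(2) vendor "AE"(2) strength(1) real method(2)
            return AES_BITS.get(body[4])
        pos += 4 + size
    return None


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Name the protection scheme of one zip entry from its header fields."""
    if not info.flag_bits & 0x1:      # bit 0 clear: stored without a password
        return "plaintext"
    if info.flag_bits & 0x40:         # bit 6: PKWARE strong encryption (not inspected)
        return "pkware-strong"
    if info.compress_type == AES_METHOD:
        bits = aes_strength(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    return "zipcrypto"                # password set, but legacy cipher


def audit_zip(data: bytes) -> dict:
    """Map each file name in the archive to its protection scheme."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def non_aes_entries(data: bytes) -> list:
    """Entries that should not be e-mailed as they are."""
    return [n for n, kind in audit_zip(data).items() if not kind.startswith("aes-")]


def build_sample_zip(entries) -> bytes:
    """Constructed input: a minimal zip whose entries carry the given
    (name, flag_bits, method, extra) header values and dummy 4-byte bodies."""
    out, central = b"", b""
    date = ((2016 - 1980) << 9) | (6 << 5) | 3
    for name, flags, method, extra in entries:
        fname, body = name.encode("ascii"), b"\x00" * 4
        offset = len(out)
        out += struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method,
                           0, date, 0, len(body), len(body), len(fname), len(extra))
        out += fname + extra + body
        central += struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0,
                               flags, method, 0, date, 0, len(body), len(body),
                               len(fname), len(extra), 0, 0, 0, 0, offset)
        central += fname + extra
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(central), len(out), 0)
    return out + central + eocd


# Constructed sample: one AES-256 entry, one legacy-encrypted entry, one unprotected.
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE = build_sample_zip([
    ("passport_aes.pdf", 0x1, AES_METHOD, AES256_EXTRA),
    ("passport_legacy.jpg", 0x1, 8, b""),
    ("readme.txt", 0x0, 0, b""),
])

if __name__ == "__main__":
    for name, kind in audit_zip(SAMPLE).items():
        print(f"{name}: {kind}")
```

Even with AES, a zip leaves the file names readable without the password; the 7z format can encrypt the names as well.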
On 2016-06-03 22:30, Aaron Digulla wrote:
On 02.06.2016 11:44, Carlos E. R. wrote:
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone. How would one encrypt with AES? :-?
7z supports AES-256 on all platforms.
http://www.howtogeek.com/203590/how-to-create-secure-encrypted-zip-or-7z-arc...
Ok. But then they have access to the document in clear. They would extract it, then forward it in clear to whatever department or agency requests it, on clear email. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 06/04/2016 07:23 AM, Carlos E. R. wrote:
On 2016-06-03 22:30, Aaron Digulla wrote:
On 02.06.2016 11:44, Carlos E. R. wrote:
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone. How would one encrypt with AES? :-?
7z supports AES-256 on all platforms.
http://www.howtogeek.com/203590/how-to-create-secure-encrypted-zip-or-7z-arc...
Ok.
But then they have access to the document in clear. They would extract it, then forward it in clear to whatever department or agency requests it, on clear email.
The issue gets back to, on the one hand, how creative-tech are they and on the other, the old adage about God inventing better idiots as we try to make things idiot proof.
I liked the idea about a password protected PDF of the image. At least that guarantees the file won't be forwarded in the clear, unless a recipient has the tools to remove the password protection.
HOWEVER, it doesn't prevent the idiot secretary forwarding the password along with the file.
HOWEVER, it doesn't prevent the idiot secretary printing out the image and FAXing that or scanning that.
Personally I think there is no completely secure way to deal with this matter. Any "secure channel" you may think of, well the secretary amounts to a MitM "attack".
==============
It's one thing to give your SSN & bank account details to the payroll people (for direct deposit of your wages and for direct tax deduction); they are in a position to recognise their fiducial responsibilities.
But HR & line receptionists/secretaries don't seem to understand that same, don't understand PII. Maybe it's different your side of the ocean, but this side that segment of the corporation seems populated by post-millennial, or at least iPhone obsessed items that are young enough to be my grand-daughter. There are enough articles out there on how these ... don't have the same view of the need to protect PII that us "old codgers" (aka anyone born before 1995) do.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2016-06-04 15:13, Anton Aylward wrote:
On 06/04/2016 07:23 AM, Carlos E. R. wrote:
HOWEVER, it doesn't prevent the idiot secretary forwarding the password along with the file.
HOWEVER, it doesn't prevent the idiot secretary printing out the image and FAXing that or scanning that.
You can disable printing and copy permission in PDFs. Or you could use DRM. ;-) :-P
It's one thing to give your SSN & bank account details to the payroll people (for direct deposit of your wages and for direct tax deduction); they are in a position to recognise their fiducial responsibilities.
But HR & line receptionists/secretaries don't seem to understand that same, don't understand PII. Maybe it's different your side of the ocean, but this side that segment of the corporation seems populated by post-millennial, or at least iPhone obsessed items that are young enough to be my grand-daughter. There are enough articles out there on how these ... don't have the same view of the need to protect PII that us "old codgers" (aka anyone born before 1995) do.
Well... here there is a data protection agency. When someone throws out the paper garbage with those private items so that anybody can pick them, they intervene. That secretary gets fined. This kind of things should be taught at schools. They tried here, "education for citizenship", but they got accused by the right side of trying to forsake the right of parents to choose the religion of their kids or something of the sort (don't trust me much in this), and the subject was removed from the curricula. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 06/04/2016 11:12 AM, Carlos E. R. wrote:
On 2016-06-04 15:13, Anton Aylward wrote:
On 06/04/2016 07:23 AM, Carlos E. R. wrote:
HOWEVER, it doesn't prevent the idiot secretary forwarding the password along with the file.
HOWEVER, it doesn't prevent the idiot secretary printing out the image and FAXing that or scanning that.
You can disable printing and copy permission in PDFs.
Ah, yes, I forget about that. Maybe I should apply those to the resumes I send out, or somehow ...
Or you could use DRM. ;-) :-P
SHOCK-HORROR!
Well... here there is a data protection agency. When someone throws out the paper garbage with those private items so that anybody can pick them, they intervene. That secretary gets fined.
So, they have permanent crews that inspect everyone's garbage ALL THE TIME? No, I didn't think so. And once your PII is out there, fining the secretary doesn't get it back. Is there going to be a court order that the secretary has to make up any losses you incur due to ID theft? Not just the emptying of your bank account but raised insurance rates and refusals of loans and mortgages and cost incurred of establishing a new identity? In perpetuity? No, I didn't think so.
This kind of things should be taught at schools. They tried here, "education for citizenship", but they got accused by the right side of trying to forsake the right of parents to choose the religion of their kids or something of the sort (don't trust me much in this), and the subject was removed from the curricula.
There are people who confuse ethics and morality, and worse! They think that things like morality is and can only be a result of religious belief, something for which there is no evidence. The problem is that schools DO teach ethics; they teach socialization and other aspects of what is and is not considered acceptable social behaviour. "Education for Citizenship" is pretty broad; it should explain things like how a democracy operates, how courts work, the difference between civil and criminal law, how to appeal to your MP or city councillor and a lot of stuff like that as well. But let's face it, "property law", as in "what's yours is yours and what's mine is mine and lets keep it that way" begins in kindergarten. Extending that to PII shouldn't be difficult.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2016-06-04 17:55, Anton Aylward wrote:
On 06/04/2016 11:12 AM, Carlos E. R. wrote:
You can disable printing and copy permission in PDFs.
Ah, yes, I forget about that. Maybe I should apply those to the resumes I send out, or somehow ...
Or you could use DRM. ;-) :-P
SHOCK-HORROR!
LOL. But it is a fair use of it.
Well... here there is a data protection agency. When someone throws out the paper garbage with those private items so that anybody can pick them, they intervene. That secretary gets fined.
So, they have permanent crews that inspect everyone's garbage ALL THE TIME?
Oh, no. But people do and denounce it. It goes public in the telly sometimes, like once the health histories of a hospital went to the garbage. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Saturday, 04 June 2016 13:23 CEST, "Carlos E. R."
To transmit via email, put the image into an archive and encrypt the archive with AES and use a good password. Tell the company the password by phone.
How would one encrypt with AES? :-?
7z supports AES-256 on all platforms.
http://www.howtogeek.com/203590/how-to-create-secure-encrypted-zip-or-7z-arc...
Ok.
But then they have access to the document in clear. They would extract it, then forward it in clear to whatever department or agency requests it, on clear email.
I saw your comment and I agree. It seems that the latest PDF versions support AES, so encrypted PDFs look like a good solution ... just don't forget to also disable "printing allowed" etc. or they will print and rescan. Or make a photo with a mobile phone while cursing you and all your descendants for the trouble which you're causing :-) Regards, -- Aaron "Optimizer" Digulla a.k.a. Philmann Dark "It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits." http://blog.pdark.de/
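The 7z suggestion from the message above, as an added example that is not part of the original thread: it generates a passphrase that can be read out over the phone, creates an AES-256 7z archive with encrypted file names, and checks that a wrong passphrase cannot even list it. The file names and function names are assumptions, and the `7z` binary (p7zip) must be installed.

```shell
#!/bin/sh
# Added example, not from the thread. scan.7z and the function names are
# hypothetical; requires the 7z binary (p7zip).

# 20 random characters from an alphabet without look-alikes (no i, l, o, 0, 1),
# grouped in fours so the result can be dictated by phone (about 99 bits).
gen_passphrase() {
    LC_ALL=C tr -dc 'a-hjkmnp-z2-9' < /dev/urandom | head -c 20 |
        sed 's/..../&-/g; s/-$//'
}

# encrypt_scan ARCHIVE PASSPHRASE FILE...
#   -t7z    : 7z container, which encrypts with AES-256
#   -mhe=on : encrypt the archive header too, so file names are hidden
#   -p...   : passphrase; on a shared machine use a bare -p to be prompted,
#             because command-line arguments are visible in the process list
encrypt_scan() {
    archive=$1; pass=$2; shift 2
    if [ -e "$archive" ]; then
        echo "refusing to add to existing archive: $archive" >&2
        return 1
    fi
    7z a -t7z -mhe=on -p"$pass" "$archive" "$@" >/dev/null
}

# Succeeds only if the archive cannot be listed with a wrong passphrase.
is_locked() {
    ! 7z l -p"not-the-passphrase" "$1" >/dev/null 2>&1
}

# Usage: sh encrypt-scan.sh passport.jpg
if [ "$#" -ge 1 ]; then
    pass=$(gen_passphrase)
    encrypt_scan scan.7z "$pass" "$@" && is_locked scan.7z &&
        printf 'Attach scan.7z; give this passphrase by phone: %s\n' "$pass"
fi
```

This protects the file in transit and at rest in the mailbox only; as the thread points out, the recipient still ends up with the scan in clear once it is extracted.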
On 2016-06-02 15:04, Daniel Bauer wrote:
On 02.06.2016 at 11:44, Carlos E. R. wrote:
LOL.
You know the 500€ bill? Here in Spain they are called "bin ladens" because everybody knows they exist, but nobody has seen them.
Well, once I managed to handle one.
Of course I scanned it! X'-)
I don't expect to see another in my life. Inflation not allowing. I want to remember how it was, having one in my hands.
But the EU has decided not to print any more of those. They are very much used for illegal transfers (especially in Spain!).
If bin's are used for illegal transfers in Spain they must be used mainly by the corrupt government, no? So there would be no reason to prohibit them, on the contrary....
Well, the order to suppress them comes "from Europe", higher up. Corrupt people in general. Any money transfer happening below the radar. It can be mafia (drugs, prostitution, etc), bribes to officials, extra price of things not in the papers (say, you buy a house for X, but you pay also Y). But it can also be legal transfers, like draw an amount in a bank, place it in another bank without paying the money transfer fee the bank wants.
The reason is not "illegal transfers" but to suppress any cash transfer in the end for the sake of a) total control and b) more money for the nice friends who handle the electronic transfers (credit cards, banks...).
Yes.
How those friends pay their facilitators to say thanks, when there are no more big cash bills is a mystery to me. Maybe with cocaine...
Who knows... -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 08/06/16 12:59, Carlos E. R. wrote:
On 2016-06-02 15:04, Daniel Bauer wrote:
On 02.06.2016 at 11:44, Carlos E. R. wrote:
LOL.
You know the 500€ bill? Here in Spain they are called "bin ladens" because everybody knows they exist, but nobody has seen them.
Well, once I managed to handle one.
Of course I scanned it! X'-)
I don't expect to see another in my life. Inflation not allowing. I want to remember how it was, having one in my hands.
But the EU has decided not to print any more of those. They are very much used for illegal transfers (especially in Spain!).
If bin's are used for illegal transfers in Spain they must be used mainly by the corrupt government, no? So there would be no reason to prohibit them, on the contrary....
Well, the order to suppress them comes "from Europe", higher up.
Corrupt people in general. Any money transfer happening below the radar. It can be mafia (drugs, prostitution, etc), bribes to officials, extra price of things not in the papers (say, you buy a house for X, but you pay also Y).
But it can also be legal transfers, like draw an amount in a bank, place it in another bank without paying the money transfer fee the bank wants.
The reason is not "illegal transfers" but to suppress any cash transfer in the end for the sake of a) total control and b) more money for the nice friends who handle the electronic transfers (credit cards, banks...).
Yes.
How those friends pay their facilitators to say thanks, when there are no more big cash bills is a mystery to me. Maybe with cocaine...
Who knows...
A relevant article in today's local press in Lyon (in French): https://www.lyonmag.com/article/81254/lyon-une-figure-du-banditisme-paye-sa-... In short, a guy accused of drug trafficking has paid a bail of half a million euros, all in cash, supplied by 29 different people stuffing 500 euro notes into envelopes.