
Just a sample of the Echomail archive


 Message 2036 
 Vincent Coen to Niels Haedecke 
 What does "Msg Kinds" specify? 
 25 May 20 15:54:37 
 
REPLY: 2:240/8002@fidonet 5a68b6b8
MSGID: 2:250/1@fidonet 5ecbdec2
CHRS: UTF-8 2
TZUTC: 0100
TID: MBSE-FIDO 1.0.7.13 (GNU/Linux-x86_64)
Hello Niels!

Monday May 25 2020 13:44, you wrote to me:

 > Vincent Coen wrote to Niels Haedecke:
 VC>> Hello Niels!
 VC>>
 VC>> I thought that setting an echo to private no one sees content other
 VC>> than the sender and recipient.
 VC>>
 VC>> Are you saying that is NOT the case and if so under what
 VC>> circumstances, i.e., any user logged into the system or a remote
 VC>> user via internet or QWK packets?
 VC>>
 VC>>

 > Hi Vincent,
 > sorry for the very delayed reply. So here's what user "test" (who is a
 > non-sysop user) sees when he is querying the local, private echo:

 > #     From                 To                   Subject
 > 1     amiganer             niels haedecke       Hi
 > 2     lodger               amiganer             Re: Hi

 > So as you can see, the user I'm logged in (test) can see that there
 > are private messages between amiganer and lodger. He can even see the
 > subject of any private message. This should not be possible. When
 > querying the local, private echo, user "test" should not see any
 > messages listed he is neither sender nor recipient of.

 > However, when user "test" is then trying to read one of the two
 > messages he was shown, he gets:

 > "This is a private message; only the owner and addressee can view it."

 > So is this the expected behaviour and could this be fixed so you can't
 > "spy" on other conversation topics and participants by running the
 > Quickscan command?

Can you confirm that user test cannot see the content of these messages?

Clearly from your testing it looks like the content SHOULD be private but the
msgs lists are not.

I must admit I am in two minds on this, but leaning that this behaviour is
correct.

It is the content that must be private.

The information provided by seeing a list of from, to, subject is not
confidential.

In my system areas that are secure cannot be seen by anyone who does not have
the required level let alone any form of content.

These are areas for the military separated by country i.e., USA and UK.

They are set so even I cannot look at some of them but there is encryption
turned on so unless you have the key you cannot see them anyway.

This is done on purpose to protect to a very high level all content no matter
who you are and that includes police, security forces etc as allowing them
such access would in itself be a breach of the official security act sections
1 & 2 (for the UK) and similar for the USA.   The system also supports the
military of other countries but using similar encryption all using 128 byte
keys and in some cases larger.

I guess you are not worried to this level?

Vincent

--- Mageia Linux v7.1 X64/Mbse v1.0.7.13/GoldED+/LNX 1.1.5-b20180707
 * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)
SEEN-BY: 1/123 18/200 90/1 120/340 601 123/131 226/30 227/114 702
SEEN-BY: 229/101 424 426 452 664 1014 240/5832 249/206 317 400 292/854
SEEN-BY: 317/3 322/757 342/200 633/280
PATH: 250/1 261/38 218/700 103/705 280/464 229/101 426
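
Added example, not part of the original message and not MBSE code: a Python sketch of a message listing that applies the same visibility rule as the read path, so headers of private messages are listed only to their sender or addressee. The class, the function names and the sample data are hypothetical, constructed from the listing quoted in the message.

```python
from dataclasses import dataclass

PRIVATE_NOTICE = ("This is a private message; "
                  "only the owner and addressee can view it.")


@dataclass(frozen=True)
class Message:
    number: int
    sender: str
    recipient: str
    subject: str
    private: bool = True


# Constructed sample area mirroring the two headers quoted in the thread.
AREA = [
    Message(1, "amiganer", "niels haedecke", "Hi"),
    Message(2, "lodger", "amiganer", "Re: Hi"),
]


def can_view(user: str, msg: Message) -> bool:
    """The one visibility rule: public, or user is sender or addressee."""
    if not msg.private:
        return True
    name = user.casefold()
    return name in (msg.sender.casefold(), msg.recipient.casefold())


def header(msg: Message) -> tuple:
    return (msg.number, msg.sender, msg.recipient, msg.subject)


def read_message(user: str, msg: Message) -> Message:
    """Read path: refuses private messages to non-participants."""
    if not can_view(user, msg):
        raise PermissionError(PRIVATE_NOTICE)
    return msg


def quickscan_unfiltered(area: list) -> list:
    """Behaviour reported in the thread: every header goes to every user."""
    return [header(m) for m in area]


def quickscan_filtered(user: str, area: list) -> list:
    """Listing that reuses can_view(), so list and read paths agree."""
    return [header(m) for m in area if can_view(user, m)]
```

Keeping the original message numbers in the filtered listing leaves gaps, which still tells a viewer that other messages exist in the area.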



(c) 1994,  bbs@darkrealms.ca