
Goldman Sachs Demanding E-Mail be Deleted - CapitalistCartr
https://www.schneier.com/blog/archives/2014/07/goldman_sacks_d.html
======
wglb
Why not post the source article:
[http://www.reuters.com/article/2014/07/02/us-google-goldman-...](http://www.reuters.com/article/2014/07/02/us-google-goldman-leak-idUSKBN0F729I20140702)

Bruce isn't adding very much here.

~~~
mpclark
Bruce "just" added the right audience to get the story picked up on HN --
nothing wrong with that.

~~~
chaz
from ~11 hours earlier:
[https://news.ycombinator.com/item?id=7981002](https://news.ycombinator.com/item?id=7981002)

------
jarman
> to avoid the risk of unnecessary reputational damage to Goldman Sachs

What horrible injustice, being known as a failure in security for being a
failure in security. Poor Goldman Sachs.

~~~
vehementi
Isn't the reputational damage already done? The leak happened.

------
tensafefrogs
They shouldn't be emailing around "highly confidential brokerage account
information" in the first place. It should be locked down in some internal
system. Poor practice from GS that caused it all in the first place.

~~~
twistedpair
Having worked at a similar iBank, I can assure you most people don't give a
rat's ass about proper procedures until they're caught. Why it was even
possible to send an email to an external address with such an unencrypted
attachment is a bigger question. I hope the lucky recipient finds a high
bidder for said information.

------
snowwrestler
I'm having a hard time getting outraged at either party.

We give companies a hard time for lax security practices. GS recognizes an
error and is trying to take steps to reduce the likelihood of a data breach.
What's wrong with that?

Google wants to protect its users from unnecessary interference in their email
accounts, so it asked for a court order. What's wrong with that?

~~~
probably_wrong
I'm not outraged, either, but curious. What if this had happened with physical
mail? Does it make any difference whether it was read or not? Can the
destination account argue and keep it?

There are many interesting questions raised here. It could be interesting to
see how it plays out in the end.

~~~
snowwrestler
Google should be able to tell whether the email has been opened or not, or
whether the receiving account is active or has been logged into recently.

It's interesting to think about this email landing in my Gmail inbox. I'm
pretty sure I'd reply and inform the sender that they screwed up and ask if
they want me to delete it.

------
hluska
Update: Google has apparently blocked access to the email.

source - [http://www.reuters.com/article/2014/07/03/google-goldman-lea...](http://www.reuters.com/article/2014/07/03/google-goldman-leak-idUSL2N0PD2R620140703)

------
peteorpeter
In the early 2000s I worked in a school system that used a faux-email system
where un-sending messages was completely possible. Any user could un-send
messages that no recipients had read, which was _great_ as a user. Only sys-
admins could un-send read messages. The only time I remember the latter
happening was after someone got fired and flamed their way out the door. It
was a bit chilling if you did read their messages before all evidence of their
outburst was erased by the invisible hand of the sys-admins.

~~~
cliveowen
Frankly I've never understood why email doesn't work this way, it looks
backwards to me. As long as the recipient hasn't read the email the sender
should have the right to delete it. Even if the client has already delivered
the email in the recipient's inbox there should be a way for the SMTP/IMAP
server to notify the client and remove it.

Even WhatsApp works this way: once you've sent a message, you can't unsend it.
The message is first relayed to their servers and then relayed to the client,
but even if the recipient isn't online and the message is only on the server,
deleting it only removes it from _your_ conversation. You'd think that in 2014
we would have addressed these kinds of flaws.

~~~
arethuza
Outlook/Exchange does allow emails to be recalled - but I think this only
works within the same Exchange organisation.

It is weird to see an email sitting in your Inbox disappear as you watch!

~~~
mpyne
It seems to vary though; you can configure Outlook to not obey message
recalls, although that might be at the discretion of an admin group policy.
Either way, my last DoD network allowed you to avoid deleting emails based on
recall requests, which was a very nice feature (or policy omission, not sure).

------
SatoshiPacioli
I use GPGTools when sending sensitive client information, to avoid situations
like this.

GS has zero excuses, they could very easily code a Microsoft Outlook version
of it that is seamlessly integrated. Instead they fail at proper risk
management and rely on government intervention, sound familiar?

~~~
smackfu
Do you also use encryption when sending information internally to a colleague?
That's the situation here: it was an internal email accidentally sent to GMail
instead of Goldman Sachs.

I bet a lot of firms fail in this case.

~~~
eru
Internal email should be easier to encrypt, if anything. Because the company
can control both end-points, so can make the encryption automatic.

~~~
yebyen
And how would it help to automatically encrypt internal e-mails when an e-mail
accidentally gets an external delivery address because someone fat-fingers?

~~~
SatoshiPacioli
Do you understand how PGP encryption functions?

~~~
yebyen
Yes, I understand (on a superficial "don't actually use it on a day-to-day
basis, but have encrypted e-mails before" level)

I am imagining this program that looks through your To: field for recipients
in your address book that have shared their public key with you. If it finds
any, those people get a copy sent to them which is encrypted and only they can
read...

Now what happens if you accidentally try to send mail to someone not in your
address book?

I guess hopefully you get a big popup that says "Warning: mail will not be
encrypted!" Maybe not?

I've used the command-line tools to encrypt files and send encrypted
attachments. It's nothing like "automatic" and it's certainly not an envelope
for the whole message.
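
The recipient check discussed in this sub-thread, sketched as an added example (not code from any commenter or from a real mail product): every recipient must be internal and have a public key on file, and a message with an attachment is blocked rather than merely warned about. The domain `corp.example`, the `KEYRING` contents and all function names are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"                      # assumed internal mail domain
KEYRING = {"alice@corp.example", "bob@corp.example"}  # constructed: keys on file

def classify_recipients(msg):
    """Sort every To/Cc/Bcc address into encrypt / no_key / external."""
    buckets = {"encrypt": [], "no_key": [], "external": []}
    headers = [str(h) for name in ("To", "Cc", "Bcc")
               for h in msg.get_all(name, [])]
    for _display, addr in getaddresses(headers):
        addr = addr.strip().lower()
        domain = addr.rpartition("@")[2]
        if not addr or domain != INTERNAL_DOMAIN:
            # Unparseable or foreign address: treat as external (fail closed).
            buckets["external"].append(addr or "<unparsed>")
        elif addr in KEYRING:
            buckets["encrypt"].append(addr)
        else:
            buckets["no_key"].append(addr)
    return buckets

def outbound_decision(msg):
    """Return (action, offending_addresses) for one outgoing message."""
    b = classify_recipients(msg)
    offenders = b["external"] + b["no_key"]
    has_attachment = any(True for _ in msg.iter_attachments())
    if not offenders and not b["encrypt"]:
        return "block", []          # no recipient could be parsed at all
    if not offenders:
        return "encrypt", []        # every recipient has a key: encrypt to all
    if has_attachment:
        return "block", offenders   # never send an attachment in the clear
    return "warn", offenders        # plain text only: ask the sender to confirm

def sample_message(to, attach):
    """Build a constructed outgoing message for the demo."""
    msg = EmailMessage()
    msg["From"] = "bob@corp.example"
    msg["To"] = to
    msg.set_content("quarterly figures")
    if attach:
        msg.add_attachment(b"acct,balance\n", maintype="application",
                           subtype="octet-stream", filename="accounts.bin")
    return msg

if __name__ == "__main__":
    for to in ("alice@corp.example", "alice@mail.example"):
        print(to, outbound_decision(sample_message(to, attach=True)))
```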

------
wes-exp
Understandably GS is not a very sympathetic figure, but in general I don't
think it's unreasonable to wish for an email "undo" if you fat-finger the
recipient address and realize it immediately.

~~~
glandium
Microsoft Exchange has that feature, exposed in Outlook. The fun thing is that
IIRC it sends a special email to trigger it. So if the recipient is not using
an Exchange server, he sees both emails.

~~~
ggambetta
A reply to the email with a single line saying "recall", IIRC. I got one of
these from a business partner years ago... it was intended as an internal
email between them, not as a response to us. It was kind of hilarious. I was
very tempted to reply "no" :)

------
cjslep
I assume the email forgot to include the standard legal disclaimer and
"delete-if-unintended-recipient" footer notice? Would that actually protect
them if that was present on the email?

~~~
UnoriginalGuy
Those things don't do a darn thing. I've Googled it extensively and the only
justification I can find is: "Why NOT include it? It does no harm and it might
help."

I'm yet to find a single legal case where an email signature made or broke the
case. It strikes me more as legal mumbo jumbo voodoo at this point than
anything of merit.

Not least of all as a contract is between two parties, the recipient cannot be
auto-magically placed into a contractual position just by receiving the email.

That would be like me sending a snail mail letter to someone with the words
"By reading this mail you agree that all your stuff is now mine" and
pretending like any court in the world (any country) would take that
"contract" seriously.

That's essentially what these signatures do. Try to set up a contractual
arrangement with one party "agreeing" to that arrangement just through the
virtue of receiving an email?

------
alandarev
That is why a 30-minute delay before sending emails feature is a must-have in
any email client.

The reason I used "The Bat!" for ages, and now prefer Thunderbird/Postbox-inc.

------
burncycle
Whoops.

[http://www.mcsweeneys.net/articles/whoops](http://www.mcsweeneys.net/articles/whoops)

