Maybe it's difficult to capture an e-mail in transit, I don't know.
But something that is very easy for almost anybody is to send an e-mail pretending to be somebody else. This can be done with nothing more than TELNET. It does NOT require a password.
So, I can send an e-mail to your ISP asking for a password change pretending to be you.
In most cases, the recipient does not have a method to determine whether the sender is who they pretend to be. There are some clues in the e-mail header, but not much.

Regards,

Andres Tarzia
Technology Consultant, SMART S.A.
e-mail: atarzia@smart.com.ar

-----Original Message-----
From: Peter [mailto:peter@KITSRUS.COM]
Sent: Wednesday, December 15, 1999 21:50
To: PICLIST@MITVMA.MIT.EDU
Subject: [OT] hysteria about email

Don McKenzie and I have had 'problems' with our ISP in the USA. They suddenly required every user to change their passwords for general and secure site access (without notice I might add.) OK, that I accept. BUT trying to do the change has proven a nightmare.

Central to the problem has been the fact that they will not accept ordinary emails containing the new passwords.

Now, forget urban myths & armchair opinions: is there a proven case where a password or credit card number has been hacked from an email in transit? Is there any justification for the hysteria our ISP is showing about normal email? This is 12/99 after all. I have been using email since 10/95. In 4 years I have never read a case that ordinary email is unsecure when sent from a single user to the Internet.

Comments?

regards,

Peter Crowcroft
DIY Electronics (HK) Ltd
PO Box 88458, Sham Shui Po, Hong Kong
Voice: 852-2720 0255 Fax: 852-2725 0610
Email: peter@kitsrus.com Web: http://kitsrus.com
----------------------------------------------------------------------
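
The header clues mentioned in the reply at the top of this thread, as an added example that is not part of the original messages: a recipient-side check that compares the From domain with the Return-Path, the Message-ID and the earliest Received hop. The sample message, the example.* hosts, the Received layout and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From claims example.org, but the
# envelope sender, Message-ID and earliest relay hop all point at example.net.
SAMPLE = """\
Return-Path: <someone@mail.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.com with SMTP; Wed, 15 Dec 1999 22:05:11 -0300
Received: from dialup-77.example.net (dialup-77.example.net [198.51.100.77])
\tby mx.example.org with SMTP; Wed, 15 Dec 1999 22:05:02 -0300
Message-ID: <19991215220500.A123@dialup-77.example.net>
From: "Customer" <customer@example.org>
To: support@example.com
Subject: password change

Please change my password.
"""

def after_at(value):
    """Lower-cased text after the last '@', or '' when there is none."""
    return value.rpartition("@")[2].lower() if "@" in value else ""

def same_org(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def header_clues(raw):
    """Return a list of mismatches. They are hints, not proof: a legitimate
    sender may relay through another provider, and any header written before
    the first relay you trust can itself be forged."""
    msg = message_from_string(raw)
    from_dom = after_at(parseaddr(msg["From"] or "")[1])
    clues = []
    rp_dom = after_at(parseaddr(msg["Return-Path"] or "")[1])
    if rp_dom and not same_org(rp_dom, from_dom):
        clues.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    mid_dom = after_at((msg["Message-ID"] or "").strip().strip("<>"))
    if mid_dom and not same_org(mid_dom, from_dom):
        clues.append(f"Message-ID host {mid_dom} is outside {from_dom}")
    # Each relay prepends its Received line, so the last one is the earliest hop.
    hops = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)(?:\s+\(([^\s\[\])]+))?", hops[-1].strip()) if hops else None
    if m:
        # Prefer the name the relay recorded in parentheses over the claimed one.
        host = (m.group(2) or m.group(1)).lower()
        if not same_org(host, from_dom):
            clues.append(f"earliest hop {host} is outside {from_dom}")
    return clues

if __name__ == "__main__":
    for clue in header_clues(SAMPLE):
        print(clue)
```

An empty result only means these three fields are consistent with the From line; it does not authenticate the sender.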