I’ve neglected this blog a little bit for the past few days while I’ve been playing with my new toy (a Cingular 8125, basically a re-branded HTC Wizard). I should be back soon, with a neat post or two about the sort of tools a security geek might want on his or her Windows Mobile phone. I’ve had a lot of fun with it so far.
To tide you over until then, I ran across this post, by HD Moore, on the Full-Disclosure list today:
This is interesting for a couple of reasons. One, it gets you thinking about the potential value ex-employee email addresses have to a company. The temptation to continue monitoring incoming mail on these addresses is high. Is it legal? As you can tell from the discussion already on the list, it all depends on the agreements the employee has signed. Pretty soon you’ll start seeing clauses about post-employment in consent-to-monitoring agreements, if you haven’t already seen them.
Another reason this is interesting is that HDM pulled a neat, low-tech trick to verify that someone was reading mail sent to the address he was writing to. I’ve done this before, and it works fairly well. In a way it’s similar to the phish-baiting techniques I’ve written about before on here. This is something you can add to your bag of tricks (it also works well for other protocols: IM, IRC, etc.), and it’s something to keep in mind when someone gives you a link in a situation like this.