Hacker News new | ask | show | jobs
by snowwrestler 3564 days ago
Yes the thread says that, but they are wrong. No lawyer in the world thinks that Microsoft Exchange is some sort of legal chain of custody or inviolable vault of perfect information.

The reason Exchange does not have the functionality to redact email address is that people who need to redact information usually prefer to do it by hand, so it would be a waste of Microsoft's time to build a utility to do it.

But to think that an Exchange DB can't be altered... I mean, if you have root on a machine you can do anything you want to the information on it. And yes, the legal world knows that.
1 comments
001sky 3564 days ago
Notwithstanding your good points about it not being fool-proof, it is an important point that your email software doesn't essentially promote or enable corruption of the meta data in the way you describe.

As a business person, nobody would [buy/use] exchange if it was not reasonably secure from an audit trail perspective. The intergrity of the communications is required for many business's who have record retention policy and what not.

Think about an analogy for a bank's accounting system that allowed audit trails to be compromised. Its a huge problem for the purchasing people and the managerial layer that has to sign off on sarbox etc.

link
mjcl 3564 days ago
Exchange by itself is absolutely not secure from an audit trail perspective[1]. I've specifically had this come up where an employee edited an e-mail to try and CYA.

Even if you are using journalling, an administrator can open the journal mailbox and edit messages. If you want/need a reasonably secure audit trail, you need a 3rd party product in addition to Exchange.

[1] https://www.msoutlook.info/question/edit-message-and-subject

link
snowwrestler 3564 days ago
The combo of Active Directory + Exchange gives system administrators a lot of power to use permissions to limit who can alter or destroy critical data. But obviously someone has to be the master admin, and that person's power can't be limited by software.

Technological audit trails are trustworthy only to the extent that the admins running them are trusted.

link