Department of Defense Now Blocking HTML Email
oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin. A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."
Reduced bandwidth, less entry vectors, less spam entering mailboxes. I guess the only losers are the people who send those annoying Flash giftcards through email.
~ C.
This I guess will just show my age, but I am soooo OK with this. Email should be just text, period. I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.
I guess I should get back to chiseling my notes on stone slabs now.....
At least then people will know why their email never got through. So many people use HTML email without being aware of it and don't realize that's what makes formatting possible.
Although the focus is on Outlook, it seems like there's an outside chance there may be other clients and web interfaces (namely all of them) that are vulnerable to most of the same problems....
I find HTML email useful for sending friends pictures with annotations, and I find numbered and bulleted lists useful visual aids for organizing information.
That said, Javascript should obviously be banned, and I wouldn't care if CSS wasn't supported. (CSS can be used to hide things deceitfully.)
Basically, I'd like to see BBCode used for emails, lol!
That's stupid. The problem is not with HTML mail (which is generated by many people unknowingly). They could just standardize on a safe mail program, with some mandatory defaults. They could force the use of a modified version of Thunderbird forcing the (already existing) option of "Disable JavaScript" off. Another interesting Thunderbird feature is the ability to "sanitize HTML", that is, remove from the HTML view anything that isn't strictly formatting (paragraphs, bullet lists, etc.).
however stripping HTML would be a better option as emails are usually sent as text/plain and text/html combined
blocking is just too drastic, perhaps IM would be a better option
If the DoD cannot find a solution to this kind of email, they should outsource its management to countries like India and Russia. Isn't it true that a good amount of our defense contracts are outsourced?
That's as obvious as the department of homeland security closing the borders!
I applaud the effort, but why did they take so long to wise up even this much?
Lynx.
Get rid of IE.
Although vanilla access to OWA is being blocked, there are still ways to get to your email from outside of the network (mainly what OWA was used for, anyhow). You can VPN into the network, log on to OWA using your CAC (common access card, smart card, etc), use your Blackberry (assuming your rank is high enough to get one ;)).
So instead of just plain old OWA sitting out there waiting for anyone to type in a username and password, they've upped the security a little bit. Yes, it's making us jump through hoops a little (for myself, need to stand up an ASA5510 as a VPN concentrator to receive outside connections), but it's not impossible.
Besides... not being able to check your work email from home can only be a good thing, no?? I know, I know, it's for people on travel, leave, etc. too...
As for the "blocking" of HTML email, can't say that I've seen that at all. Maybe it's only for emails that originate from outside of the network since we use HTML email all the time from within Outlook (formatting is useful in this case).
---John Holmes...
As long as stupid users dictate policy (and it always seems to be the most idiotic, uninformed, timetable pounding and ego-blinded of all users usually are in the upper echelons of an organization), security problems due to software choice will prevail. This is how microsnot products usually get pushed into an organization. Score one for the DoD getting rid of freaking html-mail and outhouse web access. One can only hope they s**tcan ms-exchange while they're at it.
Way too much email formatting is pointless and does not enhance communication. Links work fine in plain text and images/complexly formatted data can be attached. This is a giant leap forward. Does anyone have MUTT client for windows?
When I was young, I had to rub sticks together to compute.
Good! HTML email is very annoying. Most of the time it doesn't display as intended anyway. Many clients will only support a safer reduced set of html thus only parts of the page will display properly. This makes the page even harder to decipher. HTML email is really only useful for spammers and advertisers usually anyway. If something needs to be that heavily formatted, attach it as a word processor document. If you can't get a basic idea across in plain-text, then the problem probably isn't because you are missing your bold tag.
If an officer ever threatens to taze you, say you have a pacemaker.
good, no reason to have flashy html junk- especially in an environment that needs security!
This appears to be a temporary measure based on the current threat level.
If the Infocon levels work anything like the other readiness levels in the DoD, then a shift to Infocon 4 requires a change (temporary) in policy. So it seems that a shift back to level 5 would mean HTML e-mail is no longer blocked.
It's like after 9-11, when all DoD installations had much stricter physical access rules and extra guards at the gates.
Which is a shame, because saying goodbye to html email entirely would be fine by me.
If moderation could change anything, it would be illegal.
I work as a contractor to the Navy, and we received e-mails a few weeks back saying that HTML e-mail would no longer be allowed. However, they weren't blocking it, merely converting anything that was HTML to plain-text or RTF. I've not tested by sending an HTML e-mail to my .mil address (gonna try that in a few minutes), but I don't think they're actually blocking it.
After arguing this with people whose knowledge of email extends to clicking the correct buttons in their GUI client, I've given up. The more convincing arguments were always the ones about those who have trouble using email. They weren't a convincing argument for HTML email, they were just a convincing argument that some folks shouldn't be using computers.
Yes that is all they are doing. In fact, if the formatting comes across screwed up, there is an option to restore html view. Not sure just what rules are applied and how the emails are being affected. I do know I sent a table copied from another M$ product and sent it to my supervisor, which he replied back to me. The table was completely screwed up in plaintext mode. However, I did have the option of viewing the 'original format' or something close to it that put the table back the way it was.
I determined a couple of years ago that in order for the small IT department of one (me), to be able to keep up with potential Outlook security problems, I had to filter HTML down to Plain Text. When you've got a program that can be used to infect a computer just by previewing a message, you have to do _something_. Now that we've installed Exchange (bleh), internal messages are no longer filtered, but thankfully the old filters for stuff going in (and out) of the company remain in use.
If you know how to use HTML, you should know how to be able to write an email without using any HTML.
If you don't know how to use HTML, you shouldn't use it, period.
Once I was a four stone apology. Now I am two separate gorillas.
HTML wouldn't be such an exploitable thing with e-mail if Microsoft's mail software weren't so full of holes. If Outlook/Exchange is really that important to some organizations, why not offer support for [b]internal[/b] mail to be sent in Microsoft Word format?
Screw the rules, I have green hair!
All I can say is, the war in Iraq must be going really badly if the DoD is this desperate for additional recruits.
If the content of the message is changed, isn't the digital signature invalidated?
Or is the DoD just skipping the concept of digitally signing email?
I block html email myself simply because it is annoying and 90+% is spam anyway. Why is this a problem?
and what about those cute little Microsoft Office pictures? How will I ever be able to get my point across using just words?
Just not without CAC. If you have CAC, you can use it.
Well if you are DOD and you are not blocking/converting html emails then you are in violation of standing DOD directives. And no you are not allowed to simply stand up a VPN without going through the proper approvals either. So what command are you in, so we can shut down your NIPRNET connections. After all you appear to be part of the problem that they are trying to correct (ie incompetent system admins who put priority on ease of use instead of security).
Yay! How profound that what we've always known finally made it into the heads of the military. If you mix code into your data, you're screwed eventually. No way around it.
That said, it's the JavaScript, not the HTML - formatting is data not code.
Now if only they would figure out the same about Word/Excel.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
If the HTML is stripped from the body of the message, that means that the content of the message has changed from the context of the digital signature.
Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.
the only losers are the people who send those annoying Flash giftcards through email
Don't worry, they were already losers!
In the free world the media isn't government run; the government is media run.
I still receive all the HTML email I did previously - it's just converted to text formatting. A great deal of it is virtually illegible as some of the places I would receive email from had elaborate background files to their emails - now I just get a jumble of URLs at the start of those emails and have to search for the actual content.
The other problem is that (at least at my agency) we are still forced to create emails in Outlook RTF even though official policy was to switch Outlook to creating text-formatted emails (the option is locked thanks to our user settings). So our emails never get to where they are going looking the way they did when we sent them as they lose all formatting.
well, you already know the answer. Too bad nobody at the DoD is willing to step up and ask why their *nix systems are not having these problems.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Instead of facts, we get just another bash Microsoft thread. Figures.
Any here that are forced to use the NMCI (Navy/Marine Corps Intranet) network know that reading any email at all can be a challenge.
A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.
Most, including middle management, refer to NMCI as No More Computing In-house.
In order to get an idea just how bad things are, upper management conducted "customer satisfaction surveys". Even though the NMCI program office controlled the content, distribution, and analysis of the survey the results indicated overwhelming dissatisfaction. The NMCI program office has declined to release the raw data from the survey, instead issuing a release about the results. Rear Admiral J. B. Godwin III said releasing the results would challenge the "integrity of our data." Hmmm....
Most Navy labs that are under the burden of the NMCI contract maintain two networks, the legacy and the NMCI - the one to get work done on and the other to read email. This leads to double the costs and double the vulnerability exposure, and halves the resources to concentrate on security and usability.
Worst I hear that the Navy just extended the contract to 2010. Your tax dollars at work.
This little beastie got into an offline nuclear reactor and blanked their control of it for four hours. The same bug shut down monitoring on a CSX rail line, causing just as much concern.
How many years ago was all this? Sounds like the paperwork just got filed.
Good move.
--- For a good time mail uce@ftc.gov
Haha! I love it! Only about ten years before everyone else banned it and a mere fifty years before all the morons of this world (including David 'don't tell me I can't send HTML mail' Pogue) decide they're not going to give it up anyway.
And just a reminder that AutoDesk John Walker YEARS ago called HTML mail 'the hallmark of the clueless'.
Hooray.
I remember getting an RTF-formatted email from my ISP back in 1995, when you would actually see RTF in the wild.
I chose RTF as the format for my reply. I thought that was reasonable. (I forget what mail client I was using- maybe Eudora.)
They wrote me back, again in RTF.
"WTF is this? We can't open it."
No, not WTF.
Microsoft RTF.
Yes, I have to go through the proper approvals for VPN. It's still a valid option for getting back into the network from outside for the right people with the right approvals. That's all I was saying. Or OWA with CAC or Blackberries.
;)
Unless my DOIM is lying to me... they wouldn't do that, would they?
---John Holmes...
USAF uses INFOCON and FPCON (Force Protection) Alpha, Bravo, Charlie, and Delta (Alpha lowest & Delta highest). The article sounds like it was written in the THREATCON days when they went "backwards" in order...
http://www.e-publishing.af.mil/mastercatalog/product.asp?cat=sub&code=VA
It sounds like DoD IT people hate users' freedom! Sounds like we've found an Al Qaeda sleeper cell right in the DoD!!!
I encode all my emails using WingDings font, so absolutely no-one can read them :) I can't do that in plain text!
How Dare they mention the fact that Outlook Web services can be exploited. Now Where did I put that suitcase full of Campaign contributions ?
I hate to say it, but this isn't anything new. The USAF has been moving in this direction for quite a while, with a service wide mandate that came down back in June. I don't recall the exact date, and since I'm not at work, I don't have access to the email which contained the policy. Additionally, there's also been a DoD wide move towards a 'Standard Desktop Configuration'.
All in all, DoD is moving towards more secure networks, and making things a lot harder for the user to screw up on their own, as well as making it harder for people on the outside to get in and do much the same. Will it be effective? I'm not sure, although I personally think that it's not going to happen as long as they're set on remaining largely windows based. Moving to Vista isn't going to happen anytime soon, so any improvements there aren't going to be available for the near future.
I have no regrets, this is the only path.
My whole life has been "UNLIMITED BLADE WORKS"
It's not security, it's not size.. it's the bleedin' fact that every sodding day some bellend asks me how they insert >picture/video/stupidlink< into their email. I'm fed up with it! I'd rather feed their bones to pigs!
:o)
Merry Christmas by the way.
Incidentally, if those bloody angle brackets are the wrong way round - blame the sodding HTML! Merry Christmas again... and yes, I've been out getting lathered, deal with it!
Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
And that is that the web browser is designed specifically to deal with html. New html security holes are dealt with by web browser patches on a regular basis (for the good browsers anyway). Email clients read html as an extra; their main function is to send and receive email -- hopefully they will be updated regularly too when new security threats arise, but it's more likely to be an afterthought. That's another reason why I'm a proponent of having clients do what they are supposed to do and then pass the other protocols on to other clients rather than trying to do everything within a client that was primarily designed for one protocol. Why have a web browser read email and an email program handling HTML?
What do you think of the DoD's banning HTML email and going back to plaintext?
1. OMG! How am I supposed to share my baby pictures?
2. They're overreacting to a problem with readily available and easily implemented solutions.
3. Told you so! Told you so! Told you, told you. told you so!
4. Send in Cow-Rambo-y Neal!
It shouldn't be rocket science to display a piece of formatted text while disallowing network connections or scripts.
The fact that none of the major E-mail clients can be trusted to do this is a testament to the sad state of software engineering.
Too bad this policy is unenforceable. I work for one of the DoD branches and I got this message a few weeks back. I asked a friend who worked at the Dept of Info Management how they expected to enforce people from sending out HTML emails because everyone I knew sent HTML emails. His response was that it couldn't be enforced so there's nothing they could really do.
A lot of folks are going to say that this is overkill. A safe email client, patches, scanners, etc. should be "good enough". Well, if I was American (as opposed to Canadian), I'd say that this move by the DoD is a good one. Who cares if the risk is "small"? There is a higher risk with HTML email than plain text, and only marginal benefit. We are talking about an organization that needs to operate at very high levels of security.
A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.
That is so true. The Navy needed technical standards, not NMCI. The organization is too big and diverse for a one-size-fits-all solution. Application development has all but stopped outside of San Diego and EDS is running...or should say ruining...most of that. Layers of process and bureaucracy between the users and a usable product. What used to take months and cost thousands, now takes years and costs millions.
One example project...a working system built by just three developers in less than a year, part of the way through deployment when EDS moved in to take it over. Now there are 30 people on the project and they're scoping requirements...of a completed product in the middle of roll out. It's taken them almost two weeks to set up a test server.
When you take the billions invested, then add the man-hours wasted with people waiting on the help desk line the cost would be staggering. And I've never called when they weren't experiencing higher than normal call volume. When you have to play that message all the time, that means the normal call volume exceeds your capacity.
I will say this, though, after the 20-30 minute normal wait to get to a help desk operator, I've been very satisfied with them. That's the one part of the program that does work but doesn't justify the cost. I consider NMCI one of the great defeats in Naval history and casualties are 250 million US taxpayers.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
...The trouble is, they should've done this ten years ago. At least the HTML mail... It's a bit scary that the DoD is taking so long to get reasonably secure. Department of Defense, people!
Don't thank God, thank a doctor!
From: Donald Rumsfield
To: General Whosit
Subject: My final Orders
This email contains a computer trogan.
You are so pwned!!!
Sincerely
Osama Bin Ladin.
____
Yeah... Typos are on purpose
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
HTML emails are still allowed internally which most email is internal anyway. It's not about the web access it's the fact you need an ID card to log on making outlook web access useless.
Why don't they simply add some format conversion feature on the border e-mail gateway? That way, HTML messages get converted to plain text before delivery.
Then again, maybe they use Exchange, and can't implement something of this sort. I know it is, if not trivial, relatively easy to implement on many F/OSS MTAs (namely exim).
morcego
Dude here is correct. I work at the Staff war college that the article mentions. We set up a separate CAC enabled OWA footprint and when one got turned off we flipped the DNS switch to the other. Install some middleware and use your CAC card. Much more secure and really no big deal to do.
HTML email is no loss. Folks can still send word docs or use rich text. We improved our security posture significantly.
People can still VPN in as well, again using their CAC card.
I myself have cut back on checking email from home as I usually leave my CAC downstairs and am simply too lazy to go down there and get it to check email.
Why are they blocking the html totally?
Why can't they just have a white-list of allowed tags that are known to be harmless? (<p>, <b>, <i>, etc.) and then strip out all the others?
I am a DoD employee and saw them take this step a few weeks ago (without any notice, of course).
They don't block HTML mail specifically, but every email is "converted to plain text" by outlook. A very, very big hassle, especially when the boss likes to highlight and bold text in his emails. He can still do this because Outlook doesn't force you to compose in plain text. However, when it gets to the employees it can be confusing due to the conversion process (especially to the "old" folks who can't figure out how to convert it back to HTML).
They actually have disabled many of the options in Outlook so there is no way to allow Outlook to always show emails as HTML. A major pain, in my opinion. I always have a need to format tables of information and embed them in my emails. Oh well, time to change my ways - life goes on.
If god wanted us to write e-mails in html, He would have said
I read all my e-mail as "plain text". After all, HTML is plain-text too.
95% of the time that is all you need. Yeah, I can see they marked it italics or bold, but they are the same words.
If, after looking at the "raw" text, and I really think the formatting will convey some additional info, I might look at it as "html". Looking at the raw text gives you a pretty good idea if there is anything sinister about it.
In my experience, most HTML mail that "needs" HTML is junk mail, office jokes and the like.
Real business correspondence works on typed pages and plain text. No HTML needed to get your message across. Oh, but please do use a spell checker.
This issue is a bit more complicated than you think.
Outlook did me the favor the other day of removing the "extra" line breaks, screwing up the already limited formatting I was stuck with. People will get around this by attaching a Word or Excel document. So the bandwidth costs are only temporary, till they figure out how to get back the formatting capability they had. The search function will be severely limited, unless Outlook will search through attachments.
I think forcing plain text is a bit severe. I understand the vulnerabilities of HTML, but allowing a reduced subset of HTML function to provide for text formatting would be a better (as in more useful for the end user) option. If the IT folks are the only ones whose convenience is being considered, I guess plain text is fine, and for that matter we should still be using diskless VT terminals. I don't often use the "threw out the baby with the bathwater" cliche, but I think it fits here. Allowing tables and italics isn't going to kill us.
There is a reason why the Army networks are the most hacked of all the DOD networks. It starts with local command DOIMs (equivalent of local CIO for those wondering what that meant) not bothering to even read, much less implement JTF-GNO directives. Whether you are implementing a secure architecture is not the point. It's the fact that it's not consistent across commands. When a new zero-day exploit comes up, way too much time is wasted trying to figure out who or what is affected. A consistent standardized architecture is a well understood set of risks and tradeoffs. Often times, vulnerabilities go unaddressed because no-one higher up realizes that joe-admin at command xyz stood up their own non-standardized VPN that is now a giant hole in their network.
I concede your point, mostly. But my bosses want tables. I need the ability to copy/paste tables and queries from Access into an email, and limiting my emails to plain-text means I have to copy/paste the text, then manually format the table into pretty columns. And the first time a boss forwards my email to someone else, the formatting is screwed up again. I don't need the full spectrum of HTML capability, but tables are useful. Give me the tabular environment from Latex, or something. People will just adapt by sending attachments, and the entire plain text of the email will be "see attached." Does Outlook's search/find function work on attachments?
most of the computers i have at home are set up to NOT accept html email. they've been set up that way for years. the DOD should have done this years ago. they also should have dumped MS Outlook years ago. these are the people (the DOD) who are supposed to keep us safe?
I like the way Kmail does it. It displays the silly html as text, with a button that asks you if you want it rendered. A quick scan shows you who it's from and if the thing is legitimate. Clients that are all or nothing and riding on an OS that's full of holes are the cause of the problem.
Friends don't help friends install M$ junk.
The Air Force has been banning all webmail sites, save for GI Mail, since 2002.
"Install some middleware and use your CAC card"
CAC. *CAC!* Say it with me: "CAC." Does "Common Access Card card" make sense to you?
Sorry. Pet peeve o' mine. But I live this field.
-- Cerebus
This is exactly what they are implementing (converting HTML mail to plain text).
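The border-gateway conversion discussed in this thread, sketched as an added example (not part of any comment and not the DoD's or any MTA's actual filter): it keeps the text/plain alternative when one exists, otherwise renders the HTML part down to text with link targets made visible, and leaves signed mail and mail with attachments untouched because rewriting a signed body breaks verification. The function names, action labels and sample messages are assumptions made for this illustration.

```python
"""Border-gateway downgrade of HTML mail to text/plain (added illustration)."""
from email import message_from_string, policy
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects visible text, drops script/style bodies, shows link targets."""
    BLOCK = {"p", "br", "div", "li", "tr", "h1", "h2", "h3"}
    SKIP = {"script", "style", "title"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.skip, self.href = [], 0, None

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip += 1
        elif tag in self.BLOCK:
            self.parts.append("\n")
        elif tag == "a":
            self.href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self.skip = max(0, self.skip - 1)
        elif tag == "a" and self.href:
            # Print the real destination next to the display text.
            self.parts.append(f" <{self.href}>")
            self.href = None

    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)


def html_to_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.parts).splitlines())
    return "\n".join(l for l in lines if l)


def downgrade(raw):
    """Return (message, action) for one raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Changing the body changes the signed bytes, so verification would
        # fail at the recipient. Pass it through and let policy decide.
        return msg, "signed-untouched"
    if list(msg.iter_attachments()):
        # This sketch rewrites bodies only; never silently drop attachments.
        return msg, "has-attachments-untouched"
    if ctype == "text/plain":
        return msg, "unchanged"
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        text, action = plain.get_content(), "kept-plain-alternative"
    else:
        html = msg.get_body(preferencelist=("html",))
        if html is None:
            return msg, "unchanged"
        text, action = html_to_text(html.get_content()), "converted-html"
    msg.clear_content()    # drops the payload and the Content-* headers
    msg.set_content(text)  # text/plain body; From/To/Subject are preserved
    return msg, action


# Constructed sample messages, not taken from real traffic.
HTML_ONLY = """\
From: alice@example.org
To: bob@example.org
Subject: status
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Report is <b>ready</b>.</p><script>track()</script><p>See <a href="http://portal.example/r">the portal</a></p></body></html>
"""

SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: signed status
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="s1"

--s1
Content-Type: text/html; charset="utf-8"

<p>Report is <b>ready</b>.</p>
--s1
Content-Type: application/pkcs7-signature; name="smime.p7s"

(constructed placeholder, not a real signature)
--s1--
"""

if __name__ == "__main__":
    for sample in (HTML_ONLY, SIGNED):
        message, action = downgrade(sample)
        print(action, "->", message.get_content_type())
```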
So I guess you're a huge supporter of the single-DOIM concept and all of these regional centers that hold and control all of our data for us? So the entire force can just be a thin-client off of these, basically?
:)
This will work great when I tell the CG he can't get to his mail and even as his G6 I can't fix anything... "Let me make a few calls Sir and submit a trouble ticket. I'll get back to you." Or even better when we're deployed and half of our systems depend upon a regional hub that we have no control over? "Sorry you can't see that predator feed Mr. Brigade Commander. Let me submit a trouble ticket."
I'm not saying it's a totally bad idea, but I don't think it works for everyone. We'll see over the next year, I guess.
Merry Christmas.
You know... something like 12 tags and that's it.
bold, italic, underline, list.
More like when html started.
Formatting can help you to understand content.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
For the general purpose, internet-facing networks I do support a centrally organized and managed system. NMCI is great on paper and a sound concept, but its downfall seems to be crappy contracting letting EDS get away with supplying the bare minimum service levels. For the stuff you're talking about, central control is not as important because it's not facing the constant barrage of external and internal attack vectors. For example, you don't have to worry about trojaned email installing malicious software that quietly ships all your sensitive data out via innocuous looking http connections. But you do have to worry that every single wireless or vpn setup is done properly.
Wireless is on my list from my boss, too. IP radios, SECNET-11s and 54s, secure deployable cell phone networks...
;)
Then you've got G4 running all over with their CAISI systems...
You must not sleep well at night.
Merry Christmas
What's wrong with asterisks? Nothing. But you should realize that HTML is _not_ formatting instructions. HTML describes structure. HTML does not "add bullets". List mark-up is used to inform the user agent that what we have here is an (unordered) list. It's up to the UA to interpret that and show that structure in an appropriate way. For example, a UA that is designed to be listened to by a blind user (not render on a display that is seen by a sighted user) will necessarily be unable to indicate a list with small round black marks.
Email communication tends to be informal and doesn't in most cases require to be formatted - or structured. However, if the contention is that it is actually *not possible* in the 21st century to approach the standard of typography of 18th-century books (choosing an appropriate font-family and font size and making use of headings, italics, and smallcaps) then the situation is more absurd than it is generally recognized to be and deserves more comment than it usually gets. If we can't go _beyond_ that and mark up an email, so that it will be more easily understood by persons using non-graphical user agents, then it doesn't say much for the industry.
Simply allowing text helps server loading, but if the cycles are available, allowing selected, whitelisted HTML tags helps readability. The tags that make the whitelist should be benign formatting tags not unlike those allowed by /. (see "Allowed HTML" on the /. comment entry page.) ...to which I'd add 'pre', 'font' (only Courier, Helvetica, and Times), and those necessary to support tables of data. It wouldn't hurt to have such a list standardized so it is clear what will and will not be accepted.
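The tag allowlist proposed in several comments above, as an added example that is not part of any comment and not the code of Slashdot, Thunderbird or any mail product: only listed formatting tags survive, every attribute is removed, script and style content is discarded, and text is re-escaped so encoded markup stays text. The allowlist contents, the class and function names and the sample body are assumptions chosen for this illustration.

```python
"""Allowlist sanitizer for HTML mail bodies (added illustration, stdlib only)."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: formatting and table tags only, as the comments suggest.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "pre",
                "ul", "ol", "li", "table", "tr", "th", "td"}
VOID_TAGS = {"br"}
# For these elements the content is discarded along with the tag.
DROP_CONTENT = {"script", "style", "title", "iframe", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.open_tags = []   # allowed tags currently open, for balancing
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT element
        self.removed = []     # what was stripped, for gateway logging

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            self.removed.append(tag)
        elif self.drop_depth:
            return
        elif tag not in ALLOWED_TAGS:
            self.removed.append(tag)      # tag dropped, inner text kept
        else:
            # Every attribute is dropped: no on* handlers, style, href or src.
            self.removed.extend(f"{tag}[{name}]" for name, _ in attrs)
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in self.open_tags:
            # Close anything opened after this tag so output stays balanced.
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            # Character references were decoded by the parser; re-escape so
            # "&lt;script&gt;" stays text and cannot turn back into markup.
            self.out.append(escape(data, quote=False))


def sanitize(html_body):
    """Return (sanitized_html, removed_items)."""
    s = AllowlistSanitizer()
    s.feed(html_body)
    s.close()
    while s.open_tags:                    # close tags the sender left open
        s.out.append(f"</{s.open_tags.pop()}>")
    return "".join(s.out), s.removed


# Constructed sample body, not taken from any real message.
SAMPLE = ('<p onclick="track()">Status: <b>green</b> '
          '&lt;script&gt;x&lt;/script&gt;</p>'
          '<script>alert(1)</script>'
          '<img src="http://tracker.example/pixel.gif">'
          '<a href="javascript:void(0)">report</a>'
          '<ul><li>one</li><li>two</li></ul><i>unclosed')

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    print(removed)
```

The `removed` list is what a gateway would log per message, which also gives a measure of how much active content is arriving.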
I'm a network administrator/network security & vulnerability tech on an lhd and it's my job (and mine alone) to ensure the ship complies with the new infocon level. Looking at all the responses most of you have no idea how government networks work, it's not as easy as just sanitizing HTML or using modified versions of programs. My ship, for example, is a program of records ship. A very sexy/rich lady jumped through a million hoops so she could get access to the windows source code (nt4/2000) and modify it for the DoD. She changed a bit of this, and a bit of that and wrapped it up into a nice neat package with many strict rules we as information system technicians must abide by.
We'd love to just say "well, this program simply doesn't cut it for me. Let me load up the new version of "Bells-N-Whistles 2007", it works so much better." Unfortunately, there is a list of software we are allowed to use (detailed, down to the program version) and if the new Bells-N-Whistles 2007 ver 2.3 isn't on the list, we can't install it. Of course, we could always fill out the paperwork and propose the software for use, but I'd have more fun shoving wooden matches under my fingernails and lighting them on fire. After the paperwork, the proposed program must first be tested in a controlled environment that resembles our network and certified that it won't cause any negative effects on our network. In semi-short: we have deadlines to meet for each portion of the infocon switch. And if the answer is forcing the use of untested software DoD wide, then we open all the doors and windows to the very thing we are trying to stop by switching infocon levels in the first place.
As far as reduced bandwidth, we are never really strapped for bandwidth to begin with (smaller decks maybe, but not the big boys). The amount of bandwith we save is little to none, either way it goes unnoticed. And if by 'less spam entering mailboxes' you mean 'absolutely no change in the amount of spam entering mailboxes whatsoever' then you would be correct, sir!
And just because most 'normal' people don't use digital signatures doesn't mean that the military doesn't use them. There are parts to our communications that require digital signatures so they are actually used quite often, and the change hasn't effected the digital signatures at all.
The loss of OWA doesn't effect us at all since it's only authorized in select places anyway. And VPN is pretty much the same, you wont see it most places. These people saying there's always ways to get your work email from home sound like end users, not network admins. Of course there are always ways to get around everything, but it's probably against DoD policy. If your not working with us, your working against us, as is usually the case with admins vs. the end users.
HTML is not really needed if formatting is needed. People can just write the message in MS Word and attach the file if HTML is unavailable! Really good choice indeed!
I use FastMail.FM webmail to read my email. I always view HTML. The HTML produced is a subset of the full HTML and most tags are "defanged" (including images and forms but lots of other stuff too). That's the correct way to read email. Banning HTML completely instead of allowing a secure subset in a secure environment means people would opt for formats that are much worse than HTML.
http://www.defenselink.mil/news/dodnews.html
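The tag whitelist proposed in the comments above (benign formatting tags plus 'pre', 'font' limited to Courier, Helvetica and Times, and table tags, i.e. a "defanged" subset of HTML) can be sketched as follows. This is an added example, not code from any poster, Slashdot or FastMail.FM; the exact tag list and all names in it are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist (not Slashdot's or FastMail.FM's actual list).
ALLOWED = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote",
           "sup", "sub", "pre", "font", "table", "tr", "th", "td"}
VOID = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # remove the element and its text
FONT_FACES = {"courier", "helvetica", "times"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            # Every attribute is discarded; only an approved font face is re-emitted.
            face = (dict(attrs).get("face") or "").strip().lower()
            keep = f' face="{face}"' if tag == "font" and face in FONT_FACES else ""
            self.out.append(f"<{tag}{keep}>")
            if tag not in VOID:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while True:   # also close tags left open inside this one
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open_tags))

# Constructed sample message body, not taken from the thread.
SAMPLE = ('<p onclick="x()">Hi <b>there<script>alert(1)</script></p><font face="Comic Sans MS" size="7">a</font>'
          '<font face="Times">b</font><img src="http://tracker.example/p.gif"><a href="http://x.example">link</a> 1 &lt; 2')
```

Tags outside the allowlist (img, a, form, iframe and so on) lose their markup while their text is kept, so remote images and links cannot survive the pass.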
And so it goes, the world of Windows slowly but steadily moves forward in removing yet another piece of internet functionality, all in the name of security. Shame, isn't it, that because of Microsoft's swiss cheese products we can't seem to enjoy all the good things about the web that were promised?
If I didn't have absolutely NOTHING to do, I wouldn't be here.
It's not really a concern as far as the DoD is concerned.
If something needs a digital signature, then the person sending it is going to know how to configure their Outlook client to send in plaintext anyway. Our Outlook clients don't come "preconfigured" for signing, so the user has to know:
1. What a certificate is.
2. Configure ActivCard Gold on their machine to register the cert.
3. Navigate Outlook and find the security prefs.
4. Which cert to actually use with Outlook (there are 3 on each CAC card.)
5. To use THEIR cert, there are often more than just yours on any given machine.
From a DoD point of view, email coming in from "The Wild" from family and friends doesn't need a signature anyway, so it's not going to matter if a signature gets borked when the HTML is stripped. And if it's coming from a vendor who actually needs to use a signature, they'll be able to meet all five criteria mentioned above, and won't even use HTML.
OR...the NOC will simply add their domain to the whitelist and let it through.
Also, if the email is coming from a .mil domain, then it will arrive with HTML intact. If the generals/admirals didn't have the ability to automatically indent and inject their [Username] when replying, they'd collapse in a fit of frothing and twitching.
The DoD really hasn't ramped up the whole digital signature thing quite yet. They talk a big deal, but when it comes down to the Nuts&Bolts implementation, the only ones using it are the geeks, not the grunts.
As usual.
[End Of Line]
Fixed tags:
Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
Thank you for the tip. Merry Christmas!
Media is supposed to be free. They can express their opinions if they want. They aren't supposed to only report news, because most people just can't understand more than one aspect of the news.
ilex paraguariensis for all
Indeed. Intel does the right thing here -- if I'm interpreting their NISPOM-equivalent manual correctly, not only will they not outsource IT, they don't even allow non-Intel employees to have root. The E-ring people definitely need to do something about the contractors who hire employees based solely on clearance and blood pressure, and the poorly-written contracts that allow them to get away with it.
You can still use Outlook Webmail with CAC (ID card) logon... as of Friday last week. It has been threatened several times over the past few months but it has yet to be taken away for the foreseeable future.
I know, It'll take some getting used to.
I believe I speak for every mail system admin when I say "About bloody time".
It's only 10 years too late. It was about 10 years ago that the email viruses piggybacking on "active" content in HTML mail in Outlook and Outlook Express really started taking off.
I once peeked inside my Thunderbird's training.dat file. All the spammiest tokens were HTML tags. Good riddance.
"Knowledge is power. Power corrupts. Study hard. Take over the world."
Email messages need to convey information.
If I need to tell a student that
  2
 x
e is not integrable in elementary terms then you say I have to create a pdf document for this one sentence? Most people I know attach a word document to do it because they don't know any other way. Or I can write $e^{x^2}$ like mathematicians do and tell my students that hardly cope with their math that they need to learn TeX before they can learn math. Or I can write e^x^2 and make it ambiguous. Or I can do what I do and write e<sup>x<sup>2</sup></sup> and send it in a message with Content-type set to text/html and the student will be able to see it in any MIME-compliant email reader that is set to render a minimal harmless subset of html (sadly Slashdot doesn't think <sup> is a safe tag for me to use in formatting a post making me use "code" formatting to make sure this is rendered with fixed width font. In Email I don't even get the option to set fixed width font unless I use HTML or attach a file created in a word processor).
In real life most of the email I write is in Hebrew and there is no real plain text format that guarantees the recipient sees the same sentence I wrote. HTML provides the tools needed to control the way text is displayed without needing to create printable documents for every short note. When I compose English email I use plain text unless I need to convey information that needs html like math formulas or links.
1^{1/2} in HTML:
one way is: 11/2 and this is the way I would usually do it (with an html composer that has superscript/subscript buttons like all three different alternative composers in FastMail.FM's webmail interface).
Another way: 2
And another: 1½ (this is doable in fckeditor or in xinha using the "Insert special characters" button, see http://www.fckeditor.net/demo and http://xinha.gogo.co.nz/xinha-nightly/examples/full_example.html which actually has a cool equation editor :)
(I got the html entities from http://www.bigbaer.com/sidebars/entities/)
My students normally don't do these things. But then I can do the guesswork on what they mean, but I don't expect them to do the same to understand what I say. Anyway most of my students use forums where they have an equation editor that creates mathml (if they run winxp and can have admin privileges).
There's a fairly fool proof solution to all this that no one has mentioned on here.
It's really simple to block html email in outlook with a little bit of code since the functionality is built-in to outlook. Essentially, outlook/exchange already store a plain text copy of html email in some of the built-in Extended MAPI properties such as (see related PR_ properties). If you look at the bytes in any outlook/exchange message, you'll see that extended mapi always stores this information and thus it can be accessed not only via extended mapi, but custom c++, CDONTS, OOM, and more.
Having done some email/outlook related work for DoD in the past, I can tell you that they mostly use exchange anyway, so you just have to set a flag using extended mapi on the exchange server and outlook won't ever load up the html body. You can take it a step further by wiping out the html related garbage outlook stores in the compressed rtf stream to be sure. If someone has html email set, it won't matter because the message will just come up as plain text, so there is no need for any of this custom client or saved settings people keep talking about.
It seems most of the replies are from people that know nothing about how outlook/exchange read, store, and work with email. Btw, not every outlook client is the same, for example if you use word it's an entirely different ballgame, plus when you factor in outlook to outlook communication in RTF....
I still receive html e-mail from outside sources. The default view (and preview pane) have been changed to plain text - you right click on the banner telling you that and convert it back to html - poof, an html message again. I can't compose html though, only rich text, and if the recipient is a DoD person they'll have to go through the same rigmarole to see my original formatting.
From TFA: "the current threat level does not bar the use of attachments"
Now what was the problem again?
Regarding your claim that HTML mail is mandatory, I have a very hard time seeing that anybody would say: "The DoD don't accept HTML e-mail so we don't want them as customers".
Installed the Bubblemon yet?
Just today I found this cool tool that converts easy to type ascii notation for formulas ("simplified TeX") to mathml using javascript. And there are also visual tools to help.
There is a special page to make it easier to use in email: http://math.chapman.edu/email/
I prefer text mail but hardly anyone sends it any more. And outside the hacker community it seems you don't get much html mail...you get worse: a short note (e.g. "please see attached meeting summary") with a ONE PARAGRAPH WORD FILE ATTACHED!
mega-moronism. As a result the DoD will just get more word virus files and less html mail.
Pathetic....and in this case I don't mean DoD.
It is not so much HTML mail which has been blocked as access to all web-based email "clients" such as gmail, yahoo and of course the Outlook web client. HTML formatted MIME mail still is enabled- I just tested it.