Slashdot Mirror


Department of Defense Now Blocking HTML Email

oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin. A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."

44 of 262 comments

  1. Good call by MostAwesomeDude · · Score: 4, Insightful

    Reduced bandwidth, less entry vectors, less spam entering mailboxes. I guess the only losers are the people who send those annoying Flash giftcards through email.

    --
    ~ C.
    1. Re:Good call by Anonymous Coward · · Score: 3, Informative

      I for one certainly don't miss the annoying pink backgrounds and purple text. But, you forget that a lot of internet based applications send out emails. So you should really include the developers in the losers category here.

      I don't know how many email templates I've gone through in the past week converting them to be plain text (where necessary). This mainly applies to processes that include sending tabular data to a person.

    2. Re:Good call by xdc · · Score: 3, Interesting

      Yes, this was absolutely the right choice. I just wonder what took them so long!

      I also wonder when other organizations will follow suit.

    3. Re:Good call by 1u3hr · · Score: 2, Informative
      you like your Italics, no?

      Bad typing. There's actually a <?i> instead of </i> at the end of the first line. Preview is pretty slow, I usually just wing it.

    4. Re:Good call by cluckshot · · Score: 4, Interesting

      If you are DOD and you want to get Commercial Off the Shelf (COTS) products to resolve your problems without hiring the massively expensive solutions of 1 off stuff built to design, you must be able to accept attachments such as .zip and html mail. Sorry but the commercial guys cannot even tell you what they are doing anymore without this stuff. DOD costs just got higher!

      I worked one DOD site where we had to email files of code. The volume of the attachments was beyond the Email limits so we had to zip the files. The filters blocked .zip. So we renamed the files .aaa or something like that. Then the filters didn't catch the files. That way we could get the emails. We had to break our own security just to do our job. This stuff is a real problem.

      The US DOD needs to can Microsoft. If they were to run Linux or Apple systems and then to sandbox all emails and web browser stuff under the OS a lot could be done and things would be much more secure. The basic problem is a Microsoft logical design construct. Microsoft thought that they should own your computer and you should rent it from them. Under these conditions they wanted "their" computers to be remotely controlled by various means. The means they designed into their constructs also leave sucking security holes which hackers and other malware designers just walk right through.

      There is a real reason most DOD people stick like glue to Microsoft. For Network security people in the DOD they are as worried that some subordinate might actually control his machine as they are of having foreign control. (Foreign to their system) As such they must keep central control. This is the Microsoft construct at a second level. The DOD system I worked on had an entire base having one root password that didn't change folks because of this demand. Linux etc doesn't conform to this as naturally as MS systems. Another level of this sticking like glue to MS systems comes from the fact that most of the people who program (contractors etc) for the Government like to keep their jobs. MS systems do not support legacy software well. As such they are continually "re-inventing the wheel" so to speak and it makes for lots of jobs that last a lifetime. It holds the DOD hostage to continually hiring the same contractor because his software is proprietary and cannot be easily "reverse engineered" without risk of software copyright violations. In the end this synergy of profits and control leaves the US DOD bleeding money, never able to do its job as effectively and wedded to MS systems.

      If the taxpayers get involved they will ban such OS like Microsoft because this is completely contrary to the interest of the taxpayers. It, however, requires the US DOD to recognize that its only true security lies in the loyalty of its people. In doing so it will have to retract from foreign (non-USA) suppliers and contractors. It will have to seriously look into who it is hiring and it will have to weed out those it has on payroll who are being more selfish than loyal. Let me assure you that if this situation is dealt with properly it will be a top to bottom 10 on the Richter Scale earthquake in US Government operations. Imagine if you will actually not being able to have the management read every document in someone's computer without them knowing. Imagine having someone who works for you who you actually have to be able to trust! Imagine real government security! (WOW!)
      --
      Never Politically Correct ~ I prefer the facts If you don't like what I say, get a life, or comment yourself.
  2. As They Should by deKernel · · Score: 5, Insightful

    This I guess will just show my age, but I am soooo OK with this. Email should be just text, period. I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.

    I guess I should get back to chiseling my notes on stone slabs now.....

    1. Re:As They Should by theMerovingian · · Score: 4, Funny


      Email should be just text, period.

      In my day email was dashes and dots, and we liked it that way.

      --
      "If you think you have things under control, you're not going fast enough." --Mario Andretti
    2. Re:As They Should by MobileTatsu-NJG · · Score: 4, Interesting

      "Email should be just text, period."

      Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground established at some point. You know... pretty text, no exploits. Well, I can dream. In the meantime, gotta give kudos to GMail. One of my favorite features is that it disables images until you turn them on. That's a feature Outlook 2000 could have used.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:As They Should by pchan- · · Score: 2, Funny

      But I just finished writing this inspirational xmas email in 32-point Comic Sans font with animated gifs of kittens and reindeer and attached 30-meg screensaver that I was going to send to Everyone@dod.gov

    4. Re:As They Should by Anonymous Coward · · Score: 5, Funny
      Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground established at some point. You know... pretty text, no exploits. Well, I can dream.



      I think that you have /really/ hit the nail on the proverbial head there. To make plain text emails usable we need a STRONG and well defined _SYNTAX_ for visually communicating "text style". Until then, this email thing will _never_ catch on.
    5. Re:As They Should by dkf · · Score: 2, Interesting
      Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground established at some point.
      You should be aware that there has been such a format for quite a while, using the MIME type of text/enriched. I used to receive quite a few emails that used it (no, I don't remember what the originating client was and I'm not interested in looking it up right now) but it never seemed to catch on more widely. (At a wild guess, that's because Outlook didn't generate it; yet another opportunity missed by those geniuses at Microsoft...)
      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    6. Re:As They Should by xTantrum · · Score: 3, Insightful

      you know i used to read /. for the interesting perspectives of the fellow geeks on here, but i've given up. I now read it for the comedians. wish i had my mod points.

      --
      $action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
    7. Re:As They Should by __aaclcg7560 · · Score: 2, Funny

      Especially since each one cost eight bits to send. ;)

    8. Re:As They Should by value_added · · Score: 2, Interesting

      I think that you have /really/ hit the nail on the proverbial head there. To make plain text emails usable we need a STRONG and well defined _SYNTAX_ for visually communicating "text style". Until then, this email thing will _never_ catch on.

      LOL. If the OP wants bold and underlining in his emails, I'd suggest he starts with reading

      T^HTh^Hhe^He M^HMu^Hut^Htt^Ht E^HE-^H-M^HMa^Hai^Hil^Hl^HCl^Hli^Hie^Hen^Hnt^Ht

      Personally, I'd find that annoying, like every other attempt to be interesting, or creative or otherwise expressive. Look folks, many of us read hundreds of emails per day. Subscribe to a few mailing lists and we're looking at thousands.

      Do we really need or want anything other than standard messages? The content of an average message is just a few sentences. What people send out, on the other hand, is somewhere between unnecessary and absurd. And all of it (at least in a corporate setting) gets stored and archived.

    9. Re:As They Should by HaveNoMouth · · Score: 2, Funny
      In my day email was dashes and dots, and we liked it that way.

      Dashes? You had dashes? You had it easy. We only had dots. And we liked it!

    10. Re:As They Should by CyberNigma · · Score: 2, Funny

      didadidit dadada didadidit

    11. Re:As They Should by freakxx · · Score: 2, Informative
      gotta give kudos to GMail. One of my favorite features is that it disables images until you turn them on.


      Well, Kmail also does a similar thing. But unfortunately, no Kmail for Windows. I really miss Kmail a lot when I use Windows.
      Thunderbird is also good but it hasn't implemented maildir format yet and mbox is a big pain in ass :-(

  3. Better yet, just pitch all the email...... by banerjek · · Score: 2, Insightful

    At least then people will know why their email never got through. So many people use HTML email without being aware of it and don't realize that's what makes formatting possible.

    Although the focus is on Outlook, it seems like there's an outside chance there may be other clients and web interfaces (namely all of them) that are vulnerable to most of the same problems....

    1. Re:Better yet, just pitch all the email...... by Sepodati · · Score: 4, Informative

      It still makes it through, it's just converted to plain text according to the article.

      ---John Holmes...

  4. Stupid by Nicopa · · Score: 3, Interesting

    That's stupid. The problem is not with HTML mail (which is generated by many people unknowingly). They could just standardize on a safe mail program, with some mandatory defaults. They could force the use of a modified version of Thunderbird forcing the (already existing) option of "Disable JavaScript" off. Another interesting Thunderbird feature is the ability to "sanitize HTML", that is, remove from the HTML view anything that isn't strictly formatting (paragraphs, bullet lists, etc.).

    1. Re:Stupid by Beryllium+Sphere(tm) · · Score: 4, Insightful

      But even without Javascript there are still web bugs, image file parsing exploits, and remember what engine is probably parsing the HTML on a Windows client. A "safe" email client is one that disables most of the features of HTML, and unless it's guaranteed to catch everything dangerous then it's safer to prevent HTML in the first place.

      Up-to-date patches would mitigate those, but do you think somebody might be saving some zero-days for the DoD?

    2. Re:Stupid by mackyrae · · Score: 3, Interesting

      There are ways in HTML email of inserting 1-pixel transparent gifs which have unique load addresses based on who opens the email so that the sender knows which people they mail read it. That's how spammers know if you open the spam they send. It's a sort of tracking cookie image.

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    3. Re:Stupid by kernelpanicked · · Score: 3, Insightful

      Wow. Every time I read a comment like the stupid trash you just posted it makes me want to scream DO YOU KNOW WHAT THE FUCK EMAIL IS? Why do Windows users feel it necessary to cram 50 different applications' functions into one super crappy, insecure piece of bloatware and then rave on about how superior it is? Me, personally, I'm using mutt in an enterprise environment because I'm just crazy enough to believe you should read email with, you know, a fucking email client.

      --
      Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
  5. That's pretty obvious! by erroneus · · Score: 3, Funny

    That's as obvious as the department of homeland security closing the borders!

    I applaud the effort, but why did they take so long to wise up even this much?

  6. Still ways to get email from outside the network by Sepodati · · Score: 4, Interesting

    Although vanilla access to OWA is being blocked, there are still ways to get to your email from outside of the network (mainly what OWA was used for, anyhow). You can VPN into the network, log on to OWA using your CAC (common access card, smart card, etc), use your Blackberry (assuming your rank is high enough to get one ;)).

    So instead of just plain old OWA sitting out there waiting for anyone to type in a username and password, they've upped the security a little bit. Yes, it's making us jump through hoops a little (for myself, need to stand up an ASA5510 as a VPN concentrator to receive outside connections), but it's not impossible.

    Besides... not being able to check your work email from home can only be a good thing, no?? I know, I know, it's for people on travel, leave, etc. too...

    As for the "blocking" of HTML email, can't say that I've seen that at all. Maybe it's only for emails that originate from outside of the network since we use HTML email all the time from within Outlook (formatting is useful in this case).

    ---John Holmes...

  7. Re:I like some HTML email by commodoresloat · · Score: 3, Insightful

    Put the pictures on a web page and send your friends a link to the web page. I can't stand getting pictures via email. If you must show me a photo of your new kid, put it on a website and send me the link. I still won't look at it, but I'll respond telling you how cute he/she is and we will both feel better. As for bulleted lists,

    * what
    * the
    * hell
    * is
    * wrong
    * with
    * asterisks?

  8. Good! by porkThreeWays · · Score: 4, Informative

    Good! HTML email is very annoying. Most of the time it doesn't display as intended anyway. Many clients will only support a safer reduced set of html thus only parts of the page will display properly. This makes the page even harder to decipher. HTML email is really only useful for spammers and advertisers usually anyway. If something needs to be that heavily formatted, attach it as a word processor document. If you can't get a basic idea across in plain-text, then the problem probably isn't because you are missing your bold tag.

    --
    If an officer ever threatens to taze you, say you have a pacemaker.
    1. Re:Good! by Xugumad · · Score: 2, Insightful

      No, not a word processor document, please attach it as a PDF!

  9. Temporary? by Bluesman · · Score: 4, Interesting

    This appears to be a temporary measure based on the current threat level.

    If the Infocon levels work anything like the other readiness levels in the DoD, then a shift to Infocon 4 requires a change (temporary) in policy. So it seems that a shift back to level 5 would mean HTML e-mail is no longer blocked.

    It's like after 9-11, when all DoD installations had much stricter physical access rules and extra guards at the gates.

    Which is a shame, because saying goodbye to html email entirely would be fine by me.

    --
    If moderation could change anything, it would be illegal.
  10. Blocking? Looked to me they were just converting. by MysticOne · · Score: 2, Informative

    I work as a contractor to the Navy, and we received e-mails a few weeks back saying that HTML e-mail would no longer be allowed. However, they weren't blocking it, merely converting anything that was HTML to plain-text or RTF. I've not tested by sending an HTML e-mail to my .mil address (gonna try that in a few minutes), but I don't think they're actually blocking it.

  11. There's no excuse for it by thewils · · Score: 2, Insightful

    If you know how to use HTML, you should know how to be able to write an email without using any HTML.

    If you don't know how to use HTML, you shouldn't use it, period.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  12. Doesn't that break digital signing? by khasim · · Score: 4, Interesting

    If the content of the message is changed, isn't the digital signature invalidated?

    Or is the DoD just skipping the concept of digitally signing email?

    1. Re:Doesn't that break digital signing? by WED+Fan · · Score: 2, Informative

      If the content of the message is changed, isn't the digital signature invalidated? Or is the DoD just skipping the concept of digitally signing email?

      The content doesn't change, just the rendering.

      --
      Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
    2. Re:Doesn't that break digital signing? by emurphy42 · · Score: 3, Insightful

      How many people do you really think there are who (1) write HTML messages and (2) even know what digital signing is, much less use it?

  13. And the problem with this is? by imasu · · Score: 2, Interesting


    I block html email myself simply because it is annoying and 90+% is spam anyway. Why is this a problem?

    1. Re:And the problem with this is? by fluffy99 · · Score: 2, Insightful

      Because 10% is not spam?

  14. The HTML determines the rendering. by khasim · · Score: 3, Insightful

    If the HTML is stripped from the body of the message, that means that the content of the message has changed from the context of the digital signature.

    Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.
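The two cases argued in this sub-thread, as an added illustration that is not part of any comment: a client that only renders a stored message as text leaves the signed bytes alone, while a gateway that rewrites the body does not. HMAC-SHA256 stands in for an S/MIME signature here, and the `X-Demo-*` header names, key and message are constructed for the example.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage

KEY = b"constructed-demo-key"      # stand-in for the sender's signing credentials
SIG = "X-Demo-Signature"           # hypothetical header carrying the signature
CHECK = "X-Demo-Gateway-Check"     # hypothetical header stamped by the gateway


def sign(body: str) -> str:
    """HMAC-SHA256 over the exact body bytes (stand-in for an S/MIME signature)."""
    return hmac.new(KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(msg: EmailMessage) -> bool:
    """Recompute the signature over the body as it is stored right now."""
    return hmac.compare_digest(sign(msg.get_content()), str(msg[SIG] or ""))


def strip_tags(html: str) -> str:
    """Crude tag removal, enough to show that the bytes change."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()


def signed_html_message() -> EmailMessage:
    """Constructed sample: an HTML-only message signed by its sender."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "recipient@example.org"
    msg["Subject"] = "Orders"
    msg.set_content("<html><body><p>Report at <b>0900</b>.</p></body></html>",
                    subtype="html")
    msg[SIG] = sign(msg.get_content())
    return msg


def client_render_as_text(msg: EmailMessage) -> str:
    """Client-side plain-text view: the stored message is not modified."""
    return strip_tags(msg.get_content())


def gateway_rewrite(msg: EmailMessage, stamp: bool = False) -> EmailMessage:
    """Server-side conversion: the HTML body is replaced, so the signed bytes are gone."""
    out = EmailMessage()
    for name in ("From", "To", "Subject", SIG):
        out[name] = msg[name]
    if stamp:  # verify while the original bytes still exist, then record the verdict
        out[CHECK] = "pass" if verify(msg) else "fail"
    out.set_content(strip_tags(msg.get_content()))
    return out


if __name__ == "__main__":
    original = signed_html_message()
    print("rendered as text:", client_render_as_text(original), verify(original))
    print("rewritten at gateway:", verify(gateway_rewrite(original)))
```

With `stamp=True` the gateway checks the signature before converting and records the result, which is the only point at which the check can still succeed.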

  15. Too late... by myowntrueself · · Score: 3, Funny

    the only losers are the people who send those annoying Flash giftcards through email

    Don't worry, they were already losers!

    --
    In the free world the media isn't government run; the government is media run.
  16. Slashdot strikes again......sigh. by LibertineR · · Score: 4, Informative
    Folks, the DOD is NOT blocking HTML mail, just converting it to plain text and disabling scripts, something ANY Exchange admin should already be doing in addition to Sender ID.

    Instead of facts, we get just another bash Microsoft thread. Figures.
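The conversion described in this thread (HTML flattened to plain text, scripts dropped, web bugs never fetched), sketched as an added example that is not part of any comment and is not the DoD's or Exchange's implementation. It uses only Python's standard library; the sample message, host names and finding labels are constructed for illustration.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

DROP = {"script", "style", "head"}   # element content never copied to the output
REMOTE = {"img": "src", "iframe": "src", "embed": "src", "object": "data"}
BREAK = {"p", "div", "br", "tr", "li", "table"}


class Flattener(HTMLParser):
    """Reduce an HTML body to text; record what would have run or phoned home."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
        self.skip, self.href = 0, None   # DROP nesting depth; target of the open <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in DROP:
            self.skip += 1
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        # onload, onerror, onclick, ... would execute in an HTML-rendering client
        self.findings += [("event-handler", f"{tag}.{n}") for n in a if n.startswith("on")]
        url = a.get(REMOTE.get(tag, ""), "")
        if url.lower().startswith(("http://", "https://")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            kind = "tracking-pixel" if tag == "img" and tiny else "remote-" + tag
            self.findings.append((kind, url))
        if tag == "a":
            self.href = a.get("href")
        self.out.append("\t" if tag in ("td", "th") else "\n" if tag in BREAK else "")

    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(0, self.skip - 1)
        elif tag == "a" and self.href:
            self.out.append(f" <{self.href}>")   # keep the real link target visible
            self.href = None
        elif tag in BREAK:
            self.out.append("\n")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(re.sub(r"\s+", " ", data))

    def text(self):
        lines = (ln.strip() for ln in "".join(self.out).split("\n"))
        return "\n".join(ln for ln in lines if ln)


def convert(msg):
    """Return (plain_text, findings) for a parsed email message."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:   # no HTML alternative: pass the plain body through
        plain = msg.get_body(preferencelist=("plain",))
        return (plain.get_content() if plain else ""), []
    f = Flattener()
    f.feed(part.get_content())
    f.close()
    return f.text(), f.findings


def sample_message():
    """Constructed sample: script, event handler, table and a 1x1 remote image."""
    msg = EmailMessage()
    msg.set_content("Plain alternative")
    msg.add_alternative("""<html><head><style>p{color:pink}</style>
<script>document.title='x'</script></head><body onload="init()">
<p>Quarterly <b>figures</b>; see the <a href="http://198.51.100.7/portal">staff portal</a>.</p>
<table><tr><th>Unit</th><th>Open</th></tr><tr><td>Alpha</td><td>3</td></tr></table>
<img src="https://track.example.net/o.gif?rcpt=analyst" width="1" height="1"></body></html>""", subtype="html")
    return msg
```

`convert(sample_message())` returns the three text lines (table cells separated by tabs, the link shown with its real destination) together with the script, event-handler and tracking-pixel findings that a gateway could log.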

  17. NMCI goes even further by truckaxle · · Score: 4, Interesting

    Any here that are forced to use the NMCI (Navy/Marine Corps Intranet) network know that reading any email at all can be a challenge.

    A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.

    Most, including middle management, refer to NMCI as No More Computing In-house.

    In order to get an idea just how bad things are, upper management conducted "customer satisfaction surveys". Even though the NMCI program office controlled the content, distribution, and analysis of the survey the results indicated overwhelming dissatisfaction. The NMCI program office has declined to release the raw data from the survey, instead issuing a release about the results. Rear Admiral J. B. Godwin III said releasing the results would challenge the "integrity of our data." Hmmm....

    Most Navy labs that are under the burden of the NMCI contract maintain two networks, the legacy and the NMCI - the one to get work done on and the other to read email. This leads to double the costs and double the vulnerability exposure, and halves the resources to concentrate on security and usability.

    Worst, I hear that the Navy just extended the contract to 2010. Your tax dollars at work.

  18. Re:I like some HTML email by commodoresloat · · Score: 3, Insightful

    I don't see the point of taking security risks and wasting bandwidth on email that "looks nicer." You want a nice looking email, format it as a webpage, and send your friend a link to the web page. Or print it out and stick it in the post box. My email program is instructed to display all email as text only and if it is full of crappy html that isn't filtered out, I hope it wasn't an important email because I deleted it. But I shouldn't have to bother; this junk should be filtered out at the server level and I'm glad the DoD at least recognizes that email security is more important than how nice it looks. I only wish my university would do the same :) Don't get me wrong, I love html, but it's not made for pretty-ing up email. It's made for hyper-text, which email should not be. Most email programs allow you to follow links that are part of an email message pretty easily, so what's wrong with sending the link to your browser?

  19. Why Treat Only Unknown Senders as Hostile? by darkonc · · Score: 2, Funny

    From: Donald Rumsfield
    To: General Whosit
    Subject: My final Orders

    This email contains a computer trogan.

    You are so pwned!!!

    Sincerely
    Osama Bin Ladin.
    ____

    Yeah... Typos are on purpose

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  20. My middle ground - both by NotQuiteReal · · Score: 2, Insightful
    As an old boss once used to say, when presented with options - "Do Both!"

    I read all my e-mail as "plain text". After all, HTML is plain-text too.

    95% of the time that is all you need. Yeah, I can see they marked it italics or bold, but they are the same words.

    If, after looking at the "raw" text, I really think the formatting will convey some additional info, I might look at it as "html". Looking at the raw text gives you a pretty good idea if there is anything sinister about it.

    In my experience, most HTML mail that "needs" HTML is junk mail, office jokes and the like.

    Real business correspondence works on typed pages and plain text. No HTML needed to get your message across. Oh, but please do use a spell checker.

    --
    This issue is a bit more complicated than you think.
  21. not entirely by misanthrope101 · · Score: 2, Insightful
    My workplace recently did something similar. I was never crazy about flashy colors and zillion font options. But I do miss the ability to send tables as part of the email. My job frequently involves info that is best represented in a table, and the ability to copy/paste a table into an email was very helpful. Even allowing for the limitations of plain text,

    Outlook did me the favor the other day of removing the "extra" line breaks, screwing up the already limited formatting I was stuck with. People will get around this by attaching a Word or Excel document. So the bandwidth costs are only temporary, till they figure out how to get back the formatting capability they had. The search function will be severely limited, unless Outlook will search through attachments.

    I think forcing plain text is a bit severe. I understand the vulnerabilities of HTML, but allowing a reduced subset of HTML function to provide for text formatting would be a better (as in more useful for the end user) option. If the IT folks are the only ones whose convenience is being considered, I guess plain text is fine, and for that matter we should still be using diskless VT terminals. I don't often use the "threw out the baby with the bathwater" cliche, but I think it fits here. Allowing tables and italics isn't going to kill us.