Aussie PM Office Calls For Government Ban On Gmail, Hotmail
aesoteric writes "The Australian National Audit Office has called on all Australian government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks. The auditor noted that such public email services 'should be blocked on agency IT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure.' Not surprisingly, the move is seen by some as an attempt to prevent a WikiLeaks-style disclosure from occurring."
Why not just block uploading/downloading attachments from those services? That seems like it would solve the problem for the most part; even if you could hand type or copy/paste sensitive information, the time to do so would be prohibitive.
Now seriously guys, there are bad titles, and there are pathetic ones. This takes the cake as the prime of the prime on the latter camp. You make it sound like they want to ban it in Australia as a whole, while the truth is much more simple and in fact, valid. They simply urged the agencies to not use those services. The puzzlement should come from why are they using it anyway?
This was an audit performed on the security of Government data and not an exercise on quashing free speech. FFS aesoteric and samzepous, this was so pathetic that it wasn't even funny.
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
In the private sector I have been doing this for years, because of security. If a user wants to access his Gmail/private mail he can use his mobile, not via my network, and if management agrees I would place a shared system in areas that are on a separate network for such uses.
These types of blocks are easy to work around for the determined and extremely annoying for people just trying to do their jobs.
"I assumed blithely that there were no elves out there in the darkness"
If I want to get a file off a computer with Internet access, it WILL happen.
I have to block webmail services and all it means is that when I want to investigate data leakage, I have no idea where to start.
We permitted personal mail access in the past, and that made it much easier to hold people to account, as the poor sweet dears always imagined they were being dead subtle uploading the stolen files to a draft on gmail or wherever. Now, there are a million places in their browsing histories I have to check to see if they have an upload or post capability.
The Aussies are deluding themselves if they imagine this'll stop civil servants making off with secrets...
Obviously they can't come out and say directly that Google doesn't protect you from CIA BS, nor from the CIA's Wikileaks media outlet. They would be considered conspiracy nuts (as you consider me after reading this).
Australian Government employee here. (Posting as AC, of course.)
Our agency allows Hotmail, Gmail, etc. Just not from your desktop; you have to go through a special DMZ machine, and if you've received messages that you need for business, forward them to your official account. The given reason is a lot more mundane than Wikileaks: to keep malware, viruses, etc. out. (Although the use of these DMZ machines is, no doubt, monitored for leaks of unauthorised stuff too.)
The "official" agency e-mail servers are highly filtered for malware. Presumably Hotmail, Gmail, etc. are just as good at filtering... but by policy, we can't (and shouldn't) rely on something out of our control like that.
There are literally more than 290.000.000 ways to upload data to the internet. Blocking 2 gets you a list of 289.999.999 ways. On top of that, people can use their phones, USB drives, etc.
Proper safety stuff is *nothing* like that.
Anyway, it could be a first step in a "defense in depth" protection, to achieve a 2% or 5% more protection.
-Woof woof woof!
It is not unusual for companies to block webmail. I don't see why government departments shouldn't do it either. As others have pointed out, anyone who is determined will get information out anyway, but it does prevent the "casual" release, either accidental "There's a lot of hassle in the office, I have heard people say the merger might be off", deliberate but non-malicious "I'll email this document home and I can finish it this evening" or malicious "I'll email this home then if I don't get my pay rise.....".
I don't have to mention how much of nothing this solves.
The real issue is non-IT people making IT decisions.
Hi, I'm an Australian IT Security Administrator (thankfully not responsible for any of the agencies which recently got audited) but having these websites added to a blacklist doesn't just mean a technical block (which we all know can be bypassed) but it also means a clear IT Security policy decision saying "Accessing this website is against IT Policy". With this policy decision, actions can be taken against workers who attempt to bypass the block as we can say "It was clear in our policy and in its enforcement that the website was blocked, you have no excuse for accessing said banned services". This is important seeing as at the moment it is not as clear and punitive measures are somewhat limited. Although users tend to be a bit thick, I've found that a large majority of them in cases such as using unofficial web mail services for official purposes can be resolved through user education of the dangers of using said services. Not only that but if IT departments in these agencies actually listen to their users, they'll probably find the reasons on why users favour them over the existing solution (ease of use is usually the answer) which can also be addressed.
Remember Sarah Palin and her webmail that somebody got into by just answering some incredibly easy "security" questions? If I was in government IT security I'd be recommending that nothing remotely important was sent to or from hotmail etc.
There's also the archiving problem. An important email sent to or from hotmail may disappear into a black hole never to be seen again within a year so you are out of luck if you want the information in it after that date.
Then there's the "paper trail". We wouldn't have had so much on Poindexter and North selling weapons to terrorists (Hezbollah via Iran after Hezbollah killed all those US Marines) if their emails hadn't been on the backup tapes. That's one reason why places have rules about not using hotmail etc.
Finally, gmail may be stable but if you are a University that has outsourced your students' mail to hotmail and a stupid internal Microsoft DNS error prevents them getting email, your trouble ticket gets put in a queue for a week before it gets fixed. That's for paying customers. Lost mail and no access for over a week. Now consider how those on free accounts are going to get treated when things go wrong.
It really is quite stupid to rely on it for anything work related if you want to pretend to be any sort of professional organisation.
It's worse than that. "Aussie PM Office". What they're actually talking about is the "Department of the Prime Minister and Cabinet", the department which holds a sort of higher-level overview position within the Australian Public Service rather than being dedicated to one particular area of government. (Like the Prime Minister herself.) Hence the presence within that department of the National Audit Office, which does cross-department audits.
As for "Aussie PM" itself, that's not about self-respect. It's merely a failure to distinguish between levels of formality in speech and writing for an audience. She's the "Aussie PM" (or colloquially just "the PM") in the same way that the Queen is "Madge". But when you write formally (i.e. not transcribing speech to retain specific effect as I just did, or taking notes for oneself) then they're the "Australian Prime Minister" and "Her Majesty, The Queen" respectively.
Certainly not written by a Canberran (the actual colloquial spoken form is "PM and C", not "PM Office") and I doubt it was an Australian submission so much as an attempt to emulate the Australian vernacular.
Then again, I'd have contracted "president" to "pres", not "prezo" myself. So our vernaculars may simply differ. ^_^
Paul "TBBle" Hampson
Paul.Hampson@Pobox.Com
It's the Australian Prime Minister.
I assume this article was submitted by an Australian, and to that person I would say you need to get a little self-respect.
It's not insulting, it's a compliment.
I'm an Aussie, and I bear the term proudly. I am also proud of our long, rich heritage of not having sticks up our collective arses. Now an expat, I often refer to home as "Oz" and fondly tell stories like that of Bob Dwyer having to apologise to the Queen in 1991.
But referring to the highest office in the land, or any other official government entity for that matter, as being 'aussie' is just insulting.
PM or not, she bloody well better be an 'Aussie' first.
No, you would refer to him as the US President or more likely just the President, or Obama, even if you hated his guts. To do otherwise is to insult the American people.
According to large portions of the American people, Obama is a terrorist and G.W. Bush was retarded, so I'm not quite sure what you're trying to convey to that Australian who needs "a little self-respect".
They should block Tor, SSL websites, applications with encryption too (almost all modern archivers support AES, not to mention TrueCrypt and similar products). And special Aussie Windows version without built-in encryption won't hurt.
Good luck with this mission impossible.
My company (Worldwide) has switched to Google Apps and Gmail and we find it to be a very secure system so far, and the Gmail spam filter is top shelf.
As a proud Aussie myself, I have never met another Australian who feels the term "Aussie" is in any way degrading or rude. Some Americans may feel that way about the term "Yank" but I can say with complete confidence that "Aussie PM" gets used ALL THE TIME in Australia, by people and on TV.
And scan all email for viruses and malware? I've never so much as had a peep from anything I've gotten in GMail in 5 years.
given the state of disrepair of our university email system, many of us - staff included - are considering switching to something like gmail, to 'fix' things. probably quite a few government email systems are in no better shape.
My wife works for the FSA and cannot access gmail/yahoo there.
Mod parent up +1 Informative. Would do it myself (I have points) but I already posted on this thread.
the Australian PM is hugely unpopular (think Bush near the end of his reign) ..
And besides what email system IS secure?
I can definitely say, as an Australian Federal Public Service employee that web-based email is completely blocked. It is actually cause for immediate dismissal if you try to access them.
Remember the Second Law of Thermodynamics: Let the Lord of Chaos Rule
Blocking webmail services is like whack-a-mole. There's likely to be one somewhere that you'll miss, and when the potential leakers (henceforth known as patriots) find it, you're back to square one.
-- Even if a god did exist, why the fsck should I worship it?
Most people would've shortened that to "Yank Prez" and it's a perfectly cromulent way for a foreigner to refer to a US president, since we ourselves often refer to the president as "da prez" informally.
I'm sure Australians rarely refer to the "australian X" in their government though, since it's quicker to just say "the X". Adding the qualifier when it doesn't really need to be qualified seems a little patronizing.
Can you be Even More Awesome?!
Um as an Aussie we don't feel the "Aussie" is in any way insulting.
As an X Canadian I also did not feel any shame in being called a Canuck.
I assume you must be a Yank. Cause if I was a Yank I would be insulted.
You're way off base there. "PM" is used throughout the former British Commonwealth as semi-official short-hand for Prime Minister, and Aussie is a badge worn with pride. "Aussie PM" in particular is published in newspapers every single day.
I'm sure the PM herself would be horrified at the suggestion that the term was anything to be ashamed of.
And they criticize Arab countries for the liberty of expression and the right to use telecomm means!
Not how it works in Oz, politicians are the lowest form of life, lower than amoeba, racists and Fremantle Dockers fans.
We like it this way, they tend not to get delusions of grandeur like pollies in the states.
Well that's how you get most articles published. How many articles go "Obama $ACTION $VERB $ISSUE"?
This aside, the headline is completely wrong, the PM or her office did not do this, it's the National Audit Office, whose job it is to audit governmental data, that has recommended that webmail services should be blocked. Of course they are behind the times as most govt. depts already do this.
Her Ranga-ness, the Honourable Julia Gillard or the Department of the PM and Cabinet had nothing to do with it.
Calling someone a "hater" only means you can not rationally rebut their argument.
Have a look at Microsoft Forefront Threat Management Gateway (it's the renamed ISA Server).
It has full support for a man-in-the-middle HTTPS filtering module, with a wildcard certificate creation done for you as part of the wizard (the certificate is usually distributed in Active Directory to the clients).
It does however prompt you that there may be legal issues in your company should you enable the HTTPS filtering without notifying your users, and it also will prompt anyone using the client-side component with a balloon message saying that the HTTPS connection is being inspected.
Have you ever met, in person, an Australian Prime Minister? Back in 1988, I was a guest at the Parliament House Christmas party put on by the Labor Party for Parliament House staff. While I was having a cold beer, up comes an older man, magnificent head of silvery-gray hair, with a glass of orange juice and a big cigar.
"G'day mate, I'm Bob", he said, offering his hand.
I shook his hand and replied, "G'day Bob, I'm Ken."
That's how Aussie PM's should interact with other Aussies. I would hope the current Aussie PM would react the same if I said "G'day, Julia, I'm Ken."
As an American I can say with the utmost certainty, we tend to get offended at any nickname given by someone other than a close friend, regardless of why it was given, term of endearment or insult.
I don't really know why, I've been wondering that for the last several years myself. It seems that our struggles with racism seem to focus more on the name calling than the actual bad things that were involved with it. I think it may possibly be because if we focus on the names we can trick ourselves into forgetting the real bad shit we did in the past to other human beings.
That's just one theory I have anyway, but we definitely do have some retarded issue with name calling that seems to make any name offensive ... it's almost like it's just an excuse to move to physical violence. Maybe we have it so good that we have to create conflict where there is none?
*sigh* I really wish we could do what Rodney King said and just fucking get along with each other.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Or even more insulted if you were called a seppo.
Actually, I dropped the ball a little on this one. PM&C has a few "Offices" within it, but the National Audit Office isn't one of them, it's actually an arm of the Parliament under the Auditor General. >_
Paul "TBBle" Hampson
Paul.Hampson@Pobox.Com
Yank prez? I thought he was Chief Septic.
It's not clear to me how this improves security.
The only thing I can see that it stops is a user casually emailing a document off site. Leaks are more deliberate.
Unless your security policy also blocks most outbound ports, and does deep packet inspection on what it does let out, this appears to be just one sand bag in the stream.
Ways to move digital data offsite.
1. Media: DVD, CD, memory stick, portable hard drive, camera used as a flash drive, phone used as a flash drive.
2. Standard file protocols: ftp, ssh, sftp, http, https. The latter two would be hard to detect -- but the ratio of download to upload would be skewed for a particular host.
3. Sync files to/from my phone.
4. Teamviewer and the like. (Remote desktop protocols with file transfer capability.)
5. Tethered phone.
6. USB wireless + cantenna.
7. Running another OS in a virtual machine to evade locked down desktops.
8. In a windows shop, running 'portable apps'.
9. Embedding data in non-standard transports. E.g. Ping packets.
Stopping all of this is possible, even easy. Doing so in a way that people can still get any work done, and won't spit on IT people as they pass will be a bit more challenging.
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
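The upload-to-download skew mentioned in item 2 of the comment above can be checked from web proxy logs. The following is an added example, not part of the thread; the log format, host names, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log lines (hypothetical format):
# timestamp client method destination bytes_up bytes_down
SAMPLE_LOG = """\
2011-02-01T09:00:01 ws-014 GET intranet.example 420 184000
2011-02-01T09:00:09 ws-014 GET news.example 510 920000
2011-02-01T09:01:30 ws-022 POST files.example 48000000 1200
2011-02-01T09:01:55 ws-022 GET news.example 450 310000
2011-02-01T09:02:10 ws-031 POST forms.example 9000 700
2011-02-01T09:02:11 ws-031 garbage-line
2011-02-01T09:03:40 ws-014 POST intranet.example 15000 2200
"""

def per_host_totals(log_text):
    """Sum uploaded and downloaded bytes per client, skipping malformed lines."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # truncated or corrupt record
        try:
            up, down = int(fields[4]), int(fields[5])
        except ValueError:
            continue  # non-numeric byte counters
        totals[fields[1]][0] += up
        totals[fields[1]][1] += down
    return {host: tuple(v) for host, v in totals.items()}

def skewed_hosts(log_text, min_ratio=1.0, min_upload=1_000_000):
    """Return {host: ratio} for clients that upload more than they download.

    min_upload is a volume floor so that a host which only submitted a small
    form (high ratio, tiny volume) is not reported.
    """
    flagged = {}
    for host, (up, down) in per_host_totals(log_text).items():
        ratio = up / max(down, 1)  # avoid division by zero on upload-only hosts
        if up >= min_upload and ratio >= min_ratio:
            flagged[host] = round(ratio, 1)
    return flagged

if __name__ == "__main__":
    for host, ratio in skewed_hosts(SAMPLE_LOG).items():
        print(f"{host}: upload/download ratio {ratio}")
```

In practice both thresholds need a per-environment baseline, since build servers, backup agents and video-conferencing clients legitimately upload more than they download.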
Not really. The title is just syntactically ambiguous. The OP did not specify whether the "Government Ban" was the ban-by-the-government-upon-the-non-government-sector or the ban-for-use-by-the-government variety. Such ambiguity is the cost of using English instead of, say, lojban.