Aussie PM Office Calls For Government Ban On Gmail, Hotmail
aesoteric writes "The Australian National Audit Office has called on all Australian government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks. The auditor noted that such public email services 'should be blocked on agency IT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure.' Not surprisingly, the move is seen by some as an attempt to prevent a WikiLeaks-style disclosure from occurring."
Now seriously guys, there are bad titles, and there are pathetic ones. This takes the cake as the prime of the prime in the latter camp. You make it sound like they want to ban it in Australia as a whole, while the truth is much more simple and in fact valid. They simply urged the agencies not to use those services. The puzzlement should come from why they are using it anyway.
This was an audit performed on the security of Government data and not an exercise on quashing free speech. FFS aesoteric and samzepous, this was so pathetic that it wasn't even funny.
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
In the private sector I have been doing this for years, because of security. If a user wants to access his Gmail/private mail he can use his mobile, not my network, and if management agrees I would place a shared system on a separate network in designated areas for such uses.
Once this session is in HTTPS how do you determine what's a POST for someone sending text and someone sending data?
The only way to do it would be in the browser and not anywhere in the rest of the network. Simply from a management perspective, this just isn't possible.
Curiosity was framed; ignorance killed the cat. -- Author unknown
Good luck detecting what is an attachment and when you just "copy/pasted sensitive information in the very body of the email".
Even when blocking gmail/yahoo, this still does not address leakers using:
a. a HTTP proxy (e.g. to access gmail).
b. a private mailserver
c. a combination of the above (one can arrange for tunneling through HTTP a totally different protocol).
Questions raise, answers kill. Raise questions to stay alive.
It is not unusual for companies to block webmail. I don't see why government departments shouldn't do it either. As others have pointed out, anyone who is determined will get information out anyway, but it does prevent the "casual" release, whether accidental ("There's a lot of hassle in the office, I have heard people say the merger might be off"), deliberate but non-malicious ("I'll email this document home and I can finish it this evening") or malicious ("I'll email this home, then if I don't get my pay rise.....").
True, but if someone needs gmail to do their government job, someone is not doing their job correctly.
:)
The real problem with gmail, yahoo, msn or whatever is that it isn't the government's server, and there are lots of requirements for archiving and providing an audit trail for government business that gmail cannot (and shouldn't) provide.
IT is more than just putting up a webpage and sending messages; it is also ensuring accountability and security. Free web mail is fine and even preferable for private stuff, but when it comes to government work we demand a certain accountability and security, and rightly so. Perhaps people do private messages at work, but this is damn hard to filter, and in general on tax-payers' time you have no right to be doing private correspondence on government payroll and equipment.
From the worker's point of view it might seem a hassle, but try to look at it from the administrator's point of view. Those blocks are there for a reason, and the audit trail is there for a reason. Remove the audit trail and it would be close to impossible to make any sort of investigation into who stole the last $10,000 from the government till, who influenced whom in the last bid, and who approved what through which contacts.
People aren't perfect, company and government policies even less so, but there is often a reason for the policy even if it is implemented wrongly.
Go and hug your IT admin today; you'll find it easier to get your job done.
The main reason we're given is record keeping acts. How do you archive work documents being sent through gmail, hotmail and so on? We're now getting requests to distribute official documents through Dropbox. Once we peeled the records manager off the ceiling, we said no.
A real world example.
I don't have to mention how much of nothing this solves.
The real issue is non-IT people making IT decisions.
It is 100% possible and it is done every day.
The proxy terminates the HTTPS request and then creates a new HTTPS request going out. So yes, you can tell if there is a POST event. You can tell if it is a file. You may not be able to read the file, as it may have separate encryption.
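To make the point above concrete, here is an added example (not from any poster or product on this page) of what a TLS-terminating proxy can classify once it sees the decrypted request: whether a POST goes to a webmail host, whether it carries a multipart file upload, and, as a crude stand-in for the "copy/pasted into the body" case raised earlier, whether a text-only POST is unusually large. The host list, size threshold and sample requests are all constructed assumptions.

```python
import re

# Assumed block list of webmail hosts; a real deployment would use a category feed.
WEBMAIL_HOSTS = {"mail.google.com", "hotmail.com", "mail.yahoo.com"}

def parse_request(raw: bytes):
    """Split a decrypted HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def multipart_filenames(content_type: str, body: bytes) -> list:
    """Return the filename= values of multipart/form-data parts (file uploads)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    boundary = b"--" + m.group(1).encode()
    names = []
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        part_head, _, _ = part.partition(b"\r\n\r\n")
        fm = re.search(rb'filename="([^"]*)"', part_head)
        if fm:
            names.append(fm.group(1).decode("utf-8", "replace"))
    return names

def classify(raw: bytes, body_text_limit: int = 2048) -> dict:
    """Flag POSTs to webmail hosts; distinguish file uploads from large pasted text."""
    method, target, headers, body = parse_request(raw)
    host = headers.get("host", "").lower()
    verdict = {"host": host, "method": method, "webmail": host in WEBMAIL_HOSTS,
               "upload": False, "filenames": [], "large_text": False}
    if not verdict["webmail"] or method != "POST":
        return verdict
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        verdict["filenames"] = multipart_filenames(ctype, body)
        verdict["upload"] = bool(verdict["filenames"])
    # Assumed heuristic: a text-only POST over the limit looks like pasted content.
    if not verdict["upload"] and len(body) > body_text_limit:
        verdict["large_text"] = True
    return verdict

# Constructed sample requests, as seen after the proxy has decrypted them.
UPLOAD = (b"POST /mail/send HTTP/1.1\r\nHost: mail.google.com\r\n"
          b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
          b"--XYZ\r\nContent-Disposition: form-data; name=\"body\"\r\n\r\nhello\r\n"
          b"--XYZ\r\nContent-Disposition: form-data; name=\"attach\"; "
          b"filename=\"q3-budget.xlsx\"\r\nContent-Type: application/octet-stream"
          b"\r\n\r\n\x00\x01binary\r\n--XYZ--\r\n")
TEXT = (b"POST /mail/send HTTP/1.1\r\nHost: mail.google.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"to=x%40example.com&body=" + b"A" * 3000)
```

The size heuristic only tells a long body from a short one; as the thread notes, an attachment that is separately encrypted or pasted text below the threshold still passes unless the proxy inspects content.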
Remember Sarah Palin and her webmail that somebody got into by just answering some incredibly easy "security" questions? If I was in government IT security I'd be recommending that nothing remotely important was sent to or from hotmail etc.
There's also the archiving problem. An important email sent to or from hotmail may disappear into a black hole never to be seen again within a year so you are out of luck if you want the information in it after that date.
Then there's the "paper trail". We wouldn't have had so much on Poindexter and North selling weapons to terrorists (Hezbollah via Iran, after Hezbollah killed all those US Marines) if their emails hadn't been on the backup tapes. That's one reason why places have rules about not using hotmail etc.
Finally, gmail may be stable, but if you are a university that has outsourced your students' mail to hotmail and a stupid internal Microsoft DNS error prevents them getting email, your trouble ticket gets put in a queue for a week before it gets fixed. That's for paying customers: lost mail and no access for over a week. Now consider how those on free accounts are going to get treated when things go wrong.
It really is quite stupid to rely on it for anything work related if you want to pretend to be any sort of professional organisation.
It's the Australian Prime Minister.
I assume this article was submitted by an Australian, and to that person I would say you need to get a little self-respect.
It's not insulting, it's a compliment.
I'm an Aussie, and I bear the term proudly. I am also proud of our long, rich heritage of not having sticks up our collective arses. Now an expat, I often refer to home as "Oz" and fondly tell stories like that of Bob Dwyer having to apologise to the Queen in 1991.
But referring to the highest office in the land, or any other official government entity for that matter, as being 'Aussie' is just insulting.
PM or not, she bloody well better be an 'Aussie' first.
No, you would refer to him as the US President or more likely just the President, or Obama, even if you hated his guts. To do otherwise is to insult the American people.
According to large portions of the American people, Obama is a terrorist and G.W. Bush was retarded, so I'm not quite sure what you're trying to convey to that Australian who needs "a little self-respect".
As a proud Aussie myself, I have never met another Australian who feels the term "Aussie" is in any way degrading or rude. Some Americans may feel that way about the term "Yank" but I can say with complete confidence that "Aussie PM" gets used ALL THE TIME in Australia, by people and on TV.
More accurately, the whole concept is that all email leaving or entering government departments adheres to similar principles as snail mail: that it adheres to the standards set forth by each department with regard to record keeping and content.
Bit of a miss on private email, but then that is the quirk of employer-supplied email versus employer-supplied snail mail. With snail mail, you wrote it on company time and pilfered a stamp, but you used non-letterhead paper and a blank envelope; nobody really cared, it didn't cost that much, it kept worker morale up, and it was clearly non-company correspondence.
The catch with email is that it is very difficult to separate non-company email from company email using the company servers, and in government, because of communications audit responsibilities, just using web-based services is not quite enough separation.
Of course with smart phones and netbooks, there really is no excuse not to use your own stuff and keep your privacy unless of course you are banned from carrying those items into the work place. Then of course companies might have to consider setting themselves up as ISPs to achieve legal separation from the communications they allow their workers as part of the salary package.
Chaos - everything, everywhere, everywhen
And scan all email for viruses and malware? I've never so much as had a peep from anything I've gotten in GMail in 5 years.
I can definitely say, as an Australian Federal Public Service employee that web-based email is completely blocked. It is actually cause for immediate dismissal if you try to access them.
Remember the Second Law of Thermodynamics: Let the Lord of Chaos Rule
Personally I think the first thing that they should do prior to disabling gmail or hotmail is disable USB keys from working on the computers in the network... I'm surprised at how many places haven't locked this down... What's the point of locking down the services if they can just copy whatever information and then email it from home?
Or maybe they should look closer at how they are operating first and try to mitigate the risk by running a clean house and educating staff on the finer points of netiquette: "No Jill, we do not open executable attachments from outside, even if you think it might have been from Jack". Better still, stop users from running untrusted executables! So many things they could start with, why bother with webmail?
Cheers, Chris
Blocking webmail services is like whack-a-mole. There's likely to be one somewhere that you'll miss, and when the potential leakers (henceforth known as patriots) find it, you're back to square one.
-- Even if a god did exist, why the fsck should I worship it?
Amusingly, the nutjob opposition leader is even more unpopular.
And it, like everything else, is vulnerable to the "analog hole". Yes, I know that at high security installations people are searched upon entry for cameras and audio recording devices, but unfortunately, the advance of technology makes it likely that it will eventually be trivial to conceal such devices from most kinds of search equipment (in general, the smaller something is, the easier it is to conceal it).
Ah yes, the good ol' a-hole vulnerability. And a micro-SDcard dipped in vaseline.
This is why nerds will never rule the world. We see an article about Governments blocking mail services with the intention of silencing would-be whistle-blowers, and the first thread is about "wouldn't this be a better way to accomplish that?" :)