Aussie PM Office Calls For Government Ban On Gmail, Hotmail
aesoteric writes "The Australian National Audit Office has called on all Australian government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks. The auditor noted that such public email services 'should be blocked on agency IT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure.' Not surprisingly, the move is seen by some as an attempt to prevent a WikiLeaks-style disclosure from occurring."
Now seriously guys, there are bad titles, and there are pathetic ones. This takes the cake as the prime of the prime in the latter camp. You make it sound like they want to ban it in Australia as a whole, while the truth is much simpler and in fact valid. They simply urged the agencies not to use those services. The puzzlement should come from why they are using it anyway.
This was an audit performed on the security of Government data and not an exercise on quashing free speech. FFS aesoteric and samzepous, this was so pathetic that it wasn't even funny.
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
In the private sector I have been doing this for years, because of security. If a user wants to access his Gmail/private mail he can use his mobile, not my network, and if management agrees I would place a shared system in areas that are on a separate network for such uses.
True, but if someone needs gmail to do their government job, someone is not doing their job correctly.
:)
The real problem with gmail, yahoo, msn or whatever is that it isn't the government's server, and there are lots of requirements for archiving and providing an audit trail for government business that gmail cannot (and shouldn't) provide.
IT is more than just putting up a webpage and sending messages, it is also ensuring accountability and security. Free web mail is fine and even preferable for private stuff, but when it comes to government work we demand a certain accountability and security, and rightly so. Perhaps people do private messages at work, but this is damn hard to filter and in general on taxpayers' time you have no right to be doing private correspondence on government payroll and equipment.
From the worker's point of view it might seem a hassle, but try to look at it from the administrator's point of view. Those blocks are there for a reason, and the audit trail is there for a reason. Remove the audit trail and it would be close to impossible to make any sort of investigation into who stole the last $10,000 from the government till, who influenced who in the last bid, and who approved what through which contacts.
People aren't perfect, company and government policies even less so, but there is often a reason for the policy even if it is implemented wrongly.
Go and hug your IT admin today, you'll find it easier to get your job done.
A real world example.
It is 100% possible and it is done every day.
The proxy terminates the https request and then creates a new https request going out. So yes, you can tell if there is a POST event. You can tell if it is a file. You may not be able to read the file, as it may have separate encryption.
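The inspection described above, as an added example that is not part of the original post: a Python sketch of what a TLS-terminating proxy can derive from a decrypted request, namely the method, the destination host and whether the multipart body carries a file (without having to interpret the file's contents). The webmail host list, the sample request and the classification rule are all constructed here for illustration.

```python
# Added example (not from the thread): what a TLS-terminating proxy can see
# in a decrypted request. Host list, rule and sample request are constructed.
import re
WEBMAIL_HOSTS = {"mail.google.com", "mail.live.com", "mail.yahoo.com"}  # constructed

def parse_headers(block: bytes) -> dict:
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in block.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _version = request_line.decode("latin-1").split(" ", 2)
    return {"method": method, "path": path,
            "headers": parse_headers(header_block), "body": body}

def file_parts(body: bytes, content_type: str) -> list:
    """Return (filename, size) for every multipart part that carries a file."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = b"--" + m.group(1).encode("latin-1")
    found = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = parse_headers(head).get("content-disposition", "")
        fn = re.search(r'filename="([^"]*)"', disp)
        if fn:  # size only: the bytes themselves may be opaque to the proxy
            found.append((fn.group(1), len(data.removesuffix(b"\r\n"))))
    return found

def classify(raw: bytes) -> dict:
    """Flag a POST to a webmail host, and list any files it carries."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    files = file_parts(req["body"], req["headers"].get("content-type", ""))
    return {"host": host, "webmail": host in WEBMAIL_HOSTS,
            "post": req["method"] == "POST", "files": files}

# Constructed request: a spreadsheet attached through a webmail upload form.
SAMPLE = (b"POST /mail/upload HTTP/1.1\r\n" b"Host: mail.google.com\r\n"
          b"Content-Type: multipart/form-data; boundary=XyZ\r\n\r\n" b"--XyZ\r\n"
          b'Content-Disposition: form-data; name="f"; filename="q3.xlsx"\r\n'
          b"Content-Type: application/octet-stream\r\n\r\n"
          b"PK\x03\x04 opaque payload\r\n" b"--XyZ--\r\n")
```

A real proxy would feed its decrypted request stream into `classify` and log or block on `webmail and files`; the file bytes themselves stay untouched, which matches the point that the proxy sees the upload but not necessarily its contents.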
Remember Sarah Palin and her webmail that somebody got into by just answering some incredibly easy "security" questions? If I were in government IT security I'd be recommending that nothing remotely important was sent to or from hotmail etc.
There's also the archiving problem. An important email sent to or from hotmail may disappear into a black hole never to be seen again within a year so you are out of luck if you want the information in it after that date.
Then there's the "paper trail". We wouldn't have had so much on Poindexter and North selling weapons to terrorists (Hezbollah via Iran after Hezbollah killed all those US Marines) if their emails hadn't been on the backup tapes. That's one reason why places have rules about not using hotmail etc.
Finally, gmail may be stable, but if you are a University that has outsourced your students' mail to hotmail and a stupid internal Microsoft DNS error prevents them getting email, your trouble ticket gets put in a queue for a week before it gets fixed. That's for paying customers. Lost mail and no access for over a week. Now consider how those on free accounts are going to get treated when things go wrong.
It really is quite stupid to rely on it for anything work related if you want to pretend to be any sort of professional organisation.
Personally I think the first thing that they should do prior to disabling gmail or hotmail is disable USB keys from working on the computers in the network... I'm surprised at how many places haven't locked this down... What's the point of locking down the services if they can just copy whatever information and then email it from home?
Or maybe they should look closer at how they are operating first and try to mitigate the risk by running a clean house and educating staff on the finer points of netiquette: "no Jill, we do not open executable attachments from outside, even if you think it might have been from Jack". Better still, disable users from running untrusted executables! So many things they could start with, why bother with webmail?
Cheers, Chris
This is why nerds will never rule the world. We see an article about Governments blocking mail services with the intention of silencing would-be whistle-blowers, and the first thread is about "wouldn't this be a better way to accomplish that?" :)