

EU Parliament Blocks Outlook Apps For Members Over Privacy Concerns

jfruh writes Microsoft last week released Outlook apps for iOS and Android, but one group that won't be getting to use them is members of the European Parliament. They've been advised by their tech staff that the apps are insecure and that they shouldn't download them — and if they have, they should change their Outlook passwords.

24 comments

  1. The magic 8 ball by Overzeetop · · Score: 3, Funny

    The magic 8 ball could have told them that.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  2. Why? by Anonymous Coward · · Score: 0

    Why make it download emails from an Exchange server and then reupload it to some out-of-organization server?

    Was this done on purpose to harvest advertising information? Incompetence? Can they really afford to have companies shy away from their products due to media exposure like this?

    1. Re:Why? by clorkster · · Score: 3, Informative

      Why make it download emails from an Exchange server and then reupload it to some out-of-organization server?

      According to the article this is not the reasoning that is being given for banning the app. As with any aggregator app that runs on a phone, there are many rather plain reasons why data such as emails and attachments would be temporarily stored on the app provider's servers.

      The real issue that is being objected to here is that the app double-encrypts login credentials for various email providers using both a unique-per-client key that they generate and a key that is derived from the specific piece of hardware accessing the data. This encrypted data is then stored in "the cloud". The counterpoint to this methodology is Gmail's use of OAuth to avoid storing any credentials - regardless of the sophistication of the encryption scheme - in a public cloud setup.

    2. Re:Why? by Anonymous Coward · · Score: 0

      The article is partially wrong. The reasons were two:
      - Authentication stored in the Microsoft servers;
      - Messages, calendar events, address books, etc. "cached" (forever?) in Microsoft servers, with no way to delete them.

      That should be enough to make everyone avoid Microsoft Outlook apps, the only problem is that nobody at the EP seems to have realised that both issues also apply to Windows phones, which store all credentials with Microsoft, and seem to pass everything by their servers.

    3. Re:Why? by Anonymous Coward · · Score: 0

      The article is partially wrong. The reasons were two:
      - Authentication stored in the Microsoft servers;
      - Messages, calendar events, address books, etc. "cached" (forever?) in Microsoft servers, with no way to delete them.

      That should be enough to make everyone avoid Microsoft Outlook apps, the only problem is that nobody at the EP seems to have realised that both issues also apply to Windows phones, which store all credentials with Microsoft, and seem to pass everything by their servers. Oh well, it shouldn't affect more than 2 or 3 users...

    4. Re:Why? by Coren22 · · Score: 1

      I guess they don't use BlackBerry either, as they either store passwords on the carrier BES server, or run a BES server that has full access to the domain, and internet access (and forwards all email to the BES servers run by RIM).

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. Pretty much a given? by gstoddart · · Score: 4, Interesting

    With all the news stories about how America can (and will, and does) force companies to hand over what's in their clouds ... why the hell any member of the EU Parliament would think that using anything from Microsoft isn't a stupid idea is beyond me.

    Unless you own every piece in that communication chain, you more or less have to start treating Microsoft as an entirely un-trustworthy entity ... because for legal and privacy purposes, they pretty much are.

    I think MS (and other American cloud providers) are going to start finding themselves very unwanted ... because they literally can't be trusted.

    They can't be trusted because they do stupid things like this, and because they want to monetize everything, and because they're more or less covered under the PATRIOT Act.

    In deeming themselves above everybody's laws, and entitled to all data ... America is essentially no longer trustworthy.

    --
    Lost at C:>. Found at C.
    1. Re:Pretty much a given? by drinkypoo · · Score: 0

      In deeming themselves above everybody's laws, and entitled to all data ... America is essentially no longer trustworthy.

      Was America ever trustworthy? The short answer is no.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Pretty much a given? by cavreader · · Score: 2

      Please give an example of a country that is? And the EU (and a whole bunch of other countries) works hand in hand with the NSA collecting and sharing data. Why do you think the EU politicians stopped their vitriolic accusations in record time? Could it be that their own intelligence agencies pulled them aside and quietly told them they were cooperating with the NSA so shut the hell up? The naivety displayed by the people raging about the NSA in particular and America in general is breathtaking. Failing to recognize that there are other very powerful and intrusive state security agencies involved in the mix makes any complaints meaningless.

    3. Re:Pretty much a given? by james_gnz · · Score: 1

      I expect this was a quip, rather than serious. Was the USA ever trustworthy, going back to the formation of the Union between 1776-1789? I'm not an historian, but I'd guess they started out relatively trustworthy. I'm given to understand they had some high ideals. Power corrupts though, I suppose.

    4. Re:Pretty much a given? by drinkypoo · · Score: 4, Insightful

      I'm given to understand they had some high ideals.

      That's mostly propaganda, and a misunderstanding of the nature of the founding fathers. A small handful of them clearly had high ideals. But how can you take people seriously when they declare that all men are created equal and declare that they are starting a democracy, then fail to give the vote to over half the population? The truth is that they were creating a government in which they themselves (and their ilk) would hold the reins of power, and to this day the nation (like the world) is controlled by those who are both wealthy and racially privileged. It's a government by, of, and for money.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Pretty much a given? by Anonymous Coward · · Score: 0

      I think Iceland is quite trustworthy. Iceland is one of the few countries without military.

    6. Re:Pretty much a given? by Anonymous Coward · · Score: 0

      Argument: "You can't trust software by American businesses"
      Rebuttal: "But the EU may hypothetically be just as evil too!"

      Wut. Why the hell is this drivel modded up, this is a complete strawman and doesn't contradict GP at all. You don't need to trust any governments, you can always roll out open hardware and software and circumvent the organizational trust issue altogether.

    7. Re:Pretty much a given? by drinkypoo · · Score: 2

      Wut. Why the hell is this drivel modded up

      The same reason my comment was modded down, and four other of my unrelated comments too, for good measure: Jingoism. My country, right or wrong. Well, the USA is my country, and I want it to be better. These dildos who mod anything critical of the USA down exemplify the kind of asshole who is the problem with this country. MERICAFUCKYEAH, don't tell me it's not perfect or I'll shoot you

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Pretty much a given? by Coren22 · · Score: 1

      RIM? If you don't run your own BES server, the RIM servers (or carrier BES server) have the password stored on them in order to download the mail. If you run your own BES server, it has full control on your domain in order to access mailboxes, and it has internet access to send mail to the RIM servers, where it is cached.

      Oh, and RIM is a Canadian company, one of the Five Eyes, so in most respects no different than being American. I would love to see what the EU intends to use for email on phone.

      http://en.wikipedia.org/wiki/F...

      Apple - WA, USA
      Google - CA, USA
      RIM - Canada

      Well, that covers all the major phone OSes.

      How do you think that any country is any different anyway? The NSA had some of its programs exposed, do you really think there is a country on this planet that doesn't (or wishes they could) do anything that the NSA was doing? The NSA is chartered to protect the interests of the US, just like any other foreign intelligence organization, they will do what they can to accomplish that goal.

      Would China be any better to host this stuff in? How about Russia? Japan (close allies of the US)? Korea (also allies)? Heck, any EU country is about as trustworthy, as most of them work very closely with the US through NATO. Guess we are all going to design, fab, code and run our very own cell phones/cell networks to prevent spying. What happens when someone then sets up their own cell tower to capture the unencrypted data stream? Are you going to then trust SSL or whatever encrypts the mail server conversations (over and above the cell network encryption that is being bypassed)?

      https://www.google.com/search?...

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  4. You didn't pay your dues, MS. by Anonymous Coward · · Score: 0

    All the other US corporations (Google, Yahoo, etc.) and China-manufactured hardware remain 100% safe, so you keep all that data in the cloud now. The NSA have no interest in EU negotiations, since they're just an economic backwater and not the largest economy in the world.

  5. Pretty much a given? by Anonymous Coward · · Score: 0

    >I think MS (and other American cloud providers) are going to start finding themselves very unwanted ...

    Why do you think it is better in Europe (or anywhere for that matter)? If you don't want your data in the hands of NSA then yes, don't touch "american" clouds. However there are other agencies all around the world with very similar goals to the NSA and similar means in their sphere of influence.

  6. An old joke worth repeating: by operator_error · · Score: 1

    Microsoft Outlook/Exchange is a massive client-server security risk that doubles as a collaborative email & calendaring application.

  7. Very likely... by kefalonia · · Score: 1

    ...some people @ EU parliament are doing their job just finely right

    It should have been called perhaps earlier, that's the only thing to consider at this point.

  8. EU: Send Beer (OK, money too) by bill_mcgonigle · · Score: 2

    why the hell any member of the EU Parliament would think that using anything from Microsoft isn't a stupid idea is beyond me.

    Well, because they want the feature set. The EU should start dumping truckloads of money on Inverse and Samba until the open source solution is superior.

    Sogo is close to being done (the hard bits like single instance modifications of repeating events aren't) and Samba4 is teetering on stilts; though it works in ideal circumstances, lots of problems aren't handled and there is missing functionality.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. It's actually worse than that! by s.petry · · Score: 3, Insightful

    Read TFA. Microsoft is doing what EVERY SINGLE SECURITY PROFESSIONAL TELLS YOU NOT TO DO! Caching passwords on a remote server. I don't care how many times you claim to encrypt the password, and I don't care what encryption algorithm they claim to use. You never, ever under any circumstances cache a user's password. This is simply inexcusable and Microsoft deserves every bit of heat they get for this.

    If I was told that a client sent an auth string and received a Kerberos ticket that got cached, I would not have the same opinion or harsh criticisms. This is plain old idiocy and laziness!

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  10. The company I work for blocked this last week by Terje+Mathisen · · Score: 1

    After checking out how the Outlook app handles emails and authentication, our security group pushed out an update to the blocklists, making it impossible to install this app on any phone connected to our company mail servers. (Connecting to those email servers already requires you to accept a minimum set of company security requirements, like secure unlock, not just a swipe, and the capability to remotely wipe the phone.)

    Terje

    --
    "almost all programming can be viewed as an exercise in caching"
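The blocklist update Terje describes is one way an Exchange administrator can respond to a client that relays mailbox credentials through a third party. The script below is an added example, not the poster's company configuration and not anything from the linked articles: it assumes an Exchange Management Shell or Exchange Online PowerShell session with the Organization Management role, and it uses Exchange ActiveSync device access rules (Get-MobileDevice, New-ActiveSyncDeviceAccessRule, Set-ActiveSyncOrganizationSettings) as the blocklist mechanism. The DeviceType string is a placeholder; the real value must be read from Get-MobileDevice output for a known device, because QueryString is matched exactly rather than as a wildcard.

```powershell
# Added example (not the poster's configuration): block a mail client at the
# Exchange ActiveSync layer and find the mailboxes that already synced with it.
# Assumes an Exchange Management Shell / Exchange Online PowerShell session.

# PLACEHOLDER: the DeviceType the client reports to ActiveSync. Look it up with
# Get-MobileDevice on a device that is known to run the client; do not guess it.
$BlockedDeviceType = "<DeviceType-as-reported-by-the-client>"

# 1. Inventory first: which mailboxes already have a partnership with this
#    client? Their owners are the ones who need a password change, since the
#    credentials the app uploaded stay valid until the password is rotated.
$affected = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $BlockedDeviceType } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, UserAgent, FirstSyncTime

$affected | Format-Table -AutoSize
Write-Host ("{0} mailbox partnership(s) found for DeviceType '{1}'" -f @($affected).Count, $BlockedDeviceType)

# 2. Block: a device access rule keyed on DeviceType refuses new partnerships
#    and blocks existing ones on their next sync attempt. Skip creation if an
#    equivalent rule already exists, so the script is safe to re-run.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq "DeviceType" -and $_.QueryString -eq $BlockedDeviceType }

if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString $BlockedDeviceType -AccessLevel Block
} else {
    Write-Host "Rule already present: $($existing.Identity) ($($existing.AccessLevel))"
}

# 3. Optional hardening: quarantine device types that match no rule, so the next
#    aggregator-style client has to be approved by an admin before it can sync.
#    The recipient address is a placeholder.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admin@example.invalid"
```

Two caveats a practitioner would want: the rule only stops further synchronisation through Exchange, it does nothing about mail or credentials already copied to the app vendor's servers, which is why the EU Parliament advice in the summary pairs removal with a password change; and the DefaultAccessLevel change in step 3 affects every unknown device type in the organisation, so it belongs in a change window with the quarantine notifications actually being read.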
    1. Re:The company I work for blocked this last week by Anonymous Coward · · Score: 0

      According to https://netzpolitik.org/2015/eu-parlament-soll-ms-outlook-auf-ios-wegen-schwerwiegenden-sicherheitsmaengeln-loeschen/ the EU IT department warned about Outlook on Friday.

  11. security? Where? by Anonymous Coward · · Score: 0

    This has been known. Really, no one should be using it. Minus points for Microsoft for buying a product and rebranding it without looking at the security at all. Using AWS instead of Azure is hilarious. It is even mentioned in the app’s Terms of Service that Microsoft can read your data, if it deems it necessary. It doubles outlook traffic as it pipes it to the cloud, and integrates with Dropbox and the ilk client side, so data exfil is possible.

    Sources:
    https://blog.winkelmeyer.com/2015/01/warning-microsofts-outlook-app-for-ios-breaks-your-company-security/
    http://www.reddit.com/r/sysadmin/comments/2uuwrg/the_security_and_performance_of_the_outlook_app/
    http://blogs.office.com/2015/01/29/deeper-look-outlook-ios-android/
    http://www.itproportal.com/2015/02/02/microsofts-new-ios-outlook-app-serious-security-flaws/
    https://www.acompli.com/privacy-policy/