Slashdot Mirror


US Congress Bans Members From Using Yahoo Mail (bbc.co.uk)

A week after we learned that the House of Representatives had banned its members from using Google's appshot.com, more details about the blockage have surfaced. Reader Big Hairy Ian writes: A series of ransomware attacks on the House of Representatives has led U.S. Congress to ban members from using Yahoo Mail, according to a leaked email. Both Yahoo Mail and Gmail are named in the 30 April email, published on Thursday by Gizmodo, saying the attacks had increased "in the past 48 hours". Yahoo Mail will be blocked "until further notice" it adds. Ransomware encrypts victims' files and demands a ransom be paid for unlocking. In this particular instance, I think it isn't all of Yahoo Mail's fault. People need to be wary of the links they click on.

121 comments

  1. trying to keep email in the headlines by Anonymous Coward · · Score: 0, Funny

    This desperate attempt proves they have nothing on Hillary.

    1. Re: trying to keep email in the headlines by Anonymous Coward · · Score: 0

      Or, it's just a coincidence and Hillary is still a security risk.

    2. Re:trying to keep email in the headlines by Phreakiture · · Score: 1

      Doesn't it hurt your brain to compose non sequiturs like that?

      --
      www.wavefront-av.com
    3. Re:trying to keep email in the headlines by Anonymous Coward · · Score: 1

      Brain not required.

    4. Re:trying to keep email in the headlines by Anonymous Coward · · Score: 0

      This desperate attempt proves they have nothing on Hillary.

      The Republican-ruled FBI has nothing so they just have to make-up garbage to try to justify their illegal investigation.

    5. Re:trying to keep email in the headlines by Anonymous Coward · · Score: 0

      Doubleplusgood duckspeak.

    6. Re:trying to keep email in the headlines by Anonymous Coward · · Score: 0

      Do you even think any of these shits have read 1984?

  2. Gmail, Yahoo is pretty safe by Anonymous Coward · · Score: 1

    If you know how to use them. Like a lot of problems in the US, education could probably help solve them, at least a little.

    1. Re:Gmail, Yahoo is pretty safe by TWX · · Score: 3, Interesting

      If you look at the nature of product recalls, they're generally recalled for one of three reasons:

      Product is inherently flawed or otherwise unsafe and cannot be corrected. This covers things like manufacturing the chassis of a product with flawed materials, or using the wrong material, or a design whose intended use is inherently unsafe. Two examples I can think of off of the top of my head are Lawn Darts, whose very concept makes them unsafe, and the Perfect Flame grille, whose housing was magnesium and prone to igniting in a metal-fire.

      Product has minor flaws or only a risk of safety-issue, but correcting those flaws will cost too much to achieve. Inexpensive home goods may fall into this category, and sometimes when food products are recalled en-masse it's like this- only a few actual packages of a food item may be dangerous, but it would cost far more to test all of the food for the danger than it is to just throw it away.

      Users misuse a product and it's not possible to correct user-error. At first this doesn't sound like a product problem, but casual-use products are not supposed to require advanced training to use. There's a threshold for the number of incidents relative to the userbase to be considered, and if too many users are all having similar problems then that's indicative that something in the product itself needs to be changed, as changing human behavior on a large scale is not easy.

      Unfortunately software has been allowed to violate #3 and arguably the others for a very long time, as the push for newer/faster/prettier has trumped all other considerations. It's about time that we acknowledge that we haven't really made much improvement in UI in the last decade and that at-best we're reimplementing the wheel, and that we need to focus on the underpinnings.

      --
      Do not look into laser with remaining eye.
    2. Re:Gmail, Yahoo is pretty safe by Locke2005 · · Score: 2

      LOL, educate members of the House of Representatives?!? You can't educate people that are already certain they know everything!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Gmail, Yahoo is pretty safe by sims+2 · · Score: 2

      Just newer/prettier. I haven't seen a newer version of something be faster in a very long time.
      And no the ui wasn't broken before.

      I have to point out that even in windows 10 half the settings are in a touch screen style ui and the rest are in a windows 7 ui it's terribly inconsistent.

      --
      Minimum threshold fixed. Thanks!
    4. Re:Gmail, Yahoo is pretty safe by thewolfkin · · Score: 2

      Just newer/prettier. I haven't seen a newer version of something be faster in a very long time. And no the ui wasn't broken before.

      I have to point out that even in windows 10 half the settings are in a touch screen style ui and the rest are in a windows 7 ui it's terribly inconsistent.

      you have no idea how much i hate touch screen UI on my Win10 computer. I hate it so much. all the control panels are still there but you have to go thru a curtain of simplified touch screen capable control panels first before you can find them EVERY time. It's a nightmare. Combine that with the hugely annoying Function Keys that are media keys and no way to change them to just plain function keys and I'm hating nearly every moment of my Win10 experience so far.

      --
      Just another second banana
    5. Re:Gmail, Yahoo is pretty safe by Grishnakh · · Score: 1

      If you hate it so much, stop using it.

      Personally, I love it. I don't actually use it, because it's a piece of trash, but I love watching it make other people miserable while they suffer with it, but steadfastly refuse to abandon it like some kind of sadomasochistic ritual, and instead whine endlessly. Of course, they'll spout all kinds of excuses and rationalizations about why they can't possibly stop using Windows, but after year after year of MS making Windows more and more user-hostile, at this point I have zero sympathy left and now I just laugh at them and their self-induced torture. I greatly look forward to what new "treats" Microsoft has in store for its users.

    6. Re:Gmail, Yahoo is pretty safe by Anonymous Coward · · Score: 0

      The problem is that the hazard assessment process is primarily focused on risk of injury or death. Financial losses are a secondary issue. If you consider software that has been determined to have a safety effect and is installed in a car, aircraft, medical device, etc. I guarantee you that a product recall would be issued if there was a safety related issue discovered.

    7. Re: Gmail, Yahoo is pretty safe by Anonymous Coward · · Score: 0

      Yahoo has broken its user interface through its re-incarnations, many times. It has become one of the worst products in cyberspace.

    8. Re: Gmail, Yahoo is pretty safe by Anonymous Coward · · Score: 0

      What's your favorite Linux WM, to counter the touch screen mania you talk about? TWM for footprint size? LXDE for basic, simple useability?

    9. Re: Gmail, Yahoo is pretty safe by Grishnakh · · Score: 1

      KDE. The basic UI hasn't changed significantly since the 1.0 days. They also believe in having different UIs for different devices (they have a netbook-optimized WM which probably isn't used that much these days, and also one for smartphone-sized devices).

    10. Re:Gmail, Yahoo is pretty safe by thewolfkin · · Score: 1

      If you hate it so much, stop using it

      If you can tell me how to turn off the UI Menus within menus that require me to dig thru touch capable menus ( that most importantly don't have the configuration options that I'm actually trying to access) in order to get to the panel that DOES have the config options I'm trying to get at. Then by all means enlighten me and I shall turn it off promptly.

      but steadfastly refuse to abandon it like some kind of sadomasochistic ritual

      I hate the touch screen aspects. There are however things I really enjoy about windows and have appreciated since I switched from Mac way back when. That said I'm not in a position where I CAN switch even if I were of a mind to. But sure go on and assume that we're all using Windows for the fun of it. That's super reasonable of you.

      --
      Just another second banana
    11. Re:Gmail, Yahoo is pretty safe by Grishnakh · · Score: 1

      If you can tell me how to turn off the UI Menus....

      You can't. That's how it is with Windows and proprietary software in general. You either take it or leave it. If the vendor doesn't care to make it configurable, then you're stuck with it as-is. Don't like it? Too bad. Stop your whining if you're not going to change.

      I hate the touch screen aspects. There are however things I really enjoy about windows

      Well you can't pick and choose. You can write to MS and try to get them to make these things configurable. Good luck with that.

      That said I'm not in a position where I CAN switch even if I were of a mind to.

      Sure you can, if it's your personal computer. (If it's your employer's computer, that's an entirely different matter and a different topic of discussion.) Any choice you make is going to have ramifications. I don't have a big pickup truck, so I can't tow a big boat. I don't mind, because I don't have a big boat and don't want one. I don't have a van, so I can't transport 8 passengers. Every consumer choice you make has consequences. Buying a big van and then complaining about the handling and fuel economy is stupid. Buying a Ford pickup and then complaining that the MyFordTouch system sucks and isn't as nice as the one in the Nissan pickup is similarly stupid. Same goes for Windows. If you hate it that much, then use a different OS.

    12. Re:Gmail, Yahoo is pretty safe by thewolfkin · · Score: 1

      You can't. That's how it is with Windows and proprietary software in general. You either take it or leave it.

      And this is why it's not "a free choice". I need to use windows to work and when MS changes things that makes it annoying to work with windows, I'm allowed to complain about it. I'm not steadfastly refus[ing] to abandon it like some kind of sadomasochistic ritual. I'm forced to maintain with it because of extrinsic factors that you seem to think are mythical.

      Sure you can [switch]

      No I can't because I need windows to work. It's like how I now need MS Word to work because I'm literally the only one in my office using LibreOffice and people are complaining that when I edit their documents there are formatting losses.

      Any choice you make is going to have ramifications. I don't have a big pickup truck, so I can't tow a big boat.

      and this is a much smaller problem when you don't tow boats for a living. When you don't need to tow a boat regularly yeah this is a choice you can make to not have a tow truck because you don't like the handling or the emissions. But when you NEED to tow a boat then no a Nissan Sedan isn't a viable alternative Yes both can take me grocery shopping and while I may do that more often than towing a boat if my job description involves towing boats every other day then I can't ignore that need. My current job description involves using MS Office so that I can not bork up the compatibility with Office files people send me all the time. If it was as simple as just exporting PDFs back to them this wouldn't be an issue. For years this is how I lived but now my situation is different.

      good grief man you don't have a boat and don't want one? What kind of argument is that? That's fine for you but some of us out here HAVE boats and need boats. You waving boatless solutions in our faces is kinda missing the point.

      tl;dr - no switching isn't a viable alternative to everyone. Even if it is completely and 100% literally possible within the physical realm of existence, it can be a functional non-starter for people. I guess I'll be seeing you at the next "If you don't like our country, why don't you just leave" rally

      --
      Just another second banana
  3. Not how they roll by sjbe · · Score: 5, Insightful

    In this particular instance, I think it isn't all of Yahoo Mail's fault. People need to be wary of the links they click on.

    That's not how Congress rolls. They refuse to take personal responsibility for everything and they have the authority to make someone else pay for their incompetence and/or corruption.

    To be frank however, I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers. It's not like congress doesn't know where to find the money to do it. Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

    1. Re:Not how they roll by AF_Cheddar_Head · · Score: 2

      Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      Because in the infinite wisdom of taxpayers and Congress government employees are not supposed to use the Government maintained e-mail to conduct personal business so they resort to webmail products. Also anything on the Government servers is subject to FOIA requests so they use a .COM server instead.

      FOIA is one of the biggest reasons that executive branch personnel (AKA Hillary, Condoleezza, and Colin Powell) all had their own private e-mail servers.

    2. Re:Not how they roll by DigiShaman · · Score: 1

      Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      That's a rhetorical question BTW.

      --
      Life is not for the lazy.
    3. Re:Not how they roll by Anonymous Coward · · Score: 0

      and why all the fire and brimstone of private email server usage when they themselves are doing the same thing? oh, yeah, the old smoke and mirrors trick. same thing goes for the Facebook news slant when they have the 24 hour tea party propaganda machine Faux News. i love hypocrisy.

    4. Re:Not how they roll by Anonymous Coward · · Score: 0

      Thank you

    5. Re:Not how they roll by Anonymous Coward · · Score: 0

      I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers.

      Because much like gwb43.com, Gov.Palin@yahoo.com, etc. they don't want their emails being subject to open records requests.

    6. Re:Not how they roll by Karl+Cocknozzle · · Score: 1

      That's not how Congress rolls. They refuse to take personal responsibility for everything and they have the authority to make someone else pay for their incompetence and/or corruption.

      To be frank however, I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers. It's not like congress doesn't know where to find the money to do it. Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      Although I agree people should be more careful what they click on, it's grossly irresponsible that the CIO of the House of Representatives didn't already have access to Yahoo Mail blocked--it's been a known conduit for this stuff for years precisely because their filtering is so weak. My opinion? A message containing a harmful URL shouldn't get through. There are a myriad of spam services/products/filters that can deliver this type of feature... Why on earth isn't Yahoo running one of them?

      --
      Who did what now?
    7. Re:Not how they roll by Locke2005 · · Score: 1

      Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      It's congress, obviously they have too much spare time on their hands! It's not like they spend all day enacting useful legislation, is it? Hell, they can't even pass a budget plan!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    8. Re:Not how they roll by Anonymous Coward · · Score: 0

      " I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers. "

      Campaign finance laws prohibit using gov't resources for campaigning. Every Member of the US House is up for re-election every two years so it's become a never-ending campaign.

    9. Re:Not how they roll by drew_kime · · Score: 2

      " I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers. "

      Campaign finance laws prohibit using gov't resources for campaigning. Every Member of the US House is up for re-election every two years so it's become a never-ending campaign.

      I wish that weren't the case, but it pretty much starts and ends with that.

      --
      Nope, no sig
    10. Re:Not how they roll by Hentes · · Score: 1

      I'm guessing the reason they can block Yahoo without disrupting operation is because they don't actually use it. Those are most likely people checking their personal account from work.

    11. Re:Not how they roll by Anonymous Coward · · Score: 0

      Yahoo leaks their password database constantly. My canary account has been breached 4 times and I do not use it except when the canary dies. Basically, they have a lot of back end holes and the entire account is worthless. Their security is shit.

    12. Re:Not how they roll by Anonymous Coward · · Score: 0

      In this particular instance, I think it isn't all of Yahoo Mail's fault. People need to be wary of the links they click on.

      That's not how Congress rolls. They refuse to take personal responsibility for everything and they have the authority to make someone else pay for their incompetence and/or corruption.

      To be frank however, I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers. It's not like congress doesn't know where to find the money to do it. Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      you know there are a lot of people that work in congress that aren't actually elected officials. They are allowed to access non work related sites, don't like it bring it up with their union.

    13. Re:Not how they roll by roccomaglio · · Score: 1

      Hillary is the only Secretary of State who had a private email server.

    14. Re:Not how they roll by Anonymous Coward · · Score: 0

      To be frank however, I cannot see any sane reason why our elected officials are not using official government email accounts supported by official government IT workers. It's not like congress doesn't know where to find the money to do it. Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      Many organizations allow employees to browse the web (including webmail) during their personal time while at the office but not working (breaks, lunchtime, etc).

      Or perhaps Congresspeople are investigating Yahoo for violating users' privacy and want to see the website themselves (yeah, right)

    15. Re:Not how they roll by squiggleslash · · Score: 3, Informative

      The wording on your last sentence is slightly wrong enough to ensure that pedants will come out and tell you you're flat out wrong without acknowledging that the principle was right. Hillary and Powell used private email systems. Clinton, however, owned her own server while Powell didn't (so technically Powell didn't "have" his "own" private email server.)

      But certainly neither used a government supplied email system, which is the point you were trying to make.

      Rice, I believe, didn't actually use email to conduct official business.

      Information on Powell here. Warning, Politico link. Doesn't tell us which email service Powell used, so until proven otherwise we have to assume Hotmail, because hilarious.

      --
      You are not alone. This is not normal. None of this is normal.
    16. Re:Not how they roll by WheezyJoe · · Score: 1

      Why on Earth they would be using Yahoo accounts while on the job is a mystery without a responsible answer.

      A sensible, and possibly accurate, answer: they're sticking with the e-mail accounts they're familiar with. Before they're elected, they won't have .gov e-mail accounts - they'll be heavily invested in something else, like Yahoo, something they've had and settled with for years. If elected, they can get a House account, but most all their contacts know them by their old accounts, and if they're un-elected in two years, the fancy House account goes away (I assume).

      So, a luddite (and let's face it, most politicians are) figures why bother asking all their contacts (who are probably also luddites) to switch to a new unfamiliar address, if that address might go away in two years simply because some heavily bankrolled Tea Party asshole spends more money in attack ads? Let a staff member watch the House .gov account (which is public, and therefore a major spam/hatemail target), and get real work done with the non-public address that will stick around even if they lose an election.

      --
      Take it easy, Charlie, I've got an Angle...
    17. Re:Not how they roll by tsqr · · Score: 1

      and why all the fire and brimstone of private email server usage when they themselves are doing the same thing? oh, yeah, the old smoke and mirrors trick. same thing goes for the Facebook news slant when they have the 24 hour tea party propaganda machine Faux News. i love hypocrisy.

      You do know that government employees are not allowed to use government email for personal purposes, right? The intent there is to prevent the use of taxpayer-provided resources for campaign fund-raising efforts. And the intent of the rules against using non-government email for government business is to provide accountability and, in the case of sensitive information, a DoD-audited security environment. And yes, I know that a DoD-audited security environment is not proof against being hacked. Thing is, if you use the system and the information is compromised, you're not accountable; if you don't use the system, you're accountable even if the information isn't compromised.

      Hillary used non-government email for everything. She did not use government email for anything. Given her position as Secretary of State, it is impossible that some of the traffic handled by her personal server was not classified Secret or Top Secret, whether or not it was marked as such (if this concept confuses you, google "born classified"). I believe that much has already been established by the FBI investigation. Oops, I mean, by the FBI "security inquiry".

    18. Re: Not how they roll by Anonymous Coward · · Score: 0

      Yahoo Mail stinks, but what email server doesn't stink for one reason or another?

    19. Re:Not how they roll by Grishnakh · · Score: 1

      I disagree. "Harmful" URLs should not be a problem for government computers, and if they are, that's the government's fault for having a shitty IT infrastructure.

      Hint: a URL can only be "harmful" if you're running Windows.

    20. Re:Not how they roll by Grishnakh · · Score: 1

      Last I heard, Powell used an AOL account.

  4. Someone fire the Infosec guy by Anonymous Coward · · Score: 0

    This reeks of an incompetent public school sysadmin who bullshitted his way in to a public service position now making draconian/hamfisted policy changes because he lacks the education to take a less brute force approach.

  5. I'd still blame Yahoo. by fishscene · · Score: 1

    I'd still blame Yahoo for allowing this sort of thing. I've been warning people for MONTHS now to 100% stop using their search engine because random search results will redirect to a bogus Microsoft support virus infection message. It's a little difficult to train users to hover over the link and ignore the first 75 characters to see where it is actually pointing to- assuming they have the link details at the bottom.

    1. Re:I'd still blame Yahoo. by Locke2005 · · Score: 1

      failblog,com has been putting up a "You need to update Adobe" trojan for several weeks now... they really need to be more selective about who they let advertise on their site!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  6. why is it that by i.r.id10t · · Score: 1

    Why is it that people who are provided accounts by their employer/organization insist on using "free" services ? I can't imagine NOT using my work provided address for work stuff, and whatever personal address I use on whatever provider for personal stuff...

    --
    Don't blame me, I voted for Kodos
    1. Re:why is it that by Anonymous Coward · · Score: 0

      Why is it that people who are provided accounts by their employer/organization insist on using "free" services ? I can't imagine NOT using my work provided address for work stuff, and whatever personal address I use on whatever provider for personal stuff...

      The implication is that members of Congress are accessing personal Yahoo mail from the Congress wifi network, not that they are using Yahoo email for official business.

      But yahoo seems to be a way of delivering malware attachments or links to malware.

    2. Re:why is it that by Anonymous Coward · · Score: 0

      Instead of playing whack-a-mole with third-party sites, maybe Congress should run a new call for bids for an OS supplier, where this time security and the ability to lock down code execution would be important criteria?

    3. Re:why is it that by Anonymous Coward · · Score: 0

      As an IT professional, I think I can say with some certainty that the human animal is lazy, and the idea of having to use 2 different services to accomplish a single task (I.E., checking their email) is simply too cumbersome for the 2 or 3 brain cells they have applied to the task. Most Congress-critters are grandparents at this stage of the game, and just don't comprehend the tech behind it, so they fall back on the Dumbest Common Denominator.

      If anyone has ever bothered to explain operational security to them, they weren't listening.

    4. Re:why is it that by Locke2005 · · Score: 1

      Agreed, they are accessing their personal accounts from work, but they are only allowed to do this because their system administrator is too incompetent to block access to sketchy sites. And yes, Yahoo Mail is a sketchy site!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    5. Re:why is it that by cdrudge · · Score: 2

      Why is it that people who are provided accounts by their employer/organization insist on using "free" services ?

      For the same reason that I have a corporate email account, but also have a free account hosting my own domain at gmail. I want to keep my work activities and emails separate from my personal activities and email.

      In the case of Congress members, they are prohibited from using official account(s) for personal or political campaigning activities that are not related to an official representative purpose. Now why they would use a free Yahoo account as opposed to a paid hosted account I don't know, other than they are cheap, stupid, and technologically inept.

    6. Re:why is it that by Anonymous Coward · · Score: 0

      They could call it ChromeOS!

      (Written on a chromebook)

    7. Re:why is it that by Anonymous Coward · · Score: 0

      If you trust government email servers more than you trust Yahoo, you've clearly never seen the quality of employee that gets past USAJobs.gov.

      It's like credentialism and the dunning-kruger effect has a baby and named it "Civil Service".

    8. Re:why is it that by Anonymous Coward · · Score: 0

      Clearly, you've never worked seen how much of a screwup private sector IT is. Combine the autocratic "job creator" mentality with the profit motive and you've got a recipe for disaster.

    9. Re:why is it that by Grishnakh · · Score: 1

      If you trust Yahoo more than government email servers, you've clearly had your head in the sand. At least government email accounts require two-factor authentication; I've never seen any webmail service like that. You've also clearly never worked in government. It's not the workers that are the problem (some are though), it's Congress. Congress micro-manages everything in federal agencies and does a terrible job of it; that's why we get all these horrible policies and broken organizations.

  7. Ransomware... by __aaclcg7560 · · Score: 1

    "Your email service has been banned. A generous contribution to the Congressional Don't Forget The Children fund can reverse this ban."

    - Sincerely, Congress

  8. Better question... by jratcliffe · · Score: 1, Insightful

    ...is why non-government webmail is allowed on government computers? Should be blocked entirely. If it's a government computer, then it's for government business, and emails for government business should be sent on government accounts that are saved should they be needed for FOIA act requests down the line. If people want to use personal email, they should do it on personal devices.

    1. Re:Better question... by __aaclcg7560 · · Score: 3, Informative

      If the government computers are on an unrestricted, non-classified network, government workers are not that much different than regular office workers. Some personal usage is permitted as long as it doesn't interfere with work.

    2. Re:Better question... by AF_Cheddar_Head · · Score: 1

      So when you are at work your significant other can't send you an e-mail to your company address with a grocery list or asking you to pick up the kids? You only use your phone to get these kinds of e-mail.

      BTW in many government facilities you can't bring in personal computing devices (including your phone) so you use your government e-mail for this kind of communication or you use a webmail provider.

    3. Re:Better question... by jratcliffe · · Score: 3, Insightful

      I have no problem with using gov't computers for limited personal business. That's perfectly reasonable. The employee needs to understand that business is now a matter of public record, however.

    4. Re:Better question... by jratcliffe · · Score: 1

      Reasonable personal usage is fine, no objection, but not software that allows for communications that aren't available for FOIA or investigation in the future.

      This is the model in finance - webmail, dropbox, etc. is blocked from work computers, but nobody cares if you email your spouse about weekend plans on your work account. If you email your spouse "hey, I just heard we're helping company X buy company Y, get your dad to buy a bunch of Y stock today," that's going to present a problem.

    5. Re:Better question... by __aaclcg7560 · · Score: 1

      Most government workers don't have admin rights to install software on their government computers. The few who do and do install software can get into trouble whenever a security audit is run. I once had to figure out why a Java component was updating out of sync with the other Java components on one system, traced the log entries back to eight months, and determined that a user with admin rights had installed a version of Java from off the Internet. Fixed the problem, notified my management, and the user got a vigorous slap on the wrist.

    6. Re:Better question... by jratcliffe · · Score: 1

      I'm not talking about admin rights (no reason for the user to have those), I'm talking about the firewall blocking gmail, yahoo mail, etc. etc. the same way it blocks pron sites, etc.

    7. Re:Better question... by jratcliffe · · Score: 1

      Sorry, shouldn't have used "software," poor choice of words.

    8. Re:Better question... by __aaclcg7560 · · Score: 1

      I'm not talking about admin rights (no reason for the user to have those), I'm talking about the firewall blocking gmail, yahoo mail, etc. etc. the same way it blocks pron sites, etc.

      Email services are typically not blocked because they don't present a security risk on a non-restricted, unclassified network. Government workers have annual training on the proper use of network resources, including clicking on any strange links in email and web browser. That's a lot more training than most people get in the private sector.

    9. Re:Better question... by jratcliffe · · Score: 1

      The security risk (which seems to be driving the Yahoo ban in the article) is one thing - the rationale for banning webmail is more extensive than just "somebody might click on a virus." It's also the fact that allowing its use leaves a major source of communication unreviewable and unarchived, which is a problem for FOIA or investigatory purposes.

    10. Re:Better question... by __aaclcg7560 · · Score: 1

      It's also the fact that allowing its use leaves a major source of communication unreviewable and unarchived, which is a problem for FOIA or investigatory purposes.

      Congress has the ability to subpoena personal email accounts. Everything in a subpoenaed account becomes public record. If the government worker is a contractor, the attorney for the contracting agency will review the personal email account. If Congress wants it, they get it.

    11. Re:Better question... by jratcliffe · · Score: 1

      But that doesn't extend to FOIA, at least not fully.

    12. Re:Better question... by __aaclcg7560 · · Score: 1

      But that doesn't extend to FOIA, at least not fully.

      If someone goes out of their way to avoid FOIA, you really can't stop them. If you lock down everything in sight, you won't get anything done. You can treat users as adults or children. The government agency I work for treats everyone as adults.

    13. Re:Better question... by jratcliffe · · Score: 1

      You can't stop them, but you can make it harder for them. There's no good reason to allow access to non-logged, non-archived private email accounts on government computers, and lots of reasons not to.

    14. Re:Better question... by __aaclcg7560 · · Score: 1

      There's no good reason to allow access to non-logged, non-archived private email accounts on government computers, and lots of reasons not to.

      Sure. But you have to balance convenience with security. If politicians and government appointees are skirting FOIA, punishing government workers on non-restricted, non-classified networks isn't going to change the underlying problem.

    15. Re:Better question... by jratcliffe · · Score: 1

      There's no loss of convenience - reasonable use of gov't email for personal use would be fine, and if the personal use isn't reasonable, the employee shouldn't be doing it at work at all.

      Skirting FOIA should be a serious offense - if, for some reason, a gov't employee needs to use personal email for government work, then every email they send from that account should be required to be cc'd to their gov't account, so it gets archived.

    16. Re:Better question... by Grishnakh · · Score: 1

      No, the problem here was that the user had admin rights. That should never happen. If some software requires admin rights to work, then you need different software. There is never any good reason for a non-admin user to have admin rights on a locked-down machine. The only users who should ever have admin rights are developers, but those machines should not be the same machines they access the internet with.

    17. Re:Better question... by Grishnakh · · Score: 1

      BTW in many government facilities you can't bring in personal computing devices (including your phone) so you use your government e-mail for this kind of communication or you use a webmail provider.

      Or, they can use this old-fashioned thing called a "telephone" (I mean the government-provided landline desk phone that every government office worker has).

      And if they want to send a grocery list, they can just send that by text as usual, and then give their spouse a phone call at work to tell them they've sent a text. When the government worker leaves the secure space and grabs their phone before leaving, the text will be waiting for them. Government workers don't have to leave their phones at home; I don't know where you got that idea. They just can't bring them into secure spaces. In practice, they usually end up going outside on breaks and checking their phones then.

    18. Re:Better question... by AF_Cheddar_Head · · Score: 1

      Not just secure spaces, many Air Force buildings prohibit bringing any personal computing devices, including personal phones.

      True, you can receive a call on your desk phone from a spouse, but don't you think the GP might object to that based on his rant about not using non-personal devices for personal business?

      By the way these days that desk phone is really a dedicated computer using VOIP software and I have personally participated in meetings where it has been discussed eliminating stand-alone phones on AF desks and just using VOIP software and a microphone on the standard desktop computer. What do you think the GP would think of using the company computer now for phone calls?

    19. Re:Better question... by Grishnakh · · Score: 1

      I don't see the problem. The spouse just needs to call up and say "check your personal phone". Then the employee can leave the secure space or building, grab his phone from the locker, walk outside, and use it like normal. The government isn't going to hassle employees for using government computers and phones for this kind of thing.

  9. Yahoo mail doesn't clean up the shit by Bruce66423 · · Score: 2

    As a user of both Yahoo mail and Live, it's notable that my junk folder in Yahoo is stuffed with phishing emails - easily identified by the difference between the visible sender and the originating email address. By contrast my Live junk folder has virtually none.

    So why doesn't Yahoo make the effort to kill off the dangerous junk?
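
The check this comment describes (visible sender versus originating address), written out as an added Python example that is not part of the original thread. The sample messages are constructed, the function names are hypothetical, and the two-label `org_domain` rule is a simplifying assumption (DMARC-style alignment uses the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (not real mail); all domains are placeholders.
SAMPLES = {
    "spoofed_display": "\n".join([
        'From: "Example Account Services <security@example.com>" <x9k2@mailer.example.net>',
        "Return-Path: <x9k2@mailer.example.net>",
        "Subject: Verify your account", "", "body"]),
    "envelope_mismatch": "\n".join([
        'From: "Pat Example" <pat@example.com>',
        "Return-Path: <bounce-771@bulk.example.org>",
        "Reply-To: <pat.example@example.net>",
        "Subject: Shared file", "", "body"]),
    "aligned": "\n".join([
        'From: "Pat Example" <pat@example.com>',
        "Return-Path: <bounces@mail.example.com>",
        "Subject: Lunch", "", "body"]),
}


def org_domain(addr):
    """Crude organizational domain: the last two DNS labels (assumption)."""
    domain = addr.rsplit("@", 1)[-1].lower().strip(".")
    return ".".join(domain.split(".")[-2:])


def sender_mismatches(raw):
    """Return the ways the visible sender disagrees with the other headers."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    if not from_addr:
        return ["missing-or-unparseable-from"]
    from_org = org_domain(from_addr)
    findings = []

    # 1. The display name shows an address from a different organization
    #    than the address the client would actually reply to.
    if any(org_domain(shown) != from_org for shown in ADDR_RE.findall(display)):
        findings.append("display-name-address-mismatch")

    # 2. Envelope sender recorded in Return-Path is not aligned with From.
    #    Mailing lists and bulk senders also trigger this: a signal, not a verdict.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and org_domain(return_path) != from_org:
        findings.append("return-path-mismatch")

    # 3. Replies would be sent to a different organization than From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and org_domain(reply_to) != from_org:
        findings.append("reply-to-mismatch")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_mismatches(raw))
```
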

    1. Re:Yahoo mail doesn't clean up the shit by DigiShaman · · Score: 1

      Is it free? Cause you get what you pay for.

      --
      Life is not for the lazy.
    2. Re:Yahoo mail doesn't clean up the shit by Locke2005 · · Score: 1

      Simple answer to "why doesn't Yahoo do X?" is: because it would cost them money, and they don't have any. They will have even less after paying Marissa Mayer her $55 million golden parachute! Their new company slogan is "Somebody buy us... please!"

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Yahoo mail doesn't clean up the shit by Danathar · · Score: 3, Insightful

      The reason why Yahoo does not fix things is because the company is "dead man walking". They have been trying to get sold to SOMEBODY for years, but since Microsoft refused to buy them years back for a premium nobody seems to want to buy them.

      Spending the time, money and resources to fix an email problem is not a high priority for them considering the position the company is in...

    4. Re:Yahoo mail doesn't clean up the shit by Grishnakh · · Score: 1

      "Please!" is right: Yahoo actually has negative value. Alibaba is the only part of the company that actually has real value, more in fact than the total value of Yahoo!, and once that spins off, the rest of it will be less than worthless: they'd have to somehow pay another company to take them over.

  10. hijacked yahoo email accounts by Anonymous Coward · · Score: 0

    I get more bogus phishing emails from hijacked Yahoo accounts than from anywhere else - they are always from someone who had me in their Yahoo contacts at some point, and now they are sending me a file that I need to check out. I recognize them for what they are, but I can see someone who's not as careful getting a file from a user that they think they know and trust, and opening the file.

    I don't know why Yahoo mail is so easy to compromise, but I definitely don't get so many hijacked Gmail accounts sending me stuff. It's always Yahoo.

    1. Re:hijacked yahoo email accounts by Locke2005 · · Score: 1

      Hotmail had a vulnerability a couple years ago where it would send a trojan to everybody in your address list, so I had to apologize to lots of people for spamming them.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  11. Alternatives? by Tablizer · · Score: 1

    Cubicle Politics 101: "Don't complain without supplying alternatives". The public-sector alternatives are not so great either.

  12. Haus of Represantin! by Anonymous Coward · · Score: 0

    ...and Commander Taco evidently banned the use of spellcheck on Slashdot.

    1. Re:Haus of Represantin! by Locke2005 · · Score: 1

      It kept correcting his name to "command her taco!"

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  13. Why Y! mail is f'd up... by Anonymous Coward · · Score: 0

    My previous internet provider (AT&Something) uses Yahoo for their email provider. You could check email using either their domain or Yahoo's domain using your username/password. I changed my password via one domain, but using the other resulted in both the old and new password working. I couldn't get the old password deleted no matter what I tried. Inquiries went unanswered.

    1. Re:Why Y! mail is f'd up... by __aaclcg7560 · · Score: 1

      I used to have ATT DSL service. So my sbcglobal.net and yahoo.com email addresses pointed to the same email box at Yahoo. After I left ATT DSL, I kept the sbcglobal.net email and still get email from people and services that still have that old address.

    2. Re:Why Y! mail is f'd up... by Anonymous Coward · · Score: 0

      When I cut all ties to AT&T, they said they would continue to provide my email address service. The bottom line is they do this to keep you listed as a customer so they can still spam you via email, snailmail, phone solicitors, and door to door solicitors. Five years later and those leeches still knock on my door trying to sell me U-verse. My door has a NO SOLICITING sign, they are allowed to ignore it for this loophole.

    3. Re:Why Y! mail is f'd up... by __aaclcg7560 · · Score: 1

      The bottom line is they do this to keep you listed as a customer so they can still spam you via email, snailmail, phone solicitors, and door to door solicitors.

      I haven't seen that crap in years. As for the emails, I hit the unsubscribe link and that was that.

    4. Re:Why Y! mail is f'd up... by Grishnakh · · Score: 1

      Yet another reason why you should never use ISP-provided email. It's always shit.

  14. Outlaw All 3rd Party Ad Agencies & Pop-Up Tech by zenlessyank · · Score: 1

    All internet advertising is immoral and should be made illegal. The inventor of the pop-up window needs to be shot, hung and quartered. Any less actions will be regarded as criminal collusion.

  15. Go away APK by Anonymous Coward · · Score: 0

    Just block the bad sites.
    Simple and fast. I have added it to my firewall DNS, so all equipment is protected without local changes.

    Yes, because it's SO HARD to just hop to a new domain.

  16. Verizon by Anonymous Coward · · Score: 0

    After setting up a tablet for my father this weekend I discovered that Verizon is apparently using Yahoo for all of its email now, so if they are a Verizon customer that's gonna be a bit of a pain.

    1. Re:Verizon by Anonymous Coward · · Score: 0

      As an IT guy now for 20 years, I just don't want to come home and troubleshoot machines for family. We are all iPads and soon to be a Chromebook for me. I just want to be able to do a quick reset and not worry about loss. Running Windows, Linux, and OS X is far more problematic, when more and more of what I do is mobile.

    2. Re:Verizon by Locke2005 · · Score: 1

      Right, because everybody needs to read their home email at work! I'm a Comcast subscriber, and I don't even know the password to my Comcast email account!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Verizon by Anonymous Coward · · Score: 0

      So ask them why they aren't using their government-provided email system, it's not like our tax dollars aren't paying for it.

      Oh wait, they quit using email, apparently:

      http://www.conservativeusa.net/whycantiwritetoallrepresentatives.htm

    4. Re:Verizon by Anonymous Coward · · Score: 0

      "So ask them why they aren't using their government-provided email system, it's not like our tax dollars aren't paying for it."

      It's illegal for a Member of Congress to use House resources for campaigning.

  17. Security lapses persist in modern software by Eravnrekaree · · Score: 1

    Why modern browsers even allow users to download and execute binaries any more confounds me. The app repository idea is something long overdue for all desktop OSs as well, where all of the SHA verification can be done and so forth. It would be a good idea to apply some access rules to ban users from executing any executable in their user writable directories like their home directory. It also makes little sense that we insist installers run as super user when all they need to do is install a few files, yet they have to have access to the entire system. I would suggest running such installers at least in a filesystem overlay of some kind or a more of a complete sandbox or jail. Older Windows versions did not encourage users to use a non privileged account for browsing. Still, even the prompt to request an administrator password is too much of a risk for them to install something. All installers should by default be run in a "fake root" environment such as the filesystem overlay.

  18. Correlation =/= causation by thermidor · · Score: 1

    Rather than Yahoo Mail being a particular attack vector for ransomware, is it not more likely that users who use a relatively old and unsophisticated email service are also more likely to indiscriminately click through on a dodgy email?

  19. is the FBI going to investigate the house? by Anonymous Coward · · Score: 1

    is the FBI going to investigate the house of representatives for its use of corporate email when they had access to government email but chose to use their own preferred email due to convenience?

    quick...provide the house's IT director/staff with immunity to get to the bottom of this!

  20. So is outlook free! by Bruce66423 · · Score: 1

    Both are free services. One kills the dangerous spam, one doesn't.

    1. Re:So is outlook free! by Anonymous Coward · · Score: 1

      I've been using Yahoo's free email since the late 90's. I rarely get spam in my inbox. The spam folder is quite full.

    2. Re:So is outlook free! by Cro+Magnon · · Score: 1

      As is gmail. 2 out of 3 kill spam.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  21. Re:Outlaw All 3rd Party Ad Agencies & Pop-Up T by Anonymous Coward · · Score: 0

    If it's any consolation, at least the man behind pop-up ads apologized.

    http://www.independent.co.uk/life-style/gadgets-and-tech/news/man-who-invented-pop-ups-ads-im-sorry-9670809.html

  22. Timely article. by tloh · · Score: 1

    Funny how this came on the heels of a widespread outage at yahoo mail last night.

    --
    Stay sentient. Don't drink bad milk.
  23. Re:Outlaw All 3rd Party Ad Agencies & Pop-Up T by sims+2 · · Score: 1

    What about the one that invented the pop under?

    --
    Minimum threshold fixed. Thanks!
  24. HTML mail was a bad idea right from the start by Anonymous Coward · · Score: 1

    IIRC, It was Netscape that started all this back in the 90s. I was on a mailing list, and suddenly HTML markup started appearing on the list. HTML added nothing to mail then, and I would submit that it adds nothing of value to mail now. No good ever comes from clicking on links or viewing images inline with mail. NONE. Mail is text. Attachments are data. You could cut down on a lot of shenanigans by going back to that. If they download an attachment, it's totally the user's fault.

  25. I suspect changing mail providers won't help much. by elistan · · Score: 2

    Yahoo Mail is simply a vehicle that doesn't appear to me to be any more or less secure than most other delivery vehicles. Yesterday we dealt with some ransomware that came in the form of an email from an employee's spouse that had a link to a landscaping company, and that landscaping company's website had a link (probably an ad) to a malicious site that delivered the ransomware. The employee's spouse contacted their IT, who reported not seeing any ransomware, which is why I'm thinking it was an ad on the landscaping company's website rather than the website itself that had the malware.

    Telling Congress "don't use Yahoo Mail, it isn't safe, use official email instead" is giving them the wrong idea that they're safe to click on anything they get in the official email, and doesn't do anything to mitigate the danger of malicious websites. Their official mail might or might not be any better about scanning attachments for viruses. Their official mail would hopefully be better about preventing account hacks, though - it seems that's a fairly common thing for Yahoo Mail.

  26. Servers by CauseBy · · Score: 1

    Huh, maybe they should run their own mail servers...

  27. Hold up ... by jxander · · Score: 2

    Do Congresscritters not have standard-issue .gov email addresses, with in-house servers (exchange, apache, lotus, whatever)??

    Or is congress saying that members can't use Yahoo at home for receiving recipes from their mom, participating in fantasy football, and/or signing up for Cat Facts.

    --
    This signature is false.
  28. At a quick glance ... by paulxnuke · · Score: 1

    "appshot" looks an awful lot like "asshat".

    1. Re:At a quick glance ... by Anonymous Coward · · Score: 1

      At quick glance your name looks like puke.

  29. The burden is on the end user by Revek · · Score: 2

    If they fall for some garbage email it's their fault, not the provider. If they are so incompetent they fall for some scam it isn't Yahoo or Google's fault. I guess they will tell people to quit using AT&T or Verizon if they fall for some tech support phone scam.

  30. But how about bsmt server protocol? by 140Mandak262Jamuna · · Score: 1

    No, bsmt is not bull shit mail transfer protocol. It is basement mail server protocol, as in you keep your own server in your basement. Is that allowed?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  31. Congress Represents the population of America by Anonymous Coward · · Score: 0

    Users all of them. I'm not normally rude but I feel like sometimes I should sit over my users' shoulders and watch them while they work on the computer. This goes for Congress, the NSA already has a live-stream of US congressional PCs why can't they just reach out and stop Congressman Ryan before he clicks on that box with the dancing hooker.

  32. Agreed me either by AF_Cheddar_Head · · Score: 1

    The GP is suggesting that no government or corporate computer or account should ever be used for personal business.

  33. As usual, blaming the wrong party. by Anonymous Coward · · Score: 0

    The problem isn't Yahoo. Or any other mail service either.

    The problem is using the wrong software.

    Use Windows? Expect the worst.

    Eventually you might learn not to use Windows.

  34. Government will goverment by MrLint · · Score: 1

    This is hardly a surprising action. Instead of addressing the behavior of people, the solution will be to attack a problem with technology. It's 'easier' than trying to fix people.

  35. Use what they give you by Monoman · · Score: 1

    They should be explicitly banned from using anything other than the official email for official duties and only while using supplied equipment. Personal and business communications should be partitioned off from one another. This is how it *should* be but that's not how reality works.

    --
    Keep the Classic Slashdot.
  36. We agree by AF_Cheddar_Head · · Score: 1

    I am referring to "jratcliffe's" attitude expressed in the above posting.

    According to him a government computer should only be used for government business and nothing else. He would probably object to you taking that few minutes to go out to the car to check your personal phone.