Slashdot Mirror


Outgoing White House Emails Not Protected by Verification System (axios.com)

The security advocacy group Global Cyber Alliance tested the 26 email domains managed by the Executive Office of the President (EOP) and found that only one fully implements a security protocol that verifies the emails as genuinely from the White House. From a report: Of the 26 domains, 18 are not in compliance with a Department of Homeland Security directive to implement that protocol. Imagine the havoc someone could cause sending misinformation from a presidential aide's account: Such fraudulent messages could be used in phishing campaigns, to spread misinformation to careless reporters, or to embarrass White House employees by sending fake tirades under their names.


  1. SubjectsSuck by aardvarkjoe · · Score: 5, Funny

    Imagine the havoc someone could cause sending misinformation from a presidential aide's account:

    Imagine the havoc someone could cause sending misinformation from the President's Twitter account! ...on second thought, not much imagination required.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    1. Re:SubjectsSuck by Oswald McWeany · · Score: 3, Insightful

      They'd be indistinguishable.

      Usually, phishing e-mails can be identified by misspellings and poor grammar. In Trump's case, if an e-mail was sent with correct spelling and grammar it almost certainly wasn't from the real President.

      --
      "That's the way to do it" - Punch
  2. It's e-mail, it's never going to be 'secure' by guruevi · · Score: 4, Interesting

    There is this checklist that pops up here on Slashdot once in a while. There is no way of making e-mail secure. Yes, I could send an e-mail from obama@whitehouse.gov from my personal e-mail server and nobody would be able to prevent it. There are ways of verifying, but all parties have to agree on the method of verification and how that is done depends on whether you're Yahoo, Microsoft or Google.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:It's e-mail, it's never going to be 'secure' by Thruen · · Score: 4, Insightful

      Your front door isn't truly secure, it can be knocked down. Does that mean you shouldn't lock it? Does that mean the President shouldn't lock his doors?

      Personally, I feel like even if a problem can't be entirely avoided, it makes sense to put a reasonable amount of effort into reducing the chances of that problem occurring. Seems like most folks agree considering how often people lock their doors. I suspect you agree, too, but decided to throw logic out the window on this one for whatever reason. The fact that one of these domains was better protected tells us more could've been done to protect the others, and I don't think it's unreasonable to ask an administration that has stressed the importance of email security as much as this one has to put that little bit of effort in.

    2. Re:It's e-mail, it's never going to be 'secure' by blane.bramble · · Score: 3, Informative

      Not strictly true - that SPF record says to treat a failed result as suspicious, not to reject it, so email servers will accept it and usually treat it as having a higher spam rating.

    3. Re:It's e-mail, it's never going to be 'secure' by mysidia · · Score: 2

      but all parties have to agree on the method of verification

      That's why we have standards, and the applicable standard is called DMARC, which involves implementing an SPF policy in the DNS zone, DKIM message signing, and a DKIM policy in the DNS zone, and signing the DNS zone using DNSSEC.
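
Added example, not part of the thread or of any commenter's post: a small Python checker for the two DNS TXT records discussed in the comments above, showing how an SPF `~all` (softfail) differs from `-all` (fail) and how a DMARC `p=` tag tells receivers what to do with failing mail. The function names, the `example.gov` domain and all sample records are assumptions constructed for illustration.

```python
# Added example; every record below is a constructed sample for example.gov.
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_result(txt):
    """Result an SPF record assigns to senders no other mechanism matched."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # not an SPF record
    for term in terms[1:]:
        qualifier, mech = ("+", term)  # a bare mechanism means '+'
        if term[0] in SPF_QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # no 'all' term (redirect= is not followed here)

def dmarc_tags(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, or None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    return tags if next(iter(tags), None) == "v" and tags["v"] == "DMARC1" else None

def posture(spf_txt, dmarc_txt):
    """Summarise what receivers are asked to do with mail that fails checks."""
    tags = (dmarc_tags(dmarc_txt) if dmarc_txt else None) or {}
    policy = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy in ("quarantine", "reject"):
        level = "enforced" if pct == 100 else "partially enforced"
    elif policy == "none":
        level = "monitor only"
    else:
        level = "no DMARC policy"
    return {"spf_unlisted": spf_all_result(spf_txt) if spf_txt else None,
            "dmarc_policy": policy or None, "level": level}

SAMPLES = {  # constructed (SPF record, DMARC record) pairs
    "softfail only": ("v=spf1 ip4:192.0.2.0/24 ~all", None),
    "monitoring": ("v=spf1 ip4:192.0.2.0/24 ~all",
                   "v=DMARC1; p=none; rua=mailto:reports@example.gov"),
    "enforcing": ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject; pct=100"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(f"{name:14} {posture(spf, dmarc)}")
```
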

    4. Re:It's e-mail, it's never going to be 'secure' by houghi · · Score: 3, Interesting

      If only there were some sort of General Purpose Guard or some sort of Public Guarding Preference.

      And secure does not mean secret. It means verifiable. I want to know if the email is from my bank or from a phishing site.

      --
      Don't fight for your country, if your country does not fight for you.
  3. misinformation from a presidential aide's account by Patent Lover · · Score: 3, Insightful

    How would this be any different than normal?