Aussie PM Office Calls For Government Ban On Gmail, Hotmail 178
aesoteric writes "The Australian National Audit Office has called on all Australian government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks. The auditor noted that such public email services 'should be blocked on agency IT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure.' Not surprisingly, the move is seen by some as an attempt to prevent a WikiLeaks-style disclosure from occurring."
Why not just block attachments? (Score:2)
Why not just block uploading/downloading attachments from those services? That seems like it would solve the problem for the most part; even if you could hand-type or copy/paste sensitive information, the time to do so would be prohibitive.
Re: (Score:3)
Once this session is in HTTPS how do you determine what's a POST for someone sending text and someone sending data?
The only way to do it would be in the browser and not anywhere in the rest of the network. Simply from a management perspective, this just isn't possible.
Re:Why not just block attachments? (Score:5, Informative)
It is 100% possible and it is done every day.
The proxy terminates the https request and then creates a new https request going out. So yes you can tell if there is POST event. You can tell if it is a file. You may not be able to read the file as it may have separate encryption.
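The check described above, as an added example that is not part of the original thread: once a TLS-terminating proxy holds the plaintext request, the method and Content-Type header are visible, and a multipart/form-data body announces each uploaded file with a filename= parameter in its Content-Disposition. The two sample requests are constructed for this example; the host webmail.example and the paths are placeholders, not real endpoints.

```python
"""Classify a decrypted HTTP request as a file upload or plain form text.

Added example (not from the original thread). Models what a TLS-terminating
proxy can see after decryption. Sample requests are constructed here;
webmail.example and the /mail/* paths are placeholders.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Upload:
    field_name: str
    filename: str
    size: int           # bytes in the part body


@dataclass
class Classification:
    method: str
    path: str
    content_type: str   # media type only, parameters stripped
    uploads: list = field(default_factory=list)

    @property
    def is_file_upload(self) -> bool:
        return bool(self.uploads)


def _split_request(raw: bytes):
    """Return (method, path, headers with lower-case names, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _multipart_parts(body: bytes, boundary: bytes):
    """Yield (part header text, part body) up to the closing delimiter."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        part_head, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        yield part_head.decode("latin-1"), part_body.rstrip(b"\r\n")


def classify_request(raw: bytes) -> Classification:
    """Decide whether a plaintext HTTP request carries a file upload."""
    method, path, headers, body = _split_request(raw)
    ctype = headers.get("content-type", "")
    result = Classification(method, path, ctype.split(";", 1)[0].strip())
    if method != "POST" or not ctype.lower().startswith("multipart/form-data"):
        return result                         # GET, JSON, urlencoded text, ...
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not m:
        return result                         # malformed: nothing to split on
    for part_head, part_body in _multipart_parts(body, m.group(1).encode("ascii")):
        name = re.search(r'(?<!file)name="([^"]*)"', part_head)
        fname = re.search(r'filename="([^"]*)"', part_head)
        if fname and fname.group(1):          # a file part, not a text field
            result.uploads.append(
                Upload(name.group(1) if name else "", fname.group(1), len(part_body)))
    return result


# Constructed sample requests (not captured traffic).
TEXT_POST = (
    b"POST /mail/send HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n\r\n"
    b"to=a%40example.org&body=hello+there"
)

UPLOAD_POST = (
    b"POST /mail/attach HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Content-Type: multipart/form-data; boundary=XyZ123\r\n\r\n"
    b"--XyZ123\r\n"
    b'Content-Disposition: form-data; name="subject"\r\n\r\n'
    b"quarterly figures\r\n"
    b"--XyZ123\r\n"
    b'Content-Disposition: form-data; name="attachment"; filename="figures.xlsx"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"PK\x03\x04binary-goes-here\r\n"
    b"--XyZ123--\r\n"
)

if __name__ == "__main__":
    for req in (TEXT_POST, UPLOAD_POST):
        c = classify_request(req)
        print(c.path, c.content_type, "upload" if c.is_file_upload else "text", c.uploads)
```

The caveat a practitioner should keep in mind: this distinguishes a browser file-picker upload from typed text, which is all a proxy can do generically. Data pasted into a text field (base64 in the message body, for instance) is indistinguishable from prose at this layer, which is why the rest of the thread treats upload blocking as a speed bump rather than a control.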
Re: (Score:2)
This relies on the browser trusting the proxy of course, and the proxy being able to fake being any/all websites.
What sorts of systems can do this at the moment?
I'm interested, because I can see it's possible to build it into an HTTP or HTTPS proxy, but there would be quite a lot of certificate futzing needed to get it working properly.
Re: (Score:2)
I can't completely answer the question, but it's worth noting that the system only works because the same entity has control of both the proxy and the client browser; they can set up their own internal CA if need be. And since the proxy is redirecting everything, trying to bypass it (e.g. running a browser off a USB drive) just means you can't get to anything over SSL.
Re: (Score:2)
You got it in 1. :)
A large enterprise like the government can most definitely have this level of control over the proxy, internal CA and client standard operating environment.
This is actually rather trivial to setup. I can assure you it is used in practice.
Oh, you can use your own browser. You just have to add the CA cert and make sure you use the proxy.pac file that a standard install would use. Some of the weirdo auth mechanisms that some enterprises use can get in the way, however.
Re:Why not just block attachments? (Score:5, Insightful)
This is why nerds will never rule the world. We see an article about Governments blocking mail services with the intention of silencing would-be whistle-blowers, and the first thread is about "wouldn't this be a better way to accomplish that?" :)
Re: (Score:2)
Well, yes and no. One of the first steps in figuring out a fool-proof way to work around damage is to figure out what the damage is, or might be.
Gmail over Tor might work... assuming you can find any Tor peers that aren't yet blocked.
Re: (Score:2)
Interesting. So this turns their proxy into a Man-In-The-Middle-Attack by faking the SSL certificate of the server you are trying to connect?
Re: (Score:2)
This is why self-signed certificates should not be used outside a testing/development environment: anyone who hacks into a proxy at your ISP, anyone running a public internet access service, or anyone on the same wireless network who manages an arp-spoofing attack in order to setup a transparent proxy, or anyone who manages a DNS poisoning attack, can
Re: (Score:2)
Is the software that does this fancy HTTPS interception and fake SSL cert generation typically off-the-shelf, or is it simple enough that companies write it themselves? If off-the-shelf, what would this type of software be called?
Re: (Score:2)
I made one recently, it only took a few hundred lines of python.
Re: (Score:2)
Any Windows machine on a domain can be tricked instantly.
Windows on a domain with enterprise certificate services installed trusts the domain certificate authority by default. The admins can then issue certs from that authority for any domain they like, which will be fully validated by anything using the Windows certificate store ... meaning Internet Explorer by default; Firefox doesn't, which is freaking annoying, and I don't remember what Chrome does. Either way, you just simply only allow IE to be used/
MS Forefront TMG can inspect HTTPS connections... (Score:2)
Have a look at Microsoft Forefront Threat Management Gateway (It's the renamed ISA Server)
It has full support for a man-in-the-middle HTTPS filtering module, with a wildcard certificate creation done for you as part of the wizard (the certificate is usually distributed in Active Directory to the clients)
It does however prompt you that there may be legal issues in your company should you enable the HTTPS filtering without notifying your users, and it also will prompt anyone using the client-side component wit
Re: (Score:2)
Fair enough!
I figured that was the way it would have to be done, as I've made similar programs (just for SSL/HTTPS) myself, was just wondering if there was some clever way that companies worked around the need to have a new CA cert in every browser.
Sounds like a very useful tool for the network admin.
Re: (Score:2)
OK, fair point.
I've seen that technology being used as an anti-virus filter, but never seen it to be able to intercept specific streams. Especially pulling everything apart at the application level....
Re: (Score:2)
IIRC, the POST keyword in the http request is encrypted as well. EVERYTHING is encrypted. How can you tell if it's a file? I mean, everything is a stream of bits. Encrypted in https how can you tell the difference?
Re: (Score:2)
How does it decrypt the traffic? It can't; only the parties in the SSL handshaking can do that, and that is the user's browser and the end server with its certificate.
Other posts on this thread detail how this is possible: You work for company X and go to https://bank.com/. Company X creates a Certificate Authority SSL certificate and installs it on all browsers. When you go to https://bank.com/ the proxy intercepts and pretends to be bank.com by generating a new server certificate for bank.com and talki
Re: (Score:2)
This is only possible if you are forced to use a browser with that CA cert installed, and the company has a proxy or other software/hardware that can essentially do a Man In The Middle attack.
And since the subject of TFA is government-internal government-provided IT services and networks, that's not just feasible, it's easy. If you're on the gov.au internal network, you would be using hardware assets provided by the government for performing government duties. These hardware assets would be administrative
Re: (Score:2)
Ah yes, you need the proxy cert in all your browsers. Short of that, it can't work.
Re: (Score:2)
And if the browser doesn't accept the proxy's cert, the proxy doesn't accept the browser's traffic. Problem solved, all your bits are belong to us.
Re: (Score:2)
(Disclaimer: I resell some Barracuda products to my clients)
As far as I can tell, Barracuda's Web Filter does this. From the section of the help file associated with HTTPS filtering:
[snip]
HTTPS Filtering
You can expand HTTP filtering to include HTTPS filtering. HTTPS traffic can be detected by content category filters and domain filters, as well as by blocking exceptions for all Web traffic, content category filters, and domain filters. This option is disabled by default.
Limitations for enabling HTTPS
Re: (Score:2)
Surely, it will work because it's impossible for someone to encode stuff in Base64 or even Base36 and just paste in the email about 4-8K of characters at a time.
Or maybe it's too hard to just create a 1x1 pixel PNG file in Paint, run copy smallpicture.png+secretdocument.doc fakepicture.png on the command line, and use this picture inline in the email...
Re: (Score:3)
Good luck detecting what is an attachment and when you just "copy/pasted sensitive information in the very body of the email".
Even when blocking Gmail/Yahoo, this still doesn't address leakers using:
a. an HTTP proxy (e.g. to access Gmail).
b. a private mail server
c. a combination of the above (one can arrange for tunneling a totally different protocol through HTTP).
Re: (Score:3)
More accurately, the whole concept is that all email leaving or entering government departments adheres to similar principles as snail mail: that it adheres to the standards set forth by each department with regard to record keeping and content.
Bit of a miss on private email, but then that is the quirk of employer-supplied email versus employer-supplied snail mail. With snail mail, you wrote it on company time, pilfered a stamp, but you used non-letterhead paper and a blank envelope, and nobody really cared di
Re: (Score:2)
Gmail forces HTTPS these days. Maybe there is an option to turn it off, but it is default. (it used to be the other way around, not too long ago).
Re: (Score:2)
d. a USB stick
e. a printout
Re: (Score:2)
Physical theft scares most people more than electronic since you can easily be caught holding the evidence. A USB stick is relatively easy to conceal ... unless they do searches in and out.
A print out? Anything of a size to be worth while is going to be big enough to be obvious that you're taking it out of the building.
In the end, however, it's mostly the mental component that makes people do an electronic transfer rather than sneakernet. Since they can't see the data flowing out, they have less fear of
Re: (Score:2)
I would think this is also to stop people from using their personal email accounts on the taxpayers time.
Re: (Score:2)
So people shouldn't have breaks? I thought you wanted productive employees.
Re: (Score:2)
Nice strawman. I never said anything about denying people breaks.
Re: (Score:2)
So people should have breaks, but be blocked from using personal email accounts during them, why?
Re: (Score:2)
No they shouldn't at all be blocked from using their own email. I send and receive emails all the time when on break, however I use my own equipment for that.
Why should your employer allow you to use their system for anything other than the work they pay you for?
Re: (Score:2)
Why should your employer allow you to use their system for anything other than the work they pay you for?
Because they are paying you to be in the office, not renting your fucking brain and soul for every second you're there.
Re: (Score:2)
No they are paying you to do a job. What they are not paying you for is to use their equipment for your own personal activities. If you want to check personal email do it from your own system or not at all. Next you'll be wanting to borrow a company vehicle to help you move house.
Re: (Score:2)
No, please let this be. This cracks me up. This is like closing a pinhole leak in a door but leaving the door open. The site suggests filtering of inbound and outbound emails, even though anyone leaking things who knows what they are doing will get around that incredibly easily.
Steganography, easily done without using steganography. Rename a file to a different file type, and send it to someone. Done.
Re: (Score:2)
I don't know what software you use for virus scanning and such, but nothing they would use to filter files is going to give a flying fuck what the extension is. Content scanners realized in the 90s that file extensions don't mean jack shit.
Re: (Score:2)
bahahahahaha seriously? Go look around.
You know what content scanners depend on? Knowing the type of content. You don't even need an extension to mask that.
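The two claims traded above (a content scanner keys on the bytes, not the extension; and the "copy smallpicture.png+secretdocument.doc fakepicture.png" trick from earlier in the thread) can be shown together. This is an added example, not code from the original thread: it sniffs a type from leading bytes regardless of filename, and for a PNG it walks the chunk list and reports whatever sits after IEND, which is exactly where a concatenated document ends up. The PNG and the "secret document" are constructed in the block; the MIME labels are my own choice of names.

```python
"""Identify a file by its leading bytes and spot data appended after a PNG.

Added example, not from the original thread. Inputs are constructed here:
a valid 1x1 PNG, a stand-in for a legacy OLE .doc, and their concatenation.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Leading-byte signatures; checked in order, so longer prefixes come first.
MAGIC = [
    (PNG_SIG, "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),                                  # also docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),  # legacy .doc/.xls
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-elf"),
]

# What an extension claims; used only to report a mismatch, never to decide.
EXT_TO_MIME = {
    "png": "image/png", "pdf": "application/pdf",
    "zip": "application/zip", "docx": "application/zip", "xlsx": "application/zip",
    "doc": "application/x-ole-storage", "xls": "application/x-ole-storage",
    "exe": "application/x-dosexec", "txt": "text/plain",
}


def sniff_type(data: bytes) -> str:
    """Return a MIME type from the leading bytes, ignoring any filename."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 RGB PNG: IHDR, one IDAT scanline, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list and return everything after IEND (b'' if clean)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")


def inspect(filename: str, data: bytes):
    """Return (sniffed MIME type, list of findings) for one file."""
    sniffed = sniff_type(data)
    findings = []
    if sniffed == "image/png":
        tail = png_trailing_data(data)
        if tail:
            findings.append(f"{len(tail)} bytes after IEND, inner type {sniff_type(tail)}")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_MIME.get(ext)
    if claimed and claimed != sniffed:
        findings.append(f"extension .{ext} claims {claimed}, content is {sniffed}")
    return sniffed, findings


# Constructed inputs: a clean PNG, a fake legacy .doc, and the concatenation.
CLEAN_PNG = minimal_png()
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"pretend OLE document body"
POLYGLOT = CLEAN_PNG + FAKE_DOC

if __name__ == "__main__":
    for name, blob in [("photo.png", CLEAN_PNG), ("fakepicture.png", POLYGLOT), ("notes.txt", FAKE_DOC)]:
        print(name, inspect(name, blob))
```

Renaming the file changes nothing here, which is the scanner's side of the argument; appending to a PNG survives a magic-bytes check but not a chunk walk, which is why a scanner that parses the container rather than just sniffing the first bytes catches the concatenation trick. Neither helps against content that was base64-pasted into the message body.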
Re: (Score:2)
Exactly, shows how little the PM knows about computers and what he is suggesting is going to affect such a broad spectrum of things, although here at work, we block gmail and hotmail, but this is only to avoid too much time spent on those sites, not for blocking uploading and downloading, as we still need to be able to do that for our daily activities.
Re: (Score:2)
Is it? I think that people know how to do forwarding etc. etc.
It seems to me that it's actually easier to block all executable content (flash / javascript etc) and then block file upload/download to / from the browser than it would be to find every possible https based mail service (including my own secret one; which is used only by me personally and even that almost never) which is what you would have to do in order for this to make sense.
Re: (Score:3, Interesting)
Personally I think the first thing that they should do prior to disabling gmail or hotmail is disable USB keys from working on the computers in the network... I'm surprised at how many places haven't locked this down... What's the point of locking down the services if they can just copy whatever information and then email it from home?
Or maybe they should look closer at how they are operating first and try to mitigate the risk by running a clean house and educating staff of the finer points of netiquette "n
Hyperbole much? (Score:5, Insightful)
Now seriously guys, there are bad titles, and there are pathetic ones. This takes the cake as the prime of the prime in the latter camp. You make it sound like they want to ban it in Australia as a whole, while the truth is much more simple and in fact valid. They simply urged the agencies not to use those services. The puzzlement should come from why they are using them anyway.
This was an audit performed on the security of Government data and not an exercise on quashing free speech. FFS aesoteric and samzepous, this was so pathetic that it wasn't even funny.
Re: (Score:2)
Agreed and public servants should have better things to do than ping around personal e-mails all day. While with a proper security model the attachment aspect shouldn't matter for security, in practice it will. Also if you know what the Australian public sector is like I'd be concerned about my tax being used to pay for $50K for "counselling" and "support" to someone after being exposed to a naked pair of breasts in the workplace.
Re: (Score:3)
It seems that many if not most of the American politicians use Gmail/Yahoo from their offices to conduct state business in order to hide from public discovery/Freedom of Information Act requests... Perhaps the U.S. needs policies like this too!
Re: (Score:2)
This is true in the US, as well.
When I was at Los Alamos, you could not access public email sites -- although, you could (back then) access social media sites (Orkut, MySpace etc). Plus, they had blocked off access to all USB ports as well (that was around the time when they had the whole hard-drive missing and found thing going on).
Re: (Score:2)
aesoteric and ..., this was so pathetic that it wasn't even funny.
aesoteric: a user that doesn't post comments, but only stories. And whose web page leads to... itnews.com.au.
It is bound to lead to a double dose of advertising... with luck, the TFA may fall into the "stuff that matters" category, but... how much luck can one have on /. these days?
Re: (Score:2)
ummm...you read TFA? You must be new here ;)
Re: (Score:2)
Dude, I know you oldtimers had the decency not to read the article, but please don't worry. Most of us newcomers didn't read it either. Besides, there's no specific evidence that the GP actually read the article, only that he or she followed the link. And checked the profile of the other user.
Wait, seriously? Slashdot has a user profile section? Whoah, look... all my old comments are there.... ;-)
Re: (Score:2)
How about a new hyperbole? Slashdot editors are trying to control what we see and think. I was getting bored with the usual terrorist and government boogeymen anyway.
Re:Hyperbole much? (Score:5, Informative)
I've worked in quite a few Australian Govt. Departments (Commonwealth and State). In at least three-quarters of them, webmail such as Gmail and Yahoo and Hotmail were ~already blocked~. So this recommendation I suppose is just to pull the few departments that haven't already blocked them, into line.
Re: (Score:2)
Agreed.
In the US, where governmental records are required by law to be kept, using a non-governmental privately-owned system for email that is (a) insecure, and (b) likely not compliant with the necessary auditing and archiving requirements, (c) likely not subject to FOIA, when the email is for official business is against the law in many states in addition to being just outright stupid. As in ex-Gov. Palin stupid, remember?
There is no reason for the government employees to be using GMail or Hotmail for th
Re: (Score:2)
Says the guy posting to slashdot from work.
What where they thinking? (Score:4, Informative)
In the private sector I have been doing this for years, because of security. If a user wants to access his Gmail/private mail he can use his mobile, not my network, and if management agrees I would place a shared system in areas that are on a separate network for such uses.
"Allow all, block some" firewalls don't work (Score:2)
If I want to get a file off a computer with Internet access, it WILL happen.
Re: (Score:2)
If I want to get a file off a computer with Internet access, it WILL happen.
Perhaps. But if your employee handbook forbids it, the vast majority of file sharing sites and email sites are locked down, your USB port is disabled, and you can't burn CDs or DVDs, your machine is locked down and can't join an unauthorized WiFi network, your Bluetooth is disabled, and there's an application firewall that proxies (and inspects) your SSL packets, a DLP engine scanning your outbound mail through company servers, and 20 other things that can be done... guess what, your IT security team has do
Re: (Score:3)
And it, like everything else, is vulnerable to the "analog hole". Yes, I know that at high security installations people are searched upon entry for cameras and audio recording devices, but unfortunately, the advance of technology makes it likely that it will eventually be trivial to conceal such devices from most kinds of search equipment (in general, the smaller something is, the easier it is to conceal it).
Ah yes, the good ol' a-hole vulnerability. And a micro-SDcard dipped in vaseline.
Beat around the.. (Score:2)
Obviously they can't come out and say directly that Google doesn't protect you from CIA BS, nor from the CIA's Wikileaks media outlet. They would be considered conspiracy nuts (as you consider me after reading this).
Very Short Blacklists (Score:2)
There are literally more than 290.000.000 ways to upload data to the internet. Blocking 2 gets you a list of 289.999.999 ways. On top of that, people can use their phones, USB drives, etc.
Proper safety stuff is *nothing* like that.
Anyway, it could be a first step in a "defense in depth" protection, to achieve 2% or 5% more protection.
Re: (Score:2)
Actually, it's 289999998.... best to leave out the commas and decimal points entirely when speaking to a global audience.
Just sayin'
Re: (Score:2)
Actually, it's 289 999 998
If you're going to be a pedantic prick at least try to be correct. ISO 31-0
Re: (Score:2)
No way ... reading long numbers without thousands separators (whether dots or commas or spaces) is hard :(
Re: (Score:2)
Wow, you suck at understanding English words.
it is not unusual for companies to block webmail. (Score:3)
Non-IT people making IT decisions. (Score:3)
I don't have to mention how much of nothing this solves.
The real issue is non-IT people making IT decisions.
Maybe IT people making IT decisions. (Score:5, Insightful)
There's also the archiving problem. An important email sent to or from hotmail may disappear into a black hole never to be seen again within a year so you are out of luck if you want the information in it after that date.
Then there's the "paper trail". We wouldn't have had so much on Poindexter and North selling weapons to terrorists (Hezbollah via Iran after Hezbollah killed all those US Marines) if their emails hadn't been on the backup tapes. That's one reason why places have rules about not using Hotmail etc.
Finally, gmail may be stable but if you are a University that has outsourced your students mail to hotmail and a stupid internal Microsoft DNS error prevents them getting email your trouble ticket gets put in a queue for a week before it gets fixed. That's for paying customers. Lost mail and no access for over a week. Now consider how those on free accounts are going to get treated when things go wrong.
It really is quite stupid to rely on it for anything work related if you want to pretend to be any sort of professional organisation.
Re: (Score:2)
Where did you come up with this? Many corporations in the US block external mail sites - in fact, the one I work at does. It's quite simple - to keep proprietary and classified information from inadvertently leaving the company. It's amazing what people think is information that can be publicly shared. Restricting webmail, and forcing everyone to use the company e-mail, cuts down on the number of leaks. Of course, you can still use your iPhone or Blackberry or Android in the office for personal stuff, the ide
Re: (Score:2)
"there are over 190 countries on the WORLD WIDE web each with their own mail sites, I doubt that even 10% are blocked."
Like China? Libya? Iran? Iraq? Egypt? Afghanistan? Russia? North Korea? Vietnam? Venezuela?
Doesn't GMail block executable attachments? (Score:2)
And scan all email for viruses and malware? I've never so much as had a peep from anything I've gotten in GMail in 5 years.
This already happens (Score:2)
Pointless (Score:3)
Re:Waste of Time (Score:5, Insightful)
The real problem with Gmail, Yahoo, MSN or whatever is that it isn't the government's server, and there are lots of requirements for archiving and providing an audit trail for government business that Gmail cannot (and shouldn't) provide.
IT is more than just putting up a webpage and sending messages; it is also ensuring accountability and security. Free web mail is fine and even preferable for private stuff, but when it comes to government work we demand a certain accountability and security, and rightly so. Perhaps people do private messages at work, but this is damn hard to filter, and in general on taxpayers' time you have no right to be doing private correspondence on government payroll and equipment.
From the worker's point of view it might seem a hassle, but try to look at it from the administrator's point of view. Those blocks are there for a reason, and the audit trail is there for a reason. Remove the audit trail and it would be close to impossible to make any sort of investigation into who stole the last $10,000 from the government till, who influenced whom in the last bid, and who approved what by which contacts.
People aren't perfect, company and government policies even less so, but there is often a reason for the policy even if it is implemented wrongly.
Go and hug your IT admin today, you'll find it easier to get your job done
Re: (Score:2)
Aside from the fact governments seem to have a hard time hiring quality people, keeping them motivated, and firing or encouraging them to move on when they get burnt out, one would hope most government employees are professionals. You hire a professional to do a job. That job may take 30 or 40 or 50 hours a week. To a cert
Settle down mate. (Score:2)
Re: (Score:2)
Um, as an Aussie, we don't feel that "Aussie" is in any way insulting.
As an ex-Canadian I also did not feel any shame in being called a Canuck.
I assume you must be a Yank. 'Cause if I was a Yank I would be insulted.
Re: (Score:2)
As an American I can say with the utmost certainty, we tend to get offended at any nickname given by someone other than a close friend, regardless of why it was given, term of endearment or insult.
I don't really know why, I've been wondering that for the last several years myself. It seems that our struggles with racism seem to focus more on the name calling than the actual bad things that were involved with it. I think it may possibly be because if we focus on the names we can trick ourselves into forge
Yank (Score:2)
Or even more insulted if you were called a seppo.
Re: (Score:2)
You're way off base there. "PM" is used throughout the former British Commonwealth as semi-official short-hand for Prime Minister, and Aussie is a badge worn with pride. "Aussie PM" in particular is published in newspapers every single day.
I'm sure the PM herself would be horrified at the suggestion that the term was anything to be ashamed of.
Re: (Score:2)
Not how it works in Oz; politicians are the lowest form of life, lower than amoebae, racists and Fremantle Dockers fans.
We like it this way; they tend not to get delusions of grandeur like pollies in the States.
Well that's how you get most articles published. How many articles go "Obama $
Sit down and have a nice cuppa tea (Score:2)
Have you ever met, in person, an Australian Prime Minister? Back in 1988, I was a guest at the Parliament House Christmas party put on by the Labor Party for Parliament House staff. While I was having a cold beer, up comes an older man, magnificent head of silvery-gray hair, with a glass of orange juice and a big cigar.
"G'day mate, I'm Bob", he said, offering his hand
I shook his hand and replied, "G'day Bob, I'm Ken."
That's how Aussie PM's should interact with other Aussies. I would hope the current Auss
Re: (Score:3)
It's the Australian Prime Minister.
I assume this article was submitted by an Australian, and to that person I would say you need to get a little self-respect.
It's not insulting, it's a compliment.
I'm an Aussie, and I bear the term proudly. I am also proud of our long, rich heritage of not having sticks up our collective arses. Now an expat, I often refer to home as "Oz" and fondly tell stories like that of Bob Dwyer having to apologise to the Queen in 1991.
But referring to the highest office in the land, or any other official government entity for that matter, as being 'Aussie' is just insulting.
PM or not, she bloody well better be an 'Aussie' first.
No, you would refer to him as the US President or more likely just the President, or Obama, even if you hated his guts. To do otherwise is to insult the American people.
According to large portions of the American people, Obama is a terrorist and G.W. Bush was retarded, so I'm not quite sure what you're trying to convey to that Australian who needs "a little s
Re: (Score:2)
Most people would've shortened that to "Yank Prez" and it's a perfectly cromulent way for a foreigner to refer to a US president, since we ourselves often refer to the president as "da prez" informally.
I'm sure Australians rarely refer to the "australian X" in their government though, since it's quicker to just say, "the X" Adding the qualifier when it doesn't really need to be qualified seems a little patronizing.
Re: (Score:2)
Mod parent up +1 Informative. Would do it myself (I have points) but I already posted on this thread.
Re: (Score:2)
The government isn't telling its citizens what they can and cannot do. This is just an employer directing its employees what they are not permitted to do while at work using the employer's equipment and facilities. Just about every employer will do that. So what's your problem?
Re: (Score:2)
You just don't get it. You don't.
This is about gov't workers on gov't time using gov't machines. Understand? You can get back to us when they start using secret police to arrest those using free email services, or bombing crowds, or oppressing women, or being ruled by a "royal family" through a theocracy, or....... never mind. You lose.