Department of Defense Now Blocking HTML Email

Zonk posted more than 7 years ago | from the nuke-them-from-orbit-only-way-to-be-sure dept.

Security 262

oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin. A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."

262 comments

Good call (4, Insightful)

MostAwesomeDude (980382) | more than 7 years ago | (#17355618)

Reduced bandwidth, fewer entry vectors, less spam entering mailboxes. I guess the only losers are the people who send those annoying Flash giftcards through email.

Re:Good call (1)

banerjek (1040522) | more than 7 years ago | (#17355678)

I guess the only losers are the people who send those annoying Flash giftcards through email.
Nahh.... There are plenty of losers everywhere. ;)


That aside, I wonder how many products the military already uses send HTML email. Not all email originates from ordinary mail clients.....

Re:Good call (3, Informative)

Anonymous Coward | more than 7 years ago | (#17355822)

I for one certainly don't miss the annoying pink backgrounds and purple text. But, you forget that a lot of internet based applications send out emails. So you should really include the developers in the losers category here.

I don't know how many email templates I've gone though in the past week converting them to be plain text (where necessary). This mainly applies to processes that include sending tabular data to a person.

Re:Good call (1)

tehwebguy (860335) | more than 7 years ago | (#17356498)

"So you should really include the developers in the losers category here."

which raises the question: why don't they just strip html out instead? it will probably require more work to make sure nothing gets through, but i think that it might be worth it.

Re:Good call (1)

Marcion (876801) | more than 7 years ago | (#17356176)

End of HTML email? That would be my Christmas present sorted!

P.S Merry Christmas to all you Slashdotters, Linux users, MS fan boys and Trolls.

Too late... (3, Funny)

myowntrueself (607117) | more than 7 years ago | (#17356194)

the only losers are the people who send those annoying Flash giftcards through email

Don't worry, they were already losers!

Re:Good call (3, Interesting)

xdc (8753) | more than 7 years ago | (#17356268)

Yes, this was absolutely the right choice. I just wonder what took them so long!

I also wonder when other organizations will follow suit.

As They Should (5, Insightful)

deKernel (65640) | more than 7 years ago | (#17355648)

This I guess will just show my age, but I am soooo OK with this. Email should be just text, period. I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.

I guess I should get back to chiseling my notes on stone slabs now.....

Re:As They Should (0)

Anonymous Coward | more than 7 years ago | (#17355700)

I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.

I guess I should get back to chiseling my notes on stone slabs now.....


That's five dots. With ellipses, you either use three dots within a sentence, or a period (often followed by a space) and then three dots.

Re:As They Should (4, Interesting)

MobileTatsu-NJG (946591) | more than 7 years ago | (#17355816)

"Email should be just text, period."

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground established at some point. You know... pretty text, no exploits. Well, I can dream. In the mean time, gotta give kudos to GMail. One of my favorite features is that it disables images until you turn them on. That's a feature Outlook 2000 could have used.

Re:As They Should (1)

whoever57 (658626) | more than 7 years ago | (#17355844)

When I first started using email, it was only within the company's WAN. Most people had exactly the same model of printer, so I figured out how to embed printer control characters into emails to make parts appear bold or in italics when printed (most employees printed out their email to read it at that time)

Re:As They Should (5, Funny)

Anonymous Coward | more than 7 years ago | (#17355916)

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground established at some point. You know... pretty text, no exploits. Well, I can dream.



I think that you have /really/ hit the nail on the proverbial head there. To make plain text emails usable we need a STRONG and well defined _SYNTAX_ for visually communicating "text style". Until then, this email thing will _never_ catch on.

Re:As They Should (3, Insightful)

xTantrum (919048) | more than 7 years ago | (#17356258)

you know i used to read /. for the interesting perspectives of the fellow geeks on here, but i've given up. I now read it for the comedians. wish i had my mod points.

Re:As They Should (2, Interesting)

value_added (719364) | more than 7 years ago | (#17356426)

I think that you have /really/ hit the nail on the proverbial head there. To make plain text emails usable we need a STRONG and well defined _SYNTAX_ for visually communicating "text style". Until then, this email thing will _never_ catch on.

LOL. If the OP wants bold and underlining in his emails, I'd suggest he starts with reading

T^HTh^Hhe^He M^HMu^Hut^Htt^Ht E^HE-^H-M^HMa^Hai^Hil^Hl^HCl^Hli^Hie^Hen^Hnt^Ht

Personally, I'd find that annoying, like every other attempt to be interesting, or creative or otherwise expressive. Look folks, many of us read hundreds of emails per day. Subscribing to few mailing lists and we're looking at thousands.

Do we really need or want anything other than standard messages? The content of an average message is just a few sentences. What people send out, on the other hand, is somewhere between unnecessary and absurd. And all of it (at least in a corporate setting) gets stored and archived.

Re:As They Should (2, Interesting)

dkf (304284) | more than 7 years ago | (#17356018)

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground established at some point.
You should be aware that there has been such a format [wikipedia.org] for quite a while, using the MIME type of text/enriched. I used to receive quite a few emails that used it (no, I don't remember what the originating client was and I'm not interested in looking it up right now) but it never seemed to catch on more widely. (At a wild guess, that's because Outlook didn't generate it; yet another opportunity missed by those geniuses at Microsoft...)

Microsoft RTF (was text/enriched) (1)

MillionthMonkey (240664) | more than 7 years ago | (#17356302)

I remember getting an RTF-formatted email from my ISP back in 1995, when you would actually see RTF in the wild.

I chose RTF as the format for my reply. I thought that was reasonable. (I forget what mail client I was using- maybe Eudora.)

They wrote me back, again in RTF.
"WTF is this? We can't open it."

No, not WTF.
Microsoft RTF.

Re:As They Should (1)

Arker (91948) | more than 7 years ago | (#17356348)

There was such a thing, but MS decided it wasn't exploitable enough and declined to use it. Look up text/enriched.

Re:As They Should (0)

Anonymous Coward | more than 7 years ago | (#17356546)

A side note on your comment about formatting.

In the tech support field, we often take calls from our users that sent a nice pretty email but the recipient saw something not quite the same. All it takes is an email client that is not Outlook or even the recipient to have a different screen resolution and the formatting is different. The same thing happens with Word documents when the recipient has a printer with different margins than the sender has. Well that footnote was supposed to be on page 2, not page 3 or I sent them a 410 page document and they got a 411 page document. I want you in IT to fix it for me NOW!! I'd love to tell them use PD fucking F.

Another somewhat unrelated note about email is the concept of read receipt and the email recall function with Exchange/Outlook. IT takes a lot of heat because some lawyer tried to recall a document to a client but it was not recalled "correctly" or they did not get a read receipt so I have to troubleshoot the issue for them. Here's an idea, call the fucking guy and ask him if he got your email! We have NO control over those things once it leaves our walled environment. Maybe we do have a training issue, or a lack of training issue and we should explain to our users how the system works. I know that sounds great but no one is going to want to listen to IT give a speech about email operation, believe me, we tried.

Even further off topic but along the lines of formatting is the user that gets a MDB or some type of DBF file as an attachment and wants it "printed".

Re:As They Should (2, Funny)

pchan- (118053) | more than 7 years ago | (#17355818)

But I just finished writing this inspirational xmas email in 32-point Comic Sans font with animated gifs of kittens and reindeer and attached 30-meg screensaver that I was going to send to Everyone@dod.gov

Be... all that you can be... in ASCII (1)

MillionthMonkey (240664) | more than 7 years ago | (#17356054)

All I can say is, the war in Iraq must be going really badly if the DoD is this desperate for additional recruits.

Better yet, just pitch all the email...... (2, Insightful)

banerjek (1040522) | more than 7 years ago | (#17355652)

At least then people will know why their email never got through. So many people use HTML email without being aware of it and don't realize that's what makes formatting possible.

Although the focus is on Outlook, it seems like there's an outside chance there may be other clients and web interfaces (namely all of them) that are vulnerable to most of the same problems....

Re:Better yet, just pitch all the email...... (4, Informative)

Sepodati (746220) | more than 7 years ago | (#17355726)

It still makes it through, it's just converted to plain text according to the article.

---John Holmes...

Doesn't that break digital signing? (4, Interesting)

khasim (1285) | more than 7 years ago | (#17356064)

If the content of the message is changed, isn't the digital signature invalidated?

Or is the DoD just skipping the concept of digitally signing email?

Re:Doesn't that break digital signing? (2, Informative)

WED Fan (911325) | more than 7 years ago | (#17356172)

If the content of the message is changed, isn't the digital signature invalidated? Or is the DoD just skipping the concept of digitally signing email?

The content doesn't change, just the rendering.

The HTML determines the rendering. (3, Insightful)

khasim (1285) | more than 7 years ago | (#17356192)

If the HTML is stripped from the body of the message, that means that the content of the message has changed from the context of the digital signature.

Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.

Re:The HTML determines the rendering. (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17356378)

Yep. S/MIME signs the whole package including the MIME headers. "Demime is designed to break signatures" [squawk.com]. Not sure, but it looks like PGP/MIME has the same problem.

You could still sign plain text and send that. Or send an attachment with a detached or builtin signature. Microsoft Word documents could have a signature and timestamp through the USPS Electronic Postmark system.

Re:Doesn't that break digital signing? (3, Insightful)

emurphy42 (631808) | more than 7 years ago | (#17356314)

How many people do you really think there are who (1) write HTML messages and (2) even know what digital signing is, much less use it?

Re:Doesn't that break digital signing? (0)

Anonymous Coward | more than 7 years ago | (#17356500)

Well, by direction all DOD folks are supposed to digitally sign emails if they are providing direction or critical information to others. In addition, they are supposed to encrypt emails if they contain sensitive info. Problem is that encrypting has the bad side-effect of rendering the email unreadable via OWA, which represents the only email access for quite a number of DOD users. Given that the direction to start signing emails was part of the INFOCON directive, it's not hard to jump to the conclusion that there is an ongoing problem of spoofed emails. The problem of non-repudiation of email has always existed of course, but seems to be getting special attention lately. Ironically the ability to centrally manage email certificate via AD and handle all the certificate publishing, etc required for encryption are the reasons why Exchange/Outlook were chosen as the DOD standard in the first place. They initially standardized on Netscape, but Netscape didn't really support their requirements and the Netscape developers had no interest in making the product fit their needs.

Re:Better yet, just pitch all the email...... (0)

Anonymous Coward | more than 7 years ago | (#17356312)

No. It's Outlook. Microsoft borked the security (again, still, ongoing, and will again tomorrow). Every one else is just fine. Don't blame everyone for Microsoft's screwups. They did badly and were named singly, because they screwed up singly (they are responsible for their own bad products). I am quite tired of people blaming 'the computer industry' for Microsoft's screwups. Outlook is a Microsoft product, and it has problems. Quickly saying 'oh, everyone else' is junk. There are other companies that take security more seriously (sure, at the expense of profits), and there is other software out there whose sole purpose is quality and functionality (profits are not the main goal, quality software is). They aren't blaming other people for this, they are blaming Microsoft, as they should. Please don't try to dull the blame directed toward Microsoft, they have been let off the hook millions of times by millions of people over decades. ENOUGH I SAY!

I like some HTML email (1)

kwilliam (919560) | more than 7 years ago | (#17355660)

I find HTML email useful for sending friends pictures with annotations, and I find numbered and bulleted lists useful visual aids for organizing information.

That said, Javascript should obviously be banned, and I wouldn't care if CSS wasn't supported. (CSS can be used to hide things deceitfully.)

Basically, I'd like to see BBCode used for emails, lol!

Re:I like some HTML email (3, Insightful)

commodoresloat (172735) | more than 7 years ago | (#17355784)

Put the pictures on a web page and send your friends a link to the web page. I can't stand getting pictures via email. If you must show me a photo of your new kid, put it on a website and send me the link. I still won't look at it, but I'll respond telling you how cute he/she is and we will both feel better. As for bulleted lists,

* what
* the
* hell
* is
* wrong
* with
* asterisks?

Re:I like some HTML email (1)

EvanED (569694) | more than 7 years ago | (#17355894)

Nothing is terribly wrong with asterisks, but <ul>-formatted lists look nicer. (Especially if you have multiple lines with a proportional font, because then it gets indented correctly.) Just like nothing's wrong with writing bold text with *blah* and similar things, but the html version is still better looking.

Re:I like some HTML email (3, Insightful)

commodoresloat (172735) | more than 7 years ago | (#17356342)

I don't see the point of taking security risks and wasting bandwidth on email that "looks nicer." You want a nice looking email, format it as a webpage, and send your friend a link to the web page. Or print it out and stick it in the post box. My email program is instructed to display all email as text only and if it is full of crappy html that isn't filtered out, I hope it wasn't an important email because I deleted it. But I shouldn't have to bother; this junk should be filtered out at the server level and I'm glad the DoD at least recognizes that email security is more important than how nice it looks. I only wish my university would do the same :) Don't get me wrong, I love html, but it's not made for pretty-ing up email. It's made for hyper-text, which email should not be. Most email programs allow you to follow links that are part of an email message pretty easily, so what's wrong with sending the link to your browser?

Re:I like some HTML email (0)

Anonymous Coward | more than 7 years ago | (#17355906)

Put the pictures on a web page and send your friends a link to the web page.
Two words: "Web bug." HTML in email is just plain Evil. I'm hoping a couple of large corporations follow suit--maybe that'd finally spell the doom of the abortion that is HTML email.

Re:I like some HTML email (1)

LiquidCoooled (634315) | more than 7 years ago | (#17355862)

I agree with this.
A basic text formatting subset of HTML to help get the message across without any of the risks of full DOM support.
Slashcode handles bold and italic and lists (I think) and a few others but anything else is culled.

I feel dirty whenever I have to switch from flat-text mails.
The way Outlook shares its email HTML properties with explorer gives me the shivers.

Re:I like some HTML email (1)

glitch23 (557124) | more than 7 years ago | (#17356606)

If you want to send pictures with annotations but not use HTML then do what I've seen ignorant people do a few years ago which was to put all pictures in a Word document because they thought that is how you stored pictures, then they would send the Word doc in an email. At that point my jaw would drop as I asked them why didn't they just send the picture itself.

Stupid (3, Interesting)

Nicopa (87617) | more than 7 years ago | (#17355686)

That's stupid. The problem is not with HTML mail (which is generated by many people unknowingly). They could just standardize on a safe mail program, with some mandatory defaults. They could force the use of a modified version of Thunderbird forcing the (already existing) option of "Disable JavaScript" off. Another interesting Thunderbird feature is the ability to "sanitize HTML", that is, remove from the HTML view anything that isn't strictly formatting (paragraphs, bullet lists, etc.).

Re:Stupid (4, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17355744)

But even without Javascript there are still web bugs, image file parsing exploits, and remember what engine is probably parsing the HTML on a Windows client. A "safe" email client is one that disables most of the features of HTML, and unless it's guaranteed to catch everything dangerous then it's safer to prevent HTML in the first place.

Up-to-date patches would mitigate those, but do you think somebody might be saving some zero-days for the DoD?

Re:Stupid (1)

LiquidCoooled (634315) | more than 7 years ago | (#17355890)

One question about Outlook that now would be a good time to ask:

Does it still Render the mail in a HTML window even when you switch to flat text, or is it another rendering control?

Kind of like the difference between a multiline Text box, and a RichText control.

Re:Stupid (1)

Stumbles (602007) | more than 7 years ago | (#17355760)

No, it's not stupid.... doing nothing is stupid. The simple fact remains. No matter what client you're using, be it proprietary or some open source variety all the nasties that can be placed in HTML is simply a hassle to block. Sure you can run things like spamassassin, razor and any number of things but those are just extra things that have to be maintained, updated, etc. The simplest is to dump HTML altogether. I have never been a fan of HTML email because it's a colossal waste of bandwidth.

Re:Stupid (1)

Belial6 (794905) | more than 7 years ago | (#17356182)

I have never been a fan of HTML email either, but I think the 'waste of bandwidth' argument is long dead. Even a dial up modem has plenty of bandwidth to handle HTML email.

Re:Stupid (1)

headkase (533448) | more than 7 years ago | (#17355836)

What's stupid is that they were not aware of the obviously better solution you know of. That's where targeted information needs to be supplied. Google is everyone's friend but sometimes it's still not easy enough to find the answers to your specific situation. The challenge being connecting the right answers with unknown information in the search queries. Google's next biggest challenge is finding what you didn't know you needed!

Re:Stupid (1, Insightful)

Metshrine (674200) | more than 7 years ago | (#17355900)

Thunderbird is a better solution here? I don't think so. People bad mouth outlook/exchange all the time, especially on /., however, in the case of most large enterprises (DoD especially), t-bird simply doesn't fit the bill. Outlook/Exchange offer so many more features and functions that most larger businesses and corporations use that t-bird doesn't even begin to fit into the same realm.

Do you honestly think the DoD is going to move from a platform which supports every feature they currently utilize (I know, I am in the US Army) to one which doesn't have support for basic things like calendaring, public folders, centralized rules administration, and various other features that simply aren't available in this "better solution"? Thunderbird is not ready for the enterprise, nor will it be anytime soon without support for exchange/domino connectivity.

I am all for using open source, but when it doesn't fit the bill, I am not afraid to say that it won't do the job. Thunderbird is good for home use, but for corporate use (especially in a large entity like the DoD), it's just sub-standard and lacking in the necessary areas. The fact of the matter is that you can't even access an exchange server with T-Bird.

Re:Stupid (1)

@madeus (24818) | more than 7 years ago | (#17356116)

I quite agree. I am typically not in favour of reducing functionality for increased security when there are viable alternatives, but disabling HTML email seems like a smart move in this case. It's simple and unlikely to be really inconvenient and it's had numerous problems for ages, I'm more a bit surprised they are only doing this now (personally I would have started with it off in an environment like the DoD).

While it's true that many users unwittingly generate HTML email, pretty much all clients that do generate plain text versions too (using MIME/multipart) - it's easy to configure a mail server just to strip the HTML parts (not sure about Exchange, but certainly with something like Exim). Of course if Microsoft took a better approach to handling potential issues like this (by handling HTML messages better by default), I don't think anyone would have even seen HTML formatted messages as a risk (though they'd still be inconvenient in some other scenarios).
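
Two points from this thread, stripping the HTML alternative at the mail server and khasim's earlier question about what that does to a signed message, as an added Python example that is not from any commenter and not a description of the DoD's gateway. The sample message, its addresses, the placeholder signature blob and the names `parse`, `to_plain_text` and `html_to_text` are all constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample: an S/MIME-style multipart/signed mail wrapping a
# multipart/alternative body. The HTML part carries a remote image (a "web
# bug") and a script. The signature blob is a placeholder, not a real one.
SAMPLE = """\
From: sender@example.org
To: user@example.mil
Subject: Holiday schedule
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig"

--sig
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: text/plain; charset="utf-8"

Office closes at noon on Friday.
--alt
Content-Type: text/html; charset="utf-8"

<html><body><p>Office closes at <b>noon</b> on Friday.</p>
<img src="http://tracker.example.net/o.gif?id=42" width="1" height="1">
<script>document.title = "x"</script></body></html>
--alt--

--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--sig--
"""


class _TextOnly(HTMLParser):
    """Collect character data; drop tags and the bodies of script/style."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("p", "br", "div", "li", "tr"):
            self.chunks.append(" ")  # keep block elements from running together

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html):
    """Fallback for HTML-only mail: visible text with whitespace collapsed."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def to_plain_text(msg):
    """Return (plain-text-only message, report of what was removed)."""
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    plain = [p for p in leaves
             if p.get_content_type() == "text/plain" and not p.is_attachment()]
    if plain:
        text = "\n".join(p.get_content().strip() for p in plain)
    else:  # no text/plain alternative was sent, so convert the HTML instead
        text = "\n".join(html_to_text(p.get_content()) for p in leaves
                         if p.get_content_type() == "text/html")
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name]:
            out[name] = str(msg[name])
    out.set_content(text + "\n")
    report = {
        "removed_parts": [p.get_content_type() for p in leaves if p not in plain],
        # A multipart/signed signature covers the first body part including
        # its MIME headers, so rewriting that part makes it unverifiable.
        "signature_invalidated": any(
            p.get_content_type() == "multipart/signed" for p in msg.walk()),
    }
    return out, report


if __name__ == "__main__":
    stripped, info = to_plain_text(parse(SAMPLE))
    print(stripped.as_string())
    print(info)
```
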

Re:Stupid (1)

dkf (304284) | more than 7 years ago | (#17356180)

basic things like calendaring, public folders, centralized rules administration
I know what calendaring does (and note that there are free alternatives to Outlook under development [mozilla.org]) but what are "public folders" and "centralized rules administration"? Are public folders like an NNTP server, possibly with server-local or domain-local groups, which Thunderbird handles excellently? (Googling for "centralized rules administration" doesn't seem to lead to much enlightenment; too many other probably-unrelated schemes for centralizing the administration of rules in specific domains...) Without knowing exactly what features (at the technical level) are missing, it's hard to argue against what you say.

The fact of the matter is that you can't even access an exchange server with T-Bird.
That's one I know about, and it's because of the nasty mess that is Exchange, and especially its protocols for talking to Outlook. I could say more on what I think about this particular area, but it's the season of Goodwill To Men, so I think I prefer to stay mellow...

Re:Stupid (0)

Anonymous Coward | more than 7 years ago | (#17356452)

Do you honestly think the DoD is going to move from a platform which supports every feature they currently utilize (I know, I am in the US Army)...

Ooohhh, dude !! You're in the army, so you have all the answers. How cool to be you.

...to one which doesn't have support for basic things like calendaring, public folders, centralized rules administration, and various other features that simply aren't available in this "better solution"? Thunderbird is not ready for the enterprise, nor will it be anytime soon without support for exchange/domino connectivity.

It's really easy -- just disable the email function in Outlook, continue to use all the other uber-cool stuff, then substitute a competent email client.

The fact of the matter is that you can't even access an exchange server with T-Bird.

Too bad -- the problem is with exchange, not with any other clients. If I install electrical outlets in my business which have non-standard spacing for the prongs on standard plugs, I have no business bitching out the vendors of all the electrical equipment I need to run my business.

If you're in the army, you'll appreciate the old joke about the woman watching her son's boot camp graduation. She turns to the family next to her and says, "Look at my son down there -- you can tell which one he is -- he's the only one on the parade field who's in step."

Re:Stupid (1)

Metshrine (674200) | more than 7 years ago | (#17356592)

First, I didn't claim to have all the answers nor will I ever, however I do know that the army uses outlook to its potential and I know for a fact that thunderbird would not suit the needs of the army. Just because most of these tbird users don't like outlook and hate anything microsoft on principle of it being anti-OSS, doesn't mean that they are right in any aspect. Your comment about disabling email in outlook shows your total lack of knowledge about how a business is run. No business in their right mind would spend money on something, then disable its primary function to use a third party product which is best suited for a niche of users at best. I use thunderbird, however, I don't try to pretend it's something it's not (as is the case with most of the firefox/tbird fanatics). You claim that it's microsoft's problem that t-bird doesn't interface with exchange. Can you explain then, why several other email clients CAN interface with it? Can you explain why the APIs exist to allow other clients to interface with it and have been in use for several years?

Re:Stupid (1)

drmerope (771119) | more than 7 years ago | (#17356040)

No. It's the KISS principle. Code complexity itself endangers security.

Rendering engines aren't rewritten frequently. Typically the code you have available for reuse supports many features you don't want: embedding, javascript, images (don't forget the GDI exploit). It is true that you can provide knobs to disable these dangerous features in the rendering engine. *BUT* have you ever been involved in real software verification efforts? Too many knobs means too little coverage.

Writing good tests is hard.

I have to assume that the DoD performed some sort of balancing test: do the benefits of html exceed the risks?

People in general should ask themselves: do the benefits of pretty emails make up for the risk of having my computer rooted or leading to disclosure of personal information.

It is true, we could have both if enough people were willing to _pay_ lots of money for their rendering engine. It doesn't seem that is the case.

Re:Stupid (1)

flyingfsck (986395) | more than 7 years ago | (#17356152)

Standardizing the DOD mail program is not the issue. Their problem is with *incoming* email. They have no control over what mail client Hotlipz in Tombstone Arizona is using to send a cutesy Christmas card executable to her boyfriend in Iraq...

Re:Stupid (0)

Anonymous Coward | more than 7 years ago | (#17356528)

Standardizing the DOD mail program is not the issue. Their problem is with *incoming* email. They have no control over what mail client Hotlipz in Tombstone Arizona is using to send a cutesy Christmas card executable to her boyfriend in Iraq...

Yeah -- it's better by far that she be able to send cutesy pictures than that her BF is on a system that's been made more secure from exploits. WTF is he doing opening anything with executable code anyway?

It would be trivial for DoD to reject all non-compliant email with a message pointing the sender to a page explaining that they do not accept html mail and describing how to shut off the bullshit function in the more widely used clients.

As for the outfits that provide the cards, they can damned well include a prominent "text only" button or sink into the mud as more organizations start refusing html mail.

Re:Stupid (0)

Anonymous Coward | more than 7 years ago | (#17356162)

I'm contracted to a number of DOD agencies IT departments and am fairly familiar with the JTF-GNO compliance requirements. You're under a misconception that the JTF-GNO is responsible for maintaining the various systems in DOD. They are not. They are responsible for maintaining the secure standards of those systems. This means creating requirements and not creating solutions to those requirements.
For instance you're required to have two factor authentication for a compliant JTF-GNO system. Whether you use a secure ID token, a biometric signature or a cat card it doesn't really matter so long as you fulfill the requirement. What makes it difficult is when there are undefined requirements such as "prevent all unsafe html code." This naturally has one ask "What's unsafe" and we become stuck in red tape trying to define it for every single location out there. As a tax payer and a technician I far prefer a well defined requirement that covers all the bases and doesn't curtail functionality. Preventing HTML in emails is a good one. It's well defined, easy to implement and doesn't sacrifice any functionality email is used for. If an agency wishes to use thunderbird for some reason it's up to them (so long as it meets all the requirements).
The long and short of it is that trying to impose technical solutions for tens of thousands of shops around the globe is a bad way of going about business.

blocking is stupid (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17355706)


However, stripping HTML would be a better option, as emails are usually sent as text/plain and text/html combined.
Blocking is just too drastic; perhaps IM would be a better option.

Let them outsource! (1)

bogaboga (793279) | more than 7 years ago | (#17355708)

If the DoD cannot find a solution to this kind of email, they should outsource its management to countries like India and Russia. Isn't it true that a good amount of our defense contracts are outsourced?

Re:Let them outsource! (1)

ScentCone (795499) | more than 7 years ago | (#17355846)

If the DoD cannot find a solution to this kind of email, they should outsource its management to countries like India and Russia. Isn't it true that a good amount of our defense contracts are outsourced?

Um, they just did enact a solution.

And, no. You don't really have Indian outsourcing operations involved in the day-to-day admin of communications to and from the Pentagon. No.

Re:Let them outsource! (0)

Anonymous Coward | more than 7 years ago | (#17356382)

Of all the things not outsourced, our defense contracts are #1 on that list.

Don't you recall the issues with the harbor security company that was taken over by the UAE-based business, which was eventually blocked? That wasn't strictly outsourcing, as it was a full price job, but the idea is that we mainly only trust in-country people, or close allies to get the job done when it comes to these defense contracts.

Re:Let them outsource! (1)

will_die (586523) | more than 7 years ago | (#17356544)

The UAE company was NOT taking over any part of security; they were taking over the cranes, etc. The security was always being run by a local company and the US federal and state officials.

Also, compared to what was happening, they were not outsourcing it, since it was already outsourced; it was run by a company based in another country. That was the only funny thing about the whole thing: the Democrats were there yelling about how some evil foreign country would run the operation when a foreign country was already doing it.

That's pretty obvious! (3, Funny)

erroneus (253617) | more than 7 years ago | (#17355718)

That's as obvious as the department of homeland security closing the borders!

I applaud the effort, but why did they take so long to wise up even this much?

Next step (1, Funny)

Anonymous Coward | more than 7 years ago | (#17355754)

Lynx.

Get rid of IE.

Still ways to get email from outside the network (4, Interesting)

Sepodati (746220) | more than 7 years ago | (#17355758)

Although vanilla access to OWA is being blocked, there are still ways to get to your email from outside of the network (mainly what OWA was used for, anyhow). You can VPN into the network, log on to OWA using your CAC (common access card, smart card, etc), use your Blackberry (assuming your rank is high enough to get one ;)).

So instead of just plain old OWA sitting out there waiting for anyone to type in a username and password, they've upped the security a little bit. Yes, it's making us jump through hoops a little (for myself, need to stand up an ASA5510 as a VPN concentrator to receive outside connections), but it's not impossible.

Besides... not being able to check your work email from home can only be a good thing, no?? I know, I know, it's for people on travel, leave, etc. too...

As for the "blocking" of HTML email, can't say that I've seen that at all. Maybe it's only for emails that originate from outside of the network since we use HTML email all the time from within Outlook (formatting is useful in this case).

---John Holmes...

Re:Still ways to get email from outside the networ (0)

Anonymous Coward | more than 7 years ago | (#17356178)

Well if you are DOD and you are not blocking/converting html emails then you are in violation of standing DOD directives. And no you are not allowed to simply stand up a VPN without going through the proper approvals either. So what command are you in, so we can shut down your NIPRNET connections. After all you appear to be part of the problem that they are trying to correct (i.e. incompetent system admins who put priority on ease of use instead of security).

Re:Still ways to get email from outside the networ (0)

Anonymous Coward | more than 7 years ago | (#17356420)

Yes, I have to go through the proper approvals for VPN. It's still a valid option for getting back into the network from outside for the right people with the right approvals. That's all I was saying. Or OWA with CAC or Blackberries.

Unless my DOIM is lying to me... they wouldn't do that, would they? ;)

---John Holmes...

Re:Still ways to get email from outside the networ (1)

phobos512 (766371) | more than 7 years ago | (#17356196)

I still receive all the HTML email I did previously - it's just converted to text formatting. A great deal of it is virtually illegible as some of the places I would receive email from had elaborate background files to their emails - now I just get a jumble of URLs at the start of those emails and have to search for the actual content.

The other problem is that (at least at my agency) we are still forced to create emails in Outlook RTF even though official policy was to switch Outlook to creating text-formatted emails (the option is locked thanks to our user settings). So our emails never get to where they are going looking the way they did when we sent them as they lose all formatting.

Moronic Policy (1, Funny)

mwilliamson (672411) | more than 7 years ago | (#17355772)

As long as stupid users dictate policy (and it always seems to be the most idiotic, uninformed, timetable pounding and ego-blinded of all users usually are in the upper echelons of an organization), security problems due to software choice will prevail. This is how microsnot products usually get pushed into an organization. Score one for the DoD getting rid of freaking html-mail and outhouse web access. One can only hope they s**tcan ms-exchange while they're at it.

Re:Moronic Policy (1)

Sod A Dog (1043342) | more than 7 years ago | (#17356068)

This move is good, but it's still just a drop in the bucket, and they'll never drop ms-exchange while they're on their current contracts. The DoD likes to sign contracts that it can't get out of, even when the service provider is doing a terrible job managing and/or maintaining the network.

NMCI, the Navy - Marine Corps network, is one of the worst intranets I've ever seen. Poor support, poor reliability, slow clients, crash-prone servers, poorly implemented and mandatory smart-card login, not nearly enough bandwidth to go around, etc., etc., etc. When the senior enlisted man in the Corps can't log in for a week because his account got borked, there's a problem. There are platoons that have hired independent contractors to come in and build small networks that actually work, and they only use the government computers when it's absolutely necessary. Every single user of NMCI hates it and wants it dropped like a bad habit.

But they won't replace it because they locked themselves into a ten year-long contract and the brass says that it would cost billions to fix the damned thing. That's a poor excuse - the DoD wastes billions of dollars every month. Seriously, if you work for the DoD, don't expect anything related to your computer to work properly.

"This is a bad idea? It's not going to work? It's going to cost way too much? It's going to piss off everybody who has no choice but to use it? Perfect."

Back to EMail as communication not art. (1, Offtopic)

aauu (46157) | more than 7 years ago | (#17355776)

Way too much email formatting is pointless and does not enhance communication. Links work fine in plain text and images/complexly formatted data can be attached. This is a giant leap forward. Does anyone have MUTT client for windows?

Re:Back to EMail as communication not art. (1)

maelstrom (638) | more than 7 years ago | (#17355820)

Putty [greenend.org.uk]

Re:Back to EMail as communication not art. (1)

aauu (46157) | more than 7 years ago | (#17355876)

Putty only works if the email server is *nix. I want a MUTT client for Exchange. Besides putty sucks compared to the real ssh client.

Re:Back to EMail as communication not art. (1)

rlwhite (219604) | more than 7 years ago | (#17356560)

Links in email? It's against DOD security policy to click links in email. Copy and paste it.

Yeah, they're not losing anything by banning HTML email.

Good! (4, Informative)

porkThreeWays (895269) | more than 7 years ago | (#17355806)

Good! HTML email is very annoying. Most of the time it doesn't display as intended anyway. Many clients will only support a safer reduced set of html thus only parts of the page will display properly. This makes the page even harder to decipher. HTML email is really only useful for spammers and advertisers usually anyway. If something needs to be that heavily formatted, attach it as a word processor document. If you can't get a basic idea across in plain-text, then the problem probably isn't because you are missing your bold tag.

Temporary? (4, Interesting)

Bluesman (104513) | more than 7 years ago | (#17355812)

This appears to be a temporary measure based on the current threat level.

If the Infocon levels work anything like the other readiness levels in the DoD, then a shift to Infocon 4 requires a change (temporary) in policy. So it seems that a shift back to level 5 would mean HTML e-mail is no longer blocked.

It's like after 9-11, when all DoD installations had much stricter physical access rules and extra guards at the gates.

Which is a shame, because saying goodbye to html email entirely would be fine by me.

Blocking? Looked to me they were just converting. (2, Informative)

MysticOne (142751) | more than 7 years ago | (#17355824)

I work as a contractor to the Navy, and we received e-mails a few weeks back saying that HTML e-mail would no longer be allowed. However, they weren't blocking it, merely converting anything that was HTML to plain-text or RTF. I've not tested by sending an HTML e-mail to my .mil address (gonna try that in a few minutes), but I don't think they're actually blocking it.

Re:Blocking? Looked to me they were just convertin (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17355898)

Yes that is all they are doing. In fact, if the formatting comes across screwed up, there is an option to restore html view. Not sure just what rules are applied and how the emails are being affected. I do know I sent a table copied from another M$ product and sent it to my supervisor, which he replied back to me. The table was completely screwed up in plaintext mode. However, I did have the option of viewing the 'original format' or something close to it that put the table back the way it was.

The grinch that stole HTML (0)

Anonymous Coward | more than 7 years ago | (#17355852)

  • B,b,b,b,but I likes it and I likes sending my newsletter in red comic-sans


After arguing this with people whose knowledge of email extends to clicking the correct buttons in their GUI client, I've given up. The more convincing arguments were always the ones about those who have trouble using email. They weren't a convincing argument for HTML email, they were just a convincing argument that some folks shouldn't be using computers.

I've been doing this for work for ages (1)

Kris_J (10111) | more than 7 years ago | (#17355938)

I determined a couple of years ago that in order for the small IT department of one (me), to be able to keep up with potential Outlook security problems, I had to filter HTML down to Plain Text. When you've got a program that can be used to infect a computer just by previewing a message, you have to do _something_. Now that we've installed Exchange (bleh), internal messages are no longer filtered, but thankfully the old filters for stuff going in (and out) of the company remain in use.

There's no excuse for it (2, Insightful)

thewils (463314) | more than 7 years ago | (#17355994)

If you know how to use HTML, you should know how to be able to write an email without using any HTML.

If you don't know how to use HTML, you shouldn't use it, period.

I know this is redundant, but... (1)

Runefox (905204) | more than 7 years ago | (#17356020)

HTML wouldn't be such an exploitable thing with e-mail if Microsoft's mail software weren't so full of holes. If Outlook/Exchange is really that important to some organizations, why not offer support for [b]internal[/b] mail to be sent in Microsoft Word format?

Re:I know this is redundant, but... (1)

Dachannien (617929) | more than 7 years ago | (#17356304)

why not offer support for [b]internal[/b] mail

Given the topic of the OP, there's definitely some sort of irony here.

And the problem with this is? (2, Interesting)

imasu (1008081) | more than 7 years ago | (#17356096)


I block html email myself simply because it is annoying and 90+% is spam anyway. Why is this a problem?

What no stationery on my e-mails (0)

Anonymous Coward | more than 7 years ago | (#17356118)

and what about those cute little Microsoft Office pictures? How will I ever be able to get my point across using just words?

Not Banning OWA (0)

Anonymous Coward | more than 7 years ago | (#17356156)

Just not without CAC. If you have CAC, you can use it.

data + code = screwed (1)

Duncan3 (10537) | more than 7 years ago | (#17356184)

Yay! How profound that what we've always known finally made it into the heads of the military. If you mix code into your data, you're screwed eventually. No way around it.

That said, it's the JavaScript, not the HTML - formatting is data not code.

Now if only they would figure out the same about Word/Excel.

why doesn't Microsoft indemnify such flaws (1)

Locutus (9039) | more than 7 years ago | (#17356210)

well, you already know the answer. Too bad nobody at the DoD is willing to step up and ask why their *nix systems are not having these problems.

LoB

Slashdot strikes again......sigh. (4, Informative)

LibertineR (591918) | more than 7 years ago | (#17356212)

Folks, the DOD is NOT blocking HTML mail, just converting it to plain text and disabling scripts, something ANY Exchange admin should already be doing in addition to Sender ID.

Instead of facts, we get just another bash Microsoft thread. Figures.
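What "converting" rather than blocking can look like at a mail gateway, as an added example that is not from the thread or from any DoD system: it keeps the text/plain alternative when the sender supplied one and otherwise reduces the HTML to its visible text, dropping scripts, styles, attributes and remote URLs. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Keeps visible text; drops script/style bodies and every attribute."""
    SKIP = {"script", "style"}
    BREAK = {"p", "br", "div", "li", "tr", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.skipping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skipping += 1
        elif tag in self.BREAK:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skipping:
            self.skipping -= 1

    def handle_data(self, data):
        if not self.skipping:
            self.parts.append(data)

def html_to_text(html):
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    lines = (" ".join(line.split()) for line in "".join(parser.parts).splitlines())
    return "\n".join(line for line in lines if line)

def flatten_to_plain(raw):
    """Return a text/plain-only copy of the RFC 5322 message in `raw` (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:                      # sender supplied a text alternative
        text = plain.get_content()
    else:                                      # HTML-only: reduce to visible text
        html = msg.get_body(preferencelist=("html",))
        text = html_to_text(html.get_content()) if html is not None else ""
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name]:
            out[name] = msg[name]
    out.set_content(text)
    return out

# Constructed sample: HTML-only message with a script and a remote image.
HTML_ONLY = (b"From: a@example.org\r\nSubject: status\r\nMIME-Version: 1.0\r\n"
             b"Content-Type: text/html; charset=utf-8\r\n\r\n"
             b"<html><body><script>alert(1)</script><p>Report <b>attached</b>.</p>"
             b"<img src='http://tracker.example/x.gif'></body></html>\r\n")

if __name__ == "__main__":
    print(flatten_to_plain(HTML_ONLY).get_content())
```

Attachments are not carried over by `flatten_to_plain`; a gateway would decide separately which attachment types to forward.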

Re:Slashdot strikes again......sigh. (0)

Anonymous Coward | more than 7 years ago | (#17356280)

> in addition to Sender ID.

WTF are you checking against? My SPF records were published long before Microsoft announced their intent to misinterpret them using technically unsound PRA nonsense. So please don't check Sender ID - check SPF. [openspf.org]

Re:Slashdot strikes again......sigh. (1)

Tempest429 (1024249) | more than 7 years ago | (#17356352)

Instead of facts, we get just another bash Microsoft thread. Figures.

Welcome to Slashdot

NMCI goes even further (4, Interesting)

truckaxle (883149) | more than 7 years ago | (#17356246)

Any here that are forced to use the NMCI (Navy/Marine Corps Intranet) network know that reading any email at all can be a challenge.

A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.

Most, including middle management, refer to NMCI as No More Computing In-house.

In order to get an idea just how bad things are, upper management conducted "customer satisfaction surveys". Even though the NMCI program office controlled the content, distribution, and analysis of the survey the results indicated overwhelming dissatisfaction. The NMCI program office has declined to release the raw data from the survey, instead issuing a release about the results. Rear Admiral J. B. Godwin III said releasing the results would challenge the "integrity of our data." Hmmm....

Most Navy labs that are under the burden of the NMCI contract maintain two networks, the legacy and the NMCI - the one to get work done on and the other to read email. This leads to double the costs and double the vulnerability exposure, and halves the resources to concentrate on security and usability.

Worst I hear that the Navy just extended the contract to 2010. Your tax dollars at work.

Remember SoBig or was it Slammer? (1)

WheelDweller (108946) | more than 7 years ago | (#17356278)

This little beastie got into an offline nuclear reactor and blanked their control of it for four hours. The same bug shut down monitoring on a CSX rail line, causing just as much concern.

How many years ago was all this? Sounds like the paperwork just got filed.

Good move.

Haha! I Love It! (0)

Anonymous Coward | more than 7 years ago | (#17356288)

Haha! I love it! Only about ten years before everyone else banned it and a mere fifty years before all the morons of this world (including David 'don't tell me I can't send HTML mail' Pogue) decide they're not going to give it up anyway.

And just a reminder that AutoDesk John Walker YEARS ago called HTML mail 'the hallmark of the clueless'.

Hooray.

Enemies! (1)

DoofusOfDeath (636671) | more than 7 years ago | (#17356552)

It sounds like DoD IT people hate users' freedom! Sounds like we've found an Al Qaeda sleeper cell right in the DoD!!!

Damn - there goes my (to be patented) security (1)

Tribbles (218927) | more than 7 years ago | (#17356598)

I encode all my emails using WingDings font, so absolutely no-one can read them :) I can't do that in plain text!