Department of Defense Now Blocking HTML Email

oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin . A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."

Good call

[MostAwesomeDude]

Reduced bandwidth, less entry vectors, less spam entering mailboxes. I guess the only losers are the people who send those annoying Flash giftcards through email.

Re:

[Anonymous Coward]

I for one certainly don't miss the annoying pink backgrounds and purple text. But, you forget that a lot of internet based applications send out emails. So you should really include the developers in the losers category here.

I don't know how many email templates I've gone though in the past week converting them to be plain text (where necessary). This mainly applies to processes that include sending tabular data to a person.

Re:

[tehwebguy]

"So you should really include the developers in the losers category here."

which raises the question: why don't they just strip html out instead? it will probably require more work to make sure nothing gets through, but i think that it might be worth it.

Re:

[1u3hr]

which raises the question: why don't they just strip html out instead?

They do. "A Navy user said that any HTML messages sent to his account are automatically converted to plain text." But if you've used tables or such the layout will probably be trashed, so better to reformat as plain text to begin with.

Using something like Lynx to filter HTML into plain text would give pretty good results, it does tables fairly well.

Re:

[1u3hr]

you like your Italics, no?

Bad typing. There's actually a <?i> instead of </i> at the end of the first line. Preview is pretty slow, I usually just wing it.

Re:

[shadowmas]

This is very true. I my self personally prefer plain text mail except when using outlook at the office where i use the default html or richtext.

however when developing i do sometimes use html because it makes reading tabular data and such much easier to read at a glance. true you could use plain text for these but with lots of information it makes it difficult to quickly extract the information you need.

Re:

[Marcion]

End of HTML email? That would be my Christmas present sorted!

P.S Merry Christmas to all you Slashdotters, Linux users, MS fan boys and Trolls.

Too late...

[myowntrueself]

the only losers are the people who send those annoying Flash giftcards through email

Don't worry, they were already losers!

Re:Your Sig

[Millenniumman]

In the free world the media isn't government run; the government is media run. If that's truly your opinion, it's quite fearful. The media should report the news, not control the citizens or the government, regardless of whether it has third party influence.

Re:

[xdc]

Yes, this was absolutely the right choice. I just wonder what took them so long!

I also wonder when other organizations will follow suit.

not entirely

[misanthrope101]

My workplace recently did something similiar. I was never crazy about flashy colors and zillion font options. But I do miss the ability to send tables as part of the email. My job frequently involves info that is best represented in a table, and the ability to copy/paste a table into an email was very helpful. Even allowing for the limitations of plain text,

Outlook did me the favor the other day of removing the "extra" line breaks, screwing up the already limited formatting I was stuck with. People

Re:

[mrmeval]

Anyone who lets emails in with links and attachments intact deserves what they get. It's trivially easy to strip that crap out.

Re:Good call

[cluckshot]

If you are DOD and you want to get Commercial Off the Shelf (COTS) products to resolve your problems without hiring the massively expensive solutions of 1 off stuff built to design, you must be able to accept attachments such as .zip and html mail. Sorry but the commercial guys cannot even tell you what they are doing anymore without this stuff. DOD costs just got higher!

I worked one DOD site where we had to email files of code. The volume of the attachments was beyond the Email limits so we had to zip the files. The filters blocked .zip. So we renamed the files .aaa or something like that. Then the filters didn't catch the files. That way we could get the emails. We had to break our own security just to do our job. This stuff is a real problem.

The US DOD needs to can Microsoft. If they were to run Linux or Apple systems and then to sandbox all emails and web browser stuff under the OS a lot could be done and things would be much more secure. The basic problem is a Microsoft logical design construct. Microsoft thought that they should own your computer and you should rent it from them. Under these conditions they wanted "their" computers to be remotely controlled by various means. The means they designed into their constructs also leave sucking security holes which hackers and other malware designers just walk right through.

There is a real reason most DOD people stick like glue to Microsoft. For Network security people in the DOD they are as worried that some subordinate might actually control his machine as they are of having foreign control. (Foreign to their system) As such they must keep central control. This is the Microsoft construct at a second level. The DOD system I worked on had an entire base having one root password that didn't change folks because of this demand. Linux etc doesn't conform to this as naturally as MS systems. Another level of this sticking like glue to MS systems comes from the fact that most of the people who program (contractors etc) for the Government like to keep their jobs. MS systems do not support legacy software well. As such they are continually "re-inventing the wheel" so to speak and it makes for lots of jobs that last a lifetime. It holds the DOD hostage to continually hiring the same contractor because his software is proprietary and cannot be easily "reverse engineered" without risk of software copyright violations. In the end this synergy of profits and control leaves the US DOD bleeding money, never able to do its job as effectively and wedded to MS systems.

If the taxpayers get involved they will ban such OS like Microsoft because this is completely contrary to the interest of the taxpayers. It however; requires the US DOD to recognize that its only true security lies in the loyalty of its people. In doing so it will have to retract from foreign (non-USA) suppliers and contractors. It will have to seriously look into who it is hiring and it will have to weed out those it has on payroll who are being more selfish than loyal. Let me assure you that if this situation is dealt with properly it will be a top to bottom 10 on the Richter Scale earthquake in US Government operations. Imagine if you will actually not being able to have the management read every document in someones computer without them knowing. Imagine having someone who works for you who you actually have to be able to trust! Imagine real government security! (WOW!)

As They Should

[deKernel]

This I guess will just show my age, but I am soooo OK with this. Email should be just text, period. I personally believe that people should spend more time using complete sentences which includes punctuation and correct capitalization.

I guess I should get back to chiseling my notes on stone slabs now.....

Re:As They Should

[theMerovingian]

Email should be just text, period.

In my day email was dashes and dots, and we liked it that way.

Re:

[__aaclcg7560]

Especially since each one cost eight bits to send. ;)

Re:As They Should

[MobileTatsu-NJG]

"Email should be just text, period."

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground estbalished at some point. You know... pretty text, no exploits. Well, I can dream. In the mean time, gotta give kudos to GMail. One of my favorite features is that it disables images until you turn them on. That's a feature Outlook 2000 could have used.

Re:

[whoever57]

When I first started using email, it was only within the company's WAN. Most people had exactly the same model of printer, so I figured out how to embed printer control characters into emails to make parts appear bold or in italics when printed (most employees printed out their email to read it at that time)

Re:As They Should

[Anonymous Coward]

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground estbalished at some point. You know... pretty text, no exploits. Well, I can dream.

I think that you have /really/ hit the nail on the proverbial head there. To make plain text emails usable we need a STRONG and well defined _SYNTAX_ for visually communicating "text style". Until then, this email thing will _never_ catch on.

Re:

[xTantrum]

you know i use to read /. for the interesting perspectives of the fellow geeks on here, but i've given up. I now read it for the comedians. wish i had my mod points.

Re:

[value_added]

I think that you have /really/ hit the nail on the proverbial head there. To make plain text emails usable we need a STRONG and well defined _SYNTAX_ for visually communicating "text style". Until then, this email thing will _never_ catch on.

LOL. If the OP wants bold and underlining in his emails, I'd suggest he starts with reading

T^HTh^Hhe^He M^HMu^Hut^Htt^Ht E^HE-^H-M^HMa^Hai^Hil^Hl^HCl^Hli^Hie^Hen^Hnt^Ht

Personally, I'd find that annoying, like every other attempt to be interesting, or creative or otherw

tables are HARDER, no?

[misanthrope101]

I concede your point, mostly. But my bosses want tables. I need the ability to copy/paste tables and queries from Access into an email, and limiting my emails to plain-text means I have to copy/paste the text, then manually format the table into pretty columns. And the first time a boss forwards my email to someone else, the formatting is screwed up again. I don't need the full spectrum of HTML capability, but tables are useful. Give me the tabular environment from Latex, or something. People will jus

Re:

[dkf]

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground estbalished at some point.

You should be aware that there has been such a format [wikipedia.org] for quite a while, using the MIME type of text/enriched. I used to receive quite a few emails that used it (no, I don't remember what the originating client was and I'm not interested in looking it up right now) but it never seemed to catch on more widely. (At a wild guess, that's because Outlook didn'

Microsoft RTF (was text/enriched)

[MillionthMonkey]

I remember getting an RTF-formatted email from my ISP back in 1995, when you would actually see RTF in the wild.

I chose RTF as the format for my reply. I thought that was reasonable. (I forget what mail client I was using- maybe Eudora.)

They wrote me back, again in RTF.
"WTF is this? We can't open it."

No, not WTF.
Microsoft RTF.

Re:

[Arker]

There was such a thing, but MS decided it wasn't exploitable enough and declined to use it. Look up text/enriched.

Re:

[SCHecklerX]

Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground estbalished at some point. You know... pretty text, no exploits.

There is. Enriched text:

http://www.ietf.org/rfc/rfc1896.txt [ietf.org]

Which is really just a subset of HTML for the most part.

Re:

[1u3hr]

. I'm a little surprised there hasn't been a middle ground estbalished at some point. You know... pretty text, no exploits.

There is (was) a "rich text" for email, looked like a subset of HTML. It was used by early versions of Eudora and other mail clients. I think we can blame Netscape for putting HTML into email, and this was cemented when Outlook came along and started doing it by default. All the other mail clients had to follow though they knew it was a Bad Idea.

My middle ground - both

[NotQuiteReal]

As an old boss once used to say, when presented with options - "Do Both!"

I read all my e-mail as "plain text". After all, HTML is plain-text too.

95% of the time that is all you need. Yeah, I can see they marked it italics or bold, but they are the same words.

If, after looking at the "raw" text, and I really think the formatting will convey some additional info, I might look at it as "html". Looking at the raw text gives you a pretty good idea if there is anything sinister about it.

In my experience,

Re:

[pchan-]

But I just finished writing this inspirational xmas email in 32-point Comic Sans font with animated gifs of kittens and reindeer and attached 30-meg screensaver that I was going to sent to Everyone@dod.gov

Be... all that you can be... in ASCII

[MillionthMonkey]

All I can say is, the war in Iraq must be going really badly if the DoD is this desperate for additional recruits.

Re:

[mordors9]

You young whippersnappers and your crazy ideas. Whatever happened to a good postcard.

Re:

[a.d.trick]

I don't know how old you are, but I'm still a college student and I share your feelings as well. What annoys me the worst is that retarted mail client called Outlook that has a love afair with <FONT SIZE=8 COLOR=BLUE> [1]. Text is wonderful because it allows me to specify the color, font family, and size of the email so I can read the blasted thing.

Plain text isn't perfect either. Things like text formating is often done in awkward ways that can get screwed up fairly easily. (The 80 column line wrapp

Re:

[Megane]

I don't know how old you are, but I'm still a college student and I share your feelings as well. What annoys me the worst is that retarted mail client called Outlook that has a love afair with .

ARGH! I know exactly what you mean. I used to work at a mostly MS-dominated company, full of people using Outhouse and MSexchange, and most e-mails would have those defaults, which would appear at an annoyingly small size under the OS X mail program. I always had to just give up and hit the command keys to show them as plain text. Having a mail program specify the font size BY DEFAULT in HTML mail is completely and thoroughly brain damaged, doubly so when the default is so small.

And there's a small a

Re:

[t14m4t]

Actually, Righ Text format is still authorized. I can still send e-mail with bold, italics, colors, etc. I just can't use any embedded HTML.

For those who are interested, this is one of the (many) moves the DOD has taken over that past year or two in response to the continuing series of "F" grades DOD networks have received regarding their security. I'm the CIO at my command; I've had the "joy" of implemeting these changes - I took over the job right around the time the changes started.

Better yet, just pitch all the email......

[banerjek]

At least then people will know why their email never got through. So many people use HTML email without being aware of it and don't realize that's what makes formatting possible.

Although the focus is on Outlook, it seems like there's an outside chance there may be other clients and web interfaces (namely all of them) that are vulnerable to most of the same problems....

Re:Better yet, just pitch all the email......

[Sepodati]

It still makes it through, it's just converted to plain text according to the article.

---John Holmes...

Doesn't that break digital signing?

[khasim]

If the content of the message is changed, isn't the digital signature invalidated?

Or is the DoD just skipping the concept of digitally signing email?

Re:

[WED Fan]

If the content of the message is changed, isn't the digital signature invalidated? Or is the DoD just skipping the concept of digitally signing email?

The content doesn't change, just the rendering.

The HTML determines the rendering.

[khasim]

If the HTML is stripped from the body of the message, that means that the content of the message has changed from the context of the digital signature.

Therefore, the digital signature will no longer reflect the "data" portion of the message and will be invalid.

Re:

[Beryllium Sphere(tm)]

Yep. S/MIME signs the whole package including the MIME headers. " Demime is designed to break signatures" [squawk.com]. Not sure, but it looks like PGP/MIME has the same problem.

You could still sign plain text and send that. Or send an attachment with a detached or builtin signature. Microsoft Word documents could have a signature and timestamp through the USPS Electronic Postmark system.

Re:Doesn't that break digital signing?

[emurphy42]

How many people do you really think there are who (1) write HTML messages and (2) even know what digital signing is, much less use it?

Re:

[jark]

The email is not *converted* to plain text at all. There is absolutely no true format converting taking place at all.

By way of a Windows GPO the ability to compose email in HTML format is completely disabled. The default format for Outlook has been set to "Rich Text" so that people are still able to use a small subset of formatting. Users are capable of composing in plain text, but most will stick with the default.

Additionally, the Outlook preview pane is set to "convert" all inbound email to plain text. Ho

Stupid

[Nicopa]

That's stupid. The problem is not with HTML mail (which is generated by many people unknowingly). They could just standarize in a safe mail program, with some mandatory defaults. They could force the use of a modified version of Thunderbird forcing the (already existing) oprion of "Disable JavaScript" off. Another interesting Thunderbird feature is the ability to "sanitize HTML", that is, remove from the HTML view anything that isn't strictly formatting (paragraphs, bullet lists, etc.).

Re:Stupid

[Beryllium Sphere(tm)]

But even without Javascript there are still web bugs, image file parsing exploits, and remember what engine is probably parsing the HTML on a Windows client. A "safe" email client is one that disables most of the features of HTML, and unless it's guaranteed to catch everything dangerous then it's safer to prevent HTML in the first place.

Up-to-date patches would mitigate those, but do you think somebody might be saving some zero-days for the DoD?

Re:

[It'sYerMam]

Use XML/Subset of XHTML (a la jabber messages) - the parser throws an error or ignores anything that isn't in its list of commands.

software stupidity

[oohshiny]

It shouldn't be rocket science to display a piece of formatted text while disallowing network connections or scripts.

The fact that none of the major E-mail clients can be trusted to do this is a testament to the sad state of software engineering.

Re:

[1u3hr]

The fact that none of the major E-mail clients can be trusted to do this is a testament to the sad state of software engineering.

I think it's more that to get the same look as intended by the sender using an MS client, you have to use the IE renderer built in to Windows. Otherwise people complained it looked wrong. And this was no doubt a lot easier than writing your own renderer and keeping it up to date.

Personally I stick with an ancient version of Eudora, which does have its own renderer. Sometimes i

Re:

[Stumbles]

No, it's not stupid.... doing nothing is stupid. The simple fact remains. No matter what client your using, be it proprietary or some open source variety all the nastiest that can be placed in HTML is simply a hassle to block. Sure you can run things like spamassassin, razor and any number of things but those are just extra things that have to be maintained, updated, etc. The simplest is to dump HTML altogether. I have never been a fan of HTML email because it's a colossal waste of bandwith.

Re:

[Belial6]

I have never been a fan of HTML email either, but I think the 'waste of bandwidth' argument is long dead. Even a dial up modem has plenty of bandwidth to handle HTML email.

Re:

[headkase]

What's stupid is that they were not aware of the obviously better solution you know of. That's where targeted information needs to be supplied. Google is everyone's friend but sometimes it's still not easy enough to find the answers to your specific situation. The challenge being connecting the right answers with unknown information in the search queries. Google's next biggest challenge is finding what you didn't know you needed!

Re:

[@madeus]

I quite agree. I am typically not in favour of reducing functionality for increased security when there are viable alternatives, but disabling HTML email seems like a smart move in this case. It's simple and unlikely to be really inconvenient and it's had numerous problems for ages, I'm more a bit surprised they are only doing this now (personally I would have started with it off in an environment like the DoD).

While its true that many users unwittingly generate HTML email, pretty much all clients that do g

Re:

[dkf]

basic things like calendaring, public folders, centralized rules administration

I know what calendaring does (and note that there are free alternatives to Outlook under development [mozilla.org]) but what are "public folders" and "centralized rules administration"? Are public folders like an NNTP server, possibly with server-local or domain-local groups, which Thunderbird handles excellently? (Googling for "centralized rules administration" doesn't seem to lead to much enlightenment; too many other probably-unrelated sche

Re:

[kernelpanicked]

Wow. Everytime I read a comment like the stupid trash you just posted it makes me want to scream DO YOU KNOW WHAT THE FUCK EMAIL IS? Why do Windows users feel it necessary to cram 50 different applications' functions into one super crappy, insecure piece of bloatware and then rave on about how superior it is? Me, personally, I'm using mutt in an enterprise environment because I'm just crazy enough to believe you should read email with, you know, a fucking email client.

Re:

[drmerope]

No. Its the KISS principle. Code complexity itself endangers security.

Rendering engines aren't rewritten frequently. Typically the code you have available for reuse supports many features you don't want: embedding, javascript, images (don't forget the GDI exploit). It is true that you can provide knobs to disable these dangerous features in the rendering engine. *BUT* have you ever been involved in real software verification efforts? Too many knobs means too little coverage.

Writing good tests is hard.

Re:

[flyingfsck]

Standardizing the DOD mail program is not the issue. Their problem is with *incoming* email. They have no control over what mail client Hotlipz in Tombstone Arizona is using to send a cutesy Christmas card executable to her boyfriend in Iraq...

Re:

[a.d.trick]

Maybe in the utopian land of happiness and glee. But for those of who live in the real world, it doesn't work so well. The fact is that software is buggy, and the more features it has, but buggier it tends to get. Security isn't a black and white thing. Most of the real decisions us real people have to make is based on a number of factors that we aren't quite certain about. Something like HTML email provides a much larger surface of attack and potential places for programmers to screw up. The most mail clie

Re:

[hey]

I just looked in my Thunderbird help - can't see any thing about "sanitize HTML".
Can you please point me to this option. Thanks.

Re:

[mackyrae]

There are ways in HTML email of inserting 1-pixel transparent gifs which have unique load addresses based on who opens the email so that the sender know which people they mail read it. That's how spammers know if you open the spam they send. It's a sort of tracking cookie image.

Let them outsource!

[bogaboga]

If the DoD cannot find a solution to this kind of email, they should outsource its management to countries like India and Russia. Isn't it true that a good amount of our defense contracts are outsourced?

Re:

[ScentCone]

If the DoD cannot find a solution to this kind of email, they should outsource its management to countries like India and Russia. Isn't it true that a good amount of our defense contracts are outsourced?

Um, they just did enact a solution.

And, no. You don't really have Indian outsourcing operations involved in the day-to-day admin of communications to and from the Pentagon. No.

Re:

[will_die]

The UAE company was NOT taking over any part of secuity they were taking over the cranes,etc the securuity was always being run by a local company and the US federal and state officials.

Also compared to what was happening they were not outsourcing it, since it was already outsourced, it was run by company based in another country. That was the only funny thing about about the whole thing, the Democrates were there yelling how about some evil forgein country would run the operation when a forgein country was

That's pretty obvious!

[erroneus]

That's as obvious as the department of homeland security closing the borders!

I applaud the effort, but why did they take so long to wise up even this much?

Still ways to get email from outside the network

[Sepodati]

Although vanilla access to OWA is being blocked, there are still ways to get to your email from outside of the network (mainly what OWA was used for, anyhow). You can VPN into the network, log on to OWA using your CAC (common access card, smart card, etc), use your Blackberry (assuming your rank is high enough to get one ;)).

So instead of just plain old OWA sitting out there waiting for anyone to type in a username and password, they've upped the security a little bit. Yes, it's making us jump through hoops a little (for myself, need to stand up an ASA5510 as a VPN concentrator to receive outside connections), but it's not impossible.

Besides... not being able to check your work email from home can only be a good thing, no?? I know, I know, it's for people on travel, leave, etc. too...

As for the "blocking" of HTML email, can't say that I've seen that at all. Maybe it's only for emails that originate from outside of the network since we use HTML email all the time from within Outlook (formatting is useful in this case).

---John Holmes...

Moronic Policy

[mwilliamson]

As long as stupid users dictate policy (and it always seems to be the most idiotic, uninformed, timetable pounding and ego-blinded of all users usually are in the upper echelons of an organization), security problems do to software choice will prevail. This is how microsnot products usually get pushed into an organization. Score one for the DoD getting rid of freaking html-mail and outhouse web access. One can only hope they s**tcan ms-exchange while they're at it.

Re:

[mwilliamson]

s/do/due

Good!

[porkThreeWays]

Good! HTML email is very annoying. Most of the time it doesn't display as intended anyway. Many clients will only support a safer reduced set of html thus only parts of the page will display properly. This makes the page even harder to decipher. HTML email is really only useful for spammers and advertisers usually anyway. If something needs to be that heavily formatted, attach it as a word processor document. If you can't get a basic idea across in plain-text, then the problem probably isn't because you are missing your bold tag.

Re:

[Xugumad]

No, not a word processor document, please attach it as as PDF!

Re:

[Simon Garlick]

Off the top of my head, here's a use to which I've put HTML email in the past week and I found it useful. It was something like:

"Alice, Bob and I have read your earlier queries and here are our replies. The black text below is the specific part of your email that we wish to comment on; the blue text is Bob's comments; the red text is my comments."

Temporary?

[Bluesman]

This appears to be a temporary measure based on the current threat level.

If the Infocon levels work anything like the other readiness levels in the DoD, then a shift to Infocon 4 requires a change (temporary) in policy. So it seems that a shift back to level 5 would mean HTML e-mail is no longer blocked.

It's like after 9-11, when all DoD installations had much stricter physical access rules and extra guards at the gates.

Which is a shame, because saying goodbye to html email entirely would be fine by me.

Re:

[Locutus]

good point but another option is to put an email cleanser inline to remove all problematic formating. Also, because they will probably not give up Microsoft software for this, they have to realize that a major change is needed for longterm protection.

Who knows, maybe they will 86 MS LookOut.

LoB

Blocking? Looked to me they were just converting.

[MysticOne]

I work as a contractor to the Navy, and we received e-mails a few weeks back saying that HTML e-mail would no longer be allowed. However, they weren't blocking it, merely converting anything that was HTML to plain-text or RTF. I've not tested by sending an HTML e-mail to my .mil address (gonna try that in a few minutes), but I don't think they're actually blocking it.

I've been doing this for work for ages

[Kris_J]

I determined a couple of years ago that in order for the small IT department of one (me), to be able to keep up with potential Outlook security problems, I had to filter HTML down to Plain Text. When you've got a program that can be used to infect a computer just be previewing a message, you have to do _something_. Now that we've install Exchange (bleh), internal messages are no longer filtered, but thankfully the old filters for stuff going in (and out) of the company remain in use.

There's no excuse for it

[thewils]

If you know how to use HTML, you should know how to be able to write an email without using any HTML.

If you don't know how to use HTML, you shouldn't use it, period.

I know this is redundant, but...

[Runefox]

HTML wouldn't be such an exploitable thing with e-mail if Microsoft's mail software weren't so full of holes. If Outlook/Exchange is really that important to some organizations, why not offer support for [b]internal[/b] mail to be sent in Microsoft Word format?

Re:

[Dachannien]

why not offer support for [b]internal[/b] mail

Given the topic of the OP, there's definitely some sort of irony here.

Re:

[LurkerXXX]

There have been exploits before in mozilla/thunderbird, eudora, etc.

HTML doesn't belong in emails.

And the problem with this is?

[imasu]

I block html email myself simply because it is annoying and 90+% is spam anyway. Why is this a problem?

Re:

[fluffy99]

Because 10% is not spam?

data + code = screwed

[Duncan3]

Yay! How profound that what we've always known finally made it into the heads of the military. If you mix code into your data, you're screwed eventually. No way around it.

That said, it's the JavaScript, not the HTML - formatting is data not code.

Now if only they would figure out the same about Word/Excel.

why doesn't Microsoft indemnify such flaws

[Locutus]

well, you already know the answer. Too bad nobody at the DoD is willing to step up and ask why their *nix systems are not having these problems.

LoB

Slashdot strikes again......sigh.

[LibertineR]

Folks, the DOD is NOT blocking HTML mail, just converting it to plain text and disabling scripts, something ANY Exchange admin should already be doing in addition to Sender ID.

Instead of facts, we get just another bash Microsoft thread. Figures.

NMCI goes even further

[truckaxle]

Any here that are forced to use the NMCI (Navy/Marine Corps Intranet) network know that reading any email at all can be a challenge.

A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.

Most, including middle management, refer to NMCI as No More Computing In-house.

In order to get idea just how bad things are, upper management conducted "customer satisfaction surveys". Even though the NMCI program office controlled the content, distribution, and analysis of the survey the results indicated overwhelming dissatisfaction. The NMCI program office has declined to release the raw data from the survey, instead issuing a release about the results. Rear Admiral J. B. Godwin III said releasing the results would challenge the "integrity of our data." Hmmm....

Most Navy labs that are under the burden of the NMCI contract maintain two networks, the legacy and the NMCI - the one to get work done on an the other to read email. This leads to double the costs and double the vulnerability exposure, and halves the resources to concentrate on security and usability.

Worst I hear that the Navy just extended the contract to 2010. Your tax dollars at work.

Re:

[Bios_Hakr]

NMCI is an admin's dream. CAC authentication means no more password issues. Locked-down desktops means no more shareware crap. Remote desktop and remote program installs means reduced admin visits.

Of course, paying $5000 for a shitty computer sucks ass. Plus what, $500 per user? On top of that, you have to pay retail for every app you want.

I have a CD-Burner in my NMCI machine. If I want NERO installed, I have to pay $300 for a cd-burner (because my build does not show a burner even though any idiot c

NMCI: One of the great defeats in Naval history

[HangingChad]

A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.

That is so true. The Navy needed technical standards, not NMCI. The organization is too big and diverse for a one-size-fits-all solution. Application development has all but stopped outside of San Diego and EDS is running...or should say ruining...most of that. Layers of process and bureaucracy between the users and a usable product.

Enemies!

[DoofusOfDeath]

It sounds like DoD IT people hate users' freedom! Sounds like we've found an Al Quida sleeper cell right in the DoD!!!

Damn - there goes my (to be patented) security

[Tribbles]

I encode all my emails using WingDings font, so absolutely no-one can read them :) I can't do that in plain text!

Good! As an IT guy it pisses me off!

[Aphrika]

It's not security, it's not size.. it's the bleedin' fact that every sodding day some bellend asks me how they insert >picture/video/stupidlink< into their email. I'm fed up with it! I'd rather feed their bones to pigs!

Merry Christmas by the way.

Incidentally, if those bloody angle brackets are the wrong way round - blame the sodding HTML! Merry Christmas again... and yes, I've been out getting lathered, deal with it! :o)

In most contexts, this is overkilll, but DoD...

[WoTG]

A lot of folks are going to say that this is overkill. A safe email client, patches, scanners, etc. should be "good enough". Well, if I was American (as opposed to Canadian), I'd say that this move by the DoD is a good one. Who cares if the risk is "small"? There is a higher risk with HTML email than plain text, and only marginal benefit. We are talking about an organization that needs to operate at very high levels of security.

Why Treat Only Unknown Senders as Hostile?

[darkonc]

From: Donald Rumsfield
To: General Whosit
Subject: My final Orders

This email contains a computer trogan.

You are so pwned!!!

Sincerely
Osama Bin Ladin.
____

Yeah... Typos are on purpose

Converting Gateway

[morcego]

Why don't they simply add some format conversion feature on the border e-mail gateway ? That way, HTML messages gets converted plain text before delivery.
Then again, maybe they use Exchange, and can't implement something of this sort. I know it is, if not trivial, relatively easy to implement on many F/OSS MTAs (namely exim).

Re:I like some HTML email

[commodoresloat]

Put the pictures on a web page and send your friends a link to the web page. I can't stand getting pictures via email. If you must show me a photo of your new kid, put it on a website and send me the link. I still won't look at it, but I'll respond telling you how cute he/she is and we will both feel better. As for bulleted lists,

* what
* the
* hell
* is
* wrong
* with
* asterisks?

Re:I like some HTML email

[commodoresloat]

I don't see the point of taking security risks and wasting bandwidth on email that "looks nicer." You want a nice looking email, format it as a webpage, and send your friend a link to the web page. Or print it out and stick it in the post box. My email program is instructed to display all email as text only and if it is full of crappy html that isn't filtered out, I hope it wasn't an important email because I deleted it. But I shouldn't have to bother; this junk should be filtered out at the server level and I'm glad the DoD at least recognizes that email security is more important than how nice it looks. I only wish my university would do the same :) Don't get me wrong, I love html, but it's not made for pretty-ing up email. It's made for hyper-text, which email should not be. Most email programs allow you to follow links that are part of an email message pretty easily, so what's wrong with sending the link to your browser?

Re:

[Watson Ladd]

Uhhh, the links are in html. So that's not going to work.

Re:

[commodoresloat]

Uhhh, no they're not. At least, they don't have to be, and the email program shouldn't allow them to be.

Re:

[commodoresloat]

The browser is designed for HTML and is configurable by the user (or the user's admin) -- you can say no java, etc. More importantly, the user has to take positive action -- click a link -- and to recognize that he/she is now going on the web to see something rather than looking at an email document stored locally as a file. You can also see where the nastiness is coming from if you land on a hostile script posted to a web page. Finally, you have a choice whether or not to click the link (and I usually d

one more point

[commodoresloat]

And that is that the web browser is designed specifically to deal with html. New html security holes are dealt with by web browser patches on a regular basis (for the good browsers anyway). Email clients read html as an extra; their main function is to send and receive email -- hopefully they will be updated regularly too when new security threats arise, but it's more likely to be an afterthought. That's another reason why I'm a proponent of having clients do what they are supposed to do and then pass th

Re:

[maelstrom]

Putty [greenend.org.uk]

Re:

[Arker]

http://www.geocities.com/win32mutt/win32.html [geocities.com]

Still, it's a better solution just to telnet to a real computer.

Re:

[rlwhite]

Links in email? It's against DOD security policy to click links in email. Copy and paste it.

Yeah, they're not losing anything by banning HTML email.

Good to hear...

[SanityInAnarchy]

...The trouble is, they should've done this ten years ago. At least the HTML mail... It's a bit scary that the DoD is taking so long to get reasonably secure. Department of Defense, people!