Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Encryption Privacy Security The Internet The Military

The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year (vice.com) 63

An anonymous reader shares a Motherboard report: Basic decade-old encryption technology is finally coming to Pentagon email servers next year. For years, major online email providers such as Google and Microsoft have used encryption to protect your emails as they travel across the internet. That technology, technically known as STARTTLS, isn't a cutting edge development -- it's been around since 2002. But since that time the Pentagon never implemented it. As a Motherboard investigation revealed in 2015, the lack of encryption potentially left some soldiers' emails open to being intercepted by enemies as they travel across the internet. The US military uses its own internal service, mail.mil, which is hosted on the cloud for 4.5 million users. But now the Defense Information Systems Agency or DISA, the Pentagon's branch that oversees email, says it will finally start using STARTTLS within the year, according to a letter from DISA. DISA's promise comes months after Senator Ron Wyden (D-Oregon) said he was concerned that the agency wasn't taking advantage of "a basic, widely used, easily-enabled cybersecurity technology."
This discussion has been archived. No new comments can be posted.

The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year

Comments Filter:
  • Available Encryption (Score:5, Informative)

    by Frosty Piss ( 770223 ) * on Friday July 07, 2017 @01:22PM (#54764863)

    None of this, of course, is to say that encryption of email itself has been un available. Indeed I use the credentials on my CAC (Common Access Card) to encrypt most if not all of my email before sending it.

    • Re: (Score:1, Funny)

      by Anonymous Coward
      I was about to be aghast as the article implies there's been "no security"

      Shoulda remembered I was reading a slashdot post...
    • by Anonymous Coward

      So every single military transaction is prone to human error and or complacency. This isn't a nuanced criticism. It is in fact damning.

      • So every single military transaction is prone to human error and or complacency.

        Why? You're making a huge ASS umption that most if not all people who send sensative email are not like me. Of course I work for the Air Force where people are intellegent, but the idea that the DoD is populated by morons is a stereotype prepetuated by people who have never had meaningful interestion with very many people who work for the DoD.

        • The average person is barely above the level of moron and half of them are dumber than that. I start with the assumption everyone is an idiot and wait until proven wrong on a case by case basis. Yes I include myself in that. While I generally learn from my mistakes after 40 years I still find instances of what was I Thinking when I recently did X.

          It isn't that there are not smart people at the DOD. It is the average is well average. And that doesn't fill me with confidence. I work with smart people. Peopl

          • It isn't that there are not smart people at the DOD. It is the average is well average. And that doesn't fill me with confidence. I work with smart people. People who have used computers for 20 years. And I still have to explain basic file handling and email concepts to them. it is even more baffling when OCD organized people , people who organize parts and clothes by size color and shape. have 100 files and folders on their "desktop" computer and can never find what they are looking for.

            I understand your point.

            I work exclusively with pilots, most of whom are Academy grads as well as having advanced degrees, mostly science but it varies, from well known schools.

            So my exposure is probably skewed. The "rank and file" actually have to do fairly regular computer security and safety training to maintain network access, but absorbing the essentials is a variable.

            I can not speak for the Army or other DoD departments, only mine, which in general is made up of educated people.

            - Frosty

    • this tells me that the pentagon could care less about the security of the u.s. soldiers emails until now, 2017.
    • by Anonymous Coward

      The article is full of issues. #1, the MAIL.MIL system is what they are talking about and the connections it makes with "external" MTA's.
      Internally, mail has been routed over SSL/STARTTLS connections. The Exchange servers before the DEE migration also used secure relay for messages.

      Mail items themselves have been encrypted using CAC cards and probably one of the largest implemented PKI infrastructures out there. In fact, the DoD PKI/PKE is so large and expensive (cards are $30+ each and routinely get burned

  • by Anonymous Coward

    It is here:

    The US military uses its own internal service, mail.mil, which is hosted on the cloud for 4.5 million users

    What could possibly go wrong?

  • "which is hosted on the cloud "

    Ah, yes, "the cloud". Like there is just one. Thanks for the specifics. Does anyone know the details here; is the military really using AWS for email hosting?

  • How email works.... (Score:2, Informative)

    by Anonymous Coward

    ...I think people have misconceptions about how exactly emails works. It's not bounced around from server to server until it gets to it's destination.

    It's delivered directly to whichever server(s) your specified in your domain's mx record. So emails cannot simply be intercepted by whomever just like that.

    However by default it is sent as clear text, which means in theory your Tier 3 (your ISP), tier 2 and tier 1 providers could intercept those emails since the packets have to pass through their networking eq

    • Re: (Score:2, Informative)

      by Anonymous Coward

      > So emails cannot simply be intercepted by whomever just like that.

      It absolutely can be intercepted by whomever just like that. Just because email doesn't bounce around at the application level doesn't mean packets don't bounce around at the transport level. Do a traceroute between mail servers. Any one of those routers (and any devices in between them that silently pass packets) can be compromised. Any link in between them can be compromised. Don't say it can't happen. The government at least already h

    • If you are sharing top secret or confidential military info , you should be encrypting every email you send via your email client, regardless if the servers transmit it in clear text or not.

      ^ This.

      Nobody should rely on STARTTLS actually working anywhere, any time, especially in countries like Australia where ISPs are legally required to MITM all SMTP connections on behalf of the United States "intelligence" services. ISP do this with proxy appliances that remove the STARTTLS capability from the origin serv

  • by hackel ( 10452 )

    They're talking about *personal* emails, right? Surely they aren't *that* incompetent that they're sending official communications over unencrypted email? PLEASE tell me they're not that stupid...

    • Re:Um... (Score:4, Informative)

      by jeff4747 ( 256583 ) on Friday July 07, 2017 @02:40PM (#54765419)

      DoD networking isn't quite the same as what's available to the rest of us.

      "Normal" stuff goes over something called NIPRNet. It uses Internet protocols and is connected to the Internet via a few gateways, but if you are emailing from .mil to .mil, it stays on NIPRNet. So it's a bit like emailing another employee at work - The message stays within your employer's network so it's hard(er) to MITM.

      Important things go over SIPRNet, JWICS or another more secure network. Encryption in-transit over those networks has been standard since those networks were built, and is done via hardware devices.

    • Yes, you should not send official communications unencrypted. But even sending personal information unencrypted may be bad. If one person emails his wife saying that he is stationed at base X then that is no big deal. But if a thousand people say that they just got stationed at base X within a short period of time then that might be bad. There is a reason why during WWII before d-day they officially put Patton in charge of an inflatable and fake army. They were trying to convince Hitler that Patton's attack

    • by AHuxley ( 892839 )
      It would depend on who is talking or emailing. Who, why and how could be of great interest to other nations.
      What could go wrong?
      Someone on a ship sends an email home with the final server been a very average for profit .com in the USA?
      Some faith or cult member or dual citizen makes a copy of all .mil related material as they got work deep in the .com and have total trusted access for work?
      Another nation slowly builds a database of all in use .mil accounts (via some external agency or cover .com or outs
  • by Anonymous Coward

    Most SMTP servers that implement STARTTLS don't even bother to verify the certificate presented to them by the remote host. Pretty trivial to MITM this traffic. This is basically the equivalent of putting a crapton of post cards in a lock box with a skeleton key. It'll keep honest people from reading your mail..thats about it.

    The real solution is to encrypt the CONTENTS of the email using something like S/MIME or GPG.

  • Oooooohhhhhmmmmmm

    ps I actually loved Notes specifically because it was so damn secure. Hard and expensive to manage, so the bean counters didn't agree with me.

    • Notes at least gave everyone their own private key that was used for everything.

      My question is, can S/MIME, or even Symantec's PGP fill in this gap for secure E-mail? Symantec's PGP had the ability to use ADK (additional decryption keys) for recovery, and work pretty well. It would be another add-on to Outlook, but done right, a compromise of a mail server would be mitigated by doing this.

      • Depending on how the PGP server is set up it can also proxy the connection and do the encryption on the server itself, a lot of companies are set up that way. The encryption server sits between the MTA and the mail gateway or the Internet and encrypts/decrypts on the fly so compromising the mail server still would give the attacker access to plaintext messages. Actually encrypting mail is a solved problem, the problem is with key exchange. Despite many attempts at searchable keyservers and different keys

  • by Train0987 ( 1059246 ) on Friday July 07, 2017 @02:30PM (#54765367)
    Only the connection between the mail client and the mail server is encrypted. Once it leaves the mail server to go to the recipient it is no longer encrypted.
    • That makes no sense. I suppose you're talking about once it leaves one mail server to go to another mail server it is no longer encrypted. But that scenario is only relevant if you're going to another server you don't control. That is not likely the case here.

      • It makes perfect sense. In most use cases the only encryption is between the mail client and its server. When you send an email from your client it goes to your server and then to the recipient's mail server (based on the recipients MX record). With STARTTLS the only "secure" connection is between your mail client and your mail server. Your mail server will almost always then send it out to the recipient on their wire in plain text. That's how email works, and has worked for 50 years. TLS is really ju
        • When you send an email from your client it goes to your server and then to the recipient's mail server

          Your connection to the server is encrypted. If your recipient is on the same server then no further transmission is necessary. If you're recipient is within an internal network who's servers you can control then the further transmission can be encrypted if the admin chooses it to be. Then the only remaining piece is to read the mail using encryption. And that is precisely what is happening in this case.

          Your mail server will almost always then send it out to the recipient on their wire in plain text.

          Get with the times. Email servers these days will "almost always" send out to the recipient using encrypti

  • by XSportSeeker ( 4641865 ) on Friday July 07, 2017 @02:48PM (#54765467)

    Are they demanding a backdoor to be build on those too?

  • Pedophiles. Think of the children.

If you had better tools, you could more effectively demonstrate your total incompetence.

Working...