For those of you who don’t know, for many, many years I covered various topics for a government-directed computer publication, for most of those years writing a column titled Power User, so I am intimately familiar with the security follies of government agencies.
Heck, I once found myself (a clearly identified reporter/columnist) on an e-mail database along with a number of C.I.A. and NSA employees (whose very existence was supposed to be top secret at that time). Of course, everyone on the database had access to every other address, agency, and name. I knew the people and addresses were legit because, for reasons I can't go into, I knew a lot of them personally and professionally. But there were a lot of strangers on that list also, and it wasn't even slightly secured; anyone who was interested (including anyone from the Soviet or Chinese Embassy and clearly identified as such) could have gotten on the same list.
But, to today's point - since as long ago as you could first get e-mail in HTML format or with attachments, I editorialized against permitting HTML format e-mail in any government agency and recommended extremely stringent limits on attachments. (Just as I later railed against the default use of .DOC files because of macro virus concerns and, of course, periodically ranted against the use of Outlook.)
Well, two years after I left that publication the Department of Defense (http://www.fcw.com/article97178-12-22-06-Web) has FINALLY banned the use of Outlook Web Access e-mail applications AND is now blocking all HTML-based e-mail (actually just converting them to plain text).
Gee, makes me feel all secure and stuff to know hackers and actual terrorists can't send e-mail bombs to the Pentagon any longer.
Now, if they would ONLY begin to block attachments!
But, while we all laugh at the term "military intelligence," the DoD's belated security move does bring up the question of just when YOUR company will wake up to the fact that e-mail should be used to communicate information in text format uncluttered with fancy fonts and dangerous live links which could be redirecting your browser virtually anywhere?
In point of fact, to this day, my little security company has never used Outlook or Outlook Express (except on test systems) and only accepts HTML e-mail in some very special circumstances. I also warn clients that they are on their own when it comes to e-mail security if they use Outlook - after all, they are paying me to keep them secure, not clean up their mistakes later.
Is it really worth compromising your network just so every clerical employee and junior executive can get e-mail in HTML format instead of plain text? Not to mention not being able to download pictures of Ms. Spears on a business computer?
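An added example, not part of the original column: one way a mail gateway could do the HTML-to-plain-text conversion described above, using Python's standard `email` and `html.parser` modules. It drops scripts and styling and prints each link's real target beside its visible label; the sample message, addresses and function names are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class _Text(HTMLParser):
    """Keep visible text; print each link's real target after its label."""
    SKIP = {"script", "style", "head"}
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip, self.hrefs = [], 0, []
    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip += 1
        elif tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "no target")
        elif tag in ("p", "div", "br", "tr", "li"):
            self.out.append("\n")
    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip:
            self.skip -= 1
        elif tag == "a" and self.hrefs:
            self.out.append(f" <{self.hrefs.pop()}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

def html_to_text(html):
    parser = _Text()
    parser.feed(html)
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.out).splitlines())
    return "\n".join(l for l in lines if l)

def downgrade(raw):  # returns a text/plain-only copy; attachments are dropped
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    if part is not None and part.get_content_subtype() == "html":
        body = html_to_text(body)
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name]:
            out[name] = msg[name]
    out.set_content(body)
    return out

# Constructed sample: the link label and its real target disagree.
SAMPLE = ("From: a@example.com\nSubject: Invoice\nContent-Type: text/html\n\n<p>Review at "
          "<a href='http://198.51.100.7/login'>https://intranet.example.org</a></p>"
          "<script>location='http://198.51.100.7/'</script>")
```

Calling `downgrade(SAMPLE)` yields a plain-text message in which the reader sees both the label and the address the link actually pointed to, and the script is gone.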