back to article Spy agency GCHQ told me Gmail's more secure than Microsoft 365, insists British MP as facepalming security bods tell him to zip it

Conservative MP Tom Tugendhat has publicly claimed GCHQ sources told him Gmail was more secure than Parliament’s own Microsoft Office 365 deployment – but both Parliament and a GCHQ offshoot have told him to stop being silly. The outspoken parliamentarian, who is chairman of the Foreign Affairs Select Committee, made his …

  1. Mike 137 Silver badge

    Either or both secure or insecure?

    When I attempted to investigate Office 365 security on behalf of an international scale client, none of my detailed questions got answered. I was fobbed off instead with truisms including ISO 27001 certification, which everyone really knows (but may not admit) doesn't ensure security at all - only that you follow a formal process. The actual results of following it don't get audited. Consequently the question of relative security between gmail and 365 remains an open question.

    If I want a secure service I either run it myself or I outsource it to those who will keep me fully informed at the detail level. But of course that's more expensive than vaguely specified "cloud" offerings.

    1. PeeKay

      Re: Either or both secure or insecure?

      Schrödinger's email, perchance?

      Where an email provider can be good, evil or both at the same time.

      1. john.jones.name
        Mushroom

        Some products have DANE

        Microsoft Office 365 lacks DANE support yet the feature is coming to Exchange Online servers....

        so yes they both are planning to support DANE and not at the same time...

        https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494

        GMAIL can support DANE now if you get the MX right and sign your own domain so technically gmail is more secure.

        I hope Microsoft product managers might pay attention and follow through...

        1. Blackjack Silver badge

          Re: Some products have DANE

          Exchange Online servers are something you SHOULD NOT USE if you want privacy and security.

          1. martyn.hare

            Email is something you shouldn’t use

            If you value privacy and security:

            * Implement proper authentication of every entity which can send/receive data

            * Provide full end-to-end encryption of all data which is sent/received

            * Use digital signing to make sure nothing is tampered with at any point

            * Stick to a commonly agreed standard at the presentation layer to keep things clean

            Email does none of the above by default. A bit like telnet,

            1. mistersaxon

              Re: Email is something you shouldn’t use

              Ah, a fan of Lotus Domino! Quite right *nods approvingly*

            2. Anonymous Coward
              Anonymous Coward

              Re: Email is something you shouldn’t use

              "Email does none of the above by default. "

              Indeed not, Teletype-era email (SMTP, POP, even IMAP and MIME and other band-aids) email does none of those in any meaningful way.

              Which is why by the time the 1980s came around, the delights of X.400 email etc started to emerge. Designed from the ground up to do things like authentication, encryption, tamper-evidence, and other useful stuff, generally based on vendor-independent standards rather than proprietary implementations. But the ISPs didn't like it because it wasn't free and in particular it needed expertise and investment and trust, which weren't welcome qualities in the retail ISP market.

              Maybe it'll be fashionable again one day. Meanwhile, keep applying the band-aids to the teletypes.

          2. Anonymous Coward
            Anonymous Coward

            Re: Some products have DANE

            My uncle assures me that Exchange Online Servers are more robust than a jellied eel.

            I am not convinced about this. What do you say?

    2. Primus Secundus Tertius

      Re: Either or both secure or insecure?

      The biggest ISO sham reassurance is ISO9000 Quality Assurance. You will be assured that meetings have been minuted and actions acted upon. But I never met a QA person who could read the code for a program and say, "That's wrong".

      1. Flocke Kroes Silver badge

        Re: QA person could not read code

        Not what he is there for. It is up to you to explain to QA a practical and sufficient method of assessing code quality. He can then document this method and you correct it until the documentation is clear and this can be added to the company's QA procedures. When times change and superior methods become available it is up to you to raise the issue with QA to update the procedures.

        This can still go horribly wrong, for example an x86 emulator kept getting failed because notepad crashed with large files. This was in fact a correct emulation of notepad's behaviour on x86 but no-one was able to convince QA.

        1. jdiebdhidbsusbvwbsidnsoskebid

          Re: QA person could not read code

          "It is up to you to explain to QA a practical and sufficient method of assessing code quality"

          Not quite, you have to show the QA person that you have a method of assessing code quality and that you follow it. The quality of the method itself is not under examination for ISO9000, just your adherence to the method.

          Where I worked once, we got our ISO9000 certification. Our processes were all clearly documented, followed and recorded for the auditors to see. We passed with flying colours. On the way out of the building the auditor basically said well done for for following your processes well, but you do know that your processes are all rubbish?

          1. Anonymous Coward
            Anonymous Coward

            Re: QA person could not read code

            I just have to point out that there is no such thing as ISO9000 certification. The certifiable standard is ISO9001. However, it only certifies the underlying management system used to manage/control quality - not to any specific product/output. Anyone relying solely on ISO9001 certification to assure quality will often be disappointed.

          2. medit

            Re: QA person could not read code

            QA is not an assurance of good quality. It is an assurance of consistent quality. If the documented procedures produce software that is consistently of rubbish quality then ISO9001 is doing its job of assuring consistent quality.

            You can't blame QA or its practitioners for the calibre of the code.

            1. Anonymous Coward
              Anonymous Coward

              Re: QA person could not

              "You can't blame QA or its practitioners for the calibre of the [product]."

              Maybe not, initially, but what about after the first couple of years worth of formal complaints come in following the documented complaints process? There is a properly documented complaints process, right, with proper followup required? And the BS/ISO9000 auditors will want to see how well it's working, right?

              You're on thin ice here, but maybe that shouldn't be a surprise.

      2. Cynic_999 Silver badge

        Re: Either or both secure or insecure?

        It only ensures that the quality will be *consistent* from day to day and product to product. That could mean consistently *bad* quality. It also says absolutely nothing about whether the product is fit for purpose.

        1. Doctor Syntax Silver badge

          Re: Either or both secure or insecure?

          I used to refer to the QMS as the mediocrity management system - if you were being consistent with your documented level of mediocrity that was fine.

      3. Aitor 1 Silver badge

        Re: Either or both secure or insecure?

        Worse still, the testing method could be to say "it is ok", and as long as it is followed, you thet the ISO.

      4. Ian Johnston Silver badge

        Re: Either or both secure or insecure?

        ISO900n, like BS5750 before it, simply verifies that you can produce crap in a documented and repeatable way.

    3. sev.monster Bronze badge
      Thumb Down

      Re: Either or both secure or insecure?

      Microsoft Support is all woefully inept outsourcing at all but the highest and internal levels, so good luck getting any kind of answer out of them in this regard.

      I'll also tell you in case you didn't know: The essence of "Microsoft 365" is AD, Exchange, and other things you could run yourself, with a bloated, buggy web interface and overcomplicated sync tool for hybrid environments. These services, in my research, run on Server 2016 and *nix machines, with the software itself often being a few versions bebind. The only thing 365 does that you can't download and run for yourself is their proprietary Azure development environment, and some of their new offerings like Power Automate. Everything else Microsoft either sells as a standalone product or there are better non-MS options available. The big draw to 365 is it having everything in one web-centralized package... A package you get incredibly confused even trying to buy, since it seems not even Microsoft certified licensing experts can help get the right solution. MR. REP, LET ME ASK AGAIN: IS OVS-ES INTUNE LICENSED PER USER OR BY FTE COUNT? I AM YELLING THROUGH THE SCREEN, MAYBE THAT WILL HELP.

      Heed my warning. There will be at least 3 minor to major problems that crop up in your 365 environment every day without fail. What should be a managed solution ends up becoming another full-time job in addition to other priorities. Oh look, speaking of—"365 Service Alert" plops in my already fattened inbox right as I'm writing this comment... And the outages! Oh, the outages for stupid reasons! They are much more prevalent than they have a right to be.

      I can't imagine supporting this trite at an international scale without being overstaffed to handle all the BS edge-cases. It can barely handle what we use it for.

      Time to contact support again because this UPN is unchangable, just to be told that being able to change it is not a feature yet... I shit you not, and it's been like this for years, but I have to do my due dilligence, huh?

    4. FlamingDeath Silver badge

      Re: Either or both secure or insecure?

      I was once tasked with creating an ISO 27001 report, I discovered the company I was doing this for, their ISP was conveniently next door.

      While investing some WAN outages, I wandered in there, literally, no access controls, no guards or receptionists, the first person I met helpfully showed me around the place, where their comms cabinets were etc, without verifying who I was or if my story about working next door was true

      I raised this as an issue as part of the ISO 27001 report, the managing director said it was outside of scope, I disagreed, I left after having to sit and listen to the director tell me how amazing he was and how shit I was for being pedantic

      I left after only 2 weeks

      I guess they got some other agreeable chump instead....

    5. Anonymous Coward
      Anonymous Coward

      Re: Either or both secure or insecure?

      None of these email services are secure or safe and O365 is not less safe than gmail. The suggestion is preposterous.

      GMAIL is hacked DAILY with Google Chrome password mining also a daily hack Google have been unable to stem.

      All those organizations using gmail and O365 may as well be posting their emails to the world in an open slack channel anyone and everyone can read.

      You want secure email? On Prem exchange or Linux servers using PGP or better encryption schemes with SED and EKS are the only way to get to secure and private.

      The cloud has ZERO security unless you run an OS like AOS on their EC2s with all the security options turned on, SED in the cluster nodes and the full FLOW enchilada configured with the EKS AOS comes with.

      Even then on Prem AOS with all the security hardware and software enabled is pretty hard to beat.

      O365 is also so basic compared with the full Microsoft Office Suite I really fail to understand the attraction it offers as its so frustrating the O365 version does not have full feature compatibility to the "real thing" all you get is irked beyond belief.

      If you want security you also have to remove that malware parasite every computer comes with called Google Chrome.

      Nicht für mich Kamerade, Nicht für mich!!

      1. Anonymous Coward
        Anonymous Coward

        Re: Either or both secure or insecure?

        And for our next exhibit we have the extremus maximus, an IT resource who believes that he is smarter than everyone else. Key behavior to look for in order to identify this species include attempts to over-engineer every project that he is a part of, to the detriment of project timelines, usability, CSAT, and budget.

  2. solv

    Conflicting statement....??

    wtf?

    "we would always encourage MPs to use parliamentary email, which offers significantly higher levels of security than external providers."

    article is about how Parliament moved to Office365 in 2013....are Microsoft that comfortably in bed with governments that they are no longer even considered an external provider....

    This is no different than if a government used the commercial G suite offering

    1. Pascal Monett Silver badge

      Re: Conflicting statement....??

      If your Exchange server is on-prem and properly firewalled, the Borkzilla is no more an external provider than all those workstations based on Windows.

      In any case, don't worry about Borkzilla : it is comfortably in bed with all governments.

      1. Anonymous Coward
        Anonymous Coward

        Re: Conflicting statement....??

        "In any case, don't worry about Borkzilla : it is comfortably in bed with all governments."

        I wouldn't be so sure about all: I don't imagine it would be having much luck successfully negotiating email exfiltration contracts with China, Russia, countries barred by US laws, etc.

        In fact, is it only the anglophone world that has tended to have been enveloped by the tentacles, or does anyone know whether other European, South American, African, Asian, countries have had more sense fending them off so far?

        1. sev.monster Bronze badge

          Re: Conflicting statement....??

          365/Azure have datacenters in China, and Chinese-specific operating environments for both are available; these environments come specced out for SMBs, enterprise, and government IIRC. Of course, the contracts for using these environments likely say "the CCP can access everything without asking" as per usual.

          1. Anonymous Coward
            Anonymous Coward

            Re: Conflicting statement....??

            That's saddening to hear that MS have managed to get through the Great Wall.

            I don't agree with all the reasons why China tries to develop its own IT infrastructure (spying on ordinary citizens, whoever does it, isn't a good thing), but it is commendable that they do put a lot of effort into developing their own Linux distro, etc. It's just a shame if they still also let another untrustworthy organisation join in on the spying too.

      2. Twilight

        Re: Conflicting statement....??

        But if you have Exchange server on-prem, then you are not using Office 365 (afaik), correct?

        I got Office 2019 because I refuse to use Office 365 (unless forced by work). And I don't use MS for email.

        1. sev.monster Bronze badge

          Re: Conflicting statement....??

          Exchange can function in a hybrid environment. Just because they have Office 365 Exchange Online doesn't mean they are using cloud email only. You can have mailboxes hosted on-prem or online, and use the other service as a RemoteMailbox proxy, depending on the user.

    2. Roger Kynaston Silver badge

      Re: Conflicting statement....??

      The HoC used to run an Exchange server but along with a lot of other Government departments they moved to O365. This was, likely driven by cost as they could outsource management of mail to our friends in Redmond. MS offered a promise that data would be hosted in the EU and so be GDPR whatevered while Google couldn't/didn't want to offer the same promises.

      Don't forget the costs included the Exchange admins. Taxpayer pounds have to be saved of course.

      Whether that actually makes parliamentary emails more secure or not is an interesting question. I suppose that since GCHQ is part of Five Eyes they get to share in any snooping M$ bods do.

  3. Anonymous Coward
    Anonymous Coward

    Oh dear....

    When folks like this are running the country no wonder we are fecked.....

    To even possibly think that a free, publicly available email system, run by a foreign company, who have scant regards for the laws of the land is more secure than one provided by their own internal highly skilled professionals with all kinds of traceability..... You couldn't make it up.

    I wonder if his "friends" in GCHQ were only ever spoken to on the phone and had a chinese accent?

    This really should be a serious disciplinary offence (assuming he used it for any official work)

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh dear....

      This story appeared on the BBC website yesterday, and i could not e-mail the reporter to provide some information about Google looking at the contents of your e-mail.

      I did find it surprising what was said by the MP, and thought it must have been a crossed wires thing.

      1. Doctor Syntax Silver badge

        Re: Oh dear....

        "I did find it surprising what was said by the MP"

        Why should anyone be surprised at anything an MP says? Disbelieving, yes, surprised, no.

      2. Smirnov

        Re: Oh dear....

        "i could not e-mail the reporter to provide some information about Google looking at the contents of your e-mail."

        Google stopped scanning email content of personal GMAIL accounts many years ago, and never did it for its business offerings (G Suite/Google Workspace):

        https://workspace.google.com/learn-more/security/security-whitepaper/page-6.html

        https://workspace.google.com/terms/dpa_terms.html

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh dear....

      He didn't say what his "friend" does at GCHQ ...

      1. LDS Silver badge
        Devil

        Re: Oh dear....

        Probably a Chinese one.

      2. lglethal Silver badge
        Trollface

        Re: Oh dear....

        Even GCHQ need their toilets cleaned by someone...

    3. Chris G Silver badge

      Re: Oh dear....

      It's equally likely his friends in GCHQ live in Mountain View.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh dear....

        His friends work for Google HQ, see...

        It's an easy mistake to make.

    4. Anonymous Coward
      Anonymous Coward

      Re: Oh dear....

      To be fair, it probably IS more secure to use gmail if your concern is being found out by someone in the UK investigating some kind of parliamentary irregularity. In which case it's probably better still to use one of the anonymised disposable email addresses that tin foil hatters love. And TBH I do occasionally use those myself in order to make sure the anonymous tips offs I send to various places are truly anonymous and I'm not likely to be investigated myself in the course of, say, giving the police the number plates, descriptions and locations of vehicles and persons I suspect to be involved in drug dealing when I'm out and about in the small wee hours on a shout to some dark corner of an otherwise deserted industrial estate housing a company's DC. Don't want the county-lines gang getting my details from plod and turning up at the door with murderous intent.

      1. sev.monster Bronze badge
        Boffin

        Re: Oh dear....

        Just hide in the server closet until they sod off.

    5. Doctor Syntax Silver badge

      Re: Oh dear....

      "one provided by their own internal highly skilled professionals"

      We don't have any. We outsource it somebody else's staff. Whether they are highly skilled professionals is unknown.

      1. cyberdemon Silver badge
        Devil

        highly skilled professionals

        are what crapita are best known for! Right, Dave?

        (The public contracts & lobbying department, that is)

    6. 2+2=5 Silver badge
      Joke

      Re: Oh dear....

      > To even possibly think that a free, publicly available email system, run by a foreign company, who have scant regards for the laws of the land is more secure than one provided by their own internal highly skilled professionals with all kinds of traceability..... You couldn't make it up.

      You clearly have no idea what you are talking about ... it's not free. :-)

    7. macjules Silver badge

      Re: Oh dear....

      "This really should be a serious disciplinary offence"

      I believe that they can sub that on their expenses nowadays. There is a special checkbox marked "special discipline expense (no receipt required)"

  4. TVC

    An ex GCHQ bod once told me never to use GMail

    Odd. An ex GCHQ spook told me that if you want everyone to know within 5 minutes put it on GMail. Mind you that was a few years back so maybe things have changed.

    I always assume that as soon as you put anything on the Internet it's probably public anyway.

    "Just because you're paranoid doesn't mean they aren't after you."

    1. lglethal Silver badge
      Big Brother

      Re: An ex GCHQ bod once told me never to use GMail

      "Mind you that was a few years back so maybe things have changed."

      Yep, now it only takes 3 minutes...

    2. blah@blag.com

      Re: An ex GCHQ bod once told me never to use GMail

      I use Gmail, Gdrive sheets & docs for convenience but have always assumed everything on it is basically compromised. i.e. if you have data you would rather not share then keep it elsewhere. In my case encrypted drives plus extra encryption where necessary. Not that this is a total solution either but will defeat casual nosyparkers. If the MAN comes calling then naturally I'm an open book cos I don't want an appointment with Mr Big in the prison showers thank you.

      1. Chris Fox

        Re: An ex GCHQ bod once told me never to use GMail

        “I use Gmail, Gdrive sheets & docs for convenience but ... if you have data you would rather not share then keep it elsewhere.”

        Presumably the corollary is thus: “if you have data you would rather not share with third parties, then don't collaborate with me, or anyone else known to use GMail, GDrive and googledocs”?

        1. blah@blag.com

          Re: An ex GCHQ bod once told me never to use GMail

          All I'm saying is that if your data was leaked and that had legal, commercial or personal consequences then find another way.

          25 years ago as a newly minted sysadmin our team came up with the phrase "Are you paranoid enough?" which has served us all over the years. This should not be a brick wall and stop you from doing anything, but it is a useful pause for thought where you consider the consequences of your actions and potentially the actions of others.

        2. Anonymous Coward
          Anonymous Coward

          Re: An ex GCHQ bod once told me never to use GMail

          "if you have data you would rather not share with third parties, then don't collaborate"

          FTFY

    3. Dan 55 Silver badge

      Re: An ex GCHQ bod once told me never to use GMail

      Odd. An ex GCHQ spook told me that if you want everyone to know within 5 minutes put it on GMail. Mind you that was a few years back so maybe things have changed.

      It might have been that at the time Google didn't use SSL between their data centres as they thought they had the fibre connections all to themselves. They do now (or so they tell us).

    4. GrumpyKiwi

      Re: An ex GCHQ bod once told me never to use GMail

      All the ex-GCHQ people I worked with were dodgy-as scumbags who thought nothing of cheating on their spouses and taxes and several of whom were heavily involved in a corporate fraud liquidation/phoenix rebirth scheme that cost several of my friends and ex co-workers a lot of money.

      GCHQ could tell me that the sky is blue and I wouldn't trust a word they said.

  5. J.G.Harston Silver badge

    "The mother of parliaments adopted Office 365 in 2013"

    England adopted Office 365?

    1. PTW

      Tynwald adopted office 356?

      1. Doctor Syntax Silver badge

        Is your allowance of 9 days downtime enough?

  6. PTW

    protonmail.com

  7. Warm Braw Silver badge

    Tugendhat studied Theology at the University of Bristol

    So he's already trained for a Microsoft vs Google debate.

  8. sitta_europea Silver badge

    People don't get elected to our Parliament because they have brains.

    They get elected because they've found a way to persuade enough people to vote for them.

    They don't, in general, care how they do that, but for sure it doesn't involve telling everybody the unvarnished truth. That's the path to sound defeat in the polls.

    And it really doesn't matter, except, perhaps, to me and the dozen or so other principled people on the planet. But in the Grand Scheme of These Things, we don't count at all.

    1. Cynic_999 Silver badge

      "

      They get elected because they've found a way to persuade enough people to vote for them.

      "

      Usually it's because they had enough money to pay someone else to persuade the general public to vote for them.

      1. Yet Another Anonymous coward Silver badge

        >They get elected because they've found a way to persuade enough people to vote for them.

        They persuade a very small number of people on the local party selection committee to vote for them and are in a safe seat.

  9. Mr Dogshit
    FAIL

    An AOL account?

    Can't be that difficult to trace then.

    1. Yes Me Silver badge
      Facepalm

      Re: An AOL account?

      I don't know when I last saw an email from an AOL account that wasn't bogus. But I do find it a bit odd that the email system of the Mother of All FuckupsParliaments doesn't flag messages from outside as messages from outside. Lots of corporate email systems do this, for good reasons.

  10. Huw D

    Tug end hat? Is that a euphemism?

    1. TRT Silver badge

      It's a lager that was popular in the 80s isn't it?

    2. Anonymous Coward
      Anonymous Coward

      I've been calling him Tug Boat Hat since he first made national news, which is so mild its childish. I much prefer bitter. I think I'll refer to him henceforth as Tom Helmet Stretcher.

      (I opened el Reg in a background tab while DDGing Andorian Ale. Did a doubletake when looked up and saw 'The Register: Enterprise Technol...'

      I think I'll buy a bottle of Jack and some blue food dye!)

    3. Pangasinan Philippines

      Tug

      Darn, That was my password

  11. Plest
    Facepalm

    If it's free...

    My general advice to people is if the internet service is free then you've compromised something to get it. It might be security or allowing the service provider to scan the data you push through it, but as they say "There's ought for nought in this life.". I'm happy to use GMail for crappy emails with nothing important but you wouldn't use it to trade financial info.

    I believe Virgin Media now backend all the email services through GMail, say no more!

    1. Terry 6 Silver badge

      Re: If it's free...

      VM started with Gmail, and tbh it was a bloody sight better when they did. They stopped using VM. It's been an in-house spam magnet for years.

  12. You aint sin me, roit Silver badge
    Trollface

    Surely it's Huawei's fault...

    Did he borrow Bozza's Huawei phone to access his gmail account?

  13. Julz Silver badge

    Email

    Is not a secure medium. I guess gmail might be less leaky in that most of the routing happens within google-net. I guess you balance that against the content being trawled for advertising opportunities. Anyway, email is not a secure form of communication. Like sending a post card, you never know who else has interfered with message before your intended recipient gets it. Anyway, the weathers loverly here...

    1. Potemkine! Silver badge

      Re: Email

      +1! One should rather consider that emails are not secure by design. It's like a message in a bottle 'magically' going to the recipient through the Internet sea, with everybody in between able to read the message. If you want something secure, you should use Signal, and if you want it very secure, don't send it by digital means at all.

  14. Anonymous Coward
    Anonymous Coward

    O365 but not as you know it

    I think there's a bit of O365 confusion. I cant speak for all of Gov UK but my organisation does use O365 but its a dedicated system that cannot be accessed outside of the network, i.e. you cant use apps or log in from the internet. It's provided for all the cloud working capabilities but only within an enclosed environment.

    1. kirk_augustin@yahoo.com

      Re: O365 but not as you know it

      You can easily make a secure email system by not connecting to the internet, but then what is the point? If you have to in the building to access it, then just talk to the person instead of emailing at all.

      1. Cynic_999 Silver badge

        Re: O365 but not as you know it

        Talking to someone (either in person or on the phone) entails interrupting what they are doing, and then giving them information that they may well forget or mis-remember. Emails do not interrupt what the receiptient is currently doing, and may be referred to whenever required rather than relying on memory.

        1. Yet Another Anonymous coward Silver badge

          Re: O365 but not as you know it

          More importantly you know anything sent out by email is the equivalent of the office notice board memo and can safely be ignored.

          Stuff that you need to deal with gets sent by whatsapp/signal/teams

    2. Displacement Activity

      Re: O365 but not as you know it

      So...

      it's "provided for all the cloud working capabilities", but "only within an enclosed environment".

      Surely that's an oxymoron?

      1. Anonymous Coward
        Anonymous Coward

        Re: O365 but not as you know it

        It depends if you have hundreds of people in different offices all around the country trying to work together, although I probably should have said collaborative working capabilities.

  15. cipnt

    Spoofing alerts

    The email that triggered all this was a lame spoofing attempt sent from a dodgy AOL account.

    "I was told by friends at GCHQ that I was better off sticking to Gmail rather than using the parliamentary system because it was more secure,"

    It seems to me that whoever gave this advice might have been referring to Gmail / Google Workspace's automatic spoofing warnings which are triggered when the sender's name is the same to one of the directory contacts but the email is not from the company's domain:

    https://support.google.com/a/answer/9157861

    These alerts are extremely intrusive and therefore are highly efficient with nontechnical users (in fact we were getting a lot of support calls about the alerts themselves), so in a sense would be more... secure.

    1. Ben Tasker Silver badge

      Re: Spoofing alerts

      > The email that triggered all this was a lame spoofing attempt sent from a dodgy AOL account.

      The other side to this is that if you don't use the "standard" solution you only make spoofs more credible.

      If everyone knows Tugendhat never uses his Parliamentary email (because he doesn't think it's secure) then they're more likely *not* to question an email from tudendhat@well-known-provider, working on the assumption that must be his alternate account.

      If, however, it's not well-known that you're into shadow IT, people are more likely to go "that came from off-net? Hmmmm".

      To an extent, of course, there will always be people who will believe whatever lands in their inbox

  16. Anonymous Coward
    Anonymous Coward

    Secure from who?

    It's really a who has access question as I see it.

    If you use work/parliament Email, yes they can see anything "if they want to"

    If you use gmail, any gov that request your info (as well as their marketing teams/apps) have access.

    So if you are trying to hide info from someone, use the other. But in reality if you don't want to be caught doing bad things - don't fricking do them!

  17. Kane Silver badge
    Boffin

    A request to El Reg

    Can you please refrain from using links to twitter pics in your articles? I've mentioned this before but some of us either a) can't view twitter or b) choose not to view twitter, for whatever reasons a) or b) may be.

    Just embed a screenshot of the twitter pic in the article, please?

    1. Anonymous Coward
      Anonymous Coward

      Re: A request to El Reg

      "some of us either a) can't view twitter or b) choose not to view twitter, for whatever reasons a) or b) may be."

      Yes, as in, like all of Arseface and half of Google, marked as 'Untrusted' in NoScript.

      1. tiggity Silver badge

        Re: A request to El Reg

        The twitter images totally pass me by as need JS enabled for Twitter to see them & that's not going to happen on my PC.

        Would have to use partners computer to see it- partner cannot deal with using my computer as so much disabled by default so has their own machine (& no internal network access between the 2 machines as partner machine just a big risk IMHO)

  18. TrumpSlurp the Troll
    Trollface

    Non-technical issue?

    Like the non-technical people the spook knew were administering the system?

  19. Anonymous Coward
    Anonymous Coward

    Email insecurity

    At a previous company I found out that <high up IT person at Head Office> was getting a jolly to the US to do a security course.

    I waited until 2 weeks after she had got back and then sent an email from her account to the whole company explaining that she had been on the super secret security course and everything in the network was now super secure like it should be.

    A few months later I had to make my team redundant at the behest of Head Office (we'd all been there just under 2 years!)

    A went back to my desk in a foul mood afterwards to find all the teams equipment including mine was missing. I rang up Head Office to find out why my kit had gone , only to be told that I was also redundant, and I knew why as I'd just spent all morning telling each of the team members. I learnt 2 things that day:

    a) they had at least learnt something about security and removed all the kit before we could use it (and deleted our accounts)

    b) Head Office were right 5hits - The IT manager and boss wouldn't even speak to me, but had got me to do all the dirty work for them

    C-suite are just 5hits!

    1. Grease Monkey Silver badge

      Re: Email insecurity

      This is standard practice. If you are a team leader and you are told to make your whole team redundant then it should be pretty clear to you that you are redundant too. A team leader with no team? That's no job then.

      Don't forget there's supposed to be a consultation period first where people are told they are "at risk of redundancy".

      I worked with a chap in the same situation who when advised to get the team together and tell them they were being made redundant (itself a breach of the guidelines as each employee is supposed to be informed individually) made the smart move of saying "so does that mean I am redundant too?"

      A smart move because if he was told "no" then he would be able to claim unfair dismissal should they subsequently dismiss him. However the answer that came back was "yes" so he replied to his line manager "get your arse over here and tell them yourself then".

    2. Anonymous Coward
      Anonymous Coward

      Re: Email insecurity

      > I waited until 2 weeks after she had got back and then sent an email from her account

      Lucky you were made redundant. That's a sackable offence in most places.

    3. Anonymous Coward
      Anonymous Coward

      Re: Email insecurity

      "I waited until 2 weeks after she had got back and then sent an email from her account to the whole company explaining that she had been on the super secret security course and everything in the network was now super secure like it should be."

      I'll take "things that never happened" for $500, Alex...

  20. Grease Monkey Silver badge

    It amuses me that so many of the commentards above are getting hot under the collar about the technical and moral arguments regarding Microsoft vs. Google without realising the true significance of this story.

    The significance, if you are missing it, is not about whether one system is more secure than another. It's that the honourable (ahem!) member (apt) claims that some unidentified "friends" within GCHQ had told him that a free public email service was more secure that parliaments own in house email system. I would hope GCHQ are investigating who these "friends" are that would talk security to an MP without official clearance, checking their claims very carefully and taking the appropriate action. The latter being either improving the security of the existing email systems or taking disciplinary action against the relevant staff whichever is more appropriate.

    1. kirk_augustin@yahoo.com

      Microsoft 365 NOT in-house

      Of course GMail is more secure than any cloud service like Microsoft 365. Microsoft 365 is NOT in-house. It is a remote cloud service, and is about the least secure system anyone could ever come up with.

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft 365 NOT in-house

        Sorry you're suggesting that gmail is not a cloud system then?

        But you are missing the OP's point by a country mile. The issue at hand here is not which system is more secure. The issue goes way beyond email security. But the original post points out that some people are such tech dweebs that they can't actually see beyond tech issues.

  21. Pen-y-gors Silver badge

    Friends in GCHQ?

    "I was told by friends at GCHQ that I was better off sticking to Gmail

    That would be his friends Louise in reception, George who raises and lowers the barrier in the car park and Mrs T in catering? Yes?

  22. Camilla Smythe

    ISTR During passage of the #IPAct...

    MP were warned by their constituents that privacy of communications with members would be subject to interception. Naturally the MPs voted themselves through an exemption. At the time the service was via another third party provider. For the moment I can't remember who, it may have been symantec, however I was aware and made MPs I was in contact with aware that that service provider scanned e-mails and visited links within e-mails to documents hosted on my own web server. I could link to such a document within an e-mail and within seconds or minutes of sending the e-mail a copy of the document was requested by the third party provider both from EU and US located servers. None of it is secure.

  23. theOtherJT

    But Email isn't secure...

    No email service is secure. It's not a secure transit mechanism. You want "secure" in your email you encrypt whatever you're sending before you send it.

  24. steviebuk Silver badge

    Clearly not

    A Parliamentary spokesperson said in a statement: "We have robust cybersecurity measures in place and work closely with partners in the National Cyber Security Centre. In line with guidance from the NCSC we would always encourage MPs to use parliamentary email, which offers significantly higher levels of security than external providers."

    If someone was spoofing the MPs address, why don't they have anti-spoof on for all MPs so the spam filter should pick that up straight away.

    Don't get me started on gmails issues. Unable to control its spam filter, it decides so someone within a company can abuse it by flagging all legit emails as spam until gmail AI agrees with no control over this in the gsuite console. Its shitty UI and search. It lack of auditing for the desktop sync meaning anyone in the company can sync emails to their person PC with desktop app and their be no audit.

    1. Grease Monkey Silver badge

      Re: Clearly not

      Yes anti spoofing is easy to set up. You create an SPF record for your domain that lists the valid senders. However this only works if the receiving servers are set up to check SPF records for the senders domains and reject incoming email accordingly.

      This is one reason you need to ensure all your end users only use your organisation's own email system and not some third party solution. For example when I worked in the public sector the rule was that nobody was allowed to use third party email solutions to carry out the organization's business. We would periodically come across folks using gmail to carry out business, usually because it was "more convenient". Convenience was not the issue - the rules clearly stated you could only use officially issued devices for official business. And guess what? All those devices were set up to stop you using third party email solutions on them. So by "more convenient" what most people meant was that they wanted to use their own phone/laptop/PC for email rather than their officially issues phone/laptop.

      This was easy enough to achieve - employees were contractually obliged to follow the rules and would be subject to disciplinary action up to and including dismissal should they fail to comply. Elected representatives however had a code of practice to follow. Few sanctions were available should they fail to comply.

      No doubt the situation with MPs is exactly the same.

      1. Anonymous Coward
        Anonymous Coward

        Re: Clearly not

        You forget when a place may have poncy, hispter directors involved with no clue. Who state that "going google" is the way forward. And that "as long as staff sign a form to say their personal device they are using to access google has a password and anti virus then they can use it". Half the staff don't understand and just sign yes anyway. Devices that are likely full of shit. And again the ability to install google desktop to sync all google drive files to your personal PC, which, last time I checked, google still said they didn't audit. Which essentially meant you could steal a loud of company documents and start up your own business in the very same area you used to work. They were warned this could happen and then a head of service did just that, but they had no evidence to prove it and in their continued bentness carried on doing business with him even though it was fucking obvious. Considering one large site that he'd help get "sold" to a 3rd party, his business was then "working" with that 3rd party after.

  25. razorfishsl

    Both are exploitable.......

    I wrote to google in 2011 about an exploit I found in gmail....

    month later they replied back that , whilst it worked... Gmail was performing within spec....

    As far as i know...it's still there....

  26. Steve B

    The good old oxymoron - Government Intelligence.

    For the past few years I have not witnessed anything to confirm that intelligent life exists in Parliament or Whitehall, but lots to the contrary

  27. kirk_augustin@yahoo.com

    Microsoft 365 Very Insecure

    As a cloud service, Microsoft 365 likely is less secure than Gmail. But it is foolish to want or expect email to be secure. It really can't be. If you want security, you need encryption, and then you need something like Cisco VPN.

  28. russmichaels

    duh!!!

    kinda obvious really. everyone knows that Office365 security is rubbish, thus why you need to use 3rd party solutions to make your email secure, protect from phshing, malware and take backups.

    You don't need to do that with gmail/gsuite as it has that built in. Even the companies that provide the 3rd party security/backup solutions admit this.

  29. 6491wm

    Which is more secure.

    Email or Snail mail?

    Discuss

  30. pintofbitter
    Facepalm

    These clowns run our country ??

    1. Yet Another Anonymous coward Silver badge

      Demonstrably these clowns couldn't run a whelk stall.

      They are obviously there to distract from who really runs the country - and his cat

  31. Confuciousmobil

    Gmail

    It must be tue, he got an email from yourfriendatgchq@gmail.com telling him that.

    If they use gmail then it’s good enough for him.

    Lots of Nigerian princes use it to give me their money, they wouldn’t use it if it wasn’t safe.

  32. Richard Cranium

    email is fundamentally flawed

    The problem is that when Ray Tomlinson sat down half a century ago to create the basis of the email system we see today, it was an unofficial side-project to facilitate communication between a somewhat limited group of largely techies.

    Anyone intending to design a global email system today supporting 4 billion accounts would make some very different decisions.

    The problem we have now is that there are so many mail servers that it's far too late to change. The NCSC estimated 7,000 microsoft servers in the UK alone had been affected by the Hafnium email hack, despite the widespread publicity, several days later only half had implemented the patches). The slow adoption of approaches like SPF & DKIM are examples of the difficulty of implementing change however worthwhile that change may be.

  33. flayman

    Do I need to point out the obvious?

    The spoofing of an inbound email has nothing to do with the security of the receiving email system. Tugendhat is a muppet for suggesting otherwise.

    1. Yet Another Anonymous coward Silver badge

      Re: Do I need to point out the obvious?

      Although you would hope that a decently secure system for something like a government MIGHT have a setting to flag "This message claims to come from @parliament.gov.uk but the original sender was kremlin-spam-farm.ru"

  34. peterw52

    Was he serious

    Isn't it likely his friend was being slightly sarcastic? He assumed gmail was bad and was just saying 365 was worse!

  35. Jake Maverick

    Well, he is absolutely right and I believe every word he has said there!

    But the state now forcing supposedly elected representatives to GIVE confidential information to the Amerikans? Make it routine? Nobody else see the question of sovereignty issue here?

  36. This post has been deleted by its author

  37. Anonymous Coward
    Anonymous Coward

    Improve e-mail security is possible but difficult

    E-mails can be made much more secure with:

    - SPF;

    - DKIM;

    - DMARK;

    - DNSSEC;

    - mandatory > TLS 1.2 connection with the other mail server, and verify the certificates;

    - Don't put anything in the subject;

    - Use S/MIME or OpenPGP to protect message and other content attached;

    - BIMI;

    - CAA;

    - TLSA;

    - Reject mail that fails SPF/ DKIM/ DMARC;

    - Reject mail that is not properly sign and encrypted (S/MIME or OpenPGP), with the public keys on the server to check is really from some known sender (do not mistake these with that being confident of who is the other... backdoors/ spyware have been around for too long... to trust anything).. and not just some random attacker sending mass mail to everyone;

    - Use your own dedicated SMTP/ POP3 server WITHOUT web browsing, and without anything else but the strictly necessary say for example: "qmail" (design by D. J. Bernstein), for the server, and for example Mozilla Thunderbird, or some other client software.

    But in the end of the day, all of these is just too damn difficult to be made properly!

    I would like something more like Threema App, but with the improvements in the security that are present in Signal App that prevents the leak of the main private key from compromising everything ever capture before... and somehow free like the e-mail is (to some extend) so that everyone use it (like e-mail), and by that way people can use it as the main way to be contacted. If possible in a way that is not centralized so people can be sure the thing won't go way the next day because someone give some millions to buy and close the thing... or some government decide to forbid.

  38. eaadams

    AOL email account?!?!?!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021