Spy agency GCHQ told me Gmail's more secure than Microsoft 365, insists British MP as facepalming security bods tell him to zip it

Conflicting statement....??

wtf?

"we would always encourage MPs to use parliamentary email, which offers significantly higher levels of security than external providers."

article is about how Parliament moved to Office365 in 2013....are Microsoft that comfortably in bed with governments that they are no longer even considered an external provider....

This is no different than if a government used the commercial G suite offering

Oh dear....

When folks like this are running the country no wonder we are fecked.....

To even possibly think that a free, publicly available email system, run by a foreign company, who have scant regards for the laws of the land is more secure than one provided by their own internal highly skilled professionals with all kinds of traceability..... You couldn't make it up.

I wonder if his "friends" in GCHQ were only ever spoken to on the phone and had a chinese accent?

This really should be a serious disciplinary offence (assuming he used it for any official work)

An ex GCHQ bod once told me never to use GMail

Odd. An ex GCHQ spook told me that if you want everyone to know within 5 minutes put it on GMail. Mind you that was a few years back so maybe things have changed.

I always assume that as soon as you put anything on the Internet it's probably public anyway.

"Just because you're paranoid doesn't mean they aren't after you."

"The mother of parliaments adopted Office 365 in 2013"

England adopted Office 365?

protonmail.com

Tugendhat studied Theology at the University of Bristol

So he's already trained for a Microsoft vs Google debate.

People don't get elected to our Parliament because they have brains.

They get elected because they've found a way to persuade enough people to vote for them.

They don't, in general, care how they do that, but for sure it doesn't involve telling everybody the unvarnished truth. That's the path to sound defeat in the polls.

And it really doesn't matter, except, perhaps, to me and the dozen or so other principled people on the planet. But in the Grand Scheme of These Things, we don't count at all.

Tug end hat? Is that a euphemism?

Email

Is not a secure medium. I guess gmail might be less leaky in that most of the routing happens within google-net. I guess you balance that against the content being trawled for advertising opportunities. Anyway, email is not a secure form of communication. Like sending a post card, you never know who else has interfered with message before your intended recipient gets it. Anyway, the weathers loverly here...

O365 but not as you know it

I think there's a bit of O365 confusion. I cant speak for all of Gov UK but my organisation does use O365 but its a dedicated system that cannot be accessed outside of the network, i.e. you cant use apps or log in from the internet. It's provided for all the cloud working capabilities but only within an enclosed environment.

Spoofing alerts

The email that triggered all this was a lame spoofing attempt sent from a dodgy AOL account.

"I was told by friends at GCHQ that I was better off sticking to Gmail rather than using the parliamentary system because it was more secure,"

It seems to me that whoever gave this advice might have been referring to Gmail / Google Workspace's automatic spoofing warnings which are triggered when the sender's name is the same to one of the directory contacts but the email is not from the company's domain:

https://support.google.com/a/answer/9157861

These alerts are extremely intrusive and therefore are highly efficient with nontechnical users (in fact we were getting a lot of support calls about the alerts themselves), so in a sense would be more... secure.

Secure from who?

It's really a who has access question as I see it.

If you use work/parliament Email, yes they can see anything "if they want to"

If you use gmail, any gov that request your info (as well as their marketing teams/apps) have access.

So if you are trying to hide info from someone, use the other. But in reality if you don't want to be caught doing bad things - don't fricking do them!

Email insecurity

At a previous company I found out that <high up IT person at Head Office> was getting a jolly to the US to do a security course.

I waited until 2 weeks after she had got back and then sent an email from her account to the whole company explaining that she had been on the super secret security course and everything in the network was now super secure like it should be.

A few months later I had to make my team redundant at the behest of Head Office (we'd all been there just under 2 years!)

A went back to my desk in a foul mood afterwards to find all the teams equipment including mine was missing. I rang up Head Office to find out why my kit had gone , only to be told that I was also redundant, and I knew why as I'd just spent all morning telling each of the team members. I learnt 2 things that day:

a) they had at least learnt something about security and removed all the kit before we could use it (and deleted our accounts)

b) Head Office were right 5hits - The IT manager and boss wouldn't even speak to me, but had got me to do all the dirty work for them

C-suite are just 5hits!

It amuses me that so many of the commentards above are getting hot under the collar about the technical and moral arguments regarding Microsoft vs. Google without realising the true significance of this story.

The significance, if you are missing it, is not about whether one system is more secure than another. It's that the honourable (ahem!) member (apt) claims that some unidentified "friends" within GCHQ had told him that a free public email service was more secure that parliaments own in house email system. I would hope GCHQ are investigating who these "friends" are that would talk security to an MP without official clearance, checking their claims very carefully and taking the appropriate action. The latter being either improving the security of the existing email systems or taking disciplinary action against the relevant staff whichever is more appropriate.

Friends in GCHQ?

"I was told by friends at GCHQ that I was better off sticking to Gmail

That would be his friends Louise in reception, George who raises and lowers the barrier in the car park and Mrs T in catering? Yes?

ISTR During passage of the #IPAct...

MP were warned by their constituents that privacy of communications with members would be subject to interception. Naturally the MPs voted themselves through an exemption. At the time the service was via another third party provider. For the moment I can't remember who, it may have been symantec, however I was aware and made MPs I was in contact with aware that that service provider scanned e-mails and visited links within e-mails to documents hosted on my own web server. I could link to such a document within an e-mail and within seconds or minutes of sending the e-mail a copy of the document was requested by the third party provider both from EU and US located servers. None of it is secure.

But Email isn't secure...

No email service is secure. It's not a secure transit mechanism. You want "secure" in your email you encrypt whatever you're sending before you send it.

Clearly not

A Parliamentary spokesperson said in a statement: "We have robust cybersecurity measures in place and work closely with partners in the National Cyber Security Centre. In line with guidance from the NCSC we would always encourage MPs to use parliamentary email, which offers significantly higher levels of security than external providers."

If someone was spoofing the MPs address, why don't they have anti-spoof on for all MPs so the spam filter should pick that up straight away.

Don't get me started on gmails issues. Unable to control its spam filter, it decides so someone within a company can abuse it by flagging all legit emails as spam until gmail AI agrees with no control over this in the gsuite console. Its shitty UI and search. It lack of auditing for the desktop sync meaning anyone in the company can sync emails to their person PC with desktop app and their be no audit.

Both are exploitable.......

I wrote to google in 2011 about an exploit I found in gmail....

month later they replied back that , whilst it worked... Gmail was performing within spec....

As far as i know...it's still there....

The good old oxymoron - Government Intelligence.

For the past few years I have not witnessed anything to confirm that intelligent life exists in Parliament or Whitehall, but lots to the contrary

Microsoft 365 Very Insecure

As a cloud service, Microsoft 365 likely is less secure than Gmail. But it is foolish to want or expect email to be secure. It really can't be. If you want security, you need encryption, and then you need something like Cisco VPN.

duh!!!

kinda obvious really. everyone knows that Office365 security is rubbish, thus why you need to use 3rd party solutions to make your email secure, protect from phshing, malware and take backups.

You don't need to do that with gmail/gsuite as it has that built in. Even the companies that provide the 3rd party security/backup solutions admit this.

Which is more secure.

Email or Snail mail?

Discuss

Gmail

It must be tue, he got an email from yourfriendatgchq@gmail.com telling him that.

If they use gmail then it’s good enough for him.

Lots of Nigerian princes use it to give me their money, they wouldn’t use it if it wasn’t safe.

email is fundamentally flawed

The problem is that when Ray Tomlinson sat down half a century ago to create the basis of the email system we see today, it was an unofficial side-project to facilitate communication between a somewhat limited group of largely techies.

Anyone intending to design a global email system today supporting 4 billion accounts would make some very different decisions.

The problem we have now is that there are so many mail servers that it's far too late to change. The NCSC estimated 7,000 microsoft servers in the UK alone had been affected by the Hafnium email hack, despite the widespread publicity, several days later only half had implemented the patches). The slow adoption of approaches like SPF & DKIM are examples of the difficulty of implementing change however worthwhile that change may be.

Do I need to point out the obvious?

The spoofing of an inbound email has nothing to do with the security of the receiving email system. Tugendhat is a muppet for suggesting otherwise.

Was he serious

Isn't it likely his friend was being slightly sarcastic? He assumed gmail was bad and was just saying 365 was worse!

Well, he is absolutely right and I believe every word he has said there!

But the state now forcing supposedly elected representatives to GIVE confidential information to the Amerikans? Make it routine? Nobody else see the question of sovereignty issue here?

Improve e-mail security is possible but difficult

E-mails can be made much more secure with:

- SPF;

- DKIM;

- DMARK;

- DNSSEC;

- mandatory > TLS 1.2 connection with the other mail server, and verify the certificates;

- Don't put anything in the subject;

- Use S/MIME or OpenPGP to protect message and other content attached;

- BIMI;

- CAA;

- TLSA;

- Reject mail that fails SPF/ DKIM/ DMARC;

- Reject mail that is not properly sign and encrypted (S/MIME or OpenPGP), with the public keys on the server to check is really from some known sender (do not mistake these with that being confident of who is the other... backdoors/ spyware have been around for too long... to trust anything).. and not just some random attacker sending mass mail to everyone;

- Use your own dedicated SMTP/ POP3 server WITHOUT web browsing, and without anything else but the strictly necessary say for example: "qmail" (design by D. J. Bernstein), for the server, and for example Mozilla Thunderbird, or some other client software.

But in the end of the day, all of these is just too damn difficult to be made properly!

I would like something more like Threema App, but with the improvements in the security that are present in Signal App that prevents the leak of the main private key from compromising everything ever capture before... and somehow free like the e-mail is (to some extend) so that everyone use it (like e-mail), and by that way people can use it as the main way to be contacted. If possible in a way that is not centralized so people can be sure the thing won't go way the next day because someone give some millions to buy and close the thing... or some government decide to forbid.

AOL email account?!?!?!