Webmail isn't evil, IT departments are

Monday, August 04, 2008

The IT department at work has decided to block all webmail beginning August 18th. This is a big problem for me, because I’m a contractor and don’t really use the work email. It’s a pain, and I can’t get to it from home without jumping through hoops. My actual work email is my Gmail account. So this is going to cause me a ton of problems. And for what? I did a little Googling for the security risks associated with webmail.

“Any pop-up ad that appears in a webmail message could potentially contain a virus when it opens,” she said. “An attachment that comes in from a webmail message could possibly bypass all the safeguards all the way to the user’s computer.” In addition, just opening a Web browser window to these commercial webmail sites can leave a computer open to outside attack. (Source)

This is a bit of a strawman argument. First, you can get popups or viruses or whatever from all sorts of sites. It’s not restricted to webmail. But if you use good, up-to-date software, this shouldn’t be an issue. There are some really good free, open-source tools to protect your computer. If your users are getting viruses and hacked computers, it’s not the fault of Gmail or Hotmail. It’s your users, and it’s the tools you’ve chosen to give them.

I’m an … advocate of the “block access” point of view. Personal webmail, if accessible, provides another vector for your data to fly out of the window but one that you have poor control over and little ability to monitor and audit. Neither can you comply with data storage and archiving regulations if the service is being used to legitimately send and receive business data to and from external addresses. (Source)

Archiving is a legitimate concern. Although I can’t imagine why the author thinks it’s not possible to comply with regulations - there is nothing stopping you from hooking up your webmail account to Outlook or Thunderbird and downloading it all. Then you can archive to your heart’s content. Actually, I think Yahoo and Hotmail make you pay for POP3 access, but that’s because they hate their customers.

If anything, what’s [sic] it’s partly demonstrating is the problems in the usability associated with security products. By making them too cumbersome, it’s natural for people to seek routes around them — making the security procedures a risk in their own way. (Source)

This I totally agree with. I use a ton of Google’s web tools for legitimate work purposes because they are easy and useful. If you block them, I’m going to try to get around the blocks, like the way you can use https instead of http to get around some filters that block Gmail. But I more or less know what I’m doing. I’ve heard of some ridiculous unsafe hacks to get around work-imposed security. Some of the workarounds are much more dangerous than the thing being blocked. But you know what’s more dangerous to security than all of this put together? Stupid people. And, to a perhaps greater extent, smart but ignorant people. People who think they know better, but don’t, are a huge source of problems. Much better to know you’re incompetent and stop trying.

I remain entirely unconvinced that this will do any good. You can’t possibly block all possible routes for sensitive information to leak out of the office. By blocking webmail, you’re taking away one of the most convenient methods, but what you may end up doing is driving the leaks to more and better hidden channels. Maybe now one person is going to start Twittering all day, while another is going to use some other service. The information can still get out.

And what about someone who goes to do a little online banking and accidentally hits a phishing site that steals their banking info and deposits a virus on their computer, giving a hacker total control of their PC? Are you going to ban bank sites, too?

Why not just ban everything? Chain employees to the desk in rooms with white walls and no windows. Give them three breaks a day where they can use the bathroom and buy lunch from the company (Wouldn’t want them sharing company secrets at the local deli, would we?). Maybe we should just stop sharing secrets with employees altogether. Just keep it all with the executives, who can lock themselves in ivory towers, making angels in piles of FOUO and COMPANY PROPRIETARY documents. Maybe we shouldn’t even do any work. The dangers of compromised secrets are too great. We should all go back to a hunter-gatherer economy, where there were no documents in need of protection from the horrors of webmail. Better for the environment, too, as a majority of Americans would die of starvation within the year. Or we could save time and trouble by committing mass suicide in orderly rows. That would teach Google to make a great webmail service with an intuitive, helpful interface. Stupid jerks.

Posted in: complaint, stupid people, the internet, work