Agility Loop

Saw this article over at NextGov this morning stating that the Army wants to outsource the creation of one email service for the Army.  BUT, once you read this article it becomes clear that they actually mean one Exchange based email system for the entire Army.

The Army has wanted to do this for years, and in some ways had it with an antiquated email system in AKO.  I just wonder if other vendors out there will argue that there systems should be up to the task?  Seems like the Army has already made the decision on vendor without a fair competition…or at least that is an easy argument for  a vendor.

What’s also interesting is that the Army is “inviting companies to partner with the Defense Information Systems Agency” to house the email system.  Not sure how that contractual relationship would even work?  DISA’s DECCs are not typically vendor facing, and unless something is changed, I am not sure they are designed to work directly with industry.  When working on other enterprise level acquisitions, this same kind of thing was encouraged, and the only offers that were really considered were those that housed the system at DISA “inside the firewall”.

I do love it when wading through the Twitter chaff actually does yield something productive.  Thankfully, my saved search in TweetDeck led me to the Security Musings blog run by Gemini Security Solutions.

Besides feeling a bit of kinship to a blog that seems to really get PKI and security, they had an interesting post a couple of days ago about S/MIME support in Gmail.   It is a Firefox plug-in called Gmail S/MIME.  From reading the blog entry and the plug-in home page, it sounds like it essentually wraps your message in an attachment (which is basically what an S/MIME message is anyhow) and uploads to Gmail.

I gave it a test run by sending a message from Gmail to Outlook 2007 (only after an hour and a half of trying to fix Outlook…thx Gist plugin).  I get an underlying security message error in Outlook…odd.  That is usually related to trust or odd formatting of a message.  If I had some more time, I’d dig into the attachment.  Still a cool idea, and it has lots of promise.  One of the challenges of webmail (and mail on mobile devices) is signing and encrypting email.

But it is 4/16 after all…time to watch the boys finish OGBC!

Today in GCN, there is an article entitled Industry group gives government a failing grade in e-mail authentication — Government Computer News.  The main thrust of the article is detailing how most Government domains do not support any type of email domain authentication such as Sender ID or DomainKeys.

E-mail authentication technology, usually transparent to the end user, lets servers verify that e-mail traffic is indeed coming from the domain or sender that it purports to be from, and that the sender is authorized to use that domain. The OTA study showed that only 11 of 25 government domains examined use such authentication. A similar study of top commercial sites showed that the private sector is doing a little better, with 55 percent using some form of e-mail authentication.

To be fair, the private sector isn’t doing so great either at 55%.

What I find particularly ironic is that much of the government is ahead on PKI and other security technologies.  It seems like this would be a pretty easy solution to combat spam and phishing attacks.  I know in the past we have discuss using simple SMTP over SSL.  This would at least buy security of SMTP mail transfer, and authentication of domains (although it would be difficult to use with external email domains).  However, technology like DomainKeys (which Yahoo uses) is a more versatile solution than SMTP over SSL.  Hell it’s even open source, so costs COULD be minimal.