Posted on Oct 14, 2014
SGT Curtis Earl
I posted this on the Army G6 blog and several other sites. My unit has migrated to EE recently; there are several major issues that are going to directly contribute to security.

*Issue 1: NG/AR don't have consistent access to their respective networks*
In the past, we used AKO, which could be accessed by username/password and via IMAP on mobile devices. Soldiers got automatic notifications and could respond to correspondence in a timely manner. That's changed. Users without Army laptops often have to wait till Battle Assembly to check their email. Some people are computer savvy and can fumble their way through the install process. But the current install process for CACs is complicated and tedious for average users. In my unit, I don't think 100% of my users have CAC access. That means they miss things like SSD deadlines and important emails from command. That means we end up using third-party, insecure methods to communicate.

*Issue 2: Overly aggressive link and attachment removal*
AKO attached "blocked" URLs in messages, but if you really wanted to use it you could unblock and follow the link. The new blocking method often strips URLs entirely. This causes issues as not all training sites are .mil sites.

The system kills any attachment with anything on it resembling PII. This includes Orders saved as PDFs. For those that don't know, NG/AR get orders when they are activated to attend NCOES, attend a PHA or even a birth month audit. Soldiers are not supposed to travel without a copy of official orders. Neither DTS authorizations nor vouchers can be completed without orders. Without signed orders, we can't even be paid for our work. Some civilian employers require us to submit our official orders to use our military leave days. Some soldiers are actually calling out sick or using vacation days to complete their Army duties and attend NCOES. A workaround is for the UA to complete the DTS authorization and upload the orders there. Then soldiers can download a copy from there... that's *if* they can even CAC into DTS. UAs can also sign a voucher with a signed 1351... assuming the EE lets the form through.

This problem is significant.

Herein lies the security issue: Due to the complications caused by issues 1 and 2, soldiers are increasingly using personal freemail in place of EE. There is no way around it. We have to get our work done. As reservists, we're already building training schedules, unpaid, in our free time. Shop work gets squeezed in before going to bed. The added complication of not having email access literally pushes people over the edge. 'The Soldier Comes First' and no matter how convoluted the system may be, we can't leave a soldier unpaid simply because he can't access his EE.

Good security is a balance of security and usability. I am a SYSADMIN as a civilian and I ride this balance every day. If the security system is a hindrance, users will find ways around it. In this regard, 'mail.mil' has been an utter failure.

How I would fix the DoD Email issue:

1. Create an APP. A DOD/EE/DISA or 'whatever' app. It can sit in the App stores respectively, but require 2 factors to activate and connect to an EE account and calendars. If that's not secure enough, it can be sideloaded from the innards of the OWA.

2. Connect the app via PIN and QR code. Users would have to log into their OWA with their CAC/PIV and PIN. In the OPTIONS section of the OWA, generate a unique QR code. Use the app to verify the QR code. BOOM, there ya go: 2 factor authentication. Make the QR code good for 30 days or 90 days and force users to rescan. If the Army felt the need to make it even more needlessly difficult, force the users to reconnect their BYODs from an ARNET connected laptop.

3. Disable screenshotting and copy/paste abilities. I've seen apps like LastPass do that. Even Snapchat will notify the other user if an image was screenshot. Give the app the ability to copy/paste, but only WITHIN the app itself.

4. Autoconfig. Use the QR code to set up, connect and configure our imaginary DoD/EE/DISA app. You don't even need to enable IMAP; Exchange will work fine. We already do this with laptops and BlackBerrys. I see no reason why this can't be extended to other users.

Sorry so verbose.
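A worked model of the enrollment flow sketched in items 2 and 4 above (CAC+PIN login to OWA, a one-time QR code, a device-bound credential that expires after 30 or 90 days and forces a rescan), added here as an illustration; it is not code from the post or from any DoD/DISA system. The 5-minute QR lifetime, the HMAC-signed credential format and the account name are assumptions.

```python
import base64, hashlib, hmac, json, secrets
from datetime import datetime, timedelta, timezone

SERVER_KEY = secrets.token_bytes(32)   # signing key; constructed here, would live in an HSM/key vault
QR_TTL = timedelta(minutes=5)          # assumed lifetime of an unscanned QR code
_pending = {}                          # one-time enrollment codes: code -> (account, expiry)

def issue_enrollment_code(account, now):
    """Server side, only after a CAC/PIV + PIN login to OWA; returns the value the QR encodes."""
    code = secrets.token_urlsafe(32)
    _pending[code] = (account, now + QR_TTL)
    return code

def redeem_enrollment_code(code, device_id, now, lifetime_days=30):
    """App -> server: the code is single-use (pop) and must be fresh; the credential returned
    is bound to this device and expires after lifetime_days (30 or 90 in the post)."""
    entry = _pending.pop(code, None)
    if entry is None or now > entry[1]:
        return None
    exp = (now + timedelta(days=lifetime_days)).isoformat()
    body = json.dumps({"account": entry[0], "device": device_id, "exp": exp}, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def verify_device_credential(cred, device_id, now):
    """Account if authentic, for this device and unexpired; else None (expired -> rescan in OWA)."""
    try:
        body_b64, mac_b64 = cred.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, base64.urlsafe_b64decode(mac_b64)):
            return None
        payload = json.loads(body)
        if payload["device"] != device_id or now > datetime.fromisoformat(payload["exp"]):
            return None
        return payload["account"]
    except (ValueError, KeyError, AttributeError):
        return None

def enrollment_flow_demo():
    t0 = datetime(2014, 10, 14, tzinfo=timezone.utc)          # fixed clock; account below is constructed
    code = issue_enrollment_code("user@example.mil", t0)
    cred = redeem_enrollment_code(code, "phone-A", t0 + timedelta(minutes=1))
    return {
        "reuse_rejected": redeem_enrollment_code(code, "phone-B", t0) is None,
        "valid_day_10": verify_device_credential(cred, "phone-A", t0 + timedelta(days=10)),
        "wrong_device": verify_device_credential(cred, "phone-B", t0 + timedelta(days=10)),
        "expired_day_31": verify_device_credential(cred, "phone-A", t0 + timedelta(days=31)),
    }
```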
Responses: 4
SSgt Carpenter
I don't understand half of that, SGT Curtis Earl, but I definitely agree! I have been able to get it to work on my computer, but it takes a lot of work. And very frequently the next time I go to log in, it won't; so I have to go to militarycac.com and follow the steps to get logged in, just to have to do it again in a week.

Today I downloaded Firefox and an alternate program instead of using ActivClient. Took me about an hour, but I did check my enterprise mail today.
CW3 Technical Supply Oic
Excellent points of discussion you have here, SGT. Sadly enough, controversial topics seem to get more attention around here than productive ones. I also believe there are way too many ways to fix the issue to not have it fixed by now. I did sit in a CIO G-6 conference where they were discussing solutions for this issue. I can't wait to see what will be implemented to resolve the issue.
SGT Curtis Earl
Yes sir. About two weeks ago I lost access to OWA and DTS on all my civilian laptops. Luckily, I have one of my unit's Army laptops (we only have 8). I made no adjustments to my software and didn't bother troubleshooting anything. This morning I pulled up my civilian laptop and logged right into OWA and signed a DTS authorization. I have no idea why it failed 2 weeks ago and even less idea why it suddenly began working again.

We have our Annual Training at Fort Benning this summer. Unless something has changed, we won't have computer access as we can't jack our Reserve computers into AC networks. They will essentially be CAC-enabled paperweights. We'll be doing our online classes, NCOERs and such at the post education center. I'll be bringing a personal laser printer and hotspot so that we can do work during the duty day without leasing out the labs at the library.
SSG Platoon Sergeant
I really really like this post. Two thumbs up and couldn't agree more.