SGT Curtis Earl

I posted this on the Army G6 blog and several other sites. My unit has migrated to EE recently, and there are several major issues that are going to directly contribute to security.

*Issue 1: NG/AR don't have consistent access to their respective networks*

In the past, we used AKO, which could be accessed by username/password and via IMAP on mobile devices. Soldiers got automatic notifications and could respond to correspondence in a timely manner. That's changed. Users without Army laptops often have to wait till Battle Assembly to check their email. Some people are computer savvy and can fumble their way through the install process. But the current install process for CACs is complicated and tedious for average users. In my unit, I don't think 100% of my users have CAC access. That means they miss things like SSD deadlines and important emails from command. That means we end up using third-party, insecure methods to communicate.

*Issue 2: Overly aggressive link and attachment removal*

AKO attached "blocked" URLs in messages, but if you really wanted to use it you could unblock and follow the link. The new blocking method often strips URLs entirely. This causes issues as not all training sites are .mil sites.

The system kills any attachment with anything on it resembling PII. This includes orders saved as PDFs. For those that don't know, NG/AR get orders when they are activated to attend NCOES, attend a PHA or even a birth month audit. Soldiers are not supposed to travel without a copy of official orders. Neither DTS authorizations nor vouchers can be completed without orders. Without signed orders, we can't even be paid for our work. Some civilian employers require us to submit our official orders to use our military leave days. Some soldiers are actually calling out sick or using vacation days to complete their Army duties and attend NCOES.

A workaround is for the UA to complete the DTS authorization and upload the orders there. Then soldiers can download a copy from there... that's *if* they can even CAC into DTS. UAs can also sign a voucher with a signed 1351... assuming the EE lets the form through.

This problem is significant.

Herein lies the security issue: due to the complications caused by issues 1 and 2, soldiers are increasingly using personal freemail in place of EE. There is no way around it. We have to get our work done. As reservists, we're already building training schedules, unpaid, in our free time. Shop work gets squeezed in before going to bed. The added complication of not having email access literally pushes people over the edge. 'The Soldier Comes First' and no matter how convoluted the system may be, we can't leave a soldier unpaid simply because he can't access his EE.

Good security is a balance of security and usability. I am a SYSADMIN as a civilian and I ride this balance every day. If the security system is a hindrance, users will find ways around it. In this regard, 'mail.mil' has been an utter failure.

How I would fix the DoD email issue:

1. Create an APP. A DoD/EE/DISA or 'whatever' app. It can sit in the respective app stores, but require two factors to activate and connect to an EE account and calendars. If that's not secure enough, it can be sideloaded from the innards of the OWA.

2. Connect the app via PIN and QR code. Users would have to log into their OWA with their CAC/PIV and PIN. In the OPTIONS section of the OWA, generate a unique QR code. Use the app to verify the QR code. BOOM, there ya go: 2-factor authentication. Make the QR code good for 30 days or 90 days and force users to rescan. If the Army felt the need to make it even more needlessly difficult, force the users to reconnect their BYODs from an ARNET-connected laptop.

3. Disable screenshotting and copy/paste abilities. I've seen apps like LastPass do that. Even Snapchat will notify the other user if an image was screenshot. Give the app the ability to copy/paste, but only WITHIN the app itself.

4. Autoconfig. Use the QR code to set up, connect and configure our imaginary DoD/EE/DISA app. You don't even need to enable IMAP; Exchange will work fine. We already do this with laptops and BlackBerrys; I see no reason why this can't be extended to other users.

Sorry so verbose. DoD Webmail has been a failure. Here's how I would fix it.

Posted 2014-10-14T12:41:07-04:00
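The enrollment flow sketched in steps 2 and 4 of the post above, as an added Python example that is not from the post or from any DoD/DISA system: a CAC-authenticated OWA session mints a signed, time-limited QR token; the app redeems it once, the server binds it to that one device, and once the validity window passes the binding lapses so the user must log back into OWA and rescan. The function names, the in-memory tables and the 30-day window are assumptions chosen for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values: a server-side signing key and in-memory tables standing
# in for the OWA back end's database (assumptions, not a real DISA design).
SERVER_KEY = secrets.token_bytes(32)
ENROLLMENTS = {}        # token id -> {"uid", "exp", "device"}
DEVICES = {}            # device id -> token id
QR_VALIDITY_DAYS = 30   # the post suggests 30 or 90 days before a forced rescan

def issue_qr(user_id, cac_verified, now=None):
    """Mint the QR payload from an OWA session. Only a CAC/PIV + PIN authenticated
    session may call this, so the CAC stays the first factor for enrollment."""
    if not cac_verified:
        raise PermissionError("QR enrollment requires a CAC-authenticated session")
    now = time.time() if now is None else now
    tid, exp = secrets.token_hex(8), int(now + QR_VALIDITY_DAYS * 86400)
    body = json.dumps({"exp": exp, "tid": tid, "uid": user_id}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    ENROLLMENTS[tid] = {"uid": user_id, "exp": exp, "device": None}
    return base64.urlsafe_b64encode(body + b"." + tag).decode()   # QR contents

def redeem_qr(qr_text, device_id, now=None):
    """App side: the scanned QR is sent to the server, which checks signature,
    expiry and single use, then binds the token to this one device."""
    now = time.time() if now is None else now
    body, _, tag = base64.urlsafe_b64decode(qr_text).rpartition(b".")
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return "bad-signature"          # forged or tampered QR
    claims = json.loads(body)
    record = ENROLLMENTS.get(claims["tid"])
    if record is None:
        return "unknown-token"
    if now > claims["exp"]:
        return "expired"                # user must log into OWA and rescan
    if record["device"] is not None:
        return "already-used"           # a copied QR cannot enroll a second phone
    record["device"] = device_id
    DEVICES[device_id] = claims["tid"]
    return "enrolled"

def device_enrolled(device_id, now=None):
    """Checked before autoconfig/sync (step 4); past the validity window the
    binding lapses and the user must rescan a fresh QR."""
    now = time.time() if now is None else now
    tid = DEVICES.get(device_id)
    return tid is not None and now <= ENROLLMENTS[tid]["exp"]
```

A production build would keep the tables in a database, rotate SERVER_KEY, and log each redeem result so that repeated "already-used" or "bad-signature" outcomes for one token are visible to the help desk.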
I don't understand half that, SGT Curtis Earl, but I definitely agree! I have been able to get it to work on my computer, but it takes a lot of work. And very frequently the next time I go to log in, it won't; so I have to go to militarycac.com and follow the steps to get logged in, just to have to do it again in a week.

Today I downloaded Firefox, and an alternate program instead of using ActivClient. Took me about an hour, but I did check my enterprise mail today.

Response by SSgt Private RallyPoint Member made Dec 31 at 2014 11:21 PM

I really, really like this post. Two thumbs up and couldn't agree more.

Response by SSG Private RallyPoint Member made Jan 12 at 2015 6:26 AM

Again. Just spent an hour trying to check my enterprise email. I can log into AKO, but I can't log into Enterprise or iPERMS. I'm quitting trying before I smash something.

Response by SSgt Private RallyPoint Member made Jan 25 at 2015 6:40 PM

Excellent points of discussion you have here, SGT. Sadly enough, controversial topics seem to get more attention around here than productive ones. I also believe there are way too many ways to fix the issue to not have it fixed by now. I did sit in a CIO G-6 conference where they were discussing solutions for this issue. I can't wait to see what will be implemented to resolve the issue.

Response by CW3 Private RallyPoint Member made May 12 at 2015 10:23 PM