"It will probably cost more in the long run."
"The NSA will just crack it and spy anyway."
So many people with the attitude that countries that find out their tech partners are actually performing espionage on behalf of the US government (and US security partners) should just tolerate it rather than do something about it.
Migrating the government to Linux and using a free mail infrastructure would be cheaper (saving money in the long term, instead of costing), easier, and way more effective than using a non-standard internal email protocol and keep using Windows everywhere. Why bother when Microsoft still has access to all your data?
About using that proprietary protocol AND migrating to a free software environment, that could be better than just migrating, or worse, depends of the actual quality* of the protocol. But while the government frames it as a XOR option, migrating to an open stack is the only sane option.
* The fact that the protocol isn't public isn't good, the fact that it's Serpro creating it makes this worse - they've already done quite a few bad decisions about security.
To the best of my knowledge, no one has alleged that the NSA had Microsoft's help in intercepting Petrobras-related email. This is more about the possibility of such a threat than anything else.
Why take the chance? From the leaks, the companies have "cooperated enough", especially when we're talking about "foreigners". We don't need proof for absolutely everything and for every single case, to stop trusting American companies, until there's a dramatic change in laws, and surveillance policy in US.
This is going to be the main issue behind that argument. The burden of proof has shifted.
The tech industries reaction to the Snowden seems to the outside very lukewarm. Sure, they are giving all sorts of "trust us" statements, but truth is we don't have the slightest clue if this is their honest opinion or just an opinion that a secret court forces them to uphold. Reality might be much more nuanced, but to the outside there is very little reason to give anyone any longer the benefit of the doubt.
There is nothing that singles Microsoft out here as every other operator of email and other software complied as well. This is something the US government should come clean on and something that the tech companies should push the government to do.
BTW: Petrobras uses, argh!, Lotus Notes. There were a lot allegations that Microsoft and IBM cooperated with the NSA and inserted backdoors in their products.
Sure; I guess I should have said "credible allegations" meaning that a former NSA employee with specific claims is very credible, speculation based on a single exported symbol name in an older version of Windows is quite a bit less so.
I was a bit amused to read that "The Expresso platform will also be used as the base of the Hotmail-like system that the government is also planning to offer to citizens." Are Brazil's citizens that trusting of its government? I certainly can't imagine Americans trusting their email to the government even before Snowden-gate.
Well, what better excuse to push a product ready for local government control but to sell it as the antidote to the specter of American/foreign spying. Brazil, as some other LAm countries, love using the American scapegoat to distract from many local issues (the economy is bad, it's the IMF and the Americans' faults, etc.)
I mean to say this appears to be primarily a political reaction with nice governmental side-benefits.
It sounds a lot like a Brazilian version of the secure intranet (GSI) that the UK has rolled out for lower level stuff.
And from a security perspective (sorry linux fanbois and microsft haters) the choice of MTA/MUA isn't as important as the rest of the security.
Would be interesting if due to this that OSI and X.400 makes a comeback for more secure email - though presumably with all the security enhancement proposed for the later standards - hmm I wonder if you could use quantum networking with x.400/500
If they opted for an entirely open source system (possibly open-sourcing the one in question) that several governments with the same concern could collaborate on, then they would probably be much safer. Going with a bespoke system that will be deployed widely is a recipe for problems. It's likely to have limited documentation and lots of setup edge-cases that are easy to compromise.
For any interesting open source project, why would you think that the NSA wouldn't be deeply involved?
If I were a spy agency and an open source project was being spun up that several countries would use, I'd get at least a dozen devs on it. And if I'm thinking that, then you know they all must be...
I don't think they are swapping the stack for a tech upgrade, they are swapping it because at the moment they are in the position of directing state funds towards an organisation that is seen to be under the control of a government that is acting aggressively towards them, which is not a tenable position politically for the people signing off on the budgets, especially since it is all so very public.
If a country is big enough to have an air force then it is big enough to do something on its own about securing government communications.
How hard is it to write an email client?
With some calendar?
Is it complete rocket surgery or something in the realms of feasibly possible?
Wasn't gmail some 20%-er time by a couple of guys at Google? I don't think it took years or billions to get up and running.
I think you could have a tidy and secure webmail built by half a dozen people randomly chosen from Hacker News in six months. Sure it might not be as all singing and dancing as the oh-so-wonderful Microsoft Outlook but then again it might actually be better for the task in hand - facilitating communication for a government. Sometimes people have got to try rather than be all helpless. I am all for software re-use, open source and everything else deemed good software engineering, but, for a government wanting to keep their communications private some consideration has to be given to 'how hard can it be to write an email client?'
> Is it complete rocket surgery or something in the realms of feasibly possible?
Oh dearie. Thus began every single failed multi-million-dollar software project in the history of software.
> Wasn't gmail some 20%-er time by a couple of guys at Google? I don't think it took years or billions to get up and running.
A: The feature-set of GMail as is released in 2004 is unlikely to impress someone used to Outlook/Exchange
B: What a correctly motivated Google-quality engineer can cook up in a few years (which is apparently how long GMail was in development before release) has little to no correlation to what a government can procure from a systems integrator. Also, I don't recall the calendar being worth much back them. Maybe, maybe, maybe if they hired Google-grade engineers, paid them Google salaries and gave them Google-freedom to work on this, they might be able to pull it off. But that's a lot harder than it sounds.
EDIT:
> do something on its own about securing government communications
It's not hard to secure an email installation - its interface to the internet at large is super small and well understood (SMTP). Most likely NSA grabs the mail they want from outside the installation by sniffing unencrypted network traffic.
A worthwhile effort, and one quite suitable for a government even, is to get people to encrypt their emails.
Oh c'mon. The Gmail of 2013 is not that different from the Gmail of 2004 (unless you count Priority Inbox as an advancement).
There's really nothing complex or fancy in developing a bare bones secure email system. And keep in mind these poor souls are using Lotus Notes (!), so it can't get much worse than that.
Also, it's not that it has to be built entirely from scratch. They will likely re-use existing ideas from other systems, and even (licenses permitting) other open source solutions as a starting point.
All in all, I wish we had more governments stepping up against this whole US spying mess. The real long term solution is not to have each government developing their own proprietary email systems, but for the US to be more transparent and stop the illegal spying.
Sadly, this will have to get worse before it gets better. We'll probably watch a few years of increasing distrust and strained relationships, before governments start to come to terms with the US again.
You'd think so. But we're still in an age of software wizardry. It's easy to write great software if you exist within an organization where software dev. is already a core competency. But if that's not the case and you need to procure high quality software without already having the expertise in house then things get hairy really fast. Not that it's the best example, but look at healthcare.gov, it's a buggy mess at a cost of tens of millions of dollars.
I suspect that Brazil's home grown mail system is also going to be a buggy, low-quality mess at a cost of tens of millions of dollars.
Quite hard to reinvent an entire infrastructure (which I doubt is what they are doing)
If they are writing a brand new clean room new mail standard (plus all the ancillary bits directory non repudiation key handling the whole nine yards) - it will be amusing to watch the CF that results.
Well, one problem is when the client is a government. Healthcare.gov can not exactly be described as rocket science either (even less so I'd imagine), but ended up costing a nice little sum of money, while also not even working.
> If a country is big enough to have an air force then it is big enough to do something on its own about securing government communications.
If that was really the case then the U.S. government (which has effectively 2 separate air forces which are each 10x bigger than any other nation's) should be kicking ass at delivering IT projects of all sorts.
At least, that's an excuse to ditch proprietary solutions. I could back that up. But the source will probably be closed (as the voting machines, for instance), so I don't see any gains there, other than jurisdiction.
It probably won't do much for security though. If anything, vulnerabilities will be more likely. The only thing they've got for it is securing the physical comms. But even if the US (or any other superpower) doesn't compromise them, there are other ways of extracting the data.
And this being SERPRO, they'll likely use cutting edge technologies such as MD5 and DES.
As we've already seen, US companies have very little leverage against the US government in such "national security" matters. (Same for Chinese companies, etc.)
It would be nice if the Brazilian government adopted and helped to improve an existing open source solution (may I recommend Kolab?) instead of falling prey to NIH.
As others have mentioned, PIM is very difficult and if it's done wrong, you end up with metadata leaking across the Internet, security flaws, etc.
If the real issue is with the inability to see the source then open source is better than "Brazilian government"-proprietary, as the NSA could simply hack the source code repository, CIA could plant an insider, the list goes on. You could have someone whose job is to audit the integrity of the archive, but who watches the watchers? With open source the problem is simpler: everyone can watch the source code archive.
I would like to see how this turns out considering how miserably the US's Healthcare.gov site has been going. It sounds like the Brazilian govt. is using an internal group (the Federal Data Processing Service [SERPRO]) to do this, while the US sourced the work to a domestic company (CGI Federal.) I've got a gut feeling that Brazil's email system will fare better than our Healthcare.gov site.
I don't know about your healthcare.gov, but it is very difficult to predict the success or failure of a government project around here (i am brazilian).
At one side we have incredibly well done and well managed examples, as our elections voting system. I get embarassed for US everytime I see the news about your elections, with cards and weird stuff.
On the other hand, we have lots of examples of how the government can mess things up, most notably these days are the stadiums and overall infrastructure for World Cup. It is even worse than any pessimist would have predicted.
So... all we can do is wait. The initiative, I think is good, but the outcome.. who knows?
I use the expresso daily, it's not a good platform, lot of limitations! But at least, is a response for the spying. Better than doing nothing!
Hope this investment change expresso in a better way!
Some day, just for fun, I have broken some gov site using expresso. I got full remote code execution (for test, I just uploaded a php file with a phpinfo()). And I'm not a security expert. I think my govern has a lot of work to do to make their email more secure...
A question from someone that'll probably have to start using it soon: Can you back-up your emails in a way where the central IT of your place can't delete them?
LOL.... BIG LOL! Only who lives here in Brazil should know that software engineering skills is not the requirement to be accepted in SERPRO team. And, considering the corrupt chain of outsourcing related to most of IT projects here, maybe would be safer for us to stay being spied by NSA and other agencies.
This is great. If service providers lose business because of cooperation with the NSA, then it's just a matter of time until those service providers have a compelling reason (Capitalism) that Congress, etc. can get behind.
I find it great that my country (Brazil) is not so mindless about technology. I hope that this anti NSA moves sparks an actual development in the industry here.
They are making the claim that they are doing it for security reasons, why wouldn't they want the code audited? A gov't employee could write a backdoor just like a private sector employee.
Because the obvious candidate is Serpro, but they are already developing it. Anyway, it's open source, so if any part of the government (military maybe, ABIN, or some university) thinks that it deserves an audit, it can simply do it, no need for formalization.
"It will probably cost more in the long run." "The NSA will just crack it and spy anyway."
So many people with the attitude that countries that find out their tech partners are actually performing espionage on behalf of the US government (and US security partners) should just tolerate it rather than do something about it.