Hacker News new | ask | show | jobs
by anonymouz 4864 days ago
No, their reasoning is that the continuous phishing attacks caused unacceptable trouble with their email system (e.g., Hotmail dropping all emails coming from Oxford). Due to extensive international collaborations, keeping a universities email system running is probably one of the most important tasks of the IT team. Google Docs is nice and useful, but nowhere near as important. Given that they, practically speaking, had no alternative way of dealing with the phishing attacks effectively, they made the right choice in temporarily suspending Google Docs access.
6 comments
betterunix 4864 days ago
"no alternative way of dealing with the phishing attacks effectively"

How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users. Also, digitally sign all official mail, and instruct the users to check those signatures.

These are not insurmountable problems. The real issue is that the IT team is not willing to push for a real solution, and instead went for a bandaid on a broken leg.

link
pfortuny 4864 days ago
Your solutions do not take into account the main problem with the security department: budget. There is a huge budgetary crisis in ALL european universities at this moment, including Oxford and Cambridge.

I bet if they ask for the resources to implement all those solutions, they will be told: find something at zero cost, I repeat zero-cost. Roger that?

Not that I agree blocking google docs is reasonable, just pointing out the problems with your suggestions.

link
huhsamovar 4864 days ago
>Your solutions do not take into account the main problem with the security department: budget. There is a huge budgetary crisis in ALL european universities at this moment, including Oxford and Cambridge.

False.

link
Semaphor 4864 days ago
> How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users.

Costs. At my university (though of course slightly smaller than Oxford) that would never work.

> Also, digitally sign all official mail, and instruct the users to check those signatures.

Have you met users? That's as good as saying they shouldn't be idiots and never enter their credentials in a site linked in a mail. If that would work all anti virus vendors could close shop.

link
EwanToo 4864 days ago
I also wonder why so many phishing emails are getting through the university spam filters - a slightly better solution might of been to remove links in external emails that point to docs.google.com.

But anyway, I don't want to start slagging off a particular team that I've never met - maybe they wanted to do all sorts of other, smarter, things and weren't allowed, and maybe they'll be allowed to do them now..

link
jacques_chester 4864 days ago
> I also wonder why so many phishing emails are getting through the university spam filters

It's usually customised for each university.

link
EwanToo 4864 days ago
I can believe it, I just don't know why it's not been customised to react to links to docs.google.com if it's such a high volume issue.

It's not a trivial problem by any means, but from the network security team's blog it doesn't seem like they've taken many of the steps that I'd expect prior to cutting off a very high traffic website.

link
jacques_chester 4864 days ago
Time.

There's the nice clever intelligent solution which could be developed over a few weeks, or there's the fact that the phishers have decided -- for whatever reason -- to go apeshit today.

link
EwanToo 4864 days ago
True, but in this case it seems like it's not a particularly new problem, just something that they've finally reacted to?

They actually mention sinkholing spreadsheets.google.com in this post from August 2011 [1], they actually say "There are also some forms which are more difficult to block ( I don’t think we’d be too popular if we sink-holed spreadsheets.google.com for example)".

So they've had the issue for years.

1 - https://blogs.oucs.ox.ac.uk/oxcert/2011/08/12/the-price-of-p...

link
rmc 4864 days ago
instruct the users to check those signatures.

People fall for 419 phishing scams. What makes you think they are able to check for digital signatures.

link
betterunix 4864 days ago
Their email client can do it automatically. Basically, you just need to tell them, "Official emails will always have a big, green border around them."

Also, the number of people who fall for 419 scams is fairly low, just barely above the threshold of profitability. The reason people are shocked when they hear that anyone falls for such scams is that hardly anyone does. There is a hypothesis that 419 scams are designed to be obvious, because it helps in filtering potential victims: anyone who would be naive enough to reply is an easy target.

I think a broader problem is that most people are not just unaware of cryptography, but they use an email client that has no support for checking digital signatures. Webmail is by far the most popular email client type, but many popular webmail systems have no support for digital signatures at all, not even checking them for validity. It would be a lot easier to tell people to check for a digital signature if that meant looking for a border color, or a big gold star, or if hovering over/clicking on a link in an unsigned message displayed an annoying warning but no warnings were displayed in signed messages; sufficiently annoying warnings do help in making cryptosystems more effective in practice:

https://bugzilla.mozilla.org/show_bug.cgi?id=460374

link
rmc 4864 days ago
Their email client can do it automatically. Basically, you just need to tell them, "Official emails will always have a big, green border around them."

You then have 2 problems: (a) What email clients will support it and (b) con artists will just put big green borders around their spam emails.

link
betterunix 4863 days ago
Further proof that HTML mail is a terrible idea...

(Edit: It is also conceivable that a client could put another prominent border around HTML mail, to mitigate the issue somewhat.)

link
rmc 4862 days ago
Heh, and you think people will be able to tell the difference between HTML email with a border, and the border around certified email.
link
EwanToo 4864 days ago
They could deal with the email issue in a number of ways, all of them causing the security, systems, and network teams hassle, but not end users.

For example, blocking all outgoing SMTP traffic except via approved internal relay servers would make tracking these millions of unexpected outgoing emails much easier. Most organisations already put these kinds of restrictions in place, it seems Oxford don't.

As far as I can see, their temporary blocking of Google Docs access did nothing but annoy users, cause them to lose face amongst users, and in the long term make users less likely to cooperate with the security team.

link
jnazario 4864 days ago
continuous phishing attacks via google docs? no, not quite. some collaborators and myself studied this a couple of years ago, it's a minuscule part of the phishing problem.

http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=61...

edited to add: here's the paper for you to read, i forgot i had a copy lying around.

http://monkey.org/~jose/tmp/PHISHING-FINAL-03-KN.pdf

link
freehunter 4864 days ago
Just because you saw a small amount from Google Docs doesn't mean that Oxford isn't seeing a large amount, or large enough to concern them. If you're a researcher, you should know that you can't extrapolate your dataset to everyone.
link
mcherm 4864 days ago
Thank you for posting ACTUAL RESEARCH!

Although I'll note that I didn't read the research since it's behind a $31 paywall.

link
fnordfnordfnord 4864 days ago
My own employer has farmed out the admin of student email accounts to Google (wisely IMO). The system had some initial glitches I admit. On a few occasions (if I'm not mistaken) Google banned email originating from their own system. In other news, many faculty use Google Docs for communication with students, and a lengthy disruption would be a big hassle, at least for me.
link
rmc 4864 days ago
(e.g., Hotmail dropping all emails coming from Oxford)

This can be a problem for universities in specific ways. Students get emailed some change to course work, all students using hotmail don't get the email, students then have a case to appeal the (possibly) worse mark they received.

link
martinced 4864 days ago
"Google Docs are nowhere near as important"

Sure. Which is why after so many people complained it is already back up.

Did you miss the recent articles about how spreadsheets were essential to many people? I know many SMEs and individuals which are doing nearly everything besides email in Google Docs. And what do they use email for? To send PDF of Google Docs to those that don't have GMail accounts.

In the recent "tools of the trade" for HN readers one of the webapp that came out the most often was Google Docs. It is also, quite arguably, seen all its functionalities and seen that it's made by a team of, what, 600 Googlers (!) the most advanced webapp ever.

I think you really don't realize how important Google Docs has become. And it is growing by the day.

There are people who create a GMail account only to get Google Docs after they've seen a demo of it.

link