
Brazilian government to ditch Microsoft in favour of bespoke email system - singold
http://www.zdnet.com/brazilian-government-to-ditch-microsoft-in-favour-of-bespoke-email-system-7000021929/
======
Ensorceled
I love the discussions on this topic:

"It will probably cost more in the long run." "The NSA will just crack it and
spy anyway."

So many people with the attitude that countries that find out their tech
partners are actually performing espionage on behalf of the US government (and
US security partners) should just tolerate it rather than do something about
it.

~~~
CurtHagenlocher
To the best of my knowledge, no one has alleged that the NSA had Microsoft's
help in intercepting Petrobras-related email. This is more about the
possibility of such a threat than anything else.

Disclaimer: I work at Microsoft, so eh.

~~~
devx
Why take the chance? From the leaks, the companies have "cooperated enough",
especially when we're talking about "foreigners". We don't need proof for
absolutely everything and for every single case, to stop trusting American
companies, until there's a dramatic change in laws, and surveillance policy in
the US.

~~~
stfu
This is going to be the main issue behind that argument. The burden of proof
has shifted.

The tech industry's reaction to the Snowden seems to the outside very
lukewarm. Sure, they are giving all sorts of "trust us" statements, but truth
is we don't have the slightest clue if this is their honest opinion or just an
opinion that a secret court forces them to uphold. Reality might be much more
nuanced, but to the outside there is very little reason to give anyone any
longer the benefit of the doubt.

~~~
barista
There is nothing that singles Microsoft out here as every other operator of
email and other software complied as well. This is something the US government
should come clean on and something that the tech companies should push the
government to do.

~~~
stfu
Absolutely. There is nothing that singles out Microsoft as better or worse,
but it is a looming issue for the whole US tech industry.

------
Theodores
If a country is big enough to have an air force then it is big enough to do
something on its own about securing government communications.

How hard is it to write an email client?

With some calendar?

Is it complete rocket surgery or something in the realms of feasibly possible?

Wasn't gmail some 20%-er time by a couple of guys at Google? I don't think it
took years or billions to get up and running.

I think you could have a tidy and secure webmail built by half a dozen people
randomly chosen from Hacker News in six months. Sure it might not be as all
singing and dancing as the oh-so-wonderful Microsoft Outlook but then again it
might actually be better for the task in hand - facilitating communication for
a government. Sometimes people have got to try rather than be all helpless. I
am all for software re-use, open source and everything else deemed good
software engineering, but, for a government wanting to keep their
communications private some consideration has to be given to 'how hard can it
be to write an email client?'

~~~
mseebach
> How hard is it to write an email client?

> With some calendar?

> Is it complete rocket surgery or something in the realms of feasibly
> possible?

Oh dearie. Thus began every single failed multi-million-dollar software
project in the history of software.

> Wasn't gmail some 20%-er time by a couple of guys at Google? I don't think
> it took years or billions to get up and running.

A: The feature-set of GMail as it was released in 2004 is unlikely to impress
someone used to Outlook/Exchange

B: What a correctly motivated Google-quality engineer can cook up in a few
years (which is apparently how long GMail was in development before release)
has little to no correlation to what a government can procure from a systems
integrator. Also, I don't recall the calendar being worth much back then.
Maybe, maybe, maybe if they hired Google-grade engineers, paid them Google
salaries and gave them Google-freedom to work on this, they might be able to
pull it off. But that's _a lot_ harder than it sounds.

EDIT:

> do something on its own about securing government communications

It's not hard to secure an email installation - its interface to the internet
at large is super small and well understood (SMTP). Most likely NSA grabs the
mail they want from outside the installation by sniffing unencrypted network
traffic.

A worthwhile effort, and one quite suitable for a government even, is to get
people to encrypt their emails.

~~~
guiambros
Oh c'mon. The Gmail of 2013 is not _that_ different from the Gmail of 2004
(unless you count Priority Inbox as an advancement).

There's really nothing complex or fancy in developing a bare bones secure
email system. And keep in mind these poor souls are using Lotus Notes (!), so
it can't get much worse than that.

Also, it's not that it has to be built entirely from scratch. They will likely
re-use existing ideas from other systems, and even (licenses permitting) other
open source solutions as a starting point.

All in all, I wish we had more governments stepping up against this whole US
spying mess. The _real_ long term solution is not to have each government
developing their own proprietary email systems, but for the US to be more
transparent and stop the illegal spying.

Sadly, this will have to get worse before it gets better. We'll probably watch
a few years of increasing distrust and strained relationships, before
governments start to come to terms with the US again.

------
outworlder
At least, that's an excuse to ditch proprietary solutions. I could back that
up. But the source will probably be closed (as the voting machines, for
instance), so I don't see any gains there, other than jurisdiction.

It probably won't do much for security though. If anything, vulnerabilities
will be more likely. The only thing they've got for it is securing the
physical comms. But even if the US (or any other superpower) doesn't
compromise them, there are other ways of extracting the data.

And this being SERPRO, they'll likely use cutting edge technologies such as
MD5 and DES.

~~~
darkarmani
> And this being SERPRO, they'll likely use cutting edge technologies such as
> MD5 and DES.

Hey, PBKDF1 uses md5. That only puts them a handful of years behind.

------
felipe
Apparently this is the software currently being used to replace Outlook:
[http://www.expressolivre.org/modules/conteudo/conteudo.php?c...](http://www.expressolivre.org/modules/conteudo/conteudo.php?conteudo=3)

------
jwoah12
Hopefully as this happens more often, the affected companies will start to
lobby against the current policies.

~~~
auctiontheory
As we've already seen, US companies have very little leverage against the US
government in such "national security" matters. (Same for Chinese companies,
etc.)

------
mpyne
It would be nice if the Brazilian government adopted and helped to improve an
existing open source solution (may I recommend Kolab?) instead of falling prey
to NIH.

As others have mentioned, PIM is _very difficult_ and if it's done wrong, you
end up with metadata leaking across the Internet, security flaws, etc.

If the real issue is with the inability to see the source then open source is
better than "Brazilian government"-proprietary, as the NSA could simply hack
the source code repository, CIA could plant an insider, the list goes on. You
could have someone whose job is to audit the integrity of the archive, but who
watches the watchers? With open source the problem is simpler: everyone can
watch the source code archive.

------
kevin_rubyhouse
I would like to see how this turns out considering how miserably the US's
Healthcare.gov site has been going. It sounds like the Brazilian govt. is
using an internal group (the Federal Data Processing Service [SERPRO]) to do
this, while the US sourced the work to a domestic company (CGI Federal.) I've
got a gut feeling that Brazil's email system will fare better than our
Healthcare.gov site.

Article about SERPRO launching their cloud platform.
[http://www.zdnet.com/brazilian-government-launches-own-cloud...](http://www.zdnet.com/brazilian-government-launches-own-cloud-offering-7000020738/)

Some random info about the Healthcare.gov devs:
[http://www.washingtonpost.com/blogs/wonkblog/wp/2013/10/09/h...](http://www.washingtonpost.com/blogs/wonkblog/wp/2013/10/09/healthcare-gov-was-originally-built-in-a-garage/)

~~~
filipemonte
I use Expresso daily; it's not a good platform, lots of limitations! But at
least it is a response to the spying. Better than doing nothing! Hope this
investment changes Expresso for the better!

~~~
marcosdumay
A question from someone that'll probably have to start using it soon: Can you
back-up your emails in a way where the central IT of your place can't delete
them?

~~~
filipemonte
Yes. You can use local storage.

~~~
marcosdumay
Thanks, that's a relief. I was afraid there were other reasons to push the
system. It's great that I was wrong :)

------
jhhn
LOL.... BIG LOL! Only those who live here in Brazil would know that software
engineering skills are not a requirement to be accepted into the SERPRO team.
And, considering the corrupt chain of outsourcing related to most IT projects
here, maybe it would be safer for us to keep being spied on by the NSA and
other agencies.

------
doorty
This is great. If service providers lose business because of cooperation with
the NSA, then it's just a matter of time until those service providers have a
compelling reason (Capitalism) that Congress, etc. can get behind.

------
evli
I find it great that my country (Brazil) is not so mindless about technology.
I hope that these anti-NSA moves spark actual development in the industry
here.

------
yeukhon
Who created Expresso?

~~~
filipemonte
It is based on a German project
([http://www.egroupware.org/](http://www.egroupware.org/))

~~~
yeukhon
Cool. Since they think that project is more secure than MS Outlook, I wonder
if the government has requested an audit or not.

~~~
marcosdumay
The (Brazilian) government is the maintainer of the software. Why would it
require an audit?

~~~
darkarmani
They are making the claim that they are doing it for security reasons, why
wouldn't they want the code audited? A gov't employee could write a backdoor
just like a private sector employee.

~~~
marcosdumay
Ok, maybe I should rephrase that.

Who would do an audit?

Because the obvious candidate is Serpro, but they are already developing it.
Anyway, it's open source, so if any part of the government (military maybe,
ABIN, or some university) thinks that it deserves an audit, it can simply do
it, no need for formalization.

------
ffrryuu
Spying/backdoor may be a consideration.

~~~
cleverjake
It literally says that in the first paragraph.

