Unprofessional Emails from Georgia Tech

A few days ago I got a rather spammy message from the College of Computing at Georgia Tech.

The contents were harmless enough; just another message from Zvi Galil asking everyone to fill out instructor evaluations for the last academic term. In full, it read:

Hello Non CS majors,
 
I ask you to fill out the CIOS course evaluations, especially for courses you take from CoC professors.
If you do all such courses, which might mean one course in some cases, you will participate in a drawing and might win an Apple 16GB iPod nano.
We hope to improve our 69.5% participation record. The goal for this term is 75%.
We do need your input to help us improve our teaching and in some cases to recognize great teachers.
 
You will now get my spamming reminders and terrible jokes.
My apologies.
 
Zvi Galil
 
Dean CoC

I had already received far too many emails like this (from several different campus departments) over the past few weeks, so I sent what was intended to be a polite, but firm, request to be removed from the list (since there was no `unsubscribe' link at the bottom). The following email correspondance then took place:

From me:

Please remove me from this list. I do not appreciate getting all these reminder emails.

Best,
Sam

From Zvi:

You can remove yourself from the list by dropping out of all CoC courses

Sent from my iPhone

From me:

Galil: [sic]

I would still like to take courses with the CoC, I just don't wish to
receive all the spammy messages they send out.
I've been informed there is a way to have yourself removed from the
list while still being enrolled in courses, however, I was unable to
find any information online, so I went straight to the source. If you
could remove me I would appreciate it.

Best,
Sam

I thought that was it. While I thought that it was silly to suggest that I drop out of all CoC courses a week before finals, I didn't see any cause for concern, and assumed that I would be removed from the list shortly. A few days later, an email was sent out to the entire College of Computing, all non-CS undergrads enrolled in CS courses, all CS faculty, and all CS PHD students. It read (in part):

From Zvi:

PS. One of the non-majors sent me hate mail (twice) insisting on getting off the mailing list.
I explained to him that the only way for him was to drop out of our classes..
I actually got few nice emails from CoC students.
Maybe because they know their terrible vengeful dean.

and, in the interest of full disclosure, I sent the following response (after someone else showed me how to remove myself from the mailing list):

From me:

Zvi:

I'm extremely disappointed that you would choose to tell the entire CoC that a student (presumably me) was sending you hate mail. If you were referring to the two messages I sent you, I'm sorry that you seem to have taken them as a personal insult. I tried to keep them polite, and simply explain wehre I was coming from, they certainly weren't hate mail. A friend told me about `lists.gatech.edu' today, from which I was able to unsubscribe from the list. Instead of acting unprofessionally and sending out a message to the entire CoC discussing the emails I sent you (even if it was just an afterthought), you could have simply told me that you couldn't facilitate the removal and that I would have to do it manually. 

All the best,
Sam

While Zvi seems like a nice enough man, I am concerned that he would send out a threat (even a joke one) on a widely distributed mailing list. This is unprofessional behavior that is not acceptable from someone in Zvi's position.

What are your thoughts? Harmless joke, or terrible public relations?

UPDATE (1707 EST): A few moments ago I received the following reply from Zvi (sorry, I couldn't resist including the formatting):

From Zvi:

Hi Sam,
 
Thank you for your messages. They were not even close to being “hate mail”…
No offense. I was only kidding about dropping out from the courses.
Sooner or later people will understand my strange sense of humor.
As you found out, people can easily opt out and some did.
FYI the ratio of people cheering my messages (saying they love them) and “hate mailers” is 4 to 1.
And my spam has been working: there was a bump in the participation after each time I sent an email.
 
CIOS is very important to the College. This is the only time where I err on the side of more.
There is a proposal on the table to have it mandatory.
At Yale students have to do it in order to take the final.  We will collectively decide in the College in what way we will do it.
The current way will also be an option.
 
Thanks again

Zvi

Update 2 (1725 EST): Comments appear to be broken on the post (keep trying, I'm working on it), but the lovely Jessie Newman dropped me the following line over on Google+:

+Sam Whited Already commented on your blog but that was EXACTLY the email I received minus the line "Your suggestion will be considered as well. Thanks again"

This coming after she sent an email requesting that changes be made to the list to help people receive only content that they find valuable, and stating that she definitely wasn't sending "hate mail."

Thoughts on CISPA

H.R. 3523 (also known as CISPA) starts out pretty good; the whole point is to:

"... establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence."

More open sharing of information in both directions; sounds great! And data can only be turned over if it's related to "cyber threat intelligence," so it will only be turned over to stop criminals from stealing personal or government secrets right? The act defines "cyber threat intelligence" as:

"information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from ... (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information."

Wait, "intellectual property?" So when your kid brother sends you a Kina Grannis song, Facebook can turn over all of your personal information? It amused me that a bill that's partially about protecting "personally identifiable information" could allow any "cybersecurity provider" you use to turn over all of your information without fear of legal repercussions. ... yup, you read that last bit right:

"No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith ... for using cybersecurity systems or sharing information in accordance with this section"

Sounds a bit vague. Luckily, the act also requires an annual review of shared information by the Privacy and Civil Liberties Oversight Board (at least one thing here was done right).

Yes, it might allow the government to share information in good faith, but the hopelessly vague wording of the bill also means any private company can share your information with other approved parties for "cybersecurity purposes" (cybersecurity isn't defined anywhere in the bill, by the way).

Luckily, Facebook (among others, I'm sure) "has no intention of [sharing sensitive personal information with the government in the name of protecting cybersecurity] and it is unrelated to the things we liked about HR 3523 in the first place [1]"

Thanks Facebook; I'm glad you promise not to share everyone's personal information.

Personally, I'm of the opinion that the vagueness of CISPA is not driven by ulterior motives, and I love the general idea; but maybe we should clean this up, drop the stupid intellectual property references, and make sure we define things a little better before sending it to the floor for a vote (in 2 weeks).

For more information, the full text of CISPA can be found here. A statement against the bill by the EFF can be read here, and a good statement about why it's not as bad as the EFF makes it out to be can be found here.

Another year, another new years post

Yup, it's that time of year again: That time of year when I post a random photo (such as what I had for lunch), comment on how my posting has decreased for yet another straight year (down to 2 posts this past year), and wish you all a happy new year. So from me, and these delicious tacos, have a happy new year!

Security on the Internet

These days computer security is a hot topic. Companies tell us how hard they work to ensure their users safety, and the media throws around buzz words like "military grade encryption" constantly. And yet, despite all of this hype and the general trend of wider public awareness, many of the largest companies still don't understand basic security principles. Social media companies such as Facebook and Twitter have taken steps to allow encrypted connections to their services via SSL/TLS (Or "Secure Socket Layer," and its successor, "Transport Layer Security," the encryption protocols behind HTTPS), but they still don't have them enabled by default for the majority of their users—meaning your password can easily be stolen by the guy sitting across the coffee shop from you on the same public Wi-Fi hotspot. A recent request for investigation [PDF] filed with the Federal Communications Commission (@FCC on Twitter) exposed file-hosting company Dropbox for allowing its employees to access customers encrypted files, and even worse than all that is the recent string of attacks by the (arguably) grey hat hacker group referring to itself as "LulzSec." Victims of these attacks were exploited using relatively simple attack vectors and included high-profile companies such as PBS, Sony (NYSE: SNE), Sony again, and—allegedly—InfraGard, a non-profit partner of the FBI. Even security companies and defense contractors aren't immune, with RSA, The Security Division of EMC Corporation (NYSE: EMC) recently announcing that a vulnerability in its SecurID two-factor authentication product had been exploited by unknown attackers to infiltrate Lockheed Martin (NYSE: LMT). If these big players can't keep up, how's a small business or individual supposed to ensure their data is secure? The answer, as it turns out, is "easily." Below are a few easy steps you can take to make sure your data is secure.

Website Security

One of the most basic ways you can protect yourself online is by visiting social media sites, email, etc. via SSL where supported and enabling any options to force SSL encryption. These options are available on all the major social-media / webmail sites including Facebook, Twitter, Gmail, and Hotmail.

If you own a website or other internet-based service that doesn't implement SSL/TLS, enabling encryption is one of the best (and easiest) things you can do to secure your site and protect your visitors. This is as easy as purchasing and installing a certificate from a trusted Certificate Authority. I recommend RapidSSL (49.00 USD / year) or Network Solutions (39.99 USD / year). Unfortunately, SSL certificates do often cost good money, and this can be tough on individuals or small businesses. However, it is possible to secure your site using a free CA such as CAcert or StartSSL. The trade off is that these certificates are not trusted by as many browsers, so your users may see confusing warning messages when trying to visit your site over HTTPS unless they install your providers root certificate. Bear in mind that the strength of your SSL certificate is only as strong as the protection of your private key (the part of the certificate that is installed on the server). SSL only works as long as no one else has access to the private key which is used to encrypt communications, so if your private key is stolen—perhaps due to a server vulnerability, or an attacker gaining physical access to the machine—there's no guarantee that the encrypted channel is actually private. If you're not using an untrusted or self-signed certificate, you might also consider enabling the "Strict-Transport-Security" header which tells modern browsers that your site supports SSL and that they should use it whenever possible.

Another simple thing you can do to protect your website is to make sure your forms are not vulnerable to SQL injection (or, more generally, code injection). The recent PBS / Sony hacks were performed by a simple tool which automatically injected SQL code into a page using the login form. This sort of problem is one of the deadly sins of the web. It is absolutely inexcusable to be vulnerable to such simple attacks. If you're interfacing with a database, either use existing libraries which are known to be secure, or use parameterized statements. Many websites think that because they sanitize their input, they'll be okay. However, this approach is fairly naive, and won't catch 100% of the tricks hackers use to bypass your security.

Even following these basic steps, it's still (easily) possible that some little oversight may lead to a vulnerability and your site could be compromised. When this happens, what data could an attacker get? If the answer is "plaintext passwords," you're still doing it wrong. Lots of companies choose to store user passwords in plaintext, meaning that anyone who gets a dump of the password database can instantly login as any user and compromise other user-data (perhaps due to that cardinal sin, password-reuse). Have a little respect for your users and save their passwords as salted hashes.

Email Security

Email security is another beast all together. As stated in the IETF's RFC 1855,

"Unless you are using an encryption device (hardware or software), you should assume that mail on the Internet is not secure. Never put in a mail message anything you would not put on a postcard."

Email encryption is an underutilized tool that should be used whenever possible. Most mail clients support either S/MIME or PGP/MIME, and even if they don't, attachments and text can always be encrypted and/or signed (so that a recipient knows they came from you) with a free program such as GNUPG which implements the OpenPGP standard. Personally, I prefer PGP to S/MIME when signing and encrypting emails. For the system to really work, unfortunately, everyone needs to encrypt all of their email all of the time. This way an attacker can't tell the difference between emails containing sensitive data, and those that contain pictures of your cats.

Other simple steps you can take to ensure your email is secure include implementing a two-factor authentication system. This approach is becoming more popular among the consumer sector, with Gmail recently implementing it for regular and Google Apps users. Two-factor authentication can take many forms. Gmail's approach involves calling or texting the user's cell phone and giving them a code which they must enter every time they log in (along with their username and password). Two-factor authentication can be used for much more than email, however. It's common practice to require it when logging into websites, remote servers, and even for physical locks.

Conclusion

There are all sorts of ways to enhance your security online, and there are many more I'd love to cover here (such as using public-key authentication for SSH connections), time permitting. However, for now, enough—and then some—has been said. Online security is important to the modern internet, and even a basic knowledge of general good-security principles goes a long way towards protecting you and/or your customers. With that in mind, I encourage you to think about your own security, and work towards improving it in the future.

EDIT: After taking recent events into account, I've decided not to even entertain the argument that Lulz Security is a grey hat group. Their antics were always in rather bad taste, but now they're just plain disgusting.


EDIT: And now there's this. Confirmation, directly from Lulz Security, that they are no more than petty cyber-crooks.

World IPv6 Day: Intent to participate

As you might have read, the Internet Society Newsletter today announced World IPv6 Day. The intent is to create AAAA Records for the homepages of major websites which previously only had IPv6 connectivity on subdomains on 08 June 2011 and test them for 24 hours. Though the event is designed for websites owned by large companies with millions of viewers, IPv6 is just as important for people running low traffic personal websites.

With this in mind, I am announcing my intent to participate in World IPv6 day, however, I would like to take it a step further. By most estimates, having a dual stack running IPv4 and IPv6 will only cause connectivity problems for some 0.05% of users [1]. Before and after June 8th, I will begin carefully monitoring access to my website and looking for changes and trends in the data. If at the end of the day I find that having IPv6 connectivity on the main site does not adversely affect the majority of my users, I will be permanently enabling IPv6 support on SamWhited.com.

I have sent my intent to participate to the Internet Society, and hope they will see that their mission affects large companies and small websites alike. The traffic generated from being an official part of IPv6 day (both before, and after the event) would give me a much better baseline and signal to noise ratio to work with as I monitor my traffic this June.

With only ~37 days worth of IPv4 addresses remaining as of 12 January 2011, it is imperative that ISP’s and device manufacturers begin to take a look at restructuring their services to include IPv6 [2]. NAT is only a temporary solution, and can not be allowed to grow at the ISP level. We all share a mission to ensure a widely available and open internet, where users are free to consume and generate content without being locked into the rigid rules of the old and dying protocols used by their ISP’s. Some people say the way forward is not clear, and many argue—correctly—that it may be costly. However, in the end, IPv6 is the only way to save the internet from suffocation, and move forward into an evermore open playing field.

EDIT: On January 14^th I received the following reply from ISOC’s Phil Roberts:

Hi Sam,

thanks for your interest.  I've had quite a few responses from individuals who have their own website.  I'm not sure we're going to list individuals but we may, and if so, you're [sic] site is in my database.

Regards,
Phil

Hopefully they will realize that IPv6 affects large and small alike, and list smaller websites as well so that we can all improve our quality of service. If you would like to see smaller sites represented, contact ISOC and let them know!

The “New Year Post”

Though I’ve only had 4 posts since last year's new year post (and most of them short) I’ve been keeping busy, and productive: everything I wish for you in the new year!

From me, and Goliath the Eastern Screech Owl (Megascops asio), have a wonderful 2011, and happy 23-day (01/01/11)₂!

Redesign

As you may have noticed, this blog has changed (again)! Just like last time, I recently updated my personal website and wanted the blog to reflect that. I also wanted to design the new template to be compatible with Blogger's template designer.

 

When designing the new site my primary goal was minimalism. My old site had too many colors, lines, and fonts, so I took most of them out. Since the main content of the site (and this blog) is text, the choice of typeface was very important. With this in mind I looked for three things: First of all, the typefaces needed to reflect the simplicity of the site, secondly they needed to be installed on the majority of my visitors computers (or be licensed for use as a webfont), and finally, they needed to make reading the site easy. To achieve this I looked primarily at humanist and neo-grotesque typefaces. I ended up settling on Verdana, Geneva, and Tahoma (falling back in that order) for the body text. For titles I wanted a transitional serif font which would be easy to read, both on screen, and in print. I ended up using Georgia with Times New Roman as a fall back. The main heading of the site felt important enough that I wanted it to stand apart from the rest of the page and have its own typeface; for this I chose Museo.

 

This post contains material from SamWhited.com. For the latest information, please visit samwhited.com/about/site/.