Email Worst Practices

I had to send this “support request” email today because of some seriously bad error in judgement when someone hit the send button today. Seriously, folks, this is 2014… have web companies and their employees learned nothing?

Hi,

This morning I got an email asking me to click a link embedded in the email to verify my email address as a condition of maintaining my *********

The email is worded exactly like a phishing attack: requiring fast compliance, threatening a disconnection of service, lacking a link to verify this policy anywhere and the email is unsigned by anyone.

Someone in security who works there must be aware most phishing attacks are carried out exactly this way, and that you should NEVER encourage a user to click a link whether it is a legitimate reason or not in an unsolicited email because of the bad precedent it sets.

Instead, you should give the user a one-time unique token to enter and tell them to log in to their account, and enter the token on their account page to verify the email was received and in fact they do own the account. Not doing so would allow anyone with access to a client’s email account to potentially hijack the account with your service.

If you disagree, then I will have to look for a more competent company to *********. Please escalate this email until it gets to a policy-maker who understands the importance of why this is “worst practice.” If this does not happen, I might as well cancel my account because it is only a matter of time before your customers or your client-facing DBs are hacked.

Thanks.
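One way to implement the token-based verification the email above asks for, as an added Python example that is not from the original post or from the company involved; the in-memory store, the 15-minute lifetime and the attempt limit are assumptions, and the point is that the code is useless without also being logged in to the account:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: code expires after 15 minutes
MAX_ATTEMPTS = 5              # assumed policy: lock the code after 5 wrong entries

# Constructed in-memory store standing in for a database table:
# account_id -> {"digest": sha256(token), "expires": ts, "attempts": n}
_pending: dict = {}
_verified: set = set()


def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable codes.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(account_id: str, now: Optional[float] = None) -> str:
    """Create the one-time code to email to the account's address.
    The email carries the code only, never a link to click."""
    now = time.time() if now is None else now
    token = secrets.token_hex(8)          # 16 hex chars, 64 bits of entropy
    _pending[account_id] = {"digest": _digest(token),
                            "expires": now + TOKEN_TTL_SECONDS,
                            "attempts": 0}
    return token


def verify_token(session_account_id: str, entered: str,
                 now: Optional[float] = None) -> bool:
    """Called from the account page, so the caller already holds a login
    session; the code is bound to that session's account, not to whoever
    happens to read the mailbox."""
    now = time.time() if now is None else now
    entry = _pending.get(session_account_id)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[session_account_id]  # expired or locked: must re-issue
        return False
    entry["attempts"] += 1
    # Constant-time comparison so timing does not leak digest bytes.
    if not hmac.compare_digest(entry["digest"], _digest(entered.strip())):
        return False
    del _pending[session_account_id]      # single use
    _verified.add(session_account_id)
    return True


def is_verified(account_id: str) -> bool:
    return account_id in _verified
```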

Just to clarify, the raw headers show it was sent from their mail server, and the message looks legitimate, but maybe someone hijacked that through a completely unrelated blunder. Anyway, the moral of the story is: do not click links in unsolicited emails. If this was a case of a password reset I requested or a two-factor auth thing, or even a newsletter I opted in for, those are totally understandable, but in this case it was probably just bad form. To allow the company time to correct their policy (or regain control of their mail server) I have not mentioned exactly which web services company this is… but this is yet another case of sloppy work in the IT sector. And, as Danny Glover once said in a movie where he co-starred with a crazy guy, “I’m too old for this shit.”*

Thanks for reading.

*Luckily this last word is no longer banned from TV, and thus — in this usage — it is appropriate to describe a distinct lack of professional behavior from a commercial company.

HTML5 Developer’s Conference Wrap Up

After a good conference, badges are kind of like medals or trophies

Badges? We do need some stinkin’ badges. Gracias!

HTML5 is here in full swing. With portions of CSS3 reaching Candidate Recommendation status and ES6 coming, it is critical for web developers to continue to learn not only the new technologies, but also current best practices. Because I try to do the right thing, I went to the HTML5 Developer’s Conference in SF. My editor was in town and we ended up meeting, and while I was enthusiastically telling him about it, he asked me if I would write up an article for DiceNews about what I found.

That would be great, I said. So, I pounded out a quick one the next day. You can read the article by clicking this link http://news.dice.com/2013/04/15/lessons-learned-at-html5-dev/ if you so desire.

Feel free to comment here or there. But please forgive my generalizations. I know people are making full use of animations, and other modern features, but many more are not. And yes, I realize sometimes a page refresh is desired too. With that said, enjoy.

Dropbox Invitation Scam Spam Today

I got this in the email today. I found it fishy that a person I do not know sent this, so I moused over to see if my suspicion was correct. Yup! Scam, most likely leading to a website that would do a drive-by download and pwn my system. Patch your Windows machines, folks, and Mac users, use Sophos! (I didn’t actually click the link because I didn’t want to take my machine and use it as a lab rat.) The moral of the story: look before you leap = check the real URL before you click.

As you can see, the link leads elsewhere.

Technology Failures or “Hammering with a Screwdriver”

The guiding principle of technology is, technology is supposed to make our lives better by alleviating the drudgery from our lives and letting us have more time doing what we enjoy. But there is a dark side to technology, and I am not talking about surveillance this time. This dark side is perpetrated by people who create it and use it. I’m going to talk about two things: design/process failure and computer etiquette “netiquette” because they have the same basic root cause.

There are so many failures in the use of technology by companies that should know better that I wonder how the people in charge manage to keep their jobs. Now it is easy for me to sit here atop my perch and take pot shots, insulated from all the conflicting pressures of making products that please both the management’s bottom line and customers. However, I have always been of the opinion that there is a way to do both. There are solutions that can actually deliver more satisfaction to both company and customer.