Email Worst Practices

I had to send this “support request” email today because of some seriously bad error in judgement when someone hit the send button today. Seriously folks, this is 2014… have web companies and their employees learned nothing?

Hi,

this morning I got an email asking me to click a link embedded in the email to verify my email address as a condition of maintaining my *********

The email is worded exactly like a phishing attack: requiring fast compliance, threatening a disconnection of service, lacking a link to verify this policy anywhere and the email is unsigned by anyone.

Someone in security who works there must be aware most phishing attacks are carried out exactly this way, and that you should NEVER encourage a user to click a link whether it is a legitimate reason or not in an unsolicited email because of the bad precedent it sets.

Instead, you should give the user a one-time unique token to enter and tell them to log in to their account, and enter the token on their account page to verify the email was received and in fact they do own the account. Not doing so would allow anyone with access to a client’s email account to potentially hijack the account with your service.

If you disagree, then I will have to look for a more competent company to *********. Please escalate this email until it gets to a policy-maker that understands the importance of why this is “worst practice.” If this does not happen, I might as well cancel my account because it is only a matter of time before your customers or your client-facing DBs are hacked.

Thanks.
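The token flow the email proposes, sketched as an added example (not part of the original post, nor any company's actual code). The class name, the 15-minute lifetime, the five-guess limit and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60      # assumed validity window, in seconds
MAX_ATTEMPTS = 5         # assumed guess limit per issued token
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes


class EmailVerifier:
    """Hypothetical in-memory store; a real service would persist this."""

    def __init__(self, clock=time.time):
        self._pending = {}   # account_id -> [sha256(token), expires_at, attempts_left]
        self._clock = clock
        self.verified = set()

    def issue(self, account_id):
        """Create the code that goes in the email body as plain text, no link."""
        token = "".join(secrets.choice(ALPHABET) for _ in range(8))
        digest = hashlib.sha256(token.encode()).digest()  # store only the hash
        self._pending[account_id] = [digest, self._clock() + TOKEN_TTL, MAX_ATTEMPTS]
        return token

    def confirm(self, session_account_id, submitted):
        """Check a code typed on the account page.

        session_account_id must come from the authenticated login session,
        never from the form, so the code alone cannot verify anything.
        """
        entry = self._pending.get(session_account_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[session_account_id]   # expired or locked out
            return False
        candidate = hashlib.sha256(submitted.strip().upper().encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[session_account_id]   # single use
            self.verified.add(session_account_id)
            return True
        entry[2] = attempts_left - 1                # count the failed guess
        return False
```

Because `confirm` keys on the logged-in session rather than on anything in the message, someone who only reads the mailbox holds a code that verifies nothing without the account password as well.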

Just to clarify, the raw headers show it was sent from their mail server, and the message looks legitimate, but maybe someone hijacked that through a completely unrelated blunder. Anyway, the moral of the story is: do not click links in unsolicited emails. If this was a case of a password reset I requested or a two factor auth thing, or even a newsletter I opted-in for, those are totally understandable, but in this case it was probably just bad form. To allow the company time to correct their policy (or regain control of their mail server) I have not mentioned exactly which web services company this is… but this is yet another case of sloppy work in the IT sector. And, as Danny Glover once said in a movie where he co-starred with a crazy guy, “I’m too old for this shit.”*

Thanks for reading.

*luckily this last word is no longer banned from TV, and thus — in this usage — it is appropriate to describe a distinct lack of professional behavior from a commercial company.

Hope DaltonC makes it…

I have been following Dalton Caldwell on Twitter and reading his blog posts for some time now. A vast majority of the time, I am nodding along to each of his points, as he points out a company or industry’s fundamental breach of trust or lack of sense in some new strategy that will revolutionize the industry.

This time Dalton is trying to kickstart a new social network with a twist: App.net. Instead of selling you, the user, and having you do all the work by posting content and telling the company what you like, only to have them turn around and sell your data to marketing and advertising agencies so they can resell it to businesses looking for people in your demographic as a higher priced “targeted ad,” he aligns the social network with users by having the money come directly from the users. Dalton—being a “very smart guy”—knows the time has come for the idea of paying for a service that is usually free in order to get better treatment.

When LiveJournal, Tribe, Friendster and MySpace were all trying to figure out how to monetize their social networking sites, the public at large didn’t understand how valuable having a way to broadcast to the internet was. Now that the public has had a taste, the idea and acceptance of social networks being a valuable way to communicate with friends has allowed people like Dalton to finally offer a service that people know the value of paying for. Tribe, Friendster, MySpace, LiveJournal, etc. were all trying to ride the wave when it was still out at sea while also getting towed by boatloads of advertising cash. Facebook, Google and Twitter are now trying to catch a line from the advertising boat, and alienating some of the people generating the wave.

They could easily turn around and offer a paid, ad-free service, however the real damage is with their selling and sharing of your data—things such as your email address, name, age, sex, address, zip code, etc. Once sold, the Facebooks of the world cannot redact any of that information. There is no mechanism to pull your data once it is let out to a third party app or game a person tries even just once. While FB’s compliance policy says the app maker must delete your data if you remove their “free” game, there is no enforcement, nor any auditing to make sure this is actually happening. So, really, it is time for a new entity with a clean slate to start with a center that is based on serving the people who pay for the service rather than the advertisers and companies that pay lip service to privacy concerns.

The saddest part is, even when a big company such as Google or Facebook adopts practices that are gross violations of privacy or makes errors that would land a person in jail, they get what amounts to a slap on the wrist, and publicly apologize, saying, “it will never happen again.” But we all know that their profit margin from either alleged “mistakes” such as bypassing a DO NOT TRACK header, or sneaking persistent ID cookies in there to follow your browsing habits, far outweighs any penalty once they get caught.

For instance, an executive at BP could have sat in his office knowing full well they would be forced to cough up up to 2B for gross negligence (as long as they kept their mouths shut and never admitted wrongdoing), but also the net profits will be up 50% to 15B. That 2B dollar fine is just the cost of doing business and still a 30% jump above last year. (All of this is speculation, and I haven’t even checked their numbers, but you get the idea.) The same could go on every day at a large company in the social network space as well. An executive could weigh the risk-reward ratio of any illegal action, figure in enough spin, plausible deniability and legal fees, and decide that the penalties are far enough down the road, and that public scrutiny only lasts so long.

I see BP gas stations today and they are doing business as usual with pump prices holding steady a lot higher than before the explosion in the Gulf, because people don’t care unless it is convenient for them to. If it is inconvenient to not use a product or service that they know is from an ethically deficient company, they generally make excuses or just admit, “I don’t care” if they are a more honest person. In fact as long as their interests align, they are willing to put up with a few questionably ethical practices.

The thing is, if one of these companies decides that their quarterly profits are worth more than a permanent injury to a group of people (such as their identity being stolen and their credit destroyed) or the environment (such as sea life mutating thanks to oil dispersants used in concentrations that would affect cell replication), then you or the victim of their risk-reward calculation are fucked. Because all that will happen will be a slap on the wrist, and lip service. There is no such thing as a corporate death penalty for accidents, nor gaming the system. But there should be.

That’s why I hope Dalton succeeds. If his service gets off the ground and holds to its ethical center of “people over profit (but a profit is needed)” then companies like his will take care of killing the parasitic companies and the sociopathic companies for us. So, while I haven’t backed the project yet, I will definitely earmark part of my budget for it, and help by telling people. I do the same for any company that “gets it,” such as duckduckgo.com: because face it, Google’s “‘do no evil’ mantra” has evolved into (as George Carlin would say) “pure bullshit.”

I am not against making money, but I think no company should ever place the basis of their revenue stream at odds with sound ethical practices. If there is ever a question, then obviously you are in the wrong business or talking to the wrong people. Advertising and marketing are usually at odds with maintaining honesty and privacy, and those are the areas I would never work in. For instance: What would I say if asked to develop a system to help people find information when they want it? “Great!” Develop a system to monitor what people are doing with this tool? “Fuck off.” Why? Because it’s a basis of freedom, and the word “freedom” does not mean “We will monitor what you do, so only do what we want you to.”

So, yeah, I have $50–$100 for Dalton because I value people who put their business practices in line with my concerns for privacy and ethical behavior. Do you? Ask yourself if you really do too. Are you concerned enough to pay someone for this so they can erode those that are playing the numbers with your health, safety and security as their poker chips?