I'm all about the attention to detale.
And this, kids, is why we have to pay attention.
SPAM, how I love thee. I’m sure if you’ve ever used the interweb you’ve probably got one or two of your own along the way. One of my tasks is to cut back on the SPAM that gets through to the rest of the staff, while at the same time trying to minimize the number of false positives. Fair enough, it is what we’ve brought upon ourselves with the underpinnings of email. Spammers take advantage of how email was designed to work. Our email system was put together years ago when most people on the net trusted each other - often because they actually knew each other, having met through conferences and collaborations, and used email to work together from distant locations.
So you gotta think I’m pretty familiar with all the SPAM tricks and can spot them a mile away, right?
I get an email allegedly from Delta Airlines to a former employee. Wanting to be nice and helpful I happily forward it back to him. It’s confirmation of a ticket, ferghod’ssake, so it’s got to be important and get sent to him pronto, right? I even laughed at the utter stupidity of Delta Airlines to include a PASSWORD in PLAIN TEXT in an email - that’s just stupid kids, never, ever, EVER send a password in an email. It’s flat out idiotic. People watch for stuff like that.
The truth: It really was spam. I got completely utterly sucked in by half-paying attention and trying to be helpful without cognitively processing the email. Well, I certainly feel stupid after the fact.
If nothing else, it emphasizes the point that security is a process. There is no one single thing you can do to be safe. There are a whole lot of things you need to do to reduce the risk, but there are no guarantees.
Outlook Express and its big brother Outlook have proven themselves to be a massively huge security hole in the past and continue to earn my scorn as my single most hated application. I hate a lot of programs. It takes a lot to make #1 on my list. Not everyone can get off Outlook, but I certainly recommend you try to get off it entirely. Is Windows Mail (the replacement that comes with Vista) any better? I don’t know; I have so little trust from past history that I refuse to touch it. Fool me once, shame on you…
If you have a safer email program, there’s no guarantee you’re not going to blow it and mistake spam for a real message. It happened to me, and I’m a professional. Think about your system settings next. Are you hiding the file extensions on Windows? It remains the dumbest default setting I can think of in Windows. You need to be able to see what the real file name is ALWAYS. Go to Windows Explorer (Windows-E for the shortcut), go to Tools –> Folder Options, then the View tab and uncheck “Hide extensions for known file types” in the Advanced options. I don’t care if you barely understand that sentence; if you run Windows you should be doing everything you can to find that setting and change it. You’re not going to have evil.jpg.exe sneaking onto your computer to do damage when you can see it’s an executable file pretending to be a picture.
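The same Folder Options change, as an added PowerShell example that is not from the original post: it audits and flips the registry value behind that checkbox, then shows why it matters by comparing what Explorer would display with the real file name. It assumes the standard Explorer location for the setting (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, value HideFileExt).

```powershell
# Added example, not part of the original post. Assumes the Explorer
# Folder Options setting lives at the usual per-user registry location:
#   HideFileExt = 1  -> extensions hidden (the Windows default)
#   HideFileExt = 0  -> extensions always shown
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$name = 'HideFileExt'

function Get-HideFileExt {
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 1 }   # value absent: Explorer behaves as if hidden
    return [int]$prop.$name
}

function Show-KnownExtensions {
    if ((Get-HideFileExt) -eq 0) {
        Write-Host 'Extensions are already visible; nothing to change.'
        return
    }
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    # Explorer reads this setting at start-up, so restart it to apply right away.
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
    Write-Host "$name set to 0; extensions will now be shown."
}

function Show-DisplayName {
    param([string]$FileName)
    # With extensions hidden, Explorer drops only the LAST extension, which is
    # exactly what lets evil.jpg.exe masquerade as a picture.
    $shown = if ((Get-HideFileExt) -eq 1) {
        [IO.Path]::GetFileNameWithoutExtension($FileName)
    } else {
        $FileName
    }
    [pscustomobject]@{ RealName = $FileName; DisplayedName = $shown }
}

# Before the fix a hidden-extension machine shows 'evil.jpg'; after it, 'evil.jpg.exe'.
Show-DisplayName 'evil.jpg.exe'
Show-KnownExtensions
Show-DisplayName 'evil.jpg.exe'
```

Run it in a PowerShell window for the user whose Explorer you want to fix; the setting is per-user, so repeat it for each account on a shared machine.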
Okay, so you’ve dumped Outhouse, you’ve changed your settings to be more secure, and you’re still dumb enough to open that lousy email. I laughed once I saw it, because it wasn’t going to run on the Mac no matter what. Woo-hoo, I am mighty and invulnerable on my shiny aluminum shield of impregnability!
Nope. Sooner or later there’s going to be a script written that’s going to target OS X and punch through in a meaningful way. Eventually there’s going to be some program that runs in the background on Linux. There already are, but because of design decisions it’s more difficult to run rampage across your entire computer in OS X and Linux. Any computer professional who is honest with himself or herself sees the benefit of not running as administrator (as found in Linux, OS X and Vista), and they also know that running as a limited user is not a panacea.
So it’s hopeless and we should all turn off our computers and get off the net. Perhaps not a bad idea, but a little cynical even for me.
It’s an arms race out there and we all have to take our own responsibility for our computers. Patch according to best practices. Try to limit your risk. Think when you open your email. Never buy anything that came unsolicited into your inbox.
You’d think it would be obvious. But if it were, the profit motivation for spam would have dried up years ago and we’d have severely cut back our attack vectors.
No one is safe. No one is immune. The onus is on us all. We all have to take charge and fix this.