E-mail and security hiccups

Yesterday, I received an e-mail from somebody at a major card manufacturer warning me about USB keys. Initially, I thought it was spam, but I looked at it anyway, and the mail happened to be signed by the guy in the From field, and there was no link to a page that could have infected my computer with some interesting malware. More interestingly, this e-mail was apparently sent to an internal alias covering the personnel of a single French facility.

Well, I received it anyway, and as far as I know, I don’t work for that card manufacturer, or at least not directly. And apparently, many people from this company received it, even people from Asia, who apparently don’t understand French. I know that because some of them did a “Reply all” that of course reached me as well. Apparently, many French employees also received the e-mail.

After all this havoc, I felt terrible for the poor guy, and even for his company. He was lucky that his e-mail did not contain any sensitive information. It simply reminded fellow employees of the internal procedure. I don’t know where the real problem is, but I don’t think this guy has anything to do with it. Even if there exists an alias that sends e-mails to all employees and a few outsiders, it is quite obvious that this alias should not be accessible to just anybody, since it has the potential to clog the entire company’s network.

Of course, this is just a small example of a potential security hiccup with e-mail. When thinking about it, we all think about terrible mishaps using e-mail, like hitting the Reply button with the message “Ah, that guy is really stupid!”, or realizing a bit late that the Fred Martin to whom you just sent the quotation does not work for your customer but for one of your competitors. At least once, I have been saved by GPG, which complained that it could not find a key for somebody.

The funny thing is that things like that are new to us. You can’t send snail mail to your entire company without noticing it; you are quite unlikely to write the wrong guy’s address on an envelope if you have to type it, etc. Some of these issues are directly related to the speed of e-mail, and there may be some solutions, such as Google’s Mail Goggles, which makes sure that you are in good enough shape to send e-mails, especially on week-end evenings. Google has also added a detector of forgotten attachments, and an Undo Send feature, which gives you a few seconds to realize your terrible mistake.

The bad part is that I haven’t found many interesting solutions that go beyond these simple utilities. I could add a few, like a mail server that asks you to confirm the sending of an e-mail to a large list, or even one that requires an explicit authentication to do so. There doesn’t seem to be anything much better than that, which also means that there are plenty of good ideas waiting…
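The checks suggested here, together with the earlier point that a company-wide alias should not be open to just anybody, sketched as an added example (not code from this post or from any real mail server): aliases are expanded before acceptance, restricted aliases reject unauthenticated or unlisted senders, and large expansions are held until the sender confirms. The alias table, addresses, threshold and function names are all assumptions made for illustration.

```python
# Constructed alias table (hypothetical names): an alias maps to addresses
# or to other aliases.
ALIASES = {
    "site-fr@corp.example": ["all-fr@corp.example", "contractor@partner.example"],
    "all-fr@corp.example": [f"user{i}@corp.example" for i in range(200)],
    "team@corp.example": ["alice@corp.example", "bob@corp.example"],
}
# Senders allowed to post to each restricted alias (assumed policy data).
ALLOWED_POSTERS = {"site-fr@corp.example": {"hr@corp.example"}}
LARGE_LIST_THRESHOLD = 50        # assumed cut-off for "a large list"
INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain


def expand(address, seen=None):
    """Recursively expand an alias into final recipients, tolerating loops."""
    seen = set() if seen is None else seen
    if address in seen:
        return set()
    seen.add(address)
    if address not in ALIASES:
        return {address}
    out = set()
    for member in ALIASES[address]:
        out |= expand(member, seen)
    return out


def decide(sender, authenticated, rcpts, confirmed=False):
    """Return (verdict, reason); verdict is 'accept', 'hold' or 'reject'."""
    final = set()
    for rcpt in rcpts:
        if rcpt in ALLOWED_POSTERS:
            # Restricted alias: explicit authentication plus an allowlist.
            if not authenticated:
                return "reject", f"{rcpt} requires an authenticated sender"
            if sender not in ALLOWED_POSTERS[rcpt]:
                return "reject", f"{sender} may not post to {rcpt}"
        final |= expand(rcpt)
    external = [a for a in final if not a.endswith("@" + INTERNAL_DOMAIN)]
    if len(final) >= LARGE_LIST_THRESHOLD and not confirmed:
        # Show the sender the real fan-out, outsiders included, before sending.
        return "hold", f"{len(final)} recipients ({len(external)} external): confirm to send"
    return "accept", f"{len(final)} recipients"
```

Counting external addresses in the hold message shows the sender that an "internal" alias reaches outsiders before anything is delivered.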

Naturally, in the case that I first mentioned, the problem is most likely with the e-mail administration or configuration, which, in a large company, must be a large problem. The problem was quite rapidly fixed (about an hour or two, as far as I can tell), but this is very long in Internet time. There is one thing that I am curious about, though: how did I get on this mailing list, and who else was on there? You can let me know (by e-mail of course, I promise that I won’t forward it to anybody).

Finally, let me give one final word of advice for the original e-mail’s sender. His message is about shared USB keys that can be borrowed by employees, and the procedure makes it mandatory to remove the content before giving them back. Well, this sounds scary to me, because of course people will forget, and I hope that the procedure also involved a full wipe of the keys between two uses.
