Well, as often seems to be the case, a Big Deal broke in the Climate News and I was not noticing. Sigh.
It involves fraud and deception on the part of the Warmers, in the person of Gleick.
It’s exploding all over, and I’m sure most of you are already aware of it, but if not, hit the links:
So, despite my desire to learn how the moon controls the precipitation of colloidal silver (and my waking / active times… my ‘natural free run’ day length is about 25 hours, as is the “lunar day” at 24 hours 50 minutes…), it looks like instead I’ll be playing “catch up” for the next few hours on the issue of Gleick pretending to be a board member and getting a clandestine document feed via email.
As an email administrator, one of the things you need to do is assure that you are protected from “spoofing” attacks. The easiest way to do that is to HAVE an email administrator who maintains formal mailing lists. For anything that matters, THEY are the person who validates that any given email address is, in fact, valid, and controls any changes.
Now you can see why.
When the various board members just have their own lists, or when “the secretary” can add folks or remove them at will: Eventually things will get out of sync. Folks will miss documents, and as can be seen here, unauthorized folks can get on the list.
One of the things that would slightly annoy folks at sites where my team managed the email lists was that they would call up with an email change, and we’d thank them for the update and ask that they hang up. (This was before the days of caller ID being everywhere). We would then call them back and ask for confirmation. (And often send a notification to the OLD email address as well…)
Such things are not just a formality. They are how you prevent this kind of fraud.
I wonder if The Heartland Institute would like to have a Geek On Staff… There really is NO reason for this “spoof” to have worked other than lax enforcement of known standards of care with email lists (perhaps not the fault of the I.T. ‘department’ if the Board decided to do email via an informal exchange of addresses… becoming ever more common these days).
Still, they OUGHT to have a formal mailing list of BoardMembers@Heartland.x.x and on it ought to be aliases for each Board Member of the form MemberOne@Heartland.x.x and only a VERIFIED and VALIDATED request to change the final address at which that alias points ought to be allowed. This actually makes it easier for folks to remember email addresses as they just need the name and @Heartland.
Polish Point: Don’t make the names First.Last@ or similar. It’s too easy to ‘spoof’ via good guessing or via learning the method from observing one name. So “MikeS” for one guy “MSmith” for another and “EMSmith” for a third… Users can remember / coordinate that ‘wiggle’ easily and it blocks “SPAM by Guessing Names”…
Also, any sensitive documents ought to be marked to send to VERIFIED and VALIDATED addresses only. Both physical and electronic.
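A sketch of that change-control process, added here as an illustration (it is not code from any real site or mail system): an alias only moves to a new delivery address after a callback to the number already on file, and the OLD address is told about every request. The class, the method names, the example.* addresses and the 555 numbers are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AliasRegistry:
    targets: dict                                 # alias -> verified delivery address
    phone_on_file: dict                           # alias -> number recorded at enrolment
    pending: dict = field(default_factory=dict)   # alias -> requested new address
    outbox: list = field(default_factory=list)    # (recipient, text) notices sent

    def request_change(self, alias, new_address):
        """Park the request and return the number the admin must call back."""
        if alias not in self.targets:
            raise KeyError(f"unknown alias {alias!r}")
        self.pending[alias] = new_address
        # Tell the OLD address, so the real owner hears about a forged request.
        self.outbox.append((self.targets[alias],
                            f"Change of delivery address requested for {alias}"))
        # Always the number on file, never one supplied by the requester.
        return self.phone_on_file[alias]

    def confirm_change(self, alias, number_called, owner_confirmed):
        """Apply a parked change only after a callback to the number on file."""
        new_address = self.pending.pop(alias, None)
        if new_address is None:
            return False
        if number_called != self.phone_on_file[alias] or not owner_confirmed:
            return False  # request dropped; the alias keeps its old target
        self.targets[alias] = new_address
        return True

    def expand(self, members):
        """Addresses a list mailing goes to: verified targets only."""
        return [self.targets[a] for a in members]

def demo():
    reg = AliasRegistry(  # constructed sample data
        targets={"MikeS": "mike@example.org", "EMSmith": "em@example.net"},
        phone_on_file={"MikeS": "555-0101", "EMSmith": "555-0102"},
    )
    board = ["MikeS", "EMSmith"]
    # Forged request: the callback reaches the real owner, who denies it.
    call = reg.request_change("MikeS", "mike.board@example.com")
    during = reg.expand(board)  # the pending address receives nothing
    forged = reg.confirm_change("MikeS", call, owner_confirmed=False)
    # Genuine request: the owner confirms on the callback.
    call = reg.request_change("EMSmith", "em@example.com")
    genuine = reg.confirm_change("EMSmith", call, owner_confirmed=True)
    return during, forged, genuine, reg.expand(board), reg.outbox
```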
Ah well, folks will learn. One way or another…