Michele Bachmann Announces She's Done

U.S. Representative Michele Bachmann (R-Minnesota) announced today that she’s not going to seek re-election in 2014.
Last time around, the race between her and Minnesota businessman Jim Graves was very close. Mr. Graves lost by a very narrow margin. Graves had already announced his intention to take on Ms. Bachmann again next year. As the news came out on Bachmann’s decision, both camps made it clear that they think their person would have won the rematch. Just yesterday, Minnesota Public Radio explained that Graves seemed to be facing “an uphill battle vs. Bachmann.” At the same time, recent polling by the Graves campaign showed him slightly ahead of Bachmann. The race certainly would have been very close, but it was looking to be a scenario much like last time around, which, at the end of the day, Ms. Bachmann did end up winning.
So if she’s got at least a fair shake at winning, why wouldn’t she take it all the way? Well, that’s what brings us to why I’m writing about this here. It seems that Bachmann’s failed 2012 presidential campaign was accused of stealing the email list of Network of Iowa Christian Home Educators (NICHE) back in 2011. In a bit of an attempt to re-write history, they later came to an after-the-fact settlement to label the action a “rental” and NICHE received a $2,000 payment from the Bachmann campaign.
And that’s just one of multiple ethics issues Minnesota’s face of the Tea Party is facing. In March, her attorney confirmed that Bachmann is under investigation by the Office of Congressional Ethics for alleged misuse of campaign funds. One of her own 2012 presidential campaign staffers, Peter Waldron, filed a complaint that Ms. Bachmann’s campaign improperly used leadership PAC funds to pay campaign staff. There were further allegations regarding payment of staffers and attempting to require exiting staffers to sign non-disclosure agreements prohibiting them from talking to police or attorneys. And the FBI is now said to be involved.
I’ve consulted for multiple email service providers who have told me how challenging it can be to work with political senders. At least one ESP prohibits this kind of mail outright, out of frustration with candidates regularly playing fast and loose with permission. PACs, parties, candidates and other groups seem to buy, sell or trade lists constantly, and as a result, spam complaints and blocking would often follow. Thus, it doesn’t surprise me to see Ms. Bachmann’s campaign engaging in something email list-related that they probably thought was just common usage, when the rest of us in the email community would find that use unwelcome and unethical. (And it’s not just her party guilty of this kind of thing.)

Can I join…
Gmail's new inbox tabs. News at 11.

Related Posts

I know your customers' passwords

Go to your ESP customer login page and use “View Source” to look at the HTML (under “Page” on Internet Explorer, “Tools->Web Developer” on Firefox, and “View” on Safari).
Go on, I’ll wait.
Search for the word autocomplete. If it says something like autocomplete=”off” then your web developers have already thought about this security issue. If it doesn’t, then you might have a serious security problem.
What’s going on here? You’ve probably noticed that when you’re filling in a web form your browser will often offer to fill in data for you once you start typing. This feature is supported by most modern browsers and it’s very convenient for users – but it works by recording the contents of the form in the browser, including the username and password.
As a bad guy that’s very interesting data. I can take some off-the-shelf malware and configure it with the URLs of a bunch of ESP login pages. Then I just need to get that malware installed on your customers desktops somehow. A targeted web drive-by malware attack, maybe based on targeted hostile banner ads is one approach, but sending email to people likely to be ESP customers is probably more effective. Maybe I’ll use hostile email that infects the machine automatically, or – most likely – I’ll use a phishing attack, sending a plausible looking email with an attachment I’m hoping recipients will open.
Once the malware is installed it can rummage through the users browser files, looking for any data that matches the list of login pages I gave it. I just need to sit back and wait for the malware to phone home and give me a nicely packaged list of ESPs, usernames and passwords. Then I can steal that customer’s email lists and send my next phishing run through that ESP.
This isn’t a new issue – it’s been discussed since browsers started implementing autocompletion over a decade ago, and it’s been a best practice to include autocomplete=”off” for password fields or login forms for years.
How serious a risk is this for ESPs? Well, I looked at the customer login pages at several ESPs that have a history of being compromised and none of them are using autocomplete=”off”. I looked at several that haven’t been compromised that I know of, and they’re all using either autocomplete=”off” or a complex (and reasonably secure-looking) javascript approach to login. Correlation isn’t causation, but it’s fairly strong circumstantial evidence.
ESPs should fix this hole if they haven’t already. If any customers are upset about having to actually type in their password (really?) they can take a look at secure password management tools (e.g. 1Password, LastPass or KeePass).
Thanks to Tim at Silverpop for reminding me that this is a serious security hole that many ESPs haven’t plugged yet and pointing me at some of these resources.
More on passwords and application security tomorrow.

Read More

Are you ready for the next attack?

ESPs are under attack and being tested. But I’m not sure much progress in handling and responding to the attacks has been made since the Return Path warning or the Epsilon compromise.
Last week a number of email marketers became aware that attacks against ESPs and senders were ongoing. The shock and surprise many people exhibited prompted my Spear Phishing post on Friday.
The first round of phishing went out on Wednesday, by Friday they were coming from a different ESP. Whether this was a compromised ESP customer or employee it doesn’t matter. ESPs should have reaction plans in place to deal with these threats.
It’s been months since the first attacks. This is more than enough time to have implemented some response to reports of attacks. Yet, many people I talked to last week had no idea what they should or could be doing to protect themselves and their customers.
Last time the attacks were publicly discussed I was frustrated with many of the “how to respond” posts because few of them seemed to address the real issue. People seemed to be pushing agendas that had nothing to do with actually fixing the security holes. There were lots of recommendations to sign all mail with DKIM, implement 2 factor authentication, deploy validation certificates on web properties, or adhere to sender’s best practices.
None of those recommendations actually addressed the gaping security hole: Humans.

Read More

Political insanity with email

In one of the more boneheaded email related moves I’ve seen from a political group ever the Obama / Biden campaign has announced that people can go to their website, enter in the email address of a Republican friend, pay some money, and the campaign will send an email to your (soon to be ex-) friend on your behalf.

Read More