Email nightmare for some FSU students

shieldI mentioned yesterday that sometimes people and software screw up in ways that cause problems. Today I saw an article demonstrating just how bad these issues can be. Florida State University Housing Department sent detailed and confidential violation reports to tens of thousands of students.

On Monday, March 14 at around 2 p.m., FSU first became aware that a glitch in the University Housing software caused the system to email approximately 13,195 current and former FSU students detailed incident reports of any and all code of conduct complaints associated with them, the FSView has learned. FSU News

In some cases, reports were of minor issues like halogen lights or open flames. But in other cases the violations were much more serious. These include reports of drug offenses, harassment and assault. Emails were only sent to the students associated with the report, but there is the possibility that some anonymous reporters were revealed by this glitch. Given some of the reports were more than 10 years old, it’s also possible these emails went to non-involved recipients.
As an email professional this type of glitch is horrifying. I can’t fathom what the glitch was. Whether it involved a human making a mistake or was triggered by the software, this is horrible design. No email containing sensitive and personal information should ever be sent unintentionally.
FSU reports they’ve stopped using the software. I hope they’ve unplugged it from any network completely. A little bit of poking at Google doesn’t tell me who the vendor is, although one of the major campus conduct software vendors (Maxient) has a note on their Facebook page that they are not the software used by FSU.
Like I said yesterday, stuff breaks online. The problem is some of these failures can cause problems and injury to real people. What happens online isn’t that separate from what happens offline these days. Our security needs to be better.

The Internet is hard.
Optimize your SPF records

Related Posts

Fast and loose

Politicians often play fast and loose with permission and data. This can cause them all sorts of problems with email delivery at major ISPs. I really expect that politicians buy, sell, transfer, spindle, mutilate and fold data. If they can use it to further their goals, they will. And, many of the consumer protection and privacy laws don’t apply to political groups.
The news that Representative Bachman may have known that some of her mailing list was taken and used by others is a surprise even to me. I talked with a few ESP reps, though, and they told me that this was mostly par for the course and that they often have a lot of delivery and compliance issues with their political clients. Many have had to suspend or terminate political clients, and a couple people mentioned SBL listings.
This isn’t a problem with just one side of the political spectrum, it seems endemic in how the game is played.
 
 

Read More

Is your data secure?

Not just secure from outside forces, but also secure from employees?
In a recent survey published by Help Net Security, approximately half of all employees said they would take data, including customer data, when leaving a job.
This has major implications for ESPs, where employees have access to customer data and mailing lists. There are at least 2 cases that I am aware of where employees have walked out of a company with customer mailing lists, and I’m sure there are other incidents.
ESPs should take action to prevent employees from stealing customer data.

Read More

Security vendors and trust.

A big part of my predictions for 2016, that I’ll publish shortly, is that security is going to be a huge issue. I think we’re really going to see receivers expecting senders to have their houses in order when it comes to sending mail.
Of course, some filter companies need to get their houses in order to. Yesterday, a security researcher went public with problems in the TrendMicro anti-virus appliance. These vulnerabilities would let any email sender remotely execute code on the recipients machine with no interaction of the user. They also exposed all the passwords on the machine to the outside world.
Even worse, Trend doesn’t seem to understand the urgency to fix this. They have started releasing patches for the exploits, but there are significant problems with the patched versions as well.
If you’re a Trend user, you may want to consider other vendors for desktop security. I know that no security is perfect and that other vendors have problems, too. But shipping a password manager that exposes all passwords is just incompetence. It seems like a corporate lack of understanding of what their business is and how to actually create security software.
Even worse is that lack of urgency from the Trend folks as the security researchers are explaining the problem. I don’t care if the person receiving the report was the janitor, anything that says security exploit should be escalated to someone who can determine if the report is valid.
Compare Trend’s reaction to this to Juniper’s reaction to discovering a backdoor in their code in December. First off, Juniper found the exploit during a routine code review. That alone tells you Juiper is continually monitoring their code security. Second, Juniper was reasonably open about the issue, with executives posting blogs and security posting advisories talking about the issue. More importantly, they shared how they were going to fix it and prevent it from happening again.
Security is such a large issue right now. We have to be able to trust our vendors to do what they’re selling us. Every vendor is going to make mistakes and have vulnerabilities. No code and no developer is perfect. I do expect, though, that vendors will take exploits seriously and act fast in order to correct the problem. I’m not seeing that sense of urgency with Trend.
 

Read More