Threads from Henry's Web

Tag: security

  • Deceiving without Lying

    Deceiving without Lying

    I got this letter in the mail.

     

    If you look at the reply envelope, you’ll see that there is no identification of the company that is sending this e-mail out. Look to the right, where I’ve let a bit of the outer envelope show. It shows a quite correct statement of penalties for obstructing mail delivery. It’s not particularly relevant, but whatever. At the end, in smaller print, we note that this is not from the government..

    At the bottom of the pink sheet, we see a note that this is not “affiliated with or endorsed by any government of Medicare program.” Another statement that is likely quite true.

    With the “NATIONAL RESPONSE CENTER SENIOR BENEFITS DEPT.” the intention is to keep the recipient from thinking of this as a ad for life insurance, which it is, and to suggest that they are being informed of benefits already earned (Medicare, Social Security), which they are not.

    I wouldn’t post this normally, but I did for two reasons:

    1. This is aimed at the elderly, and there are many actual benefits available. There are many organizations and government agencies that do work to provide information about actual benefits. Because of that, someone else can slip in deceptively and imply that they are such a group, while making sure that they don’t actual tell any lies and have all the disclaimers available.
    2. Most of my readers will find this particular mailing trivially easy to analyze and dismiss. In the modern world, you are assailed much more commonly by e-mail, something many of you are much less skilled at evaluating. You need to apply the same sort of logic. How does a reputable company go about introducing you to its services? Does the e-mail you’re looking at look like and function like that sort of introduction? If you look carefully at the e-mails you receive that are legitimate, especially those from businesses with which you have a relationship, you will more likely recognize when someone is playing around.

    It’s possible for people to spoof the sender of an email. That means they use a name or an e-mail address that is not theirs. It is much more difficult, but nowhere near impossible to place false data in the actual record of how the e-mail was transmitted. I have nonetheless had friends receive e-mails that purported to be from me. I got them to forward the e-mail to me and I was able to check that it was indeed not sent from the appropriate server, and just my name was faked (not even the e-mail address in a couple of recent cases).

    Just like someone could type my name on a piece of paper and forge my signature, so they can fake that information on an e-mail. Or they can fake yours. They can do this without hacking your account. Your information is easy to access.

    They could, for example, extract my address from the picture above, but that is ubiquitous on the web. I blacked out my zip code, but anyone who wants it already has it. My point here is don’t assume that simply showing the right return information makes it certain the e-mail is correct. If you have any doubt—and please take enough time that you’d notice—then confirm with the sender before following any links or opening any attachments. A huge percentage of the fraud problems on the internet would be abated considerably by this.

  • You Don’t Have to Have an Opinion about Everything

    I posted a note from an article regarding the data released by DHS about Russian hacking, if it was Russian, and then I started wondering whether people would assume it is my opinion that the Russians were not involved.

    In fact, I do not have an opinion on that because I do not have enough information to support a reasonably informed one. The article simply notes that the evidence released by DHS doesn’t appear to point to Russian activity specifically. That doesn’t mean that this is the only software used, or the only IPs, nor does it mean that the understanding of the article writers is complete. Their conclusions are stated in admiral fashion. They note the nature of the evidence and what they can identify about who it points to.

    What amazes me, however, is the massive number of people who already have come to a conclusion on this. Either the Russians did it or they didn’t, and we make the determination based not on actual data but simply on which group of people we associate ourselves with. My guess is that not one in ten of those people with a firm opinion on this topic have even the tiny amount of information that I’ve collected, nor do they have my knowledge of computer security. Many of them couldn’t really tell you what “hacking” means, and what would be necessary to get the kinds of data involved. Yet they have firm opinions, loudly expressed.

    I note here that I’m not a security expert in the sense that the people who develop anti-virus software are. I simply know enough about how computers are attacked that I can select good software and suggest/apply good security practices. The people who have the expertise to actually make determinations are not all that numerous.

    It doesn’t hurt not to have an opinion. It doesn’t hurt to say, “I don’t know.” Which I say right now: I don’t know. I am not convinced it was a Russian government action, nor am I convinced it was not. Let’s look at the evidence.

    What really bothers me about all this, and what I do have an opinion about, is the threat that potential hacking presents to national security. A serious effort could disrupt an election and in ways that are much worse than some manipulation of information. Get used to it. Information is going to be manipulated. I don’t trust the government to be able to deal with the human factors that hamper good data security. In my experience, the most common problem is the password on a sticky note, often also easily guessed, and not the highly technical hacker.

    And of course I must note that I suspect rampant stupidity has a greater influence on U. S. elections than does foreign interference, assuming there was any.

    We might want to consider electing some more technically qualified leaders for a technical age … it’s just a thought.

    (FWIW, it’s bad writing style to conclude with something quite unrelated to your title and opening paragraph. But this is my blog and I’ll write badly if I want to.)