Weird addressing

Email addresses are weird.

Web addresses run from broadest to most narrow scope, which makes total sense to me. http is the protocol, basically informing the computer how to handle the request. (Back in the 90s, we more commonly also saw ftp and mailto and gopher as protocols in links.) Next is the computer address, which ideally would have been ordered Top Level Domain (TLD), site domain, hostname, so for example this site would have been com.ezrasf.www. Next is the folder tree down to the file location. Finally, the file name.

Similarly, email addresses should have been designed as protocol, TLD, site domain, username. So, you could reach me at mailto:com.ezrasf/blog. Instead, the username at server address is what we got. It works, but the fact that it does has bothered me for a decade and a half.

Email Changes

Ran across a site where if one changes the email address associated with the account, it sends the confirmation email to the new address.

Say, I am a Blackhat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from victim@outlook.com to my blackhatalias@gmail.com. Sending the confirmation to blackhatalias rather than the victim ensures a compromised account will get altered. Strong security would want to prevent the change unless the owner of victim@outlook.com confirms the change.

Though, it does look like an email was sent to victim@outlook.com almost 3 hours after the confirmation saying:

Still scary. The blackhat has probably already made off with the data and done the damage.

I get the temptation to allow users to change their email address to a new one. It will prevent support phone calls because if they no longer have control of the old email account, users can simply change it to another address they do control.

Of course, the site in question also does not have Two Factor Authentication. But, then it also is just a support forum. So, the ramifications of losing the account are impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.

Confirmations

Received an email from a company that was using it to validate that my email address is the correct one. It specifically told me not to do anything if the email address is correct and to let them know if it was not.

We’re writing to confirm that this is your current email address. If this email address is still current, you don’t need to do a thing.

If you would like to change your email address, please update your information today.

Um…

I presume if the email bounced, then they have tools that would notice this, mark the email address as bad, and use phone or postal mail to reach out to me. Which is fine.

But… Let’s say I stopped using this email address because it is overwhelmed with junk and am using a different one. This email gets to that address, it does not bounce because it is perfectly legitimate but I’m not reading anything sent there. I will not see this. Because of their “don’t do a thing,” they think I would see it in the future. Therefore, I would not have an opportunity to update my information to a better one unless I think of it myself or eventually stumble across this buried message.

Of course, this same company was pretty aggressive a couple years ago wanting my cell phone number so they could text me.
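As an added example (my illustration, not code from either site discussed in the two posts above), here is how both flows should behave, in Python: an email change only takes effect once a token mailed to the current address is redeemed, the new address gets a courtesy notice with no authority, and an "is this still your address?" check demands a positive click, with silence treated as unverified rather than as confirmation. The names, the in-memory outbox standing in for SMTP, and the 24-hour token lifetime are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 24 * 3600  # assumed policy: confirmation links die after a day


@dataclass
class Account:
    username: str
    email: str
    email_verified_at: Optional[float] = None  # last time the owner positively confirmed the address


@dataclass
class Pending:
    username: str
    kind: str        # "change" or "verify"
    new_email: str
    issued_at: float


class Outbox:
    """Stand-in for SMTP: records (to, subject, body) instead of sending anything."""
    def __init__(self):
        self.messages = []

    def send(self, to, subject, body):
        self.messages.append((to, subject, body))


class EmailService:
    def __init__(self, accounts, outbox, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = outbox
        self.now = now          # injectable clock so expiry can be exercised
        self.pending = {}       # token -> Pending; tokens are single use

    def _issue(self, username, kind, new_email):
        token = secrets.token_urlsafe(32)
        self.pending[token] = Pending(username, kind, new_email, self.now())
        return token

    def request_change(self, username, new_email):
        """Change flow: the link that authorises the change goes to the CURRENT address.
        Whoever holds the session (possibly a phisher) cannot finish without the old mailbox."""
        acct = self.accounts[username]
        token = self._issue(username, "change", new_email)
        self.outbox.send(acct.email, "Confirm email change",
                         f"Approve changing your address to {new_email}: /confirm/{token}")
        # The new address only gets a courtesy notice; it carries no token and so no authority.
        self.outbox.send(new_email, "Pending email change",
                         "Someone asked to use this address for their account. Nothing to do yet.")
        return token

    def request_verification(self, username):
        """'Is this still your address?' check that needs a click; silence must not count as yes."""
        acct = self.accounts[username]
        token = self._issue(username, "verify", acct.email)
        self.outbox.send(acct.email, "Please confirm this address is still current",
                         f"Click to confirm: /verify/{token}")
        return token

    def confirm(self, token):
        """Redeem a token. Unknown, reused or expired tokens are all rejected the same way."""
        p = self.pending.pop(token, None)
        if p is None or self.now() - p.issued_at > TOKEN_TTL:
            return False
        acct = self.accounts[p.username]
        if p.kind == "change":
            acct.email = p.new_email
        acct.email_verified_at = self.now()
        return True

    def stale_accounts(self, max_age):
        """Accounts never confirmed, or not confirmed within max_age: reach them another way
        instead of assuming an unbounced mailbox is actually read."""
        now = self.now()
        return [a.username for a in self.accounts.values()
                if a.email_verified_at is None or now - a.email_verified_at > max_age]
```

The important property is where the token goes, not how it is generated: a phisher with the victim's password can request the change, but the only message that can complete it lands in the mailbox they do not control. The `stale_accounts` query is the replacement for "if you don't do a thing we assume it's fine": an address is current only if someone has proven it recently.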

Posting To Your WP From Foreign Sites

(This assumes a WordPress.org site, not one on WordPress.com hosting.)

Placing your username and password in a third-party site's database is not a good idea. If the account provided is the WordPress administrator account, then the credentials for the most important account are exposed to that site. The password has to be kept in the clear, or in a form that is easily decrypted, so it can be used to post to WordPress.

Better instead is to create a limited user with the Author role for this purpose. These accounts are so easy to create that I make one for every site I use to post to this blog. If any of these sites are hacked or the credentials otherwise given to others, then the potential damage is just the posts belonging to that user.

One stumbling block for this is WordPress.org installs want a unique email address for each account. A workaround I use is either generating email accounts via my hosting provider or the +anything plus-addressing trick for Gmail.

Also, it makes it easy to identify the posts which came from the foreign source. My Goodreads posts are an example, where that site is set up to post as an account I created specially for that purpose.

Open Letter Re: Behind the Blackboard

Hi Blackboard Support,

Today, without warning, you changed Behind the Blackboard. Clients dislike surprises. We like knowing how things work. Give us access to the new thing before we have to deal with it. That way we become familiar with it.

Even if you do not give advance viewing of the service, then give advance warning that the change would happen today so I can plan around it happening. I had a phone call with one of your employees yesterday. That would have been a good time to tell me. It is a web site, so you could put on your web site to expect the change.

The main problem is I cannot login to this site. My current user id and client id are not accepted. The math problem to foil bots does not accept the correct answers. Others found the password provided did not work. This roll out seems less than ready for production use. I emailed the address on the support page for help.

Thanks,

Ezra

UPDATE 2011-06-10: Apparently there was an email sent on May 27th, about 12 days before the change. It looks like many customers just like me did not see the email. Also, this is about the time a coworker’s email address changed to foo@blackboard. In the lists discussing this mess, another client got noemailonrecord101@company.inc.

I guess the old system is not available because apparently we have to tell Blackboard the people to add to our client id? (Nevermind that because we are a system there are about 40 client ids.)

UPDATE 2011-06-14: I got into the site. Now my default list of tickets belongs to the first client id in the set of our consortium. Since the merger of the WebCT and Blackboard support almost five years ago, I have been working tickets in the client id for the system office. Maybe one day this will work?

Email Harvesters

I missed the story about brothers convicted of harvesting emails the first time. Well, I noticed a followup.

Back around 2001, the CIO received complaints about performance for the web server. So, I went log trolling to see what the web server was doing. A single IP dominated the HTTP requests. This one IP passed various last names into the email directory. Some quick research revealed Apache could block requests from that IP. That calmed things down enough for me to identify the owner of the IP. The CIO then bullied the ISP to provide contact information for the company involved.

Previous little adventures like this landed me a permanent job, so I jumped at similar challenges.

Well, a few years later, it happened again. This time my boss had made me develop a script for the dissemination of the anti-virus software package to home users. Basically, it used email authentication to verify whether someone could get the download link. So, I applied the same technique to the email directory. Well, this upset some people who legitimately needed email addresses. So the human workers would provide email addresses to people with a legitimate need.

I’m glad that, since I’ve left, VSU no longer looks up email addresses for people. (I thought some of the requests questionable.) Also, my little email authentication script was before LDAP was available to the university. I think the new solution much better.

One of the more vocal complainers about my having stopped non-VSU access to the email directory was my current employer. We apparently list email addresses for employees freely. Which makes me wonder how much of the spam we get is due to the brothers described at the beginning of this story? Or other email harvesters? Just hitting the send button potentially exposes the email address.

No worries. I’m sure Glenn is protecting me. 🙂
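The log trolling described in the 2001 story, one IP dominating the directory with a different surname per request, is easy to automate. Here is an added example in Python (mine, not the script from the post): it parses Apache common-format lines, scores each IP by its share of directory traffic and how many distinct names it cycled through, and emits the Apache 2.4 snippet that blocks the offender while leaving the directory open to everyone else. The sample log lines are constructed for the example using RFC 5737 documentation addresses, and the `/directory/?lastname=` URL shape is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log line: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample, not real traffic: 203.0.113.7 walks the directory by surname.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2001:10:00:01 -0500] "GET /directory/?lastname=Smith HTTP/1.0" 200 4312
198.51.100.20 - - [12/Mar/2001:10:00:02 -0500] "GET /index.html HTTP/1.0" 200 1024
203.0.113.7 - - [12/Mar/2001:10:00:02 -0500] "GET /directory/?lastname=Johnson HTTP/1.0" 200 3980
203.0.113.7 - - [12/Mar/2001:10:00:03 -0500] "GET /directory/?lastname=Williams HTTP/1.0" 200 4107
198.51.100.21 - - [12/Mar/2001:10:00:03 -0500] "GET /directory/?lastname=Jones HTTP/1.0" 200 2210
203.0.113.7 - - [12/Mar/2001:10:00:04 -0500] "GET /directory/?lastname=Brown HTTP/1.0" 200 4455
203.0.113.7 - - [12/Mar/2001:10:00:05 -0500] "GET /directory/?lastname=Davis HTTP/1.0" 200 3871
198.51.100.22 - - [12/Mar/2001:10:00:06 -0500] "GET /about.html HTTP/1.0" 200 2048
203.0.113.7 - - [12/Mar/2001:10:00:06 -0500] "GET /directory/?lastname=Miller HTTP/1.0" 200 4019
"""


def parse_log(text):
    """Turn log lines into dicts with the path and parsed query split out; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        parts = urlsplit(e["target"])
        e["path"] = parts.path
        e["query"] = parse_qs(parts.query)
        entries.append(e)
    return entries


def directory_stats(entries, prefix="/directory/", param="lastname"):
    """Per-IP hit count on the directory plus the set of distinct lookup values it sent."""
    stats = defaultdict(lambda: {"hits": 0, "names": set()})
    for e in entries:
        if e["path"].startswith(prefix):
            s = stats[e["ip"]]
            s["hits"] += 1
            for value in e["query"].get(param, []):
                s["names"].add(value.lower())
    return stats


def find_harvesters(entries, prefix="/directory/", param="lastname", min_hits=5, min_share=0.5):
    """IPs owning at least min_share of directory traffic with min_hits or more requests,
    as (ip, hits, distinct_names, share), busiest first. Thresholds are assumed defaults."""
    stats = directory_stats(entries, prefix, param)
    total = sum(s["hits"] for s in stats.values()) or 1
    found = []
    for ip, s in stats.items():
        share = s["hits"] / total
        if s["hits"] >= min_hits and share >= min_share:
            found.append((ip, s["hits"], len(s["names"]), round(share, 2)))
    return sorted(found, key=lambda t: t[1], reverse=True)


def apache_block(ip, prefix="/directory/"):
    """Apache 2.4 configuration denying one client the directory while keeping it open to others."""
    return (
        f'<Location "{prefix}">\n'
        f'    <RequireAll>\n'
        f'        Require all granted\n'
        f'        Require not ip {ip}\n'
        f'    </RequireAll>\n'
        f'</Location>\n'
    )


if __name__ == "__main__":
    for ip, hits, names, share in find_harvesters(parse_log(SAMPLE_LOG)):
        print(f"{ip}: {hits} directory hits, {names} distinct surnames, {share:.0%} of directory traffic")
        print(apache_block(ip))
```

The distinct-name count is what separates a harvester from a single user reloading the same page: one address, many surnames in sequence, is a dictionary walk. The `Require not ip` form is the 2.4 syntax; the `Deny from` directives the post's era would have used do the same thing under mod_access.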

Athensdating.org

I noticed a little black and white sign: “Single? athensdating.org” a while ago. A couple weeks ago it came up in conversation. Today I saw it again. So I visited the site.

First impression: A local site should have images to represent something about the locality. Generic stock photography doesn’t cut it for me. The signup form wanted my home and cell phone numbers.

That sounded phishy to me.

Domaintools.com is a great site for looking up who runs a site. If the owner has selected privacy options with their registrar, then that would be a snag. Fortunately for us, the owner of athensdating.org isn’t hiding.

Owner: NuStar Solutions

The note “Email address is associated with about 4,690 domains” caught my eye. So I looked up NuStar and found this article about these popping up everywhere. (At least DomainTools gave me the info in one shot without having to do the same extensive research.) Lots of stuff online about these signs, who is placing them, and whether or not this is a scam.

I’m just going to assume it is a scam.

Picture info: Writing a Blog Post About This Scam on Flickr from sneezypb

Mail From Address

It appears CE/Vista has several locations for defining the email addresses it uses for SMTP.

  1. $WEBCTDOMAIN/config/config.xml:
    mail.from=
    From address for messages sent.
  2. $WEBCTDOMAIN/customconfig/startup.properties:
    WEBCT_ADMIN_EMAIL=
    Some internal errors have a mailto: prompt to contact the server administrator.
  3. $WEBCTDOMAIN/serverconfs/log4j.properties:
    log4j.appender.EMail.To=
    Report fatal errors.
  4. $WEBCTDOMAIN/serverconfs/log4jstartup.properties:
    log4j.appender.EMail.To=
    Report fatal errors.
  5. $WEBCTDOMAIN/webctInstalledServer.properties:
    WEBCT_ADMIN_EMAIL=
    Installer picks up this value for populating #2 and possibly #3 and #4.
  6. $WEBCTDOMAIN/webctInstalledServer.properties:
    MAIL_ORIGIN=
    Installer picks up this value for populating #1.

What really disturbs me is the Vista 8 installer created log4j properties files with the SMTP server set up for miles.webct.com and sending from vista.monitor@webct.com? I cannot seem to find anything in the Vista 8 documentation or wiki or Google index about the “Vista Trap Notification” subject line, from address, or SMTP address which the log4j appender appears to be designed to send.

This Vista Trap Notification appears designed to send an email to the address any time a fatal error is encountered. That’s fine. Just use the smtp host and From address requested in the installer.

Don’t get me started about giving end users a mailto: prompt to report errors.

Gravatars

Probably I missed or didn’t understand the announcement.

For the past month or so, I’ve noticed all these comments with the poster’s picture next to it on various blogs. I knew them to be WordPress blogs. I noticed my own WP had some default icon in the admin user interface. Today I finally put it all together.

A recent WordPress version incorporated Globally Recognized Avatars into the main code. (They are also known as gravatars.) Using a hash of the email address, it locates a WordPress commenter’s 96×96 picture for inclusion in the comment. Naturally, you need to register your email account with the gravatar service.

So, now many of you get to see my ugly mug!
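As an added example (not code from WordPress or Gravatar), here is the lookup in Python. The normalisation, trim whitespace, lower-case, MD5, is how the service documents its identifier; the identicon fallback and the candidate list in the last function are assumptions. The last function is the caveat: the digest is unsalted, so anyone with a list of likely addresses can match the avatar hash in a comment back to the commenter's email.

```python
import hashlib


def gravatar_hash(email):
    """Gravatar's lookup key: MD5 hex digest of the address after trimming whitespace and lower-casing."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email, size=96, default="identicon"):
    """Image URL a comment template would embed; s= is the pixel size and d= the fallback when
    the address has no registered picture (identicon is an assumed choice)."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d={default}"


def recover_email(digest, candidates):
    """Dictionary attack on a published avatar hash: return the candidate address that produces it, if any."""
    for candidate in candidates:
        if gravatar_hash(candidate) == digest:
            return candidate
    return None
```

Because the hash is deterministic and public, it also works as a cross-site tracking identifier for anyone who comments on more than one blog with the same address.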

Zemanta Pixie

Confidentiality

A student wants Blackboard Vista to not reveal his or her last name. The student has already gone to the Registrar and gotten a confidentiality flag placed on the record. As I understand it, this flag in Banner is a FERPA protection to prevent the record from being provided to parties external to the university. It does not provide anonymity within the university. That electronic systems are being scrubbed of the student’s last name means something more than just confidentiality.

We only create new accounts from our student information system (SIS) and do not update existing ones. So in general, the last name should not revert.

The instructor must know who the student is in order to correctly assign grades. If grades were automatically sent back to the SIS, then it would match the IMS id to what is in the SIS. The user name or any other name is immaterial and not a confounder to the process. Unfortunately, our faculty has to manually transfer the grades. Some rely on the WebCT id / username. Others rely on the first and last name. I guess without names, this latter group is going to have to deal with relying on the WebCT id.

Only username, first and last name, and role are populated into the grade book. So moving the last name to another name field (like other, prefix, or suffix) would not help.

The last name appears to be part of their scheme for creating usernames, so they will likely need to change the username if the point is to not let anyone know what it is. The school in question does not appear to populate their Vista user records with a school email address. So I don’t know if the same would need to be done with it as well.

Blackboard Vista 3.0.7 does have issues with renaming the last name. While many things are immediately updated (good), some things are not. This is not a comprehensive list.

  1. The last name in the grade book was not updated. Removing the user from the section and restoring it to the section changed the name to the correct one.
  2. The last name in discussions was not updated.

So while renaming the account is easy to do, not everything takes place as quickly as we would like.
