Alan Hargreaves' Blog

The ramblings of a former Australian SaND TSC* Principal Field Technologist

Newspapers, Hoax Stories from Email, Risk Management

Over the last few days I’ve seen a lot in the news about newspapers (e.g. this one) looking for someone to blame. On receipt of an email that looked like it came from one of their correspondents, carrying what would have been a major scoop (Citigroup buying a controlling interest in the Australian telco Telstra), they published the story, only to find afterwards that the From address was forged and the story a hoax.

For goodness sake people, email address forging has been around since email began. It’s really not rocket science. It’s certainly not sophisticated hacking as reported in some stories.

A line from the Dire Straits song “Solid Rock” comes to mind.

When you point your finger ’cause your plan fell through,
You’ve got three more fingers pointing back at you

One of the first lessons of email is to never trust the fields in the headers. They are simply text that any program (or, for that matter, someone at a keyboard in a telnet session to an open SMTP gateway) could supply.

The real issue here is, why on earth are the papers and their correspondents communicating via email and not using some kind of encryption/authentication? It’s not like the technology is new, nor difficult. What we are looking at here is either ignorance of the technology (unlikely), or a risk management decision (conscious or unconscious) to not use it. As with all risk management decisions, each decision you make has a consequence and associated risk and probability. In this case, the decision not to use authenticated email carries the risk of exactly what we have just seen happen.
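To make the point about header fields and authentication concrete, here is an added example (not part of the original post) of a receiving-side check that refuses to rely on the From line unless the paper's own mail server recorded a DMARC pass for that domain. It assumes a border MTA with the hypothetical id `mx.paper.example` that stamps `Authentication-Results` headers and strips incoming copies bearing its own id; all sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.paper.example"  # assumption: id of our own border MTA

# Constructed sample messages (not real mail). Both carry the same From line.
FORGED = """\
Authentication-Results: mx.paper.example; spf=fail smtp.mailfrom=other.example;
 dmarc=fail header.from=paper.example
Authentication-Results: other.example; dmarc=pass header.from=paper.example
From: Staff Correspondent <correspondent@paper.example>
Subject: Scoop

Story text.
"""
GENUINE = """\
Authentication-Results: mx.paper.example; dkim=pass header.d=paper.example;
 dmarc=pass header.from=paper.example
From: Staff Correspondent <correspondent@paper.example>
Subject: Filed copy

Story text.
"""

def dmarc_pass_domains(msg, trusted=TRUSTED_AUTHSERV):
    """Return the From domains for which our own MTA recorded dmarc=pass."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in str(value).split(";")]
        if not parts[0] or parts[0][0].lower() != trusted:
            continue  # stamped by another host (or the sender): not evidence
        for tokens in parts[1:]:
            if tokens and tokens[0].lower() == "dmarc=pass":
                domains.update(t.split("=", 1)[1].lower() for t in tokens[1:]
                               if t.lower().startswith("header.from="))
    return domains

def sender_is_authenticated(raw):
    """True only if the single From domain has a trusted dmarc=pass result."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False  # missing or duplicated From: nothing safe to rely on
    domain = parseaddr(str(from_headers[0]))[1].rpartition("@")[2].lower()
    return bool(domain) and domain in dmarc_pass_domains(msg)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "->", sender_is_authenticated(raw))
```

A pass here authenticates the sending domain only; confirming that a particular correspondent wrote the message still needs a per-person signature such as S/MIME or OpenPGP.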

I find it laughable that, having taken a decision to not use authenticated email, the papers are now attempting to find a scapegoat other than the people who made that risk management decision.

The blame for the papers running with these stories lies fairly and squarely with the papers themselves. Any attempt to place it elsewhere is the result of people attempting to protect their own backsides. Then again, unfortunately our society has moved to the point where people (and companies, etc) are unwilling to accept the consequences of their own actions and decisions. It must be someone else’s fault.

A message to the newspapers: grow up and accept responsibility for your own risk management decisions. The correct action here is not to find a scapegoat, but to learn from the event and act positively on it.


Written by Alan

June 30, 2010 at 11:37 am

Posted in General
