An interesting take on both the B-B book and the new movie: http://bit.ly/2dfHe8v As I have noted here previously, the Boebert-Blossom book is extraordinarily and carefully detailed. However, the movie was not based on this book, but rather on another. And Hollywood generally has to oversimplify to reach people who don't like or cannot deal with complexity. Nevertheless, the publication of the B-B book was held up for at least half a year because of the movie—which has now opened. The blockbuster is compelling, but overly simplistic in that it stresses primarily only one of the major faults -- the "seament" (underwater cement). This URL considers both the book and the movie.
Blame BP for Deepwater Horizon. But Direct Your Outrage to the Actual Mistake. It was years of cutting corners, not one careless mistake, that caused the explosion. http://www.slate.com/articles/health_and_science/science/2016/09/bp_is_to_blame_for_deepwater_horizon_but_its_mistake_was_actually_years.html [This is an excellent summary of the situation, especially if you don't like to read books but might want to see the movie. It is consistent with the detailed evidence provided by the Boebert-Blossom book, which suggests that assessing "blame" is the wrong way to approach the fiasco; the diversity of things that went wrong and were not properly addressed was huge, often with premeditation but sometimes in the heat of the moment as things progressed. There was no one single thing that went wrong. It was a colossal sequence of short-sightednesses. See my previous item (above for those of you reading RISKS not undigestified). PGN]
One issue is how long the USA is going to continue to have serious rail accidents that can be prevented by technology such as automatic braking. According to US news media, the 29 Sep 2016 commuter train crash at New Jersey's Hoboken Terminal is just the latest in a series of US train crashes which could have been avoided by automatic braking. Rescue efforts were complicated by the collapsed roof bringing live electrical wires, and rainwater, into contact with the wreckage. Automatic, or more rapid, cut-off of electrical power in such a disaster might be another technology safety feature worth considering.

Hoboken is a major commuter transportation hub for the NYC area. In the Hoboken crash, the train apparently arrived at the station at full speed instead of the usual 5-10 mph, demolishing part of the station, killing 1 and injuring 114 people at 8.45 am, at the height of the morning commuter rush hour. 15,000 people use this station every weekday. The train went airborne during the crash, which demolished half of the first car, bringing the roof of the car down to the level of the seats. We are lucky the harm was not greater. http://www.cnn.com/2016/09/29/us/new-jersey-hoboken-train-crash/

Relevant US authorities:
* NTSB: National Transportation Safety Board http://www.ntsb.gov/investigations/Pages/2016-hoboken-nj.aspx
* FRA: Federal Railroad Administration. The FRA estimates that at least 300 people were injured and 10 killed every year from 2003 to 2012 in train accidents, not counting people walking along the tracks, or collisions with road vehicles at highway crossings.
* State and local governments
* US Congress, and various government agencies, have been urging for years that the train industry install positive train control, to give trains automatic braking when conditions call for it.
* 2015 May Amtrak crash in Philadelphia killed 8 and injured 200.
* 2013 Dec, a Metro North Railroad crash killed 4 in NY.
* 2011 May there was another crash at Hoboken, sending 30 passengers to hospitals and doing $352,617 damage.
* 2008 California head-on collision killed 25 and injured 100.
* 1996 Feb head-on collision between 2 commuter trains at Secaucus, with 400 passengers on the combined trains.

http://www.cnn.com/2016/09/29/us/us-commuter-train-wreck-history-trnd/
http://www.nbcnews.com/news/us-news/deadliest-train-crashes-u-s-over-past-25-years-n656826
https://en.wikipedia.org/wiki/Category:Railway_accidents_in_the_United_States

HOBOKEN, New Jersey—The National Transportation Safety Board issued an investigative update Oct 1 about its investigation of Thursday's crash of NJ Transit Pascack Valley Line train #1614 into the platform of the Hoboken Terminal. Updated information includes the following:
* Investigators interviewed the accident train engineer. No interview summaries will be provided until interviews are completed.
* Environmental and structural issues still prevent removal of the train from the station. Extensive debris removal must be completed before investigators can access the train and then have the train removed.
* With the assistance of NJ Transit, investigators obtained video from other trains that were at the Hoboken Terminal, to see what those cameras captured from the accident event.
* The event recorder and camera from the controlling cab of the accident train remain inaccessible to investigators.
* The event recorder from the trailing locomotive #4214 has arrived at the recorder manufacturer's facility in Kentucky and NTSB personnel are supervising the attempted download.
* There were no signal anomalies found on the tracks leading to the terminal. A full signal study cannot yet be completed because the accident train remains in the terminal.
* Investigators completed the walking inspection of the track and found nothing that would have affected the performance of the train.
A credible supposition as to the cause—explained in layman's terms -- in this article: http://newatlas.com/spacex-falcon-9-explosion-helium/45594/
The jet tried to land on a snow-covered LaGuardia runway, but instead went through a fence, almost into Flushing Bay. Rapid braking on a snow-covered short runway can be challenging to the most experienced pilots. This snow-covered runway was more treacherous than described by other planes which landed 16 and 8 minutes earlier. That can happen when snow continues to fall, with ground crews struggling to catch up with snow clearing. Plane damage included communications systems, which contributed to an incorrect passenger count, delayed passenger evacuation, and delayed first responders. The NTSB made 10 recommendations to the Federal Aviation Administration <http://www.faa.gov/>, two to Boeing <http://www.boeing.com/>, one to the U.S. operators of MD-80 series airplanes, and one to the Port Authority of New York and New Jersey <http://www.panynj.gov/>. To view the accident investigation summary and resulting recommendations visit: http://go.usa.gov/xBB9k.
The German IT news service Golem reports that the traffic lights from some unnamed German company can be programmed remotely—by anyone, as there is no encrypted communication. http://www.golem.de/news/sicherheitsrisiko-baustellenampeln-gruene-welle-auf-knopfdruck-1609-123503.html Philipp Schäfers and Sebastian Neef, both authors at Golem and IT specialists, have been poking around and found security holes in unexpected places such as utility companies and "uninterruptible power sources" that were mining Bitcoins. (http://www.golem.de/news/schwachstellen-aufgedeckt-der-leichtfertige-umgang-mit-kritischen-infrastrukturen-1607-122063.html) http://www.golem.de/news/kritische-infrastrukturen-wenn-die-usv-kryptowaehrungen-schuerft-1608-122837.html They found 23 traffic lights that were not secure and informed the company that produces them. The company has to date done nothing, even though the German federal office for IT security (BSI, Bundesamt für Sicherheit in der Informationstechnik) has requested that they fix this pronto. The response was just a nice thank-you email, nothing more. In Berlin we recently had the other side of the coin: the automatic traffic speed sign system decided during rush hour that it was foggy outside, even though we were enjoying bright sunlight. All the automatic traffic signs in Berlin were turned down to 40 km/h (normally 80 km/h on the inner city autobahns), causing an enormous traffic jam. I'm sure all of those stuck in the jam wished they could make those traffic lights turn green for them as soon as they left the highway....

Prof. Dr. Debora Weber-Wulff, HTW Berlin, Studiengang IMI, Treskowallee 8, 10313 Berlin +49-30-5019-2320 http://www.f4.htw-berlin.de/people/weberwu/
(The Register, Sept 16) [mmm... 'active' defense with 'offensive' weapons... and the (virtual) Collateral Damages expected (considered and accepted) is what?!?]

National Cyber Security Centre to shift UK to 'active' defence
Cyber chief calls for 'offensive' weapons
16 Sep 2016 at 13:42, John Leyden <http://www.theregister.co.uk/Author/2578>

The head of the UK's new National Cyber Security Centre (NCSC) has detailed plans to move the UK to "active cyber-defence", to better protect government networks and improve the UK's overall security. The strategy update by NCSC chief exec Ciaran Martin comes just weeks before the new centre is due to open next month and days after the publication of a damning report by the National Audit Office into the UK government's current approach to digital security. <https://www.cesg.gov.uk/news/new-approach-cyber-security-uk> <http://www.theregister.co.uk/2016/09/14/cabinet_office_failing_to_coordinate_ukgovs_infosec_practices_says_national_audit_office/> Martin called for the "development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats". Active cyber defence means hacking back against attackers to disrupt assaults, in US parlance at least. Martin defined the approach more narrowly as "where the government takes specific action with industry to address large-scale, non-sophisticated attacks". During his speech at the Billington Cyber Security Summit in Washington DC, NCSC's Martin also floated the idea of sharing government network security tools such as DNS filters with private-sector ISPs, as previously reported <http://www.theregister.co.uk/2016/09/14/great_british_blockoff/>. [...] The NCSC will act as a hub for sharing best practices in security between public and private sectors as well as taking a lead role in national cyber incident response. The organisation will report to GCHQ, the signals intelligence agency.
Bootnote The US's Cybersecurity Information Sharing Act was bitterly but ultimately unsuccessfully opposed by privacy activists. <http://www.theregister.co.uk/2015/12/16/congress_strips_out_privacy_protections_from_cisa_security_bill/>
The Computer Voting Revolution Is Already Crappy, Buggy, and Obsolete https://www.bloomberg.com/features/2016-voting-technology/ Six days after Memphis voters went to the polls last October to elect a mayor and other city officials, a local computer programmer named Bennie Smith sat on his couch after work to catch up on e-mail. The vote had gone off about as well as elections usually do in Memphis, which means not well at all. The proceedings were full of the technical mishaps that have plagued Shelby County, where Memphis is the seat, since officials switched to electronic voting machines in 2006. Servers froze, and the results were hours late. But experts at the county election commission assured both candidates and voters that the problems were minor and the final tabulation wasn't affected. Shelby County uses a GEMS tabulator—for Global Election Management System—which is a personal computer installed with Diebold software that sits in a windowless room in the county's election headquarters. The tabulator is the brains of the system. It monitors the voting machines, sorts out which machines have delivered data and which haven't, and tallies the results. As voting machines check in and their votes are included in the official count, each machine's status turns green on the GEMS master panel. A red light means the upload has failed. At the end of Memphis's election night in October 2015, there was no indication from the technician running Shelby County's GEMS tabulator that any voting machine hadn't checked in or that any votes had gone missing, according to election commission e-mails obtained by Bloomberg Businessweek. Yet as county technicians followed up on the evidence from Smith's poll-tape photo, they discovered more votes that never made it into the election night count, all from precincts with large concentrations of black voters.
via NNSquad http://arstechnica.co.uk/tech-policy/2016/09/switzerland-votes-for-meatier-surveillance-law-by-large-margin/ In total, 65.5 percent were in favour, and 34.5 percent against. Under the new law, Switzerland's intelligence agency, the Service de renseignement de la Confédération (SRC), will be allowed to break into computers and install malware, spy on phone and Internet communications, and place microphones and video cameras in private locations. "This is not generalised surveillance, it's letting the intelligence services do their job," said Swiss Christian Democratic party vice-president Yannick Buttet, according to the Guardian. However, Swiss parliamentarian and leading member of the leftwing Social Democrats Jean Christophe Schwaab disagreed: "This law seeks to introduce mass observation and preventive surveillance. Both methods are not efficient and go against the basic rights of citizens."
http://www.goodwill.org/press-releases/goodwill-provides-update-on-data-security-issue/ http://www.bizjournals.com/boston/blog/health-care/2016/06/mgh-says-patients-impacted-by-third-party-data.html https://sharedassessments.org/2014/03/data-breaches-third-party-risk/ Trustwave Global Security Report: in a stinging condemnation of outsourced system administration practices, it reported that in 76% of the cases it investigated a third party responsible for system support, development or maintenance introduced the security deficiencies later exploited by attackers.
For years, thousands were tricked into buying low-quality ebooks. http://www.zdnet.com/article/exclusive-inside-a-million-dollar-amazon-kindle-catfishing-scam/
http://arstechnica.com/security/2016/09/more-than-400-malicious-apps-infiltrate-google-play/
John Leyden, *The Register*, 21 Sep 2016
Got one of these gizmos? Patch its firmware ASAP <http://www.theregister.co.uk/2016/09/21/bt_wifi_booster_fix/>

BT is urging folks to patch the firmware in its Wi-Fi Extender following the discovery of multiple security flaws. Security researchers at Pen Test Partners discovered vulnerabilities with the consumer-grade kit, including cross-site scripting and the ability to change a password without knowing it. <https://www.amazon.co.uk/BT-Wi-Fi-Extender-300-Booster/dp/B00X7H36YA> Pen Test Partners found it was possible to combine these flaws and exploit them to snatch a victim's WPA wireless network passphrase after tricking them into visiting a maliciously constructed webpage while connected to their home network. [...] upgrading the firmware <http://bt.custhelp.com/app/answers/detail/a_id/54345> of the Wi-Fi Extender to version 1.1.8 resolves the problem. [...] The bugs—the latest in a long line of vulnerabilities in SOHOpeless networking kit—are explained in a blog post by Pen Test Partners here. <https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/>
Alisha Rouse, *Daily Mail* via *The Register*, 13 Sep 2016 <http://www.dailymail.co.uk/money/news/article-3787960/Watch-crooks-complain-Twitter-Criminals-posing-bank-customer-service-staff-social-media.html>
Watch out for crooks if you complain on Twitter

Crooks are posing as bank customer service staff on the social media website to try to dupe customers into visiting a dodgy website or clicking a link so the fraudster can steal their financial details. Most banks have a dedicated account on Twitter for customers who need instant help. Those who have used the service often say it's an efficient way to get a response to basic complaints as the bank must be seen to be acting swiftly in public. But fraudsters are setting up profiles that look almost identical to these official bank help accounts. They are then swooping on customers who ask for help from the official accounts and trying to lure them to dangerous websites. ... All the major [British] banks say they've seen instances of fraud like this.
Woody Leonhard, InfoWorld, 23 Sep 2016 The convoluted method Microsoft used to fix the MS16-098 double-printing bug is a harbinger of screw-ups to come with the new all-or-nothing approach to patching http://www.infoworld.com/article/3123670/microsoft-windows/microsoft-finally-fixes-double-print-bug-but-more-patching-problems-loom.html
Lucian Constantin, 26 Sep 2016 DDoS attacks got a power boost thanks to hundreds of thousands of insecure IoT devices http://www.infoworld.com/article/3124215/security/armies-of-hacked-iot-devices-launch-unprecedented-ddos-attacks.html opening text: Security researchers have been warning for years that poor security for Internet-of-Things devices could have serious consequences. We're now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale. Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported. According to Klaba, the attack targeted Minecraft servers hosted on OVH's network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras. With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.
I noticed that my spam filters deleted RISKS-29.79. I read it on Usenet, and saw that it had been blocked because a post from "The CyberWire" with a subject line of "Russian intelligence services seem responsible for hacking German political groups" cited a URL on the notorious spam website c o n s t a n t c o n t a c t . c o m. I expect that lots of people didn't get the digest for that reason, and that many of those who did, including me, refused to click on that website since spam sites are likely to host malware, or at least to be totally unreliable sources of information.
Germany calls halt to Facebook's WhatsApp info slurp http://www.theregister.co.uk/2016/09/27/germany_calls_halt_to_facebooks_whatsapp_info_slurp/
Privacy watchdog says nein
John Oates, 27 Sep 2016

A German privacy regulator has told Facebook to stop collecting user information from WhatsApp. Hamburg's Commissioner for Data Protection and Freedom of Information issued an administrative order to immediately stop the collection and storage of data from German WhatsApp users. It also told Zuckerberg's social media giant to delete all information it had already collected from the messaging service. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, said in a statement: "This administrative order protects the data of about 35 million WhatsApp users in Germany. It has to be their decision, whether they want to connect their account with Facebook. Therefore, Facebook has to ask for their permission in advance. This has not happened." "In addition, there are many millions of people whose contact details were uploaded to WhatsApp from the user's address books, although they might not even have a connection to Facebook or WhatsApp. According to Facebook, this gigantic amount of data has not yet been collected. Facebook's answer, that this has merely not been done for the time being, is cause for concern that the gravity of the data protection breach will have a much more severe impact." Facebook altered WhatsApp terms and conditions to a default setting of sharing data. Users were given time to change their settings if they wished to, but there has still been wide criticism of the move. Facebook told Reuters it was willing to work with the regulator to resolve their concerns. There are ongoing legal challenges in Germany and in India to oppose the move and US regulators are also examining the issue. Facebook paid $19bn for WhatsApp two years ago <http://www.theregister.co.uk/2014/02/19/facebook_acquires_whatsapp/>.
Michael Kan, 27 Sep 2016 The company isn't saying how it arrived at the conclusion that its massive data breach was carried out by a state-sponsored actor http://www.infoworld.com/article/3124406/security/yahoos-claim-of-state-sponsored-hackers-meets-with-skepticism.html selected text: Yahoo has blamed its massive data breach on a "state-sponsored actor." But the company isn't saying why it arrived at that conclusion. Nor has it provided any evidence. The lingering questions are causing some security experts to wonder why Yahoo isn't offering more details on a hack that stole account information from 500 million users. "If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat," said Chase Cunningham, director of cyber operations at security provider A10 Networks.
via NNSquad "Yahoo says hack of 500 million users "state-sponsored", but a security firm calls bull****" http://boingboing.net/2016/09/29/yahoo-says-huge-hack-was-sta.html So, that huge hack of 500 million Yahoo user accounts last week that Yahoo blamed on a "state-sponsored actor"? A private Internet security firm is calling bull**** on the "state-sponsored" part. The hack of more than 500 million account credentials was the work of an Eastern European criminal gang, claims InfoArmor. The Arizona-based firm released a report Wednesday challenging Yahoo's claims that a nation-state actor was behind the data heist.
Computerworld | Sep 30, 2016 3:00 AM PT http://www.computerworld.com/article/3124784/security/sort-of-gives-driving-safely-a-whole-new-meaning.html selected text: It seems someone driving near fish tried to pair his or her phone just as they were alongside—fish figures the other driver must have the same brand of GPS, and connected with fish's by mistake. On the other hand, fish realizes he could have downloaded Pat's contacts, listened to Pat's voice mail and likely grabbed all of Pat's text-message history.
http://www.nytimes.com/2016/09/21/technology/the-15-point-federal-checklist-for-self-driving-cars.html Federal regulators urge automakers to prove that their semiautonomous and driverless vehicles meet specific safety expectations.
A Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. https://www.helpnetsecurity.com/2016/09/29/risky-password-practices/ via NNSquad
This question on twitter made me laugh: How long until robot ransomware? Send us 3BTC or you'll never get your Roomba out from under the couch.
https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ Today, I am happy to report that the site is back up—this time under Project Shield [https://jigsaw.google.com/projects/#project-shield], a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks—particularly those the size of the assault that hit my site this week—are uniquely effective weapons for stomping on free speech, for reasons I'll explore in this post.
In Risks 29.79, Dimitri Maziuk <dmaziuk@bmrb.wisc.edu> wrote:

> The ruling is that a business entity is not required to disclose
> the details of a deal it made with another business entity to anyone
> who bothers to ask. Obviously, you can't rule otherwise and have free
> market capitalism at the same time.

It's not obvious to me. Free markets do not require perfect information, but, on the other hand, they can exist when perfect information is required. ("Perfect information" is a term of art in economics, meaning, roughly, that everyone in the market knows details of prices, which aren't meaningful without terms, and even the details of production methods and other information.) A perfect market (another term of art) is characterized by perfect competition (yet another term of art), which includes perfect information (go ahead, assume it). Perfect markets can exist in capitalist, socialist, or other contexts. On the other hand, these various contexts do not require perfect markets. The significance of a perfect market is, in part, due to its tendency to reach a certain kind of equilibrium, termed Pareto optimality. It is also related to the kinds of profits which enterprises can yield, but that's another, though related, topic. So, capitalist markets can exist in the context of varying degrees of disclosure. Note that the stock market, which is typically considered more nearly perfect than, say, the real-estate market, is considered quintessentially capitalist, despite government-required disclosures. Anyone can learn a lot about publicly traded stocks, but real-estate agents try to monopolize the information about their market, so that market is less efficient. Although this terminology is well established, the benefits and detriments of the various decisions relating to the advisability of these things are intensely debated. Politicians, as well as economists making political statements, often gloss over the details, which can be highly misleading.
To be fair, the economist's definition of perfect competition doesn't necessarily allow for economies of scale, network effects, and some other things a non-rigorous definition might ignore. However, ignoring these qualifications further fans the flames of public debate. Few politicians offer opinions on other sciences, but many render pronouncements on economics, although arguably other sciences are equally relevant to the de facto (but not necessarily appropriate) roles of government. Despite Adam Smith's conjecture that markets pre-date government intervention, there is little hard evidence that such markets were (and are) not qualitatively extremely different from what an economist calls a market. Intuition and conventional wisdom don't necessarily suffice here. Moreover, governments are involved in all markets as we normally understand the term; for example, they participate in the enforcement of contracts. As such they make policy, which can directly impact the operation of the market. For instance, it's a matter of public policy that, in most jurisdictions, much of certain kinds of drug dealing, prostitution, killing for hire, and other "criminal" activities are discouraged. Therefore, the courts will not enforce contracts based on such activities. You might imagine a situation where a government would declare imperfect markets to be undesirable, for some suitable choice of propinquity to perfection, and refuse to enforce contracts where complete disclosure was not made. Of course, this would require that the government itself would be transparent, that the anonymity of corporate organization would be prohibited, and so on. Picture, if you will, a government failing to enforce patent rights when the plaintiff has concealed important market information. (For instance, think of submarine patents.)
This is not so preposterous a suggestion as it might first seem, since the justification for patents in the first place is based on the assumption that disclosure will benefit the arts and sciences, and almost everyone assumes that perfect competition (which requires perfect information) usually is in everyone's best interests; indeed, it is often held (incorrectly) that competition and free markets are the bedrock of capitalism. This is a deep rabbit hole, indeed.
As the first person to register for Google mail with my particular name, I got it, with no digits or suffix tweaks. Now I get mail for lots of other people with my name, probably because they forget to use their digits, or someone copies it wrong. I've gotten other people's plane reservations, copies of medical records, diplomatic documents, notifications of overdue library books, auto maintenance reminders, confirmations of job interviews, invitations to class reunions and other parties, detailed sales offers, drafts of contracts, reminiscences of old love affairs, and Facebook membership notices. Sometimes it's possible to find and inform the actual person or sender, often not—what's that e-mail address? And I've learned a lot about how companies try to protect themselves from those pesky complaints by making themselves impervious to contact, or through simple incompetence. When contact is impractical, I try to take action. The airline company was uncooperative, so I used their online system to cancel the reservations. (To me that one smelled like credit card fraud anyhow.) The online system was perfectly happy to "help" me reset the "lost" password using the e-mail address it had for me, plus information on the confirmation itself. Hm. What happened when that couple showed up at the airport? I know they didn't get the mail confirming the cancellation - I did! Mail from that airline stopped shortly thereafter. I got into the Facebook account and e-mailed some of the owner's contacts to ask them to tell him his mail was falsely directed, without effect. So I closed it. What did he think caused that? There's also a certain amount of malicious misuse of my address by people who aren't spammers or phishers, but apparently just think they're doing something funny. Sometimes it's possible to fix that. Luckily most of that stuff ends up in the spam folder anyway.
As happens, I can relate to John Levine's submission. I was an early adopter of GMail, and coming from a Unix background of 8-character userids, I've generally used my 8-character surname as my preferred email address. I've received email that people thought was going to Newt Gingrich, I've received loan documents and a lot of other misdirected messages. And recently this has become more common. After some consideration I'd like to put forward a possible mechanism. I've noticed that when I use an iPad in particular, the automatic text prediction will put a space after a full-stop. I would suggest that there are a number of addresses of the form foo.gingrich@gmail and that when foo enters an address on whatever site, the text prediction adds a space and I get the email. When I am convinced that the sender is legitimate (following a good look at full headers), I frequently respond to the sender telling them they've got the wrong Gingrich. Or I simply unsubscribe if I can. But the problem of unsubscribing an incorrectly entered email address is another completely different and more complex problem.

Don Gingrich gingrich@internode.on.net gingrich@gmail.com gingrich@acm.org don.gingrich@member.sage-au.org.au http://www.gingrich.id.au for web page
I also frequently get email intended for other people, and the main reason is that the primary offenders are a lovely couple whose first names ("Andrew" and "Pam") happen to be the same as my full name. Consequently when they could not get andrew.pam at a globally popular mail provider, they chose to settle for "andrew.pam2" as their account name. The evidence shows that this was not a good choice, as they frequently either mistype this themselves or the address is corrupted in transcription, resulting in my having to inform correspondents that they have reached the wrong person on the wrong continent. I would suggest that in order to mitigate the RISK of confusion and unintentional exposure of private information, perhaps mail providers should consider not allowing account names that differ from existing accounts by only a single character.
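One way to implement the similar-name check suggested above, as an added example that is not the poster's code nor any provider's: it canonicalises local parts the way Gmail does (dots ignored, case-insensitive, and the stray space after a full stop from the iPad autocorrect case removed), rejects a candidate within one edit of an existing account, and goes slightly beyond the post's single-character rule by also flagging names that differ only by a run of trailing digits. The existing-account set is constructed for the example.

```python
import re
from typing import Iterable, Optional

# Constructed sample of already-registered local parts (not real accounts).
EXISTING_ACCOUNTS = {"andrew.pam", "gingrich", "jlevine", "dmaziuk"}


def canonicalize(local_part: str) -> str:
    """Collapse the variations that the misdirected-mail stories rely on:
    case, embedded whitespace ("foo. gingrich"), and dots, which Gmail
    already treats as insignificant ("andrew.pam" == "andrewpam")."""
    s = local_part.strip().lower()
    s = re.sub(r"\s+", "", s)
    return s.replace(".", "")


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b are equal or differ by one insertion, deletion,
    substitution, or swap of two adjacent characters."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:                      # single substitution
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]                         # adjacent transposition
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    if len(a) > len(b):                          # make a the shorter string
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]                    # one insertion into a


def conflicting_account(candidate: str, existing: Iterable[str]) -> Optional[str]:
    """Return the existing account the candidate would be confused with,
    or None if the candidate is acceptably distinct.  The trailing-digit
    rule is an extension of the post's suggestion: "andrew.pam2",
    "andrew.pam22" and "andrew.pam2016" all collide with "andrew.pam"."""
    cand = canonicalize(candidate)
    cand_no_digits = re.sub(r"\d+$", "", cand)
    for name in sorted(existing):
        canon = canonicalize(name)
        if within_one_edit(cand, canon):
            return name
        if cand_no_digits and cand_no_digits == re.sub(r"\d+$", "", canon):
            return name
    return None


if __name__ == "__main__":
    for probe in ("andrew.pam2", "Andrew.Pam", "gingrihc", "foo.gingrich", "pamela"):
        clash = conflicting_account(probe, EXISTING_ACCOUNTS)
        print(f"{probe:14s} -> {'rejected, collides with ' + clash if clash else 'ok'}")
```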
> The normal approach for verifying an e-mail address is to send a message to
> it with a click here if that was you who signed up and (too often missing)
> click there if it wasn't you.

There's nothing wrong with this link not being there. The thought behind its absence is to fail safe: if there is no positive response, the automatic assumption _must_ be that there would have been a negative one. In other words, if you don't actively click "it was me", the list assumes that it wasn't you. There is, and should be, no need to actively confirm the negative case; if the positive case isn't actively confirmed, the negative route is taken.

> But a lot of marketers apparently think that's too hard, and why would
> someone give us the wrong address?

Ah, now, a lack of a confirmation link—and therefore, an assumption of the _positive_ reply, unlike in the previous case—is certainly wrong. However, I suspect you give marketeers too much credit. My strong suspicion is that they're not even being naive, they know many addresses they get are of people who don't want their spam and they just don't care. Eat your spam, Consumer Unit 56634, it's good for you.