Saturday, October 27, 2007

"To" vs. "BCC": An Oldie but Goodie Strikes Again

For all of the talk amongst the cyberspace cognoscenti about high-technology security problems, it's good to be reminded that almost all of the old 'oops' moments we've seen before continue to haunt us today.

I can't vouch for this story other than what we read here, but for what it's worth it's a good reminder to us all. There are reports that an email was sent by the US House Judiciary Committee to a group of people who had submitted anonymous notes to a whistleblower tip box. The email reminded them all of how their identities were going to be kept secret.

Of course -- you guessed it -- the email was sent simultaneously to 150 anonymous tipsters by putting each of their email addresses into the "To" field. Thus, everybody on the mailing list now knows the email addresses of the other 149. (Plus, all of the recipients were probably annoyed at having to scroll down through 7 inches of addresses before they got to the message!) The problem would have been mostly avoided by simply putting the recipients' addresses into the "BCC" field rather than the "To" field. (Even then, the ISP's mail server that first accepts the email from the sender certainly sees the full BCC list and keeps it in its logs, at least for some period of time, so it's not a totally safe maneuver.)
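To make the difference concrete, here is an added example (not code from the original post, and the addresses are constructed placeholders) that builds the same notice both ways and then audits the message as it would be delivered. The key point it shows is that "BCC" is really a property of the SMTP envelope (the RCPT TO commands), not of the message headers: the tipster list is handed to the mail server separately and is never written into the message at all, so each delivered copy shows no other recipient. The hypothetical `leaked_recipients` check parses the outgoing message and reports any envelope recipient that another recipient could read out of the To:, Cc: or a stray Bcc: header.

```python
"""Added example: keeping a bulk notice from exposing its recipients.

All addresses below are constructed sample values, not from the post.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed sample tipster addresses (hypothetical).
TIPSTERS = [
    "tipster1@example.org",
    "tipster2@example.org",
    "tipster3@example.org",
]
SENDER = "notices@committee.example"  # constructed sender address
BODY = "Your identity will be kept confidential."


def build_exposed_notice(sender, recipients, body):
    """The mistake: every recipient goes into the To: header, so every
    delivered copy carries the full list of 'anonymous' tipsters."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Confidentiality notice"
    msg.set_content(body)
    # The envelope recipients are the same list as the header.
    return msg, list(recipients)


def build_bcc_notice(sender, recipients, body):
    """The fix: the tipster list is passed only as SMTP envelope
    recipients (RCPT TO) and never written into a header. To: points
    back at the sender, so no delivered copy names another recipient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # or an "undisclosed-recipients" placeholder
    msg["Subject"] = "Confidentiality notice"
    msg.set_content(body)
    # Deliberately no msg["Bcc"] = ... line: a Bcc header written into
    # the message would travel with it if the sending MTA did not strip it.
    # To send, pass the list separately, e.g.
    #   smtplib.SMTP(host).send_message(msg, from_addr=sender, to_addrs=recipients)
    return msg, list(recipients)


def exposed_addresses(raw):
    """Parse a message as it would be delivered and return every address
    visible in its To:, Cc: and (stray) Bcc: headers, lower-cased."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    values = []
    for name in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def leaked_recipients(msg, envelope_rcpts):
    """Audit check: which envelope recipients could another recipient
    read out of the headers of the delivered message? Empty is good."""
    visible = exposed_addresses(msg.as_bytes())
    return sorted(r for r in envelope_rcpts if r.lower() in visible)


if __name__ == "__main__":
    bad, bad_rcpts = build_exposed_notice(SENDER, TIPSTERS, BODY)
    good, good_rcpts = build_bcc_notice(SENDER, TIPSTERS, BODY)
    print("To: version leaks  ", leaked_recipients(bad, bad_rcpts))
    print("BCC version leaks  ", leaked_recipients(good, good_rcpts))
```

Running this prints the three constructed tipster addresses for the "To" version and an empty list for the BCC version. The caveat in the post still applies: the envelope recipient list is seen by the submitting mail server and will sit in its logs, so BCC prevents recipients from seeing each other, not the sender's infrastructure from recording who was mailed.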

Without getting into the almost certain political fun that will follow, we can take this as a lesson. While we all work to stay up to date on the most cutting edge of exploits and security tactics, don't let the old ones fall out of sight and out of mind. The oldies but goodies are just as likely to bite you today as they were when they were new.
