Simon Owens of Bloggasm (with two g’s) tends to cover online media. Simon interviewed me the other day for a piece on the PZ Myers death threat, the Holy Crackers! scandal, and the issue of posting emails one receives. His write-up on this is now out; I’ve just read it, and I recommend it.

I’d like to expand on a couple of points.


Simon mentions that I think the IT department at 1-800 Flowers may be more responsible for the Kroll mess than M. Kroll herself. I want to make sure that you understand what I’m saying here. (Simon did a fine job at reporting … I’m simply using this mention as a segue for the following rant.)

First, we don’t really know what happened. There is evidence, as I’ve already posted, that the Krolls, or The Kroll, or someone using a Krollish computer somewhere in New York State may or may not be entirely as represented via email and internet postings. But let us assume that there is a Mr. and a Mrs., and that Mr. K posted the death threat on a shared computer and that the email was sent via Mrs. K’s account.

IF that is true, then one has to ask: Why would the very remorseful Mr K have done that? The best answer is probably: By accident.

We now have a situation where Mrs. K seems to have been fired because she ‘allowed’ someone other than herself to use her email account. However, this may not be the case at all. It is quite possible that she did not “allow” something to happen any more than the IT department of the company she works for “allowed” something to happen. (Caveat: We don’t know. This is speculation.)

If I turn on my wife’s laptop (which I don’t), open up a Firefox window, type “comcast.net” in the URL box and click on Email, AND IF she has previously been using her Comcast email account and did not log off last time, then suddenly I’m in her Comcast email (I think). If I’m distracted and/or not paying attention and click “new email” and use that window to send PZ Myers a death threat … well, the rest would be history. He’d probably drive down Route 10 and kick my ass.

But you see the point. If a company has people working at home and sets them up with a VPN or some other way of connecting to a company server, then this is a risk the company is taking. The best way to manage this is to provide and manage the home computer (which I doubt happened here) and tell the worker that no one else should use this computer (which, by the way, is one reason I would not turn on my wife’s laptop … it is her school computer and I do not go near it. Besides, it runs some zany operating system I try to avoid.)
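The scenario above turns on one detail: the webmail session was still valid when someone else sat down at the browser. Whether that can happen depends partly on how long the server lets a login cookie live. The following is an added example, not code from this post or from any webmail provider; it audits constructed Set-Cookie headers against an assumed policy (a session should not outlive a working day) and flags cookies that persist longer, or that lack the Secure and HttpOnly attributes. The header values, cookie names and policy threshold are all made up for illustration.

```python
"""Audit Set-Cookie headers from a webmail login response for session
persistence. Added example; the headers and the policy are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Assumed policy: a webmail login should not outlive a working day.
MAX_SESSION_SECONDS = 8 * 3600

# Constructed reference time for evaluating Expires attributes.
NOW = datetime(2008, 7, 18, 12, 0, tzinfo=timezone.utc)

# Constructed Set-Cookie headers as a login response might return them.
SAMPLE_HEADERS = [
    # Keeps the mailbox open for 30 days on any browser holding the cookie.
    "WEBMAIL_SESS=abc123; Path=/; Expires=Sun, 17 Aug 2008 12:00:00 GMT",
    # Cleared when the browser closes, and marked Secure and HttpOnly.
    "WEBMAIL_SESS=def456; Path=/; Secure; HttpOnly",
    # Lives one hour via Max-Age, but may be sent over plain HTTP.
    "WEBMAIL_SESS=ghi789; Path=/; Max-Age=3600; HttpOnly",
]


def cookie_lifetime(header: str, now: datetime = NOW) -> Optional[int]:
    """Lifetime in seconds, or None for a browser-session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 specifies."""
    max_age = None
    expires = None
    for attr in header.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                max_age = int(value.strip())
            except ValueError:
                pass
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                pass
    if max_age is not None:
        return max_age
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_set_cookie(header: str, now: datetime = NOW) -> Dict[str, object]:
    """Return the cookie name, its lifetime and a list of policy findings."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    flags = {p.lower() for p in parts[1:]}
    lifetime = cookie_lifetime(header, now)
    findings: List[str] = []
    if lifetime is not None and lifetime > MAX_SESSION_SECONDS:
        findings.append(
            f"persistent cookie: valid for {lifetime // 3600} h, exceeds policy")
    if "secure" not in flags:
        findings.append("missing Secure attribute")
    if "httponly" not in flags:
        findings.append("missing HttpOnly attribute")
    return {"name": name, "lifetime": lifetime, "findings": findings}


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        result = audit_set_cookie(hdr)
        print(result["name"], result["lifetime"], result["findings"])
```

A cookie with no Max-Age or Expires is dropped when the browser closes, which is better, but a browser left running keeps it alive, so the server also needs its own idle timeout before any of this helps the shared-computer case.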

But, companies will not provide their employees with computers, or if they do, they will make sure to take the old used ones and send them to workcamps in China before they de-assess them and allow them to filter into the possession of the employees’ families (so that everyone has cleaner access and all become more computer savvy), or they will fail to provide adequate safeguards on the home system to minimize mistakes by the employee, or they won’t provide adequate training.

I’m not picking on 1-800-Flowers here. Most institutional or corporate entities fail to do what in the long term would benefit both employees and the company when it comes to IT resources. It is quite possible that this is one of those instances, and frankly, I’m rather annoyed that many of the otherwise wonderful and invaluable IT people who read and comment here on this blog are very comfortable with the formula “IT Policy Violated = Fire the person at the keyboard” when in fact, it may be the policy makers who are truly at fault.

Go read: The ethics of hate mail: Should bloggers post email correspondence without permission?, by Simon Owens at Bloggasm.

Comments

  1. #1 Mister Almost
    July 18, 2008

    Excellent point. Many companies want to give the impression of protecting data but do a poor job of it. I’ve seen critical security fixes not get installed because a “business case for the work effort” needs to be provided or worse, “because”.

    I’m sure it never occurred to the alleged account-holder that her alleged husband might send death threats through her alleged account. It often takes an event like this one or something worse to drive home the idea of security, and that idea is usually forgotten within months.

  2. #2 Christian
    July 18, 2008

    It strikes me as odd that a company would even set up a webmail system for their employees to use rather than providing them with an email client software. Since the use of webmail services is only as secure as the browser utilized, I would not think that a webmail client could be a viable alternative to an email client software (especially one that is not MS Outlook) when it comes to security. The fact that some browsers can be configured to memorize passwords and automatically log into webmail accounts as soon as you type in the address might have very well contributed greatly to the current mess.

    This whole “cracker death threat affair” would have probably never happened if Mrs. K would have used, say, Thunderbird as an email client software. I highly doubt that Mr. K would have opened up her software client (unless he deliberately wanted to send the threat in her name, in which case he probably would have found a way anyhow) in order to send private messages. Furthermore, Thunderbird can quite simply be protected via a password – and much more effectively than a webmail client, since you can set the system to require re-typing the password every time you want to use it.

    It would be reasonable to assume that any company with employees working from home on shared computers would be able to come up with a set of rules regarding the proper use of a secure email client software as well as organize some workshops for their employees.

    The blame for the threat however, should be placed squarely on the shoulders of the person who sent it – and not on the IT policies of the company. Since one could assume that the company might fire an employee over any violation of their IT policies (from death threat to birthday message), you are right in pointing out that there is certainly much room for many companies when it comes to improving their policies.

    Personally, I would favour integrating basic internet safety training into school curricula. Think: internet scams, Nigeria connection, child predators etc. pp. Any person who uses the internet should have at least basic knowledge about how to protect him- or herself. Sadly, this is not the case (at least not here in Germany). But then again, who has money for education programmes these days…?

  3. #3 AB
    July 18, 2008

    I think you may be entirely correct about this being an accident. A similar source of confusion is that when I (or my wife) use my laptop and browse a webpage that has an email link, a click of that link automatically brings up a new outgoing message through MS Outlook. We both use multiple gmail, hotmail, and work accounts and we don’t ever read those accounts through Outlook. So it isn’t exactly obvious which email account this message is coming from. A moderately computer savvy person would have no trouble sorting this out, however the level of intellect we seem to be dealing with in Mr. K would likely not only have no chance of figuring it out, he would not even recognize there is an issue or possibly even understand that the email is coming from a specific account as opposed to just coming out of his computer.

  4. #4 peter
    July 18, 2008

    dunno if I agree with that premise… at my company, the whole reason you have a vpn account with a one-time-pad keyfob is to be able to prevent this sort of thing. you log in when you need the office network, and log out when you’re not using it any more. added advantage is that if you’re not logged in, you can’t access the corporate mailservers anymore. also, I’m not sure about other companies, but at least here, all work related hardware, whether at home or in the office is supplied by the company.

    it may have been accidental, but the responsibility of the employee with the vpn account is to be diligent about not letting this sort of thing happen, you have the keys to the candy store. for that matter, most OSes these days have multiple user accounts, if you sit down at a machine, you switch accounts. if you don’t have an account on a system, you probably shouldn’t be using it without explicit permission.

    now whether she should have been fired or reprimanded is a separate argument from whether or not she was culpable. it was a death threat, and it did garner national attention and bad publicity for 1800 flowers. if it had been something with less attention, it may not have resulted in a firing. I certainly don’t believe in the fixed equation that you mention above, but nor do I think that this is the sort of thing that can be totally glossed over. as you suggest, perhaps the company made an error in judgement in allowing this person to have remote access, but the employee has a certain amount of responsibility for their own actions.

  5. #5 Stephanie Z
    July 18, 2008

    Peter, the point is whether employees are being blamed for accidents that a rational IT security policy would have prevented. Yours sounds quite rational. Many companies’ are not. Most employees, even those who require lots of access, are just not that computer-savvy, certainly not as much as you are.

    Christian makes a very good point about education.

  6. #6 Greg Laden
    July 18, 2008

    Peter:

    On your second point: If we are asking if Mrs K is guilty, the severity of Mr K’s transgression is irrelevant, logically. So the fact that it was a death threat does not make her more guilty of having screwed up account access.

    With respect to your first point, you may be right but we don’t know enough. However, it has been my experience that IT experts and departments often have policies that blame the victim of bad design or non-existent training. That may or may not be the case here.

  7. #7 Rev Matt
    July 18, 2008

    I’ve worked for a lot of companies in a lot of different sectors of the economy. Small or large the policy with access from home has always been either a) company provided computer that only employee is allowed to use or b) employee provided computer with the explicit condition that employee not allow anyone to use their profile (e.g. if husband wants to use computer he must log you out first). In either of these instances it is still Mrs K’s fault if she violated either of these types of policies.

    Now if the company does not have those sorts of policies then it becomes much less clear how much blame lies with her and how much with the company. I just think it’s highly unlikely they don’t have any sort of ‘acceptable use of company resources’ policy that is part of the employee handbook that no one reads but still signs the form saying they got it and will obey it. Allowing a non-employee to use company resources without permission would be pretty high on the list of prohibited uses.

    As you say, we don’t know nor likely will we ever know the details.

  8. #8 Kevin
    July 18, 2008

    IT personnel can not always be looking over the shoulder of end users to make sure they are following IT policies. The weakest link in any network’s security system is the end user. Blaming IT staff or policies is silly since you can’t always be there to enforce policy, especially if you have people that work on the road or from home.

    You can give users all the security tools they need or that you require them to have, but if they are lax about using them there’s not a whole lot that IT staff can do about it other than scolding the offenders or firing them for more egregious infractions. If someone doesn’t lock their computer at home when they leave to do something else, how is the IT staff or security policies to blame?

    It’s unfortunate that this woman lost her job for something that she did not do, but it was her fault she left her work computer in an unsecured state and further, it’s her husband who used the computer to send the death threat and the blame for that lies squarely with him.

    Yes, I work in the IT industry. My user account at work has pretty much unlimited access to our whole system. If I leave my desk and someone uses my account to gain access to our system and do some damage the blame lies solely with me, the end user.

    PS: First time poster, long time lurker; love the blog!

  9. #9 Mike Haubrich, FCD
    July 18, 2008

    I work at a bank and we have full access to the internet; but still I feel uncomfortable posting an e-mail to my yahoo or gmail account from work, or even replying in a post. It’s because of the ip address that could be traced if someone doesn’t like what I write. I could be fired. Mind, I am not in the habit of sending death threats, but even writing a comment supporting PZ at this point could get me in trouble if I do it from work.

    During orientation, we are required to read and sign the disclosures that we are responsible for anything and everything entered at our workstations. We have to lock them down with a secure password whenever we leave our desks.

    I feel sorry for Melanie Kroll, but with access comes responsibility. Conceptually hers is the same responsibility for what happens as in Dram Shop laws. Bars are held responsible for the consequences of overserving if a drunk driver kills someone, even if they aren’t at the wheel of the car. She should have been paying attention to the rules.

  10. #10 peter
    July 19, 2008

    greg:
    agreed, regardless of the actions taken by Mr. K, the transgression of Mrs. K is unchanged. my point was not intended that the severity of Mr. K’s actions should dictate the severity of the punishment, simply that the nature of Mrs. K’s lapse might have been seen as (relatively) slight, therefore a reprimand would have been sufficient. the difference could be seen as a: she let her husband send an email via the company server, or b: she left the computer unattended and a complete stranger was given access. I can see judging ‘a’ as less severe than ‘b’. I think however that Kevin has it just about right. in either case, it shouldn’t have been allowed. and you rightly point out, we’ll probably never know.

    As Stephanie suggests, there are quite a lot of people that have enormous access who are not very computer savvy. I’m thankful that I was sent to computer summer camp as a child, (along with the usual sorts of day camps,) and have developed some deeper knowledge of the inner workings of these damned machines… (which I spend far too much time on…) I am however constantly shocked by the lack of any sort of basic understanding of the underlying systems by certain sections of my company.

    re: Mike’s comment. when you send an email via browser based gmail, yahoo or .me or whatever, the originating IP address is that of the webmail’s mailserver. it does not show the IP address of the host computer that the browser is running on. (assuming you access the webmail account via a browser rather than a mail client.) this is one of the reasons spammers love hotmail and the like. you can try this experiment, send yourself emails from the two web clients, then send yourself something from the work email program and compare the raw source of the messages. the originating server will be different in all the cases.

    btw, on a different subject, just got back from the midnight show of ‘Dark Knight’… very good flick! (hence why I’m responding to this at 4 in the morning…)

    cheers
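The experiment peter describes in comment #10 (send yourself a message from webmail and from a desktop client, then compare the raw headers) comes down to reading the Received chain from the bottom up: each relay prepends its own Received line, so the last one in the list is the hop closest to the sender. The following is an added example, not code from this post or from any mail provider; the two raw messages are constructed, with documentation IP ranges standing in for real addresses. It extracts the chain from each message and reports the originating hop, and also reports an X-Originating-IP header where a provider adds one.

```python
"""Read the Received chain of two raw messages and report the first hop.
Added example; both messages below are constructed for illustration."""
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed: a message sent through a webmail interface. The oldest
# Received line names the provider's own server, not the home computer.
WEBMAIL_MSG = """\
Received: from mx.recipient.example ([198.51.100.7])
 by mail.recipient.example with ESMTP; Fri, 18 Jul 2008 09:15:02 -0500
Received: from webmail.provider.example (webmail.provider.example [203.0.113.10])
 by mx.recipient.example with ESMTP; Fri, 18 Jul 2008 09:15:01 -0500
From: someone@provider.example
To: me@recipient.example
Subject: test from webmail

hello
"""

# Constructed: the same message sent from a desktop mail client through the
# employer's relay. The client machine is recorded as the first hop.
CLIENT_MSG = """\
Received: from smtp.corp.example (smtp.corp.example [192.0.2.20])
 by mx.recipient.example with ESMTP; Fri, 18 Jul 2008 09:20:44 -0500
Received: from DESKTOP-HOME (dsl-pool.isp.example [192.0.2.45])
 by smtp.corp.example with ESMTP; Fri, 18 Jul 2008 09:20:43 -0500
From: worker@corp.example
To: me@recipient.example
Subject: test from a mail client

hello
"""

# First bracketed IPv4 literal in a Received line is the connecting host.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\s*from\s+(\S+)")

Hop = Tuple[Optional[str], Optional[str]]


def received_chain(raw: str) -> List[Hop]:
    """Return (host, ip) for every Received header, newest hop first."""
    msg = message_from_string(raw)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        host = FROM_RE.match(value)
        ip = IP_RE.search(value)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops


def originating_hop(raw: str) -> Optional[Hop]:
    """The oldest Received header is the hop nearest the sender."""
    chain = received_chain(raw)
    return chain[-1] if chain else None


def originating_ip_header(raw: str) -> Optional[str]:
    """Some webmail providers record the browser's address in
    X-Originating-IP; return it when present, else None."""
    return message_from_string(raw).get("X-Originating-IP")


if __name__ == "__main__":
    for label, raw in (("webmail", WEBMAIL_MSG), ("client", CLIENT_MSG)):
        print(label, originating_hop(raw), originating_ip_header(raw))
```

Only the Received lines added by servers you control are trustworthy; a sender can prepend arbitrary ones, so when tracing a message start from your own inbound relay and work downward only as far as you trust each hop.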

  11. #11 peter
    July 20, 2008

    just for comparison, this person was only reprimanded.