Members of the Tulane community have been experiencing delays sending and receiving email for the past two days. This delay stems from the fact that one of our users responded to the email phishing scam that we warned you about yesterday. This person furnished his Tulane email and password. A spammer from Africa used this information to send out a huge number of spam messages. This action caused great harm to our community. Our domain is now listed as a source of spam causing companies such as Yahoo.com and hotmail.com to reject email from us. We are working diligently to resolve this issue. To learn more about this specific attack, please read this article from the Chronicle of Higher Education.
For at least another 10 years or so, there will be people whose first experience with email is in college. As long as there’s a steady supply of these n00bs, there will be a steady supply of people who respond to email scams, so we can expect this kind of thing for at least the next decade.
Enough is enough! I can think of a couple ways of dealing with this, none of which require people to magically cease being stupid enough to fall for one of these scams. If Paul Barron was serious about solving the problem, he’d follow my advice:
Don’t just flip a switch when you get the tuition check. Make email a privilege, and one that has to be earned. I know many classes use email for homework and so on, but I use the internet to do my job, too. Before you get an account and a password, Tulane should determine if you’re a risk to the community at large. Just funneling people through an orientation session won’t do it, because no one pays attention to those things. People have to be certified to drive a car or be a lifeguard, so they should be required to show at least minimal knowledge of how to use the internet safely before being allowed to do so.
I suggest that in order to activate your account, you should have to answer questions such as:
- Under what circumstances would the IT department email me asking for my account details?
Never. They’ve already got it, dumbass! - What should I ask myself before clicking a link in an email?
Do I know the sender, or did I sign up to receive this? Does the actual URL that will be loaded when I click actually go where it says it will? Is my browser set to not allow unprompted installation of software, and is it updated to the latest version? If the email wasn’t sent directly to me(forwards don’t count) from someone I know personally and could beat up if they hacked my computer, does the email have absolutely nothing to do with sex, drugs, money, violence, or tragedy? - Name three characteristics of a good password:
more than 6 characters, contains mixed case, numbers, and/or symbols, is not your pet’s name - Where should I write down my password so I don’t forget it?
Nowhere! What college student doesn’t remember their phone number, address, and SSN? A password should be remembered too. If you really have trouble, use some technique to generate a password from a more easily rememberable word. - How can I find out if this email attachment purporting to show Britney Spears in a compromising situation is actually an executable file that will pwn my computer?
This is client specific, so I suggest making this a free-form answer and letting a tech support person determine whether they should have the ability to send or receive attachments. - What should I do to my buddy/classmate/uncle who forwards me an online petition or bogus warning story?
Another free-form answer but suggested good answers include: sneaking into their room and placing their hand in a bowl of warm water, replying-all to the forward with 4 or 5 sites debunking the story, or perhaps simply adding them to the NAMBLA mailing list(snail mail too, but be sure to use their work address).
Once these questions have been satisfactorily answered, then the account can be set up. Forgetting can be addressed by enforcing periodic re-activations. For people who deserve the privilege, this should be only a 30 second process, not much more burden than changing a password.
People who allow their accounts to be breached and make the community suffer by failing to exercise common sense should have their access revoked.
I know many classes use email, but is it really too much to ask a prospective graduate to know how to not endanger those around them? People have to demonstrate minimal knowledge about driving to be allowed to drive, guns to be allowed to hunt, and life-saving techniques to be a lifeguard. I don’t think I’m out of line suggesting that, in the closed community of Tulane, people should have to demonstrate minimal knowledge about how to use the internet safely to be allowed to participate.
Those who lose their access can either get the info from a friend, or use a locked-down and secured public computer. I’m serious about this, so what do you say? Shall we have a pilot trial of an “internet license” here at Tulane?
On a more serious note, I’m aware that muggings of kids stumbling home from the bar happen routinely, and that kids will always put themselves in harm’s way. That’s a more serious problem, but beyond the scope of what I’m talking about here.