Anonymous malice and e-mail protocol

The long view of security strategies for your network.

A couple of incidents recently reminded me of principles I teach my students in computing courses about how to govern ourselves when using e-mail.

In one case, some idiot posted spam in several pages of the commentary sections for the Network World Security Strategies. I wrote to the people whose Web sites appeared in the spam with some mild comments about looking into whether someone at their firm was making the mistake of trying to advertise using spam. I did not automatically assume that the people whose Web site is named in the spam are necessarily responsible for it. Readers would do well to remember that anonymous posters may be anyone, and that the people named in spam may actually be the victims of malice.

The second incident involved a colleague of mine at Norwich University who was accused by an anonymous correspondent of having plagiarized material from an organization in one of his overview presentations at a security conference. The anonymous accuser wrote, "I found your article on your student ironic or maybe hypocritical. I recently caught another Norwich professor in your program plagerizing[sic] the COPYRIGHTED work of -----.org during a presentation he gave at -----. Maybe you should put the same effort into calling out your professors as you do your students. Are you just about holding students accountable or professors, too?" 

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

A couple of incidents recently reminded me of principles I teach my students in computing courses about how to govern ourselves when using e-mail.

In one case, some idiot posted spam in several pages of the commentary sections for the Network World Security Strategies. I wrote to the people whose Web sites appeared in the spam with some mild comments about looking into whether someone at their firm was making the mistake of trying to advertise using spam. I did not automatically assume that the people whose Web site is named in the spam are necessarily responsible for it. Readers would do well to remember that anonymous posters may be anyone, and that the people named in spam may actually be the victims of malice.

The second incident involved a colleague of mine at Norwich University who was accused by an anonymous correspondent of having plagiarized material from an organization in one of his overview presentations at a security conference. The anonymous accuser wrote, "I found your article on your student ironic or maybe hypocritical. I recently caught another Norwich professor in your program plagerizing[sic] the COPYRIGHTED work of -----.org during a presentation he gave at -----. Maybe you should put the same effort into calling out your professors as you do your students. Are you just about holding students accountable or professors, too?" 

He then appended a stream of poorly-formatted correspondence between himself and a director of the organization concerned.

I found out within five minutes that my colleague had in fact included a reference to the material but that the organization wanted him to put a note of provenance and copyright on every slide – which he did at once. The problem was resolved amicably without rancor in little time. However, the anonymous accuser ("it") did not bother to help resolve the problem – it chose to libel my colleague to me and to who knows how many other people.

The issue here is that the writer could have asked for clarifications nicely or made a suggestion for improvement by writing to my colleague directly instead of making accusations to employers and copyright owners. What was the advantage of assuming ill intent on the part of the professor without even engaging in research? And why the anonymity?

My advice to everyone is that one should check with the accused before publishing accusations as fact. For example, at the time of writing, I am researching a case of what I believe to be wholesale copyright infringement by a firm that charges people to access stolen intellectual property; when I complete my draft report for publication, I will be sending that draft to the people involved for their response before the article goes to the publisher. Wouldn't you want to be treated that way if someone accused you of wrongdoing?

Did my treatment of the student I accused of presenting work that wasn't his violate the principles enunciated above? No, because I presented evidence to a duly-constituted board of enquiry following the rules defined in the regulations of the institution in which we were both members. The accused was given the opportunity to present his case in his own defense and no one outside the university officials involved was informed of the accusations. The student's original grade was not influenced by the suspicion of dishonesty.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.