Email Someone A Lot, You May Be A Computer Hacker

Here is another court ruling that demonstrates that many in the legal profession do not understand simple everyday technology. In a case recently decided by the Sixth Circuit appeals court, a labor union asked all its members to email a company. The company in question in turn sued the labor union, and the court has ruled that the labor union can be sued under the Computer Fraud and Abuse Act (CFAA) for hacking. So emailing someone multiple times can be considered hacking! I am just dumbfounded!

This is the most absurd complaint ever. Emails are especially easy to filter based on email address, subject, body, IP addresses, keywords, and other criteria. You can block email addresses outright as spam, or filter emails to different folders, and going through a few hundred emails about the same topic is fairly easy to do. The offline equivalent to emails is postal mail. This is just the same as receiving coupons and circulars in the mail. I usually never read the ads, circulars, and other unsolicited mail that I receive in a typical day. So I quickly scan and put them in the recycling bin. I’m not going to sue Little Caesar’s because they keep sending me coupons in the mail.
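The filtering criteria named above (sender address, subject, relaying IP, body keywords) can be written as a small rule table. This is an added example, not part of the original post; the rules, folder name, addresses and messages are all constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Hypothetical rule set: (field, regex, destination folder). First match wins.
RULES = [
    ("from",     r"@union\.example$",                "Campaign"),
    ("subject",  r"\b(contract|grievance)\b",        "Campaign"),
    ("received", r"\[203\.0\.113\.\d{1,3}\]",        "Campaign"),
    ("body",     r"\bsigned,? a concerned member\b", "Campaign"),
]

def field(msg, name):
    """Return the text that a rule for `name` is matched against."""
    if name == "body":
        return msg.get_payload()
    if name == "from":
        # Match on the bare address, not the display name.
        return parseaddr(msg.get("From", ""))[1].lower()
    return " ".join(msg.get_all(name) or [])

def classify(raw):
    """Return (folder, matching field); unmatched mail stays in the Inbox."""
    msg = message_from_string(raw)
    for name, pattern, folder in RULES:
        if re.search(pattern, field(msg, name), re.IGNORECASE):
            return folder, name
    return "Inbox", None

def make(sender, subject, ip, body):
    """Build a constructed plain-text message with one Received header."""
    return (f"Received: from mail.example ([{ip}])\n"
            f"From: {sender}\nSubject: {subject}\n\n{body}\n")

# Constructed sample mailbox (documentation-range IPs, example domains).
SAMPLE = [
    make("Ann <ann@union.example>", "Please settle", "198.51.100.7", "Hello."),
    make("bob@webmail.example", "Re: the CONTRACT", "198.51.100.8", "Hi."),
    make("cy@webmail.example", "hello", "203.0.113.45", "Hi."),
    make("di@webmail.example", "hello", "198.51.100.9", "Signed, a concerned member"),
    make("Customer <buyer@shop.example>", "Order 1182", "198.51.100.10", "Where is my order?"),
]

def triage(raws):
    """Count how many messages land in each folder."""
    return Counter(classify(r)[0] for r in raws)

if __name__ == "__main__":
    print(triage(SAMPLE))
```
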

Stupid Security Questions

I’ve always had a problem with security questions asked by banks and other financial institutions. For one thing, these security questions are not really that secure and are easy to guess and reverse engineer. In 2008, the Republican vice-presidential candidate, Alaska Governor Sarah Palin, had her email hacked by someone guessing the answers to her security questions. From a Wired report on the email crack:

The Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Recently, it was reported that President Obama’s Twitter account was hacked by guessing the security question related to password recovery systems. These types of ‘hacks’ require no computer science degree, computer security expertise, or black hat hacking skills. This is the sort of ‘hacking’ that an ex might find themselves doing on your Facebook account. I would not put a lot of blame on curious kids with a lot of time on their hands and an internet connection; I put the blame on enterprise software architects that put stupid and weak security systems in place.

At first, security questions consisted of naming the town where you were born, or the maiden name of your mother. Then they progressed to the name of your third grade teacher, then the last name of your fifth girlfriend, then to where you were in the 1989 Loma Prieta earthquake, and they have gotten worse since then. Here are some security questions I found myself forced to answer.

  • Who was your childhood hero?
  • What is the first and last name of your first boyfriend or girlfriend?
  • Which phone number do you remember most from your childhood?
  • What was your favorite place to visit as a child?
  • Who is your favorite actor, musician, or artist?
  • What was the last name of your third grade teacher?

The problem now, with the current trend of security questions, is that even I don’t know the answers to them, or that their answers might change over time. Try to answer any of the above security questions five years from now and you might sound like the following… “I liked both Spiderman and Wolverine, but I might have answered Superman. I liked Britney Spears then, but not as much as Miley Cyrus, but wasn’t Lady Futura big then.”

I think that security questions are not secure or practical. They are an annoyance for users and highlight security flaws in computer systems.

Here is a list of security questions considered good. Notice that they all suffer from the issues outlined here: they are either easy to guess or easy to forget.

  • What was your childhood nickname?
  • In what city did you meet your spouse/significant other?
  • What is the name of your favorite childhood friend?
  • What street did you live on in third grade?
  • What is your oldest sibling’s birthday month and year? (e.g., January 1900)
  • What is the middle name of your youngest child?
  • What is your oldest sibling’s middle name?
  • What school did you attend for sixth grade?
  • What was your childhood phone number including area code? (e.g., 000-000-0000)
  • What is your oldest cousin’s first and last name?
  • What was the name of your first stuffed animal?
  • In what city or town did your mother and father meet?
  • Where were you when you had your first kiss?
  • What is the first name of the boy or girl that you first kissed?
  • What was the last name of your third grade teacher?
  • In what city does your nearest sibling live?
  • What is your youngest brother’s birthday month and year? (e.g., January 1900)
  • What is your maternal grandmother’s maiden name?
  • In what city or town was your first job?
  • What is the name of the place your wedding reception was held?
  • What is the name of a college you applied to but didn’t attend?
  • Where were you when you first heard about 9/11?

Another trend that I have noticed is that financial institutions and credit companies have a lot of private data on you and other prospective borrowers. So they don’t need to ask you such security questions; they can generate their own and match your answers to the years of paper trail and data fingerprints they have on you. If you call your bank in the near future, don’t be surprised if they ask you who you lost your virginity to.