Category: Email

  • Adventures with Health Insurance Software: Email and Primary Care

    Giant organizations have trouble building effective software that works and gets the job done. I have gone into depth on this subject, giving examples of the problems. But there’s something about being a large organization that seems to prevent even being aware that there’s a problem, much less being able to fix it.

    I recently had occasion to dive into my health insurance company’s website, enticed by an email to do so. What I experienced was a travesty. If this company were run like a company should be run, heads should have rolled. It’s as bad as a trucking company having a large fraction of their trucks wander around getting lost, and another fraction driving off the road and crashing.

    Unfortunately, this story is not about an unfortunate bug or two that somehow snuck into otherwise fine software, which is what any self-respecting manager would start by trying to claim. This story is about software that is broken in concept and in execution – even when it “works,” it’s simply awful!

    What I’m saying here flies in the face of what nearly everyone says and appears to think – including all the managers at all the places that preside over this nightmare of dysfunction. You also don’t hear any lofty academics decrying the “crisis in software,” as they should. So I’m going to lay out the facts, point by point; this is NOT fake news.

    This is the first of three blog posts on this subject. This first one is pretty mild.

    I got an email from my insurance company. Here it is:

    Pay 0

    I have a new message – and it’s not sales or promotional! Nothing about what the message could be about. It must be too secret and confidential to put it in regular email. Maybe it’s something about my health? I’d better check. So I click.

    Pay 01

    Oh, yuck. I’ve got to log in.

    Now I have to decide how badly I want to read this non-sales email. They seem to have decided that giving me an intelligence test combined with an endurance test was the best way to determine whether I was worthy to read this non-promotional, possibly health-related message. I persisted. I dug out my user name and password for this site I rarely use, and logged in.

    Or rather, I attempted to login. Here’s what I got after successfully entering my user name and password:

    Pay 02

    My user name and password weren’t good enough! This is clearly an incredibly confidential message! Even though I was using a computer I use all the time, including when accessing Anthem. I picked email, and then got this screen:

    Pay 03

    I entered the 6 digit code.

    This is classic 2-factor authentication. The security “experts” at Anthem probably felt pretty good about how they increased the security at Anthem, particularly after their past embarrassments. But it’s all GARBAGE! Nothing but security Kabuki Theater! Think about it: I got to the login screen by clicking on an email that Anthem sent me!! It’s trivial to include in the email link’s URL the information about the email. So when the request comes in … Anthem knows it’s coming from the email they sent! A simple check would tell them it also is coming from a computer associated with that email. By going through the send-email-enter-6 digit-code b.s., all they’re doing is wasting my time because they already have proof that it’s my email.

    Next, there’s the remarkable screen telling me how hard Anthem is working on my behalf:

    Pay 04

    All this hard work will surely result in displaying the information that the email I clicked on long ago was enticing me to click for, right? Well, no.

    Pay 05

    A completely generic welcome page!

    This is a problem. A big one. You’re supposed to click to read an important message. In every system I know, a “click-me” email is a “deep link,” i.e., it doesn’t go to the home page of the web page; it goes “deep” into the site, to the place the email wants me to see. You’ve experienced this. When Facebook or LinkedIn sends you an email about something, when you click, it always deep-links you to the place referenced by the email. My blankity-blank BANK does this. Even confidential document stores that need to be highly secure do the same – once you’ve verified yourself, you go right to the document. Makes sense.

    Except to Anthem. Anthem’s email link brings me to the generic welcome page of Anthem, exactly the same thing I’d see if I’d gone to the site directly.

    I can barely remember how I got here, it was such an annoyingly long time ago. Oh, yeah, the email – I’ve got an important message! Now, where might that be? I look at the screen. Why don’t you check it out too – do you see anything that says “messages?” Me neither. Clearly this page, the front splash page of the Anthem patient website, has received the best vetting that the skilled professionals at Anthem can muster. And the vetting somehow failed to notice that they were going to send me to a page looking for a “message” without those seven wonderful letters appearing anywhere on the page.

    Again, a combined test of intelligence and endurance. Let’s see if I can pass. Taking a closer look at that generic landing page, look at where I've put the big red arrow…

    Pay 05a

    Aha!  I wonder if, by any remote chance, that red shape means messages (in the secret Anthem language), and I have 10 messages that have piled up? Let’s try clicking.

    Pay c

    Score!

    The endurance test continues. Click again. Finally, the important message in question:

    Pay d

    At this point, all I can say is OMG.

    1. I have a primary care doctor, Anthem. You know it because you pay insurance bills for that doctor covering suspiciously primary-care items like “wellness visit.”
    2. The primary care doctor you’ve selected for me is indeed in the same state as me. But “close?” Not even in the same county. Sorry. No chance.

    I’m so glad I endured the obstacle course and endurance test, making my way past the elaborate privacy protections to read this important message with spot-on recommendation, so cleverly refined with accurate GPS data. I can’t put into words what this has done for my admiration of the excellent insurance company that orchestrated this software ballet.

  • Russia Hacks DNC, Podesta Email: Fake News

    The US government has declared that the Russian government has hacked important US entities. It has retaliated against the Russian government in response. It has now issued its official report providing the evidence of hacking. 

    The "evidence" is a joke. It proves nothing but the incompetence and/or duplicity of the agencies that issued it. The near-certain declaration that the Russian government was behind this and related hacks is fake news. The majority of the US press echoes the fake news, supporting it with whatever is left of their credibility.

    Cybersecurity background

    Most large organizations have a big computer security problem. They just don't know how to get it done and don't seem to care, as repeated massive breaches have demonstrated. Government agencies are just as helpless. They issue regulations that tell corporations how to achieve security, but the regulations make things worse, and are ineffective for the government itself. There are solutions, but no one is interested.

    The Hacks

    The overall results of the hacks are well-known. In July, Wikileaks released 44,053 emails from officials of the DNC. In October, it released a large batch of Hillary Clinton campaign director John Podesta's email. Many important people immediately accused the Russians of performing the hack and providing the documents to Wikileaks.

    The Official Evidence

    The government's long-awaited official report of evidence that the Russians performed the hack was released last week by this government agency:

    US-CERT

    Here is how the report is described:

    US-CERT 1

    The report is 13 pages long, with a couple of linked files. The first thing that struck me was that, starting on page 5 and going to the end, the content had literally nothing to do with hacks or Russians — it was just a list of generic nostrums about how to be cyber-secure. One has to wonder where all this supposed powerful wisdom was while the US government Office of Personnel Management (OPM) hack took place; this hack resulted in the loss of highly sensitive data on over 22 million people. People who live in glass houses…

    What about the "evidence" contained on the first few pages?

    I have personally dealt with computers for a long time. I've had to fix serious problems, evaluate reports of problems and recommend solutions. There is a clear pattern of good work:

    • The person and group that did the work is clearly identified.
    • There is some kind of narrative that describes the problem and the path of discovery that leads to the conclusion.
    • Full details about the computers and software affected are provided. Is it a personal computer or a server? What version of what operating system is installed? If an application is relevant, what is the name and version of the application?
    • Full details about event data are provided, for example log files.
    • If there are anomalies, full details about them, including where and how they were found.
    • Enough data is provided so you can double-check any conclusions that may be drawn.
    • If more than one event is involved, this information is provided for each event, with all the information (for example, servers and operating systems) clearly associated with the corresponding event.

    None of this standard information was provided in the report!  Any conclusions that are drawn, given the total lack of real, professional evidence, are therefore baseless.

    Details of the non-evidence

    The report provides no separate information about the DNC or Podesta hacks. It says nothing about whether an email server was hacked or a client. Nothing! What the report does have is a little information with generic diagrams, a very techie listing of part of a script, and a list of IP addresses. The contents of what they provided have been competently analyzed by a security firm. Here is their summary:

    Wordfence

    Let's look at the Podesta hack for a bit.

    I looked at a broad sample of the emails on Wikileaks. Podesta had a gmail account, john.podesta@gmail.com. While some of the emails were sent to another address, podesta@law.georgetown.edu, a quick look at the source of the emails (kindly provided by Wikileaks) shows that this was set up as a forwarding address, i.e., automatically forwarded to the gmail account. The source code I examined was all typical, i.e., not faked.

    No one claims Google was hacked. So it was Podesta's email account and/or the computer he used to access it. The report, of course, doesn't say. The hack could have been accomplished by any number of techniques, and certainly doesn't require sophistication.

    The list of IP addresses given is completely irrelevant for this kind of hack. If the hackers got his user name and password, all they needed to do was log in — no "attack vectors" required.

    Turning to the DNC, the report implies (but doesn't state) that the DNC server was attacked. It talks about how the hacker:

    Escalation

    which is quite impressive. How exactly did the malware "escalate privileges?" That's like saying that a lieutenant in the army suddenly became a general! By making it happen himself! It's only possible if there's a bug in the system that was hacked. Was it Microsoft Exchange? What's the bug? We'd like to know!

    Going into this made me more suspicious, because the Wikileaks site lists exactly 7 senior officials whose emails were hacked. Here's what they say:

    DNC

    All that's needed to accomplish this is a bent insider, like a junior Edward Snowden, or some good social engineering. In other words, more of the same that worked on Podesta. Otherwise, why would the hack be limited to exactly those 7 and no more?

    In other words, an examination of what was hacked leads to the strong suspicion that the "evidence" provided by the government has nothing to do with how the hacking was actually accomplished, or by whom.

    Conclusion

    Cyber-security is incredibly important. I don't care one way or the other that the DNC and Podesta were hacked. Shame on them for not caring about security when the world is full of bad guys. But I do care that many of our most important institutions such as our government and healthcare institutions fail to take it seriously, and when they do, are incapable of getting the job done. It hurts many of us, and someday could hurt us really badly.

  • Gartner Group: Showcase of Big Company Customer Service

    Giant, powerful organizations nearly always do two things really well:

    1. Wax eloquent about how concerned they are with respect, privacy and customer service.
    2. Treat their actual customers like disposable pieces of crap.

    I've seen lots of examples of this over the years. I've written about it, for example illustrating how HP disrespects its customers with simple things like hard-to-get-out-of email subscriptions you never subscribed to. I've just encountered an even grosser example inflicted on me by the world's leading IT consultant firm, Gartner Group.

    Gartner Group

    I've known a number of Gartner employees over the years, and most have been hard-working, respectful, knowledgeable people. But Gartner is a big place. They purport to teach the world's companies how to do IT. So how does Gartner itself do IT?

    Here's the basic story with Gartner:

    2 Gartner

    In addition to thousands of employees, they're worth billions of dollars:

    1 stock

    Their range of activities is amazing. It's clear that they teach IT best practices to important companies all over the world:

    3 Gartner

    It's hard to believe that Gartner's own IT practices wouldn't themselves be world-class. Wouldn't you expect a music teacher to be a master musician?

    Gartner email

    Somehow I ended up getting spammed by Gartner. I'm not sure how. I got this email:

    1 gartner

    I didn't ask for it, and I don't want it.

    So I went to the bottom, and was assured that Gartner is committed to respect, privacy and all the usual big-company boilerplate. And even better, I can unsubscribe!

    2 Grtner

    So what happened? Did I get that satisfying one-click experience that responsible spammers provide? You know, the one that immediately says, "you're out! But if you'd be so kind, please tell us why you're going?" You know, like this:

    11

     

    No. Apparently, Gartner emails are much too important to be simply unsubscribed from. When the page popped up, my eye first went to this, which by itself sets a new record for customer disrespect:

    44

    They know my information — they're emailing me! But filling out the form for me? I guess this standard practice is beyond the geniuses at Gartner. Or beneath them. Or they kindly want to make sure I'm qualified to live without their wisdom. Or something.

    Then I studied the top part of the page, which provided the detailed instructions that must be meticulously followed in order to unsubscribe. If you're not good at reading and following instructions, the penalty is eternal pounding by unwanted junk mail from Gartner:

    Gartner

    I have nothing more to say. Gartner, the billion-dollar advisory firm, leading the way, demonstrating the customer respect that big company customer service is all about. Also demonstrating how carefully crafted words are of supreme importance to such large organizations. Actions that match? Not so much.

  • What E-mail teaches us about Bitcoin and Block Chain

    E-mail is widely used, and everyone knows what it is. Bitcoin is a hot new techno-bauble, and Bitcoin technologies like block chain are getting lots of attention and money. It turns out that e-mail has a great deal to teach us about Bitcoin and its technologies. Here’s the punch line: in spite of its ubiquity, practically no one understands how e-mail works, and this causes huge errors with practical consequences! By comparison, Bitcoin and its spawn are incredibly complicated;  most of the people who do understand e-mail have little chance of understanding Bitcoin. Think about the consequences of this, please.

    Do You Know How E-mail works?

    E-mail is simple, right? You login to your e-mail account, fill out the To and Subject fields, maybe add a couple people in the CC field, write your e-mail, and press send. Then some magic happens, and the e-mail shows up in the in-boxes of the people to whom you sent it. You can read your own e-mail by looking at the items in your in-box, and even go to your sent-mail folder and look at what you sent. It’s simple, wonderful and true! For the vast majority of the time, it’s fine to leave “then some magic happens” alone.

    The trouble comes when trouble comes, i.e., when there’s some special circumstance that requires knowing something about how that “magic” in the middle works. That’s when it comes out that almost no one has a clue about what’s going on, even in something as simple and ubiquitous as e-mail.

    The IRS e-mail case

    There are lots of examples, but the issues involving e-mail at the IRS which have been in the news off and on for the last couple of years are a good case in point. Here’s the lead paragraph from Wikipedia on the subject:

    IRS targeting controversy - Wikipedia, the free encyclopedia 2015-09-30 15-24-02

    Now, remember – I’m not talking about the merits of the issue on one side or the other. I’m solely talking about the knowledge exhibited of how e-mail works, and the practical consequences of that knowledge. Read this juicy lead from an AP story on the subject:

    IRS Head Says No Laws Broken In Loss Of Emails 2015-09-29 18-25-43

    Here are the key points:

    • In June 2011, Lois Lerner’s computer crashed.
    • This resulted “in the loss of records”
    • It was determined that the records on the hard drive, i.e., Lois Lerner's emails, were gone forever

    I am aghast. Agog. At a loss for words. I’d like to be shocked at the “depth” of misunderstanding, but I think it’s more appropriate to be shocked at the “shallowness” of misunderstanding exhibited in this quote, and in the heads of all the IRS employees, FBI, Congressional staffers, the archivists, and all the journalists with their fancy degrees from fancy schools.

    Here is the core concept that everyone involved on every side seems to agree on:

    The e-mails Lois Lerner wrote are uniquely stored on the hard drive of her personal computer. If it is true that the hard drive is severely damaged, then the e-mails are “gone forever.”

    The simple thing

    Even from the simplistic view of how e-mail works, every e-mail is either a draft or is sent to someone. If it's been given an accurate address, it arrives. It's in the receiver's in-box, and perhaps eventually in their deleted mail folder. Since the issue involved e-mails not only received by Ms. Lerner, but ones sent by her, presumably to other IRS employees, there is an obvious strategy: do a search on the e-mail of every IRS employee to whom Ms. Lerner could have sent an e-mail, and see if she did send one. It's the magic of e-mail: the sender has a copy of what was sent, and the recipient has a copy of what was received. There are at least two copies: both sender and receiver have one!

    Have you ever read that simple thought anywhere else? Neither have I.

    The "deep" thing, requiring understanding of how it works

    Now we get to the real point. An e-mail address has two main parts: the name, and the domain. The name is the part before the @ and the domain is the part after the @, for example Lois@IRS.gov. Similarly, all e-mail systems have two main pieces of software involved: a client and a server. Software by Microsoft is widely used in governments and corporations. Outlook is the client software, which runs on the computer on which you read and write e-mails. Exchange is the server software, which runs in a data center somewhere. Exchange is a program with a database holding the e-mails, address books and calendars for a whole bunch of users. A domain like IRS.gov is implemented with many Exchange servers, each with the e-mails of a particular collection of IRS workers, typically a couple for each physical location.

    When Ms. Lerner wrote an e-mail, she used her computer running an e-mail client such as Outlook. When she hit the Send button, the e-mail immediately went to her Exchange server, which filed it away. It then found the Exchange server(s) of the recipient(s) and passed the e-mail to it (them), which in turn sent it to the user's Outlook clients. Shortly after Ms. Lerner sent an e-mail to her colleague Mr. Lowe, it was stored in no less than four places, including a couple servers. In addition, assuming the government had at least moderately responsible Exchange administration, the e-mails were further copied to replicas, on and off-site, and in addition periodically backed up to yet another medium and location.

    There are other e-mail clients and other e-mail servers. I have no information about what the IRS actually used. But this is how e-mail works! There are clients. There are servers, which serve a number of users/clients. When a human writes an e-mail, it goes from her client to her server to the recipient's server to the recipient's client. As a result, it should have made no difference whatsoever that Ms. Lerner's computer "crashed." It wouldn't matter if it suddenly grew wings and flew off to Tahiti to frolic in the waves. Any e-mails that Ms. Lerner wrote were securely stored on her e-mail server shared with other users and in a data center, and on multiple replicas, backups and disaster recovery sites.

    The fact that Ms. Lerner's computer crashed and people supposedly spent time attempting to recover e-mails from it, and when they failed, declared them "lost forever," and the fact that everyone else involved, including journalists and commentators and experts of all sorts, accepted that as the state of affairs ("well, if her hard disk crashed, what can you do, ya know?"), demonstrates that none of them has a clue about how e-mail works. It's like not knowing that cars have engines. It's that bad.
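    The client-to-server-to-server-to-client path described above leaves a trace, because each server that accepts a message prepends a `Received:` header to it. The following is an added example, not part of the original post: it reads those headers oldest-first to list every system that handled a message, which is where a search for copies would start. The sample message, host names and ids are constructed, and nothing in it reflects what the IRS actually ran.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: every host, address and id below is made up.
SAMPLE = """\
Received: from mx2.agency.example (mx2.agency.example [192.0.2.20])
\tby mbx7.agency.example with ESMTP id CCC333;
\tTue, 14 Jun 2016 09:15:04 -0400
Received: from mbx1.agency.example (mbx1.agency.example [192.0.2.10])
\tby mx2.agency.example with ESMTP id BBB222;
\tTue, 14 Jun 2016 09:15:03 -0400
Received: from desktop-17 (desktop-17.agency.example [192.0.2.77])
\tby mbx1.agency.example with ESMTP id AAA111;
\tTue, 14 Jun 2016 09:15:01 -0400
From: sender@agency.example
To: colleague@agency.example
Subject: constructed sample
Message-ID: <constructed-0001@agency.example>

Body text.
"""

# "from <sending host> ... by <receiving host>", possibly folded over lines.
HOP = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)


def trace_hops(raw):
    """Return the Received chain oldest-first as dicts: from, by, when."""
    msg = message_from_string(raw)
    hops = []
    # Servers prepend, so the newest header is on top: reverse for time order.
    # Only headers written by servers you control are trustworthy; anything
    # below the first of those could have been supplied by the sender.
    for value in reversed(msg.get_all("Received", [])):
        match = HOP.search(value)
        if match is None:
            continue  # e.g. a "by ... " only header from a local submission
        when = None
        if ";" in value:
            try:
                when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None  # unparseable timestamp: keep the hop anyway
        hops.append({"from": match["src"],
                     "by": match["dst"].rstrip(";"),
                     "when": when})
    return hops


def systems_that_handled(hops):
    """Ordered, de-duplicated list of every host named in the chain."""
    seen = []
    for hop in hops:
        for host in (hop["from"], hop["by"]):
            if host not in seen:
                seen.append(host)
    return seen


def transit_seconds(hops):
    """Seconds between the first and last timestamped hop, or None."""
    stamps = [hop["when"] for hop in hops if hop["when"] is not None]
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]).total_seconds()


if __name__ == "__main__":
    chain = trace_hops(SAMPLE)
    for hop in chain:
        print(f"{hop['when']}  {hop['from']} -> {hop['by']}")
    print("handled by:", ", ".join(systems_that_handled(chain)))
```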

    What e-mails have to do with Bitcoin and Block Chain

    Compared to many other computer technologies, e-mail is simple. Compared to many other computer technologies, Bitcoin is complex. Even worse, what's interesting about Bitcoin isn't Bitcoin the crypto-currency — it's the block chain technology on which it's implemented. Block chain is getting all sorts of attention from financial technology people and investors. I won't review it here, but a brief look at the action will convince you it's frothy.

    What if investors, financial industry executives and Bitcoin technology company leaders are as informed about block chain as everyone involved was/is about e-mail? What if they're making important decisions based on critical observations as sound as "well, the hard drive is kaput, so the e-mail is gone, and that's that?" If the important actors in the e-mail drama exhibit paper-thin understanding and wrong-headed conclusions, are we to understand that all the folks involved in Bitcoin and block chain are geniuses by comparison?

    Place your bets, people. I know what I'm betting on.

  • Emails and Customer Respect: HP again

    In an earlier post, I complained about software quality at big companies, illustrated by how they get the "little" things wrong, which of course sometimes builds up into getting really big things wrong.

    HP is definitely on a roll in that regard. Just to pick an example, HP decided to buy Autonomy for $11.7 Billion in 2011, and about a year later, was forced to write off $8.8 Billion. In that context, little things like email marketing practices are trivial, things of no concern at all.

    But that's the point! Quality starts at the top, it starts at the bottom, and attitudes about it pervade an organization. If no one is particularly concerned about quality, then stuff happens. And it seems to be happening at HP (among others).

    The importance of email

    Some people may think that email is a tiny little unimportant thing. That's odd, because email is an important way that companies communicate with and interact with their customers. The fact that a company's many divisions may send out millions of emails tempts people inside the company to think how insignificant emails are. We send them out by the million!

    But in the experience of any one customer, email may have a large role to play in forming their image of the company. Does it make good products that I want to buy? Does it listen to me? Does it respect my views and respond to my requests? When it makes an offer and I respond, what is the company's follow-up?

    Email is like a salesperson, or a customer service representative, having an important role to play in the customer's future relationship with the company.

    HP and email

    Someone in power at HP badly needs to read this. The way HP currently handles their email is a sad example of dissing current and potential customers.

    I recently received a couple more spam emails from HP, after many diligent attempts to follow their rules for unsubscribing.

    Here's the bottom of the email:

    HP e-mail

    Sounds good, huh? HP doesn't just protect my privacy, they're committed to it. I can choose (hah!) whether HP may communicate with me!

    So, yet again, I clicked here to unsubscribe. This time HP put up a new hurdle.

    HP- Unsubscribe 2015-09-30 17-14-55

    They know what my email address is. All they have to do is what every responsible e-mail marketer does and put it in the unsubscribe URL in order to deliver what customers want, which is one-click unsubscribe. Not exactly a new idea!

    But HP, that organization capable of rebuffing double-digit numbers of pleas from me to unsubscribe, has decided to up the ante. Now they demand that I type in my email address! Which they know! Just to show who's boss, and to show how much they respect me, and to hope that maybe I won't bother to type it in, forcing them to find another excuse to keep pounding me with spam.
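    The address-in-the-URL idea above, and the earlier point that an email link can carry information identifying the message that produced the click, shown as an added Python example (not code from HP, Anthem or any other sender named on this page). The key, the `mail.example.com` host, the paths and every function name are assumptions; the link is HMAC-signed so the address it carries cannot be altered, and `List-Unsubscribe-Post` is the RFC 8058 one-click header.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"constructed-demo-key"   # assumption: really loaded from a secret store
BASE_URL = "https://mail.example.com"  # hypothetical sender host


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body):
    return b64e(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def make_link(email, purpose, target, ttl_seconds, now=None):
    """Build a link whose token names the recipient, the purpose and a target."""
    issued = int(time.time() if now is None else now)
    claims = {"email": email, "purpose": purpose, "target": target,
              "exp": issued + ttl_seconds}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{BASE_URL}/{purpose}?" + urlencode({"t": f"{body}.{sign(body)}"})


def verify_link(url, expected_purpose, now=None):
    """Return the signed claims, or None if forged, expired or wrong purpose."""
    now = int(time.time() if now is None else now)
    tokens = parse_qs(urlsplit(url).query).get("t", [])
    if len(tokens) != 1 or tokens[0].count(".") != 1:
        return None
    body, sig = tokens[0].split(".")
    # Constant-time comparison: no timing hint about how much of it matched.
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return None
    try:
        claims = json.loads(b64d(body))
    except ValueError:
        return None
    # Purpose binding: an unsubscribe token is useless at any other endpoint.
    if claims.get("purpose") != expected_purpose or now >= claims.get("exp", 0):
        return None
    return claims


def unsubscribe_headers(email, now=None):
    """Headers that let a mail client offer one-click unsubscribe (RFC 8058)."""
    link = make_link(email, "unsubscribe", "", 90 * 86400, now)
    return {"List-Unsubscribe": f"<{link}>",
            "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}


def handle_unsubscribe(url, subscribers, now=None):
    """One click: the address comes from the signed token, nothing is typed."""
    claims = verify_link(url, "unsubscribe", now)
    if claims is None:
        return "invalid or expired link"
    subscribers.discard(claims["email"])
    return f"{claims['email']} unsubscribed"


def handle_deep_link(url, now=None):
    """Tell the site which mailed message was clicked and where to land
    once the user has signed in; None means fall back to the home page."""
    claims = verify_link(url, "message", now)
    if claims is None:
        return None
    return {"recipient": claims["email"], "after_login": claims["target"]}


if __name__ == "__main__":
    subs = {"pat@example.org", "sam@example.org"}  # constructed addresses
    link = make_link("pat@example.org", "unsubscribe", "", 86400)
    print(link)
    print(handle_unsubscribe(link, subs), "->", sorted(subs))
```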

    The importance of email in customer relations and branding

    An email interaction with a customer is like a sales person's interaction with a customer, i.e., an opportunity to show the company at its best, to make a good impression and to act in a way that inclines the customer to spend money buying the company's products and services, now or in the future. If the customer says "no, I'm not interested right now," the effective sales person bows out in a way that maximizes the chances that, in the future when the customer has a need, they will be favorably inclined to the company.

    What if the sales person says "I really respect you and I respond to your needs, but if you want me to leave your office, you have to write on this piece of paper your exact name and job title. If what you write fails to match the information I have in any way, even a single letter, I will continue to walk into your office uninvited and demand your time and attention." That's the physical equivalent of the email interaction I had with HP. How do you think this would work out if physical sales people did it? Is there any reason to believe that the quality of the reaction is different when the HP representative is email?

    More and even worse

    HP has just announced that it's splitting into two companies. Naturally, having ignored all my requests to be dropped from their email lists, HP emailed me about it. Not just some division; central, home-office HP. Here's what I received:

    HP email

    Note that the subject of the email is "separation information pertaining to email subscription." Thus, the home office of HP is still convinced I'm an email subscriber. And this email is about being a legitimate, opted-in subscriber to HP email.

    Naturally, I was curious to see how they'd handle the unsubscribe request. I clicked on the link above and got … nothing! For several hours I periodically tried, and the link led to a site that simply didn't respond. The next day I tried again, and got this page:

    HP- Unsubscribe 2015-10-02 08-47-23

    Again, I got that worst-practice of email unsubscription methods, the "we're making believe we don't have the email address that you clicked on to get here, so you have to guess to which of your potentially several email addresses we sent this and enter it correctly, otherwise we deem you insufficiently skilled to deserve being excused from being spammed by HP, and we will continue our periodic spam until you get it together."

    That and a lawyerly "privacy" policy and five bucks will get you a coffee at the nearest Starbucks.

    To all companies in the world anywhere that send email: take this as an example of what not to do. Your present and potential future customers sincerely request it, and will respond accordingly.

  • Software Quality at Big Companies: United, HP and Google

    I would love to avoid the issue of software quality — but it keeps finding me and biting me, as I'm innocently going about my business. I guess you can understand that there are issues at a giant company whose main business is flying airplanes. It gets more annoying when the company says it makes computers. It's even worse when it's an incredibly well-regarded software company. Here are just a couple personal examples. They seem small. But they're indicative of a pattern in practice.

    United Airlines

    I fly on United airlines a fair amount. I needed information about one of their flights, and not even on a day when a computer systems failure brought everything there to a halt. Just a regular day after they released some new software, software that no customer was pounding their fist on a table demanding — just regular old new software they felt compelled to release. Software that didn't work.

    United Airlines 2015-09-08 15-10-11

    They point out that the new version isn't available — but neglect to point out that the old isn't available either! Sad. Pathetic. They put the effort into assuring that their error message would include an attractive picture of one of their planes flying — perhaps they could instead have put a bit more effort into keeping their software flying?

    HP

    This once-great company has been drifting for years. I'm amazed they still have as many customers as they do. Clearly some executive in some cushy suite is putting pressure on the marketing people to generate more leads. So I've been getting spam from HP like never before — yes, HP is "spamming" me.

    Word has clearly also come down to keep the pressure on those recalcitrant would-be customers like me. So, like a nice, obedient spam target, I click the opt-out button at the bottom of the e-mail.

    HP spam

    I have great expectations, because, after all, "HP respects your privacy." I go to the relevant page.

    So I go to the form, and make sure the "unsubscribe all" box is checked before clicking the button.

    HP- Unsubscribe 2015-09-23 14-23-46

    Then, I get a re-assuring page saying it's all set, no more spam.

    HP- Unsubscribe 2015-09-23 14-22-43

    Everything is OK then, right, because HP respects me and everything about me; they say so.

    Except: I've gone through this exact process or one similar to it ten times in the last month, and nothing changes! HP apparently is eager for me to receive their information, and they respect me as much as ever. Their software is broken and no one cares. Is this huge? No, of course not. But it's the small things that tell you what's really going on.

    Google

    For reasons that escape me, the general impression is that Google is great and everyone who works there is a genius. I get business plans telling me that everything is great with their software because they've hired a team from … Google! Case closed!

    Except it's not, from big things to small. Here's a small personal example. I went onto Google+ (one of the many projects/services that is rarely on the short list of great Google achievements) to get my posts. Here's what I got:

    [Image: Google+ 2015-08-11 11-19-51]

    I tried and tried. No luck that day.

    Can you imagine something being down for a day? The recent American Airlines system outage that I had the pleasure to personally experience while caught in a system-wide ground halt lasted a couple hours. In that context, it's a good thing that Google+ is nothing but a free service for helping people waste time.

    Conclusion

    Software quality is a huge, ongoing, unsolved (at most organizations) problem. There are ways to solve it. The overwhelming majority of practicing professionals and computer science academics prefer to ignore it. Meanwhile, the rest of us get the message loud and clear: we don't matter to them, and words to the contrary are nothing but propaganda.

  • Internet Driver’s Licenses Needed for Users

    We give kids sex education. We give them driver education, and require a driver test and license before driving. But we let any fool onto the internet to wreak whatever havoc they can on themselves and others without a second thought. It's time for a change!

    Education for Meaningful Use

    Education on the basics of how the internet and associated technologies work and how to control, respond to and interpret what you see is totally neglected. There are no significant efforts that I know of to make people educated consumers of this important, ubiquitous service that is so widely used. But there is a more important issue…

    Education for Safety

    By far the most important subject for internet education is safety. Maintaining internet safety has some similarities to general safety, but is different in important ways.

    Internet "driving" safety

    The most important aspect of safety while driving is avoiding driving while impaired in any way, and paying sharp attention to the road and other vehicles at all times. Driving while impaired by drugs or alcohol or while engaged in texting or talking are recognized factors.

    So imagine how hazardous internet driving must be when people don't even know how to read the road signs (the URLs) and can't tell that they've wandered onto a road constructed by criminals specifically for the purpose of enabling them to steal your car, drive it to your bank and take out a big withdrawal! But that's exactly what it is! Here's an example of a more brazen attack (image from a good guy, Yoo Security), demanding that you send the money yourself:

    [Image: ICE]

    Unfortunately, there are criminals out there who have grown far beyond simple smash-and-grab operations. These sophisticated criminals with a long-term view trick you into "driving" onto their criminally-constructed "road" for the sole purpose of making your car an instrument for stealing from other people or organizations. They can make your computer into a zombie to participate in botnets. It can serve that purpose for minutes or years without your awareness. Is the problem big? You betcha. There are more computers that have been hijacked into botnets (maybe yours!) than most people are aware of:

    [Image: Botnets]

    Sometimes, of course, the criminals are stupid, greedy or malicious — I guess those are the drop-outs from the "criminals should be good citizens" certification program. So your hijacked device could slow to a crawl, do weird things, look over your shoulder as you type until they get the information needed to drain your bank account or max out your credit card, or even (just because it's fun!) wipe out your machine while leaving some cute "it was me! Have a nice life!" message on your screen.

    Internet E-mail fraud

    How often do you get a letter purporting to be from your bank asking you to send them a letter containing your account number just so they can verify that everything's OK? If you got one, do you think you'd respond as requested? Apparently you're not alone — criminals are the supreme capitalists, and abandon efforts that are unprofitable before long.

    But how about letters on the internet, i.e., e-mail? Along with everyone I know, I get an amazing number of criminal solicitations, ranging from the laughable (at least to me) to the amazingly credible every day. Data-driven capitalists that they are, the only explanation for the persistence of these efforts is that more than enough of them work to cover the costs and trouble of running the schemes, certainly more than getting a legal job. I've seen fewer solicitations from Nigeria lately, but the slack has been taken up by Libya.

    Here's one of the new breed from Libya:

    [Image: Libya]

    Here is a somewhat more plausible one from a place that really could be your bank:

    [Image: Chase]

    Conclusion

    Uneducated internet users cause billions of dollars of harm to themselves and others every year. You would think this would result in an outcry for education from those users and the people who know them. You might think this might merit a bit of attention from the institutions who so assiduously and expensively educate, authorize, license and otherwise keep us on the straight and narrow. When I'm in Central Park in New York, there are rangers watching my every move; they set me straight when I ride my bike where I'm not supposed to, or walk in one of the ever-changing restricted areas. The conclusion is obvious: every move I make in the Park is more worthy of watchful restriction by people in uniforms than the millions of actions on the internet that seem, at least to me, far more destructive. I must be missing something.
