How much faith do you have in the political appointees and federal civil service apparatchiks charged with protecting you from terrorist attack?
It’s no secret that I’ve looked askance at the Department of Homeland Security ever since it was just a gleam in George W. Bush’s eye. It has always seemed to be yet another bureaucratic black hole into which freight cars full of taxpayers’ money can disappear without a trace, not to mention a convenient and lucrative backwater into which favored political cronies can be shunted.
As of today we know one thing: the Department of Homeland Security can’t even keep an email newsletter’s subscriber list secure.
The blog Suitably Flip tells the story:
DHS Pulls Bookcase Of Spam Over On Self
I subscribe to a Department of Homeland Security mailing list called the DHS Daily Open Source Infrastructure Report, which is basically a collection of excerpts and hyperlinks to news stories about security issues in communications, transportation, finance, and other critical sectors. The highlighted stories are frequently about cyber-security — e-mail scams, viruses, stolen laptops, etc.
Today, though, the listkeeper (the National Infrastructure Coordinating Center) is flailing in an e-mail mire of its own design.
A little after 8:00 this morning, one of the list subscribers sent a change-of-address notice back to NICC, which — upon arriving in the inboxes of every subscriber — suddenly made it clear that the distribution list was unrestricted. Anyone replying to it was (and still is, apparently) able to hit the inboxes of thousands of security professionals, including law enforcement, U.S. military, federal employees, private security consultants, etc.
The accidental exposer chased his original message with a “recall” note, but the horse had long left the barn. In the hours since, about 100 list members have chimed in, frequently in an ironically futile attempt to ask other members to stop replying, so their inboxes will stop flooding. More than 20 list members were so fed up with all the replies that they’ve sent “unsubscribe” notices (some of them more than mildly perturbed in tone), but in so doing, they’ve frequently broadcast their e-mail addresses, names, and employers to the rest of the list, which may wind up backfiring spectacularly.
So now the email addresses of everyone who subscribed to the list are available to anyone on the list. If you were a clever and resourceful terrorist who subscribed to the list to keep an eye on what DHS is doing, then you got a surprise Ramadan present yesterday: an extensive list of people with a professional interest in US homeland security.
And if you’re a spammer, you’ve got a huge list of live email addresses to add to your database of recipients.
Maintaining an email list isn’t rocket science, but it’s easy to make mistakes. Most of us have had the experience of being on the receiving end of one of these “bounce floods” when some list administrator checks the wrong box in his list configurations and then someone on the list hits “reply all”.
And most of us could have fixed it promptly, as soon as it was brought to our attention. But not DHS — it took those government security experts nine hours to plug this particular security hole, and by then innumerable messages bearing the email addresses of everyone on the list had passed back and forth.
The DHS response was — wait for it — to blame the list subscribers themselves for hitting “reply”:
At 1:30, the NICC tried to kibosh the insanity with this message:
Please do not use the “reply to all” when responding to the emails from this email address.
The listserve email address used has thousands of recipients and causes server problems when used this way.
That, um… didn’t work. List member “Tech Guy” was stupefied by the attempt.
Are you serious? Is this actually the official response and remedy for this issue?
I have refrained from commenting up till now as to not perpetuate this issue, but this sort of response is unacceptable and just goes to prove why so many lack faith in our government and government agencies.
How about utilizing some common measures to ensure that others are not allowed to send to the list? It’s actually pretty simple and commonplace to do.
Thousands of small businesses and private individuals across the country could have dealt with the problem in a tenth of the time it took DHS to get it right. Christine, who keeps the lists at CVF and has years of experience dealing with email groups, would have fixed the error within five minutes of getting the first email from a user.
But not DHS.
The members of the list reacted with commendable distributed intelligence, the hallmark of cyberspace:
List members have now set up at least two off-site forums (this one and that one), both to keep the networking channel open and in an attempt (thus far an unsuccessful one) to divert the message flood away from the listserve.
Flip has this final update:
Update: WSJ’s Washington Wire:
Every day, the Department of Homeland Security emails an “Open Source Intelligence Report” about the nation’s critical infrastructure to hundreds, perhaps thousands, of security and emergency officials working for corporations, governors’ offices, big city police forces and a myriad of federal agencies. It is a group of serious, security-minded people, or so one would have thought.
A senior DHS official described the incident as a “non-event” for the department’s own security. No systems crashed; no backdoors were revealed. The reaction of the security professionals on the list, he said, was “much more worrying.”
It’s been about 90 minutes since the last message came through, so the problem appears to have been fixed (incredibly, a full 9 hours after the flood began). Now that it’s been pinched off, I’ll reveal that when I tried replying to one of the messages this afternoon, it bounced off an e-mail relay at the firm that handles this listserve for DHS, which then sent me a full list of the e-mail addresses my message did not reach.
Roughly 7,000 in all — presumably every e-mail address on the DHS Daily Report distribution list.
The level of incompetence in all this is mind-boggling.
Now, to be fair, maybe DHS gets the big stuff right and doesn’t sweat the small stuff. Maybe they can handle threats to the homeland, even if they can’t handle an email list.
They’re out there with their geiger counters and their automatic weapons, dressed in kevlar vests and helmets, standing guard against our nation’s enemies. We see them at the airport wanding nuns and making kids take off their shoes. Their reassuring presence lets us know that our homeland is secure.
Fortunately for the American people, all the bad things that have happened since 9-11 have no connection with terrorism. Whether it’s the guy who ran over people in North Carolina, or the fellow who shot up the El Al counter at LAX, or the would-be Sears Tower bombers, or any of the other incidents where Americans were killed or injured by wackos who just happen to be Muslims, it’s nothing to do with Islamic terrorism. We know this because the Department of Homeland Security has told us so.
And if anything goes wrong, it’s the user’s fault. He shouldn’t have hit “reply all” to that email message. He should have put an extra deadbolt on his door. He should have kept off the Golden Gate Bridge when the threat level was orange, and used an alternate route…
Which would you rather count on for protection, the Department of Homeland Security, or Smith and Wesson?
Hat tip: Larwyn.