Peeves

I have a bone to pick with the cybersecurity community at large. As computer security professionals, we are supposed to be better than “normal” or “ordinary” people about our online hygiene. In spite of this, within the past 48 hours I have had two of my digital pet peeves percussed… BY PEOPLE WHO ARE SUPPOSED TO KNOW BETTER!

Peeve #1 – Getting CC’d In Email

We all do it. We go to a class or a meeting or sign up to volunteer our time at a non-profit, and we share our email address with the person or organization involved so they can send us information, documents, photos, whatever…

And when they do send us that whatever via email, they include everyone on their list in either the TO or the CC field.

[Image: To and CC Fields in a New Email]

GREAT! Just flipping great! Now 50 people I don’t know or have never met have my email address! And I have theirs. Lucky them! Lucky, that is, that I’m not a stalker or a spammer or someone from a marketing department!

Seriously, folks, learn to use the BCC field! “B” as in BLIND. As in don’t share my PII (personally identifiable information) with the Universe at large! As in I have no idea who some of these people are and I may have very good reasons for not wanting them to know how to contact me!

[Image: The Incredible-Yet-Seldom-Used BCC Field]

If you don’t already know about the BCC field, allow me to enlighten you. The BCC field lets you send email messages to LOTS of people, but the only email addresses they will see will be yours (as the sender) and theirs (as the recipient). Conversely, when you put 9,999 email addresses in either the To or the ordinary CC field, you have just given all those email addresses to everyone who is receiving that particular message.

Starting to see why this annoys me?
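To make the difference concrete, here is an added example (not from the original post) that builds the same announcement two ways with Python’s standard email library: once the way the peeve describes, with every volunteer in To:, and once with the list in Bcc: and only the organizer’s own address in To:. The helper then splits each message into the SMTP envelope (who the mail server delivers to) and the header block that actually lands in inboxes, which is the same split smtplib.SMTP.send_message performs. The organizer and volunteer addresses are constructed sample data.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: the organizer's address and a volunteer list.
ORGANIZER = "organizer@example.org"
VOLUNTEERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_exposed_message(sender, recipients, subject, body):
    """The peeve: everyone lands in To:, so every recipient sees every address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, subject, body):
    """The fix: the list goes in Bcc:, and To: carries only the sender's own address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_and_wire(msg):
    """Split a message into what the mail server needs and what recipients see.

    This mirrors what smtplib.SMTP.send_message does: To, Cc and Bcc all feed the
    SMTP envelope (the RCPT TO list), but the Bcc header is deleted from the copy
    that is actually transmitted, so it never reaches anyone's inbox.
    """
    envelope = []
    for field in ("To", "Cc", "Bcc"):
        envelope.extend(addr for _, addr in getaddresses(msg.get_all(field, [])))
    wire_copy = copy.copy(msg)  # shallow copy is enough: deleting a header rebinds the header list
    del wire_copy["Bcc"]
    return envelope, wire_copy.as_string()


def leaked_addresses(msg, recipients):
    """Return the recipient addresses that every other recipient would be able to see."""
    _, wire = envelope_and_wire(msg)
    return [addr for addr in recipients if addr in wire]


if __name__ == "__main__":
    for builder in (build_exposed_message, build_bcc_message):
        msg = builder(ORGANIZER, VOLUNTEERS, "Meeting notes", "See attached.")
        envelope, wire = envelope_and_wire(msg)
        print(builder.__name__, "-> delivered to", envelope)
        print("  addresses every recipient can see:", leaked_addresses(msg, VOLUNTEERS))
```

Both messages are delivered to the same three people; the only difference is what survives in the headers. Putting the sender’s own address in To: is what keeps the message from arriving with an empty recipient line, which some spam filters dislike.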

Peeve #2 – Copy/Pasted URLs with Tracking Codes Intact

I get it. Normal people don’t pay a lot of attention to the URLs of the web pages they visit. This common state of oblivion is what makes phishing so easy and is a delight to bad actors and Black Hats everywhere.

But I’m not normal. I spent over twenty years working as a web developer, so I pay a LOT of attention to URLs because I know very well just how much cruft and crud gets shoved into them, sometimes for legitimate reasons, and other times not. Let’s take a link from Amazon as a benign example of what I mean.

This URL will take you to the Amazon.com page for a book written by someone I know and admire.

https://www.amazon.com/Practical-Lock-Picking-Physical-Penetration/dp/1597499897/ref=sr_1_1?ie=UTF8&qid=1546838838&sr=8-1&keywords=deviant+ollam+lock+picking

Take a moment to really look at the URL. If you look carefully, it isn’t difficult to see that everything from ref= onward is extra stuff that has nothing to do with the actual product. The key/value pairs at the end of the URL are used to track information about what words were used to search for the book, and what character set to use, among other things. Knowing this, if all I want is the link to Dev’s book, what I really need is this:

https://www.amazon.com/Practical-Lock-Picking-Physical-Penetration/dp/1597499897/

See how much cleaner that is? And without all that extra crud I am denying Amazon the ability to track and record how many times that particular query has been shared out across the Internet.
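Here is an added example (not from the original post) of doing that clean-up programmatically with Python’s urllib.parse, so a link can be checked before it is pasted anywhere. It handles the two things visible in the Amazon link above: the `ref=…` pseudo-segment hanging off the end of the path, and the query parameters the post calls out (`ie`, `qid`, `sr`, `keywords`). It goes a little beyond the post by also dropping the common cross-site marketing parameters (`utm_*`, `fbclid`, `gclid` and the Mailchimp `mc_cid`/`mc_eid` pair); that list, and the rule that any path segment starting with `ref=` is droppable, are my assumptions, not something the post states.

```python
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Parameters the post identifies in the Amazon link (search term, query id,
# search rank, character set) plus common cross-site marketing identifiers.
# Assumption: everything listed here is droppable; extend it for other sites.
TRACKING_PARAMS = {
    "keywords", "qid", "sr", "ie",          # from the Amazon example in the post
    "fbclid", "gclid", "mc_cid", "mc_eid",  # assumed: ad-click and mailing-list IDs
}
TRACKING_PREFIXES = ("utm_",)               # assumed: campaign-tagging parameters


def is_tracking(name):
    """True if a query parameter name looks like tracking cruft."""
    return name in TRACKING_PARAMS or name.startswith(TRACKING_PREFIXES)


def stripped_params(url):
    """List the query parameter names that clean_url would remove, in order."""
    query = urlparse(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if is_tracking(k)]


def clean_url(url):
    """Return url without tracking cruft, keeping scheme, host, path, real parameters and fragment."""
    parsed = urlparse(url)

    # Amazon appends a 'ref=...' pseudo-segment to the path; drop any such segment.
    # (Assumption: this heuristic is specific to Amazon-style links.)
    segments = parsed.path.split("/")
    kept = [s for s in segments if not s.startswith("ref=")]
    path = "/".join(kept)
    if len(kept) != len(segments) and not path.endswith("/"):
        path += "/"  # restore the trailing slash the dropped segment was attached to

    # Keep only the parameters that are not tracking-related, preserving their order.
    params = [(k, v) for k, v in parse_qsl(parsed.query, keep_blank_values=True)
              if not is_tracking(k)]
    query = urlencode(params)

    return urlunparse(parsed._replace(path=path, query=query))


if __name__ == "__main__":
    # The link from the post, as pasted.
    messy = ("https://www.amazon.com/Practical-Lock-Picking-Physical-Penetration/dp/1597499897/"
             "ref=sr_1_1?ie=UTF8&qid=1546838838&sr=8-1&keywords=deviant+ollam+lock+picking")
    print("removed:", stripped_params(messy))
    print("clean:  ", clean_url(messy))
```

Run against the link above it yields exactly the shortened form shown in the post, while a link such as `https://example.com/article?id=42&utm_source=newsletter` keeps its `id` and loses only the campaign tag. Because the function works from an allow-nothing list of known tracking names rather than deleting every parameter, it will not strip something a page genuinely needs (a search query, a page number) the way a blanket “drop everything after the ?” rule would.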

Given that cybersecurity folks are supposed to be paranoid about being tracked, to the point of covering the lenses on their web cams so no one can watch them covertly, you would think they would pay more attention to the URLs they share via email, social media, Slack, etc.

Guess again! I am astonished, as in completely flabbergasted, at how many people who claim to be online safety “experts” will blithely share a URL with TONS of tracking cruft in it! It boggles the mind! Seriously! Did you even LOOK at the URL before you posted it?

Sadly, I don’t expect that my fellow cybersecurity folk will wake up and smell the coffee when it comes to these peeves of mine. They are people, after all, people who can’t handle simple things like the difference between there, their, and they’re any better than anyone else.

Doesn’t mean I have to like it, though…
