Sister and fellow aoir-heads:

Feel free to ignore the following as perhaps entirely too trivial and of no significance or interest to anyone but me.

One of my students was sent a Hallmark e-card from someone using the address:

Dr. Charles Ess <imcharlesess@hotmail.com>

The card was more humorous than not:

http://ecardview.hallmark.com/hmk/Website/greeting.jsp?id=EG2189-485477-7888476

This seems to be a largely harmless joke - but I'm wondering what others might suggest would be the appropriate next step?

To begin with, it is bothersome to me that someone has used my name and pretended to be me. This also appears to be a clear violation of the MSN terms of use policy - i.e., under "Use of Services," the listed prohibitions include: "Create a false identity for the purpose of misleading others." (see <http://privacy.msn.com/tou/>).

In particular, I suspect that the perpetrator is a somewhat socially dysfunctional student in a current class who likes to brag a great deal about his (!) computer abilities, including being savvy enough to use the University network in prohibited ways (e.g., to set up his own server utilizing a damagingly large proportion of network bandwidth).

I've contacted MSN to inquire - but I'd welcome your thoughts and suggestions. Is this a relatively harmless joke, best to be ignored - or is it something that I should pursue with the aim of helping the perpetrator understand that this is an important violation of others' rights? (How's that for Internet research ethics? - smile)

Thanks for any advice and counsel you may have to offer.

Charles Ess
Director, Interdisciplinary Studies Center
Drury University
900 N. Benton Ave. Voice: 417-873-7230
Springfield, MO 65802 USA FAX: 417-873-7435
Home page: http://www.drury.edu/ess/ess.html
Co-chair, CATaC 2002: http://www.it.murdoch.edu.au/~sudweeks/catac02/

Education is what is left over after you've forgotten everything that you've learned. (source unknown)
I would also inspect your institution's appropriate use policy. Also there is usually an abuse e-mail address for reporting abuse of all kinds of networking resources.

As for the teaching part, my approach would be to use it as an example in class, with the student you know's permission, iow, play Hamlet, and see who the uncle might be. If nothing else, it will show that you generally disapprove of such things. You could also speak about appropriate use policies, the ability to discern who a user is from the internet, etc. It is amazing what you can do with just an IP number and logs, the IP number might be had from MSN, but could be any number for demonstration purposes, and from there with the proper connections in the right places, you can track even things as minuscule as the stream of addressed packets along the backbone with tools like http://eyeball.sourceforge.net/ (written by an old philosophy colleague, who moved into IT during the boom). This would go far to remove the individual's assumptions of the anonymous nature of the internet.

To me, this seems not to be a major problem, it seems harmless, but for me the problem lies in the assumptions that the person has involving risk, anonymity, identity, etc. So, I think it is important to get him or her to think about their actions, even if they never admit to what they did, they at least might begin to realize that things might not be as they thought they were and that next time it might not be a wise thing to pursue.

On another note, it is quite easy to spoof a hotmail address without ever applying for that address. Most people who are inclined to do things like this could do this through open relays and/or broken scripts, or other exploits without ever touching a hotmail server. The majority of the spam that I get have hotmail or yahoo send addresses, but did not originate from that domain. In this case though, it would be interesting to know how the postcard sending system works. Does one have to have an account to send a postcard from it, or can one type in any address? If the latter, then the address may be entirely spurious, though you can still check the webserver or application logs and retrieve the connection information which would allow you to find the host that connected to the server, though that might be a dead end. If the former, then you have a closer link that could be traced.

In any case, one rule of thumb for this type of forensic work or really for nearly anything related to identity is never to 'trust' an e-mail address for a wide variety of reasons. This is why we have digital signatures, public keys, etc. for establishing identities for many processes.

jeremy hunsinger
jhuns@vt.edu
on the ibook
www.cddc.vt.edu
www.cddc.vt.edu/jeremy
www.dromocracy.com
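Added example, not part of the original thread: one way to apply the rule above about never trusting an e-mail address is to compare the domain claimed in From: with the host that your own mail server recorded handing the message over. The sample message, all host names and the trusted_receivers parameter are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an e-card notice whose From: claims a webmail address.
# The top Received line was written by our own server; the lower one was
# supplied by the sending side and cannot be verified.
SAMPLE = """\
Return-Path: <bounce@cards.example>
Received: from web7.cards.example (web7.cards.example [192.0.2.25])
\tby mx.university.example with ESMTP; Sat, 20 Apr 2002 10:46:02 -0500
Received: from mail.webmail.example (unknown [198.51.100.9])
\tby web7.cards.example; Sat, 20 Apr 2002 10:45:59 -0500
From: "Dr. Example" <professor@webmail.example>
To: student@university.example
Subject: An e-card for you

Greetings!
"""

HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)", re.S)

def domain_of(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def sender_evidence(raw, trusted_receivers):
    """Compare the claimed From: domain with the hop our own server logged."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    handoff = None
    # Received headers are prepended, so the first one written by a server we
    # run is the only hop we can rely on; anything below it may be forged.
    for header in msg.get_all("Received", []):
        m = HOP.search(header)
        if m and m.group(3).rstrip(";").lower() in trusted_receivers:
            handoff = {"host": m.group(1).lower(), "ip": m.group(2)}
            break
    host = handoff["host"] if handoff else ""
    matches = bool(claimed) and (host == claimed or host.endswith("." + claimed))
    return {"claimed_from": claimed, "envelope_from": envelope,
            "handoff": handoff, "from_matches_handoff": matches}

if __name__ == "__main__":
    print(sender_evidence(SAMPLE, {"mx.university.example"}))
```

A mismatch is not proof of impersonation, since mailing lists and forwarding services also send on behalf of other domains; it marks the message as one whose From: line needs corroboration from logs or a signature.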
Dr. Ess,

I suspect that the answer is quite simple. On most sites, emailing a greeting card or news article to another party requires the sender to enter his or her name and email address. However, the programs behind these systems don't actually check whether the sender's account is valid. That makes it easy to send messages that look like they're coming from any address, real or fake.

To verify that this is what happened to you and your student, I just sent myself an e-card from a non-existing email address via Hallmark. It worked like a charm (see below).

So, the student is probably neither socially dysfunctional nor a computer wiz -- he or she probably just wanted to play a practical joke on a classmate, and has a good sense of humor, but also has exceptionally poor judgement. (I.e., impersonating a faculty member in an email is much less funny than impersonating, say, God, who would be much less likely to get in trouble for emailing students.)

I guess that my biggest concern for you is, what if a student picks up on this idea and tries to set you or another faculty member up? I.e., it would be pretty easy to send a racy or otherwise inappropriate e-card and make it look like it's coming from a legit university email address, which could really offend a student and get the "sender" in serious trouble. While I doubt it would come to that, it might be worth notifying your higher-ups of this situation, just in case there is any malice behind this.

Best regards,
Rebecca Hains
Instructor of English
Emmanuel College, Boston

----- Original Message -----
From: <Goddess@sky.org>
To: <rchains@attbi.com>
Sent: Saturday, April 20, 2002 10:46 AM
Subject: A Hallmark E-Card from A Deity

Greetings!
We wanted to let you know that A Deity created a Hallmark.com e-card for you. To see your card, click the link below, or copy and paste this link into your Web browser's address line:
http://ecardview.hallmark.com/hmk/Website/greeting.jsp?id=EG4106-250387-1889406