Blind Carbon-Copies with 20-20 Vision
Copyright © 2011 Carlos Moreno
and Mochima Software/AudioSystems
The Shock
Really, Bruce Schneier could not have said it better: “The Internet Explorer sucks!” [1]. Actually, he could (and maybe should) have said it better: what he really should have said is: Microsoft products suck! (and I'm sure many many people would want to correct me and remove the word “products” from that sentence)
Leave it to Microsoft to be so creative, so imaginative as to come up with bugs that no-one could possibly imagine that any software could get wrong, not even if they tried! Leave it to Microsoft to shock the world with the groundbreaking notion and very ingenious idea of blind carbon copies that are not that blind — that indeed seem to have 20-20 vision!
I also have to clarify up front that it is September 7; more specifically, it is not April 1; so no, really, this is not an April's fool prank! I have to say it because, really, this is the kind of thing that I would not believe in a million years; not even coming from Microsoft could I even entertain the idea that such a bug could possibly occur!
I mean, even my 5 year old niece and 7 year old nephew understand quite well such a simple notion: if you send an e-mail to someone (say, to Alice at alice@a.com) and blind-carbon-copy someone else (say, Bob at bob@b.com), then of course Alice would not learn (by means of the received e-mail, of course) and will have no way to know that Bob was also a recipient of the message. There simply can be no way that Alice could deduce, from the information she receives in the message, that Bob also received that same message (of course, Alice could learn that from other means; she might have access to Bob's e-mail or something silly like that; or she might know Bob and by talking with him she learns that he received that message; but this is obviously a different matter, and not relevant to the rantin....Ermmm, to the discussion at hand!)
As the greatest “Duh!”, possibly granting me a nomination for the “Mr. State the Obvious 2011 Award”, let me state it: that of course means that the message that Alice receives must in no way contain Bob's address (again, except if the sender of the message writes it in the body or subject of the message; but again, this would be an entirely different matter, not relevant here, and let's face it: that normally does not happen; not even with the most unskilled of computer and Internet users out there!).
The above notion is so obvious that I really feel embarrassed to have to explain it — but the thing is, as you will see, I need to explain it, because Microsoft developers do not seem to understand it, so it may not be as simple and as obvious as I tend to believe. Of course, if in any way Bob's address were to be included in the message (even if just hiding in some obscure, custom header line), the thing is, that address now is in Alice's hands, and therefore Alice can learn that Bob was a recipient of that same message, negating the premise of the use of BCC; if the sender does not care and wants to allow Alice to learn that Bob is being sent that same message, well, there is the regular carbon-copy for that purpose.
The Puzzling X-MS-Exchange-CrossPremises-BCC Header
So I receive this e-mail from a staff member addressed to a certain community that I'm part of. By pure coincidence, I needed to re-adjust some parameters in my (custom-made, home-grown) spam filter, so I went and dug into the internals of the message, checking the various header lines. I found, with great horror,[1] that I'm seeing a list of 40 or 50 recipients, including of course my e-mail address.
Not being (not by a long shot) the only time that I've received an e-mail where the sender was so irresponsible to send out a mass e-mail using carbon-copy instead of blind carbon-copy and thus disclosing everyone's e-mail address to every other recipient, even in cases where this e-mail address had been given under their privacy terms that prevent them from disclosing it to anyone else without my consent (and in fact, in some jurisdictions, like the one where I live, protected by Federal Privacy Laws), I was really furious — the anger fueled by the feeling of hopelessness about strongly and harshly complaining to that person that presumably made the very serious error of mass e-mailing disclosing everyone's e-mail addresses.
I'm then puzzled by the fact that my e-mail client (Thunderbird, of course) shows no headers, and shows indeed that she sent the message to herself exclusively, with no carbon-copies showing at all.
Huh? ... Ermmm ... Huh??
Back to the message's internals, to discover the non-believable header X-MS-Exchange-CrossPremises-BCC, which very nicely and conveniently makes the list of secretly copied recipients accessible to everyone that receives the message. How nice!
I mean, I can picture in a sketch of Get Smart! (the TV series from the 60s, of course, not the movie from a few years ago!), Maxwell Smart being so stupid (after all, those characters were stupid by design, for the noble purpose of being funny) as to tell his Kaos captors a list of names, telling them something like «but this list of names is secret, so you were not supposed to know; pretend that you did not hear it!»
If you understand the technical details about the inner workings of e-mail and e-mail communications, you would understand that the above (made up) joke is the most accurate possible analogy for the level of stupidity that this Microsoft software carries! You know, it's not even that the list of BCC addresses was accidentally misplaced and miscategorized so it made it through to the sent message. The software explicitly chose to state These are the BCC'd addresses; the ones that you can not be allowed to be able to learn.
I know that a considerable fraction of the readers will simply not believe me (I know I would be in that fraction if I was reading such a report on some forum or blog out there); I know it does seem like a this is simply, unconditionally, and from any conceivable point of view, not possible kind of thing. I guess I can only invite you to search through your InBox to see if it has happened to you.
It started happening to me on last July 11 (that is, this is the date of the earliest message in my InBox that shows a list of BCC'd addresses through the X-MS-Exchange-CrossPremises-BCC header item). It may be a configuration option (possibly an obscure one), which does not absolve Microsoft from blame; in which case, it may or may not happen in your case. It may be a bug that appeared with some upgrade or some new version of that software that was available some time before that date, in which case this could be happening to lots of people. It may be some plugin or some external software that was installed in the network where this person was, and that was to blame for the horrible bug? I would normally tend to think that in such case I would present my apologies to Microsoft (not that I believe that they would care in the least), but you know what? For too long they have gotten away with being left off the hook and absolved from liability in the most horribly unfair ways, when they should have paid dearly for their irresponsibilities, their abuses, and their incompetence and utter lack of care for the quality of the products that they force into the market. So no, I wouldn't feel bad if this time it turned out to be the opposite; somehow I really doubt it; the thing is: some piece of software did make that mistake; I find it really implausible that someone other than Microsoft would have the capacity to do something that unbelievably stupid! (plus, the evidence points quite conclusively in their direction)
Of course, if someone could shed some light on why exactly this could happen, and it turned out that my claims are inaccurate, I would of course withdraw this essay on the grounds of being technically inaccurate (but only for being inaccurate — Microsoft would most definitely not have my sympathy!).
This whole thing makes me think about this piece of news that I read recently, about how Microsoft is steadily profiting off Android (apparently something about patent enforcement, forcing several companies to pay them fees for each smartphone they sell). That caused mixed feelings; on the one hand, I feel anger to see such a parasytical behaviour (since I'm sure that the patents are most likely bogus and frivolous, designed to extort money from other companies), but then, I figured, well, one could see this as society's way of telling Microsoft: «please stay away from smartphones: we'll pay you to stay away from smartphones!!»
I wonder if Microsoft should just go ahead and patent things so that they can extort money from everyone that uses Sendmail and Thunderbird, or whatever non-broken mail software (both server and client), so that they make more money off that scheme and stop inflicting pain on society by putting MS-Exchange and MS-Outlook out there!
Some Concluding Remarks
Bruce Schneier also ranted about How Liable Should Vendors Be? [2], in favor of the idea that software vendors should be financially liable for the bugs in their products as the only hope for computer security (and privacy as a side-effect, most likely) to get any better. The reasoning is that they do not care about security because adding security costs them money, whereas the lack of security in their products really does not cause them any financial losses, and thus they do not have any financial incentive to make their products more secure. Legislation, Schneier suggests, should change this, since now the security problems in their products would lead to financial losses.
More in general, I do think that legislation that assigns financial liability not only to software vendors, but also to companies and organizations (in general, to non-individuals) for these sorts of errors, is badly needed. It's very easy for them to just apologize for their error, when they are not the ones that suffer the consequences for those errors, that should be entirely avoidable. How? Well, as things are now, it may seem unreasonable to pretend and expect that they be compelled by law not to make certain mistakes (after all, human error is unavoidable, right?). But if they were financially liable for those mistakes, believe me, they would find ways to make those errors simply not possible. The thing is, not being any legislation that makes them liable in any way, of course they do not care (I mean, some of them do care, but to the point of apologizing — a sadly and utterly useless gesture, given the irreversible nature of the damage done by that sort of mistake).
You know, it is bad enough that your friends and relatives make this mistake all the time (sending, say, a chain letter, to everyone in their address book, being so dumb to use CC instead of BCC). You yell at them, and quite likely they will not do it again (quite likely they will, but since you yelled at them, they will probably be pissed off at you and will remove you from their address books, so maybe they won't do it again to you; but after all, that's all you care about, right?). But the thing is, someone else will do it after them. And after you yell at that other person and that other person doesn't do it again, then someone new in your life will. The cycle never stops.
Fine, you can't do anything about your friends and relatives; but you go to a store, or the doctor, or a gym, or any organization that you want or need services from, and you're subject to them just disrespecting the privacy of the information that you confide in them, without anything that you can do? I say, enough !
What to do about it?
Of course, if possible at all, you should use disposable e-mail addresses exclusively. Tag them with an identifier of the organization that you're giving it to (so that if you start to receive spam to that address, you'll know where the leak came from); for example, I would setup an email address such as myname-kodak@whatever if I order prints of my digital photos from kodak's online service and they require an e-mail address. Whatever e-mail address that becomes compromised by the irresponsibility of others, you can always discard (after yelling at them, or before, or during — doesn't really matter), making the problem a little less annoying.
Footnotes
- No, I'm not being overdramatic; for someone working on Computer Security and Privacy, things like this are horrific. ↑
