Ladies and Gentlemen, I give you Vauhini Vara of the WSJ.
Around 8pm last night I received an e-mail entitled "Re: Please Stop!" from one Vauhini Vara at WSJ.com. I sent the original "Please Stop!" email last week after reading Alex's analysis of the now infamous article:
Thanks for the candid feedback. As it turns out, I think there might be room for a follow-up story on things IT departments wish employees knew. Want to take a stab at offering some thoughts on this? I’m looking for specific tips – along the lines of the last story – highlighting what people can do to keep themselves and their companies secure and prevent legal and regulatory trouble. I would especially welcome any horror stories you can offer that illustrate why these tips are important.
Well, I was gobsmacked. Still am to some extent. I felt justified at having stuck up for her a bit the other day. I still think it was at the very least slightly arrogant to print the article with so many technical errors in, especially when some of it was just wrong, but it seems like some amends are going to be attempted, and that counts for a lot.
To start with I sent her a comprehensive correction of her original article. Which she rejected as she didn't want to rehash her last article. Shame, but I understand that the WSJ has to sell some papers and a repeat of the last article isn't going to cut it.
I deliver the rest of this post as a forewarning however, to show the world that my intentions were honourable, in case of subsequesnt misrepresentation. Yes, I'm taking a hit for the team. My dealings with Vauhini haven't been wholly amicable, although professional. Maybe because the title of our exchange hasn't been changed yet, and maybe that would be a step towards helping our common cause. Maybe because she's young and inexperienced and still feels invincible. As Kai (Roer) said to me earlier, "I was bulletproof when I was her age". She sent me an example of the kind of answer to her questions that she was expecting:
One CIO, for instance, suggested this interesting tip: Don't forward phishing or spam emails to the IT department -- because the phisher or spammer will then know that your email address is legitimate and could use it again.What? Are you sure? I think there may be some wires crossed here (again), and I'd like to try and uncross them:
I’m not sure I fully understand why forwarding a mail to the IT department means that a spammer will know that it is legitimate however… is there more to this explanation? i.e. Spammers often embed links in their mails so they can count the number of people who open them, and their addresses if they are clever about it. However, Outlook will disable links by default. I would always make the IT department aware of phishing mails, so that they can educate the users, and spam so they can take steps to block it.
If you’ve opened the mail already with links enabled, the damage is done. I think you need to make sure you are getting the full story from people when you are writing up what they say, and don’t leave anything out. If you don’t understand it completely, ask for an explanation.
Cue another slightly smug reply:
...and thanks for the journalism tip....Now regular readers will know that I'm not going to take that lying down, but perhaps I went on a bit too much:
Yep, that’s part of the job.
Most of the criticism of the original article came from people saying that you obviously didn’t know what you were talking about. This is why I sent you the notes previously. If you read through them, you will learn what it is that people are annoyed about, a misrepresentation of facts...Grr...
If you print stuff like you sent me previously, and wrote in your original article, people will crucify you. Not because it is encouraging people to break security regulations, but because it is technically incorrect...
If you do have the full story on this one, what else did the CIO with the previous comment say? I’m interested to know, now you’ve told me “that’s part of the job”, because what you’ve told me here doesn’t show a complete understanding of the subject.
Hey, sure, understood - thanksMehtinks the lady doth protest too little, but actually, that's what I would have said, especially when I was young and full of spunk and guts like she obviously is. Now I don't want to get into an argument, so I just spent the morning rewriting the piece on tips for getting on with your IT department. It'll probably be wrong for her again. Hell, if she uses any of it at all, it'll probably be nothing like my original article. I will print my original here later for comparison with anything she might print later. I have a feeling we're going to disagree and I don't want my name pulled through the mud like hers has been, so my version of events will appear here for you to compare with whatever goes into the WSJ. I pray to God my reputation isn't tarnished forever in this attempt to promote security awareness.
Still, it's been fun trying to (promote awareness), and that's what's important right now, the greater good, the common cause and all that. Plus, I might get in the paper.