Beware Google Mail/gmail External SMTP Feature

Last year, Google added a feature so that you could send authenticated email through another SMTP server.  This eliminated the need for the "on behalf of" Sender header.

It requires you to enter the authentication details of an account and it verifies that it can access the SMTP server at that time.

However, if that account changes (i.e. a password change or anything else that would cause authentication to fail), you will get no notification of email failures.  You can click send and the message will go into sent items, but it will never arrive at the destination.  You will receive no bounce.  You will receive no message from Google that the account isn't working, and there is no visual indication that anything is wrong.

Your mail will simply and silently not be sent.


T-SQL Tuesday - Business: Listen and Learn

T-SQL Tuesday Hosted by Steve Jones

The official topic this month is:
What issues have you had in interacting with the business to get your job done.

I have entitled my essay: Listen and Learn

I have found that most things in life obey an 80/20 rule. With regard to this rule, business is no exception. I find that dealing with the business, like dealing with anything else, requires you to listen carefully and understand not only the requests and the rationale for them but also the personal motivations of the people behind the requests.

There are many myths about "business" people - the first is that only "the business" is good at business. Well, only about 20% of business people are really good at business regardless of how you define it. And even out of those, there are other factors besides skill involved. A lot of business is not "business" - it's luck and human nature. And plenty of people who are "good" at business aren't "successful" at it, and plenty who are "successful" but aren't "good" at it.

Look at Steve Jobs. His "business" skills are product-oriented. The things he is good at are not financial problems, or production problems, or operations problems, or any number of other things you may associate with business. He's not a deal-maker CEO, either. This is a completely different motivation and focus than the next business person you may pick.

In the CEO or President role you will see different motivations than in the CFO or COO or CIO roles. Being aware of that is a key to being able to present solutions and strategic options.

IT is just part of the business and the users in IT who understand the business and understand the motivations will succeed beyond those who treat IT as a compartmentalized endeavor. If a CEO has weak technological skills, they will need to be augmented by someone who can provide technology options which can inform, enable or drive strategic initiatives. Even in an enterprise which is not technology driven, some technology (even if it may be considered outdated, like paper and pencil) will be used.

It's important to have IT be a strong partner in the business, through and through. For that to happen, IT people have to listen and learn the business completely.

Because some day you may be running the business.

What's up with Gawker and why it's a big deal?

On Gawker's side:

Amateur security fuckups - plain and simple - these are all basic security failures

You shouldn't be storing encrypted passwords in the first place - even if the data is encrypted, what are you using for key management? - is all the data encrypted with the same key?  Why worry about that - DON'T STORE PASSWORDS.

When you store a hash, store a salted hash, so that people who have the same password can't be identified from the stored values and the easy attacks are harder.

They didn't notify any of the affected users until days after Twitter was already full of information about it.
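The salted-hash point above, as an added example (not part of the original post): with unsalted digests a leaked table shows which users share a password, while a per-user random salt hides that. The account names, passwords and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and carol share a password.
USERS = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}
ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_record(password):
    """What NOT to store: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a slow KDF; store the salt beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def shared_password_groups(table):
    """Group users whose stored value is identical, as a leaked table would reveal."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(users=USERS):
    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    digests_only = {u: d for u, (_, d) in salted.items()}
    print("unsalted, same password:", shared_password_groups(unsalted))
    print("salted, same password:  ", shared_password_groups(digests_only))
    print("login still works:", verify("hunter2", salted["carol"]))
```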

On users' side:
We all know you can't remember a million passwords - you have to use password vault software and, where possible, use central authentication like Facebook Connect or OpenID.

You can't re-use passwords - look at the site - Gawker is a multi-million dollar enterprise and they are security fuckups - how many sites do you think may not even be encrypting passwords?

Looks like it might be a good idea not to re-use email addresses either, since the problem cascades with using the email address to identify users fairly uniquely - this is where the whole system breaks down (see my paragraph later about infrastructure).

When you go to a site you rarely use like Gawker or an online forum where you need help with a question about bicycle repair - take the time to make a unique email address and password for the site instead of using a throwaway weak password you use for lots of unimportant sites.  Because even if all those sites are meaningless to you and your important accounts are secured with strong passwords, you still can be majorly inconvenienced when your email address cascades through the systems and the owners decide to disable your account because a site like Gawker is hacked.  In addition, you'll have a good record of all these little accounts and be able to go back and check them.  If you've taken to using the same email address and password for all these little sites, you'll have trouble finding their details, but with a password vault they will all be there for you.

Other sites:
It's nice that you have a list of affected users' emails - the effort to disable all their accounts and require resets is a good one.  So far I've received notification from Facebook, Digsby and LinkedIn.  If you could quantify that cost and bill it back to Gawker, that would be great - because now even users with unique secure passwords on different sites have been inconvenienced by the fact that they didn't want to also have to remember a million email addresses so they re-used their email address for a ton of sites.

Too bad lots of other sites won't run the email list through their systems and notify their users.

On the infrastructure side:
More than ever, it's clear that we need sites (especially those which don't have the resources to follow basic security principles) to move to OpenID, Facebook Connect or whatever, and that users need better tools to manage their digital identities over thousands of sites.

Even with a password vault, we are already managing too many user ids, emails and passwords, all with varying standards for strength.