Here's one story of what happens when people write things down in email that they would not want to see shared with the world.
In this blog, I try to drive home the importance one's online reputation has. One of TechRepublic's bloggers, Scott Lowe, had an interesting experience in which someone online mistakenly dropped his name in relation to an unfolding OpenBSD scandal. Today, I'd like to feature Scott's take on that experience. Here is Scott's story:
A couple of weeks ago, a large part of the technical Internet community got to see what happens when people:
- Write things down in email that they would not want to see shared with the world
- Make unsubstantiated accusations against members of a community
- Recklessly share with the world that which was intended to be kept private
You may recall that the OpenBSD community was abuzz with what, if true, would be a devastating blow to OpenBSD and, frankly, overall trust in what is considered to be a solidly reliable open source development process. Specifically, a gentleman by the name of Theo de Raadt forwarded a private message he received from another gentleman named Gregory Perry. In this private message, Mr. Perry makes a claim that the FBI has paid a developer to add backdoors to OpenBSD's cryptographic framework and has paid others, including "Scott Lowe [...] a well-respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments."
While Mr. Perry did not specify which Scott Lowe he was referring to, I'm far from being a major player in the virtualization community and I have not recently written any tutorials related to OpenBSD. Further, both the "other" Scott Lowe and I denied any such involvement in these activities and he and I had a little bit of email back and forth as a result of this message.
Although the whole thing blew over very quickly, it was an interesting situation made a bit more interesting because of the multiple Scott Lowes involved. This is far from the first time that the EMC Scott Lowe and I have been confused with one another. It happens pretty regularly on Twitter where he is known as @scott_lowe and I am @otherscottlowe. I used to use a different Twitter handle, but decided that I would have a little fun with the name confusion and own the "other" Scott Lowe moniker. In most cases, I don't mind at all being confused with EMC Scott Lowe. Frankly, the guy is brilliant and is an all-around nice guy and, as I understand it, recently found out he's going to be a grandfather for the first time (by the way, Scott, if you read this: Congrats!).
For me, the situation brought to the forefront just how fragile an online reputation can be. Through no fault of either Scott Lowe, a third party dragged our shared name through the mud - albeit, in a private message - without the benefit of defense. I suppose I'm not sure which is worse - falsely accusing someone of something in what was supposed to be a private message or having that message go public. At least once something like that goes public, it provides an opportunity for defense.
There were three basic rules of communication that were negligently violated in this scenario:
- Mr. Perry wrote things down in an email message that should never have seen the light of day. But, guess what - we all do it. Probably every day. We reply to a message with something that, if published in the paper, would be embarrassing or devastating. That said, this kind of situation should be an eye opener.
- Mr. Perry made negligent unsubstantiated accusations against members of a community - namely, Scott Lowe. Yes, he did so in a private message, but as far as I am aware, he didn't bother to verify his claims with anyone before breaking them to Theo de Raadt. One can only hope that Mr. Perry's email account was hijacked, although that doesn't seem to be the case.
- Mr. de Raadt recklessly shared with the world that which was intended to be kept private. In his outing of Mr. Perry's note, Mr. de Raadt did indicate that he wouldn't appreciate his private communication being made public on the grounds that the potential conspiracy outweighed the privacy issues related to the email communication.
So, beyond the security lessons that were shared by Chad Perrin, there are a number of takeaways to be had from this, including:
- Realizing just how easily your online reputation can be ruined, although that has been far from the case in this situation. That said, it could have gone the other way, too.
- Breaches of email etiquette are still commonplace and can have ramifications even when someone believes that the communication is being kept private.