Tuesday, May 15, 2007

Part of the problem

The only downside of living in a city that is a popular tourist destination is having to compete with tourists. Once spring break arrives, whole herds of teenagers or senior citizens wearing matching T-shirts graze the food court at Union Station, where until now I've enjoyed a peaceful lunchtime most Fridays. I take some consolation in the fact that the stellar Indian food at Aditi is always overlooked in favor of pizza and chicken wings, so my wait in line isn't any longer than usual, but it's getting harder to find a seat. Last week I found a two-top next to three women at an adjacent table, and when I asked if anyone was sitting there, one responded "You are!" I didn't have to ask if they were from the Midwest. After a few minutes, though, others from their group started to gather, and before you know it I'm ceding the opposite side of my table, drafting food court treaty provisions in my head, hoping to finish my curry before everyone forgets I had a legitimate claim.

Being rather new to the area, we still have plenty we'd like to see ourselves, too. Fall and winter were great times to catch up on a lot of stuff we hadn't seen in a while and explore the sights that were always too far down the priority list to cut the mustard when we were just visitors. Like the Theodore Roosevelt Island National Memorial. Didn't know there was a Theodore Roosevelt Memorial? Let alone an island? Yeah, neither did we. It holds up a commuter freeway, and since 9/11 airport traffic has passed directly overhead, so it's not exactly the remote wilderness Teddy may have wanted. If you like mosquitoes and goofy statues, though, do put it on your list.

For Mother's Day we had grand plans of visiting Great Falls Park, making an afternoon of nature's majesty just ten miles from home. So did everyone else, apparently, because a police car was blocking the entrance when we arrived, and most of the cars passing by could be seen turning around with disappointment on their faces. We were among them, but at least we could tell the kids we'd just come back another time - no big deal. So we resorted to Plan B:

Friday, May 11, 2007

Security weakness by design

I have a pretty simple email address (only seven letters, no numbers or symbols), so I've gotten used to receiving emails meant for other people. It's not spam - it was meant for an individual person, just not me. I usually reply with a "Sorry, wrong email address," and that's that. Most of the time, I get an apology or a "Thanks for letting me know." One real estate agent tried to sell me a house while he had my attention even though I wasn't the intended client, but that's rare.

The messages I've received by accident have ranged from the mundane (forwarded jokes, baby pictures, nice-meeting-you-at-the-convention) to the embarrassing (think Taxicab Confessions). The first email that made me really worry about security issues, though, was from a hospital. A patient had made a mistake writing out her email address, so I ended up with correspondence that included home address, social security number, you name it. I immediately contacted the hospital to alert them of the error, and felt relieved that the information hadn't ended up in the wrong hands. I'm not sure what you'd do with the identity of someone from back-country Arkansas, but I've never wanted a credit card at Wal-Mart, either.

A few days ago I received an email asking me to confirm my email with some website called Plaxo. I'd never heard of it, so I assumed someone mistyped their email address again and deleted the message. The next day I received another email from Plaxo, then a couple more within hours. Assuming the message would keep coming, I looked for something to click on that would DISconfirm my address, but this is all the email contained:


I figured my problem needed "additional help," so I sent an email to validation@plaxo.com as instructed. The next day I received this response:


I tried to use the E-mail Validation Troubleshooter, but following the link took me to a login screen. Since it wasn't my account, I couldn't know the password, so I emailed Plaxo again, recounting my experience and telling them that there had been a mistake. The response?


One of the three email addresses listed made it clear that their registered user's name was Kevin, but they went ahead and addressed their reply to Karl. Apparently, sending an email to validation@plaxo.com validated my email address, so now I'm anticipating a flood of emails meant to go to some guy whose typing skills leave something to be desired. I shot off yet another email to Plaxo, telling them that their confirmation process is a one-way street with no exit.

Then it hit me. If my email address had been confirmed, would I be able to claim that I had forgotten my password and get a new one sent to me? I returned to the Plaxo login screen, clicked on "Lost Password," entered my email address, and sent off the request. Within seconds, I received this:


Followed the link, entered a new password, and I was in. All I wanted to do was get my email off of the account, but I could have taken whatever information I could find in this stranger's account. Scary.

This is an example of poor design leading to weak security. By not providing a way to say no to an email confirmation, Plaxo made it possible for anyone who received it in error to gain access to the intended user's account. Plaxo appears to be just an internet address book, but if a similar weakness existed elsewhere, a serious breach of privacy could arise. This isn't just a bad way to run a company - it's bad news for the users. Simple mistakes shouldn't lead to security lapses. Here's hoping that Plaxo can provide a bad example that others will learn by.
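A sketch of a confirmation flow without that weakness, added here as an example and not Plaxo's code: the mail carries both a confirm and a "not mine" link, a message to support never verifies anything, and password resets go only to verified addresses. The class, function names and addresses are hypothetical, and the signing key is generated for the example.

```python
import hashlib, hmac, secrets

KEY = secrets.token_bytes(32)  # server-side signing key, generated for this example

def link_token(account, email, action):
    """HMAC binding a mailed link to one account, one address and one action."""
    msg = f"{account}|{email}|{action}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

class Accounts:
    def __init__(self):
        self.state = {}  # (account, email) -> "pending" or "verified"

    def add_email(self, account, email):
        """Attach an address as pending; return the tokens mailed as two links."""
        self.state[(account, email)] = "pending"
        return {a: link_token(account, email, a) for a in ("confirm", "deny")}

    def follow_link(self, account, email, action, token, session_account=None):
        key = (account, email)
        if action not in ("confirm", "deny") or self.state.get(key) != "pending":
            return "rejected"
        if not hmac.compare_digest(token, link_token(account, email, action)):
            return "rejected"
        if action == "deny":
            # The exit the post asks for: no login needed to say "not mine".
            del self.state[key]
            return "removed"
        # Confirming requires a session already logged in to that account, so
        # a stranger who received the mail by mistake cannot verify the address.
        if session_account != account:
            return "rejected"
        self.state[key] = "verified"
        return "verified"

    def support_mail_received(self, account, email):
        """Mail to the help desk is not proof of ownership: state is unchanged."""
        return self.state.get((account, email), "unknown")

    def request_password_reset(self, email):
        """Return the account to mail a reset link for, verified addresses only."""
        for (account, addr), status in self.state.items():
            if addr == email and status == "verified":
                return account
        return None
```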