Last week, while working on my thesis (yes, that’s also why I’m late), I received an email from a company at my uni email address. I apparently ordered something — yes, I shouldn’t use my uni address for this, but it’s in vogue after all — but forgot about it. So the company kindly reminded me that they received my order and that it would be processed as soon as payment was received.
But no, siiike, it was a phish. Or, not really: it wasn’t really gleaning for any personal information, and all the links looked harmless besides the glaring misspellings. But it was a phish which had skipped the spam filtering. Hhhmmm, wait a minute. The phish came from the inside!
The university having to cheat to send us fake spam wasn’t the thing that annoyed me the most: it was their communication preceding it. I think I got three or four emails before this, implying that we are somehow responsible for the university’s data security. They also friendly reminded me that I haven’t finished my ‘voluntary assignments’. ‘You are the last line of defense against cyber attacks’ — so much for ‘people first’ I guess..?
It’s not like these disingenuous rhetorical maneuvers are unprecedented here. Remember when the board tried to avoid stepping on people’s toes with their hubris? It’s rubbing off onto the students too. That same board got impersonated by the University Rebellion in an email declaring a ‘climate emergency’. The same spam-filter that the university used to cheat the fake-spam in, let actual-spam (no, not the edible kind) in. In a showing of their technical prowess, the spammers showed us their magic: they just leeched the addresses from the internal contacts directory. Easy-as that.
All of this shows two things. For one, at a technical university, besides a lot of people who could stand to learn a bit more about ‘the cyber’, there are bound to be some with a very particular set of skills. I dunno, say those who manage to spam, without even having to subvert any security measures; or those who can read email headers and figure out you cheated — and then be very annoyed at you for implying they need more schooling in that very subject with no unsub link in sight.
It also shows the importance of rhetoric. If you want the conversation to be about how important it is to be knowledgeable about our digital security, or that the climate deserves way more attention that it gets now; instead of people complaining about your emails, or people complaining about your emails — you have to be rhetorically honest. Be honest why you would like us to do your ‘assignments’, and most definitely be honest about who you are. (And, you’d think it be obvious: don’t resort to spam)
So instead of expecting everyone to participate in the Security Education modules (it’s a bit condescending after all), I propose that the university offers two extracurricular Education Modules. One about digital security, and another one about rhetoric. And I get to be annoyed by both.
