
Validating email alerts about school closures

I just got this emailed alert (allegedly) from Wake County Public Schools, announcing that school would be closed tomorrow (we have an inch of snow tonight with another six possible by daybreak):

From: notify at …
Subject: Wake Schools Closed Wed, Jan 29
To: notify at …
Reply-To: webadmin at …

All Wake County Public School System schools will be closed on Wednesday, January 29, due to inclement weather. Athletic and extracurricular events are also canceled. The safety of our students, parents and staff remains our top priority.

Make-up dates for this missed day of instruction will be announced as soon as possible.

(I’ve replaced the wcpss.net domain in the above email addresses to thwart spammers)

Now the problem with emailed alerts announcing school closures is that it’s stupefyingly easy to forge emails. I was doing that twenty years ago. One doesn’t have to go to the lengths that the prankster NCSU students went to in 2005 to submit fake closure announcements to TV stations. Simply forge an email to news outlets and they’ll repost it. After all, it looks official, doesn’t it?

Now, this is an excellent case for cryptographically signed emails. Wake County Schools simply creates a key pair, posts the public key on its website, and cryptographically signs every important email sent to its audience with the private key. If there’s any doubt about the authenticity of the email, all one needs to do is check the message’s signature against the key on their official website. If the signature verifies, the email is legit.
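The workflow described above (publish a public key, sign each alert, check a received alert against the published key), as an added example that is not part of the original post. It assumes GnuPG 2.1 or later; the address alerts@example.org, the key and the message are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The identity, key and message are constructed for the demo;
# alerts@example.org is a placeholder, not a real school-district address.
WORK=$(mktemp -d); SENDER="$WORK/sender"; READER="$WORK/reader"
mkdir -m 700 "$SENDER" "$READER"
cleanup() {
  for h in "$SENDER" "$READER"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Sender: create a signing key, export the public half, record its fingerprint.
# pubkey.asc and published.fpr stand in for what would be posted on the website.
setup_sender() {
  gpg --homedir "$SENDER" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "School Alerts (demo) <alerts@example.org>" ed25519 sign never &&
  gpg --homedir "$SENDER" --batch --armor --export alerts@example.org > "$WORK/pubkey.asc" &&
  gpg --homedir "$SENDER" --batch --with-colons --fingerprint alerts@example.org |
    awk -F: '$1 == "fpr" { print $10; exit }' > "$WORK/published.fpr"
}

# Sender: clearsign a message file; the signed copy is written to <file>.asc.
sign_alert() {
  gpg --homedir "$SENDER" --batch --yes --local-user alerts@example.org \
      --output "$1.asc" --clearsign "$1"
}

# Reader: a separate keyring holding only the key fetched from the official site.
setup_reader() { gpg --homedir "$READER" --batch --quiet --import "$WORK/pubkey.asc"; }

# Reader: succeed only if the signature is valid AND made by the published key.
verify_alert() {
  status=$(gpg --homedir "$READER" --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
  # The last field of the VALIDSIG status line is the primary key fingerprint.
  signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
  [ -n "$signer" ] && [ "$signer" = "$(cat "$WORK/published.fpr")" ]
}

setup_sender && setup_reader
printf '%s\n' "All schools will be closed on Wednesday, January 29." > "$WORK/alert.txt"
sign_alert "$WORK/alert.txt"
# A copy altered after signing, as a forger without the private key would produce.
sed 's/closed/open/' "$WORK/alert.txt.asc" > "$WORK/altered.asc"

verify_alert "$WORK/alert.txt.asc" && echo "signed alert: verified against published key"
verify_alert "$WORK/altered.asc" || echo "altered alert: rejected"
```

Comparing the signer's fingerprint with the published one is what ties a valid signature to the school system; a valid signature from some other key proves nothing about the sender.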

Hopefully, our news media is already verifying these reports through other channels, but it would be easy for Wake to do this themselves.

  1. So many things would be better if GPG was used by “ordinary” people in everyday situations. Unfortunately GPG has been decidedly placed in the “it’s too hard” category. I suspect much of this is due to the poor documentation, poor implementation in Windows software, and the lack of understanding of why this is important.

    Since starting to work for one of the largest open source/Linux companies on the globe I’ve been shocked at the number of people who regularly offer their GPG key fingerprint in their signature but fail to *actually* sign their email on any regular frequency.

    Disappointed? Yes. Given up? Hardly.
