Supposed SysAdmin & Network Security experts don’t know how to run a secure Web site

By | April 9, 2010

Yesterday, I decided I wanted to unsubscribe from one of the e-newsletters published by SANS, which bills itself as, “the most trusted source for computer security training, certification and research.”

There were no instructions in the e-newsletter for how to unsubscribe, so I went to their Web site. It told me that I had to sign into my Portal account; the only problem is that I’ve never had a Portal account, and I subscribed to the SANS e-newsletters long before such a thing existed.  I figured that perhaps they auto-created an account for me at some point, so I gave the site my email address and told it that I’d forgotten my password.  It claimed to have mailed password reset instructions to me and told me that I had to follow them within two hours, but over ten minutes later, they still hadn’t arrived.

Thinking that perhaps I could register my email address for a Portal account and would then “inherit” any legacy subscriptions under that email address, I tried registering.  It rejected my registration form, telling me that I needed to enter a valid email address.   I couldn’t tell whether it was rejecting the form because the email I entered was already in its database, or because it incorrectly believed that “” was not a valid address (a lot of Web sites can’t seem to handle the idea that “” is a valid email domain).

At this point, I threw up my hands and sent them email describing everything that had happened and asking what the heck I should do.  I ended my email with, “The fact that you guys are supposedly experts at secure Web site design make this rather ironic.”

The password reset email finally arrived after having been held up on the SANS mail server for an hour and a half.  I wasn’t on-line when it arrived, and by the time I saw it, the two-hour window had elapsed and I couldn’t use it to reset my password.  I also received another delayed email message informing me that I had tried to register a new account using an email address that was already registered, thus answering the question of what the Web site had meant when it rejected my email address as invalid, but not explaining why it couldn’t have just displayed this message in my browser rather than sending me an email message about it.

I tried the password reset thing again, and this time the email arrived immediately, so I was able to log into the Portal account they had created for me and unsubscribe from the e-newsletter.

A day later, they responded to my email: “I apologize for the inconvenience.  Upon reviewing your account it appears that you are no longer subscribed to @RISK.  You are sill [sic], however, subscribed to Newsbites.”

Gee, thanks for telling me what I already know.  How about telling me something useful, like why my password reset email was delayed for an hour and a half on your mail server or why you send people email rather than displaying an error in their browsers when they try to register an email address that’s already registered?

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *