It's interesting that they can just reassign an email alias to someone else without any approvals. Could this be a permissions oversight? Or could the person who designed the system have thought that, heck, it's always permitted to reassign an email alias owned by the current user?
The sheer number of multi-million dollar value domains you could snag in those days was wild. All that ended when it changed to, IIRC, $200/2yr and everyone suddenly dropped all their parked domains.
We were all a bit high and mighty and believed commercial use of the Internet was an awful idea. So grabbing any domain for selling things (cars.com, movies.com, sex.com) was out of the question. We were so, so wrong.
Everyone’s super concerned about security and control, but the best places I worked in were more concerned with freedom. Yes, be savvy about security, protect key assets, but “permissions oversight” about claiming an alias seems excessive.
You’ll have 1,000x more headaches and burned operational cash getting everyone to approve everyone else’s every step than handling one security incident in a decade. And even with very tight security, something will still happen. It’s best to have backups, a good restore plan, and a relaxed culture*. Or that’s what I think, anyway.
I’m in SME land though, not big tech. But then again, 99.99% of companies are.
One of the biggest time sinks and "velocity" killers in BigTech, and sometimes also in MediumTech, is the need to get approval (sometimes multiple people's approvals) for absolutely everything. Often, approvers are among the most senior, busy people in the company, and "approving a dozen things" is not even top 100 on their list of things to do today. There are people who spend >75% of their time just "chasing" approvers and reminding them to please, please, please approve my Thing X so we can launch Product Y on time!
In multinational megacorps this is more or less modus operandi. I am not even mad anymore, I realized this ain't malice but simply inevitable as size goes up and time passes on.
The best companies that realize this can minimize it, but it's inevitable.
I feel you. I keep hearing people in software say "wild west" when they mean "absence of paternalistic bureaucratic controls."
The virtual space is locked down so so so much harder than the physical because it's "free" to automate, but the vibe is it's outrageously uncontrollable. I get it when we're talking the whole Internet, but the same group of insiders as the physical space?
> but the best places I worked in were more concerned with freedom
Sure. But if that's the case why do you even have individual email? Make everything a group email and group IM. Not allowed to send messages to a specific person; can only send messages to everyone. What would happen?
Can you see the flaw in this logic? Email isn't only for discussing work projects. It needs to be private for discussions involving HR, legal, and other personnel matters.
And every NeXT machine came with an email waiting in your inbox out of the box from sjobs@next.com complete with Lip Service voice message from Steve Jobs.
Of course you likely had no immediate way to reply to an internet email address like that at the time out of the box.
Registering an alias self-service style is fine. What's potentially problematic is changing that alias once it has become established. Please read my original comment again.
Even with the privacy concerns aside, you need individual mailboxes for reasons of maintaining organization.
I think your point would be better made if in your hypothetical, we still had individual mailboxes, but everyone could see into everyone else's mailbox.
The bigger issue is probably being allowed to set up an arbitrary one at _all_ without approvals. Once you have one, redirecting it is maybe not the biggest issue? Could still be problematic though.
This story is quite old, security culture in tech was really quite basic and forgotten in a lot of places. I would hope that a similar thing would not be allowed today at anything like a big company.
> security culture in tech was really quite non-existent
This is 1991, the actual number of people on the internet was tiny back then. Things like SMTP servers were commonly open relays (for some reason I'm remembering sendmail being an open relay out of the box).
A lot of the internet culture wasn't based on security, but on the premise you shouldn't be a dick.
It quickly changed in the next few years as the number of people online exploded.
Yep! A formative experience of my childhood was working out how to type SMTP commands over telnet and sending mail from billg@microsoft.com to my dad. Such "opportunities" vanished decades ago.
Worked at an aerospace concern in the early 90s… for the first year or so there was no firewall. Yes, my Mac and PC directly on the internet with routable addresses.
I soon set up a website and webcam as they were shipped. CU-SeeMe blew my mind. At some point I stood up a Quake server and invited friends to play. ;-)