Domain: netflix.com
Stories and comments across the archive that link to netflix.com.
Stories · 74
-
Netflix Touts Open Source, Ignores Linux
Julie188 writes "If Netflix loves open source, where's the Linux client? Last week's post from Netflix on its use of open source has gotten a lot of coverage from the tech press. Too bad nobody's called the video giant out on its hypocrisy: They benefit greatly from open source, but really don't care to let their customers do the same." -
Disc-Free Netflix Streaming Arrives For the PS3 and Wii
tkdog writes "Netflix has added Sony's PlayStation 3 and Nintendo's Wii to the list of devices that can stream their catalog's content without the need for a disc. On the Netflix blog, VP Greg Peters adds, 'In addition to removing the need for discs, we've developed a new user interface on both applications that significantly improves the experience. The new applications will allow you to search for content directly from the device and you'll also be able to view an increasing portion of our content library with subtitles or alternate audio tracks.'" -
Netflix Prize Sequel Cancelled Over Privacy Concerns
An anonymous reader writes "Netflix just announced that they have cancelled the sequel to the Netflix Prize, which was promised last year. Netflix made the choice after they were sued over privacy concerns. The prize involves releasing large amounts of data about users' movie preferences, which raised concerns from the Federal Trade Commission and a lawsuit from KamberLaw LLC. Netflix's Neil Hunt said, 'We have reached an understanding with the FTC and have settled the lawsuit with plaintiffs. The resolution to both matters involves certain parameters for how we use Netflix data in any future research programs.'" -
Move Over BoxeeBox, Here Comes PopBox
DeviceGuru writes "Following closely on the heels of the December announcement of D-Link's BoxeeBox, Syabas Technology today said it will ship the PopBox, a $129 Internet-based A/V streaming set-top box (STB) in March. Both new gadgets have the potential to give Roku's popular STB a run for its money. All three boxes can deliver a range of Internet-based A/V streaming and social networking services to consumers' TVs. Like Roku's digital video player STB, the PopBox will include Netflix on-demand video streaming when it first ships. D-Link, meanwhile, is rumored to be scrambling to add Netflix streaming support to its BoxeeBox device as well, prior to inaugural shipments of that device. All three run embedded Linux OSes, and all are expected to sell for less than $200." -
Netflix Coming To Sony PS3
itwbennett writes "'Microsoft has always seemed rather enthusiastic when it comes to throwing around the word 'exclusive,' and here is another case in point,' says blogger Peter Smith. Netflix and Sony have announced that Netflix streaming is coming to the Sony PlayStation 3 as early as next month. Back in August, when Microsoft was rolling out its new dashboard update, one of the features it was talking up was Netflix streaming, says Smith, and it said, 'This exclusive partnership offers you the ability to instantly stream movies and TV episodes from Netflix to the television via Xbox 360. Xbox 360 will be the only game console to offer this movie-watching experience...' Apparently, in Microsoft parlance, 'exclusive partnership' means 'we launched it first' and not 'we inked a deal with Netflix preventing this feature from appearing on the competition's hardware.' All this is good news for PS3 owners who can now sign up to be notified of Netflix availability for their system." -
Uproar Over Netflix's New Instant Viewer
almechist writes "Many Netflix customers are up in arms over the new instant-watch player powered by Microsoft's Silverlight. The official Netflix blog is full of complaints from users who decry not only the new player's quality but also the way it's being distributed, with many claiming they were deceived into downloading it. Once you opt for the new player, the old Windows Media based player won't function, not on any computer associated with the account. The new player is supposedly still beta, but NF members are strongly encouraged (some say tricked) by NF into the so-called 'upgrade,' which is permanent — there is no way to opt out. The marked decrease in video quality seen by those who have switched is perhaps not surprising, since the old player could utilize bit streams up to twice as fast as the new one, but this information is nowhere given out by NF. So far NF has been answering all complaints with variations on 'tough luck pal, you're stuck with it,' but many customers are so disgusted they're ready to cancel their NF membership. This could be a public relations disaster in the making for Netflix." -
Gaming Netflix Ratings?
Nom du Keyboard writes "Not for the first time, I've noticed a new film that hasn't yet even reached the theaters, yet has hundreds of positive votes and/or reviews recorded on Netflix. This time the movie is Inkheart. For a movie that doesn't even hit the theaters until January 23, it already has 428 votes and a rating of 4.3 (out of 5) on Netflix. Seems more than a bit fraudulent to me. Also, it has a review that doesn't even review the movie, but instead says the books are great, therefore the movie should be too. Does the word 'shills' come to mind? With millions spent to promote a movie, are a few hundred of that going to phony voters? Or have that many people actually seen the film and just can't wait to rush home and log onto Netflix to vote? Just what is Netflix's responsibility here to provide honest ratings?" -
Netflix Comes To Tivo, AppleTV, Linux
An anonymous reader writes "Netflix on Tivo is officially out and leaving satellite users out in the cold. Tivo announced today that if you are a subscriber to both services then you can start receiving many Netflix titles on your Tivo for no extra charge. This is only available to subscribers with TiVo HD, TiVo HD XL and TiVo Series3 DVRs. The majority of Tivo's subscribers are probably Series 2 owners and will be forced to 'upgrade' if they want this new service but it won't be that easy for those on satellite. Tivo's current model lineup does not really offer a solution for satellite subscribers. The HD and HD XL are cable only and there is no sign of the Series 3 on their site." Another reader also writes to tell us that "Linux PC and AppleTV users are about to gain the ability to stream Netflix's movies and TV shows directly to their systems. Although Netflix's instant watch service only officially supports Windows and Mac, Boxee expects to release Netflix streaming support to the Ubuntu version of its free A/V media center software within a couple of days, and says that adding Netflix streaming support to AppleTV asap is its top priority." -
Netflix Extends "Watch Instantly" To Mac Users
CNet is reporting that Netflix has opened up its "Watch Instantly" feature to Mac users (here is Netflix's blog entry). They accomplished this by using Microsoft's Silverlight technology on both platforms, abandoning the Windows Media Player solution that had been employed in the first, Windows-only, version. Silverlight's DRM capabilities meet Netflix's needs, apparently. Netflix warns that this is beta software. Mac users can opt in here, then watch instantly with Safari or Firefox 2+, with the Silverlight plugin in place. Movie selection is somewhat limited. -
Netflix Changes Its Mind, Will Keep Profiles Feature
xChange writes "I too was disappointed at Netflix's decision to remove the Profiles feature, and let them know via email and telephone. I was surprised to find the following email in my inbox today: 'You spoke, and we listened. We are keeping Profiles. Thank you for all the calls and emails telling us how important Profiles are. We are sorry for any inconvenience we may have caused. We hope the next time you hear from us we will delight, and not disappoint, you.' I thought that it sounded too good to be true, and went to their blog to confirm, finding this entry. Netflix decided to listen to its customers, and keep a feature that many of us find essential for our use of their service. I am surprised, and very pleased." -
Netflix To Eliminate Profiles Feature
Donald Burr of Borg writes "One of my favorite features of Netflix, the video-rental-by-mail service, is 'profiles.' Profiles lets you create 'sub-accounts' for your friends/family, so that they can share in the video rental love. Each profile gets his/her own Netflix queue that he/she can manage with their own login/password. You can divide up how many movies get sent to you vs. the other profiles under your account. E.g. if you have a 6-out-at-once plan, you can choose to get 3 movies at a time, and have 3 other profiles each receive 1 movie. Unfortunately, the fun stops September 1, at which point Netflix is, for unknown reasons, going to terminate this feature. Why? To '...help us to continue to improve the Netflix website for all our customers.' Improvement indeed." -
How Private Are Sites' Membership Lists?
Slashdot contributor Bennett Haselton has written an essay on a subtle privacy issue affecting many websites (including Slashdot!). He says "Suppose your girlfriend called up Match.com and said, 'I think my boyfriend might be cheating on me. His e-mail address is joeblow - at - aol - dot - com. Can you tell me if he's a member?' And Match.com phone support told her, 'Why, yes, he is a member. You'd better have a talk with him.' After you had gotten over the guilt of getting caught -- I mean, the guilt of cheating -- would you not feel like Match.com had violated your privacy by telling a third party that you were a member?" Keep reading to see what he's getting at and to decide if and when it's a problem.
Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site, should be something that the site designer should take into account.
I'm not even saying that it should necessarily be considered a security hole in most cases, just that it should be something that the site designers decide whether or not they want to permit it -- not something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more bang for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fails, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account and didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
Netflix, eBay and PayPal also responded to say that they had monitors in place to detect "suspicious" activity, saying that even in cases where the forms did not require a Turing test, they could dynamically detect if someone were using a script to submit the form over and over to harvest data, but they declined to go into more detail. It seems to me this could work for forms that require you to be logged-in, but not for forms that don't. For example, on the Netflix new user page, how would they detect if it's the same person submitting e-mail addresses over and over again? Not by IP address -- you can use Tor and farms of open proxies scattered across the Internet to make it appear as if you're coming from lots of different IP addresses. However, consider the PayPal add-a-new-email-address form. This form does not require a Turing test, and does give you an error message if you try to add an address associated with another account. At first I thought this might be a loophole that an attacker could use to find all the PayPal users in a long list of addresses, but PayPal told me that if you do this enough times under the same account, eventually you will hit a limit where the form starts requiring a Turing test. I never got high enough to hit that limit. However, in this case the "dynamic detection" could actually work -- because you can only perform this action while logged in, and after you hit the limit, to continue testing more addresses would require another PayPal account -- and creating additional throwaway PayPal accounts does require a Turing test for each one. So I'll take their word for it that that attack is blocked, although, it seems to me it would be easier just to require a Turing test on the add-a-new-address page.
On the other hand, perhaps in the case of a site like Netflix, it's not something that users really need to worry about, if the company has no problem with it. Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox. Now, a spammer can take a list of addresses and run them through the form to find out who is a Netflix customer, and then spam those users trying to lure them to a competing service -- but that's Netflix's problem, not ours, isn't it? (Well, it's our problem that we get the spam. But without using this attack, the alternative was that the spammer was just going to spam everybody on their list anyway, so by that argument, this attack actually results in less spam all around!)
Except... perhaps an attacker could try the third type of attack, a phishing attack to get people's Netflix usernames and passwords, but not in order to compromise their Netflix account, rather to see if the person has an account with the same password at eBay or PayPal. Perhaps a user would be wary of a PayPal phish since they see so many of them, but they might fall for a Netflix one -- although then the attacker's success would be limited to people who had Netflix and PayPal accounts, and were using the same password for them both...
So it seems to me it's not obvious when this should be considered a problem. (All of the sites mentioned in this article were e-mailed about this issue months ago, and so far none of them considered it a serious enough threat to block all three of the avenues of attack listed above.) If abuse of this type becomes common, perhaps eventually these "queryable membership lists" will come to be considered in the same way as open mail relays -- which were never considered a glaring security hole, but were abused in ways that triggered a shift in people's thinking that got them to be gradually phased out, going from open relays being the default standard up to the early 90's, to the point where many ISPs today prohibit customers from running them. Maybe "queryable membership lists" will start to be abused more, if anti-spam technologies get smart enough that spammers can't send 1 million messages at a time any more and have to limit themselves to, say, 100,000 messages at a time to get through people's filters, so they have to pick which 100,000 of their addresses they could get the most value out of. Or maybe things will go in a completely different direction and this will never become a problem. I just think that, for now, we should be aware that some form of this trick works on the majority of sites that require an account, and the types of abuses described are at least possible.
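The three probes listed in the essay (signup, change-address, forgot-password) and its second countermeasure (the browser sees the same message either way; the real answer goes to the mailbox), as an added example that is not part of Bennett Haselton's essay and models no real site's forms. The member list, the candidate addresses and every response string below are constructed for illustration:

```python
"""Membership-oracle probe against three account forms, leaky and hardened.
Added example: the site, addresses and messages are constructed, not any real
service's forms."""
from collections import defaultdict
from functools import partial


class LeakySite:
    """The three forms from the essay. Each answers differently for members
    and non-members, so each one is a yes/no membership oracle."""

    def __init__(self, members, outbox):
        self.members = set(members)
        self.outbox = outbox  # list of (recipient, subject); stands in for the mail server

    def signup(self, email):
        if email in self.members:
            return "That e-mail address is already associated with an account."
        self.outbox.append((email, "Confirm your new account"))
        return "Check your inbox to confirm your registration."

    def change_email(self, logged_in_as, new_email):
        if new_email in self.members:
            return "That e-mail address is already associated with an account."
        self.members.discard(logged_in_as)
        self.members.add(new_email)
        return "Your e-mail address has been updated."

    def forgot_password(self, email):
        if email not in self.members:
            return "No account is associated with that address."
        self.outbox.append((email, "Reset your password"))
        return "A password reset link has been sent."


class HardenedSite(LeakySite):
    """Same forms, but the browser gets one fixed message per form either way
    and the distinguishing message goes to the mailbox (the essay's second
    countermeasure). Both branches do the same work, so length and timing match."""

    def signup(self, email):
        if email in self.members:
            self.outbox.append((email, "You already have an account; use password reset"))
        else:
            self.outbox.append((email, "Confirm your new account"))
        return "Check your inbox to confirm your registration."

    def change_email(self, logged_in_as, new_email):
        # Nothing changes until the owner of new_email follows the link; if the
        # address is already taken, its owner is notified instead.
        if new_email in self.members:
            self.outbox.append((new_email, "Someone tried to attach your address to another account"))
        else:
            self.outbox.append((new_email, "Confirm your new e-mail address"))
        return "Check the new address for a confirmation link."

    def forgot_password(self, email):
        if email in self.members:
            self.outbox.append((email, "Reset your password"))
        else:
            self.outbox.append((email, "A password reset was requested, but no account exists"))
        return "If that address has an account, a reset link has been sent."


def probe(form, candidates):
    """Attacker's side: submit every candidate to one form and group the addresses
    by the visible response. Two or more groups means the form is an oracle; one
    address known not to be a member tells the attacker which group is 'no'."""
    groups = defaultdict(list)
    for email in candidates:
        groups[form(email)].append(email)
    return dict(groups)


def is_oracle(form, candidates):
    return len(probe(form, candidates)) > 1


# Constructed membership list and attacker address list (not real data).
MEMBERS = {"alice@example.com", "carol@example.com", "mallory@example.com"}
CANDIDATES = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def demo():
    """Probe every form of both sites; True means the form leaks membership."""
    results = {}
    for name, cls in (("leaky", LeakySite), ("hardened", HardenedSite)):
        site = cls(MEMBERS, [])
        results[f"{name}_signup"] = is_oracle(site.signup, CANDIDATES)
        results[f"{name}_reset"] = is_oracle(site.forgot_password, CANDIDATES)
        # The attacker's own account (mallory) drives the logged-in form.
        results[f"{name}_change_email"] = is_oracle(
            partial(site.change_email, "mallory@example.com"), CANDIDATES)
    return results


if __name__ == "__main__":
    for form, leaks in sorted(demo().items()):
        print(f"{form:24} {'leaks membership' if leaks else 'no leak'}")
```

The example implements only the mailbox countermeasure because, as the essay notes, a Turing test by itself slows bulk sifting but still answers one address at a time. The probe groups addresses by whatever the client can observe, so a real deployment has to make the HTTP status, response size and response time match across both branches as well as the message text; that is why each hardened form sends exactly one e-mail on either path.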
-
How Private Are Sites' Membership Lists?
Slashdot contributor Bennett Haselton has written an essay on a subtle privacy issue affecting many websites (including Slashdot!) He says "Suppose your girlfriend called up Match.com and said, "I think my boyfriend might be cheating on me. His e-mail address is joeblow - at - aol - dot - com. Can you tell me if he's a member?" And Match.com phone support told her, "Why, yes, he is a member. You'd better have a talk with him." After you had gotten over the guilt of getting caught -- I mean, the guilt of cheating -- would you not feel like Match.com had violated your privacy by telling a third party that you were a member?" Keep reading to see what he's getting at and to decide if and when it's a problem.Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site, should be something that the site designer should take into account. 
I'm not even saying that it should necessarily be considered a security hole in most cases, just that it should be something that the site designers decide whether or not they want to permit it -- not something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more band for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fail, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account but I didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
How Private Are Sites' Membership Lists?
Slashdot contributor Bennett Haselton has written an essay on a subtle privacy issue affecting many websites (including Slashdot!) He says "Suppose your girlfriend called up Match.com and said, "I think my boyfriend might be cheating on me. His e-mail address is joeblow - at - aol - dot - com. Can you tell me if he's a member?" And Match.com phone support told her, "Why, yes, he is a member. You'd better have a talk with him." After you had gotten over the guilt of getting caught -- I mean, the guilt of cheating -- would you not feel like Match.com had violated your privacy by telling a third party that you were a member?" Keep reading to see what he's getting at and to decide if and when it's a problem.
Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site, should be something that the site designer should take into account.
I'm not even saying that it should necessarily be considered a security hole in most cases, just that it should be something that the site designers decide whether or not they want to permit it -- not something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more bang for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fails, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account but I didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
Netflix, eBay and PayPal also responded to say that they had monitors in place to detect "suspicious" activity, saying that even in cases where the forms did not require a Turing test, they could dynamically detect if someone were using a script to submit the form over and over to harvest data, but they declined to go into more detail. It seems to me this could work for forms that require you to be logged-in, but not for forms that don't. For example, on the Netflix new user page, how would they detect if it's the same person submitting e-mail addresses over and over again? Not by IP address -- you can use Tor and farms of open proxies scattered across the Internet to make it appear as if you're coming from lots of different IP addresses. However, consider the PayPal add-a-new-email-address form. This form does not require a Turing test, and does give you an error message if you try to add an address associated with another account. At first I thought this might be a loophole that an attacker could use to find all the PayPal users in a long list of addresses, but PayPal told me that if you do this enough times under the same account, eventually you will hit a limit where the form starts requiring a Turing test. I never got high enough to hit that limit. However, in this case the "dynamic detection" could actually work -- because you can only perform this action while logged in, and after you hit the limit, to continue testing more addresses would require another PayPal account -- and creating additional throwaway PayPal accounts does require a Turing test for each one. So I'll take their word for it that that attack is blocked, although, it seems to me it would be easier just to require a Turing test on the add-a-new-address page.
On the other hand, perhaps in the case of a site like Netflix, it's not something that users really need to worry about, if the company has no problem with it. Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox. Now, a spammer can take a list of addresses and run them through the form to find out who is a Netflix customer, and then spam those users trying to lure them to a competing service -- but that's Netflix's problem, not ours, isn't it? (Well, it's our problem that we get the spam. But without using this attack, the alternative was that the spammer was just going to spam everybody on their list anyway, so by that argument, this attack actually results in less spam all around!)
Except... perhaps an attacker could try the third type of attack, a phishing attack to get people's Netflix usernames and passwords, but not in order to compromise their Netflix account, rather to see if the person has an account with the same password at eBay or PayPal. Perhaps a user would be wary of a PayPal phish since they see so many of them, but they might fall for a Netflix one -- although then the attacker's success would be limited to people who had Netflix and PayPal accounts, and were using the same password for them both...
So it seems to me it's not obvious when this should be considered a problem. (All of the sites mentioned in this article were e-mailed about this issue months ago, and so far none of them considered it a serious enough threat to block all three of the avenues of attack listed above.) If abuse of this type becomes common, perhaps eventually these "queryable membership lists" will come to be considered in the same way as open mail relays -- which were never considered a glaring security hole, but were abused in ways that triggered a shift in people's thinking that got them to be gradually phased out, going from open relays being the default standard up to the early 90's, to the point where many ISPs today prohibit customers from running them. Maybe "queryable membership lists" will start to be abused more, if anti-spam technologies get smart enough that spammers can't send 1 million messages at a time any more and have to limit themselves to, say, 100,000 messages at a time to get through people's filters, so they have to pick which 100,000 of their addresses they could get the most value out of. Or maybe things will go in a completely different direction and this will never become a problem. I just think that, for now, we should be aware that some form of this trick works on the majority of sites that require an account, and the types of abuses described are at least possible.
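The three probes and the two countermeasures the essay describes, as an added example (this is illustration code, not code from the essay or from any of the sites it names). It models a leaky site, whose signup and password-reset pages answer differently for registered and unregistered addresses, next to a hardened one that shows the same on-screen message either way, moves the distinguishing text into the e-mail it sends, and, for the logged-in change-address form, demands a Turing test after a fixed number of attempts per session, in the manner the essay reports for PayPal. The membership list, the threshold of three attempts, and the message strings are constructed assumptions. The `harvest` function is the attacker's side of the exchange: it classifies an address as a member only when the site's response differs from its response to an address that is certainly not registered.

```python
"""Account enumeration via form responses: leaky vs. hardened handlers.

Added example. The member list, threshold and messages below are constructed
for illustration; nothing here is the code of any site named in the essay.
"""
from dataclasses import dataclass, field

MEMBERS = {"alice@example.com", "joeblow@aol.com"}  # constructed membership list
CAPTCHA_AFTER = 3  # assumed per-session attempts before a Turing test is demanded


@dataclass
class Leaky:
    """Answers differently depending on whether the address is registered."""
    members: set = field(default_factory=lambda: set(MEMBERS))

    def signup(self, email):
        if email in self.members:
            return "That e-mail address is already associated with an account."
        return "Check your inbox for a confirmation message."

    def reset_password(self, email):
        if email not in self.members:
            return "No account is associated with that e-mail address."
        return "A password-reset link has been sent to your address."


@dataclass
class Hardened:
    """Same on-screen message either way; the distinguishing text goes by e-mail.

    The logged-in change-address form still answers per address, but stops
    after CAPTCHA_AFTER attempts in one session until a Turing test is passed.
    """
    members: set = field(default_factory=lambda: set(MEMBERS))
    outbox: list = field(default_factory=list)    # simulated outgoing mail queue
    attempts: dict = field(default_factory=dict)  # per-session attempt counters

    def signup(self, email):
        # The mail says "already registered" or carries a confirmation link;
        # the browser sees one message regardless.
        notice = "already-registered notice" if email in self.members else "confirmation link"
        self.outbox.append((email, notice))
        return "Check your inbox for a confirmation message."

    def reset_password(self, email):
        if email in self.members:
            self.outbox.append((email, "password-reset link"))
        return "If that address is registered, a reset link has been sent to it."

    def change_email(self, session, new_email, captcha_ok=False):
        n = self.attempts.get(session, 0) + 1
        self.attempts[session] = n
        if n > CAPTCHA_AFTER and not captcha_ok:
            return "Please complete the Turing test to continue."
        if new_email in self.members:
            return "That e-mail address is already associated with another account."
        return "Check your inbox to confirm the new address."


def harvest(service, candidates):
    """Return the candidates the on-screen responses reveal as members.

    Baseline responses are taken for an address that is certainly unregistered;
    any candidate whose responses differ from the baseline is a member.
    """
    probe = "probe-not-a-member@invalid.example"
    baseline = (service.signup(probe), service.reset_password(probe))
    found = set()
    for email in candidates:
        if (service.signup(email), service.reset_password(email)) != baseline:
            found.add(email)
    return found
```

Run `harvest` against `Leaky()` and it returns exactly the registered addresses in the candidate list; against `Hardened()` it returns nothing, because the two anonymous forms are indistinguishable from the browser. Two caveats worth keeping in mind: a uniform message is only uniform if both branches also take about the same time, so the mail should be queued rather than sent inline before the response goes out; and the hardened change-address form is left deliberately answerable one address at a time, exactly the residual exposure the essay accepts for PayPal, so a site for which single lookups matter (the essay's Match.com case) needs the e-mail-side notice on that form as well.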
-
Build a Better Netflix, Win a Million Dollars?
An anonymous reader writes "In a quest to better movie recommendations, Netflix is opening their database (nytimes, registration and first child required) to users to try to craft a better recommendation technology. The problem is not easy. Says one researcher: 'You're competing with 15 years of really smart people banging away at the problem.'" Recommender systems are really an interesting problem, and that is likely very interesting data to play with. -
Slashback: DRM, MPAA, ADSL
Slashback tonight with a response from Sony that removes the DRM 'rootkit' that has caused so much commotion, more hijinks from the MPAA, continued battery advancement, a followup to the UK broadband plan that had so many Americans drooling, a catch in the recent Netflix settlement, and continued financial trouble for Silicon Graphics. Details on these stories and more, below.
It's not evil, but just in case... gmr2048 writes "Sony seems to have heard the commotion. They have offered a "Service Pack" to uninstall the DRM Rootkit. From the announcement: 'This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.'"
Obviously they have never heard the adage about deep pockets. Dieppe writes "The MPAA is at it again. This time they're suing a grandfather who didn't cave into the $4,000 blackmail offer for movie downloads his grandson downloaded from iMesh. Four movies in total, and they already owned 3 out of 4 with the grandson deleting them soon after download. This time the MPAA wants "as much as $600,000" in damages. The article also claims that "illegal downloading" costs the industry $5.4 billion per year. Not sure where the MPAA comes up with these figures."
Longer life and no charge time. It doesn't come easy writes "A press release from A123Systems announces another new lithium-ion battery technology that promises to deliver unprecedented performance (according to them). The technology is supposed to deliver 10 times the cycle life and 5 times the power over conventional lithium technology, and only require 5 minutes to recharge to 90% capacity. This is certainly not the first breakthrough for lithium based batteries that has been promised. I wonder if there is a patent lawsuit in the making?"
Fast net connection, but only if you live nearby. conJunk writes "The BBC is running an article about the ADSL2+ that touted a 24MB/s net connection. It seems that this number in fact only holds up if you live across the street from the service provider."
Always read the fine print. JeremyWall writes "The recent Netflix class action settlement has a catch. While it is nice that the average subscriber will be upgraded for one month for free, if you read the fine print in section 4.2 of the long form [PDF Warning] of the settlement you find that you will be automatically charged for the higher subscription going forward. If you don't opt back out when you get their email, you are gonna get charged from then on. If you opt in for the settlement - check your email box regularly!"
Know when to hold and know when to fold. psykocrime writes "According to a recent press release SGI stock has been delisted by the New York Stock Exchange, as a result of falling below the NYSE's minimum share price." SGI, the former darling of the high-tech world, has been in trouble for a while, perhaps this is really the end.
-
Leaked Screenshots Show Netflix Downloads
Mike1024 writes "US DVDs-by-post company Netflix appears to be planning a service that will let users download movies over the internet. Hackingnetflix.com has some accidentally-revealed screenshots, and the Netflix jobs page includes a product manager position, saying "The Electronic Delivery Service (EDS) will augment Netflix's current DVD delivery model with high quality movies delivered to consumers' home TVs through the Internet, on a subscription basis". Apple's iTunes demonstrated many people are willing to live with some DRM and hardware/vendor lock-in." -
Apple Claims Ownership of Shareware
T-Dub writes "Cricket Media recently released 'Netflix Fanatic', an OSX based shareware app that lets you manage your rental queue without logging on to Netflix. An article on Think Secret reveals the reason behind its mysterious disappearance. Apparently the developer's employer, Apple, has claimed ownership over the application's name and source code. The developer claims that under Section 2870 of the California Labor Code this is illegal. The law states that if a company has an employment agreement with provisions saying employees must assign the rights of their inventions to their employer, those sections do not apply if the employee developed it on his or her own time, without using the employer's equipment, supplies, facilities, or trade secret information. Within Apple, there's unsubstantiated speculation that Apple wants to include the Netflix Fanatic code in a new version of Sherlock." Also, they're presumably not too worried with employee morale. -
Wal-Mart Enters NetFlix's Business
wcbrown writes "AP reports that Wal-Mart is entering into the online DVD rental arena, currently dominated by Netflix. Wal-Mart is starting out with 13,000 titles, six distribution centers, and competitive pricing. With a seriously tremendous infrastructure and expansive will, Wal-Mart stands poised to overtake Netflix. To say the least, that's not going to be good for business." -
Slashback: TIPS, FatWallet, MPlayer
Slashback with words on the demise of TIPS, MPlayer's newest add-in, Revolution OS on DVD, Wal-Mart blinking first in their fight with FatWallet, and more. Read on for the details.
Facts is facts, Ma'am. joebeone writes "WalMart has backed down [AScribe.org] from its DMCA claim in the FatWallet case[1] after FatWallet countered that facts are uncopyrightable (at least in the US). Let this be a lesson to those who would use the DMCA to unjustly intimidate websites into removing content. I definitely think that Boalt Hall's Samuelson Law, Technology and Public Policy Clinic deserves some major credit for sticking up for the little guys who don't have the litigatory resources that companies like WalMart have.
[1] WalMart claimed that their day-after-thanksgiving sale prices were copyrightable."
Maybe they just changed the drop location. An anonymous reader writes "There was one small ray of light in the Homeland Security Act. A provision inserted in the bill killed the Justice Department's TIPS initiative. You'll recall that TIPS was the DoJ's proposal to create a domestic spy network using ordinary citizens. And I was hoping to join up and inform them that John Ashcroft wears women's underwear. Oh well ..."
Best way to play back "L.A. Confidential." An anonymous reader writes "The best media player for *nixes, MPlayer, has just gotten better with the ability to play Windows Media Player 9 (WMV9 and WMA9) files. When Sorensen playback was added the only remaining codecs were the Window Media Player ones. Now that this is complete, Linux finally seems to have a complete solution for multimedia playback. It just remains for the mainstream distros to include this gem."
Measure three or four times at least, cut once. jdevons writes "The Owner-Builder Book that I reviewed a while ago has been updated. The author reads slashdot regularly and included many of the ideas and suggestions offered in the slashdot comments ..."
Jeff, Rob and Chris in their Hollywood makeup. updog writes "The film Revolution OS, which has been discussed on Slashdot here and here, is now available on DVD at Netflix (btw, it's interesting to note that this Netflix version is sub-licensed under the guise of pay-per-view television, and the director J.T.S. Moore wasn't even aware of its existence until recently.)
A 2 Disc Special Edition DVD will be available in January 2003, and will include additional interviews, bonus material, and better video quality over the Netflix version. You can make sure that you're notified when it's released by requesting info here. Finally, I've written a review of the Netflix version of the DVD, which you can read here."
Next year's stocking stuffer, maybe? An anonymous reader writes "nvmax.com is running a story/press release explaining how Dynamism.com is teaming up with the Zaurus Open Source development community to bring the Sharp Zaurus SL-C700 to English!. I need to get one!"
What I want is C-64 style Aztec. retro128 writes "For all of your old schoolers out there, Tierra Entertainment has released a re-make of King's Quest II, which includes original art, completely redone music, and a few extra things not seen in the original game (some early screen shots hinted at a town, which did not exist in the original). What's remarkable is that Tierra has no affiliation with Sierra whatsoever, and is driven by two developers who wish to remain anonymous. I've played their re-make of KQ1 and it's up to snuff. Check out the main page or go straight to the good stuff."
-
Snail Mail Still Winning The Bandwidth War
LR_none writes "Today's New York Times has this short piece suggesting snail mail is the leading broadband technology, at least for video movies on demand. The article states that the 8 to 9 gigs of data on a DVD would take two weeks to download at 56kb, making Netflix' three-day distribution by mail seem speedy. (Since they can send three or more movies at once, Netflix compares favorably with DSL download speeds, too.) The author estimates Netflix alone distributes 1,500 terabytes a day, which is impressive considering the Internet carries 2,000TB a day (by estimates cited in the article). The 'immediate gratification' aspect of Internet consumerism has given a huge boost to companies like FedEx and UPS, but it's surprising to think of the post office as being the leading infrastructure provider for digital entertainment, in terms of market share and efficiency, for the foreseeable future. (Disclaimer: I don't work for Netflix or the post office.)" -
Open-Source "Ratings & Recommendations" Software?
The Llama King asks: "Our group has an interesting idea for being able to rate different items, then receiving preferences for similar items, a feature found at sites such as NetFlix and Amazon. Unfortunately, we have big ideas and a small budget. I've searched high and low for an open-source version of this kind of algorithm, with no success. Are there any out there worth compiling?" Update: 05/16 10:30PM EDT by C: As it turns out, Jamie has some words on the subject; click below for more.
In an email from co-editor Jamie:
"I researched this stuff for a possible project some years back. Not much has changed.
There isn't any open-source code out there that I know of, but, people have been writing masters' theses and dissertations about it for several years now. They can go search the literature if they're really interested. But there isn't just a perl module you can install to get this stuff...yet.
You should probably try these search terms:
- 'recommender system'
- 'recommendation system'
'FireFly' is another one -- that was the name of some (fairly successful) recommendation software which was purchased by our favorite innovator, Microsoft, three years ago and repackaged as (surprise!) 'Passport.'
[And for those interested]... here's a promising link.
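For readers who want to see what the "perl module you can install" would have to do, here is the classic user-based collaborative filter in a few dozen lines, as an added example (not code from Netflix, Amazon, FireFly or anything linked above). Each user is a vector of ratings; similarity between two users is the cosine of the angle between their vectors over the items both have rated; an unseen item is scored by the similarity-weighted average of the nearest neighbours' ratings. The ratings table is constructed, and the neighbourhood size `k` and result count `n` are arbitrary defaults.

```python
"""Minimal user-based collaborative filtering (cosine similarity over ratings).

Added example; the ratings below are constructed for illustration and the
parameters k and n are arbitrary defaults, not values from any real system.
"""
from math import sqrt

# constructed ratings: user -> {item: rating on a 1..5 scale}
RATINGS = {
    "ann":  {"Alien": 5, "Heat": 4, "Amelie": 1},
    "bob":  {"Alien": 4, "Heat": 5, "Se7en": 4},
    "cara": {"Amelie": 5, "Heat": 2, "Notting Hill": 4},
    "dan":  {"Alien": 5, "Se7en": 5},
}


def cosine(a, b):
    """Cosine similarity of two rating dicts, computed over co-rated items only.

    Users with no item in common get similarity 0, so they never contribute.
    """
    common = set(a) & set(b)
    if not common:
        return 0.0
    dot = sum(a[i] * b[i] for i in common)
    norm_a = sqrt(sum(a[i] ** 2 for i in common))
    norm_b = sqrt(sum(b[i] ** 2 for i in common))
    return dot / (norm_a * norm_b)


def recommend(user, ratings=RATINGS, k=2, n=3):
    """Rank items `user` has not rated by the k most similar users' ratings.

    Each candidate item's score is the similarity-weighted mean of the
    neighbours' ratings for it; items nobody in the neighbourhood rated
    are not recommended at all.
    """
    me = ratings[user]
    neighbours = sorted(
        ((cosine(me, ratings[u]), u) for u in ratings if u != user),
        reverse=True,
    )[:k]
    scores, weights = {}, {}
    for sim, u in neighbours:
        if sim <= 0:
            continue
        for item, r in ratings[u].items():
            if item in me:
                continue  # already rated; nothing to recommend
            scores[item] = scores.get(item, 0.0) + sim * r
            weights[item] = weights.get(item, 0.0) + sim
    ranked = sorted(((scores[i] / weights[i], i) for i in scores), reverse=True)
    return [item for _, item in ranked[:n]]
```

With the table above, `recommend("ann")` yields `["Se7en"]`: her nearest neighbours are dan and bob, both of whom rated it highly, and it is the only title she has not seen that either of them has. Real deployments differ mainly in scale (sparse matrices, precomputed item-item similarities) and in mean-centring each user's ratings before comparing them, which this version omits.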