Hacking Web Services
siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."
If Dr Dobbs was slashdotted, it might be understandable. As it is, you're just being an asshole.
Best Slashdot Co
I know that someone has been hacking google for the past few years about once a week. Always changing the google logo(jk). I guess google is just powerless to protect themselves
from the article: "If you have any kind of rating, people go to all kinds of trouble to get that rating in an illegitimate way,"
hmm. sounds like they're describing karma whores
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Why on earth does this guy call "violating security" of web services "hacking?" I read this article expecting to hear about some nuanced application hacks for XSLT or SOAP or general "Web Services" not a security "lookout!" article. This should be filed in the "no shit" department. If you leave a service open which can be connected to, be it a socket or a web form, somebody will start passing data to it to see what works and doesn't work.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
at least according to the yahoo guy.
my personal site (which is) grabs headlines and quotes from yahoo for my personal use using a perl script. solution? simple.
yahoo (like the record companies) should provide a resource for me to get this text cheaply (and quickly), and i'll pay them for it. the demand is there. basic economics dictates that people provide a supply.
now, i understand they are talking about thieves, on the whole, but it seems easy enough to track massive hits from another server and then to block it. i mean, it's 2002. let's fix these problems.
go get it
The IEEE Symposium on Security and Privacy is one of the longest-running forums on this topic and is well worth being aware of. The papers for the 2002 session are on CD-ROM; so is a compilation of those from 1980-1999...
How should they then go about dealing with those who abuse the system?
It's easy to raise complaints (though I'm not sure I agree with you on 1 & 2). Unless we can come up with better solutions, we will have to live with the solutions you complain about...
What do you know I wrote a novel
He's not relying upon obscurity, but it IS a tactic. You don't put a whiz-bang safe in your house that holds $1M and then advertise it in the newspaper. Your safe IS secure, right? And the mass account creation anecdote was in humor ...
Interestingly enough, by copy-and-pasting the whole text of this story from Dr. Dobbs to Slashdot, you have unwittingly done one of the more common "hacks" that Udi Manber describes as being dangerous. Information stealing is easy to do, and sometimes doesn't even feel like it's a crime.
Congratulations for illustrating his points so directly.
--Mid
You said that you were doing it for personal use. His problem is with people who do it, and then re-sell it, or give it away, to the world.
Best Slashdot Co
Your characterization of him as a "world-class sleazeball" seems to be unwarranted. In response to point #1, did you not read the explanation that immediate publication of his countermeasures would cause harm to Yahoo? Security through obscurity is not a permanent fix to any problem, but in the short term it is preferable to openness if there are no better alternatives available.
As for point 2, I'm quite certain that his quip about distributed computing was in jest.
Finally, regarding your third point, why shouldn't he attempt to protect Yahoo's content? I'm certainly not going to give you root access to my server; does this mean I'm attempting to "Balkanize the web"?
The guy freely admitted that he was using obscurity to thwart the crackers. Of course, he isn't claiming to have a secure system.
I don't practice what I preach because I'm not the kind of person that I'm preaching to.
Yahoo's problems are massive, and I think it's good that at least SOME people at Yahoo realize it, even though I'm still not convinced they are aware of the full scale of the problem.
After all, if you chat with Yahoo's service, you're eventually going to be booted off by another user. Some of the methods users use to exploit the system and kick off other users are clever, some are not so clever.
One method involves running a program easily downloaded off of the internet and typing in the desired victim's name. It's your basic "Punter". Some of the programs available are effective at removing users of Yahoo's Messenger, while a few of the more recent ones do a good job taking out users who use 3rd party Yahoo clients, or even Yahoo's web-based Java client.
These methods of exploitation are half-way understandable, though I don't see why Yahoo hasn't worked to block the attacks in the same way that AOL has with AIM.
The other method, plain old boot-text, is simply unacceptable.
If I were chatting with someone using Yahoo Messenger and they annoyed me, all I would have to do is send them a single URL with an unrealistically long domain name in it, and their Yahoo Messenger will crash. A URL such as www.xxxxx.com with about 400 to 500 X's in the name will work nicely.
It's a relatively simple matter for the end user to set up a personal word-filter on their messenger and block out all occurrences of "www." which effectively makes them invulnerable to this attack, but that is not the issue. The issue is that if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.
Think about it.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Hey, moron, had you *read* the article, you would have noticed the following:
1. He said that he knows "security through obscurity" isn't the answer, but that his methods are so weak that he *knows* they won't stand under scrutiny; they just happen to be the best he's got at the moment. That's called good judgement.
2. You have no sense of humor.
3. His concerns are legitimate; Yahoo! is trying to provide services on the web, and people are *stealing* them. Yahoo! isn't screwing artists out of money, or exploiting third-world children, or screwing their customers; they just want people to engage in reputable transactions. That's how businesses make their money, and why you can spew crap from your personal computer.
Sheesh.
--
I Hit the Karma Cap, and All I Got Was This Lousy
If anonymity disappeared from the web, "a lot of the problems would go away," he said.
That's especially true if you equate users with problems ;-)
But he dismissed legal solutions altogether, saying that measures like anti-spam legislation are completely ineffective. "This has to be solved technically, not legally," he warned. "If we can't solve these problems, we'll see less and less services."
That's a point that is occasionally debated in anti-spam circles. The problem there is that the Internet mail delivery system was designed for the kinds of users we had 25 years ago. Heck, it wasn't until somewhat over 5 years ago that all the MTAs [that mattered] would ship with relaying turned off by default. Looked at from that perspective, it seems like a technical problem... change the delivery system and you make the abuse irrelevant. The problem is, how do you implement such a change? It's not so much a question of designing a new system... I've seen a number of proposals that looked fine. The problem is, how do you get all the mail servers on the net to switch over?
At that point in the debate is where the division usually comes in. Some folks will propose various systems for gradual adoption of new systems (essentially having two delivery systems in place until the new one is widely adopted enough to drop the old), while others pull back at that point. They'll say that spam is a social problem and, as a result, it can't be solved technically. Usually those folks will go on to pursue legislative attempts at a solution. The problem is, the track record of using legislation to solve social problems is nothing to write home about.
If he can come up with a technical solution for Yahoo!, of course, then he is all set. The problem, as he said, was that you only have so much identification information available to you at the server end. That makes it nontrivial to reliably separate the valid users from the rest. The thing is, just how much personal identification information are you comfortable giving to Yahoo! to get a mailbox...?
And when you learn to read headers you'll find that your spam isn't really coming from AOL, Yahoo, Hotmail, etc
I don't know if you're being sarcastic or not, so I'll assume you're not.
1) Yes, this is a form of security through obscurity. However, the methods they use to counter attacks are not intended to make the system more secure, but hopefully to identify those that are abusing it. The actual problems are much more fundamental in nature. You have to weigh the user friendliness of a free and open network, with the fact that a significant number of people would destroy the network if they had a chance. The alternatives were stated in the article. Require actual names and credit card #'s from everyone. However, they don't want to take it to that extreme, so they're forced to use clever tricks to counter the malicious actions of those who only seek to abuse.
2) The distributed computing comment was a joke. The point of asking a user to compute a simple math problem is to trump the bots, not to accomplish any task of economic significance.
3) Obfuscated HTML is possible now, and not too difficult to implement. He could do it if he wanted to, and it would at least slow down the bots. Why not do it? Well, it slows down the connections, and it will break some browsers. So they continue in the name of greater compatibility rather than some locked down browser specific html coding nightmare that creates more problems than it solves. And no, he's not suggesting packetflooding the offender, even if he jokingly implied it. He's looking for a defense that does not involve governmental regulation and does not involve decreasing the openness of the internet.
-Restil
Play with my webcams and lights here
"Oh! somebody stole your credit card number from our database...Sorry...we've been trying to fix that. In the meantime, here's a coupon for a free CD."
The only way to secure a transaction/service is to use physical ID/presense. So go shopping at the mall, and share ideas online. Simple solution to a complex problem.
"Make it by hand, break it by hand"
Perhaps, but I actually know Udi. He teaches an advanced computer science class at the University of Arizona (or at least he did in the mid 90's). In terms of problem solving and cleverness, this guy was high on the list.
For what it's worth, however, I totally failed his class. Way over my head.
You needn't be insulted. Just because having (or doing) a Phd implies cleverness does not mean that lack of a Phd implies lesser intelligence.
he talked about countermeasures instituted against hackers, but doesn't want them openly published (security through obscurity, anyone?)
I'm quite tired of hearing statements like 'company X won't reveal Y; this demonstrates security through obscurity which everyone knows is bad.' Well, it's not! Your statement demonstrates that you can echo the slogans but don't understand what security really means. I strongly encourage you to read a recent Crypto-gram by Bruce Schneier. You cannot apply the principles used for analyzing a mathematical system to all real world security issues.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
people are still registering for massive numbers of accounts. "As far as I can tell, they're just doing it by hand. They're sitting there all day doing it by hand," he said. So he's considering changing the registration test to a simple arithmetic problem. It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.
HAH! That is really clever. Of course there isn't much computing power there, and if Yahoo! did harness it they would resell it and/or generally become sleazy about it, but at first blush, that's pretty funny. He should patent it (ha ha).
I HERD YUO COUD HAXOR ADN CHAT ON TEH INTARWEB? Apparently having to scroll down to read this is less lame than just the above line of caps text.
Karma: Good (despite my invention of the Karma: sig)
I am unsure if here he is saying that anti-spam legislation will be ineffective, or if the "right to spam" should not be outlawed by lawmakers. I would imagine the former is what he meant, since obviously, having the U.S. outlaw spam will do nothing to stop spammers in other countries, and probably do little to stop spammers here in the states either....
Solving the spam problem technically seems to be impossible though. People have been trying to do that forever. I find it very poignant that in the same passage he says that spam could kill off services if it continues to be unstoppable.
---------------rhad
Slashdot needs to interview Natalie Portman.
First, security through obscurity is only dangerous if it is the main line of security. Obscurity can be an important and necessary part of security. For instance, it is not wise to publish the exact configuration of every computer on a network, even though, conceivably, such information might allow some help in keeping the computers secure.
Second, I think the registration procedure for Yahoo! is quite clever. I am much more likely to get crap from a Hotmail account than a Yahoo! account. The use of people to do distributed computing (as was done 200 years ago) is clearly so unreliable that such a statement must be a joke. However, the intent to increase the time necessary to create an account is valid.
The third point is of concern for all of us who wish to have free and unrestricted flow of information. On the other hand, the balkanization of the web is already here, with the help of Microsoft and Macromedia. For instance, bus schedules in Houston are provided on the web with flash introductions and PDF only formats. Why is this necessary for someone who just wants to catch a bus? Yahoo would likely add just a few more useless plugins and extensions to a web already rampant with useless plugins and extensions. To Yahoo's credit, it is one of the few sites that reliably, effectively, and quickly works with all the browsers I have tried (Netscape, Opera, Mozilla, and IE).
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Yahoo!'s problems are no different from those brick-and-mortar retailers have with loss leaders and promotions: if you give something away at a loss, there is a good chance that others will find it profitable to get lots of it and resell it. It's not a security problem, it's a problem with the business model. Welcome to the real world.
Yahoo! may want to continue to bask in the glory of having many millions of users, but if they want stop these problems, all they have to do is charge for all of their services. The choice is really theirs.
Don't get me wrong: I like Yahoo! services and I think it would be great if they continue to be free. But I really worry when Manber uses terms like "theft" and "security" for a problem that has very little to do with "theft" and "security". Fortunately, Manber himself isn't calling for a legal solution, but management and lawmakers may be less understanding of the issues involved.
During hotly contested auctions, some users will mount password attacks on other bidders' accounts an hour before the end of the auction -- not to actually gain access, but merely to trigger a security lockout, thereby ensuring that the legitimate user cannot place last-minute bids.
I realize how ridiculously easy it is to get a new IP address on a dialup system or in a facility where someone has access to many addresses but wouldn't a simple IP block after so many attempts help discourage the casual DoS but still allow the legitimate user access when they come to make their last minute bid?
If not this then what about using a login name which is different from the displayed account name? This way the login name is not available to people viewing a particular account's public details for their use in a DoS. I know this is an added step of complication but may be necessary to eliminate bad side effects.
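The lockout denial-of-service described in the quoted passage and the two countermeasures floated in this comment (throttling by source address, keeping the login name separate from the public display name) can be put into one small defensive sketch. This is an added example for this thread, not Yahoo's code or anything the commenter posted; the `LoginGuard` class, its thresholds, and the sample addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed here. The design point is that failures are counted per (account, source address) and blocks apply only to that pair, so a correct password from the legitimate bidder's own address still succeeds; an account-wide counter catches an attacker rotating addresses, but it steps up verification rather than locking the account.

```python
"""Login throttling that resists lockout denial-of-service (added example)."""
from collections import defaultdict, deque


class LoginGuard:
    """Track failed logins per (account, source_ip) instead of per account.

    - Repeated failures from one address for one account block only that
      pair, so a legitimate user elsewhere is not frozen out.
    - Many failures against one account from many addresses (an attacker
      rotating dial-up IPs) trigger a step-up check on the next correct
      login rather than a hard lock, which would be the attacker's goal.
    All thresholds below are constructed for the example.
    """

    def __init__(self, max_failures=5, window_seconds=600,
                 block_seconds=900, account_step_up=10):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block = block_seconds
        self.account_step_up = account_step_up
        self._pair_failures = defaultdict(deque)     # (account, ip) -> times
        self._account_failures = defaultdict(deque)  # account -> times
        self._blocked_until = {}                     # (account, ip) -> expiry

    @staticmethod
    def _prune(queue, now, window):
        """Drop failure timestamps that fell out of the sliding window."""
        while queue and now - queue[0] > window:
            queue.popleft()

    def is_blocked(self, account, source_ip, now):
        until = self._blocked_until.get((account, source_ip))
        return until is not None and now < until

    def attempt(self, account, source_ip, password_ok, now):
        """Return 'ok', 'ok_step_up', 'bad_password' or 'blocked'."""
        key = (account, source_ip)
        if self.is_blocked(account, source_ip, now):
            return "blocked"
        pair_q = self._pair_failures[key]
        acct_q = self._account_failures[account]
        self._prune(pair_q, now, self.window)
        self._prune(acct_q, now, self.window)
        if password_ok:
            pair_q.clear()
            # Correct password always gets in; heavy account-wide abuse only
            # adds a secondary check (e.g. a challenge), never a lockout.
            if len(acct_q) >= self.account_step_up:
                return "ok_step_up"
            return "ok"
        pair_q.append(now)
        acct_q.append(now)
        if len(pair_q) >= self.max_failures:
            self._blocked_until[key] = now + self.block
            pair_q.clear()
            return "blocked"
        return "bad_password"


def simulate_auction_attack():
    """Single attacker address hammering 'alice' an hour before auction end."""
    guard = LoginGuard()
    attacker, bidder = "203.0.113.7", "198.51.100.20"  # constructed addresses
    results = {}
    for i in range(8):
        results["attacker_last"] = guard.attempt("alice", attacker, False, 1000 + i)
    # Alice logs in from her own address with the right password.
    results["bidder"] = guard.attempt("alice", bidder, True, 1010)
    # The attacker's address stays blocked for that account.
    results["attacker_retry"] = guard.attempt("alice", attacker, False, 1011)
    return results


def simulate_rotating_attacker():
    """Attacker spreads failures over many addresses; owner still gets in."""
    guard = LoginGuard()
    for i in range(12):
        guard.attempt("bob", f"203.0.113.{i}", False, 2000 + i)  # constructed
    return guard.attempt("bob", "198.51.100.9", True, 2020)


if __name__ == "__main__":
    print(simulate_auction_attack())
    print(simulate_rotating_attacker())
```

Keying the block on the (account, address) pair is what keeps the lockout from being weaponised; the comment's observation that addresses are cheap on dial-up is why the account-wide counter is still needed, and why it must degrade to a challenge rather than a lock.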
I have decided to let my yahoo mailbox fill with the spam that they allow. I figure that if they have to pay for the space, storage, and backup of spam for all these accounts, they will eventually figure out that they need to do something.
I only use the account for testing mail from the *outside* world. If they shutoff that account, I will get one from somewhere else. God, I may even break down and open an account on Hotmail...
Quick, help, I may be slipping into the clutches of the M$ beast....
And now for something completely different...
What OS do you want to abuse today?
As for being part of the problem: would he have publicly spoken about security measures that they are taking, sharing and collaborating with the community if he was not trying to be part of the solution? Yes he asked that those in attendance not repeat in open forums these solutions, as that would make them obsolete.
The more we involve the courts in settling our problems, the less individual freedom we have.
In 1998, we had started a company with the sole purpose of proving who is and who is not a robot on line. We developed a range of techniques for detecting bots and stopping spammers -- images, rate limits, statistical techniques, etc.
The two most important techniques were what we called the "Visual Turing Test" and a reapplication of a cypherpunk scheme called HashCash.
The Visual Turing Test is widely used today, it's the image generated with a code that you have to type in. Our technique started with that, but went much further to defeat OCRs by including AI-level questions, such as displaying an image with a dog, a cat, and a horse, with instructions in the image that say "click on the one that is not a house hold pet."
Back then, we ran a free webmail service for people, without ads, using these techniques to stop email spam.
We were a very poor start up, working over a year with no pay. We went to Yahoo and had a meeting with their engineers and biz-dev people, under a *nondisclosure agreement*, we demoed all this anti-spam, anti-fraud technology. We were looking to sell them the scalable image generation server software we wrote, statistical analysis software, and our services, and potentially our patent on these techniques.
Yahoo basically said "not interested" after several meetings, and one yahoo engineer basically said "We could implement this all myself, why do we need you?" We never heard from yahoo again, didn't get any more meetings. But magically, about a year later, we noticed yahoo using our techniques.
Our company was eventually bought by one of those "pay to watch ads" companies, because they had massive fraud of people installing fake clients, and signing up for hundreds of accounts. Unlike Yahoo's fraud problem, these companies were paying out tens of millions of dollars in cash to people who were signing up bogus accounts.
But it still doesn't take away from the fact that Yahoo is a dishonest shark. If it wasn't for the fact that I am morally opposed to using software patents against people (only had one to make our biz plan look good for investors), I would have sued them.
Word to the wise. Don't present your ideas to yahoo as a small startup and expect they will abide by an NDA.
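The HashCash scheme this comment mentions, and the "make them compute something before they can register" idea quoted earlier in the thread, both rest on the same mechanism: the client spends CPU finding a partial hash collision, and the server verifies it in one hash. The following is an added illustration, not the commenter's software or HashCash's reference implementation; the stamp layout (`resource:expiry:nonce:counter`), the difficulty of 16 leading zero bits, and the replay set are choices made for this example.

```python
"""HashCash-style proof-of-work for sign-up throttling (added example)."""
import hashlib
import os


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the 'partial collision')."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource: str, difficulty: int, expires_at: int, nonce: str = None) -> str:
    """Client side: brute-force a counter until the stamp hash has enough
    leading zero bits. Cost grows as 2**difficulty per stamp, which is what
    makes bulk account creation expensive while one sign-up stays cheap."""
    nonce = nonce if nonce is not None else os.urandom(8).hex()
    counter = 0
    while True:
        stamp = f"{resource}:{expires_at}:{nonce}:{counter}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return stamp
        counter += 1


class Verifier:
    """Server side: one hash plus bookkeeping per stamp."""

    def __init__(self, difficulty: int):
        self.difficulty = difficulty
        self.seen = set()  # spent stamps; in production a store with expiry

    def verify(self, stamp: str, expected_resource: str, now: int) -> bool:
        parts = stamp.split(":")
        if len(parts) != 4:
            return False
        resource, expires, _nonce, _counter = parts
        if resource != expected_resource:      # bound to this sign-up form
            return False
        try:
            expires = int(expires)
        except ValueError:
            return False
        if now > expires:                      # stale stamps are rejected
            return False
        digest = hashlib.sha256(stamp.encode()).digest()
        if _leading_zero_bits(digest) < self.difficulty:
            return False
        if stamp in self.seen:                 # each stamp spends once
            return False
        self.seen.add(stamp)
        return True


if __name__ == "__main__":
    # Constructed resource name; 16 bits is about 65k hashes on average.
    stamp = mint("signup@example.test", 16, expires_at=9_999_999_999)
    print(stamp, Verifier(16).verify(stamp, "signup@example.test", now=0))
```

The verifier's three rejections (wrong resource, expired, already seen) are the part people forget: without them a single minted stamp can be replayed across every account an abuser creates, and the work is done once instead of once per account.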
I've met, and worked with, several Phd holders who could best be described as "morons", and whose ability to solve problems was limited to applying their hammer in a manner that presumed that everything is a nail. Again: I have no doubt that there are some brilliant Phd holders (often in exclusive fields however), just as I know that there are some brilliant non-Phd holders, however blanket claiming that one title indicates a superior being is ridiculous, and I'd love to see an intelligence and "cleverness" ranking between Phd holders and general comp. sci. grads.
So it would be a great boon to web services if there were a way to somehow have a way of confirming that a person hasn't already signed up for a service. It'd allow many boards to weed-out their troll population while maintaining an open sign-up. On one forum I was on, the problem was so bad that registration was completely closed then later moved to a pay-only model.
The problem is that I can't see any way to do it without compromising the identities of the people. For example, I don't see a problem with Slashdot knowing that 'Erasmus Darwin' is my only Slashdot account, but I don't want to create a system where they could theoretically share records with another entity and use that to determine my identity there. Perhaps the identity token I provide to Slashdot could be some sort of one-way hash of my identity combined with '@slashdot.org', thereby limiting it to a single area.
One downside of this system is that a government-type institution with a search warrant could use my secret identity information to reproduce my Slashdot token and verify my identity. I don't see any way to prevent the identification from somehow serving to find-out who I am. Still, that theoretically pushes the identification process off to a similar level of difficulty to tracing the user's IP (i.e. Slashdot couldn't do it on its own). Thus, if we pretend that no one uses anonymizing web proxies, it's the same level of anonymity.
Also, there'd be a problem of issuing the secret identity keys. Presumably, this would be handled by the companies that already do encryption/security certificates. That means there'd be a cost associated with such keys, which would turn away a number of people. If only a small percentage of people fork over the $XX/year for a personal identity certificate, most sites won't be able to require their use for signup. Furthermore, it'd be difficult for the issuing agency to verify the uniqueness of each request, especially when we consider that this would have an international audience. I also wouldn't be surprised if some of the countries that have whored out their ccTLDs decided to also start selling their equivalent of SSNs to people interested in extra identities.
Finally, there'd be the issue of identity theft. Having a single, computer-based identity key would be a very tempting target for various malicious programs. If I were an evil spammer type and such an identity system were in place, I'd definitely try and steal as many identities as possible for sign up use.
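The site-scoped token this comment sketches (a one-way function of a secret identity plus the site name) is what is now usually called a pairwise pseudonymous identifier. Below is an added example working through the three properties the comment argues about: a site can detect a duplicate sign-up, two sites cannot link the same person from their tokens alone, and whoever holds the issuer's key (the warrant case) can recompute a token. It is not the commenter's design or any existing identity product; the `Issuer` class, the HMAC construction, and the constructed person identifiers are assumptions made here.

```python
"""Site-scoped identity tokens for duplicate-account detection (added example)."""
import hmac
import hashlib
import os


class Issuer:
    """A hypothetical identity authority holding one master key.

    token = HMAC-SHA256(master_key, person_id || "@" || site)
    Using a keyed MAC rather than a bare hash means a site cannot try
    candidate identities offline; only the issuer can recompute tokens.
    """

    def __init__(self, master_key: bytes = None):
        self._key = master_key if master_key is not None else os.urandom(32)

    def token_for(self, person_id: str, site: str) -> str:
        msg = f"{person_id}@{site}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class Site:
    """A forum that stores only tokens and refuses a second account per token."""

    def __init__(self, name: str):
        self.name = name
        self._registered = {}  # token -> username

    def register(self, token: str, username: str) -> bool:
        if token in self._registered:
            return False  # same person already has an account here
        self._registered[token] = username
        return True


def demo():
    """Walk through the comment's scenario with constructed identities."""
    issuer = Issuer(master_key=b"\x01" * 32)  # fixed key for reproducibility
    slashdot = Site("slashdot.org")
    other = Site("forum.example.test")       # constructed second site

    erasmus_sd = issuer.token_for("person-0001", slashdot.name)
    erasmus_other = issuer.token_for("person-0001", other.name)

    first = slashdot.register(erasmus_sd, "Erasmus Darwin")
    second = slashdot.register(erasmus_sd, "Erasmus Darwin II")  # duplicate
    elsewhere = other.register(erasmus_other, "ed")

    # Recomputation requires the issuer's key; a site holding both tokens
    # sees two unrelated strings (the warrant case goes through the issuer).
    recomputed = Issuer(master_key=b"\x01" * 32).token_for("person-0001", slashdot.name)

    return {
        "first_signup": first,
        "duplicate_signup": second,
        "other_site_signup": elsewhere,
        "tokens_differ_across_sites": erasmus_sd != erasmus_other,
        "issuer_can_recompute": recomputed == erasmus_sd,
    }


if __name__ == "__main__":
    print(demo())
```

The comment's worries survive intact here: uniqueness depends entirely on the issuer checking that `person-0001` is one real person, and anyone who steals the issuer's key, or the per-person secret in a user-held variant, can mint tokens at will.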
I believe that Yahoo's problems can be solved in the complex plane by calculus of residues. Translate the Web Services into equations over the integers, using the obvious mapping from {0,1}-star to the square-free integers, and extend them over the whole complex plane. Take an exponential and premultiply with the Riemann Zeta function, so all your non-trivial roots lie on the critical line. Then integrate using calculus of residues to obtain the eigenmodes of the web service computation. Negative eigenvalues should be investigated, they correspond to exploitable holes in the web services.
I think it's pretty silly to imagine that the solution to spam will be through technology. It would be very hard to differentiate spam and legitimate mailing lists.
And of course a legal solution can work...to the extent that other laws work and are enforceable. Many forms of mail fraud are illegal, but that doesn't mean you won't get mail scams and such sent to you. However it severely reduces the amount that you receive and also determines a path for you or the government to prosecute offenders.
...obviously. ;-)
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
No spam?
You must be really lucky. I get like 40 spams a week. No joke.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
Have the humans do something that machines can't do very well, say image recognition and/or categorization.
A simple "Tell me about this picture" and an associated image and a text box would do. If the text submitted does not match a previously stored description well enough, no deal.
Every one in five or so, put out a new, previously un-cataloged, image and log the description...That would also be an easy way to beef up their image search engine.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
More reason to use sniping software. Hide yourself.
He's not relying upon obscurity, but it IS a tactic.
And it's one I'll bet most systems use somewhere in the process. If you have a password, the security is based on the assumption that only you know it. Once it is publicized -- no longer "obscure" -- it is no longer effective. As long as the obscurity you're relying on is sufficiently difficult to guess, it's effective.
Nope, no sig
So he's considering changing the registration test to a simple arithmetic problem. It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.
I wouldn't get my hopes up. If the calculation he needs is really complex, he should get himself a pocket calculator. I suspect that would be one hell of a lot faster.
Besides, I wouldn't want a bunch of pr0n hounds working out the reentry trajectory of the next-gen space shuttle.
Blearf. Blearf, I say.
I almost went to the site (not because I have any interest in hacking Hotmail) until I saw this post.
dalamcd
moer liek CELtroid prime!!@1!
Just curious. A few months ago the trash folder on my Yahoo mail stopped being automatically emptied. Yahoo support only replies 'your mail account is working correctly'.
I wondered if it was a push for the paid extra space because it increases the likelihood of someone seeing the 'Your mailbox is almost full' message.
In general, I think the Yahoo free stuff is a pretty good service.
Pardon my French, but that is foolish! You would rather hand your credit card to some checkout clerk who turns around and runs it through a machine and "accidentally" does something like press it on carbon copy paper, as opposed to sending it over 128-bit encryption?
The social problem is that we expect strangers to read our emails to them without any verification. This worked great fifteen years ago, but not now.
The solution is for email clients to send simple challenges to unknown senders, like "tell me the sum of three and four and I'll read your mail." I.e., we change our expectations - if we email a stranger, we should expect to spend a few extra seconds introducing ourselves. People stuck in the old mindset don't like this idea, but the old system doesn't work, and this solution would eliminate spam completely, while taking very little user time.
There are a few extra details to take care of to make it a complete solution, but think about it a bit and you can see what to do.
Yeah, if you tell the whole world about the hack, then everyone will know about it, rather than just the hackers.
I don't get it. Exactly what are we protecting here?
In order to get the full story, you have to hang out with the people who commit the crimes, hack the servers, or whatever else people are trying to hide from you. They are very free with their information, unlike the supposed "good guys", who want to make it all proprietary.
Sometimes I truly do wonder who the "black hats" are.
You must be really lucky. I get like 40 spams a week. No joke.
YMMV, but most of my yahoo spam came from 2 allegedly opt-in email promotion companies. following the links at the bottom of the messages stopped the spam.
Well done. You're my nomination for this year's STTBA (Star Trek Technobabble Award).
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
I read the story on Slashdot's front page, and thought "great, an article about creating web services" and thought it would be about .NET XML-RPC type stuff and hacking together some programs that can make use of it, wishfully thinking that someone had written a good article about doing it on Linux. But oh no, someone just doesn't know what the word "hacking" means, and feels they should use it in the wrong way. That just ruined my day ;-)
Follow me
So why not include non-degreed individuals in your rankings as well? If the primary difference between B.S. and Ph.D. computer science people is some combination of time, money and determination acting independently of intelligence and/or cleverness, then those same differences would apply to non-degreed and B.S. people as well, right? It would then similarly apply between B.S. and B.A. folks, or those having an M.S. and a B.F.A.
I don't mean to be obtuse (or a troll), but I have to ask: Is a Bachelor's the point at which you begin ranking intelligence? Why not start at a high school diploma? Why not eighth grade (US)? Kindergarten? At which level can one finally claim the title of a "superior being"? Should society be a meritocracy? Can I be a Webelo without all my badges? If not, am I as smart as a Boy Scout or doomed to be labeled simple for all time?
Not that it matters much to anyone, but I never made it out of Cub Scouts and it's far too late in the game to start caring what everyone else in the den thinks...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
"I've seen Ph.D. level cleverness" - Ph.D. and cleverness are only seen in the same sentence when it's spoken by a Ph.D...
This is not the greatest sig in the world, this is just a tribute.
Sometimes, it's much easier to use information if it's not tied down to a browser page-- perl programmers have been parsing web pages for years. Various versions of Excel can do this as well, importing data from Yahoo! Finance 's stock ticker directly into a spreadsheet. Sherlock (for MacOS) parses search engine results. BioPerl parses NCBI webpages (among others) into sequence data...
Obfuscated code makes this type of activity less useful. The trouble is that most of the services are tied to an archaic, and annoying advertising based model. Sherlock gets around this problem by actually parsing the ads and displaying them to a mac user. But most clients are built not to avoid ads so much as increasing the usability of the data. For some things, web browser interfaces leave a lot to be desired.
Most of the spam you get from hotmail/yahoo/otherbigmailprovider is forged so that spam filters have to either block all yahoo addresses or none at all. The reply-to addresses are either fake, or were just temporarily set up so that a few spams would get through.
:)
Spammers are evil, and lie whenever they can. Esp. in the client-provided "From:" header.
Man, he's never gonna win, he didn't even say "synchronize" or "modulate" ONCE!
Let alone his total lack of quarks, electrons, chronons, glutons, crayons and pigeons.
Sheesh, he should even be DISQUALIFIED 'cause he never *mentioned* the DEFLECTOR ARRAY!
The man of knowledge must be able not only to love his enemies but also to hate his friends.
You left off the end:
...as opposed to sending it over 128-bit encryption to a site whose overworked webmaster left them vulnerable to the credit card hijack hack of the week?
The answer is that they're both more or less risky, depending on the merchant. You choose who to hand over the info to based on their track record.
Your right to not believe: Americans United for Separation of Church and
Shock horror! This can't be true - a *nix server with security holes? But the typical news coverage on /. says that only M$ products have these kinds of flaws.
Hold on - there's a new virus which uses Kazaa to spread itself - I've noticed that since this isn't made by M$, it doesn't get covered by /. - even though there are millions of users that could potentially be affected....
How naive of me to think that /. is completely unbiased - shucks.
You can't get a credit card in my name unless you've managed to get more than my personal information: you've managed to take over my personal home phone number and intercept all telephone calls to me; you've managed to steal all my USPS mail and e-mail; you've managed to forge my signature exactly.
Sorry, but that doesn't happen.
Identity theft is urban folklore and one thief getting very lucky with his social engineering.
That is cruel!
Now that UPS is attempting to charge us for "excessive use" of their web site, we track our competitors' shipments too.
You lying sack of shit, how can you track your competitors' shipments? You need tracking numbers.
Mod down people who tell people how to mod in their sigs
You did...
There is pretty much nothing stopping me from getting cards in her name, if I had her SSN and mother's maiden name. I could put any phone number and address I wanted on the app, and she'd never hear anything about it until I ran up the super-platinum card to 40 grand or so and split.
They wouldn't go calling her house or mailing anything there, they'd only have the info I gave them.
This doesn't raise red flags; for a while, I had two sets of contact info I used for my own cards, and my creditors never questioned it. They didn't know that I had other cards with a different address.
I wouldn't either! That's just wrong!
Well done. You're my nomination for this year's STTBA (Star Trek Technobabble Award).
The sad thing is that it isn't babble. All the words were real.
The sadder thing is that I understood it.
I didn't take enough complex analysis to verify that it's accurate though.
Subject pretty much says it all. I don't think any wise person would disagree if you were to say that the most heinous intellectual crime is one of unfulfilled potential. Whether fulfilling that potential necessarily means a degree or just living a fruitful life is the sticky bit. I know a lot of people that have the societal measure of success yet haven't stretched themselves mentally in the slightest. I know a lot of people that have the piece (or pieces, in at least one case) of paper, but had to work very hard at it because they aren't that bright. I know some who excelled at rote learning, but failed awfully when asked to integrate two concepts into a novel whole. And I know a lot of very bright, certifiably genius-level people who have decided to do and make stuff instead of spend time learning about other stuff that was done and made. If one is lucky, one gets the choice which road to take.
Sad part is, hard economic times bring out the great equalizer: management knows that individuals who have graduated from a certain institution at a certain level have demonstrably performed to a level which guarantees they themselves cannot be faulted for "taking a chance" on a new hire. It's the way things are always going to be, unless you know people. You either have a degree and hotjobs/monster/dice, or no degree but people who know you and know you've done excellent work in the past. Official references don't count, either. I'm talking about people that know you and will hire you because they know what you can do. If you don't fit into either camp, you stand a hard chance of finding a decent job in today's economy.
And BTW, I was agreeing with your earlier post. I currently work at a university. Before that I worked at a high-dollar startup, before that a Fortune 100 company, and before that a university. I don't have a degree, and that is by choice. I've faced a lot of discrimination because of it. However, I've never had trouble finding a good job at any time in the past 13 years, largely because I know people who know me and know what I can do. I know I'm smart, because I'm smart enough to recognize where I fit in what I can do. I'm also smart enough not to care about the ArsDigitas of the world. I guess I have a self-worth that doesn't depend on other people. Which is probably not healthy....
The article is not about (security related to) instant messaging, but e.g. bots signing up for a dozen Yahoo e-mail accounts and using them for spam, people grabbing their stock quotes every five minutes and re-publishing them on their own site, people who do password attacks on auction accounts to trigger a lock-out so that the bidder can't place any new bids during the last hour of the auction, etc.
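The three abuse patterns that comment lists, as an added example that is not code from the article, from Yahoo or from the commenter: toy detectors run over constructed log lines for bulk account sign-ups from one source, a script polling a quote at a fixed interval, and failed-login bursts aimed at locking a specific account. The log format, field names, thresholds, addresses and account names are all assumptions made for this example.

```python
"""Added example (not from the article or the commenter): toy detectors for
bulk sign-ups, periodic scraping and lockout-as-denial-of-service, run over
a constructed log. Format, thresholds and every address/name are assumed."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample log: "<unix_ts> <src_ip> <action> <key>=<target> <result>"
SAMPLE_LOG = """\
1020000000 198.51.100.7 signup acct=mail001 ok
1020000004 198.51.100.7 signup acct=mail002 ok
1020000009 198.51.100.7 signup acct=mail003 ok
1020000013 198.51.100.7 signup acct=mail004 ok
1020000018 198.51.100.7 signup acct=mail005 ok
1020000020 203.0.113.5 signup acct=alice ok
1020000000 192.0.2.9 fetch quote=YHOO ok
1020000300 192.0.2.9 fetch quote=YHOO ok
1020000600 192.0.2.9 fetch quote=YHOO ok
1020000900 192.0.2.9 fetch quote=YHOO ok
1020001200 192.0.2.9 fetch quote=YHOO ok
1020000100 203.0.113.5 fetch quote=YHOO ok
1020000700 203.0.113.5 fetch quote=YHOO ok
1020003000 203.0.113.5 fetch quote=YHOO ok
1020000000 203.0.113.77 login acct=bidder42 ok
1020000500 198.51.100.200 login acct=bidder42 fail
1020000501 198.51.100.200 login acct=bidder42 fail
1020000502 198.51.100.200 login acct=bidder42 fail
1020000503 198.51.100.200 login acct=bidder42 fail
1020000504 198.51.100.200 login acct=bidder42 fail
1020000600 203.0.113.77 login acct=bidder42 fail
"""

def parse(log):
    """Split each line into (ts, src, action, target, result)."""
    events = []
    for line in log.splitlines():
        ts, src, action, target, result = line.split()
        events.append((int(ts), src, action, target.split("=", 1)[1], result))
    return events

def mass_signups(events, limit=3, window=600):
    """Sources that created more than `limit` accounts within `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, action, _, result in events:
        if action == "signup" and result == "ok":
            per_src[src].append(ts)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        # limit+1 sign-ups inside one window is enough to flag the source.
        if any(times[i + limit] - times[i] <= window for i in range(len(times) - limit)):
            flagged.add(src)
    return sorted(flagged)

def periodic_fetchers(events, min_hits=4, max_jitter=2.0):
    """(src, quote) pairs polling at a near-constant interval: a script, not a person."""
    per_key = defaultdict(list)
    for ts, src, action, target, _ in events:
        if action == "fetch":
            per_key[(src, target)].append(ts)
    flagged = []
    for key, times in per_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:   # cron-like regularity
            flagged.append(key)
    return sorted(flagged)

def lockout_abuse(events, limit=5, window=60):
    """(account, src) pairs where a source that never logged in successfully
    fires `limit` failures inside `window` seconds. If the lockout rule is
    keyed on the account alone, this is exactly how a rival locks a bidder out."""
    good_src = defaultdict(set)
    fails = defaultdict(list)
    for ts, src, action, acct, result in events:
        if action != "login":
            continue
        if result == "ok":
            good_src[acct].add(src)
        else:
            fails[(acct, src)].append(ts)
    flagged = []
    for (acct, src), times in fails.items():
        if src in good_src[acct]:
            continue   # the owner mistyping their own password is not an attack
        times.sort()
        if any(times[i + limit - 1] - times[i] <= window for i in range(len(times) - limit + 1)):
            flagged.append((acct, src))
    return sorted(flagged)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("bulk sign-ups:", mass_signups(ev))
    print("scrapers:", periodic_fetchers(ev))
    print("lockout attempts:", lockout_abuse(ev))
```

The third detector carries the design point: a rule that locks an account after N bad passwords, regardless of where they come from, hands anyone who knows a bidder's user name a denial-of-service lever. Throttling or challenging the (account, source) pair, or the source alone, costs the legitimate owner nothing and takes that lever away.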
I'd be tempted to give you any information you wanted, but then I'd probably have to cancel my credit card and go through the bother of changing that in every stupid online store I use.
I'm really just not that impressed with any argument I've heard for the existence of "identity theft". I think it's amusing that I get moderated down as a troll or for flamebaiting, really. It just goes to show that most people on Slashdot can't formulate an argument or rebuttal -- they resort to moderating you down when they disagree.
No it's not!
I got power (a lot of it) but I never dropped my demand for freedom and free food. Please give me food now!
Thank you.
Maybe you'd like a testimonial