Sites Leaking Users' Email Addresses
Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."
All the more reason to register with root@127.0.0.1
All the more reason to have a disposable hotmail account. Only some few personal friends have my "real" email. I've been doing this for years, and never get any spam.
List of all students at Maine Maritime Academy. Directly linked from http://www.mma.edu/ (Academics/Student Schedules on the Java menu)
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Seems like the 'hero hackers' are already working on this...
http://australianit.news.com.au/articles/0,7204,15410901%5E15306%5E%5Enbv%5E,00.html
While we're on the topic of security, here is another bad problem.
When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.
Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.
Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".
Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.
Linux Wireless Hardware in the UK
pros for using email as login:
- guaranteed unique, though you'd be a fool to not have check.
- users forget it slightly less
- you have to send verification/password anyway
cons for using email as login:
After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot, my perl ain't what it should be) to not give the "pick another account name" if a user tries to register an existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertently spamming.
Nothing great was ever achieved without enthusiasm
Aren't you going to be mister popular!?!
Thanks from the spammer geeks that read /. that may not have stumbled across that directory.
Thanks from the students who are probably now going to get a new surge of spam.
My employer has a similar type of directory. I made my point that it was too easy for spammers to collect email addresses. Of course no one believed me. Now everyone at my work complains about spam. The upper admins want a "silver bullet" spam solution and it takes forever for things to get evaluated and approved.
I run a bayesian filter and go about my business.
Keep the Classic Slashdot.
Have you ever allowed your email address to expire, and, if so, did someone else claim your email address and then go to websites asking them to send your passwords to that old email address?
If so, the law offices of James Sokolove would like to help. Please contact us at http://www.jimsokolove.com/contact/.
Note that if you cannot remember your account password at jimsokolove.com, then the law offices of James Sokolove will be happy to send a password reminder to your registered email address.
Thank you, and have a good day.
Another issue I have is that some very popular sites that require registration (MySpace, Xanga, several banking sites, etc) do not do e-mail address validation. Given that I have a very very very 'easy to use' e-mail address with my company (e.g., firstname@reallybigisp.net), I get about 30 registrations per day from people who just enter it in instead of their own for whatever reason. And then I get all of their account updates, "you have 4 new responses to your profile!", etc. If every site with user registrations would use the "please validate your account by going to this url" system, it would save a lot of people like myself a lot of hassle of having to go in and cancel the accounts. That has required me to do things like calling up a bank on the phone and trying to convince them that I'm not really the guy who filled out the web form with the wrong e-mail address, and the guy who did really doesn't own that e-mail address. After about 20 minutes of arguing I can finally get those taken care of.
Off Topic but didn't know where else to post. Slashdot, you might want to think about doing a case insensitive string comparison against the image's text and the user's text on your new Human Verification thing you have going. My validation string was displayed in the image in ALL CAPS, but until I entered it in the box in lowercase, it wouldn't let me post.
My experience has been that if I keep an email address away from the web, and never, ever let it appear on any website or directory anywhere, that email address will never, ever get spammed or phished. It helps if the address isn't just a single first name, of course. I used to have my email address on my website until I was getting about two hundred spams a day, and once I changed my email address, put up a harvester-proof form on my website, and notified all of my contacts of my new address, I never got spammed again.
You are in error. No-one is screaming. Thank you for your cooperation.
I believe you miswrote spammers. The word you are looking for is shark and/or dolphin. People get spammers, sharks and dolphins mixed up all the time. You can tell them apart from the dorsal fin.
I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA) I just don't care. I give anyone my email whenever they want. I register on websites with an address that expires. So it works for long enough for them to send whatever it is that I need from them and then stops working after that.
Do I still get spam? Yes. The 419 scammers can get through. I see one of them once every 6 months or so. I just blacklist them. 2 spams a year is much easier to deal with than 12000. Do I see automated spam? Nope. Haven't seen one of those in my mailbox since 2001.
IMHO, C/R is the best tool that I've seen to allow me to not worry about giving out my email address to others. I wish there was a way in which we could create a small experiment on the internet in which everyone used C/R, and see what happened to spam. My prediction: it would disappear. And when that happened, no one would be afraid to give out their email address. No one would be worried about companies leaking their email addresses. This story would not be interesting enough to make the front page of /.
(FWIW, I fully understand the argument that says that C/R is bad. I do not agree with its accuracy nor its validity. I'm happy to argue about the merits of C/R, but recognize that a lot of these arguments have been addressed by TMDA and other well behaved C/R.)
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
I just assumed any site I provided my email to for 'free' access to something, sold that email address to some direct marketing agency anyway. Who reads all the fine print of the privacy statements on most sites? Don't they say details will be kept strictly 'for use by the company and its affiliates'? The affiliate being a direct marketing company of course.
All of these problems stem from the fact that the Internet was created with trusted hosts in mind.
Now with a minuscule fraction of the users being malicious and the power of computers to take ANY bad thing(tm) and magnify it to hyperbolic extremes, the Internet now must be seen as a hostile network. Any web designer or systems integrator who sees otherwise is a fool for thinking so. It is possible to cut off nodes that are acting abnormally to restore some sense of trusted communications again. But in doing so the freedoms that we currently enjoy are at the whim of a select few who program the heuristics. Hence, as a system of checks and balances, we try and enter that needed human element in the verification process in an attempt to keep those freedoms.
I registered for a site today that forced you to enter your email address, and then confirm it, before you gave them any other details. I hope they have some reasonable limits, or this could be used to annoy people.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
create a user
employ his address
delete the user
no user = no spam
need something?
resurrect the user
done?
delete him again
Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".
I've got a better idea. Don't require the user to give you their email address EXCEPT for initial registration. Don't use their email address as their ID. Don't ask for email address for password reset*. Just take the user ID, send the message, and have done with it.
This is a case where there's really no good and easy way to fix the security problem except by backing up and not doing the thing that causes the problem. This is like someone's saying "I want to leave my front door open while I'm not at home, so my cat can get in and out." and then coming up with "Well, you can set up a webcam to close the door when something bigger than a car comes up" instead of "Don't DO that, use a cat-flap".
----
* Why sites do that, I don't know... there's no extra security from having a login name AND an email address typed in by the user, since the verification mail won't go to anyone but the real user... all it does for me is make me generate a new account 'cos I don't know what email address I used to sign up with because of exactly this kind of problem.
What they need to do is require four secret questions, all needing to be answered correctly to go on.
As soon as they get the FIRST question they have the information they need, that this is a valid email address.
If you don't put the email address in in the first place, then you don't need any secret questions at all.
There is an easier way to do it that IS native to most systems (even Windows). Only allow 3 failed attempts before requiring re-activation (and enforcing change of password). While you are at it you could email the true account on each failed attempt letting the user know someone is playing jiggy-jiggy with their account. It isn't too hard.
B.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
Of course if you post a user's email addy, a spammer is going to find it.
Another step that should be taken, to prevent phishing, is to move to a copy/paste method for VALIDATION. Right now user validation is handled with a clickthrough. This leads to users relying on clickthroughs to get things from your website.
My new cms is currently being forked into two versions:
- GS 1.9.9 Beta : rapid content management for small business
- GS Blog 0.9.1: rapid content management for bloggers
One of the main new features I've implemented is to have a validation MD5 that you have to copy/paste when you first log onto the system. It's pretty simple if you register.
But dial it back a bit and examine the whole password reminder system. I'm doing this code, coincidentally, today. A user who forgets their password is prompted the next time they log in. It will be the exact same as the registration code, except you will have to accept the password change with a code, or optionally reject it.
I just think that CMS designers need to examine the whole process and look at the big picture. If you show an email address, a spammer can find it. If you ask your users to clickthrough, the next time they get an email from a phisher, they are going to click it.
Yes, there is a limited level of intelligence to use the internet, but I think we need to be always looking at better methods of implementing CMS design.
The dangers of knowledge trigger emotional distress in human beings.
This is why I use sneakemail for every registration I ever enter. Sneakemail is a (free) mail-forwarding service that will generate an unlimited number of randomized email addresses, and forward them to 1 of 10 of your addresses. Every forwarded mail has a tag (specified by you) attached to the subject for easy filtering. The 'From' addresses are mapped so that a response from you gets sent to sneakemail (where it gets re-sent back to the recipient with the 'random' e-mail address and all header information removed). In other words, sneakemail is a kind of anonymizer proxy for email. I like this service because (a) I never have to give out my real email address, (b) I know which sites are giving away my email address, (c) I can disable, block, or delete an email address that is being used for spam, and (d) it makes it difficult for anyone to associate an email address to me (in the cases where I don't want to give my real name). Admittedly, you can accomplish all of the above if you have your own domain name, and create addresses for every account (except that (d) becomes a bit harder, as it requires fake information in your domain registration). This is superior to throw away email addresses, which only work for (a), and which if you ever need to receive email from them (say because you lost your password, or they use email as login) you need to remember the address somehow. I can always log into sneakemail and see a list of all the addresses I have, neatly categorized.
So give out a temp email address on your own domain (example: junk_3937448@yourdomain.com). That way nobody else will ever be able to use it.
Or, give out a meaningful temp email address (example: from.bestbuy@yourdomain.com). That way you know when they are selling you to spammers.
shinyfeet.com
they force a security image (like the one slashdot finally added for posts) for things like signup, and password checks/changes. this prevents scripts from harvesting anything.
I have used them for a few months, I use my shinyfeet address for everything, subscriptions, newsletters, orders, etc. and I see no spam (unless I check my junk folder).
So even if my email was sold from one of the sites I registered with, or they harvested my information from, say, slashdot, Shinyfeet's spam filtering is good enough that I do not have to deal with it. My Yahoo and Gmail accounts, on the other hand, are not nearly as nice to me when I have to try and sift through non-stop SPAM in my Inbox. And I haven't even used Gmail for much!
do you have shinyfeet?
My ISP and email provider both allow me to use email aliases that send everything in front of the @subdomain.domain.net part to one account. I can filter out a lot of shit on their server, and categorise the rest in my email program. If someone sends me spam, I can quickly trace the origin of the leak, as I routinely put their domain name in the username part.
99% of the spam I get comes from some porn sites I once bought something from. They overbilled and sold my address, so now I put all the porn I downloaded from their site on ed2k.
This space is intentionally staring blankly at you
Just add "+$SUFFIX" to your username. Example: username+someplaceregistration@gmail.com Then if you start getting spam at that address, just add a filter to delete mail to the "+someplaceregistration" suffix. Unfortunately, some sites don't accept email addresses with "+" in them.
Ok, so you take out some phishers. They will simply keep coming. This is akin to trying to make MS secure; until you change the underlying problem, you are simply throwing money into a bottomless pit.
The way to stop phishers is to change the protocol. https helps, but there are problems due to the set-up. The registry companies have gotten greedy and will stop any competition, but allow anybody to register. Big mistake all around.
I prefer the "u" in honour as it seems to be missing these days.
As an on-again, off-again Wikipedian responsible for countless edits as well as several full articles, I used to be happy to leave administrative matters there to others. Such was my bliss, anyway, until I stumbled upon something extremely troubling--something that forced upon me an awareness of the project's astonishingly careless attitude toward privacy and security. This is the product, apparently, of an obsession with countering vandalism so all-consuming that administrators are even willing to expose unlucky bystanders to identity theft.
This is what I discovered.
A Wikipedia developer, intending to catch sockpuppet accounts (multiple accounts created by the same individual), queried the user database for a list of accounts whose passwords matched passwords belonging to known vandals and trolls. Hoping the results would be useful to others, he published his findings on his user page. Of course, such a list necessarily included anyone who happened to be using, merely by coincidence, the same passwords as the targeted individuals. As a matter of fact, it seems likely that the dragnet caught at least some people by chance alone. But only the people on the list could know for sure.
That in itself sounds unfortunate, but none too dangerous. The horrifying punchline is this: in publishing the results of his query, the developer had effectively given these vandals and trolls a list of usernames with whom they shared a password. And once so equipped, the vitals of each compromised account--including the email address--were just a login away.
Leaking people's passwords, usernames, and email addresses to anyone is damaging enough, let alone to established miscreants.
Anywhere else, a mistake like this would be acknowledged, the offending information removed, and the potential victims notified. Not so on Wikipedia, where the list spawned nothing but a protracted debate and then a vote to remove the page. In a second blow to Wikipedia's reputability--the first being the mistake itself--the vote finally succumbed to addled logic and shortsightedness, as did a motion to restrict its visibility to site administrators. And so the page has remained linked and visible now for almost a full year, a threat to any innocents listed therein and an affront to anyone with an interest in their privacy and personal security.
Imagine if you were on that list. (In fact, maybe you are.) Wouldn't you wonder how it was possible for Wikipedia to expose your password to malicious users for the better part of a year? Wouldn't you marvel that no one had alerted you?
I don't mean to single anyone out here, which is why I've refrained from mentioning the name of the careless developer. The real indictment, in my view, is of the process that:
It is my opinion that this incident is only symptomatic of a larger problem: Wikipedia's tradition of policymaking by ad hoc polling. It is also, perhaps, a harbinger of disasters to come. A draft privacy policy offers some hope, but interest in its adoption appears to have stagnated.
For the foreseeable future, then, it would be unwise for anyone to entrust their privacy to the Wikipedia site, when the project's developers and administrators have so clearly demonstrated a severe unfitness to guard it, to say nothing of a callous contempt for the real-world safety of contributors.
----
Note: If my anonymity gives you pause to question my credi
- search google to find the URL of the registration page for, say, a zillion deployed instances of the software system (a zillion should be enough)
- employ a script to visit the zillion sites and attempt to register a few times, using the target's email address
Each site becomes an unwitting stooge which now sends, first an email to the target saying they have registered a new account, and then two more emails that say that the account has already been registered -- on the first day of the attack. On the second day, they each send three notices of the latter type. Target receives 3 zillion emails each day. On the bright side, perhaps those emails would be similar enough that the target could filter most of them out automatically.
And of course there are plenty of other opportunities to perform DDoS on an inbox which are simpler and more effective, so it's unlikely anyone would exploit this. The simplest technique is placing the target's email address on a web page and letting spambots trawl it, resulting in zillions and zillions of unwanted emails which are all very different, effectively making email unusable for the victim... oh, wait a second... this describes the current situation of most of the inboxes on the planet today.
If you mod me down, I shall become more powerful than you could possibly imagine.
Imagine if you were on that list. (In fact, maybe you are.)
That's the amusing thing. I worried about this for a moment, then looked at the page and realised he has only listed matching passwords for blatant collections of troll accounts.
You got caught. Tough shit, Lir. Sucks to be you. Next time, use different passwords when trolling! Oh, and stop posting anonymously on Slashdot, you chicken!
for IM alias phishers to just plug IDs into Yahoo or AOL IM - have a bot or boiler room chatter talk with you through IM and try to scam you either A) Out of money or B) Into visiting some porn site.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
I'm not Lir--I don't even know who he is--and while the list seems to include many similarly-named accounts, there are just as many who don't seem to have any affiliation with the guy. He probably used a dictionary word as his password, and other people with the same password unfortunately got caught up on the list.
The more I read, the more I discover, the easier and cheaper it becomes to contact us, the more besieged we become by these spammers and phishers, the more convinced I am that the only possible response is to ban all email and calls from businesses. None should get through. Not a one.
We could make a "slight" exception for opt-in newsletters, but any sort of commercial message that has not been explicitly asked for, and signed for in the clearest possible way, should open the sender up to extreme fines. It is no longer worth the risk we run of having our bank accounts, our credit cards, our lives snooped into and stolen in exchange for the ability of Wal-Mart or Carrefour to send me a personalized greeting.
In 10 years, phone numbers will no longer mean a thing as we pass from telephones to VoIP, and then the floodgates will open. Someone did a very good analysis (I forget where) about telemarketing centers in India being able to turn a profit if they only ask for $5 per call (an amount that most people would be ready to pay for even the silliest things, witness ring-tones) and have an incredibly low-- 1 to 2%-- success rate. With all the detailed info they already have, and the ability to call you for FREE over an untraceable line, imagine what a phisher could do?
I hate to sound so vitriolic, and I don't mean to be a Chicken Little, but this is a serious issue that we have to attack now, not later. By accepting calls from unknown parties, we are rapidly losing the ability to distinguish between friend and foe. We should ban it all, at the source, and make companies ultra-cautious about contacting anyone without proper authorization. This is the only way I see that we're going to regain our ability to know that the person on the other end of the phone can be trusted.
www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
Where does that go?
Why do I need an account in the first place? I have far too many accounts as it is, I don't need more.
Case in point: I wanted some book not in any local store, and had a 10% Barnes and Noble online discount. I quit the order when they asked for a password. I gave them my address and credit card number. That is all they need to ship the order, I don't want a stupid account, I want the book. There is nothing of mine they need to save. I know my address, I have more passwords than I can remember.
Even though I'm protected I'd prefer they not remember my credit card number. I will enter it every time, it doesn't take long.
Anyone know what the writers of the report are up to? Their site has a few more research papers and some teasers, but otherwise it's lacking in details. Is anyone familiar with what they do?
This is very easy for site operators to fix.
The website simply needs to return the same message regardless of whether a username/email is registered or not. It's not highly user friendly, but it's a reasonable tradeoff to prevent giving information to people who are not authorised to receive that information. The website can simply say that "if the account name@email.com exists, a password reset email has been sent". It could then explain that it is unable to reveal if an email address is valid to protect the identity of its members. People reading that would usually be happy with such an explanation, as it fits into much of the privacy requirements.
Your standard ftp server or unix console/ssh login works in exactly the same manner; it doesn't matter if you get the password or the username wrong, you simply get told that the login is incorrect and to try again.
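The "same message either way" approach in this comment, combined with the earlier poster's 3-attempts-per-day-per-address cap on registration mail, as an added example that is not code from any site named in the thread. The class and function names (AccountService, Outbox) are made up, and the mail client is a stand-in list.

```python
"""Registration and password-reset handling that does not reveal whether an
address is registered. Constructed example for this thread, not code from
any site mentioned in it; AccountService and Outbox are invented names."""
from dataclasses import dataclass, field
from datetime import date
import secrets

# Cap on outbound mail per address per day, as the poster above chose.
DAILY_MAIL_CAP = 3

# One user-facing reply for every outcome: registered or not, capped or not.
GENERIC_RESPONSE = (
    "If an account exists for that address, a message has been sent to it. "
    "To protect our members' privacy we cannot say whether an address is registered."
)


@dataclass
class Outbox:
    """Stand-in for an SMTP client: records (recipient, subject) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


@dataclass
class AccountService:
    """The reply text never depends on account existence. In a real deployment
    the response time must not depend on it either (do mail delivery and any
    hashing off the request path), or timing becomes the enumeration oracle."""
    outbox: Outbox
    users: set = field(default_factory=set)           # registered addresses
    reset_tokens: dict = field(default_factory=dict)  # token -> address
    attempts: dict = field(default_factory=dict)      # (address, day) -> count

    @staticmethod
    def _normalize(email: str) -> str:
        # Case-folding stops "Alice@x" and "alice@x" being counted as two addresses.
        return email.strip().lower()

    def _under_cap(self, email: str, day: str) -> bool:
        """Count this attempt; return False once the daily cap is reached."""
        key = (email, day)
        count = self.attempts.get(key, 0)
        if count >= DAILY_MAIL_CAP:
            return False
        self.attempts[key] = count + 1
        return True

    def register(self, email: str, day: str = "") -> str:
        """Create an account or, if it already exists, notify the address's owner.
        The requester always gets GENERIC_RESPONSE."""
        email = self._normalize(email)
        day = day or date.today().isoformat()
        if self._under_cap(email, day):
            if email in self.users:
                # Only the mailbox owner learns that the address was already taken.
                self.outbox.send(email, "Someone tried to register this address, which already has an account")
            else:
                self.users.add(email)
                self.outbox.send(email, "Welcome: your account has been created")
        # Over the cap: the mail is dropped, the reply is unchanged.
        return GENERIC_RESPONSE

    def request_reset(self, email: str, day: str = "") -> str:
        """Mail a reset token if the account exists; say the same thing either way."""
        email = self._normalize(email)
        day = day or date.today().isoformat()
        if self._under_cap(email, day) and email in self.users:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = email
            self.outbox.send(email, "Password reset link")
        return GENERIC_RESPONSE
```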
It's utterly fucking ridiculous that this was modded down on SLASHDOT of all fucking places. The people here on Slashdot claim that security is of the utmost importance, and what happened here is sickening. I cannot believe that someone can actually SUPPORT what is, basically, the publishing of passwords to a group of individiuals. If you are in a group there, you know everyone else's passwords. So what happens to the innocents that have/are/will be caught up in this?
It disgusts me that this is modded down and that page is still up. You, parent Anonymous "Coward," are now dubbed an Anonymous Hero.
Wheel in the sky keeps on turnin'.
http://www.bilsystem.com/paypal_export.php This dude puts up the paypal username and addresses.
unless you let your domain expire and someone else registers it!
No, he's right, even if he's "Lir". How do you know all those user names are his? There's so goddamn many! Not to mention, most of them don't look related. And what about "Nico" and the rest of them? I think they must have used dictionary words for their passwords, or something common that a lot of other people unfortunately were also using.
Original post should be modded up. Or submitted as a story. If there's even one person who's on that page by coincidence (and it looks like there's probably at least a few) then that's seriously, seriously fucked, maybe even lawsuit fucked.
because I got one of those password reset emails from /. a few days ago, even though I didn't request it.
The Doormat
If you're not outraged, then you're not paying attention.
Am I the only one that considered this to be an obvious downfall of giving a site your email address?
----
All of whose base are belong to the what-now?
It's hilarious! send it to all your friends and you will have good luck for an entire year!
... such as the ones provided by Mailzilla.com http://www.mailzilla.com/. You should never give out your true email address to any online site because they could resell it w/o your consent. They could also be hacked, so your email address could be stolen.
http://willhackforfood.biz/ Full-featured and sexily named, run by the tasty boys of the DDP ;)
Use http://www.jetable.org/en/index
And if you're one of the enlightened folks who use Firefox, then there's an extension for it.
Yes, they can't email you if you lose your password...
Beetle B.
Or you can use mytrashmail.com and get a free temporary email to sign up to sites with.
I already emailed the admin of mma.edu regarding this obvious privacy risk, and I still haven't received a response. That was over 2 weeks ago. I guess privacy isn't important with MMA. I think we should inform the media and start a public boycott, that'll get their attention.
Fair enough, but if you let your domain expire, or whoever you've appointed to keep it current, you've got even bigger problems, obviously.
After registering at a few websites, I get 100 emails every hour! Such nice friendly folks wanting to talk to me. This internet thing is great! I get business proposals, discount meds, bedroom talk from a chick called Kandy. It couldn't get better.
The CNet article does not mention any sites that are vulnerable to registration attacks and password reminder attacks by name. The study http://www.bluesecurity.com/the_blue_zone/2005/05/hostile_consume.html that sparked this article does not mention any sites either. I found only one article http://www.businessweek.com/magazine/content/05_23/b3936026_mz006.htm/ that does name vulnerable sites, including Victoria's Secret, Amazon.com and L.L. Bean. I checked them out, and indeed those sites are vulnerable.
Perhaps someone from these sites is willing to confirm (or deny) that there were actual attacks? Are there any other web masters or users that have some clear evidence of actual exploits?
Also, the Blue Security's original paper claims most ISPs and Web Email Providers leak their users' email addresses. Has anyone seen some examples of vulnerable sites? I was unable to find any specific examples in the press. It looks like Gmail is not vulnerable, but I did not check other email providers.
wow thanks for the heads up, luckily those are really shitty passwords, and mine are at least a little better than that.
so I'm not on the list.
Shut up, fuck off and die already Lir! Pretty Please...
Hotmail accounts are not disposeable if you use them for registration anywhere.
I used to use a Hotmail account like that. The problem is that after using it for a while and giving it in various places, I ended up with an account I couldn't dispose of, because it was given at some places I wanted to get notifications from. Furthermore, I did not remember exactly all the places where I used the Hotmail address to register, but I knew I would rather get notifications from some of them (especially in cases where money was involved). Of course there were places I did know I registered with that email address that wouldn't allow change of email address (stupid, ha?!) and there were places that allowed it but finding how to do it was too much effort.
So my conclusion is that any address you use more than once is not really disposable. What you need to overcome the problem described in the article is to use many addresses, each address once or with a small well defined group of senders. Addresses in one's own domain can serve that purpose, but have some drawbacks, and the main one is that it's a completely manual process. "Disposable address" services give different kinds of automation tools that achieve different goals. I use spamgourmet.com (that was described in another reply to the parent) but only to post in forums or to "register" in places I never want to use again (like reregistering each time I want to read an article in places that "require preregistration"). The lesson of not remembering all the places I registered in made me use sneakemail.com for almost all registrations. It's a bit more effort, by having to click a few links to generate a new address each time, but the advantage is that it is a place that records all the info I want to remember on registrations in one place, accessible from anywhere (and also makes it available as text or csv files). Sneakemail.com is a bit geeky in the way it builds actions from components, but that would only appeal to the average slashdotter... I only use my own domain for registration when I expect to receive large attachments bigger than sneakemail's limits, or for giving to people I know or work with, and even with this I use different addresses at various subdomains so I can easily block those that will get too much spam in the future.
One-time permanent addresses have many more uses, such as using the recipient's address for email authentication (the recipient's address is the only data that SMTP requires to be correct for email to be deliverable).
Anyway, the most important concept is "not to put all the eggs in the same basket"!
Despite the fact I can't conceal my street address when dealing remotely with most businesses, and in fact, anyone walking by my house could theoretically harvest the address and send me "Urgent" mail addressed to "Valued Customer", I have never yet been tricked into giving out my mailbox key or credit card number to a scammer.
Well, unless you count Columbia House.
Did I say overlords? I meant protectors.
How 'bout Anonymous Troll? The exact same thing was dropped into the edit queue on K5 by someone named Wikt. Seems that if this was to be a story, it should have been posted here (and there) oh, about a year ago. The debate's over now. The OP is just beating a dead horse. Something tells me he's a vandal who got bitchslapped recently.
Or, maybe you're the troll and I just bit. Oh well.
OH NOES!!! IT APPEARS YUO DO NOT HAVE ENOUGH MONEY TO PAY FOR DIS HERE PIZZA! WAHT EVER ARE YOU GOING TO DO!?!?
I remember, when I was designing the login system for a website of mine (which has since been taken down), I hashed the user's password along with their username, simply so that I wouldn't be able to tell who had the same password (and thus, neither would anyone else who got my database somehow.)
You just don't give out info about people's passwords. At all. Yeesh.
Breaking Into the Industry - A development log about starting a game studio.
SBC Yahoo! Web Mail service is actively trading in compiled lists of FREE email addresses and secretly using those addresses and the computers associated with them for routing their chunked/compressed commercial [Bulk]web mail ADVERTISEMENT push-links through those accounts.
Mentor Graphics Corporation and Verisign "Trust Network" have actually sent me snail mail with labels printed on them that were obviously obtained from supposedly secure databases without my express consent to release the information.
Verisign was trying to sell me security software to protect myself from that very practice. Go figure.
For those who believe that their email addresses are secured by root @ 127.0.0.1, it is strongly recommended that they make absolutely certain their localhost asset tracker is covered between 0.0.0.0 and 127.0.0.0 on all 65,535 mini-ports.
Just being "HIP" to the numbers does not mean that your "Human Interface Parser" will be secure from real-time deep-scanning (RASAPI32) operations on your system registry.
Bill Gates and all his BONZI buddies are all listening for great new Dell Deals! for sale at WAOL SUPERSUB.DLL Purple GORILLA.BAS
eXtended [MS-DOS Games]
[XBOX Live MSN Internet Gaming Zone].
Smells like an electrical fire in the making to my schnozzola, wad about yours?
"How 'bout Anonymous Troll? The exact same thing was dropped into the edit queue on K5..."
What, so just because I crossposted it to kuro5hin.org makes me a troll? I'm posting here anonymously because I'd like to avoid retribution on Wikipedia, where I've been a frequent contributor over the last few months. What exactly do you want me to do?
As you say, the debate was over a year ago. The problem is that the outcome is obviously unsatisfactory-- everyone on that list now knows each others' passwords, for God's sake. Whether you think I'm a vandal, a troll, or whatever does nothing to change that fact.
Yes, that's exactly right. The problem is that the severity of the mistake is a little harder to understand than, say, if a bank were to leak credit card numbers, so it's not immediately obvious, without a little thought, why that page is such a danger.
"Original post should be ... submitted as a story."
I submitted this to Slashdot, but it must have been rejected. It truly ought to concern a lot of Slashdotters, though. Maybe someone else can try submitting it.
Well, thank you. My post is at +5 now.
Still, I'd rather see the problem taken care of, and since so few seem to understand the danger--least of all, unfortunately, the Wikipedia admins--I'm not sure how to proceed. I tried submitting what I wrote to Slashdot, but it must have been rejected. Do you have any suggestions? Should I resubmit the story?
I think it's a problem of the underlying community. I've lost faith in Slashdotites and the such.
I don't know what to do if the admins are AGREEING with what was done. It's just disgusting.
Wheel in the sky keeps on turnin'.
When the same ip, same browser version brute forces 2000 passwords, a webmaster should notice that ...
....
.... 30 minutes if you ever did anything with GD ...
... tasks that your average highschool kid can program after the first week of informatics classes ....
... what should i say
also form data must be checked for where the post is coming from
inventing a simple "dirty" image and a php script that puts 5 alphanumeric characters over it so when you register or post takes less than 1 hour for anyone who ever touched PHP
all these attacks can be successful because of poor programming of very simple tasks
well
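The comment above says a webmaster should notice when one IP with one browser version fails thousands of logins. Here is an added example of that detection logic (not from the original thread) run over constructed log lines: it keys failures by (IP, User-Agent) and alerts once a sliding window holds more than an assumed threshold of 20 failures in 5 minutes. The log format, IPs and threshold are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this demo, not a real server's format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" user=(?P<user>\S+) result=(?P<result>OK|FAIL)$'
)

def parse(line):
    """Return a dict for a well-formed line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Flag (ip, user-agent) pairs with >= threshold failed logins inside a sliding window.
    Returns {(ip, ua): failures_in_window_at_first_alert}. Lines must be in time order."""
    recent = defaultdict(deque)   # per client: timestamps of recent failures
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        key = (ev["ip"], ev["ua"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = len(q)
    return alerts

def constructed_sample():
    """Constructed sample: one client spraying 25 usernames in two minutes,
    plus a legitimate user who mistypes three times and then succeeds."""
    base = datetime(2004, 3, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f'{ts} ip=203.0.113.5 ua="Mozilla/4.0" user=user{i:02d} result=FAIL')
    for i, res in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f'{ts} ip=198.51.100.7 ua="Mozilla/5.0" user=alice result={res}')
    return sorted(lines)   # ISO timestamps sort chronologically as strings
```

With the sample, only the spraying client is flagged; the legitimate user's three failures stay under the threshold.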
You're absolutely right! I know people in most cases think "what's the probability of two users with the same password getting the same hash?", but I would never think that with the size of wiki!
I can't really say I get what this person publishing this info was thinking...
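The earlier comment about hashing the password together with the username, and the reply above about two users with the same password getting the same hash, both describe the same defence: a per-user salt. This added example (not code from either poster) shows a leaked unsalted table exposing who shares a password, and the same users stored with a random salt and PBKDF2 where that grouping disappears. The usernames and the shared password are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor chosen for the demo

# Constructed sample: two users chose the same password.
SAMPLE = {"alice": "nico", "bob": "nico", "carol": "other-secret"}

def unsalted_digests(credentials):
    """Model of the leaked table: one plain SHA-256 per password, no per-user salt."""
    return {u: hashlib.sha256(p.encode("utf-8")).hexdigest() for u, p in credentials.items()}

def shared_password_groups(digests):
    """Group usernames by digest; any group larger than one reveals a shared password."""
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def hash_password(password, salt):
    """Per-user digest: the salt makes equal passwords diverge."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(username, password):
    """Stored credential record with a fresh random 16-byte salt (random beats
    the username-as-salt approach because it is not predictable per account)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "digest": hash_password(password, salt)}

def verify(record, candidate):
    """Constant-time check of a login attempt against the stored record."""
    return hmac.compare_digest(record["digest"], hash_password(candidate, record["salt"]))

def salted_records(credentials):
    return {u: make_record(u, p) for u, p in credentials.items()}
```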
Scully: Should we arrest David Copperfield?
Mulder: Yes we should, but not for this.
C'mon guys -- it's *just* a Wikipedia account -- no wonder it was modded down - is *this* your idea of a SECURITY BREACH .... I mean whether 20 or 20,000 accounts were lost is irrelevant ... what's a guy going to do with those accounts anyway ?!?! :)) :))
Considering that the logon is not done over TLS or SSL you are quite silly if you think your privacy is secured -- whether this page exists or not!
Nico is a common Dutch first name, and I can see a couple of Dutch names on the Nico list... I bet there are many people in Holland who use Nico as their password (father, dog whatever...)
nico isn't necessarily the password, it's the troll account.
You obviously haven't read the article. You missed the point completely.