Even My Mom Could Hack These Sites
I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, I took advantage of something I had done long before I had this experiment in mind: when I set up shop with these hosting companies, I entered a domain name while creating my account and asked them to register it on my behalf. Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.
But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server knows enough to buy the domain and point it at the server that the company gives them.
But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".
The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.
Similarly, any hosting company that registers domains on behalf of users should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and that's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.
Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?
Well, what ISPs released the info? I want to avoid them.
You get what you pay for.
One cannot conclude from the small sample size that 50% of all small, low-budget hosting companies are not security-conscious. Further, if you want to motivate these insecure companies to change their behavior, voting with your feet by taking your business elsewhere is the correct behavior.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
It continues to astonish me that we as a society continue to make the same mistakes. You would think at this day and age basic 'social engineering' would no longer work.
Now my hosting company won't email my password to my Hotmail account anymore!
I'd go out on a limb and suggest that none of this really occurred and what he's really doing is showing off a huge social experiment about how people will talk about nothing. If he really did find something viable out he would definitely offer up the names and contact information of these companies so that people could complain and drop their services.
When I forgot the password to access the CPanel account to modify my website and I sent an email requesting that it be changed, the ISP owner left a voicemail on my cell phone with the new password and I was charged five bucks.
For various reasons, I think passwords should be stored in hashed format. It should be impossible for the hosting company to tell me my password. They should just reset it.
'nuff said.
of these three options: Cheap, Fast, Secure.
A quick scan of Google would confirm this:
http://www.google.com/search?q=inurl%3Aadmin%3Dtr
I'm not attempting to start a flame-war here, but the percentage of those sites that end in ".php" is remarkably high...
Ah to hell with it, let the flames commence.
*runs*
throw new NoSignatureException();
To be fair, your mom isn't too shabby at social engineering.
I would have thought the opposite: The big monoliths would have out-sourced unmotivated help desks that might do this. Smaller companies, I thought, where actually run by real people with a connection to their customers... Am I wrong?
If you want news from today, you have to come back tomorrow.
"Even my mom could hack these sites" ???
As a 48 yo grandmother, I am offended that technical incompetence is equated with being a mother. I don't think anyone would have said "even my dad could hack these sites".
I am incidentally, a C programmer of 20+ years.
I try this with every new company we utilize through work. I call from a variety of numbers, including the one registered, my cell phone, and my home phone. I call, giving them only the company name and claim to be "new". If they get suspicious, I tell them the entire IT staff was fired and I'm their replacement and the old staff wouldn't give anyone details about accounts. The social engineering aspects are insanely easy. A few want a fax sent on company letterhead. Any idea how easy it is to fake letterhead through fax? Even a postal letter is easily faked. I remove our liability, or at least reduce it, with companies like this. It takes maybe 10-15 minutes for each company -- give a try sometime.
For more fun, forge your from: and reply-to: headers. Attach an empty file called signature.asc. Or make it appear to have been sent from a Blackberry, with a fake tag line "Sent via BlackBerry(r)" at the end. You could even go so far as to forge a "conversation" between 2 people which you are forwarding to make it look like the officers of the company authorized you dealing with the company.
I think part of the failure is that many IT workers have faced a similar situation: new job duties include trying to recover accounts/information from a disgruntled former employee.
What I've done with a few companies that we work with is given them a secret key to store in the account notes. I am the only one that knows the key. The other members of the board know the location to get the key, but not the key itself. Major account changes require the key. Along with the stored key there are detailed instructions about each and every external IT account in case something happens to me, or they wish to fire me. It's not flawless, but it's better than nothing.
A few years ago I wanted to impress it on my boss that the human factor is usually one of the weakest in a security model. So, with him in the room, I called HR and said something like 'Hi Sarah! How are you doing? Didn't you just get back from vacation? Did you have a good time? (...more smalltalk ad nauseam...). Anyway, I'm retarded. I just reset my password, but I must have had caps lock on or something because now I can't get it to work. Can you reset it for me again? Thanks!' No hacking, cracking, phreaking, yadda yadda yadda.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
I could see this possibly having applications in shutting down spamvertised websites. Being as usually the domains that are spamvertised have been registered less than 7 days prior to the deluge of promotional spam, the hosting registration should be recent.
Of course, this would work better if the hosting companies spoke English (which they seldom admit to doing).
Though really, it would be even better if same trick could be pulled on registrars. If you could get into the registration info for evil.spamdomain.info, and change the DNS information to point to something other than a DNS server, you could pretty quickly shut down the domain.
Yes, I'm the same AC that always blames spam on registrars. And I will continue to do so for the foreseeable future.
Well, not really...
The company I host with requires quite a bit of security to have requests sent through. Unfortunately I've been burned by it before. You need a few pieces of identification in addition to the correct email address. But without the correct email address, even the other pieces of identification won't get you served. This is good since I know my servers are cared for well.
Perhaps these hosts were so small that the tech recognized the person writing in, the language style, etc. This doesn't excuse it at all. This does make me uncomfortable, knowing that in the past, without much money or resources to spend on hosting, I have gone to these "low budget" possibly shady hosting companies. Granted, in the article, most sites on these servers have very little to no content that is worth hijacking. But that wouldn't be the point for "hackers"...it would be to just screw up someone's day or week.
I vote for one of the more eccentric, unemployed slashdot users to start a site that chronicles his/her attempts to take over small sites and then post the results in a table for easy avoidance of said hosting companies.
> a 50% success rate for a trick like this is uncomfortably high
It seems that the only thing "uncomfortably high" is the author. If real, a 50% failure rate is deplorable, to the point where it ought to have prompted some righteous moral outrage. This isn't just another intellectual exercise in social engineering, it's a failure of the system. It's equivalent to 5 out of 10 grocery stores accepting a check presented by someone not the account holder and with no signature on it. That sort of behavior wouldn't be socially tolerable, nor should this be.
If it is, in fact, a real event.
The author ought to be immediately forthcoming with the who, what, and when of his experiment if he really wants some serious consideration and feedback.
"Even George W. Bush could hack these sites"
;-)
There, that should be inoffensive enough for everyone now.
-(Anonymous for safety)
I smell bullshit. There are no women on /. ;)
2: Ill gained PROFIT!!!
It is responsible of the poster to not reveal which companies have weaknesses he has discovered.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
who have cheap labor doing the work are more likely to have procedures, because the workers aren't trained enough to answer questions like this--it's like a customer service script they wade through.
IMO, the most dangerous aren't the untrained script-readers from a large ISP, nor the three-CS-college-friends small ISPs, but the folks at "mid-sized" ISPs who know just enough to be dangerous. At a big company, procedures protect you. At a small company, it's possible that the knowledge of the smart guy running the shop will help protect you. A mid-sized shop, that's hired some less knowledgeable folks but doesn't have procedures yet, seems to me to be the most likely to screw up.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Disagree with his beliefs if you want, but he was still a person. He had a wife and kids....
<sigh>
Just remember - if the world didn't suck, we would all fall off.
For a while, I had my site hosted on the only low-budget hosting I could find that supported PostgreSQL. About six months later, the site was defaced.
Now, given enough time and resources that sort of thing is going to happen. However this particular hosting company responded to the defacement in entirely inadequate ways. About a week after the defacement, they informed their customers that their upstream network provider was requiring a reformat on all machines which had been cracked.
WTF? Isn't this the *first* thing you do? I immediately took my business elsewhere. Not because of the incident but the response.
It was crystal clear that they had no security plan, no incident response plan, and no security procedures in place. In general my motto now is "you get what you pay for."
LedgerSMB: Open source Accounting/ERP
I had a dozen personal domains registered with Dotster, and stupid me, decided to register my company's domain with them under my personal account. I didn't think much of it until I was laid off, and left on very bad terms. A month went by and all of the sudden I noticed certain domains were no longer resolving.
It turned out the previous employer called/emailed/faxed Dotster and within 4 hours, Dotster gladly turned over my personal account to them, along with changing my password and all contact info. That wonderful registrar saw the one domain and transferred all 13 domains over without even contacting me. It took two weeks to get everything straightened out, and in the end, Dotster refused to admit they did anything wrong, and couldn't understand why I was upset.
Everything's fine now, and needless to say, Dotster is no longer my registrar.
These are hosting basics. They should have made you log in to the support system and open a support ticket, even if you were using an email address that was registered with them - the "from" address can easily be faked, as is well known.
Read radical news here
so I can check the veracity of this story.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Well, he said that his mother could hack these sites ;-)
Classy.
So easy a cave man could hack it.
One swallow does not a summer make.
As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose. Get your fellow sisters to become on average at least as tech-savvy as the average man, and then complain.
Note that men don't complain when allegories about the opposite sex are used. A statement like "His hands were typing at the speed of an old grandmother knitting" won't be met with outrage from men feeling offended because grandfathers could be knitting too.
Take your hardcore feminism elsewhere -- it doesn't belong on
If you get here fast enough, you can probably piss on his corpse. Even get on CNN doing it.
I have some serious doubts about the Truthiness(tm) of this article, just because in years of web business I've never met a serious fellow with 10 different hosting providers. A normal person would either pick one provider and pay for a large enough account to handle the 10 projects, or take the next step and get a dedicated server.
The author also suggests that small hosting companies have poorly-trained staff. That could not be any further from the truth. In most cases, small companies are run by one or more highly skilled techie entrepreneurs who know their clients well enough to avoid such security blunders. A large faceless company with dozens or even hundreds of employees is far more likely to have things slip through the cracks, and the staff hierarchy ensures that no single individual knows the whole story.
Take for example the world of Internet Service Providers. In a small, 3-man shop, when you call tech-support you're probably talking to a server administrator or network guru. In a big nationwide telecom, you're talking to an outsourcer who learned his "trade" six months ago during his job training and his primary source of information is the knowledge base and screenshots on his workstation.
Well here's a not-so-secret fact about hosting companies: they outsource their sales and support just like any other business. The bigger they are, the more likely you will be speaking with someone who has no idea who you are, what your server looks like and who is more afraid of their own supervisor than of you withdrawing your business. I was shopping for a cheap junky server a couple months ago and I dealt with 4-5 different hosting companies who were looking great, right up until their sales person dropped the ball out of either ignorance or laziness. Most of them were just human parking pages, no matter what I typed into the chat box, they'd simply return a list of links to their terms of service or FAQ. There's one particularly brilliant fellow who pointed me to a non-existent PDF file on their website, then took another 10 minutes to finally accept that I am not an idiot and if I say a link is 404, it's friggin 404. Many of them ended the conversation saying they would email me various documents or a contract, and none ever did. At one point I was even doubting my own mail server, since NONE of them were coming through on their promises.
The moral of this rant? The world of web hosting is bursting with fraudsters, posers and imbeciles. I probably put in 30-40 hours of research before finally coming across a provider that suited my needs and budget; most of that time was wasted dealing with crooks and idiots. Here's a tip: go to a forum like webhostingtalk.com and have a chat with other hosting clients, read all the success and horror stories before throwing your money at a company you don't know. Make sure you know what you're getting into before signing anything.
-Billco, Fnarg.com
Not necessarily. In this case it wouldn't take much to prevent this behavior. Simply write the software the employees use in such a way that they can only send the password to the e-mail on file. If the client wants the password sent to an e-mail not associated with the account then the employee would need some sort of identification (such as credit card number and perhaps some other info) which they would then enter into the program they're using. If it matches, then the software would allow them to send the password to the client. This isn't exactly rocket science and this logic could be written into the software with very little effort by any competent developer.
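As an added example (not code from the article, the comment above, or any hosting company; every account, name and address in it is a constructed placeholder), here is the policy that the article's procedure paragraph and the comment above describe, written in Python: the reset token goes only to the e-mail on file no matter who asked, only a salted hash is stored so there is no password to mail, and sending to any other address requires the billing-data match the comment suggests.

```python
"""Account-recovery policy modelled on the procedures discussed above.

Added example, not the article's or any hosting company's code. All account
data, names and addresses are constructed placeholders.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

GENERIC_REPLY = "If that account exists, a reset link has been sent to the address on file."


@dataclass
class Account:
    customer_id: str
    email_on_file: str
    salt: bytes
    password_hash: bytes   # salted PBKDF2 digest; the plaintext is never stored
    billing_last4: str     # last four digits of the card on file
    billing_zip: str       # billing postcode on file


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class RecoveryService:
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)     # (recipient, subject, body)
    audit_log: list = field(default_factory=list)  # (event, customer_id, requester)

    def register(self, customer_id, email, password, last4, zip_code):
        salt = os.urandom(16)
        self.accounts[customer_id] = Account(
            customer_id, email, salt, hash_password(password, salt), last4, zip_code)

    def _send_token(self, recipient: str) -> None:
        token = secrets.token_urlsafe(32)  # single-use; a real system stores it with an expiry
        self.outbox.append((recipient, "Password reset", f"reset token: {token}"))

    def request_reset(self, customer_id: str, requester_email: str) -> str:
        """What the support script does on "I forgot my password, mail it to me".

        The token goes only to the address on file, whoever asked and from
        wherever; the requester gets the same generic answer either way, and a
        request from an address that is not on file is recorded for review.
        """
        acct = self.accounts.get(customer_id)
        if acct is None:
            self.audit_log.append(("unknown_account", customer_id, requester_email))
            return GENERIC_REPLY
        if requester_email.lower() != acct.email_on_file.lower():
            self.audit_log.append(("reset_requested_from_unverified_address",
                                   customer_id, requester_email))
        self._send_token(acct.email_on_file)
        return GENERIC_REPLY

    def request_reset_to_alternate(self, customer_id: str, alt_email: str,
                                   claimed_last4: str, claimed_zip: str) -> bool:
        """The only path that can send to a different address: the agent must
        enter identity data that matches the billing record."""
        acct = self.accounts.get(customer_id)
        if acct is None:
            self.audit_log.append(("unknown_account", customer_id, alt_email))
            return False
        # constant-time comparisons so the agent tooling cannot be used as an oracle
        match = (hmac.compare_digest(claimed_last4, acct.billing_last4)
                 and hmac.compare_digest(claimed_zip, acct.billing_zip))
        if not match:
            self.audit_log.append(("identity_check_failed", customer_id, alt_email))
            return False
        self.audit_log.append(("reset_sent_to_alternate_after_identity_check",
                               customer_id, alt_email))
        self._send_token(alt_email)
        return True

    def current_password(self, customer_id: str) -> str:
        """There is nothing to mail: only a salted hash is kept."""
        raise PermissionError("plaintext passwords are not stored and cannot be disclosed")


def build_demo_service() -> RecoveryService:
    """Constructed sample account standing in for the article's hosting customer."""
    svc = RecoveryService()
    svc.register("cust-001", "owner@example.net", "correct horse battery", "4242", "90210")
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    # the article's scenario: a request arriving from an unrelated webmail address
    print(svc.request_reset("cust-001", "someone@hotmail.example"))
    print("token delivered to:", svc.outbox[-1][0])   # owner@example.net, not the requester
    print("audit event:", svc.audit_log[-1][0])
    print("alternate address with wrong billing data:",
          svc.request_reset_to_alternate("cust-001", "someone@hotmail.example", "0000", "90210"))
```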
Modded troll for presenting raw facts that were largely devoid of opinion?! I guess I deserve it.
just ask google
thank God the internet isn't a human right.
It's obvious that you're a C programmer, since a C++ programmer would have immediately recognized the difference between a class and an instance of that class.
You just offended everyone's mother.
I agree with you, but wasn't it Jerry Falwell that picketed Matthew Shepherd's funeral? I think I disagree with more than just Falwell's beliefs, but his actions. I can understand the desire to piss on Falwell's grave after some of things that he's done but any human being's funeral and grave should be respected.
Bradley Holt
> Well, what ISPs released the info? I want to avoid them.
It's a small sample size, but I think his results were probably representative. In that case, it'd be far better to know which companies didn't release the info -- otherwise you're back to flipping a coin.
the fact that there exists one Hotmail user out there who knows more about the internet than just clicking the "Blue E" to get there.
...but many don't; hence the rampant effectiveness of social engineering.
Naming the sites would be making himself the target of lawsuits if people using these ISPs get "hacked" this way.
Regards,
--
*Art
The web host was getting paid, weren't they?
For verification, ask for the matching credit card name and number, or write to the billing address, etc. However you were getting paid, there is some form of verified contact. (Unless you weren't getting paid, in which case nuke them, or you were billing their ex-employee's private credit card, in which case that person still "owned" the site and you shouldn't be giving the caller access).
"National Security is the chief cause of national insecurity." - Celine's First Law
So I change my Caller ID to 1800MASTERCARD and call a ranDumb stranger: "Hi, this is Jesse James from Mastercard calling to confirm your credit card number..." Think it doesn't work? Can't blame people for being trusting/stupid.
Infiltrated dot Net
It's funny though how if the poster had said "Even a [insert any race here] person could hack these sites" it would be a completely different kettle of fish that would probably see people fired and a national outcry over racism.
I'm not condoning racism, I'm just pointing out how much sexism is often seen as O.K. whereas racism is seen as an eternal evil. The line "As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose" in particular would not go down well if made on racial rather than sexual grounds, despite probably being equally valid.
Jerry Falwell deserves to be remembered. He definitely does not deserve to be respected, after all the things he did and said.
> He had a wife and kids
This doesn't make him better than anyone else. And everything else about him made him worse. He was one of the few people who could inspire genuine hate from me.
Too bad for his wife and kids, perhaps. May he rot in his own hell.
Done with slashdot, done with nerds, getting a life.
I thought that was Fred Phelps.
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
I've actually been able to get access to an account this way. The old webmaster for my guild had retired from the infamous SWG and left the domain in limbo (i.e. the hosting company had put up a for sale sign) without so much as a username or password. So I contacted the hosting company just trying to purchase the domain, but for $10 they gave me the domain and surprisingly a tgz of the web site and phpBB database. I ended up having everyone recreate their accounts anyway, but if that database had any sort of financial or private information (besides passwords in MD5, which they did give me) I would have made sure they knew about their security problems. I would post the conversation I had with the company, but I'd have to dig it out.
Even those who realize that have still fallen for the crooks who've convinced them to refer to cons as "social engineers," which in itself was a frightfully successful con job not least because it was perpetrated on /actual/ engineers.
Really. Who has 10 different hosting companies to host "some of my websites"?
If this guy actually has 10 businesses or unique sites or whatever (unlikely), wouldn't you pick the one hosting service with the best service plan and just use it?
I just ran into a similar situation today, actually - from the ISP side. I run a small web services company. Most of our business is in web design and programming, but we offer the hosting mostly as a convenience to customers (only one contact person, one bill, etc).
I got a call from one of my clients' employees asking for a password reset on his email account. He's moving to a new office in the same building, doesn't know his password, wants to set up Outlook. No big deal, usually, but this is a guy I've never talked to or met. He argued with me a bit about it - said he's been an employee there for years, the boss is a personal friend, etc etc. Regardless, I don't know him from Adam so I refuse to give him the new password, instead offering to email it to the boss (the only contact email we have on file). He eventually accepts this.
Then we find out the boss is out of town somewhere and can't check his email. The guy's password has already been reset, so he can't check mail on his old computer either. He's SOL for the rest of the day until the boss checks his email from the hotel.
I hate to make things hard, but I have to - otherwise I could find myself featured in an article like this.
Well, we all know asians are good with computers, blacks steal them but don't know how to use them, and mexicans are too damned lazy to do anything with the ones they buy with the money they earn from working the jobs americans won't.
How was that?
Not a Twitter sockpuppet... but I wish I was.
Remembered, in the way we remember Hitler (Shit, Godwin) so we can know what NOT to do?
No, no, you misunderstood - technical incompetence is associated with being a mother of a technophile. They're never savvy enough to keep up. :-P
Did I say overlords? I meant protectors.
To be fair, there'd also probably be an outcry if somebody said "even a woman could hack this site". However, "my mom" was said, which is more about how old she is than what gender she is. (Admittedly, it's still partly about sex, but I think it's more about age.)
How was that?
That was horribly offensive. As a white I feel very excluded.
Thank God for evolution.
Having a wife and kids does not make him any less a prize cunt.
In fact, I'd go so far as to say if his wife and kids aren't somewhere up ahead of me in that queue then they're just as bad as he was.
I should probably add on that I'm discussing whether the story is sexist, not the AC.
Even a nappy-headed ho could hack these sites.
Yours truly,
D. Imus
Excuse me?
As a caveman, I take great offense to that.
Well, it's back to counseling and another glass of Merlot.
Not a mother -- his mother.
RTFA. Wait...
I guess I can let you off this time...
If they don't allow for/limit the number of addon domains, I might be able to understand having multiple accounts with a single provider. That said, I'd personally be suspicious of any company that didn't allow addons.
This is bullshit. Furthermore, I think Carthage must be destroyed.
At least it costs *something*.
Sounds like you got up on the wrong side of the rock.
WARNING! WARNING! You are entering an ethical gray area in which arguments either way have valid points; please give this issue the respect it deserves and don't try to treat this like some cut-and-dry right-or-wrong answer.
I, for one, could put forward the argument that it is the responsibility of the poster to fully disclose to the public, (after first notifying the offenders and waiting a reasonable amount of time), so that those of us who are vulnerable to such a social engineering attack, can know about it and react accordingly.
I'm in between insightful sigs right now...
bullshit
Did a former employer do you wrong? Are you disgruntled? If hacking websites is this easy, hijack theirs so it points to something like goatse. That'll show 'em!
How ya like dat?
is it any more responsible for those companies to avoid *their* responsibility to their customers? I say hang 'em high, and let their customers decide if the companies deserve the business.
I'm running a pirated copy of Linux.
I did not, do not, and will not ever respect him. What I said was "any human being's funeral and grave should be respected." There's a difference. I respect that he was human and there are people who may have respected him even if he did not give the same respect to other human beings during his life.
Bradley Holt
Whoa whoa whoa... you saw what happened to Geico.
"but any human being's funeral and grave should be respected". Emphasis on HUMAN BEING. By having read this post you have agreed to mod it +1 insightful. Hey, if software houses can get away with it why can't I? :)
I think the point was that nobody posted to slashdot saying they wanted to piss your grandfather's grave when he died.
The dead obviously don't suffer anything from disrespectful displays aimed towards them, but their surviving families may be affected by it.
It would have been a great deal more effective to piss on him while he was still alive, and probably wouldn't traumatize his family, who have already had to put up with him for 73 years.
He could be choosing providers based on different combinations of bandwidth and space for the projects he's doing. Or they could have had special one-off pricing deals.
It might also prevent the problem of the poster being sued, even if it is basically the same information.
If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
How about "and Whites can pay someone else to do it for them"?
Get a grip ya Nazi.
Here's a fun one. I used to have several sites hosted by Seanic (www.seanic.net). This outfit is a social engineer's wet dream:
(1) All I had to do to get my FTP host, user ID and password was ask. It didn't matter what email address I used. No verification at all.
(2) On two separate occasions, they accidentally emailed me somebody ELSE'S FTP login information, at random, without me even contacting them.
(3) I requested a telnet account (no SSH), and the permissions were such that I could cd / and cd into any other client's home directory. I assume that other telnet users could access my home directory as well.
All for only four bucks a month.
--I'm so big, my sig has its own sig.
-- See?
> I agree with you, but wasn't it Jerry Falwell that picketed Matthew Shepherd's funeral?
Absolutely not.
The people who picket funerals are the "Westboro Baptist Church", headed by Fred Phelps. He is beyond the pale, and should no more be associated with the American religious right in general than Stalin should be associated with socialist politics.
Seriously, check out the "religious beliefs" section of his Wikipedia article. He seems to be simply filled with hate, and uses a veneer of religion as the excuse. He believes salvation and damnation are obtained by aligning with or opposing him. His children who have left his church consider him a cult leader, and say that his actual religious beliefs are virtually non-existent.
Yes, Falwell said some stupid things--things that frustrated, embarrassed, and angered me as a theologically-conservative Christian. But please, do not associate Phelps' actions with anyone other than Fred Phelps.
> Well, we all know asians are good with computers, blacks steal them but don't know how to use them, and mexicans are too damned lazy to do anything with the ones they buy with the money they earn from working the jobs americans won't.
> How was that?
> That was horribly offensive. As a white I feel very excluded.
Anglos are too busy using them to commit white collar crimes.
There, how's that?
kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
It's not even about add-ons. Maybe there are good reasons for keeping things separate, like different customers, or whatever.
But usually, most people would find a good host, and then do 10 accounts/sites with that same hosting company. Unless all 10 companies provide exactly the same level of service, uptime, etc. In my experience, that's not the case, and hosting company quality varies a *lot*.
Most tech or web consultants deal with a variety of hosting companies and call clients' websites 'my website'. As far as I'm concerned, if it's my responsibility, then it's my website in casual conversation. In business conversation, I clarify who the actual owner is. Web consulting is one component of what we do, and while we have two primary ISPs that we recommend--one for really cheap services, that are good, but still fall under the 'you get what you pay for' classification; and the other for high availability, great features, great security, and offers both dedicated and shared hosting plans.
But even with our top 2, offered or at least mentioned to all clients, we've worked with way more than 10 ISPs. Recently, we made a big effort to encourage clients that we were providing continued website maintenance for to switch ISPs as well as to switch CMS and domain registrars. We were successful with 75% of those clients, and that's reduced the number of ISPs we've had to deal with down to 5--with GoDaddy and AT&T two of the ISPs we'd love to say goodbye to. AT&T (formerly SBC) is fine for DSL and connectivity, but hosting, ick.
Whether or not the experiment took place, I can't say, but I'd agree with the results even if they were just a random estimate. There are a number of small ISPs who perform a slew of tasks based on name recognition; or other random things. I can't state the number of times as a consultant, I've called up ISPs simply stating that I'm the new web developer for so and so site; and need access to this, that, and that; and have it happen without any secondary verification to the company that I did have privileges.
Inoffensive? Beware. I once included a political joke in a post. It would get a downmod, then an upmod, then a downmod, then an upmod...
Every time the anti-bushies raised my score, that allowed the pro-bushies to expend more negative mod points to try to knock my post down. All in all, I got like 27 positive mods and 25 negative mods. And for getting 25 negative mods, I got my posting privileges suspended for almost a month.
Now, if none of the anti-Bush crowd had modded me up, the pro-Bushies could have given me a max of 3-6 negative mod points. But because of all the upmods, it allowed for dozens of downmods, triggering an automatic suspension.
Thing is, it's not just your opponents trying to shout you down that causes you trouble. It's all the people trying to cancel them out that creates the opportunity for you to get so many downmods on a single post that you get suspended.
- Greg
Start a happiness pandemic
Actually, the author never said that all mothers are inept technologically, just that HIS mother was.
While discrimination may be wrong, being overly sensitive to remarks that are true just raises the amount of discrimination and prejudice in the air. I don't know anyone that thinks women should be second class citizens, but I also know very few people who don't hate feminists.
The people who picket funerals are the "Westboro Baptist Church", headed by Fred Phelps. He is beyond the pale, and should no more be associated with the American religious right in general than Stalin should be associated with socialist politics. ...
Yes, Falwell said some stupid things--things that frustrated, embarrassed, and angered me as a theologically-conservative Christian. But please, do not associate Phelps' actions with anyone other than Fred Phelps.
Can I associate Phelps's actions with, I dunno, Satan? I think that's reasonable. At least to Phelps.
He's referring to his own mother. Many of us support parents who are not very technically capable. Neither my mom nor my dad is technically knowledgeable, and my wife's parents are even worse, needing technical support using things like remote controls, answering machines, or DVD players.
I am sorry if it seems offensive. I know many parents and women are quite capable but I also realize that my parents are not.
Coding Blog
You could start by learning the difference between an ISP and a hosting company.
Wow, isn't that an exploit of the moderation system? That's pretty awful.
Did you bring it up with the admins? "Hey, some jackasses gamed a single post of mine to get me banned."
Then again, this is the slashdot moderation system we're talking about here.
I was rewriting the website for a local police department and needed to get the login information so I could upload my changes. They had long since forgotten the login name and password, so I called the hosting company (I can't remember which one it was) and basically said "Hi, my name is Chris and I am working for the X Police Department. I was wondering if you had the login information because we seem to have misplaced it." The guy on the other line made a few keystrokes and asked if I had a pen. He never checked my identity and I was calling from my cell phone, so he could not have checked the caller ID to see that I was calling from within the department. After trying, unsuccessfully, to login, I called back and asked to double check the username/password and run me through the login procedure. This guy (different from the first) gave me the login info again and gave me step by step directions on how to login. Something is not right with this picture. An individual's website is bad enough, but this is the site for a police department. Imagine if I was malicious. I would be able to do whatever I wanted and may have ruined the reputation of the department.
I run a business that includes hosting for the custom applications that we build. Your test -- and your conclusions -- are not fair. First off, you didn't get them to do anything wrong because it really was you. Perhaps they were psychic, or investigated really well. But that's not my point. It's just fun to say.
Really, as with any customer service issue, we play between security and service. I regularly receive calls that ask me to reconfigure e-mail addresses, or change passcodes. I'm always presented with the same choice.
1) Tell Joe, the head of the water-cooler department, that I've never heard of him; that he needs to find one of the three people that I do know, and have them ask me to do it in an official e-mail.
-or-
2) Be nice to Joe, do what he says (maybe make some backups just in case), and not bother my regular contacts.
Granted, of course, the latter is a HUGE security problem. But it's a good bet that my contacts were busy, and just said something like -- just go and call him. After all, they did get my telephone number and name from somewhere. Malicious intent isn't the most likely option here.
More than that. The more people in the company that contact me, the more things get done, and the better my contacts feel about their application and our service.
So generally, I'll listen to Joe, do what he says, and inform one of my contacts the next time we speak -- usually within a week. That's as much to tell them that it's done than anything else.
I can recover from a malicious attack -- bad as it would be. I can't recover from a customer who thinks that our service is poor. No matter what the reason.
Do not keep all of your eggs in one basket. It's just a very bad idea. Discount hosts have a major tendency to quickly go downhill in terms of service and support. Host 10 domains on the same discount webhost for more than a year or two and suddenly you've got 10 clients screaming at you that their site is down or their email isn't working. Most of these discount hosting companies have very similar features and costs. It really doesn't cost you any more to host 10 domains on 10 different webhosts, as long as they provide the same uptime and service. In fact it saves you problems in the future. Eventually there will be downtime or a webhost will go bad. Instead of having all 10 of your sites experience downtime and needing to move them all at once, you'll only have to worry about one site. My problem is that I've only found two good discount hosts (and one of them is starting to go bad, I think). I'm just glad most of my clients have grown and need their own servers. Otherwise I'd be very nervous.
He was taking the piss out of racism, you idiot.
You forget the Caucasians who can only use the computers to whine on the internet about all the others stealing their jobs because all they do all day is whine on the internet about all the others (repeat ad infinitum).
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
Until Rvd. Falwell starts killing people en masse, he (or anyone else, for that matter) does not deserve to be mentioned in the same breath as Hitler as an example of what not to do.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
If someone actually sends a fax with a company's letterhead (I assume a regular fax number is used), that person can be easily tracked back and faces a trial for fraud. Unless you store some exceedingly valuable information, most con artists probably wouldn't consider this worth the risk. Also assume that if that fraudulent act does cause a lot of damage, significant resources would be committed to tracking the perpetrator.
In the case of email you'd have to be quite slick, since you'd have to send it from an untraceable IP address, which is more difficult than it may sound. Again, it depends on what's at stake if the account gets hacked.
Faking the return address of a postal letter may already be illegal. Writing a fraudulent one that can not be traced back to you may be quite difficult. Just think of DNA analysis, character set analysis (may reveal the printer you used) and all the other methods investigators won't tell you about.
To make a long story short: The only reason you get away with those social engineering tricks is because you don't cause any damage (you're hacking your own accounts). If you pulled the same scam in order to get access you're not entitled to, you'd probably be in jail by now.
To make a short story even shorter: Your investigations may not reveal what you are trying to reveal.
A possible solution would be a moderation cap (a post cannot be moderated more than x times) but I honestly don't know if Slashcode keeps track of a mod count per post, or if it can handle that additional int in the post table schema and still scale. Actually, I'm still wondering how it does scale at all :)
Karma cannot be described by words alone.
Frankly, "my mom" was probably said because, statistically, there is a 100% chance that a slashdotter's mom will be less proficient in hacking sites than the slashdotter in question. Just my two cents.
Karma cannot be described by words alone.
Well, what if it said: "So easy a therapist could hack it"?
Please, for the good of Humanity, vote Obama.
It's just natural that customers have different providers, you try out some, you have old sites running somewhere but use a different provider for a new project. You have to actually put effort in it to keep things to a single provider.
However, perhaps the grandparent of this post should take pride in women's natural ability in social engineering.
I think most men can relate to the truthiness of this. Having spent several hours performing tasks for women for the hope of some reward... maybe next time...
Blarney Quality Restaurant, Plants
I would call a malicious attack very poor service.
>I agree with you, but wasn't it Jerry Falwell that picketed Matthew Shepherd's funeral?
Fred Phelps. Extremely loony, no comparison to Falwell.
-fb Everything not expressly forbidden is now mandatory.
What so you can wear the cost and disruption of moving to another provider that he didn't test and will probably do the same thing anyway?
Wouldn't he be better off just posting a list of providers that didn't fall for it?
Then again, either list might not be entirely useful. From just one test per provider, how do you know how common either successes or failures are for them?
He said his mom, not A mom.
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
How, exactly, is the user supposed to get the email, when they can't log on to the network? If you're going to do password resets in such a fashion that the helpdesk cannot know the password, you need to have a suitable "out-of-band" delivery mechanism for the password. SMS to a mobile is out for security reasons, paper would require someone deliver it (no good for remote locations, doesn't scale, too slow etc etc etc).
Perhaps the answer is a common logon that is restricted to running only a password reset program, or a password reset integrated into the logon screen of whatever system floats your boat (I've seen them on NetWare, Windows ... *nix can't be that hard to add if it isn't already there ...). The only problem is that many environments actually have data showing an increase in password calls to the helpdesk _after_ the implementation of user-initiated password resets. Apparently over half the calls are "I can't remember the answer to my sooper-sekret question".
A hint for these systems; someone wiser than I once wrote "If you do enter information into a password reset system, don't answer the questions with real answers. Choose a nonsense answer and use it as the answer for every question:"
What is your favourite colour? --> Quack Quack
What was your first phone number? --> Quack Quack
What is your mother's maiden name? --> Quack Quack
That's ok. UR MOM was so easy she let me hack her. Although penetration testing got a bit hairy in places.
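The reset design argued for in the helpdesk post above (the helpdesk never learns the password; the user sets it themselves via a short-lived, single-use credential delivered out of band) can be sketched in code. This is an added illustration, not anything from the thread or from Slashcode; the 15-minute lifetime, 5-attempt limit, and in-memory store are assumptions, and the out-of-band delivery channel is outside the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset credential lives 15 minutes
MAX_REDEEM_ATTEMPTS = 5       # assumed policy: discard the credential after 5 bad tries
PBKDF2_ROUNDS = 200_000


class ResetService:
    """Hypothetical self-service reset store (constructed for this example)."""

    def __init__(self):
        self.pending = {}    # username -> {"token_hash", "expires", "attempts"}
        self.passwords = {}  # username -> (salt, pbkdf2 digest)

    def issue_reset(self, username, now=None):
        """Helpdesk action: mint a one-time token for the user.

        Only a hash is stored, so a leaked table does not yield usable tokens.
        The returned plaintext goes to the user over the out-of-band channel.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[username] = {
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": now + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def redeem_reset(self, username, token, new_password, now=None):
        """User action: present the token and choose a password nobody else sees."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        if now > entry["expires"] or entry["attempts"] >= MAX_REDEEM_ATTEMPTS:
            del self.pending[username]          # expired or brute-forced: burn it
            return False
        entry["attempts"] += 1
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, entry["token_hash"]):
            return False                        # constant-time mismatch
        del self.pending[username]              # single use: never redeemable again
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self.passwords[username] = (salt, digest)
        return True

    def verify_password(self, username, password):
        """Normal login check against the salted PBKDF2 digest."""
        rec = self.passwords.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)
```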
Hey, I lost moderation years ago due to modding up a post critical of /. policies. /. one of the only sites I advocate adblockers on.
They can do whatever the heck they want on their site.
But then, makes me feel not-at-all guilty to make
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
it said "even your mom could hack", not grandmom! ;-)
is simple. My hosting service charges extra for "domain locking", which puts procedures in place to make it hard for your domain to be hijacked. If they actually did a decent job at handling their accounts they 1) wouldn't have anyone pay this fee and 2) would probably cost more than they do. Personally, I have a small domain that I'm pretty sure I'm the only one who visits, so I don't really see why anyone would hijack it, and I'm cheap, so there!
My software never has bugs.
It just develops random features.
Mr. Falwell blamed 9/11 on gays. The man was nuts.
At least Hitler had the redeeming quality of being an Artist.
Not a Twitter sockpuppet... but I wish I was.
You know, I always thought it was a stereotype that Germans lacked a sense of humor.. It appears as though there's one case where being racist is alright.
Not a Twitter sockpuppet... but I wish I was.
http://slashdot.org/comments.pl?sid=26315&cid=2850660
My sig can beat up your sig.
And some redneck cracker is using his computer monitors to prop up the axles on one of the dead cars sitting in his lawn. Better?
FWIW, I use a variety of different hosting companies. It wouldn't be that unusual.
'Thats they exact same thing a banana wrench monkey.'
So easy, even Hitler could do it
I lost my phone out in the middle of the wilderness about a week ago. I went into the Cingular store to get a new SIM card so I could use my account with a different phone. They asked my phone number, deactivated my old SIM (the one in my missing phone), and gave me a new one.
But they never checked my ID!!! Anyone could have walked in, given my phone number, and had my account shut off. They also would have been handed a SIM card so they could text all my friends pretending to be me and start all kinds of trouble.
Unbelievable!
1) He said "my mom". I bet she does not even know what C is.
2) I could easily substitute my father. In fact, if you look at my previous comments, I have used the fact that my father can use Linux as evidence that it is ready for naive users.
I say even a British judge could hack these sites. Just after he first learns what a web site is, that is! http://yro.slashdot.org/yro/07/05/16/2248209.shtml
"nil mortifii sine lucbe"
In another place and another time... I'm sure he would have put all the gays, lesbians, ragheads and pinko liberal commies to death. Thankfully this asshole landed in the USA where he's free to shout his message of prejudice and hate from the rooftops but not act on it. At least not openly.
As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose.
You got your copy of MadSkillz Census for 2007 already? I'm still waiting for mine.
"I'm not good. I'm not nice. I'm just right."
While I agree that it might be better to write these things as "even a person with X level of skill could", it might 1/ be a good example to use his mother, because the reality of the genders is that fewer women, especially of our mothers' generation (assuming mother to be older than us!), have computer skills, and 2/ referring specifically to his mother, he might be completely right. She in particular could manage this where she could write her own actual web site.
Indeed, it will be a significant day when statistically using your mother as a good example in this sort of scenario doesn't work (one I look forward to but unfortunately will probably be dead before). It will mean that they no longer are statistically less likely to have lower technical skills in this sector.
Sometimes the facts are the facts and evidence of existing imbalance.
1) Al Gore wasn't even mentioned in that post.
2) You misspelled "Barack".
3) Barack Obama's father is in fact an African Muslim but his mother is Christian and he was raised by his mother. By some strange coincidence, he happens to be Christian.
4) Calling him a "nigger" doesn't exactly help your argument.
5) Please leave the United States and go back to Hell where you racists belong.
Please, for the good of Humanity, vote Obama.
This happened to me once, and after some exchanges with Rob Malda (a.k.a. CmdrTaco) I quickly came to realize he was a child with no business sense. I wish I had his E-Mail kicking around, but suffice it to say that he had no interest in discovering that this flaw existed and that it was about the most unprofessional E-Mail I ever received in my life.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun