How Private Are Sites' Membership Lists?
Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site is something that the site designer should take into account. I'm not even saying that it should necessarily be considered a security hole in most cases, just that site designers should decide whether or not they want to permit it -- it should not be something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more bang for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fails, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account and didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
Netflix, eBay and PayPal also responded to say that they had monitors in place to detect "suspicious" activity, saying that even in cases where the forms did not require a Turing test, they could dynamically detect if someone were using a script to submit the form over and over to harvest data, but they declined to go into more detail. It seems to me this could work for forms that require you to be logged-in, but not for forms that don't. For example, on the Netflix new user page, how would they detect if it's the same person submitting e-mail addresses over and over again? Not by IP address -- you can use Tor and farms of open proxies scattered across the Internet to make it appear as if you're coming from lots of different IP addresses. However, consider the PayPal add-a-new-email-address form. This form does not require a Turing test, and does give you an error message if you try to add an address associated with another account. At first I thought this might be a loophole that an attacker could use to find all the PayPal users in a long list of addresses, but PayPal told me that if you do this enough times under the same account, eventually you will hit a limit where the form starts requiring a Turing test. I never got high enough to hit that limit. However, in this case the "dynamic detection" could actually work -- because you can only perform this action while logged in, and after you hit the limit, to continue testing more addresses would require another PayPal account -- and creating additional throwaway PayPal accounts does require a Turing test for each one. So I'll take their word for it that that attack is blocked, although, it seems to me it would be easier just to require a Turing test on the add-a-new-address page.
On the other hand, perhaps in the case of a site like Netflix, it's not something that users really need to worry about, if the company has no problem with it. Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox. Now, a spammer can take a list of addresses and run them through the form to find out who is a Netflix customer, and then spam those users trying to lure them to a competing service -- but that's Netflix's problem, not ours, isn't it? (Well, it's our problem that we get the spam. But without using this attack, the alternative was that the spammer was just going to spam everybody on their list anyway, so by that argument, this attack actually results in less spam all around!)
Except... perhaps an attacker could try the third type of attack, a phishing attack to get people's Netflix usernames and passwords, but not in order to compromise their Netflix account, rather to see if the person has an account with the same password at eBay or PayPal. Perhaps a user would be wary of a PayPal phish since they see so many of them, but they might fall for a Netflix one -- although then the attacker's success would be limited to people who had Netflix and PayPal accounts, and were using the same password for them both...
So it seems to me it's not obvious when this should be considered a problem. (All of the sites mentioned in this article were e-mailed about this issue months ago, and so far none of them considered it a serious enough threat to block all three of the avenues of attack listed above.) If abuse of this type becomes common, perhaps eventually these "queryable membership lists" will come to be considered in the same way as open mail relays -- which were never considered a glaring security hole, but were abused in ways that triggered a shift in people's thinking that got them to be gradually phased out, going from open relays being the default standard up to the early 90's, to the point where many ISPs today prohibit customers from running them. Maybe "queryable membership lists" will start to be abused more, if anti-spam technologies get smart enough that spammers can't send 1 million messages at a time any more and have to limit themselves to, say, 100,000 messages at a time to get through people's filters, so they have to pick which 100,000 of their addresses they could get the most value out of. Or maybe things will go in a completely different direction and this will never become a problem. I just think that, for now, we should be aware that some form of this trick works on the majority of sites that require an account, and the types of abuses described are at least possible.
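The two countermeasures described in the article above, combined in one sketch: a failed Turing test reveals nothing, and a passed one always shows the same browser message while the real outcome goes to the mailbox. This is an added example, not code from the article or from any of the sites named; the handler names, message texts, and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data for this example (assumption, not from the article).
REGISTERED = {"member@example.com"}
MEMBER, STRANGER = "member@example.com", "stranger@example.com"


@dataclass
class Outbox:
    """Stand-in for the site's mail sender; records (recipient, body)."""
    sent: list = field(default_factory=list)

    def send(self, to, body):
        self.sent.append((to, body))


# --- Leaky handlers: the browser response depends on membership ---------

def signup_leaky(email, outbox, captcha_ok=True):
    # No challenge is enforced and the error is shown in the browser.
    if email in REGISTERED:
        return "That address is already associated with an account."
    outbox.send(email, "Confirm your new account.")
    return "Check your inbox to confirm your account."


def reset_leaky(email, outbox, captcha_ok=True):
    if email not in REGISTERED:
        return "That address is not associated with an account."
    outbox.send(email, "Use this link to reset your password.")
    return "Check your inbox for reset instructions."


# --- Hardened handlers ---------------------------------------------------

CHALLENGE_FAILED = "Challenge not completed. Please try again."
CHECK_INBOX = "Check your inbox to continue."


def signup_hardened(email, outbox, captcha_ok):
    if not captcha_ok:
        # Countermeasure 1: a failed challenge says nothing about the address.
        return CHALLENGE_FAILED
    if email in REGISTERED:
        # Countermeasure 2: the "already registered" notice goes to the
        # mailbox owner, not to whoever submitted the form.
        outbox.send(email, "A signup was attempted, but this address "
                           "already has an account.")
    else:
        outbox.send(email, "Confirm your new account.")
    return CHECK_INBOX


def reset_hardened(email, outbox, captcha_ok):
    if not captcha_ok:
        return CHALLENGE_FAILED
    if email in REGISTERED:
        outbox.send(email, "Use this link to reset your password.")
    else:
        outbox.send(email, "A password reset was requested, but no "
                           "account uses this address.")
    return CHECK_INBOX


def leaks_membership(handler, captcha_ok=True):
    """True if the browser-visible response differs for a member and a
    non-member, i.e. the form answers the yes/no membership question."""
    member_view = handler(MEMBER, Outbox(), captcha_ok)
    stranger_view = handler(STRANGER, Outbox(), captcha_ok)
    return member_view != stranger_view


if __name__ == "__main__":
    for h in (signup_leaky, reset_leaky, signup_hardened, reset_hardened):
        print(f"{h.__name__:16} leaks membership: {leaks_membership(h)}")
```

In a deployed handler the mail should be queued rather than sent inline, so that response time does not differ between the two branches either.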
Not in their best interests, but they ARE capitalists.
If you are doing something you don't want to get caught for, use a throwaway email address. If you trust a web site to keep your information private, you need a reality check. You can fight the windmills all you want, but they will keep spinning away and ignore you.
Problem solved.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Sounds like Bennett's wife discovered his match.com account.
-- www.globaltics.net
Political discussion for a new world
Fuck.
If most spouses were savvy enough to call up sites and ask for information on their significant other, they probably would have caught them previously in some way, shape or form.
Chat logs, history and everything else, show quite a bit of information for any computer-literate person to evaluate.
Not only that, but I'm sure that anyone smart enough to hide everything and cover their trail, wouldn't leave personal information for their spouse to find.
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
Personally, I've been using Slashdot to meet my dating needs. Needless to say I have been less than impressed.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
what if they met on match.com. but then she figured out he had two match.com accounts, like a secret one. then he would be cheating on her.
If people valued their privacy, it would be in a company's best interest to protect their customers' privacy. If a company didn't, people wouldn't use them.
I wonder if I use bold in my signature, people will notice my posts.
...that if you are that paranoid, you should just use a different email address than the one known to your girlfriend. I just don't see this as a problem.
Thought it mattered?!? I don't want people being able to find out that I'm a nerd!
Harold, I know... you've been on that Slashdot site again haven't you? Haven't you? Admit it!!!! You're fooling around with Ubuntu... behind my back!!!
GetOuttaMySpace - The Anti-Social Network
Think about the purpose of that site for a second: the whole idea of match.com is you post a picture and a profile so you can meet new people. You're already spilling a ton of personally-identifiable information about yourself, and presumably someone is going to be able to search for you - so why get pissy about someone being able to determine that your e-mail address is registered there?
And while I'm thinking about it, if you're using match.com while you're already in a relationship with somebody then maybe you need to have a talk with that person and let them know things aren't working out.
Amazing how much stuff you can get done by asking. A friend recently bought a new house. To shut off the power to his old house he simply called the power company and gave them his name and old address. No more power to that house. Of course names and addresses are usually a click away but I bet you already know the name of your neighbor who blasts music all night....
So many sites out there tell you if you have got your email address or password wrong when you log in, when what it should do is tell you that your email OR password is incorrect. By entering someone else's email address (if used for login) into one of these sites, you can tell if they have registered or not.
But if you're NOT "open", then think about your other half/significant other/whatever. If you're mutually apart for a period of time (a day, a week, whatever) then you've got a limited window. If you violate your other half, then you should have IN ADVANCE considered and expected to accept the consequences.
If Joe Blow gets caught, tough. If his girlfriend KNEW he was logging in to such sites, then she could live with it or walk away on her own. IF she finds out by other means, whatever they may be aside from personally breaking into his computer/s, then tough for him. Maybe people should mutually declare or assign a "sanctity rating" to their relationships so they can responsibly handle each others' emotions so no one is crushed when an occasional fling occurs.
Oh well, so many people are feeble-minded. And, DAMNED RUDE with others' feelings
Captcha: "odorous"
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
...should be considered public information. The street address comparison seems analogous here in many ways - just like anyone can see your address from the street, any time you use an e-mail address as a UID, it should be assumed that it's public. In other words, there should be no expectation on the part of someone sharing their address that it'll be kept secret.
I'm not saying this is a good thing (I think that, in general, sites that collect private information have at least an implicit responsibility to keep it private), but the bigger issue is that the average internet user needs to be aware of these really basic facts. Just like he/she needs to be skeptical enough not to click through to phishing attacks.
Until the state of awareness on these issues increases, there will always be opportunities for these sorts of marginal attacks on people's privacy.
20+ y.o. male geek, likes long walks on the beach, dark rooms, WoW, and Ubuntu, seeking female with similar interest to keep me company in my parents basement while I hack -- prefer a virgin.
GetOuttaMySpace - The Anti-Social Network
I don't know, but I'll be sure to let everyone know when I finish page 467 of the book you just wrote.
For he today that sheds his blood with me shall be my brother.
Many (most) email systems now will allow suffixed addresses, typically using "+" as the separator. Chances are that most of the services that use email address as a username or have the features that allow a third party to detect whether a particular email address is registered will treat "foo@domain.example" as entirely distinct from "foo+bar@domain.example". So most people have easy access to throw away addresses. Unfortunately this doesn't fully solve the problem. Sites use email addresses as identifiers exactly because people remember their own. Using unique addresses for each service defeats that purpose.
The real solution to the real problem is for people to use proper username and password management tools. With such tools users don't have to remember their usernames and passwords, so schemes that try to verify whether a username is registered on a system won't identify to the world the person behind that username the way an email address might.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
I find there's too many women on this site. I'm going to check out digg.
Jonathanjk.com
For squirting spoilers into the text of his post. Jackass.
!#@%*)anks for hanging up the phone, dear.
The couple that porns together, stays together.
Are you...Are you some kind of genius?
No, ma'am, I'm just a regular Slashdot reader.
Is that village isolated from the outside world though?
There may be no crime perpetuated by the villagers themselves but what of visitors?
"There is much pleasure to be gained from useless knowledge." - Bertrand Russell.
You're a dolt. Adultery is NOT illegal in almost every county in the US. That, along with many other blue laws have been tossed out years ago. What contract did you sign when you got married? Most people only get a piece of paper stating that they are married.. there are no terms on it.
Wow I'd fit your needs perfectly. Too bad I'm gay and looking for the same girl. ;)
696e6b6564
Match.com and Yahoo's personals were both caught and fined for creating fake identities...
would you trust match.com and yahoo? not me...
Politics is Treachery, Religion is Brainwashing
Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox.
So here you are, making a big fuss about some perceived privacy problem. Yet apparently privacy mainly means being able to hide the thing you are ashamed of. If that is all you are concerned with, your privacy is not the problem.
While I wouldn't say that this guy had as yet done anything illegal (maybe slimy), you're right about privately owned web sites not having to respect one's right to privacy. Especially because in the USofA, there is no right to privacy. We have that expectation, but there is no constitutional right to it. This was hardly an issue when the constitution was written, but I think the time has come to address that.
This space intentionally left blank.
I believe a person's right to privacy ends when they're breaking the law -- adultery is still illegal last I checked
Maybe in some states, but last I checked it's not illegal in most states.
at least insofar as it's a violation of a marriage contract --
I don't know much about marriage law. But I've never heard of anyone being charged with a crime, at least in the last 30 odd years for committing adultery. I was under the impression most states had "no fault divorce laws" on the books many years ago.
or when their actions are causing harm to an innocent third party.
Wow, if "causing harm to an innocent third party" (assuming non-physical) is illegal, then can I put Rush Limbaugh in jail because he pisses me off?
AccountKiller
You want to be able to go get all the services you want while maintaining total privacy, huh? Well, if you want privacy, I have a 100% guaranteed-to-work solution for you. Don't give your email address out. Don't sign up for stuff on the web. If you're going to go in 'public', you're going to lose 'privacy', see, because they're opposites. That's how it works. You can go as emo about it as you want. It won't change the fact that in public, there is no expectation of privacy. (excepting that of your person, but that's not applicable online because you don't have an online 'body')
http://xkcd.com/386/
If you find her, for pity's sake take pictures!
a. deserve to be caught
or
b. should not be fooling around
Not exactly the same thing, but I know a few married, computer-illiterate people who correspond daily with their fling using email. They think it is safe just because their local computer account is password protected. At the same time, their email program (OL, TB) is set to remember the password, and don't mind walking hand and hand with their fling down Broadway.
Okcupid is free and has some geek cred, it uses a least squares regression to match people.
And why would you use your regular email address? There is no anonymity on the Internet.
Deleted
Especially because in the USofA, there is no right to privacy. We have that expectation, but there is no constitutional right to it.
Actually, that falls under Amendment 9. The government doesn't explicitly get to regulate it, therefore it belongs to the people.
!#@%*)anks for hanging up the phone, dear.
That is odd. I never signed a contract when I got married. If I was still married would I be arrested for not signing the "marriage contract"?
Just because something is illegal does not mean it is wrong. Just because it is wrong does not make it illegal. For example, it is illegal in the USA state of Georgia to have oral sex with your wife. At least it was in 1989 when James David Moseley went to prison for 17 months for going down on his wife. It was consensual. http://www.ling.upenn.edu/~kurisuto/sodomy.html
I have an open relationship. Each of us get to play with most anyone we want to. There are a few rules, but not many. In my world there isn't a lot of difference between "lying" and "cheating" in a relationship. They are both a violation of trust.
I don't have a lot of sympathy for a guy that is on match.com trying to "find someone on the side", but only because he is trying to hide it. To me that is also a violation of trust.
I really shouldn't have used someone else's email address for this account.
As far as a relationship goes, I would say that if the parties are fishing around for each others' correspondence and Internet accounts, the relationship already has some pretty serious problems with trust.
It's simple really. Maintain 3 email addresses.
The first is your personal email address you give to friends and people who you actually want to communicate with.
The second is your 'account' address you give to companies, organisations, websites that you either have a financial arrangement with or some other connection that you actually care about.
The third is your 'trash & spam' address you give to websites/organisations that demand it, but you don't care about and never read.
I do this, and no person or organisation knows of the other. Not because it's a massive secret, but simply because they've no need to know. So in the scenario given here; my signup at Match would either be on my 'account' or 'trash & spam' email address and my girlfriend would only know my personal address.
Anyways, if I was the lying, cheating type, all I'd need to do would be tell the girlfriend that it was an ancient account I signed up to years ago and never use now.
Depends. If you're Jewish, then you *did* sign a contract. Your Ketubah is a contract. Because a Jewish marriage is a contract, that's why you can't get married on Shabbat.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
I wouldn't want a girlfriend that would not trust me enough to ask me directly if I'm a match.com member. I would, of course, answer honestly.
If a girlfriend treats you with that much mistrust, you probably don't have a happy future together.
To
News flash! Any females that meet that criteria ARE virgins.
As for me, give me a dirty girl every day of the week over a virgin, them dirty girls know how to work it!
This package Does Not Contain a Winner
"Suppose your girlfriend"....you can stop right there, buddy, this is slashdot!
Wow, if "causing harm to an innocent third party" (assuming non-physical) is illegal, then can I put Rush Limbaugh in jail because he pisses me off?
No, you have to get him for abusing prescription drug medications.
I didn't mean to imply that causing harm to an innocent third party is illegal, but it is clearly wrong, at least IMO.
!#@%*)anks for hanging up the phone, dear.
I use an even simpler solution to the problem than any Mr. Hasselton suggests. Each site I sign up with where I care about this gets a unique e-mail address dedicated to them, one that isn't my regular e-mail address. I don't bother telling anyone else what these site-specific addresses are because nobody but that site should be sending mail to them anyway. Anyone checking my regular e-mail addresses would get back "not a member", since that address isn't a member. They can try and guess what different address I used, but that's only likely to work for sites like eBay where having an account isn't particularly embarrassing. For someplace like Match.com I'd be using something plausible but arbitrary like "tk487c5", and that's going to be all but impossible to guess if you don't know what it is already.
-William Brendel
I believe a person's right to privacy ends when they're breaking the law -- adultery is still illegal last I checked, at least insofar as it's a violation of a marriage contract -- or when their actions are causing harm to an innocent third party.
From the statement, I guessed that you were female. Most females I know seem to think that adultery is illegal or if it is not, that it should be.
Sorry Jennifer, it is not illegal. I thought pagans enjoyed a variety of non-standard living arrangements... Polygamy, etc.
The problem is that there is little to no privacy and few really understand that.
It is necessary to have a girlfriend (whatever that is) for this to be a problem, so I guess we are all safe...
His argument that the requests would only be suspicious if the attacker is logged in misses some of the point. Let's say that Match.com usually gets 10 password requests per second, now they're suddenly getting an average of 15. That's a significant increase, so then they'll do some data mining or start requiring a Turing test. Also, his argument depends on not having to reuse any IP addresses, since the same IP address checking 3 email addresses that correspond to 3 unrelated accounts would be suspicious. I'm not saying that it's not harder to spot the attack when someone isn't logged in, but I am saying it's not impossible.
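The two signals this comment proposes (one source checking several unrelated addresses, and a jump in the overall request rate) can be computed from form-submission logs. The following is an added example, not part of the comment or of any site's actual monitoring; the log format, thresholds, and sample lines are constructed, and the rate check uses per-minute buckets rather than the per-second figures quoted above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not real traffic): time, source IP, form, address.
# IPs are from the reserved documentation ranges.
SAMPLE_LOG = """\
2024-01-01T12:00:00 192.0.2.10 reset alice@example.com
2024-01-01T12:00:05 198.51.100.7 reset bob@example.com
2024-01-01T12:00:09 192.0.2.10 reset carol@example.org
2024-01-01T12:00:15 192.0.2.10 reset dave@example.net
2024-01-01T12:00:40 198.51.100.7 reset bob@example.com
2024-01-01T12:20:00 203.0.113.5 reset erin@example.com
2024-01-01T12:20:30 203.0.113.5 reset frank@example.com
"""


def parse_log(text):
    """Return time-sorted (when, ip, form, email) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        when, ip, form, email = parts
        events.append((datetime.fromisoformat(when), ip, form, email.lower()))
    return sorted(events)


def sources_probing_many_addresses(events, min_distinct=3,
                                   window=timedelta(minutes=10)):
    """Source IPs that submitted the form for at least `min_distinct`
    different addresses inside one sliding time window. A user retrying
    their own address repeatedly is not flagged."""
    recent = defaultdict(deque)   # ip -> deque of (when, email) in window
    flagged = set()
    for when, ip, _form, email in events:
        q = recent[ip]
        q.append((when, email))
        while when - q[0][0] > window:
            q.popleft()           # drop submissions older than the window
        if len({e for _, e in q}) >= min_distinct:
            flagged.add(ip)
    return flagged


def minutes_over_baseline(events, baseline_per_minute, factor=1.5):
    """Minutes in which total submissions exceeded baseline * factor.
    This signal does not depend on the source IP, so it still fires when
    requests are spread across many addresses."""
    counts = defaultdict(int)
    for when, *_ in events:
        counts[when.replace(second=0, microsecond=0)] += 1
    limit = baseline_per_minute * factor
    return sorted(m for m, n in counts.items() if n > limit)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-source:", sources_probing_many_addresses(ev))
    print("rate spike:", minutes_over_baseline(ev, baseline_per_minute=2))
```

Either signal can be wired to the response the article describes for PayPal: once it fires, the form starts requiring a Turing test.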
I have an open relationship. Each of us get to play with most anyone we want to. There are a few rules, but not many. In my world there isn't a lot of difference between "lying" and "cheating" in a relationship. They are both a violation of trust.
I agree. Polyamory introduces a third dimension of complication, but the basics -- trust and communication -- are equally essential for any poly relationship as for any monogamous relationship. Maybe more so, because there's a lot of communication required from the very beginning insofar as explaining what polyamory is (at least to non-poly folks), what it means in the context of a relationship, what the ground rules are for relationships, etc.
On the other hand, I think poly folks have a leg up on most monogamous folks because they know they can't take any of this stuff for granted. Whenever people don't communicate (because of assumptions), they leave themselves open to being hurt.
!#@%*)anks for hanging up the phone, dear.
I am not a lawyer, and I have not researched the laws of all 50 states. I do know that in my county an individual was recently sued for "Alienation of Affections." The defendant lost the case. I can't remember if the defendant had to pay damages or, if so, what the damages were. I am not aware of a criminal penalty for adultery where I live, but it seems there is a civil liability for the person who instigates the breakup of a marriage.
One of the examples in the essay is that a girlfriend wants to know if her boyfriend is cheating on her... but by checking if he has an account?
Give me a break... First of all, what if he created the account several years ago and hasn't visited in that long? If the said girlfriend sees only that he has an account and automatically jumps to "He's cheating on me, the louse!" then I think they have some trust issues that go way deeper than Match.com.
Second of all, it's a social networking / matchmaking site. How difficult would it be to sign up for a freebie account and just search for his damn name? Seems to me like that would be a lot more definitive than checking the magic 8 ball of "Does he have an account?"
From the statement, I guessed that you were female.
Wow. Fifty percent chance of getting it right and you screwed the pooch.
Pagans are generally more open-minded, yes ... but the same rules of communication and trust apply no matter what sort of relationship you're in.
!#@%*)anks for hanging up the phone, dear.
"I like the idea of a Panopticon style world actually, with no privacy at all."
Are you serious? First sentence in the article: "The Panopticon is a type of prison building . . . " Which is exactly what a world without privacy would be.
"May your chains set lightly upon you, and may posterity forget that ye were our country[man]."
Samuel Adams
I can't speak for Jewish people, I don't know any anymore.
Even if it's a legally binding contract it still doesn't support the OP's sweeping generalization. The fact is in the US, most marriages are not covered by any form of contract and adultery is not illegal in most places.
I have a match.com account from more than 10 years ago when I was single, back when they offered free service. That email address (which is no longer valid) is still "claimed".
Wish I remembered the password, apparently the free account is still active, and can be sold to slackers on EBay for $$. Since the email is no longer valid (the domain name is long gone) I can't reset the password.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
This is a big problem with data protection laws in the US. There's lots of complaints about this sort of thing from the EU, and some slow moves to sort it out.
But until you get decent DP laws there's little you can do...
Try reading TFA. He not only covers this attack - he discusses its drawbacks.
Rob, I think it's time to fix that membership problem...
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
1) Do as the poster suggests, and harvest a list of valid email addresses
2) Attempt to log on as those users (either by guessing that their username is probably the same as the username in their email address).
3) Repeat step 2 until the user account hits the "too many invalid login attempts" threshold, and gets locked out.
4) Repeat step 2 for every email address you have.
Voila. Service = denied. That user now has to go through the "reactivate my account" procedure, which probably involves several minutes of effort and possibly a Security Question that they might not remember. And if the script kiddie is doing his "job" right, that person will be locked out again by the next time they try to log in.
This can get annoying very quickly, especially on a time-sensitive site like eBay (where you are trying to win an auction), or even a stock-trading site.
UTF-8: There and Back Again
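One mitigation for the lockout loop described in the comment above, as an added example that is not part of the original thread: delay retries per (account, source) pair instead of locking the account for everyone. The class name, parameters and sample addresses are constructed for illustration.

```python
import time

class FailureThrottle:
    """Slow down repeated failures per (account, source) pair.

    Unlike a hard lockout, failures from one source never block the account
    owner logging in from somewhere else.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures allowed with no delay
        self.base_delay = base_delay        # seconds, doubled per extra failure
        self.max_delay = max_delay          # cap so the delay stays bounded
        self.clock = clock
        self._state = {}                    # (account, source) -> (failures, blocked_until)

    def retry_after(self, account, source):
        """Seconds this source must still wait before trying this account."""
        _, blocked_until = self._state.get((account, source), (0, 0.0))
        return max(0.0, blocked_until - self.clock())

    def record_failure(self, account, source):
        """Count one failed attempt and return the delay it triggers."""
        key = (account, source)
        failures = self._state.get(key, (0, 0.0))[0] + 1
        extra = failures - self.free_attempts
        delay = min(self.max_delay, self.base_delay * 2 ** (extra - 1)) if extra > 0 else 0.0
        self._state[key] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account, source):
        """A successful login clears the counter for that pair only."""
        self._state.pop((account, source), None)


def simulate():
    """Constructed scenario: a script fails 10 times, then the owner logs in."""
    now = [0.0]                                   # fake clock for a repeatable run
    throttle = FailureThrottle(clock=lambda: now[0])
    account = "alice@example.com"                 # constructed sample values
    script, owner = "203.0.113.9", "198.51.100.7"
    for _ in range(10):
        throttle.record_failure(account, script)
    return throttle.retry_after(account, script), throttle.retry_after(account, owner)
```

A login handler would refuse the attempt whenever `retry_after` is non-zero. Keying on the source alone does not slow a guesser spread across many addresses, so a separate site-wide limit is still needed.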
It has long been considered best practice to not identify that a user is valid in case of failure, as this can allow login harvesting. In case of privacy, I wouldn't necessarily disagree.
You can try to fight this boogieman, but when you turn on the lights, he simply doesn't exist. You have woe-is-me arguments, nothing of substance.
I wonder if I use bold in my signature, people will notice my posts.
No offense meant, but I think a monogamous couple with good communication has a leg up on that. :) However, I'll grant you that most couples have lousy communication.
Sorry
"No matter where you go, there you are." -- Buckaroo Banzai
Jewish contract law doesn't provide for signatures, because you can't assume literacy (Jewish contract law goes back at least 1600 years to the codification of the Talmud). The people that are supposed to sign the Ketubah are the witnesses. They witness that the man agreed to the terms of the Ketubah, and it is presented to the wife, whose acceptance (in front of Witnesses) creates the legal contract.
Now, Ashkenazi communities have used the same standard Aramaic Ketubah for centuries, but among some Sephardic communities, the Ketubah is still negotiated.
Jewish marriage is normally codified via contract, but can be established in three ways, sexual intercourse, being secluded with a member of the opposite sex and validly witnessed, or via contract. The former is frowned upon, and somewhat questionable because there are references in Jewish law to having sex outside the confines of marriage (not counting adultery), but since Jewish laws are so strict on sexual behavior without marriage, it was determined that sexual behavior is sufficient to form a marriage.
This may seem archaic, but some parts of the Israeli Rabbinate have made cohabitation be considered a marriage, and require a Get before permitting the woman to enter a marriage. This is extremely problematic for Kohanim, who aren't permitted to marry divorcées.
What contract would this be? You don't sign anything that says you will be sexually faithful to your spouse. In fact, some marriages allow this activity. There is nothing illegal about it. Immoral, sure...but if this were a law, why would Clinton still be running free or without a fine?
Support a great indie game: http://www.abaddon360.com
> Not every fling deserves to be made known - sometimes people keep secrets from their partner because they love them
What a steaming pile! If they loved the person, they wouldn't f`ing cheat on them to begin with!!! WTF is with people trying to justify their disgusting practices with lies like that?
...by sending you a verification email you have to click a link in.
If you're worried that your partner is cheating on you, and you don't know their date of birth, I'd also be questioning your commitment to the relationship.
> Are you serious? First sentence in the article: "The Panopticon is a type of prison
> building . . . " Which is exactly what a world without privacy would be.
The key feature of the Panopticon is that the guards have complete privacy. The prisoners can be observed at any time but can never know who is watching or when. In a world without any privacy you would know who was watching you when and could watch them in turn. Knowledge is not power. Secret knowledge is power.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I didn't mean to imply that causing harm to an innocent third party is illegal, but it is clearly wrong, at least IMO.
I guess my point is that harm is pretty relative. I'd agree that adultery is wrong, but making a blanket statement about harm to "innocent" people goes too far. What's harm, and what's innocent? If I call George Bush the worst president in history, and it hurts his feelings, have I harmed him?
AccountKiller
So you've never heard of swingers, open marriages, polygamy, polyandry, etc? Humans are one of the rarest of animals that does NOT have multiple partners. The only other animal I can think of that mates for life is the Canada Goose. There are theories that to preserve certain bloodlines in the Jewish nation was why Adultery was banned. I don't know if that's true. I try not to judge other people unless I'm sitting on a jury.
I've got to plug SpamGourmet.com. It's perfect for temporary throw-away addresses, like "slashdot.5.myalias@spamgourmet.com" which is my way of saying, "I've given my email address to a site called slashdot. They're only allowed to send mail to this address 5 times. After that, they bounce. The first five that make it through will be forwarded to an email address of my specification."
Of course there's the risk that a spammer would learn about spamgourmet and decide to exploit it by sending 115ASG123.20.myalias@spamgourmet.com, but then they'd need to know my spamgourmet alias.
http://www.spamgourmet.com/.
I only post comments when someone on the internet is wrong.
[CT: We'd fix it if I thought it mattered]
This is a perfect example of the heart of the privacy issue: who gets to decide what is and what is not a matter of privacy, what information is "worth" privacy protection, what circumstances warrant privacy, and what does not.
You can bet that the answer the vast majority of corporate America is going to respond with is "we do".
Please post your full name, so that we all know with whom to avoid entering a relationship.
One method that is incredibly difficult to stop -- at least, sites are unwilling to do so -- is through timing the login page. By timing how long it takes to respond to an invalid login attempt (just use a bogus password), you can figure out if the username/email is valid at that site. Check out the paper on this called Exposing Private Information by Timing Web Applications at http://www.abortz.net/, which recently appeared at the IW3C2 World Wide Web conference this year.
Spammers don't care how many of the people in their spam email lists are actually members of Match.com or wherever. What's the point of checking each of 100,000 emails against Match.com when a spammer can just send the same spam to all 100,000 and automatically get the ones that happen to both be members of Match.com and unlucky enough to be spammed by them?
oh my god that is so scary!
People, by simple human nature, are irrationally judgemental.
Given omniscience, most people will seek to place themselves above the people they observe, on a moral scale and will seek out faults with their behavior.
Given that the total lack of privacy is associated with all sorts of serious psychological and developmental problems, it seems a profoundly bad idea.
Lack of crime is not indicative of a healthy society. It may be one small metric, but personal happiness is better obtained through liberty, freedom and privacy at the expense of safety. I think the ideal is a balance point in the middle.
I think our culture is already swaying too far into the 'nanny state' and the UK has gone even further, to the point that most people fear the police on instinct and mistrust their neighbors in a way that would have seemed absurd 50 years ago.
On the other hand, the utter anonymity of a huge city does cause people to grow antisocial.
So here are the two hands.
1) A totally anonymous person has no reason other than internal fortitude, to have any morals. Having a sense of responsibility for oneself is a stabilizing force.
2) A person totally lacking privacy and anonymity has no individualism, other than that which is granted to him by the watchers, which leads to all sorts of crazy dissociative personality disorders, etc.
Surely there is a balance, right?
Panopticon.... sheesh
Stew
There are 10 kinds of people in the world. Those who understand binary and those who don't.
Heard of them? Hell, most of my friends fall into one of those categories. But like the AC said, the topic is "cheating." If the SO knows of the arrangement and approves, that is not cheating.
My friend worked for an employment verifications company doing exactly this type of check. You could get a simple check for a few dollars, which was a criminal background and credit check. You could get employment or education verification, reference checks, etc. A top-shelf full verification ran hundreds of dollars.
I couldn't believe all the crap they found. People lied about all kinds of things on their applications and resumes. People lied about their criminal history, usually substituting something minor for a felony conviction.
I don't approve of the movement towards an Orwellian character investigation, but can certainly understand how a lot of businesses find it to be comforting. It is a very big market, and one that is growing rapidly. They ran checks for fast food workers to CEOs and everything in between, for a wide range of companies. Their biggest clients were financial and healthcare companies.
Man, you really need that seminar!
Your Dad isn't Patrick McGoohan, is he?
It also would have no real freedom to do things which are legal but enough out of the mainstream to cause significant problems if your neighbors and family know. Depending on where you live, that can be anything from being a member of a fringe political group to sexual preferences.
Holy teal deer!
Could that article have been any longer?
There should be a moderation category "Dumbest Comment EVER"
The first two points of the list are based on a very much flawed assumption by the applications, the problem to get a mail-address. The third is just plain stupid and leaks information.
Why are the first two flawed? They assume, that it is hard to get a second mail-address and therefore allowing only one account to be associated with an email-address somehow makes it harder for people to sign up multiple times. If that is not the reason, then the only other one I find is, to collect as many email-addresses as possible.
For me, there is no real reason, why an email-address can't be used multiple times. If you are afraid that someone signs up thousands of accounts, limit the number of signups per week. The probability that someone else trying to find out, if the address is being used hits one of the weeks where you signed up an account is much smaller.
I mean, In Soviet Russia came and went, the hot grits thing came and went, but for some reason, no one around here seems to get tired of reading the same, tired, "no one on slashdot can get a date!" jokes.
Oh, hell. Who am I kidding? I haven't had a date since my first kid was born. Nevermind.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
1. Girlfriend finds out our victim is using Match.com
2. Girlfriend dumps our hero.
3. Hero must use dating agencies more to find new girlfriend.
4. Hero signs up for premium account, views more ads etc.
Clearly Match.com are doing what is their duty under capitalism!
${YEAR+1} is going to be the year of Linux on the desktop!
1) Get hold of the Goatse visitor's list.
2) Put it up for bid.
3) ????
4) Profit!
Have gnu, will travel.
Hey, you don't need the internet to have companies f*ck with your privacy.
How would you like it if your hotel gave your room key to a guy with a bunch of TV cameras?
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
well obviously, a. a bj is not sex OR adultery b. laws do not apply to presidents
Rather than launch a spam campaign and deal with the associated risks, why not just bounce your list off of a few high-traffic web sites to see if it's a valid login there? It's scriptable, doesn't cost anything - and the resulting list is much more valuable. If you're really lucky, the sites will offer other personal data as a "clue" to the forgotten password and you can plump up the list and make it even more valuable.
This is why Slashdot should care - if a login fails, no website should offer anything more than the fact that the login failed. No "bad password" or "invalid user id" - and definitely no "wrong password, click here and we'll ask you a personal question". Nothing more than "login failed".
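The "login failed" rule from the comment above, combined with the response-time signal raised in the earlier comment about timing the login page, as an added example that is not part of the original thread. The account store, function names and round count are constructed, and the hardened handler evens out only the password-hash cost, not every possible timing difference.

```python
import hashlib
import hmac
import os

ROUNDS = 20_000   # constructed value, kept low so the demo runs quickly
hash_calls = 0    # counts password-hash computations, the dominant cost per attempt

def slow_hash(password, salt):
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def make_record(password):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed sample account store.
USERS = {"alice@example.com": make_record("correct horse")}
# Decoy record with a random password: unknown addresses are checked against
# it so they cost the same hash work as a real account.
DECOY = make_record(os.urandom(16).hex())

def leaky_login(email, password):
    """The 'before': distinct messages, and no hash work for unknown addresses."""
    record = USERS.get(email.lower())
    if record is None:
        return "invalid user id"
    salt, stored = record
    if not hmac.compare_digest(slow_hash(password, salt), stored):
        return "bad password"
    return "ok"

def uniform_login(email, password):
    """Hardened: one message and one hash computation for every failure."""
    record = USERS.get(email.lower())
    salt, stored = record or DECOY
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    if record is not None and matches:
        return "ok"
    return "login failed"

def probe(login, email):
    """Return (message, hash computations) for one attempt with a wrong password."""
    before = hash_calls
    message = login(email, "bogus-password")
    return message, hash_calls - before

if __name__ == "__main__":
    for login in (leaky_login, uniform_login):
        for email in ("alice@example.com", "nobody@example.com"):
            print(login.__name__, email, probe(login, email))
```

The same uniform wording has to apply to the password-reset and sign-up forms, or they answer the membership question the login form no longer does.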
I once googled myself. I got nothing, but my uncle turned up. I clicked on the link--it was an Asian board game association, and I am curious naturally--and found several thousand other names. Not just the names, either--full contact information, like addresses, phone numbers, e-mail, etc.
I fight the enemy in my Sopwith Camel...and the enemy is the RIAA--er, Red Baron.
Working in a large corporation that has an extreme amount of exposure, I can't help but think that soon....very soon...these sites will more than likely get slapped with a lawsuit. Reading and agreeing to a privacy policy is one thing, but I would personally be EXTREMELY upset if anyone ever disclosed my email address to someone without proof of identity. Stalkers of the world unite! As long as you have an email address, your heart's desire is within reach. Leaving a voicemail with too much info can even be considered excessive and grounds for breach of contract. This will be an interesting topic to keep your eyes on.
I mean "deserve" exactly in a non-moral sense. I mean "deserve" in a practical, non-hypothetical, non-religious sense, a form that involves lawyers, judges, loss of material objects, loss of privileges. I don't mean "deserve" in a ritual where one might be stoned to death, or one has to say a few prayers, or is made to donate some money to an institution, and maybe some higher power will forgive your indiscretions.
Does _anybody_ read the 4 or 5 page long ToS? And who has the time? There could be all kinds of nonsense in it! And for an experiment, probably the guys at Google might have already done this -> added terms like 'All my property will belong to Google after x time of having an account' in that huge document nobody cares to read.
Interesting. I'd never considered that the use of e-mail addresses as a unique identifier caused information about a person to become publicly available, but it is pretty clear that it does.
I wonder how this sits with EU data protection laws, which make it illegal to reveal personal data about a third party as part of a business without that person's consent.
You can even stop the spam if the spammer finds your spamgourmet alias. You just pick a keyword that must form a part of every address. If the spammer works out your keyword (unlikely) then you just change it.
:)
I love the service. I've loved it for years. It has blocked thousands of spam emails that have harvested my address from slashdot.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
There may be no crime perpetuated by the villagers themselves but what of visitors?
My Dad told me two stories about visitors to the village. In one, a large group of gypsies arrived and camped on one of the fields. They had lots of dogs running around, music playing, hordes of verminous children shouting and so on. The villagers watched them from inside their houses, and from inside the pub. After a while, some local emerged from the pub and gave the gypsies some friendly advice. There are lots of farms there, and farmers don't like to see dogs off the leash. The gypsies told him to f*ck off. He went back into the pub. Night fell, and everyone eventually went to sleep, even though the gypsies made a lot of noise late into the night.
When they woke up, the gypsies found all their dogs had been shot in the night. All the locals have shotguns, and some of them went hunting carrying them, walking past the gypsy encampment. The gypsies took the hint and left that day.
In the second, the locals told my parents that before my parents bought a house there, people had seen them driving around, and thought it was suspicious. Someone had checked up on their license plate and other people had talked to them. Eventually word spread that they were basically civilised people planning to move there. Then the surveillance stopped.
So there's a kind of authentication process. If you show some respect, all is ok. But if the gypsies hadn't taken the hint, things would have got really nasty. The police are essentially part of the system, so it's not like there are any laws restraining people from protecting it.
It's a sort of oligarchic utopia really, an example of a society that works well because it ignores liberal sacred cows like the right to privacy. I rather admire that, and want to try to extend that system to the UK as a whole. There are clear analogies for example from the gypsies to criminals or fundamentalist Muslims and from my parents to people who are moving to the UK in good faith. The UK hasn't traditionally been a country of universal rights, that's an idea no older than the current Labour government. They've backed down on it somewhat.
E.g. look at this
http://www.mailonsunday.co.uk/pages/live/articles/news/news.html?in_article_id=457934&in_page_id=1770&ct=5
The Mail on Sunday is a Tory paper and interestingly they also link to an article on "Human rights nonsense", about how extending rights to people that are hostile to civilisation hampers the government. They mention approvingly that the Tories will derogate from the human rights act.
In village terms, you could say that the FTAC is the locals in the pub, and the terrorist suspects are the gypsies. Some people are alien to the culture of the UK and the people that run it can quite legitimately decide to deny them rights that they would have if they made some attempt to fit in. Most of the people in the village are Tory voters, and now that Blair is going, ironically brought down by the far left, there is a fair chance that derogation will end its brief experiment with US style inalienable rights.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
When I first read the excerpt in this article in the email digest, I read the example email address as blowjob@aol.com.
Buster: It wasn't really the pronunciation that bothered me.
[command INSERTWITTYQUIP failed: insufficient wit]
Hello, I received an email today that was supposed to have information about my account in it. It instead contained hundreds of usernames and/or emails. I have contacted PayPal about this but received no response. I am trying to get the word out wherever I can.