Slashdot Mirror


Social Search Reveals 700 Comcast Customer Logins

nandemoari writes "When educational technology specialist Kevin Andreyo recently read a report on people search engines, he decided to conduct a little 'people search' on himself. Andreyo did not expect to find much — so, imagine the surprise when he uncovered the user name and password to his Comcast Internet account, put out there for the entire online world to see. In addition to his personal information, Andreyo also discovered a list that exposed the user names and passwords of what he believed to be 8,000 other Comcast customers. Andreyo immediately contacted both Comcast and the FBI, hoping to find the ones responsible for divulging such personal information to the public. While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services."

158 comments

  1. While the list is no longer available online by stonedcat · · Score: 0, Redundant

    While the list is no longer available online

    Bullshit I'm sure it's in 100 different places by now.

    --
    You can't take the sky from me.
    1. Re:While the list is no longer available online by Anthony_Cargile · · Score: 2, Informative

      True, in fact, there is already a comment that gives a download mirror, see here. [slashdot.org]

      Nobody waste your time/bandwidth even following that link, as it's to the troll post above which links to nothing but a video and imagery probably nobody wants to see (recall goatse.cx links).

    2. Re:While the list is no longer available online by Anonymous Coward · · Score: 0

      Maybe you got modded redundant because it says the same thing in the summary?

    3. Re:While the list is no longer available online by jank1887 · · Score: 1

      well... yoda does look a bit trollish

    4. Re:While the list is no longer available online by poopdeville · · Score: 5, Informative
      --
      After all, I am strangely colored.
    5. Re:While the list is no longer available online by Anonymous Coward · · Score: 2, Interesting

      How bad would it be to write a script to email all these people and maybe disclose the first 3 or 4 letters of their password, and if they see it's the same, then maybe they can take action...

      Would that be impolite or considered spam?

    6. Re:While the list is no longer available online by Anonymous Coward · · Score: 1, Insightful

      I think a lot of people would see it as "impolite" or worse. I would want disclosure, but the technologically illiterate would see it as a violation. Still, they are better off knowing.

      I won't be writing that script. :0)

    7. Re:While the list is no longer available online by Hurricane78 · · Score: 1

      and figured hey I'm on slashdot the smart people here will get what I'm saying.

      You must be new here...

      It's not about smartness. It's about those people here that have nothing better to do than to hang around here all day long, have tons of prejudice and projection, stemming from the self-hatred of not being out there and getting girls, or something like that. It's a very primitive thing. They are very smart on an intellectual level, but emotional and social pre-school children.

      It's what comes as a price with concentrating so much on technology. But hey, would you want to get tons of girls, and not know what to input in a shell? See...

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    8. Re:While the list is no longer available online by Anonymous Coward · · Score: 0

      Just the idea that it's a guy's role to "get the girls" and that if he fails in this "duty" there are negative consequences... all of that is itself primitive.

    9. Re:While the list is no longer available online by furby076 · · Score: 1

      Yea...welll... YOU SUCK! I'm going to play with my hawt 3.0 hax'd iphone.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    10. Re:While the list is no longer available online by Bourbonium · · Score: 1

      Obviously, it's still out there (look down below in this thread). I remember I changed my comcast password last summer, when they previously announced a similar problem. Now, just to be safe, I'm changing it about every three months, just as I do my work account. You can't be too careful with this kind of stuff, particularly when the gatekeepers of your private information cannot be trusted to safeguard it as securely as I do on my own network.

  2. Comcast has Passwords? by westyvw · · Score: 3, Funny

    Who knew? Are these the same people who actually let Comcast install software on their computers?

    --Nothing to do with the leak of passwords, just saying.....

    1. Re:Comcast has Passwords? by afidel · · Score: 2, Insightful

      All the ISP's do that and as I have told my friends and family repeatedly over the years, DON'T under any circumstances let the installer near your PC with that thing, it's not needed and can only lead to problems.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Comcast has Passwords? by JWSmythe · · Score: 4, Funny

      I've moved around a lot, and each time they've tried. They've also been insistent that I have a Windows machine for them to install with. I used to keep a spare Windows box handy just for the installs. Usually I could talk them out of touching the machine. Two insisted, and finally made me sign a waiver that I refused, but the connection worked so I didn't care. One blatantly refused to do the install without putting the CD in. I was happy that it was a spare machine I didn't care about. It came offline, and I put my Linux machine up just after they walked out the door. It had a nice clean install of Win98 on it, so they got absolutely no personal information. I wiped it later on, just in case I needed it again for something.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:Comcast has Passwords? by AvitarX · · Score: 3, Interesting

      I hide my computers for it (I have just moved after all).

      The modem needs to be activated, and the CD can do it, but they can do it remotely too. So I just tell them I want internet for my Xbox, but don't have a computer set up yet. They oblige.

      I'm pretty sure they would have done it if I just said I didn't want to install the software on the phone, but I didn't want to risk it.

      I called a more local office directly though, and they are always polite and helpful (found a local non 800 number).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:Comcast has Passwords? by morghanphoenix · · Score: 1

      Yeah, I called them and said I was unable to install the software as I didn't have a computer running Windows. Took a few minutes of them setting up the account remotely, giving me the new password, and then changing it online. I was completely unwilling to subject my wife's XP box to what I've seen on people's computers who were dumb enough to actually put that CD in the drive. It was really simple to avoid installing it, and nobody asked me to sign a waiver; of course I was doing a self-install and only called them to activate my account when everything was all hooked up properly. Not sure how much harder it would be if I had some clueless Comcast rep at my house insisting that I needed to install the software.

    5. Re:Comcast has Passwords? by Anonymous Coward · · Score: 0

      I just tell them that I have a corporate machine whose policies disallow me from installing any software - so far it has always worked. Although, on a new install where they come out and get annoying, I should set up an emasculated user just for their (non)use.

    6. Re:Comcast has Passwords? by furby076 · · Score: 2, Informative

      It's actually quite simple. When the comcast person arrives at your house and installs the hardware they will want to install the software. Tell them no and to have them call their dispatch. They don't like to do it because now they have to wait on hold, get the person to manually activate the modem (why the software is not built into the modem is beyond me), and wait for it to start. Basically it means the comcast guy will be at your place for an additional 30 minutes. They will, however, not install it on your request. I have never had to persuade, argue, bribe, or threaten the person - I just said "no thanks I prefer not to have any extra software on my computer".

      Let's not make it sound like mission impossible.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    7. Re:Comcast has Passwords? by Lord+Ender · · Score: 2, Funny

      While Time Warner, the local cable company, has never tried to force me to install their crapware; if they tried, I would have no trouble handing them my netbook (which lacks an optical drive).

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    8. Re:Comcast has Passwords? by tibman · · Score: 1

      I've done a cable install twice now and just having your linux machine there will prevent them from doing anything. The guy will walk over and say, oh, you don't have windows? Then he'll call in all the numbers on his phone.. that's it! done.

      --
      http://soylentnews.org/~tibman
    9. Re:Comcast has Passwords? by Ironica · · Score: 1

      While Time Warner, the local cable company, has never tried to force me to install their crapware; if they tried, I would have no trouble handing them my netbook (which lacks an optical drive).

      Yeah... TW didn't try to install anything on our computers, either. They used the computer briefly to check that the connection was working, but that's it. No CDs involved.

      But as back-up measures, my main box is Linux *and* my optical drives are hidden under a black canvas baby-proofing cover. ;-) Baffles adults even more than the toddlers.

      --
      Don't you wish your girlfriend was a geek like me?
    10. Re:Comcast has Passwords? by Golddess · · Score: 1

      And if the tech had a USB CD/DVD-ROM on hand? :P

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    11. Re:Comcast has Passwords? by ImprovOmega · · Score: 1

      Your USB ports are enabled? Amateur.

    12. Re:Comcast has Passwords? by jroysdon · · Score: 1

      I just have a blank WinXP VM image I give them access to full-screen and in bridged mode. They want local admin access to do their thing, and no way would I give them that even in my WinXP regular personal VM images.

      No big deal, it just worked and let them do what they needed to do. When they were done, I just nuked the VM image.

    13. Re:Comcast has Passwords? by evansvillelinux · · Score: 1

      All the ISP's do that and as I have told my friends and family repeatedly over the years, DON'T under any circumstances let the installer near your PC with that thing, it's not needed and can only lead to problems.

      I will second that. When my current cable/phone/internet provider came and setup their equipment, the installer was beside himself because I wouldn't let him touch my computer. He tried the "required for this to operate" excuse. I told him that I was an IT professional and that I knew he was full of it and that if it was required, he could take his equipment home and I'd cancel my service. He asked if I would at least make the ISPs home page my start page. I guess they needed the inflated traffic stats.

      --
      IMHO, IANAL, TINLA, etc...
  3. Anonymous Coward by Anonymous Coward · · Score: 0

    I worked at a call center, teletech, in Mexico City managing tech support, billing and practically everything customer related for comcast in Houston. I just couldn't believe how much comcast and teletech sucked. Security was simply not enforced. I actually thought of writing a story, thinking I could get it published in Rolling Stone or something. It would involve a tale of worker exploitation, worst possible consumer service, and complete irresponsibility about security.

    1. Re:Anonymous Coward by supernova_hq · · Score: 1

      I like your mention of security. I installed my grandmother's telus modem (she has had telus for a long time and can't change due to her email being used for a business). The modem is actually a 2-wire wireless modem, with a DEFAULT wireless password (password=telus)... Compare this to shaw, who actually stopped by one day (they had had problems in the area and were personally asking people if they had had problems). I talked for a minute with him and happened to mention that I had a network, he promptly asked me if I had secured the connection properly.

  4. How far is it spread? by Anthony_Cargile · · Score: 4, Insightful

    I wonder if that includes both home and business accounts. I'm sure you can Wayback the archive provided you have an original link or precise search terms, but this apparently affects quite a few people although the summary doesn't mention what exactly the revealed username/passwords are to.

    If I had to take a guess, I'd say email or online customer accounts (although I don't recall having one during my painful time with Comcast), which either opens up either a financial or spam-exploitable security issue, not sure which.

    ...In a nutshell: This is pretty bad, but how deep does it go and can Comcast be held responsible in any way?

    1. Re:How far is it spread? by Anonymous Coward · · Score: 0

      I'm sure you can Wayback the archive provided you have an original link or precise search terms

      Don't be. Wayback does not retrieve the entire web. Unless it's a major site like Slashdot, you should be ready for broken links and even 0 results. There are a lot of dark corners. Also Wayback cannot be searched by terms, only by URL, with filtering by date and file type. Also information does not show up until 6 months after retrieval. Also Wayback respects robot exclusion, and even applies it retroactively though there is no legal need to do so, and the practice makes big holes in the record as domains expire & are sucked up by resellers.

      You might get lucky with Wayback machine, but it's not something to be sure of.

    2. Re:How far is it spread? by furby076 · · Score: 1

      and can Comcast be held responsible in any way?

      I love the sue happy mentality of our society. A better question "and should Comcast be held responsible..."
      Trust me, I hate Comcast. My girlfriend laughs at me every time I talk about comcast. Out of all the companies in the world I have dealt with - comcast is the worst (though a few months ago a comcast manager was so nice to me...no lie, I had a tear come to my eye).
      Sometimes accidents happen, rogue employees happen, or some other factor. You get them to fix the problem and move on.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    3. Re:How far is it spread? by jroysdon · · Score: 1

      One concern I'd have is that people often use the same password for all of their accounts. Skimming through the list of usernames and passwords that were released, it's amazing to me how simplistic the passwords are that people use. Straight-up dictionary works, nothing appended. Or just a dictionary word plus a digit or two.
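
The two weaknesses this comment describes, dictionary-word passwords (with or without a digit or two appended) and one password shared across accounts, are easy to triage mechanically over an account inventory. The following is an added example, not code from the thread or from Comcast: a small audit routine with a constructed mini wordlist and constructed sample accounts (no values from the leak). A real check would load a full dictionary and read the inventory from a password-manager export or a breach notification rather than the inline list.

```python
"""Password-quality triage for an account inventory (added example).

Flags plain dictionary words, dictionary words with digits appended,
very short passwords, and one password reused across several accounts.
The DICTIONARY and SAMPLE records below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed mini wordlist; a real audit would load a full dictionary.
DICTIONARY = {
    "password", "carrot", "turnip", "sunshine", "dragon",
    "letmein", "welcome", "monkey", "football", "princess",
}


def classify(password: str) -> str:
    """Return a weakness label for one password, or 'ok'."""
    lowered = password.lower()
    if lowered in DICTIONARY:
        return "dictionary word"
    # A dictionary word followed by one to four digits, e.g. carrot6.
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", lowered)
    if m and m.group(1) in DICTIONARY:
        return "dictionary word + digits"
    if len(password) < 8:
        return "too short"
    return "ok"


def audit(accounts):
    """accounts: iterable of (account_id, password) pairs.

    Returns {account_id: [findings]}. Accounts with no findings are
    omitted. A password held by two or more accounts earns each holder
    a 'reused' finding, since a leak of one exposes the others.
    """
    findings = defaultdict(list)
    holders = defaultdict(list)  # password -> accounts using it
    for acct, pw in accounts:
        label = classify(pw)
        if label != "ok":
            findings[acct].append(label)
        holders[pw].append(acct)
    for pw, accts in holders.items():
        if len(accts) > 1:
            for acct in accts:
                findings[acct].append("reused across %d accounts" % len(accts))
    return dict(findings)


# Constructed sample records (hypothetical accounts, not from the leak).
SAMPLE = [
    ("alice@example.net", "password"),
    ("bob@example.net", "carrot6"),
    ("carol@example.net", "Tr0ub4dor&3xample"),
    ("dave@example.net", "carrot6"),
    ("erin@example.net", "go1234"),
]

if __name__ == "__main__":
    for acct, notes in sorted(audit(SAMPLE).items()):
        print(acct, "->", "; ".join(notes))
```

The reuse check is the one that matters most for the scenario in this thread: a password that is merely weak endangers one account, while a reused one turns a single ISP leak into access to e-mail, banking and everything else that shares it.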

  5. Aggressive Social Sites by Anonymous Coward · · Score: 5, Interesting

    A few months ago, my wife received an "invite" from one of her friends regarding one of these "mom" social websites (I really wish that I could recall - but I can't) - picture sharing and all that doo-dah.

    Long story short, my constant geek bantering about "security" had finally gotten through to my wife - and she was using a different password for each website. What happened was astonishing: buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password. When my wife used a password that was not the same as her email account, the site simply asked her for it.

    In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).

    I can imagine that sites like this would have no problem selling and/or posting this information publicly.

    1. Re:Aggressive Social Sites by Milkyfresh · · Score: 3, Insightful

      I'm more interested in the site that did this and the legality of them doing it. There is zero reason why a site needs your password to your e-mail account.

    2. Re:Aggressive Social Sites by yakatz · · Score: 0, Troll

      buried in the 58 page EULA, there was text about authorizing the site in question to logon to her supplied email account (e.g. - gmail.com) using the same supplied password.

      In other words, the people who use the same password for everything would simply check the "I AGREE" box, which would authorize the new site to harvest their email contacts for the sake of spamming them. Since the generated emails would be coming from a known contact, it would become a plausible suggestion for each recipient (i.e. - better than unsolicited spam).

      I can imagine that sites like this would have no problem selling and/or posting this information publicly.

      If you actually read the terms of spokeo.com, they will only use your email password ONCE for the purpose of getting your contact list, as that is the whole point of the website. There is nothing at all that would imply sending spam.

    3. Re:Aggressive Social Sites by VGPowerlord · · Score: 1

      Facebook is a "mom" social website now? (It prompts you for your gmail email address and password.)

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    4. Re:Aggressive Social Sites by yakatz · · Score: 1

      They can do almost anything as long as it is there in writing. The reason they ask for your password is to get your contact list. That makes sense considering that the point of the site is to find out what your contacts are doing.

    5. Re:Aggressive Social Sites by Anonymous Coward · · Score: 5, Interesting

      Yes. My mother, and all of her sisters have facebook, and use it as much as any 15 year old girls. It is scary.

    6. Re:Aggressive Social Sites by z0idberg · · Score: 4, Informative

      You're not understanding the issue. Yes facebook etc. ask for your email password to get your contact list, but the issue the OP is talking about (though who knows if it's true given it's an AC who can't recall the original site) is that the site tries to use your supplied email address and the password you use *for that particular site* to try and login to your email account and get your contact list. So you aren't prompted for your gmail/yahoo/hotmail password. They just try to login to your email using your supplied email address and the password for that site. Sneaky given most(?) people use the same password across a wide range of places.

    7. Re:Aggressive Social Sites by Renraku · · Score: 1

      And why should they have a problem with it?

      I don't think it has caused any trouble for any company as of yet. As far as they know, it's practically free advertising. People see that a friend is inviting them to the site, and they're more likely to subscribe themselves.

      It's like those pain in the ass sites that offer to post on your Facebook for you when you've done something at their site.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    8. Re:Aggressive Social Sites by yakatz · · Score: 1

      I don't know which site you are talking about, but spokeo tells you outright that they will use it to log in to your email.

    9. Re:Aggressive Social Sites by Agent+ME · · Score: 1

      Twitter also seems to do this. I even skipped the step where it asked to log into my other accounts, but it still seemed to check my MSN account (using the same password) and automatically make me follow the twitter of someone from my contact's list.

    10. Re:Aggressive Social Sites by dwarfsoft · · Score: 1

      I just want them to try. Having a domain with a catch-all account I just put @dwarfsoft.com and let them use that for a login. There is no attached real email account so they could never log in, even if they tried.

      Also, having different passwords (randomly generated and stored in a secure database, or in memory if you are that freaky) definitely helps :)

      --
      Cheers, Chris
    11. Re:Aggressive Social Sites by AvitarX · · Score: 1

      My understanding of EULAs in case law (IANAL, or even a legal geek) is that they are enforceable in so much as they say what everyone knows and expects to be there. Some wacky clause would presumably not be then.

      This is for software, not services and may even be wrong, but whatever.

      Wikipedia gave no specifics, saying terms are pretty much case by case, and it focused strongly on software purchases.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    12. Re:Aggressive Social Sites by rhizome · · Score: 1

      who's talking about "spokeo" (whatever that is), besides you?

      --
      When I was a kid, we only had one Darth.
    13. Re:Aggressive Social Sites by Brickwall · · Score: 2, Interesting

      I understand the need to have different logon/passwords, but geez - some sites are going nuts. My bank and my credit card company wanted to put me through TWO logons each, using different ID's and passwords. And of course, if you forget, neither of them will email you your password; you have to phone tech support, sit on hold for 10-20 minutes, and wait for tech support to reset the password, which takes another 20-30 minutes to take effect. So, just to check my card balance, what should have been a 30-second endeavour turns into an hour-long PITA.

      And I'm not so naive as to write them on a post-it stuck to the bottom of my keyboard, or write them backwards on the back of my credit card. And I did try your suggestion of storing them in a file, but since the ones I forget are sites that I visit infrequently, I forgot the name of the freakin' file! (And again, I'm not so stupid as to name the file "passwords" or "pw", or similar.)

      Finally, the solution that worked for me was using one ID/password combo for sites that don't represent any security issues (e.g. Slashdot), another combo for sites that I don't particularly want people to snoop on (e-mail), and another one with an exceptionally hard password for sites that I really want to keep private, like banking and credit cards. But I wish there was an easier way.

      --
      What was once true, is no longer so
    14. Re:Aggressive Social Sites by Antique+Geekmeister · · Score: 3, Insightful

      And you believe them about safely handling your password and never storing or selling it for other uses, why?

    15. Re:Aggressive Social Sites by Potor · · Score: 1

      Not quite: it asks for your email address, and your FACEBOOK password (not your email password).

    16. Re:Aggressive Social Sites by fractoid · · Score: 2, Informative

      Actually, what the GPP is referring to is that when you create a Facebook account, it allows you to enter your email password for a few of the major webmail providers (GMail, Hotmail, can't remember the others), trawls through your contact list and/or inbox, and gives you a list of people you've contacted via email who also have facebook accounts. It's a convenient (albeit scary from the security PoV) way to populate your friend list for a new account.

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    17. Re:Aggressive Social Sites by Anonymous Coward · · Score: 0

      I keep my password file encrypted, so the only password I really need to remember is the one to decrypt my files. Makes it a bit simpler when all of my passwords are very long and completely random ASCII strings.

    18. Re:Aggressive Social Sites by Kongming · · Score: 1

      You can name your passwords file something more obvious and put it in an easier to access place if it is encrypted. There are a lot of free applications that make it pretty easy to encrypt documents and to access said documents, AxCrypt being one example. Remembering one password then gives you access to all of your old, obscure passwords; just never use that password anywhere else.

      --
      (no sig)
    19. Re:Aggressive Social Sites by 0xDEAD · · Score: 1

      http://passwordsafe.sourceforge.net/ I love this app, only need to remember a single password.

    20. Re:Aggressive Social Sites by Anonymous Coward · · Score: 1

      Oddly 3 of your 4 posts on /. have also been about this site you keep mentioning. And you're the only one to mention it this thread. How much of that company do you own?

    21. Re:Aggressive Social Sites by Aydsman · · Score: 1

      These days most of the major providers such as GMail and Hotmail have an API which allows you to supply your username and password only to the service itself and Facebook (or whatever wants access to your contact list) simply gets given a security token which they can utilise to retrieve the data. The Google login screen at least also notifies you about the type of access you will be granted.

    22. Re:Aggressive Social Sites by Yaur · · Score: 1

      What they are really telling you is that they are storing your password in clear text or reversible encryption and as such can't be trusted with a non-disposable password.
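
The two comments above make complementary points: Aydsman describes the provider-issued token model in which the third party never sees the mail password, and Yaur notes that a site able to replay your password against your mail provider must be holding it in recoverable form. The following added example (not code from the thread, and not Google's or Facebook's API) models both sides of that exchange with a toy provider: it keeps only a salted PBKDF2 hash of the password, so it cannot replay it anywhere, and it hands the social site a scoped, revocable token. Class names, users, contacts and the "correct horse battery" password are constructed.

```python
"""Delegated contact-list access without sharing the mail password.

Added example. MailProvider stands in for a webmail service; SocialSite
for a third party that wants the user's address book. All identities and
data are constructed; the password hashing uses the standard library only.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


class MailProvider:
    def __init__(self):
        self.users = {}     # email -> (salt, pbkdf2 digest); never the password
        self.contacts = {}  # email -> address book
        self.inbox = {}     # email -> messages
        self.tokens = {}    # token -> (email, scope)

    def register(self, email, password, contacts, inbox):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[email] = (salt, digest)
        self.contacts[email] = list(contacts)
        self.inbox[email] = list(inbox)

    def check_password(self, email, password):
        """Verify against the stored hash; the plaintext is never recoverable."""
        if email not in self.users:
            return False
        salt, digest = self.users[email]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(probe, digest)

    def grant(self, email, password, scope):
        """User authenticates to the provider directly and approves a scope;
        only the resulting token is handed to the third party."""
        if not self.check_password(email, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (email, scope)
        return token

    def revoke(self, token):
        self.tokens.pop(token, None)

    def api(self, token, resource):
        """Serve 'contacts' or 'inbox' only to a live token with that scope."""
        if token not in self.tokens:
            raise PermissionError("unknown or revoked token")
        email, scope = self.tokens[token]
        if resource != scope:
            raise PermissionError("token not scoped for %s" % resource)
        store = self.contacts if resource == "contacts" else self.inbox
        return list(store[email])


class SocialSite:
    """Third party: holds the token, never the mail password."""
    def __init__(self, provider):
        self.provider = provider
        self.token = None

    def connect(self, token):
        self.token = token

    def find_friends(self):
        return self.provider.api(self.token, "contacts")

    def read_mail(self):
        # Expected to fail: the token is scoped to contacts only.
        return self.provider.api(self.token, "inbox")


def demo():
    """Run the exchange; returns (contacts, mail_blocked, revoked_blocked)."""
    mail = MailProvider()
    mail.register("alice@example.net", "correct horse battery",
                  ["bob@example.net", "carol@example.net"], ["hello from bob"])
    site = SocialSite(mail)
    token = mail.grant("alice@example.net", "correct horse battery", "contacts")
    site.connect(token)
    contacts = site.find_friends()
    try:
        site.read_mail()
        mail_blocked = False
    except PermissionError:
        mail_blocked = True
    mail.revoke(token)
    try:
        site.find_friends()
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True
    return contacts, mail_blocked, revoked_blocked


if __name__ == "__main__":
    print(demo())
```

The contrast with the scheme described earlier in the thread is the point: a site that takes your password directly can try it against any provider and at any later time, whereas a scoped token works for one resource at one provider and dies when the user revokes it.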

    23. Re:Aggressive Social Sites by clsours · · Score: 1

      A tip I read once was to use word / thought association to create unique, but repeatable passwords, i.e. for root at work you could use carrot@streetname or turnip@town or whatever, root at home would be carrot@homebox, etc. Just something you can remember. Or if you use b'day or somesuch, put b'day$sitename.

      --
      Seagoon: Shut up Eccles!

      Eccles: Shut up Eccles!
    24. Re:Aggressive Social Sites by fractoid · · Score: 1

      It's entirely possible that this is, in fact, what I was talking about. :P I didn't dig into the source to see if it was actually beer or Facebook. Um, I mean Google or Facebook. I'm waiting for my wife to come back with my beer. Life is good! ;)

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    25. Re:Aggressive Social Sites by furby076 · · Score: 1

      I've encountered those sites before - facebook, myspace, etc. They specifically ask me "want us to use your yahoo, gmail, etc to contact your friends". One time I said yes and it brought up a list of all of my friends and then it said "who did you want us to contact". It was a very plain, and clear pop-up. You couldn't miss it and you had to check off names and click submit. Nothing underhanded or sneaky. Now are there sites who will do that - most likely - but the bigger named sites are not currently doing it.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    26. Re:Aggressive Social Sites by TheLink · · Score: 1

      "They can do almost anything as long as it is there in writing"

      If the Courts agree with you, then it's a matter of who writes the EULA equivalent of a nuke first.

      Heck, someone should write an EULA with really really ridiculous terms e.g. "You give us complete ownership over your organs after your death, and any derivative products".

      --
    27. Re:Aggressive Social Sites by pwizard2 · · Score: 1

      A tip I read once was to use word / thought association to create unique, but repeatable passwords, i.e. for root at work you could use carrot@streetname or turnip@town or whatever, root at home would be carrot@homebox, etc. Just something you can remember. Or if you use b'day or somesuch, put b'day$sitename.

      Passwords like the samples you provided seem really vulnerable to dictionary attacks.

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
    28. Re:Aggressive Social Sites by geminidomino · · Score: 1

      But I wish there was an easier way.

      If you use firefox, there is.

      Ask and ye shall receive.

    29. Re:Aggressive Social Sites by jroysdon · · Score: 1

      Wow, that is scary. All the more ammo to preach to people to use unique passwords.

      Of course, even if you can train those folks to use unique passwords, you still have to train them not to give out account info where it doesn't belong. They'd probably just as easily give out the email account password unless educated. Gmail, etc., needs to add to their EULA that it is against their policy for you to share your account password.

      What they (Google, etc.) should set up is a "safe" way to allow you to let sites get access to your address book (should you choose to allow them to).

    30. Re:Aggressive Social Sites by charlesnw · · Score: 1

      UH.... I'm sorry but that seems a bit too difficult to believe. I'm gonna say that you are spreading FUD here.

      --
      Charles Wyble System Engineer
  6. Not the first time by Anonymous Coward · · Score: 5, Informative

    I worked for comcast about 8 years ago and at the time they had a Remedy test account they used for various stuff. One day I decided to login to the ftp using the remedy account and sitting there was a year old file with every subscriber's login and password. And since the ftp site was the account's web site home folder, these were just sitting there available to everyone.

    1. Re:Not the first time by Sleepy · · Score: 0, Troll

      Why the hell was this helpful and insightful comment moderated "Troll"? This is CLEAR moderation abuse.

      Please, someone at Slashdot: revoke moderation rights on whoever applied the Troll modifier here. This isn't Digg.

    2. Re:Not the first time by Anonymous Coward · · Score: 0

      Did you follow the link? That's why.

    3. Re:Not the first time by Anonymous Coward · · Score: 0

      Perhaps it's marked as troll because of the content of the slashdot comment it links to? Something about Yoda and asses. Check it out.

  7. Consumer by AHuxley · · Score: 1

    Customers and the people like them are the people your data is sold over.
    As a consumer, you are one of many.
    Even if someone does care, it's a quick fix and back to a race to the bottom.
    Security is for paying equals, the people you cannot afford to upset.
    Paying a consumer data 'fine' every so often and a slick PR release is cheaper than real, expensive, ongoing prevention.
    If congress or any other gov entity cares, any company can swear they have the best security in place..
    Just not everywhere, all the time ;)
    A line of top university security experts and other independent experts would tell of how the company is secure..
    but you're not a company, just a consumer.

    --
    Domestic spying is now "Benign Information Gathering"
  8. How do I establish whether I am still a victim? by bogaboga · · Score: 2, Interesting

    While the list is no longer available online, analysts fear that the document still lives on in various cache and online history services.

    I would like to know whether my details are on that list. Question is: How do I get a hold of that list? How do I access data from the so called caches?

    1. Re:How do I establish whether I am still a victim? by Vectronic · · Score: 1

      That's probably the wrong question, or the wrong way to find out, especially if you do not wish to become a suspect; a lot of people would interpret that as a ploy to get hold of the list for malicious interests.

      The best, or rather the first option would be to call your local Comcast ISP, and ask them if your details are on the leaked list (as they should have the list in some form). When that (likely) fails, then go hunting, or possibly try contacting Mr. Andreyo, although I'm sure he's now receiving about 100 spams a minute on all wires leading to him, and likely had to sign some agreement not to disclose any further information about it.

    2. Re:How do I establish whether I am still a victim? by Anonymous Coward · · Score: 1, Informative

      [List of subscriber e-mail addresses and plaintext passwords redacted.]

    3. Re:How do I establish whether I am still a victim? by Hal_Porter · · Score: 1

      That's a very interesting list. It shows you that it's worth enforcing some limits on passwords.

      The classic NT restriction is that you need to have

      http://technet.microsoft.com/en-us/library/cc875814.aspx
      * The password is at least six characters long.
      * The password contains characters from at least three of the following five categories:
      * English uppercase characters (A - Z)
      * English lowercase characters (a - z)
      * Base 10 digits (0 - 9)
      * Non-alphanumeric (For example: !, $, #, or %)
      * Unicode characters
      * The password does not contain three or more characters from the user's account name.

      They recommend setting the maximum password age to 42 days too. And the default is to remember the last 24 passwords and stop people reusing them. It's clear the people that use their girlfriend or boyfriend's name as a password would be stopped by this and would thus be a much harder target for casual password guessers.

      Actually storing a hash rather than the password would be helpful too, that way even if the list leaks someone would still have to find a password which generates the leaked hash.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
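    Added example, not code from any commenter: a small Python checker for the three NT rules quoted above (length, three of five character categories, no fragment of the account name), plus the salted hash storage suggested in the last paragraph. The sample accounts are constructed, not entries from the leaked list; the reading of "three or more characters from the account name" as any run of three consecutive account-name characters is an assumption, as is the PBKDF2 parameter choice.

    ```python
    import hashlib
    import hmac
    import os
    import string


    def char_categories(pw: str) -> int:
        """Count how many of the five NT character categories appear in pw."""
        checks = (
            any(c in string.ascii_uppercase for c in pw),
            any(c in string.ascii_lowercase for c in pw),
            any(c in string.digits for c in pw),
            any(c in string.punctuation for c in pw),   # non-alphanumeric ASCII
            any(ord(c) > 127 for c in pw),              # anything outside ASCII ("Unicode")
        )
        return sum(checks)


    def contains_account_fragment(pw: str, account: str, run: int = 3) -> bool:
        """Assumption: 'three or more characters from the account name' is read as
        any run of `run` consecutive account-name characters appearing in pw."""
        a, p = account.lower(), pw.lower()
        return any(a[i:i + run] in p for i in range(len(a) - run + 1))


    def policy_violations(pw: str, account: str) -> list:
        """Return the rules pw breaks; an empty list means it passes."""
        problems = []
        if len(pw) < 6:
            problems.append("shorter than 6 characters")
        if char_categories(pw) < 3:
            problems.append("fewer than 3 character categories")
        if contains_account_fragment(pw, account):
            problems.append("contains part of the account name")
        return problems


    def hash_password(pw: str, salt: bytes = None, iterations: int = 200_000) -> str:
        """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


    def verify_password(pw: str, stored: str) -> bool:
        """Recompute the digest with the stored salt and compare in constant time."""
        _, iterations, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate.hex(), digest_hex)


    # Constructed sample accounts (not entries from the leaked list).
    SAMPLE_ACCOUNTS = [
        ("madison_fan", "madison"),
        ("jdoe", "password"),
        ("hal", "IHeardYouL1ekFoob1es@12"),
    ]


    def audit(accounts=SAMPLE_ACCOUNTS) -> dict:
        """Map each account name to its policy violations; passing accounts map to []."""
        return {acct: policy_violations(pw, acct) for acct, pw in accounts}


    if __name__ == "__main__":
        for acct, problems in audit().items():
            print(acct, "OK" if not problems else "; ".join(problems))
        record = hash_password("IHeardYouL1ekFoob1es@12")
        print(record)
        print(verify_password("IHeardYouL1ekFoob1es@12", record),
              verify_password("IHeardYouL1ekFoob1es@13", record))
    ```

    With only hashes on file, the "remember the last 24 passwords" rule still works (keep the old salted digests and verify the new password against each), but that is an exact-match check: a leaked copy of this table forces an attacker to guess each password again, which is the whole point of the last paragraph above.
    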
    4. Re:How do I establish whether I am still a victim? by furby076 · · Score: 1

      A court-ordered subpoena is the only way Comcast will release information about that list. What you would need to do is sue Comcast for the list, stating, in the lawsuit, that users who are on the list should be notified.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    5. Re:How do I establish whether I am still a victim? by sd.fhasldff · · Score: 1

      They recommend setting the maximum password age to 42 days too.

      Anyone who has ever worked in IT, or has a bit of common sense, knows that the result of such a policy is that every employee has a post-it with their password on or near their monitor.

    6. Re:How do I establish whether I am still a victim? by Fred_A · · Score: 2, Insightful

      They recommend setting the maximum password age to 42 days too. And the default is to remember the last 24 passwords and stop people reusing them.

      And that's when PostIts start to appear because people are fed up with remembering a new variant of "89fZ#9I$" every month.
      So you've substituted one security problem for another.

      Password expiration isn't all that it's cracked up to be.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    7. Re:How do I establish whether I am still a victim? by Hal_Porter · · Score: 1

      Well then they shouldn't choose passwords they can't remember.

      I have a password which is a nonsense phrase with a few of the letters changed to numbers and some punctuation. Each time I need to change it I increment one of the numbers.

      E.g. IHeardYouL1ekFoob1es@12, IHeardYouL1ekFoob1es@13 and so on.

      Actually it's better that they have a password like 89fZ#9I$ on a postit than a password like madison. You could guess madison by looking at their resume, 89fZ#9I$ requires you have physical access to their desk.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    8. Re:How do I establish whether I am still a victim? by TheLink · · Score: 1

      Why not just change your password? Even if it's not in that particular document, it might be in other similar documents, this might not be a one-off mistake.

      Or are you trying to figure out whether you can sue them? ;)

      --
    9. Re:How do I establish whether I am still a victim? by Bourbonium · · Score: 1

      Why take any chances? Just assume your account has been compromised. Whether or not you are a victim, you should change your password today. That takes care of it, without you having to do any follow-up research.

      Also, make a habit of using encryption for all your email correspondence, regardless of sensitivity. If all your communication is encrypted, it doesn't matter how important or private it is, it will be protected.

    10. Re:How do I establish whether I am still a victim? by Ironica · · Score: 1

      The best, or rather the first option would be to call your local Comcast ISP, and ask them if your details are on the leaked list (as they should have the list in some form).

      Actually, the FIRST thing you should do if you have a Comcast account is CHANGE YOUR PASSWORD. Also, change your password for any accounts that use the same password.

      --
      Don't you wish your girlfriend was a geek like me?
    11. Re:How do I establish whether I am still a victim? by BlueNoteMKVI · · Score: 1

      Unfortunately, many password systems will reject those passwords. I used to use a similar system, but started seeing errors about "your new password cannot use more than x characters from your old password." This of course means that they're saving my old passwords in plaintext or reversible encryption, which is a security risk in itself.

      My most recent scheme is to use a pattern on the keyboard (yay for muscle memory). Usually I'll do the pattern once, then hold shift and do the same pattern. This gives you upper and lower case, and if you include a number or two it gives you numbers and punctuation. As long as your pattern is 5 characters long you'll pass 99% of the password rules out there (5 keys, hold shift then the same 5 keys makes 10 digits). When the time comes to change your password, shift the pattern one key to the left or right. This way I can at least guess my password in a few tries if I have to.

      My fallback is this:
      http://gnukeyring.sourceforge.net/
      Stores the passwords on my palm pilot, encrypted. As long as I remember my decryption password and don't lose my palm pilot, I'm golden.

    12. Re:How do I establish whether I am still a victim? by HTH+NE1 · · Score: 1

      Throw in one more rule:

      * The password does not contain three or more characters used in any of the 24 previous passwords

      Assuming that the average user doesn't know how to enter Unicode characters (effectively reducing to 4 categories) and doesn't even repeat a character in a single password...

      Will the user run out of possible new passwords within 24 iterations of this policy?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    13. Re:How do I establish whether I am still a victim? by Ironica · · Score: 1

      Well then they shouldn't choose passwords they can't remember.

      So they're supposed to:

      * Choose a different password for each application (since one of them might be compromised);
      * Choose a new password every 42 days or less;
      * Not use any of the last 24 passwords

      Just *how* many passwords do you want them to remember?

      I have a password which is a nonsense phrase with a few of the letters changed to numbers and some punctuation. Each time I need to change it I increment one of the numbers.

      E.g. IHeardYouL1ekFoob1es@12, IHeardYouL1ekFoob1es@13 and so on.

      So, if someone gets a hold of your password, and then it auto-expires, they're defeated... unless they increment the last digit or two. You're right! That's so incredibly secure!

      Except, not. If your nonsense phrase is compromised, your entire password scheme is compromised. There is NO POINT to auto-expiring your password if you're just going to increment it. Which is why many auto-expire policies *also* won't let you use a password that is more than a certain percentage the same as your old password.

      Actually it's better that they have a password like 89fZ#9I$ on a postit than a password like madison. You could guess madison by looking at their resume, 89fZ#9I$ requires you have physical access to their desk.

      And if you work in an open-plan office, everyone has access to your desk. Half the purpose of unique network logons is for accountability. If you want to do something nefarious, you just log on to someone else's account, which you conveniently know the password to from reading it while you were at their desk asking about lunch.

      It's better to teach people how to generate a reasonably secure and memorable password ONCE, and encourage them to change it anytime they feel it might have been compromised, rather than to give them arbitrary rules at password creation and every so often afterward without actually teaching them anything about security.

      --
      Don't you wish your girlfriend was a geek like me?
    14. Re:How do I establish whether I am still a victim? by Hal_Porter · · Score: 1

      I have a password which is a nonsense phrase with a few of the letters changed to numbers and some punctuation. Each time I need to change it I increment one of the numbers.

      E.g. IHeardYouL1ekFoob1es@12, IHeardYouL1ekFoob1es@13 and so on.

      So, if someone gets a hold of your password, and then it auto-expires, they're defeated... unless they increment the last digit or two. You're right! That's so incredibly secure!

      Well they don't know which of the digits in the password should be incremented. If there are more than three of them they will run out of guesses. To be able to crack this they'd need to know not just one of my passwords but two to spot the pattern.

      But (and this is obvious if you'd thought about it) that doesn't matter, if they got hold of one password they could change it to whatever they wanted. Password expiry doesn't help at all in that case, the game is lost.

      Nothing is 100% secure. Stopping people having their password set to madison or whatever their girlfriend's name is (or, better, any word which could be dictionary attacked) makes things more secure because it stops dictionary attacks. Making sure passwords are long and not all lower case letters makes things more secure because it makes brute force attacks take much longer. E.g. find a zip password brute forcer and compare how long it takes to crack an n-character password with all the character classes in the Microsoft rule vs an n-character password which is just lower case letters, for reasonable n. Even if you have local access to the zip file and can try combinations really quickly, you can quickly get to the point where unless you are the NSA you won't have enough machines to crack the password before it expires.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    15. Re:How do I establish whether I am still a victim? by Ironica · · Score: 1

      Well they don't know which of the digits in the password should be incremented. If there are more than three of them they will run out of guesses.

      But then *you* have to keep track of which of the sets of digits that appear to be simply appended to the passphrase are the incremented ones, and what number you're on. Again, you have to remember something... or write it down on a post-it stuck to your monitor.

      But (and this is obvious if you'd thought about it) that doesn't matter, if they got hold of one password they could change it to whatever they wanted. Password expiry doesn't help at all in that case, the game is lost.

      What password expiry does help with is passwords that are compromised, but where the hacker wishes to keep that a secret and use the compromised account to gain access and gather information in ways that are not detected, more than once over a period of time. That's really the only point to it. If someone just wants to pwn your account or network in a single incident, then it only matters how difficult it is for them to obtain a working password, and password expiry doesn't affect the issue one way or t'other (except insofar as it makes it easier for someone with physical access to go shoulder-surfing for post-its).

      Nothing is 100% secure. Stopping people having their password set to madison or whatever their girlfriend's name is (or, better, any word which could be dictionary attacked) makes things more secure because it stops dictionary attacks. Making sure passwords are long and not all lower case letters makes things more secure because it makes brute force attacks take much longer. E.g. find a zip password brute forcer and compare how long it takes to crack an n-character password with all the character classes in the Microsoft rule vs an n-character password which is just lower case letters, for reasonable n. Even if you have local access to the zip file and can try combinations really quickly, you can quickly get to the point where unless you are the NSA you won't have enough machines to crack the password before it expires.

      But if your system locks someone out if they try more than X number of times, that puts a damper on brute-force attacks, too.

      --
      Don't you wish your girlfriend was a geek like me?
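    Added example, not code from any commenter: the lockout the comment above describes, as a per-account failure counter with a timed lockout, run against a constructed wordlist. The account, password and wordlist are made up for the simulation, and the password check is a plaintext comparison purely to keep the simulation short.

    ```python
    import time
    from collections import defaultdict, deque


    class LoginGuard:
        """Per-account failure counting with a temporary lockout.

        `max_failures` failed attempts inside `window` seconds lock the account for
        `lockout` seconds. A correct password during the lockout is still refused,
        so a guesser gets no signal that it hit the right one.
        """

        def __init__(self, max_failures=5, window=900, lockout=900):
            self.max_failures = max_failures
            self.window = window
            self.lockout = lockout
            self.recent_failures = defaultdict(deque)   # account -> failure timestamps
            self.locked_until = {}                        # account -> unlock time

        def attempt(self, account, password, check, now=None):
            now = time.time() if now is None else now
            if self.locked_until.get(account, 0) > now:
                return "locked"
            failures = self.recent_failures[account]
            while failures and now - failures[0] > self.window:   # forget stale failures
                failures.popleft()
            if check(account, password):
                failures.clear()
                return "ok"
            failures.append(now)
            if len(failures) >= self.max_failures:
                self.locked_until[account] = now + self.lockout
                failures.clear()
                return "locked"
            return "denied"


    # Constructed credential store and wordlist for the simulation (not real data).
    CREDENTIALS = {"alice": "correct-Horse7"}
    GUESSES = ["password", "123456", "madison", "qwerty", "letmein", "correct-Horse7"]


    def plain_check(account, password):
        """Plaintext comparison, kept only so the simulation is self-contained."""
        return CREDENTIALS.get(account) == password


    def simulate(guesses=GUESSES, max_failures=5, lockout=900):
        """Run the wordlist against one account, one guess per second, then retry the
        correct password after the lockout has expired. Returns one outcome per attempt."""
        guard = LoginGuard(max_failures=max_failures, lockout=lockout)
        outcomes = [guard.attempt("alice", g, plain_check, now=t)
                    for t, g in enumerate(guesses)]
        outcomes.append(guard.attempt("alice", "correct-Horse7", plain_check,
                                      now=len(guesses) + lockout))
        return outcomes


    if __name__ == "__main__":
        for guess, outcome in zip(GUESSES + ["correct-Horse7 (after lockout)"], simulate()):
            print("%-32s %s" % (guess, outcome))
    ```

    Two caveats a practitioner would add: a per-account lockout lets anyone lock a victim out by guessing wrong on purpose, and an attacker trying one guess across thousands of accounts never trips it, so it needs per-source throttling alongside it. It also does nothing against offline guessing once a list like the one in this story has leaked; only hashing helps there.
    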
  9. Password lists by JWSmythe · · Score: 4, Interesting

    I remember in the good ol' days of dialup, folks (now known as script kiddies) would pound on the dialups with common username:password combinations until they found one. Those lists would float around. I've seen lists of thousands of valid usernames. The folks who got them would use the now "free" dialup until the customer finally canceled. Of course, those usernames were the same as the email address (like foo@aol.com), so in theory you had their email address too. If you hopped in the right IRC channel and chatted for a few minutes, you could get your hands on a different list pretty quickly.

    I saw other comments saying that this was just Comcast insecurity, but it brought back memories. :)

    --
    Serious? Seriousness is well above my pay grade.
    1. Re:Password lists by 0100010001010011 · · Score: 2, Interesting

      Easier than that, over my 16.8k connection I would ping scan port 80. 99.9% of the port 80s that were open were routers that served internal networks. The geniuses at the router company decided that shadowing the password on the config page was enough.

      Little did they know I was a Haxxor that knew how to "View Page Source".

      So many accounts from that...
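    Added example, not code from any commenter: the "View Page Source" trick above works because the admin form is rendered with the current password in an input's `value` attribute, which the browser masks but the HTML carries. This Python scanner flags `<input>` elements that ship a secret that way. The sample page is constructed in the style of an old router form, not captured from a real device, and the list of name hints used to classify hidden fields is an assumption.

    ```python
    from html.parser import HTMLParser

    # Assumption: substrings that mark a hidden field as secret-bearing.
    SECRET_HINTS = ("pass", "pwd", "secret", "key", "psk")


    class PrefilledSecretFinder(HTMLParser):
        """Collect <input> elements whose value attribute carries a secret."""

        def __init__(self):
            super().__init__()
            self.findings = []

        def handle_starttag(self, tag, attrs):
            if tag.lower() != "input":
                return
            a = {k.lower(): (v or "") for k, v in attrs}
            kind = a.get("type", "text").lower()
            name = a.get("name") or a.get("id") or "?"
            value = a.get("value", "")
            if not value:
                return
            # A password box pre-filled from the config, or a hidden field named like a secret.
            if kind == "password" or (kind == "hidden" and
                                      any(h in name.lower() for h in SECRET_HINTS)):
                self.findings.append((name, kind, value))


    def find_prefilled_secrets(html: str):
        """Return (field name, input type, value) for every secret found in the page."""
        parser = PrefilledSecretFinder()
        parser.feed(html)
        parser.close()
        return parser.findings


    # Constructed page in the style of an old router admin form; not from a real device.
    SAMPLE_PAGE = """
    <html><body><form action="/apply.cgi" method="post">
      Admin name: <input type="text" name="admin_user" value="admin"><br>
      Admin password: <input type="password" name="admin_pwd" value="letmein"><br>
      <input type="hidden" name="wl_wpa_psk" value="s3cretwifi">
      <input type="hidden" name="csrf" value="a1b2c3">
      <input type="submit" value="Apply">
    </form></body></html>
    """

    if __name__ == "__main__":
        for name, kind, value in find_prefilled_secrets(SAMPLE_PAGE):
            print("%s (%s): %s" % (name, kind, value))
    ```

    The fix on the device side is the same today as it was then: never echo the stored secret back into the form; render an empty field and only update the credential when the user types a new one.
    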

    2. Re:Password lists by Anonymous Coward · · Score: 0

      ah, the good ol days

    3. Re:Password lists by adolf · · Score: 1

      Back in the day, my ISP had a Unix box (I forget the flavor). It was their web server, their FTP server, their mail server, and so on. /etc/passwd was wide-open, and non-shadowed.

      I leave the rest for the imagination.

    4. Re:Password lists by TheRaven64 · · Score: 1

      Did people really bother doing that? Most of the dial-up ISPs had an account that was intended for testing and didn't enforce a connection limit, which was a lot more reliable. I remember one local computer shop setting up every machine that left with this account on the Yahoo! ISP so all of their customers got free dial-up Internet.

      --
      I am TheRaven on Soylent News
    5. Re:Password lists by Anonymous Coward · · Score: 0

      Reminds me a bit of something I did. Here in the UK where phone calls cost money, you could get internet accounts that were free except for the phone call; the ISP gets money from the phone suppliers.

      BT Internet ran one of these services, you could sign up for free online really quick, and they had another service for some pounds per month that gave you an 0800 number.

      Guess what you could do there? Yep... sign up for the free account and then simply use the 0800 number with the same username/login details. free internet :) That was fun until someone posted it on alt.ph.uk and it stopped working about a week later.

    6. Re:Password lists by tibman · · Score: 1

      When I was a kid I figured out that you could manually dial Compuserve numbers and not "login". They wouldn't kick you for 2 hrs. I had a sweet IBM Thinkpad and Compuserve was damn near everywhere.. it was great when traveling around. A 1-800 number would tell me the local Compuserve dial up too. That internet was a different world from this one though.

      --
      http://soylentnews.org/~tibman
  10. Best Way To Stay Anonymous? by tthomas48 · · Score: 2, Insightful

    Have a really, really common name.

    1. Re:Best Way To Stay Anonymous? by Anonymous Coward · · Score: 0

      Be middle aged and have a social network that doesn't involve the web 2.0 sites - you might have some hits from Google searches, but mostly, it'll turn up others with the same name.

    2. Re:Best Way To Stay Anonymous? by d4nowar · · Score: 0

      Spoken by the one, the only, Thomas!

      oh wait...

    3. Re:Best Way To Stay Anonymous? by Anonymous Coward · · Score: 0

      Sorry, userid/login/email addresses are normally unique.

    4. Re:Best Way To Stay Anonymous? by Anonymous Coward · · Score: 0

      That's not what he's talking about. I'll give you an example. Look me up on google and tell me what you find. My name is Mike Smith.

    5. Re:Best Way To Stay Anonymous? by tb3 · · Score: 1

      The problem with that is that it's damn hard to audit.

      I have a very uncommon name. I plugged it into those search sites linked in TFA, and 99% of the search results were definitely about me. And nothing sordid or embarrassing came up.

      So as long as you're careful you can still stay anonymous on the web.

      --

      www.lucernesys.com - Horizon: Calendar-based personal finance

    6. Re:Best Way To Stay Anonymous? by Anonymous Coward · · Score: 0

      There's only one problem. People always think that I'm dead.

      - John Doe.

    7. Re:Best Way To Stay Anonymous? by VeNoM0619 · · Score: 1

      That's not what he's talking about. I'll give you an example. Look me up on google and tell me what you find. My name is Mike Smith.

      Yea.. well look ME up on google, my name is Mike Hunt!

      --
      Disclaimer: I am not god.
      We may not be created equal
      But we can be treated equal.
  11. I haxxored Comcast... by feepness · · Score: 5, Funny

    So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough. I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.

    1. Re:I haxxored Comcast... by Thinboy00 · · Score: 1

      So I'm trying to log on to Comcast to look at my bill. It's one of those places you log on every three years or so, so I can't remember anything about the account. I gave them my name and they give me a secret question asking "What is your favorite drink?" Well who the hell has a special favorite drink? So I plug in a few answers and finally try "milk". Bingo, I'm in. Change the password to my standard website name hash, poke around, get confused, and realize... wait a second... this isn't my account. My name is fairly rare, but I guess not rare enough.

      I don't really have any way of resetting it to what it was before, and for some reason there was no email verification involved. So I whistled quietly as I closed the window and called customer service instead.

      Bad idea. They'll probably remember you as "that weird guy that insisted on using Linux/not using Windows/what-have-you" and accuse you of "hacking".

      --
      $ make available
    2. Re:I haxxored Comcast... by Anonymous Coward · · Score: 1, Insightful

      Presumably he called just to ask about the question he had about his account, instead of telling them about the hacking.

    3. Re:I haxxored Comcast... by feepness · · Score: 1

      Presumably he called just to ask about the question he had about his account, instead of telling them about the hacking.

      Yes, not much of a point in telling them about it. I just decided they weren't quite internet ready and relied on phone instead.

    4. Re:I haxxored Comcast... by Phroggy · · Score: 1

      I wonder how long it will be before people figure out that "secret questions" are such a huge security hole.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    5. Re:I haxxored Comcast... by Anonymous Coward · · Score: 0

      That's why instead of answering the question you fill in a hash of something you will remember. Q: "where were you born?" A: "bf57d4d327983056bc500fa7aff3ebc6e623fa5f"

    6. Re:I haxxored Comcast... by TheRaven64 · · Score: 2, Insightful

      Security questions are not too bad. The worst things are things like one of my banks which insists on asking me my date of birth and mother's maiden name when I log in. Both of these are public-domain information and can be accessed in a searchable form for a very small fee (or free if you bother collecting them all yourself from the various registries), but they seem to be under the impression that it adds some security.

      --
      I am TheRaven on Soylent News
    7. Re:I haxxored Comcast... by nightglider28 · · Score: 1

      Actually, I'm a purely Linux user (Debian) and had to call Comcast to switch to the modem I had purchased. The problem was their end and the rep on the other end was amused and asked me what kind of programs I run after I mentioned that I used an XP vm to get it running in the first place. He sounded like he actually knew something and was surprised that I sounded like it as well.

    8. Re:I haxxored Comcast... by furby076 · · Score: 1

      They'll probably remember you as "that weird guy that insisted on using Linux/not using Windows/what-have-you" and accuse you of "hacking".

      Considering his subject said "I haxxored Comcast" he admitted to doing it. Don't worry he will get a reduced sentence for coming clean.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    9. Re:I haxxored Comcast... by trentblase · · Score: 1

      Just run the answers through a good hAsh function. Yeah it's an extra step, but you don't answer security questions that often and that way people don't know our favorite drink. Not completely secure if the attacker knows your hash function but I longer low hangng fruit

    10. Re:I haxxored Comcast... by Ironica · · Score: 2, Funny

      Not completely secure if the attacker knows your hash function but I longer low hangng fruit

      Or you could just use the last five words as your secret passphrase, and no one would ever get it because it's apparently a totally random combination of words and letters.

      --
      Don't you wish your girlfriend was a geek like me?
    11. Re:I haxxored Comcast... by HTH+NE1 · · Score: 1

      Just run the answers through a good hAsh function.

      That's great until some web admin decides to rephrase the question.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
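    Added example, not code from any commenter: the "hash your security answer" idea from the two comments above, done as an HMAC keyed by a master secret over the site name and the question, so the answer for one site tells an attacker nothing about another. The question is normalized (case and punctuation dropped) to absorb the kind of cosmetic edit the admin might make, and the site-only mode answers the rewording caveat by not depending on the question text at all. The master secret and sites here are constructed for the demo.

    ```python
    import base64
    import hashlib
    import hmac
    import re


    def normalize_question(question: str) -> str:
        """Lower-case and drop everything but letters and digits, so
        'Favorite drink?' and 'favorite   drink' map to the same key."""
        return re.sub(r"[^a-z0-9]", "", question.lower())


    def derive_answer(master_secret: bytes, site: str, question: str = None,
                      length: int = 20) -> str:
        """HMAC-SHA256 over the site (and, optionally, the normalized question),
        rendered as lower-case base32 so it survives forms that reject punctuation.

        With question=None the answer depends only on the site, which survives
        any rewording of the question at the cost of one answer per site."""
        key_material = site.lower().encode("utf-8")
        if question is not None:
            key_material += b"|" + normalize_question(question).encode("utf-8")
        tag = hmac.new(master_secret, key_material, hashlib.sha256).digest()
        return base64.b32encode(tag).decode("ascii").rstrip("=").lower()[:length]


    # Constructed master secret for the demo; a real one belongs in a password manager.
    DEMO_SECRET = b"demo-only-master-secret"

    if __name__ == "__main__":
        for site, q in [("comcast.net", "What is your favorite drink?"),
                        ("comcast.net", "WHAT IS YOUR FAVORITE DRINK"),
                        ("comcast.net", "What is your favourite drink?"),
                        ("example.com", "What is your favorite drink?"),
                        ("comcast.net", None)]:
            print("%-12s %-32s %s" % (site, q, derive_answer(DEMO_SECRET, site, q)))
    ```

    The third line of the demo shows the limit: a genuine rewording ("favourite") still changes the answer, so either record which wording you used or fall back to the site-only mode.
    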
    12. Re:I haxxored Comcast... by TriezGamer · · Score: 1

      I've basically established a standard answer to any security question and use it universally, regardless of the question. Effectively, it's like having yet another password to remember, but it works well enough.

      Still, I agree with the general sentiment -- especially when the question is such a basic thing as 'your favorite color'.

  12. Slashdotted... by rockNme2349 · · Score: 2, Funny

    I can't seem to find the link to the page with the passwords, seems their servers weren't up to slashdot.
    Can someone post google cache link please?

    --
    Sewage Treatment Facilities - "Our duty is clear."
    1. Re:Slashdotted... by Anonymous Coward · · Score: 1, Informative

      http://66.218.69.11/search/cache?ei=UTF-8&p=%22ComCast+Mail%22++Kevin+Andreyo&fr=yfp-t-501&u=www.scribd.com/doc/9723141/ComCast-Mail&w=%22comcast+mail%22+kevin+andreyo&d=ZjZ_Sp2uSYep&icp=1&.intl=us

    2. Re:Slashdotted... by Hal_Porter · · Score: 2, Funny

      I shall notify the people who have critically weak passwords by email.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:Slashdotted... by HTH+NE1 · · Score: 1

      I shall notify the people who have critically weak passwords by email.

      From themselves?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  13. Heavily encrypted? by ub3r+n3u7r4l1st · · Score: 3, Interesting

    If, according to Comcast, the passwords are heavily encrypted, how the hell can someone find them in clear text?

    That means someone or something somewhere stored this information in clear text to begin with.

    1. Re:Heavily encrypted? by ryszard99 · · Score: 1

      using a dictionary attack?!

      --
      -- $_='ab-bc ratvarre';tr"'a-z'"'n-za-m'";print
    2. Re:Heavily encrypted? by davidphogan74 · · Score: 1

      Many of the passwords shown in the postings I've skimmed past haven't looked like dictionary words. I've actually gone back to an earlier post, and Google'd a few of the higher-security looking ones, and the only result is a single out of order page.

      That makes me fairly certain someone screwed up this one.

    3. Re:Heavily encrypted? by ub3r+n3u7r4l1st · · Score: 1

      Having a dictionary attack of 8000 accounts requires probably 1 million machines using Intel Core i7-965 for a thousand years.

  14. Thank Goodness. by revoldub · · Score: 1

    I mean the following statement with little to no sarcasm at all. How many of you will believe that is a different story.

    I have Slashdot to thank once again for saving me at the last minute from switching from Verizon to Comcast.

  15. Warn the comcast users! by gmuslera · · Score: 1

    I bet there will be a lot of messages around reporting pretty much what the article says, telling the user that his password was disclosed, and asking them to change their password at www.comcast.com.etc.hacksite.com/resetpassword.php.

    There is always space to make a bad situation far worse

    1. Re:Warn the comcast users! by morghanphoenix · · Score: 1

      Too bad I already hunted down the list and verified that my account isn't on it. Well, not that they'd get me anyway, especially since that little trick to show me the wrong url in my navigation bar doesn't work with my browser.

    2. Re:Warn the comcast users! by furby076 · · Score: 1

      My name could be on that list and I wouldn't care. Last time Comcast came around (to replace my broken cable modem) the guy said I was one of their oldest customers using their very out-of-date system. They had to delete my account and recreate it from scratch. My old account was before they issued usernames/passwords. When they asked me what I wanted my username/password to be I looked at the guy and asked him why do I need it. He said for Comcast e-mail. I told him I've survived without Comcast e-mail as one of the "oldest customers" (which I call BS btw) and I would pass. When he called their tech-ops they asked for the desired username/password and he explained to them that the customer (me) could care less. They created something, asked if I wanted it, and I said no. Whoever is using it...enjoy!

      --
      I do not support "The Man". I also do not support your irrational stupidity
    3. Re:Warn the comcast users! by gmuslera · · Score: 1

      What if your username/pw could do something for you, like up/downgrading your connection (or cutting it) or ordering things whose charges go against your account? You couldn't worry about that identity theft regarding the rest of the world, but what about Comcast (and maybe Comcast partners) in particular?

    4. Re:Warn the comcast users! by TheLink · · Score: 1

      Well maybe he could go before a jury of his peers, and say "I didn't do that, it must have been someone using my account".

      And most of the jurors would believe him, since they'd have been phished/keylogged/pwned/comcasted[1] before or knew someone who had.

      [1] Comcasting is the broadcasting of your usernames and passwords.

    5. Re:Warn the comcast users! by Ironica · · Score: 1

      Too bad I already hunted down the list and verified that my account isn't on it. Well, not that they'd get me anyway, especially since that little trick to show me the wrong url in my navigation bar doesn't work with my browser.

      If they do it the way shown above, it does "work," for very low values of work. Your navigation bar would say www.comcast.net.etc.hacksite.com/resetpassword.php, because that would be the REAL URL.

      --
      Don't you wish your girlfriend was a geek like me?
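The subdomain trick Ironica describes above, worked through as an added example (not code from the original thread or from Comcast): the browser shows the real URL, but the real owner of `www.comcast.net.etc.hacksite.com` is whoever registered `hacksite.com`, because everything to the left of the registrable domain is chosen by that owner. The check below takes the registrable domain from the host and flags any brand name appearing to its left, or in the `user@host` part, as a spoof. The tiny suffix set and the list of legitimate Comcast domains are assumptions for the example; a real check would load the full Public Suffix List (publicsuffix.org).

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org); a real
# check must load the full list, which is assumed here rather than embedded.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Assumed for the example: the domains a genuine reset link could live on.
LEGIT_DOMAINS = ("comcast.net", "comcast.com")


def split_url(url):
    """Return (username, hostname); links without a scheme get http:// so
    urlsplit treats the first component as a host rather than a path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("no host in %r" % url)
    return parts.username, parts.hostname.lower().rstrip(".")


def registrable_domain(host):
    """Longest known public suffix plus one label:
    www.comcast.net.etc.hacksite.com -> hacksite.com"""
    labels = host.split(".")
    for n in (2, 1):                       # try the longest suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    raise ValueError("unknown public suffix in %r" % host)


def classify_link(url, legit_domains=LEGIT_DOMAINS):
    """'legitimate' if the registrable domain is one of ours, 'spoof' if a
    brand label sits left of someone else's domain (or in user@host),
    otherwise 'unrelated'."""
    username, host = split_url(url)
    owner = registrable_domain(host)
    if owner in legit_domains:
        return "legitimate"
    brands = {d.split(".")[0] for d in legit_domains}
    # Labels left of the registrable domain are picked by that domain's owner.
    decoy = host.split(".")[:-len(owner.split("."))]
    if username:                           # http://www.comcast.net@hacksite.com/
        decoy += username.lower().split(".")
    if any(label in brands for label in decoy):
        return "spoof"
    return "unrelated"


if __name__ == "__main__":
    for link in ("www.comcast.com.etc.hacksite.com/resetpassword.php",
                 "https://login.comcast.net/",
                 "http://www.comcast.net@hacksite.com/reset",
                 "https://example.org/"):
        print("%-55s %s" % (link, classify_link(link)))
```

The check only catches the brand name used as a whole label; hyphenated lookalikes (`comcast-support.example`) and homoglyph domains need a separate fuzzy comparison, which is why the registrable domain itself, not the left-hand labels, is the only thing worth trusting.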
  16. I'll Give Even Comcast the Benefit of Doubt by carlzum · · Score: 4, Interesting

    I have to believe Comcast is telling the truth and some kind of malware is to blame. Over my many years in corporate IT departments, I've seen customer information handled poorly in many ways. But an application storing passwords in clear text? I can honestly say I've never seen that happen. Maybe in some homegrown internal application, but not a customer-facing web site in the post-SOX era. A company as big as Comcast is certainly using third-party authentication software. They would have to go out of their way to capture passwords.

    If this document is traced back to Comcast they're guilty of more than simple incompetence, they engaged in deliberate unethical behavior.

    1. Re:I'll Give Even Comcast the Benefit of Doubt by lumenistan · · Score: 1

      The old adage works here - never ascribe to malice that which can be easily explained by incompetence.

    2. Re:I'll Give Even Comcast the Benefit of Doubt by Anonymous Coward · · Score: 0

      I've worked for a company that stored user passwords for web administration in cleartext. It was made around 2000 I think, and is still in use. It actually uses dBase...

      I'm glad I quit that job. :)

    3. Re:I'll Give Even Comcast the Benefit of Doubt by AshPattern · · Score: 1

      http://advogato.org/ stores their passwords in plaintext, or at least in non-hash form. I think it's more common than you believe.

    4. Re:I'll Give Even Comcast the Benefit of Doubt by Lord+Ender · · Score: 2, Insightful

      I work at a software company. In security.

      The software engineering team is absolutely certain they don't want corporate IT security anywhere near their precious development process. We would just slow things down. So they all put "security expert" on their resumes and said they don't need us, they know what they're doing, etc.

      Yeah, every app they use has totally botched authentication--plaintext password storage, unsalted hashes--you name the security mistake, these "expert" developers ship it in our top-dollar "enterprise" software.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
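The three storage choices Lord+Ender lists above (plaintext, unsalted hash, salted hash), and the "heavily encrypted vs. dictionary attack" question from comment 13, as one added example that is not code from the thread or from Comcast. The accounts and the wordlist are constructed for the example; PBKDF2 from the Python standard library stands in for whatever slow, salted scheme a real site would use (bcrypt, scrypt or Argon2 would be the usual picks). The point it makes: against an unsalted hash the attacker hashes each word once and looks up every account in the dump at once, so the cost does not grow with the number of accounts, and identical passwords are visible before any cracking; a per-account salt forces one slow derivation per word per account.

```python
import hashlib
import hmac
import os

# Constructed sample dump for the example; not real customer data.
ACCOUNTS = {
    "alice": "letmein",
    "bob": "password1",
    "carol": "letmein",          # same password as alice
    "dave": "Xq7!vR2#pL9m",      # not in the attacker's wordlist
}
# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def store_plaintext(accounts):
    """What a leaked list in clear text looks like: nothing to crack."""
    return dict(accounts)


def store_unsalted(accounts):
    """One fast hash per password, no salt: equal passwords give equal digests."""
    return {user: sha256_hex(pw) for user, pw in accounts.items()}


def store_salted(accounts, iterations=100_000):
    """Per-account random salt plus a slow derivation (PBKDF2-HMAC-SHA256)."""
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        table[user] = (salt, iterations, dk)
    return table


def verify_salted(record, password):
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)     # constant-time comparison


def crack_unsalted(table, wordlist):
    """Hash each word once, then look every stored digest up in that table.
    Returns (cracked, hash_calls); hash_calls == len(wordlist) regardless of
    how many accounts are in the dump."""
    rainbow = {sha256_hex(w): w for w in wordlist}
    cracked = {u: rainbow[d] for u, d in table.items() if d in rainbow}
    return cracked, len(rainbow)


def crack_salted(table, wordlist):
    """Each account has its own salt, so every word is re-derived per account.
    Returns (cracked, derivation_calls)."""
    cracked, calls = {}, 0
    for user, record in table.items():
        for word in wordlist:
            calls += 1
            if verify_salted(record, word):
                cracked[user] = word
                break
    return cracked, calls


if __name__ == "__main__":
    unsalted = store_unsalted(ACCOUNTS)
    print("alice and carol share a digest:", unsalted["alice"] == unsalted["carol"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = store_salted(ACCOUNTS, iterations=2_000)   # low count to keep the demo quick
    print("salted:  ", crack_salted(salted, WORDLIST))
```

In both cases the weak passwords fall; what the salt and the slow function buy is that the work scales with accounts times words times iterations instead of with words alone, and that an attacker cannot tell from the dump which accounts share a password. Neither helps if the application logged or stored the plaintext somewhere else before hashing, which is the scenario comment 13 is pointing at.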
    5. Re:I'll Give Even Comcast the Benefit of Doubt by Anonymous Coward · · Score: 0

      Yeah, I knew of a certain company that I may or may not have worked for that did this. It's not as uncommon as most people think.

      I'm probably remembering wrong, but at one time I don't think MS SQL Server even had an encrypted password field, which would encourage this type of plain-text storage. Can anyone verify/refute this? It seems like that was the case, but it may be that the company I'm speaking of was just being stupid.

      I should point out that the company in question stopped doing this very soon after I got there.

    6. Re:I'll Give Even Comcast the Benefit of Doubt by Bourbonium · · Score: 1

      Of course they're going to blame malware or a third party. They just did a complete re-design of their web-based email system about three weeks ago. System was down for maintenance for a few hours late one night while they moved everything to the new servers. All Comcast customers were notified about the change about a week in advance. I think they sent two or three messages, boasting about all the great changes that were in store for us on the horizon after the new mail system was in place. Chances are the target addresses for the notification message were hacked. Comcast has way more than just 8000 customers, so they could have sent the message out in small groups of, say, 8,000 customers, and one of the transmissions was intercepted.

      Just speculating here, but the timing of this breach is suspicious.

    7. Re:I'll Give Even Comcast the Benefit of Doubt by Ironica · · Score: 1

      I have to believe Comcast is telling the truth and some kind of malware is to blame.

      Malware where? On their installation CD? Because this is a list only of Comcast accounts... so the malware would either have to be targeting Comcast users on their own computers (so, the installation CD provided by the ISP) or it's getting the info from Comcast's computers... which would mean that they're storing passwords in plaintext.

      --
      Don't you wish your girlfriend was a geek like me?
    8. Re:I'll Give Even Comcast the Benefit of Doubt by carlzum · · Score: 1

      I have some advice for your software team from a fellow developer: when you're the sole contributor to the software's security design you assume the risk as well. Let the security experts define the functional requirements and focus on the implementation.

      Security involves more than encrypting passwords and defining some roles. Thorough auditing, timely alerts, and granular data control are mandated by regulations like SOX and HIPAA. A cavalier, do-it-yourself attitude puts you and your company at risk.

    9. Re:I'll Give Even Comcast the Benefit of Doubt by carlzum · · Score: 1

      A keylogger or spyware that reads the browser's auto-complete history could do it. There's even a shareware application that targets Comcast customers which claims to unmask saved passwords in your browser. The fact that this seems limited to Comcast logins is very suspicious. If they are responsible, they deserve to be punished to the greatest extent possible.

  17. security question solution by airdrummer · · Score: 1

    don't use yer mom's real maiden name, just make something up...of course, u'll have 2 remember what u made up;-)

    1. Re:security question solution by Anonymous Coward · · Score: 0

      Learn how to spell the word "you", you fucking moron.

    2. Re:security question solution by Ironica · · Score: 1

      I think he was trying to drop hints about what he uses as his mother's maiden name.

      --
      Don't you wish your girlfriend was a geek like me?
  18. What about Verizon by hawg2k · · Score: 1

    My brother recently tried to get the really cheap low bandwidth DSL from Verizon in IL. The only thing you could do through the DSL modem initially was install the Verizon software that took you through setup.

    My brother doesn't currently have a computer. He wanted the DSL so he could VPN to work with his work computer. The work computer is locked down and will only do VPN to the company over non company networks.

    Using a borrowed computer, he went through the process. All the software did was ask some questions to verify who he was etc. (probably for billing purposes) and allow him to build a Verizon email account etc. All things that could have been done via a web service and a browser, if set up that way.

    This worked for about a week, and then magically reverted, requiring it to be done again. So, he called Verizon explaining that he didn't have a computer, and they basically said he wasn't going to be able to use the service.

    So, did he just get bad information from a bad rep, or is Verizon one company basically forcing you to put software on your computer (at least initially) to set up the account?

  19. what was the question? by airdrummer · · Score: 1

    i've forgotten;-)

  20. What street did you grow up on? by siriuskase · · Score: 1

    One of my charge card accounts actually asked me that. If I answered correctly, all my childhood friends and enemies are in.

    --
    If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest