As We Speak, Teen Social Site Is Leaking Millions Of Plaintext Passwords (arstechnica.com)

← Back to Stories (view on slashdot.org)

As We Speak, Teen Social Site Is Leaking Millions Of Plaintext Passwords (arstechnica.com)

Posted by msmash on Monday September 26, 2016 @08:05AM from the security-woes dept.

Dan Goodin, reporting for ArsTechnica: A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed. Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website. The hacker provided the 2.2 million account credentials both to Ars and breach notification service Have I Been Pwned?. By plugging randomly selected e-mail addresses into the forgotten password section of i-Dressup, both Ars and Have I Been Pwned? principal Troy Hunt found that they all were used to register accounts on the site. Ars then used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed.

67 of 126 comments (clear)

Min score:

Reason:

Sort:

Exposing those who store plaintext passwords by Anonymous Coward · 2016-09-26 08:13 · Score: 1

I've tried being nice, writing to CIOs and CISOs to let them know of their security lapses, but they rarely do anything. Is there anything short of hacking them that will get their attention?
1. Re:Exposing those who store plaintext passwords by infolation · 2016-09-26 08:32 · Score: 1
  
  Is there anything short of hacking them that will get their attention?
  Slashdot them. And bringing their site to its knees will also stop it leaking passwords so quickly.
2. Re:Exposing those who store plaintext passwords by NatasRevol · 2016-09-26 08:40 · Score: 1
  
  There are a few companies that might respond, but generally the answer is no. Because they have legal resources to threaten you. For exposing their lack of security. Cheaper for them to lawyer up than secure up.
  
  --
  There are two types of people in the world: Those who crave closure
3. Re:Exposing those who store plaintext passwords by geekmux · 2016-09-26 09:21 · Score: 2
  
  There are a few companies that might respond, but generally the answer is no. Because they have legal resources to threaten you. For exposing their lack of security. Cheaper for them to lawyer up than secure up.
  It's kind of hard to get those "legal resources" to work for you when they suddenly discover you have no revenue left to pay them, due to an incessant stream of constant and successful hacking.
  By not addressing security, at some point you'll either run out of customers or money. Either way means death in business unless you're smart enough to respect all of the risks to prevent a premature demise.
4. Re:Exposing those who store plaintext passwords by NatasRevol · 2016-09-26 09:22 · Score: 1
  
  That's not really how it works in the real world.
  
  --
  There are two types of people in the world: Those who crave closure
5. Re:Exposing those who store plaintext passwords by OrangeTide · 2016-09-26 09:33 · Score: 1
  
  They won't do anything unless something has immediate financial consequences. And even when they are hacked, they cry about being the victim and how hackers cost them millions of dollars. They need to be told: No, not spending a few thousand dollars on regular audits is why you lost millions of dollars.
  
  --
  “Common sense is not so common.” — Voltaire
6. Re:Exposing those who store plaintext passwords by sg_oneill · 2016-09-26 10:03 · Score: 1
  
  That's not really how it works in the real world.
  I'd bet Ashley Maddisons subscriber count is way down.
  
  --
  Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
7. Re:Exposing those who store plaintext passwords by gweihir · 2016-09-26 10:42 · Score: 1
  
  They need to be found guilty of gross negligence and sent to prison. Before that happens, nothing will change.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
8. Re:Exposing those who store plaintext passwords by OrangeTide · 2016-09-26 12:24 · Score: 1
  
  I don't think much will happen, considering business executives don't go to prison for knowingly putting tainted water into the pipes or leaking gas into people's homes. Leaking passwords seems like a minor thing, maybe if the banks and credit companies got tired of paying, but I suspect those guys have figured out a way to pass the costs onto customers or the individual account holders.
  
  --
  “Common sense is not so common.” — Voltaire
9. Re:Exposing those who store plaintext passwords by arglebargle_xiv · 2016-09-26 18:30 · Score: 1
  
  It's not so bad, fully 50% of the users were actually FBI agents pretending to be 14-year-old girls. The remaining 99.999% were guys pretending to be teenage girls. The one genuine girl on the site has said she's not too fussed since she didn't use it that much anyway, it was too full of FBI agents and guys.
10. Re:Exposing those who store plaintext passwords by TheRaven64 · 2016-09-26 21:27 · Score: 1
  
  Make sure that you let them know that, because you have gone through responsible disclosure, if they are compromised then you will happily testify in court that they were aware of the insecurity of the personal information and that this makes them liable for increased damages for any compromise resulting in a failure to address the issue in a number of jurisdictions.
  
  --
  I am TheRaven on Soylent News
11. Re:Exposing those who store plaintext passwords by kc7rad · 2016-09-27 04:28 · Score: 1
  
  IMHO you will get nowhere contacting CIOs and CFOs. Do a little poking and contact the network admins or engineers. Have done that a few times and generally received thanks (and a few t-shirts and mousepads).
12. Re:Exposing those who store plaintext passwords by TechnoJoe · 2016-09-27 05:51 · Score: 1
  
  There’s a difference between exposing a lack of security and hacking.
  For example, I once found a site that sent me my plaintext password in an email. After receiving no response, I reported the site (which had a local, physical presence) to my Attorney General. I argued that the site’s Privacy Policy said they would take reasonable steps to protect my information, and sending out my password as unencrypted plaintext fell short of that standard. I also argued that they should follow a generally accepted security practice, like PBKDF2 as an example.
  The AG letter got the site to respond. They specifically refuted the need to store the passwords according to any generally accepted standard, saying there was no law requiring them to. However, I got them to stop sending out unencrypted passwords in plaintext.
  You might think this is a hollow victory, but the victory comes if/when the site is hacked. If hacked, and if someone sues the site over the hack, the site’s refusal to implement generally accepted password encryption will show up during discovery. It will be very damaging to their case, and it may even make the case eligible for punitive damages.
  Given an uncooperative/hostile site, I think this is the best anyone can do.
It's a pity... by OpenSourced · 2016-09-26 08:13 · Score: 4, Funny

It's a pity that they didn't enroll little Bobby Tables in that website. That would have taught them to sanitize their SQL input.

--
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
1. Re:It's a pity... by ShanghaiBill · 2016-09-26 09:02 · Score: 3, Insightful
  
  The real problem was not SQL vulnerabilities. Plain text passwords should never be transmitted to servers. They should be salted and hashed on the client. It should have been clear to anyone that bothered to look at the data being transmitted that this website had major security problems and was developed by clueless amateurs.
2. Re:It's a pity... by KFK2 · 2016-09-26 09:24 · Score: 4, Insightful
  
  So then the hash becomes a plain text password?....
3. Re:It's a pity... by The+MAZZTer · 2016-09-26 09:33 · Score: 2
  
  Yup. Sending the plain text password to the server is the way to go, since you can't and should not trust the client to do any cryptographic work for you with it. But what you SHOULD do for sure is use HTTPS... then it doesn't matter that it's plain text, using HTTPS will be your encryption for sending it over the network. Chrome has started flagging pages that have login forms submitting to HTTP to notify users the page is not secure. Good move.
4. Re:It's a pity... by ShanghaiBill · 2016-09-26 09:38 · Score: 1
  
  So then the hash becomes a plain text password?....
  ... except that it is not plain text because it is salted and hashed, so even if it is later compromised, it is useless for logging into other sites.
  If you transmit the plain text password to the server before hashing, you are open to multiple vulnerabilities. It is vulnerable in transit, it is vulnerable to memory side attacks on the server, it is vulnerable to VM compromises if it is swapped to disk, it is vulnerable to compromised software on your server, and it is vulnerable to disloyal employees. And all of that is even if neither you nor any of your employees are stupid enough to actually store it in a DB.
  Plain text passwords should never leave the client.
5. Re:It's a pity... by ShanghaiBill · 2016-09-26 09:47 · Score: 1
  
  if somebody grabs a copy of it from the server they can still log in by sending that as the salted-crypted password.
  Only if you use single-factor-auth. If you use a known-client cookie as a second factor, this problem goes away. If the user is logging in from an unknown client, then you ask a security question or send a code to their registered cellphone, or whatever.
  Proper security is done in depth. Each level needs to be reasonably secure without compromising convenience. Client-side hashing is not a panacea that solves everything, but it is a simple common sense step that adds an extra layer of security.
6. Re:It's a pity... by Todd+Knarr · 2016-09-26 09:47 · Score: 1
  
  HTTP has had this forever: challenge/response authentication. There's one problem with it though: it requires storing the plaintext password on the server so it can be used to encrypt the challenge to check against the client's response. I don't know of any challenge/response algorithm that works with one-way hashes of passwords.
7. Re:It's a pity... by ShanghaiBill · 2016-09-26 10:33 · Score: 1
  
  There's one problem with it though: it requires storing the plaintext password on the server
  No it doesn't. You can store a salted hash and then perform the challenge/response against a regenerated hash on the client.
  
  I don't know of any challenge/response algorithm that works with one-way hashes of passwords.
  I don't know of any that don't. Why would an algorithm care if the "password" was plaintext or a hash?
8. Re:It's a pity... by gweihir · 2016-09-26 10:48 · Score: 1
  
  Indeed. Some people are really clueless. No, the plaintext-passwords can be sent, but the need to be sent over a secured channel and they need to never be stored and erased immediately after comparison.
  Incidentally, unless you iterate the hash an appropriate number of times (say at least 100'000 times at the moment, but better use pbkdf2 or far better Argon2 with a similar number of iterations) you will still be insecure.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
9. Re:It's a pity... by gweihir · 2016-09-26 10:50 · Score: 1
  
  And how, please tell us, are you supposed to do that login without sending the salted hash? And how do you do that salting and hashing on the client in the first place? Push some code to the client? Not smart at all.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
10. Re:It's a pity... by gweihir · 2016-09-26 10:52 · Score: 1
  
  Indeed. Of course you should store the password salted and hashed a few 100'000 times on the server (better do it right and use pbkdf2 or Argon2) and you should dispose of that plain-text password immediately after you have compared it.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
11. Re:It's a pity... by ShanghaiBill · 2016-09-26 11:41 · Score: 1
  
  No, the plaintext-passwords can be sent
  But there is no reason to send them. You are just exposing yourself and your user to unnecessary extra vulnerabilities.
  
  ... and erased immediately after comparison.
  How do you ensure they are "erased" from your VM backing store, or the kernel cache, or memory that has just been reallocated to another instance owned by another company?
12. Re:It's a pity... by ShanghaiBill · 2016-09-26 11:57 · Score: 2
  
  Sending the plain text password to the server is the way to go
  There is no advantage in doing that, and many disadvantages.
  
  since you can't and should not trust the client to do any cryptographic work for you with it.
  Hashing on the client is an additional level of security, not a replacement for existing levels, so no extra "trust" is required.
  
  But what you SHOULD do for sure is use HTTPS...
  Yes. Duh.
  
  then it doesn't matter that it's plain text, using HTTPS will be your encryption for sending it over the network.
  HTTPS only protects you during transmission It does not protect you from server side attacks or from dishonest/incompetent employees.
  
  Chrome has started flagging pages that have login forms submitting to HTTP to notify users the page is not secure. Good move.
  Yes, that is a good move. The next step would be to warn users if their just typed password is being transmitted in plaintext. That would encourage best practices, and would have prevented the leak described in TFA.
13. Re:It's a pity... by ShanghaiBill · 2016-09-26 12:09 · Score: 1
  
  this is moot if you use a secure channel and appropriately salt the password on the server.
  ... and your system is absolutely perfectly secure in every other possible way, and all your employees are perfectly competent, and their loyalty has been guaranteed by Suk Imperial Conditioning.
  
  The resultant hash *is* effectively your password and is just as susceptible to password leaks via weak encryption or bad caching practices.
  ... except the consequences of that leak are less severe because it is worthless for attacking other systems. It doesn't make your site more secure, but it makes your users more secure, and it makes us all collectively more secure.
  
  DO NOT STORE THE PASSWORD ON THE SERVER!!! This, of course, includes caches.
  How many PHP back end coders know how to clear a kernel cache?
14. Re:It's a pity... by ShanghaiBill · 2016-09-26 12:35 · Score: 1
  
  And how, please tell us, are you supposed to do that login without sending the salted hash?
  And how, please tells us, would it be better, in any way, to send the plaintext password instead?
  
  Push some code to the client? Not smart at all.
  The entire web is based on servers sending stuff to clients. How is sending code over HTTPS any less secure than sending plaintext passwords?
15. Re:It's a pity... by gweihir · 2016-09-26 15:35 · Score: 2
  
  1. There is also no reason not to send them, as anything you can send instead does not provide any benefit.
  2. Please read up on this. This is a solved problem.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
16. Re:It's a pity... by gweihir · 2016-09-27 11:10 · Score: 1
  
  I am not convinced that helps, because suddenly you have pretty complex crypto on the user's side and that may just leak the passwords as well. Especially as passwords handled right on the server side no _not_ leak.
  I do agree that the state of web-application security is a very sad one, but this is an attempt to fix the wrong problem.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Private industry doing it better than government by smooth+wombat · 2016-09-26 08:13 · Score: 2, Insightful

Just last week we had the half billion accounts from Yahoo! leaked and now this website, after being notified it has a problem, leaves things in place to continue leaking credentials.

Yeah, private industry is so great compared to government.

--
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Ah yes... by The-Ixian · 2016-09-26 08:15 · Score: 5, Funny

The old SQL injection attack.... been around since the beginning of forever but will web devs ever learn to take simple steps to protect their SQL backends? newp...
Let's make sure we never sanitize HTML and never parameterize our SQL queries... that would just be like soooo neckbeard....

--
My eyes reflect the stars and a smile lights up my face.
1. Re:Ah yes... by Anonymous Coward · 2016-09-26 08:18 · Score: 3, Insightful
  
  How about not storing passwords in plaintext? That way, simple attack, or more sophisticated attack, you're not just handing them credentials carte blanche....
2. Re:Ah yes... by The-Ixian · 2016-09-26 08:25 · Score: 1
  
  Of course... they all go hand in hand.
  An SQL injection attack is the easiest thing to close the loop on though. It is the low hanging fruit of security. At least start with that... then we can talk encryption...
  
  --
  My eyes reflect the stars and a smile lights up my face.
3. Re:Ah yes... by tlhIngan · 2016-09-26 08:35 · Score: 2
  
  An SQL injection attack is the easiest thing to close the loop on though. It is the low hanging fruit of security. At least start with that... then we can talk encryption...
  Or hashing.
  SQL injectable website, passwords in plain text...I'm sure there's a third "security best practice" that's not being followed.
  I mean, geez, plain text passwords hasn't been in on any "industry best practice" since never. If there's any reason to make yourself completely vulnerable to being sued, this would be it.
4. Re:Ah yes... by Qzukk · 2016-09-26 08:40 · Score: 1
  
  I'm sure there's a third "security best practice" that's not being followed.
  I bet one of the accounts on there is a test account for the developer to test with in production, and the username/password is the same as the password to the FTP server or to the DNS registry or some other important service.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
5. Re:Ah yes... by gweihir · 2016-09-26 10:55 · Score: 1
  
  Maybe there is a secret society that is dedicated to keeping old vulnerabilities alive. Would explain why the same tired old mistakes are made time and again.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Private industry doing it better than governmen by BarbaraHudson · 2016-09-26 08:16 · Score: 1

I-Dressup? Sounds like a cross-dresser forum. Either way, it's like the Yahoo and Ashley Madison passwords - nothing of value was lost.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:Private industry doing it better than governmen by LeftCoastThinker · 2016-09-26 08:19 · Score: 1

Pretty sure they are both doing a crap job at securing sensitive data. The good thing about private industry is that there are laws penalizing them for this kind of behavior, and they can also be sued. For all intents and purposes it is impossible to sue the federal government so there is very little accountability.

--
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
Re:Private industry doing it better than governmen by The-Ixian · 2016-09-26 08:19 · Score: 2

I am guessing.... just making a wild stab in the dark here... that these account credentials are the most valuable of all. They belong to a group of people who likely have accounts all over the place all using the same credentials and no 2FA.

--
My eyes reflect the stars and a smile lights up my face.
Re:Private industry doing it better than governmen by BarbaraHudson · 2016-09-26 08:22 · Score: 1

Only a perv would want to steal kiddie log-ins. Be a good way to track them down by "accidentally" leaking them.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
full destruction by XparXnoiaX · 2016-09-26 08:31 · Score: 1

Full destruction of the company is the only way to stop these kinds of stupid things from happening. Plaintext passwords are negligent, have been known to be negligent for longer than the internet has existed.

--
Irresponsible disclosure is responsible
1. Re:full destruction by OverlordQ · 2016-09-26 09:31 · Score: 1
  
  No, that's not what responsible disclosure is.
  
  --
  Your hair look like poop, Bob! - Wanker.
Re:Private industry doing it better than governmen by The-Ixian · 2016-09-26 08:32 · Score: 1

I was thinking spammers.... but ok....

--
My eyes reflect the stars and a smile lights up my face.
Re:Private industry doing it better than governmen by sims+2 · 2016-09-26 08:32 · Score: 1

So when do the forced Yahoo password changes start?

--
Minimum threshold fixed. Thanks!
Re:Private industry doing it better than governmen by NatasRevol · 2016-09-26 08:41 · Score: 2

Teens also have credit cards, 976 number redialing, botnet possibilities.
In spite of BarbarHudson's ignorance, anything at this scale is very valuable.

--
There are two types of people in the world: Those who crave closure
Re:Private industry doing it better than governmen by rudy_wayne · 2016-09-26 08:43 · Score: 1

The good thing about private industry is that there are laws penalizing them for this kind of behavior
And how often has anyone received a meaningful punishment for this sort of thing? That would be somewhere close to . . . never.

and they can also be sued.
And how often has anyone been successfully sued over this sort of thing? See the answer to the question above.
Re:Private industry doing it better than governmen by BarbaraHudson · 2016-09-26 08:45 · Score: 1

None of this is of any value if you don't give your kids access to your credit card. And if you do, then you're already exposed to bigger threats.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:Private industry doing it better than governmen by smooth+wombat · 2016-09-26 08:51 · Score: 1, Insightful

The good thing about private industry is that there are laws penalizing them for this kind of behavior,

Hogwash. Target settled with a $10 million payout: $10K per affected person. $10 million is less than the compensation package for Brian Cornell, CEO of Target, in 2015. That "penalty" barely ranks as an itch on the Target balance sheet.

Home Depot settled for $19.5 million. A bit better but nothing to write home about.

Penalties are supposed to hurt. They are supposed to be designed to either force or encourage better behavior. The above two examples do not fall into the category and from the look of things, nor do other penalties for data breaches.

--
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
In the eternal words of Grumpy Cat... by Gravis+Zero · 2016-09-26 08:53 · Score: 1

GOOD.

--
Anons need not reply. Questions end with a question mark.
Re:Private industry doing it better than governmen by NatasRevol · 2016-09-26 08:57 · Score: 1

"If"
Guess what?
The real world is that they HAVE credit cards, debit cards, phones, cars, money, drugs, sex.
Move on to the real world.

--
There are two types of people in the world: Those who crave closure
Re:Private industry doing it better than governmen by Mycroft-X · 2016-09-26 08:59 · Score: 1

The difference being that neither yahoo nor idressup can legally use guys with guns to force me to register on their websites (and that's what it would take, for those two at least).
Comment removed by account_deleted · 2016-09-26 09:02 · Score: 1

Comment removed based on user account deletion
you forgot the sarcasm tag. by publiclurker · 2016-09-26 09:04 · Score: 1

wouldn't want anyone to think you were serious.
Re:Private industry doing it better than governmen by pr0fessor · 2016-09-26 09:07 · Score: 1

This also covers teens who have jobs and their own bank accounts...
Re:Private industry doing it better than governmen by ShanghaiBill · 2016-09-26 09:11 · Score: 4, Insightful

None of this is of any value if you don't give your kids access to your credit card.
My 16 year old daughter has had her own card since she was 10.

And if you do, then you're already exposed to bigger threats.
Like kids who have learned responsibility and basic financial management? Just make sure the limit is low, and let kids make mistakes and learn from them. Your kids won't grow up to be capable and responsible adults if you shelter them from reality and make every decision for them.
Re:Private industry doing it better than governmen by HornWumpus · 2016-09-26 09:29 · Score: 1

Your SIG:
Are you saying Frankenferter is not a transexual?

--
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Re:ROFLCOPTER by NatasRevol · 2016-09-26 10:33 · Score: 1

Now that's funny.

--
There are two types of people in the world: Those who crave closure
Re:Private industry doing it better than governmen by Mal-2 · 2016-09-26 11:58 · Score: 1

Are you saying Frankenferter is not a transexual?
He's from Transsexual, but actually just a sweet transvestite.

--
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
Re:Private industry doing it better than governmen by BarbaraHudson · 2016-09-26 12:08 · Score: 1

Then the people who have unreal expectations of how benign the real world is will learn the hard way. That's how people learn in the real world - by experience.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:ROFLCOPTER by BarbaraHudson · 2016-09-26 12:09 · Score: 1

Too ban that the law, my birth certificate, my ID, and my doctors all disagree with you. I'll take educated specialists over some know-nothing internet troll.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:Private industry doing it better than governmen by BarbaraHudson · 2016-09-26 12:23 · Score: 1

Kids who have their own bank accounts and jobs wouldn't be on a site that caters to tweens (kids between 8 and 12). It's a site built around a flash game where kids can dress up their i-dolls and save them. and make stamps. teen-agers wouldn't be caught dead there.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:Private industry doing it better than governmen by houghi · 2016-09-27 00:17 · Score: 1

Your kids won't grow up to be capable and responsible adults if you shelter them from reality and make every decision for them.
This is so true. Know a girl that was "protected" by her parents. She was not even allowed to play with any other kids. Then at 18 she was an adult and was aset free. Within 2 months she was known as the school slut.

--
Don't fight for your country, if your country does not fight for you.
Re:Private industry doing it better than governmen by r2rknot · 2016-09-27 00:43 · Score: 1

Let me tell you about my SSN, and PII being lost/exposed/incorrectly released by government employees. Multiple times, multiple agencies.

--
"...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
Re:Private industry doing it better than governmen by pr0fessor · 2016-09-27 01:23 · Score: 1

I don't have any daughters but I have 6 nieces that are 15 to 34 yrs old and two of them still watch Disney shows and little kid cartoons like Dora the Explorer. I wouldn't be surprised if they were into i-dressup also and that's a 22 and 27yr old.
Re:Private industry doing it better than governmen by operagost · 2016-09-27 02:46 · Score: 1

You just discovered that there are incompetent IT professionals in both the public and private sector. Congratulations.

--

Gamingmuseum.com: Give your 3D accelerator a rest.
Re:ROFLCOPTER by BarbaraHudson · 2016-09-27 03:12 · Score: 1

Who knows? Never been sequenced, probably never will be. Of course, if I were really desperate, I'd just get a bone marrow transplant from a woman and blood tests would then show female, but it doesn't matter, because in the eyes of the law (including the bathroom bill laws) it's what's on your birth certificate that counts, and mine now says female.
Also, the law is unenforceable. They can't just demand to see people's birth certificates because they are suspicious - the US Supreme Court has said that profiling is illegal when trying to enforce a law. So unless you're ready to check everyone's birth cert (and who the hell carries one around with them anyway), you're open to a federal law suit, doesn't matter what the state law says. So saith the Supreme Court :-)
Must suck to be on the wrong side of the law.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.