Matakishi | 06 Feb 2015 3:36 p.m. PST |
It was brought to my attention that my password is in the url to my (cancelled) advertiser's statistics page. A quick google check shows every other advertiser has the same problem. This needs to be remedied, without the usual blame-switching and obfuscation, immediately. I have of course changed my password but words fail me as to the blatant disregard for basic online privacy laws and decorum that this demonstrates. Sort this out Bill. |
Mako11 | 06 Feb 2015 3:41 p.m. PST |
That is very bad. To be fair though, on-line privacy is now a myth, and a rather quaint, old-fashioned, and long-gone notion. Just look at all of the medical security breaches, and lack of protections for the ACA, NSA scandals, and other security failures at major retailers, investment institutions, and banks, too. |
Weasel | 06 Feb 2015 3:51 p.m. PST |
Gwydion | 06 Feb 2015 4:03 p.m. PST |
Yes, me too apparently. Appreciate it is an oversight Bill – but please change it asap. Thanks. |
DS6151 | 06 Feb 2015 4:11 p.m. PST |
"To be fair though, on-line privacy is now a myth, and a rather quaint, old-fashioned, and long-gone notion." Which is why you will post your bank details here for us. Now. Right? Ah, I see. Privacy is dead, but hypocrisy lives on. Good to know. |
Maddaz111 | 06 Feb 2015 4:20 p.m. PST |
Wondering why you didn't message Bill rather than putting this out on open view? |
B6GOBOS | 06 Feb 2015 4:28 p.m. PST |
No. This is not some government sponsored group of computer gurus or secret mob hackers breaching computer security. This is sloppy computer work and a failure to enact simple security. I showed the site to some of the IT people at work and asked about security "if" I was an advertiser. They are still laughing at what they called up and saw. One asked if I had given him any password and if so change them pronto. I understand Bill is working on TMP but what the heck is he and the editorial staff doing right now? |
Matakishi | 06 Feb 2015 4:37 p.m. PST |
@ Maddaz111 Messages to Bill have remained unanswered. This is already on open view, that's the whole point. At least now more people who are affected know to do something about it. |
etotheipi | 06 Feb 2015 4:49 p.m. PST |
"on-line privacy is now a myth" On-line privacy has always been a myth. The Internet (back when it was ARPANet) was explicitly built without any capability for what we would call privacy. It continues to be that way to this day (which is one of the prime reasons it works as well as it does). The United States (and other countries) have on-line privacy laws. These are not part of the technology, they were placed on top of it (in much the same way that you are not allowed to legally pick the lock on my front door, whether you can or not). But every time you send data to the Internet, you are agreeing that anyone getting your data is free to send it to countries where those laws do not have jurisdiction. So, you did not notice this when you got the link to your advertiser's page? It was pretty obvious. |
Matakishi | 06 Feb 2015 5:00 p.m. PST |
Obvious doesn't make it right (or lawful). |
etotheipi | 06 Feb 2015 5:03 p.m. PST |
Actually, it does. You got the URL and decided to use it. There is nothing posted on the TMP servers with your password exposed that someone can get to. Only when you send that URL out to a DNS does your password transit the Internet. |
Editor in Chief Bill | 06 Feb 2015 5:52 p.m. PST |
When you became an advertiser, you received an email which began with… "Your private TMP advertising account page has been set up at: (Note that your password is in the URL)" Therefore, this should come as no great surprise to anyone. And if you are not careful, and somehow your URL (with the password) gets out, what can someone do with it? Gosh, I guess they could send a Hobby News story in for publication. That's about it. And no, the passwords are not on "public display" unless you make them so. |
etotheipi | 06 Feb 2015 6:33 p.m. PST |
They could also pay your advertising bill. |
darthfozzywig | 06 Feb 2015 6:38 p.m. PST |
Still a bonehead design to put passwords in a URL. |
14Bore | 06 Feb 2015 6:45 p.m. PST |
or sabotage a competitor. |
Editor in Chief Bill | 06 Feb 2015 7:36 p.m. PST |
"Still a bonehead design to put passwords in a URL." It was a simple design, and the password is not particularly useful to anyone. "Now it's been flagged up as a problem, at the very least a private email to every advertiser past and present warning them of this and to be careful about the data in the url should be sent out immediately." They were warned when they were issued with the URL. "I'd also hope that system would be quickly reworked so that any passwords were either encrypted or better still not included in the url!" This is being discussed on the advertisers forum. |
Editor in Chief Bill | 06 Feb 2015 7:38 p.m. PST |
"or sabotage a competitor." How? The two advertisers that compromised their passwords have had new passwords issued. Even if someone could get the password, they can't do much with it, that's not how the system is designed. |
darthfozzywig | 06 Feb 2015 7:57 p.m. PST |
My apologies for how I phrased that. |
Rebelyell2006 | 06 Feb 2015 10:02 p.m. PST |
"It was a simple design, and the password is not particularly useful to anyone." It is if a person does not use different passwords for different websites. |
etotheipi | 07 Feb 2015 3:30 a.m. PST |
"Still a bonehead design to put passwords in a URL." "It was a simple design, and the password is not particularly useful to anyone." Technically, the practice is unwise. I linked to the URL specification because it is pretty obvious that some people are using the web but don't really know how it works, which is also unwise. If you really want to understand how the small number of password parts (not the entire thing) got compromised, you also should read up on how the webcrawler that found the info works, how the specific URL in question works, and a little bit about how they interact. "It is if a person does not use different passwords for different websites." Whether or not someone does something unwise with their passwords does not affect the quality of the solutions others provide for the systems on which they use those passwords. You really can't expect a system you use to compensate for your own multiple errors. If you use the same password for multiple sites and actively publish your password data from one of them, you can't hold that site's security liable. Or the security of the other sites for which you use the same password. No link to why reusing passwords is unwise. Just Google "don't use the same password" and pretty much every modern computer security company will tell you that (as opposed to the stuff above that you would actually have to look for). Also, that advice predates the Internet, and computers, by a bit as it was a part of common knowledge when Byzantium stood up one of the first government espionage agencies about 2,500 years ago. |
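The thread keeps circling the same mechanism: a password carried in a URL query string is copied everywhere the URL goes, including web server access logs, browser history, and the Referer header the browser attaches when the page loads a resource from another host, which is how crawlers and third parties end up holding it. The following is an added example, not TMP's code and not anything from the site being discussed, showing how a site operator can audit their own logs for this and scrub the values before the logs are shared or retained. The log lines are constructed, and the list of "sensitive" parameter names is an assumption about what such a site might use:

```python
"""Find and redact credentials carried in URL query strings in web server logs.

Added example (not TMP's code). The log lines and parameter names below are
constructed for illustration; adjust SENSITIVE_PARAMS to the site's own names.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry secrets (assumed list, extend as needed).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "apikey", "api_key", "secret"}

# Apache/nginx "combined" log format: client, identity, user, [time], "METHOD path proto",
# status, size, "referer", "user-agent". Named groups let us rebuild the line after redaction.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] "\S+ )'   # everything up to the request path
    r'(?P<path>\S+)'                            # request path (+ query string)
    r'(?P<mid> \S+" \d{3} \S+ ")'               # protocol, status, size, opening quote of referer
    r'(?P<referer>[^"]*)'                       # Referer header as sent by the browser
    r'(?P<post>" ".*)$'                         # closing quote and user-agent
)


def find_secrets_in_url(url):
    """Return the sorted names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url, mask="REDACTED"):
    """Replace the value of every sensitive query parameter with `mask`, keep the rest."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, mask if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log_line(line):
    """Return (findings, redacted_line) for one combined-format log line.

    findings is a list of (field, param) pairs, where field is "path" or "referer".
    Lines that do not match the format are returned unchanged with no findings.
    """
    m = LOG_RE.match(line)
    if not m:
        return [], line
    findings = [(field, name)
                for field in ("path", "referer")
                for name in find_secrets_in_url(m.group(field))]
    redacted = (m.group("pre") + redact_url(m.group("path")) + m.group("mid")
                + redact_url(m.group("referer")) + m.group("post"))
    return findings, redacted


def scan_log(lines):
    """Scan many lines; return ([(line_no, field, param), ...], [redacted lines])."""
    hits, redacted = [], []
    for number, line in enumerate(lines, 1):
        findings, clean = scan_log_line(line)
        hits.extend((number, field, name) for field, name in findings)
        redacted.append(clean)
    return hits, redacted


# Constructed sample: line 1 is the stats page itself being fetched with the password in the
# query string; line 2 is an image on that page being fetched, where the browser has copied the
# full stats URL (password included) into the Referer header; line 3 is an ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2015:15:36:02 +0000] "GET /advertiser/stats?acct=example&password=hunter2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Feb/2015:15:40:11 +0000] "GET /images/banner.png HTTP/1.1" 200 8800 "http://example.invalid/advertiser/stats?acct=example&password=hunter2" "Mozilla/5.0"',
    '192.0.2.44 - - [06/Feb/2015:15:41:00 +0000] "GET /forum/thread?id=1234 HTTP/1.1" 200 2048 "-" "crawler/1.0"',
]

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for number, field, name in found:
        print(f"line {number}: credential parameter '{name}' in {field}")
    print("\n".join(clean))
```

The second sample line is the one worth noticing: the stats page never had to be "posted" anywhere for the password to leave the site, because any image, script or advert it embeds from another host receives the full URL as a Referer. Moving the secret out of the query string (a session cookie, an opaque per-account token that is not the password, or a POST body) is the fix; the scanner above only limits how far an existing leak spreads through logs.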
galvinm | 07 Feb 2015 6:44 p.m. PST |
First email addresses and now passwords. This is not good. What is going on? |
nazrat | 08 Feb 2015 8:20 a.m. PST |
Ah, TMP-- where the storms in the cups are neverending! Sail on, boys. Sail on. |
Robert Kennedy | 08 Feb 2015 10:51 a.m. PST |
Editor in Chief Bill | 08 Feb 2015 2:53 p.m. PST |
"First email addresses and now passwords. This is not good. What is going on?" Not really sure what you're on about. Yes, we've used a relatively low-security method for advertisers to access a particular report. We felt the level of security was appropriate for the information involved. Yes, if an advertiser is not careful, he might leak the URL containing his account password. With hundreds of advertisers over the years, this has apparently happened just twice. Can someone do anything malicious if he gets the password? No. |
Militia Pete | 10 Feb 2015 6:31 p.m. PST |
RebelYell hit me again if you are in SC. I am in Lexington. |