"Advertisers' passwords on public display" Topic


26 Posts

3,372 hits since 6 Feb 2015
©1994-2021 Bill Armintrout

Matakishi, 06 Feb 2015 3:36 p.m. PST

It was brought to my attention that my password is in the url to my (cancelled) advertiser's statistics page. A quick google check shows every other advertiser has the same problem.

This needs to be remedied, without the usual blame-switching and obfuscation, immediately.

I have of course changed my password but words fail me as to the blatant disregard for basic online privacy laws and decorum that this demonstrates.

Sort this out Bill.

Mako11, 06 Feb 2015 3:41 p.m. PST

That is very bad.

To be fair though, on-line privacy is now a myth, and a rather quaint, old-fashioned, and long-gone notion.

Just look at all of the medical security breaches, and lack of protections for the ACA, NSA scandals, and other security failures at major retailers, investment institutions, and banks, too.

Weasel, 06 Feb 2015 3:51 p.m. PST

Holy ****

Gwydion, 06 Feb 2015 4:03 p.m. PST

Yes, me too apparently. Appreciate it is an oversight Bill – but please change it asap. Thanks.

DS6151, 06 Feb 2015 4:11 p.m. PST

To be fair though, on-line privacy is now a myth, and a rather quaint, old-fashioned, and long-gone notion.

Which is why you will post your bank details here for us. Now. Right?
Ah, I see. Privacy is dead, but hypocrisy lives on. Good to know.

Maddaz111, 06 Feb 2015 4:20 p.m. PST

wondering why you didn't message bill rather than putting this out on open view?

B6GOBOS, 06 Feb 2015 4:28 p.m. PST

No. This is not some government sponsored group of computer gurus or secret mob hackers breaching computer security. This is sloppy computer work and a failure to enact simple security. I showed the site to some of the IT people at work and asked about security "if" I was an advertiser. They are still laughing at what they called up and saw. One asked if I had given him any password and if so change them pronto.
I understand Bill is working on TMP but what the heck is he and the editorial staff doing right now?

Matakishi, 06 Feb 2015 4:37 p.m. PST

@ Maddaz111
Messages to Bill have remained unanswered.
This is already on open view, that's the whole point. At least now more people who are affected know to do something about it.

etotheipi (Sponsoring Member of TMP), 06 Feb 2015 4:49 p.m. PST

on-line privacy is now a myth

On-line privacy has always been a myth. The Internet (back when it was ARPANet) was explicitly built without any capability for what we would call privacy. It continues to be that way to this day (which is one of the prime reasons it works as well as it does).

The United States (and other countries) have on-line privacy laws. These are not part of the technology, they were placed on top of it (in much the same way that you are not allowed to legally pick the lock on my front door, whether you can or not).

But every time you send data to the Internet, you are agreeing that anyone getting your data is free to send it to countries where those laws do not have jurisdiction.

So, you did not notice this when you got the link to your advertiser's page? It was pretty obvious.

Matakishi, 06 Feb 2015 5:00 p.m. PST

Obvious doesn't make it right (or lawful).

etotheipi (Sponsoring Member of TMP), 06 Feb 2015 5:03 p.m. PST

Actually, it does.

You got the URL and decided to use it.

There is nothing posted on the TMP servers with your password exposed that someone can get to. Only when you send that URL out to a DNS does your password transit the Internet.

Editor in Chief Bill (The Editor of TMP Fezian), 06 Feb 2015 5:52 p.m. PST

When you became an advertiser, you received an email which began with…

Your private TMP advertising account page has been set up at:

(Note that your password is in the URL)

Therefore, this should come as no great surprise to anyone.

And if you are not careful, and somehow your URL (with the password) gets out, what can someone do with it?

Gosh, I guess they could send a Hobby News story in for publication.

That's about it.

And no, the passwords are not on "public display" unless you make them so.

etotheipi (Sponsoring Member of TMP), 06 Feb 2015 6:33 p.m. PST

They could also pay your advertising bill.

darthfozzywig (Supporting Member of TMP), 06 Feb 2015 6:38 p.m. PST

Still a bonehead design to put passwords in a URL.

14Bore, 06 Feb 2015 6:45 p.m. PST

or sabotage a competitor.

Editor in Chief Bill (The Editor of TMP Fezian), 06 Feb 2015 7:36 p.m. PST

Still a bonehead design to put passwords in a URL.

It was a simple design, and the password is not particularly useful to anyone.

Now it's been flagged up as a problem, at the very least a private email to every advertiser past and present warning them of this and to be careful about the data in the url should be sent out immediately.

They were warned when they were issued with the URL.

I'd also hope that system would be quickly reworked so that any passwords were either encrypted or better still not included in the url!

This is being discussed on the advertisers forum.
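
The quoted reply above asks that the password be "not included in the url". One way a site can keep a private, emailable report link without putting an account password in it is a capability URL: a long random token that is good for one purpose (viewing that advertiser's report), is stored only as a hash, expires, and can be revoked without the advertiser having to change anything else. The block below is an added illustration and is not TMP's code; the URL path `/advertiser/stats` and the `token` parameter name are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Hypothetical report URL; the real TMP path is not on the page.
REPORT_URL = "https://example.test/advertiser/stats"


class ReportLinks:
    """Issue and check per-advertiser report links that carry a random,
    single-purpose token instead of the account password."""

    def __init__(self):
        # sha256(token) -> (advertiser_id, expires_at). Only the hash is kept,
        # so a copy of this table does not give anyone a working link.
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, advertiser_id, ttl_seconds=30 * 24 * 3600, now=None):
        """Return a fresh link for advertiser_id, valid for ttl_seconds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (advertiser_id, now + ttl_seconds)
        return f"{REPORT_URL}?token={token}"

    def lookup(self, token, now=None):
        """Return the advertiser_id the token grants access to, or None if
        the token is unknown, expired or revoked."""
        now = time.time() if now is None else now
        digest = self._digest(token)
        for stored_digest, (advertiser_id, expires_at) in self._tokens.items():
            # compare_digest keeps the comparison constant-time in the digest length
            if hmac.compare_digest(stored_digest, digest):
                return None if now >= expires_at else advertiser_id
        return None

    def revoke_all(self, advertiser_id):
        """Invalidate every link issued to advertiser_id, e.g. after a leak.
        The advertiser's real account password is untouched."""
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != advertiser_id}

    @staticmethod
    def token_from_link(link):
        """Extract the token from a link produced by issue()."""
        return parse_qs(urlsplit(link).query)["token"][0]


def demo():
    """Walk through issue, use, expiry and revocation with fixed clock values."""
    links = ReportLinks()
    link = links.issue("advertiser-42", ttl_seconds=3600, now=1_000_000)
    tok = ReportLinks.token_from_link(link)
    ok = links.lookup(tok, now=1_000_100)       # "advertiser-42"
    expired = links.lookup(tok, now=1_004_000)  # None: past the one-hour ttl
    links.revoke_all("advertiser-42")
    revoked = links.lookup(tok, now=1_000_100)  # None: revoked
    return ok, expired, revoked


if __name__ == "__main__":
    print(demo())
```

If such a link leaks (for instance via a search engine index or a Referer header, as in this thread), revoking and reissuing it costs nothing, and the leaked value was never the password the advertiser may also use elsewhere.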

Editor in Chief Bill (The Editor of TMP Fezian), 06 Feb 2015 7:38 p.m. PST

or sabotage a competitor.

How? The two advertisers that compromised their passwords have had new passwords issued. Even if someone could get the password, they can't do much with it, that's not how the system is designed.

darthfozzywig (Supporting Member of TMP), 06 Feb 2015 7:57 p.m. PST

My apologies for how I phrased that.

Rebelyell2006, 06 Feb 2015 10:02 p.m. PST

It was a simple design, and the password is not particularly useful to anyone.

It is if a person does not use different passwords for different websites.

etotheipi (Sponsoring Member of TMP), 07 Feb 2015 3:30 a.m. PST

Still a bonehead design to put passwords in a URL.

It was a simple design, and the password is not particularly useful to anyone.

Technically, the practice is unwise. I linked to the URL specification because it is pretty obvious that some people are using the web but don't really know how it works, which is also unwise.

If you really want to understand how the small number of password parts (not the entire thing) got compromised, you also should read up on how the webcrawler that found the info works, how the specific URL in question works, and a little bit about how they interact.

It is if a person does not use different passwords for different websites.

Whether or not someone does something unwise with their passwords does not affect the quality of the solutions others provide for the systems on which they use those passwords.

You really can't expect a system you use to compensate for your own multiple errors. If you use the same password for multiple sites and actively publish your password data from one of them, you can't hold that site's security liable. Or the security of the other sites for which you use the same password.

No link to why reusing passwords is unwise. Just Google "don't use the same password" and pretty much every modern computer security company will tell you that (as opposed to the stuff above that you would actually have to look for). Also, that advice predates the Internet, and computers, by a bit as it was a part of common knowledge when Byzantium stood up one of the first government espionage agencies about 2,500 years ago.
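
Both Bill's post (the password travels in the query string of the advertiser's report URL) and the post above (a webcrawler found it) describe the same mechanism: a secret in a URL is copied into every place URLs go, including the site's own access log, the Referer header the browser sends on the next click, and any crawler that follows the link. The block below is an added example, not TMP's code or anything from the original thread; it scans constructed Apache/Nginx combined-format log lines for secret-looking query parameters in both the request line and the Referer, and shows how such a URL can be redacted before it is logged. The `/advertiser/stats` path, the `password` parameter name and the four log lines are all made up for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry secrets. Assumed list, not TMP's.
SECRET_PARAMS = {"password", "passwd", "pass", "pwd", "pw", "token", "apikey", "api_key", "secret"}

# Apache/Nginx "combined" log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (hypothetical site, hypothetical path and parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2015:15:36:01 -0800] "GET /advertiser/stats?id=42&password=hunter2 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '66.249.66.1 - - [06/Feb/2015:15:40:12 -0800] "GET /advertiser/stats?id=42&password=hunter2 HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.9 - - [06/Feb/2015:15:42:30 -0800] "GET /news/submit HTTP/1.1" 200 812 "http://example.test/advertiser/stats?id=42&password=hunter2" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Feb/2015:15:43:00 -0800] "GET /index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


def secret_params(url):
    """Return the names of secret-looking query parameters present in url."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SECRET_PARAMS]


def redact_url(url):
    """Replace secret-looking query values with REDACTED so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_credential_leaks(log_lines):
    """Scan combined-format log lines; report secrets in the request URL and in Referer."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        crawler = "bot" in m["ua"].lower()  # crude heuristic, enough for the demo
        # Request line: the secret now sits in this server's own log file.
        for name in secret_params(m["path"]):
            findings.append({"where": "request", "param": name, "client": m["ip"],
                             "ua": m["ua"], "crawler": crawler})
        # Referer: the page the user came from had the secret in its URL, so the
        # browser forwarded it here; a link to a third-party site would do the same.
        referer = m["referer"]
        if referer and referer != "-":
            for name in secret_params(referer):
                findings.append({"where": "referer", "param": name, "client": m["ip"],
                                 "ua": m["ua"], "crawler": crawler})
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f)
    print(redact_url("/advertiser/stats?id=42&password=hunter2"))
```

Run against the sample, the scanner flags the first two requests (the second one from a crawler user agent, which is how such a URL ends up in a search index) and the Referer on the third line; the fourth line is clean. On a real server the same logic belongs in log shipping or in the request handler, so the redacted form is what gets written in the first place.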

galvinm, 07 Feb 2015 6:44 p.m. PST

First email addresses and now passwords.

This is not good.

What is going on?

nazrat, 08 Feb 2015 8:20 a.m. PST

Ah, TMP-- where the storms in the cups are neverending! Sail on, boys. Sail on.

Robert Kennedy, 08 Feb 2015 10:51 a.m. PST

+1 to nazrat

Editor in Chief Bill (The Editor of TMP Fezian), 08 Feb 2015 2:53 p.m. PST

First email addresses and now passwords.

This is not good.

What is going on?

Not really sure what you're on about.

Yes, we've used a relatively low-security method for advertisers to access a particular report. We felt the level of security was appropriate for the information involved.

Yes, if an advertiser is not careful, he might leak the URL containing his account password. With hundreds of advertisers over the years, this has apparently happened just twice.

Can someone do anything malicious if he gets the password? No.

Militia Pete, 10 Feb 2015 6:31 p.m. PST

RebelYell hit me again if you are in SC. I am in Lexington.
