
Identity Theft and Social Networks

michael posted more than 10 years ago | from the stealing-whuffie dept.

Security 190

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
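The summary's point is concrete enough to show: a login submitted over plain HTTP hands the password and the session cookie to every proxy and sniffer on the path, and a site that sets its session cookie without the Secure flag keeps leaking it on every later request even if the login page itself used SSL. The following is an added example, not code from the SecurityFocus article or from any of the sites it names; the captured request and the response headers are constructed sample data, and the host, cookie names and values are made up.

```python
"""Added example (not from the article or any site it names): what a proxy
or LAN sniffer sees when a login form is posted over plain HTTP, and a small
audit of the Set-Cookie headers a site returns. All data is constructed."""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample: a login POST as it crosses the wire without SSL.
# Any proxy in between logs the Cookie header; a sniffer sees all of it.
CAPTURED_LOGIN = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Cookie: PHPSESSID=9f3b2c7e1d4a; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

# Constructed sample responses: the weak one sets the session cookie with no
# attributes, the hardened one marks it Secure (never sent over plain HTTP)
# and HttpOnly (not readable by page scripts).
WEAK_RESPONSE_HEADERS = [
    "HTTP/1.1 302 Found",
    "Set-Cookie: PHPSESSID=9f3b2c7e1d4a; Path=/",
    "Set-Cookie: lang=en; Path=/",
]
HARDENED_RESPONSE_HEADERS = [
    "HTTP/1.1 302 Found",
    "Set-Cookie: PHPSESSID=9f3b2c7e1d4a; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

# Heuristic for "this cookie carries the session": name contains sess/sid/token.
SESSION_NAME = re.compile(r"sess|sid|token", re.IGNORECASE)


def extract_credentials(raw_request: str) -> dict:
    """Pull cookies and form fields out of a plaintext HTTP request, exactly
    as a passive observer could."""
    head, _, body = raw_request.partition("\r\n\r\n")
    cookies = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                cookies[k] = v
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"cookies": cookies, "form": form}


def audit_set_cookie(response_headers: list) -> list:
    """Return one finding per session cookie that lacks Secure or HttpOnly.
    An empty list means every session cookie carries both flags."""
    findings = []
    for header in response_headers:
        name, _, value = header.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        for cookie_name, morsel in jar.items():
            if not SESSION_NAME.search(cookie_name):
                continue
            if not morsel["secure"]:
                findings.append(f"{cookie_name}: missing Secure flag, "
                                "will be sent over plain HTTP")
            if not morsel["httponly"]:
                findings.append(f"{cookie_name}: missing HttpOnly flag")
    return findings


if __name__ == "__main__":
    leaked = extract_credentials(CAPTURED_LOGIN)
    print("observer sees session:", leaked["cookies"]["PHPSESSID"])
    print("observer sees password:", leaked["form"]["password"])
    for finding in audit_set_cookie(WEAK_RESPONSE_HEADERS):
        print("weak site:", finding)
    print("hardened site findings:", audit_set_cookie(HARDENED_RESPONSE_HEADERS))
```

The audit only inspects the flags a server puts on its own cookies; it says nothing about whether the login form itself is served and posted over SSL, which has to be checked separately by looking at the form's action URL.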


190 comments


First post (-1)

TheSpoogeAwards (589343) | more than 10 years ago | (#7863439)

Go home, dickbutts.

GNAA INFORMATION FOR THE GAY NIGGER (-1)

ADOT Troll (687975) | more than 10 years ago | (#7863441)

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY [sr51.com] ?
Are you a NIGGER [superstitionfreeway.com] ?
Are you a GAY NIGGER [state.az.us] ?

If you answered "Yes" to all of the above questions, then the GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!

Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain and read the Regional Transportation Plan [maricopa.gov] for the Maricopa Association of Governments [maricopa.gov] sponsored by the Arizona Department of Transportation [state.az.us] . You must take a test to verify your knowledge of the plan. The test consists of 6 questions:

1. How many lanes will US 60 be from Val Vista to Power Rd?
2. What is the scope and span of I-10R?
3. What is the Wickenberg Bypass?
4. When will the Williams Gateway Freeway be built?
5. What is planned for I-17 from McDowell to Dunlap?
6. What is planned for US-60 (Grand Avenue)? How much money is set-aside?

Second, you need to succeed in posting a GNAA "first post" on slashdot.org [slashdot.org] , a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership. Talk to one of the ops or any of the other members in the channel to sign up today! >[? If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.easynews.com as one of the EFNet servers.

If you have mod points and would like to support GNAA, please moderate this post up.

I am protesting Slashdot's chronic abuse of its readers and subscribers. Please visit www.anti-slash.org [anti-slash.org] and help us!

lazy (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863442)

People are getting lazier, as people get lazier security goes down, deal with it.

Re:lazy (4, Insightful)

}InFuZeD{ (52430) | more than 10 years ago | (#7863558)

Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.

And your alternative idea is... (2, Insightful)

Saeed al-Sahaf (665390) | more than 10 years ago | (#7863772)

You don't see the need for SSL on a journal / blog site... Then how do YOU propose to manage security and prevent hacks? Will you feel differently when YOUR account is hacked? No, SSL is virtually required (Oh my! I like that!) for this sort of thing, and overhead is highly overstated.

On the other hand, I tend to think people who live through their on-line journal / blog need to find a real life.

TP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863443)

third post

500 Internal Server Error (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863445)

An internal server error occurred. Please try again later.

If you think slashdot is having too many of these, reply to this post.

Re:500 Internal Server Error (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863467)

the spammers are ddosing us ;)

Re:500 Internal Server Error (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863481)

when i clicked reply i got ANOTHER one of those messages.

P.S. and when i clicked submit.

GOOD LUCK WITH YOUR MASTURBATION (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863446)

I have good luck with mine

Nigger nigger nigger lysol (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863448)

lysol
ysoll
solly
ollys
llyso
lysol

GNAA was here YOU FUCKING NIGGERS

LYSOL [lysol.ws]

Well, duh. (-1, Troll)

James A. C. Joyce (733782) | more than 10 years ago | (#7863451)

The idea of social networks is just insecure from the get-go. When people are connected, there's increased potential for security risks and flaws to be exploited and to be created. It's like broadcasting your real email and IP addresses on Usenet - a bad idea. The buggy implementations are just icing on the cake.

Re:Well, duh. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863495)

"Make me your friend; my fans get +1 comment scores."

first, tell me are you a whiny lying backstabbing greedy conservative? or are you a whiny lying backstabbing greedy liberal?

i make my friends/foes based on political leanings.

Re:Well, duh. (0, Offtopic)

kfg (145172) | more than 10 years ago | (#7863547)

Look, I don't suppose you could be convinced to take a dinner break or something, could you?

KFG

Re:Well, duh. (1, Funny)

Anonymous Coward | more than 10 years ago | (#7863723)

1. " The idea of social networks is just insecure from the get-go."

2. "Make me your friend; my fans get +1 comment scores."

?

Re:Well, duh. (4, Insightful)

commodoresloat (172735) | more than 10 years ago | (#7863751)

Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.

EAT ME GNAA COCKSUCKERS! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863454)

TrolKore rules /. forever.

CmdrTaco prefers TrollKore's cox in his anus
to GNAA's!

Slashdot doesn't use SSL to login (2, Interesting)

Anonymous Coward | more than 10 years ago | (#7863460)

Guess it doesn't matter if you just stay anonymous.

MODS ON CRACK? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863512)

This is totally on topic!

P.S. Got internal server error AGAIN when clicking submit.

Offtopic? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863518)


Actually, that was not offtopic (nor flamebait, nor troll.) Moderators, please read the article before moderating. (Reading the moderator guidelines wouldn't hurt either.) kthx

WHAT?!?!?!?!? (0, Funny)

Anonymous Coward | more than 10 years ago | (#7863647)

Slashdot doesn't use or require SSL logins???

I'll have Taco's balls for this!!!! Yes siree!

Hey Taco, instead of constantly fiddling with the lameness filter and the moderation system, how about implementing basic security. Either that, or you could go home to Kathleen. [shudder]

Lameness filter encountered. Post aborted!

Reason: Your subject looks too much like ascii art.

How often they get caught (-1, Insightful)

RobertArnold (737412) | more than 10 years ago | (#7863462)

I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.

Re:How often they get caught (1)

benna (614220) | more than 10 years ago | (#7863497)

I would be all for that.

Re:How often they get caught (5, Funny)

Brahmastra (685988) | more than 10 years ago | (#7863503)

I was a victim of identity theft once and made a police complaint, an FTC complaint, etc.. They all said that it was unlikely anyone would ever be caught. Haven't heard anything for 2 years now. They need to start castrating identity thieves... it's getting out of hand.

Re:How often they get caught (2, Interesting)

Aviancer (645528) | more than 10 years ago | (#7863632)

Indeed. My wife was the victim of identity fraud. The police caught the perp with my wife's ID -- and LET HER GO. She's been stealing cars from rental agencies and running up Sam's Club credit and cell phone bills ever since -- and the cops know who she is, and how much of a scourge she can be...

Re:How often they get caught (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7863810)

They need to start castrating identity thieves...
What's the point? I mean, if they've only got a 1 in 7,000 chance of getting caught, then how good is any deterrent going to be?

Rather than concentrate on more and more extreme punishments, maybe we should concentrate our resources on more and more effective ways of catching fraudsters? Y'think?

Apparently I have to wait another couple of minutes before posting this, so on another subject: why oh why oh why are CD players so big? I mean, with the latest codecs, you ought to be able to store much much longer audio streams on those tiny little CDs you can fit in your pocket. So why not start making more portable CDs like that and standardize on a format and codec?

And what's the deal with all those endings for Lord of the Rings: Return of the King? Some of us had to go for a pee for crying out loud. Did any of them add any value to the film whatsoever? No, so why include them? And is the rumour true that the Special Edition Extended DVD version of Return of the King will be essentially the same film only with another three hours of endings tacked on to the end?

Re:How often they get caught (0)

Anonymous Coward | more than 10 years ago | (#7863546)

how about the rate of comment theft?

I congratulate you for using the anti-slash db tool.

The jihad is alive and well. Allah Akbar!!

Re:How often they get caught (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863570)

1 in 7,000, baby. You've been called out.

Re:How often they get caught (1)

Carewolf (581105) | more than 10 years ago | (#7863683)

Like with most things in life, problems only get solved once they truly become a problem. Currently banks take the responsibility when they are conned out of money. Once they lose more money this way than it would cost to do something about it, it would change.

The same happens with most laws. The laws the politicians create in the meantime are either of no real significance or to boost personal interests.

Money needs to go (0)

Anonymous Coward | more than 10 years ago | (#7863738)

Money is just a piss poor patch (at best) to the problem of people just not being able to get along with each other.

As a CISSP... (4, Insightful)

bc90021 (43730) | more than 10 years ago | (#7863464)

...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (ie, paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.

It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!

Re:As a CISSP... (5, Interesting)

filth grinder (577043) | more than 10 years ago | (#7863550)

As you said, it's cheaper to do it right the first time, design good comprehensive security in from the ground up.

Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even start ups. They are guys in basements who had an idea for a site, and it took off. Through donations and subscriptions they gained size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.

It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as it does.

Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or implement SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.

It's even easier to sit back and scoff, "you should have done it in the beginning".

Re:As a CISSP... (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7863631)

Actually, it's easy just to stick Apache in front of an app, buy a certificate, and turn on SSL. These securityfocus guys are engaging in yellow journalism here, trying to make a story where one doesn't really exist.

Re:As a CISSP... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863834)

it's so easy, slashdot still hasn't done it.

Re:As a CISSP... (4, Insightful)

bc90021 (43730) | more than 10 years ago | (#7863648)

That is true, however:

I wasn't scoffing. ;)

Secondly, it is easy to let security go slack. And that is my point. I have seen way too many places do just that. Everyone starts small. But how many people plan to stay that way?

How hard is it to use two commands to generate a CSR? If you don't know how to do it, Google for it. GeoTrust has step-by-step instructions, as it's in their interest. Don't know how to run Apache securely? Pay a consultant, or ask a knowledgeable friend. By posting to craigslist or slashdot, they could have found someone willing to trade services for potential profit sharing or even a free account for life.

I'm not saying that things like memcache or the databases aren't important, and shouldn't have been prioritised. But they ignored security, and their customers have already paid the price in some instances. There comes a point where the diminishing returns of working on everything *but* security will start to directly affect everything else, and that is what has happened here.
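The "two commands to generate a CSR" the parent refers to are the key generation and the request itself. Below is an added example, not the poster's own recipe, that drives those two openssl commands from Python and then verifies the result, so a reader can check that the CSR is well formed and carries the expected name before sending it to a CA. It assumes the `openssl` command-line tool is on the PATH; the hostname is a placeholder.

```python
"""Added example (not from the thread): generate a private key and a CSR
with the openssl CLI, then verify the CSR's self-signature. Assumes the
openssl binary is installed; www.example.invalid is a placeholder name."""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def make_csr(common_name: str, key_bits: int = 2048,
             workdir: Optional[str] = None) -> dict:
    """Run the two commands and return the key path, the CSR text and
    whether openssl itself accepts the request."""
    outdir = Path(workdir or tempfile.mkdtemp(prefix="csr-"))
    key_path = outdir / "server.key"
    csr_path = outdir / "server.csr"

    # Command 1: the private key. It stays on the server and is never sent
    # to the CA; only the CSR is.
    subprocess.run(
        ["openssl", "genrsa", "-out", str(key_path), str(key_bits)],
        check=True, capture_output=True,
    )
    os.chmod(key_path, 0o600)  # readable by the web server's user only

    # Command 2: the CSR, signed with that key. -subj supplies the subject
    # so nothing is asked interactively; a CA will want the site's DNS name
    # as the CN.
    subprocess.run(
        ["openssl", "req", "-new", "-key", str(key_path),
         "-out", str(csr_path), "-subj", f"/CN={common_name}"],
        check=True, capture_output=True,
    )

    # Check before submitting: the self-signature must verify and the
    # subject must be the one requested. Different openssl versions print
    # the verify result on stdout or stderr, so both are inspected.
    verify = subprocess.run(
        ["openssl", "req", "-in", str(csr_path), "-noout", "-verify", "-subject"],
        capture_output=True, text=True,
    )
    output = verify.stdout + verify.stderr
    return {
        "key_path": str(key_path),
        "csr_pem": csr_path.read_text(),
        "verify_ok": verify.returncode == 0 and "verify OK" in output,
        "subject_ok": common_name in output,
    }


if __name__ == "__main__":
    result = make_csr("www.example.invalid")
    print("private key:", result["key_path"])
    print("CSR verifies:", result["verify_ok"], "subject matches:", result["subject_ok"])
    print(result["csr_pem"])
```

The CSR text is what gets pasted into the CA's order form; the key file never leaves the box, which is why the example tightens its permissions right after creating it.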

Re:As a CISSP... (0)

Anonymous Coward | more than 10 years ago | (#7863740)

When you say 'that is what has happened here', do you mean that someone has paid some price because these sites aren't secured by SSL? Who?

Or do you mean that the companies have paid the price by being the target of bad press?

Re:As a CISSP... (1)

bc90021 (43730) | more than 10 years ago | (#7863780)

Both.

The companies obviously got bad press. And the article states that at least one customer had his account hacked into, and those entries he kept private were posted publicly, embarrassing both him and his friends.

All it takes is for that to happen to someone who has a good lawyer as a relative, and all of a sudden lack of security translates into legal expenses.

Re:As a CISSP... (1)

Dulimano (686806) | more than 10 years ago | (#7863760)

I work for such a site (wiw.hu). The parent gives a perfect description of our situation.

web-hosting is THE solution (1)

axxackall (579006) | more than 10 years ago | (#7863771)

Now they need to worry about things like SSL and site performance, and it's too late.

It's never too late. Getting a working site under SSL is 2 hours to 2 days of work. I did it a few times and never had any serious performance problems.

And if performance is still a problem, isn't it reasonable to consider web hosting? If the application is done in anything that a web-hosting company can run (Perl, Java, ASP, even Zope) then both performance and SSL are even less of a problem - most hosting companies provide SSL and have no performance problems. The rule of thumb is: if you don't know how to do the job right - give it to people who know the drill.

I STOLE A WHOLE BRANCH OF FRIENDS (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863483)

and I feel damn cool for doing it. They still haven't figured it out.

It's just common sense (5, Funny)

Waffle Iron (339739) | more than 10 years ago | (#7863498)

Only a total idiot would post a message on a site that doesn't use a secure login procedure.

Oh, wait...

Re:It's just common sense (1)

/dev/trash (182850) | more than 10 years ago | (#7863589)

You can login via SSL at K5 [kuro5hin.org]

YOU FUCKING FAG (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863617)

you suck cock, gaiboi.

Re:YOU FUCKING FAG (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863727)

Don't look now, but I think he's sucking yours.

Re:YOU FUCKING FAG (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863850)

ahh, I wondered why some guy was on his knees with his face buried in my crotch!

what a bunch of idiots... (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7863505)

One friend feared that she might lose her job when a private entry about problems with her supervisor was made public

Rule 1:
If you want to keep something confidential, don't post it on a free website.

If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.

Even with SSL (4, Interesting)

tr0llx0r (730590) | more than 10 years ago | (#7863507)

you're far from safe. SSL connections are vulnerable to MiTM attacks - we saw this with M$ Passport, hotmail etc. The only solution to these problems, is for people (ie the average user of /.) to realise that anything they transmit over the net is sniffable with a little effort.

In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all you CC numbers are belong to us.

GNAA!

PARENT IS COCKSUCKER! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863561)

you fucking fag.

IF I EVR MEET YOU I WILL FUCK YOUR ASS!


Hi Vlad! (0)

Anonymous Coward | more than 10 years ago | (#7863661)

What's Reza up to these days? Judging by her photos, I'd say 600lbs!

HAW! HAW! HAW!

Re:Even with SSL (0)

Anonymous Coward | more than 10 years ago | (#7863597)

you're far from safe. SSL connections are vulnerable to MiTM attacks - we saw this with M$ Passport, hotmail etc. The only solution to these problems, is for people (ie the average user of /.) to realise that anything they transmit over the net is sniffable with a little effort. In a dorm or corporate lan environment, all it takes is one trojaned Cmdr Taco fucking you asss, and all you CC numbers are belong to us.

Re:Even with SSL (4, Insightful)

m0rph3us0 (549631) | more than 10 years ago | (#7863643)

SSL is safe for people who read warning messages.

Re:Even with SSL (0)

Anonymous Coward | more than 10 years ago | (#7863831)

Take it a step further than that, even. SSL has demonstrated vulnerabilities, but even if you tunnel your HTTP connection over SSH using AES encryption, security could still suck.

Encrypting transmissions only solves the problem of transmission. What about how well the data is protected once it's already there? Are passwords hashed on the server or stored plaintext? If they're hashed, are they hashed properly? If they're hashed properly, are they adequately protected? Is the server itself well protected against unauthorized access? The list goes on.

The way I explain this to my wife is: what good is a secure browser connection if the company on the other end prints out your credit card number on paper and doesn't shred it? It's even easier to dumpster dive than it is to sniff packets.
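The "hashed, but hashed properly?" distinction in the comment above is worth making concrete. The following is an added example, not the commenter's code: it puts an unsalted fast hash, which a leaked table turns back into passwords by simple lookup, next to a salted, iterated hash that is verified in constant time. The user names, passwords and the tiny "precomputed" table are all constructed for the demonstration.

```python
"""Added example (not from the thread): unsalted MD5 storage versus salted,
iterated PBKDF2 storage, and why the former is "hashed" but not "hashed
properly". All users, passwords and the lookup table are constructed."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # tune upward as hardware gets faster


def weak_hash(password: str) -> str:
    """The 'hashed but not properly' case: one unsalted, fast digest.
    Equal passwords give equal digests, so a leaked table is crackable
    by lookup against a precomputed dictionary."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored_digest: str, wordlist: list) -> str:
    """What an attacker does with a dump of weak_hash() values: compute the
    digest of each common password once and look for a match."""
    table = {weak_hash(word): word for word in wordlist}
    return table.get(stored_digest, "")


def hash_password(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The per-user random salt defeats precomputed
    tables; the iteration count makes each guess expensive. Everything a
    verifier needs is stored in the string itself."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(derived).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks no timing information."""
    algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed sample user table: two users who happen to share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}
# Constructed stand-in for an attacker's wordlist of common passwords.
COMMON_PASSWORDS = ["password", "123456", "hunter2", "letmein"]


def leaked_weak_table() -> dict:
    return {user: weak_hash(pw) for user, pw in USERS.items()}


def leaked_strong_table() -> dict:
    return {user: hash_password(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    weak = leaked_weak_table()
    print("alice and bob share a digest:", weak["alice"] == weak["bob"])
    print("alice's password recovered by lookup:", crack_unsalted(weak["alice"], COMMON_PASSWORDS))
    strong = leaked_strong_table()
    print("alice and bob share a digest:", strong["alice"] == strong["bob"])
    print("verify alice/hunter2:", verify_password("hunter2", strong["alice"]))
    print("verify alice/wrong:", verify_password("wrong", strong["alice"]))
```

Note that the stronger scheme only raises the cost of offline guessing after a leak; it does nothing about the plaintext password crossing the wire during login, which is the SSL question the rest of the thread is about.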

eCommerce Failure (5, Interesting)

pipingguy (566974) | more than 10 years ago | (#7863509)


All the more reason to allow "anonymous", one-time use of purchased credits.

Like phone cards - pay cash and use it online as you wish without easy tracking.

Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information).

Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.

disposable CC numbers (3, Informative)

aaandre (526056) | more than 10 years ago | (#7863755)

Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).

You log on to their web site with your account info and gener... Oh, wait...

Re:eCommerce Failure (2, Interesting)

metlin (258108) | more than 10 years ago | (#7863798)

There is another solution to this - use a check card.

I have an account which has very little money that I use just for online transactions and at clubs.

Usually, my online purchases don't exceed $100, so I just pay using that account. And when there is a need for me to pay more than that amount, I just transfer the amount to my checking account.

Not exactly very convenient, but it works just fine for me. And it sure as hell is safe.

it's always been this way (2, Informative)

ohzero (525786) | more than 10 years ago | (#7863514)

the web doesn't change anything. Especially if you're talking about "hackers." SSNs, Credit Card numbers, and many other implements of destruction have been made available to those who would crack systems or sift through garbage cans since I can remember. There's really two points that matter:
  • There are people who participate in identity theft via any means possible, because that's the life they lead.
  • Social security numbers in and of themselves ARE the vulnerable entry point because the information flow to and from them is bidirectional.
The only possible suggestion here is the same one that's been played over and over on the record entitled "keeping your information safe for dummies," which is "use caution and reason in any transaction you make."

Boycott social networking sites (-1, Troll)

Seth Finklestein (582901) | more than 10 years ago | (#7863525)

A lot of good has come out of the "social networking" craze. I have personally blogged about a lot of this on my personal blog that I administrate myself. You'll notice that I have discovered a very unique piece of software called "Movable Type" that allows me to blog what I want without surrendering any information to the outside world. That's right: every time you go to Friendster, LiverJournal, or another so-called "community" site, you are subjecting yourself to a host of vulnerabilities. Read the privacy policies: these sites surreptitiously save data to your hard drive through the use of so-called "cookies"; they may serve intrusive ads that interfere with your web browsing experience; and they may fall prey to black-hat "crackers" (not "hackers").

Personally, I feel that every third-party site is not to be trusted. For the greater good of the blogosphere, I believe that the future lies in individually unique weblogs connected by a perfectly synergistic system of TrackBack pings.

Sincerely,
Seth Finklestein
Social Networking Consultant

It's an interesting proposition (5, Interesting)

Fortunato_NC (736786) | more than 10 years ago | (#7863532)

In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.

But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.

Seems like a rather immutable Catch-22 to me...

Define "user" (3, Interesting)

czardonic (526710) | more than 10 years ago | (#7863626)

An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.

Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if it was no longer inconveniently insecure?

Re:It's an interesting proposition (2, Insightful)

kfg (145172) | more than 10 years ago | (#7863702)

The same is true IRL as well. Put the best lock on your front door that you want, it really doesn't matter. I'm coming in through the window anyway. Boarding up the windows reduces the utility of your house and just forces me to come in through the basement.

You could build a wall around the house I suppose, which again is a pain for you, not to mention expensive, and doesn't slow me down all that much really, but it makes me nice and invisible from the street once I get in. So now you have to add all the electronic gizmos. . .

I think Patton had something to say about fortifications.

Most physical security amounts to efforts to keep slightly dishonest people honest as regards your property. You don't have to outrun the bear, just your buddy.

The bad guys are going to do a certain amount of winning. It's selfish but the trick is to do your best to make sure it's the other guy who looks like the rube so you get left alone.

'Cause if they really, really want you, they're going to get you sooner or later.

Having bodyguards didn't help Indira Gandhi one little bit.

KFG

Re:It's an interesting proposition (0)

Anonymous Coward | more than 10 years ago | (#7863840)

"Having bodyguards didn't help Indira Gandhi one little bit." nor JFK p.s. Cobain was murdered, too.

it'll go on like this until somebody pays dear... (4, Insightful)

demonhold (735615) | more than 10 years ago | (#7863543)

It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.

It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...

What do we expect anyway, common sense is the least common of the senses..

Something's wrong here (0)

Anonymous Coward | more than 10 years ago | (#7863560)

particularly their lack of SSL logins

As if that is our problem. That's the wild-west attitude: if you can't secure yourself, you deserve whatever you have coming for you.

Why should we invest in something that's a self-evident fundamental right (even on the net): security.

What we need here is strong action from the world governments. Make the net a safe place for everyone!

Re:Something's wrong here (1, Funny)

Anonymous Coward | more than 10 years ago | (#7863623)

I know what's wrong! You forgot the </i>.

The question is the wrong one (2, Interesting)

lgeezer (168976) | more than 10 years ago | (#7863562)

Most community sites seem to be locally run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs. That, and given the value of the Internet is to allow people to connect in new ways unencumbered by worrying how to pay for it, suggests that the problem here is not how to provide technically secure transactions.

The problem here is how to create personal security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don't stare at other guys for too long. That is how they are personally secure, not because the mall guards have guns.

So a more interesting question is not "how can you make other people more secure?" but "how do you make yourself more secure?" Publish your results, and best practice will win.

Re:The question is the wrong one (0)

Anonymous Coward | more than 10 years ago | (#7863799)

Most community sites seem to be local run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs.

You can buy SSL certs from www.instantssl.com for US$49. Works with any modern browser (99%+). No need to pay the verisign prices.

I had to hack phpbb and get an SSL cert... (2, Informative)

mellon (7048) | more than 10 years ago | (#7863598)

...which cost me >$100, in order to have some password security on the bulletin board I run. phpbb would mail the password out in the clear, and didn't allow you to log in over SSL. It wasn't a big deal to hack it, but I was surprised that it wasn't an option. It may be that more people would use decent security if the software they ran supported it.

Re:I had to hack phpbb and get an SSL cert... (1)

Anonymous Crowhead (577505) | more than 10 years ago | (#7863741)

$49 ssl certs [instantssl.com]

Compare with Europe (-1, Interesting)

Aens (737179) | more than 10 years ago | (#7863600)

Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?

And there are some obvious reasons for this:

- Nobody in Europe has mail boxes without a lock. European mailboxes are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.

- No bank would give you a checking account or a credit without checking your ID card and making a photo copy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)

- All laws and courts agree that a reasonable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)

- Especially, if you told a court that a business transaction was valid because you checked the caller's identity on the phone by asking for his SSN (or some local equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.

While staying for half a year in California, I was quite astonished about the lax way of checking identities common in the US.

(For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. At the very least they would want proof of your address so that they can send you a court summons in case you attempted fraud.)

I am astonished (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863621)

I, for one, am quite astonished that you would accept such a blatant violation of privacy as a national ID card and even think that it is a "good thing".

Fortunately it will never fly here in the UK. We are still human beings, not numbers.

Re:I am astonished (0)

Anonymous Coward | more than 10 years ago | (#7863663)

you make no sense.. do you have a driver's license? then you have an id card.. wtf..

Re:I am astonished (0)

Anonymous Coward | more than 10 years ago | (#7863709)

Yeah, but I do not have to show it to a cop (even if requested) or to a clerk in a bank.

You see, some of us are still free...

Re:Compare with Europe (0)

Anonymous Coward | more than 10 years ago | (#7863682)

Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?

Yes I did. That's because I read the post made months ago [slashdot.org] that you copied this from.

Parent is troll (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863687)

Parent is linking to same post in order to confuse moderators.

Re:Parent is troll (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863700)

Yeah, and somehow he's managed to change the name of the poster and the date of posting... oh, and the story it's attached to. Fiendishly clever.

Re:Parent is troll (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863722)

um, they link to the SAME THING

fucking troll you are

POST IS A COPY (0)

Anonymous Coward | more than 10 years ago | (#7863758)

Seriously, it's already been pointed out [slashdot.org] once that this post was blatantly plagiarised from an earlier one [slashdot.org]. Why are people STILL modding this regurgitated crap up?

Re:POST IS A COPY - SO WHAT?! (0)

Anonymous Coward | more than 10 years ago | (#7863807)

(I am not the poster you are talking about and I have, in fact, karma bonus when I post with my account)

So fucking what?!

Are you so hung up on the concept of karma that you can't stand the idea of someone gaining it?

Fuck you. The post is ON TOPIC and INSIGHTFUL. It doesn't matter if it was or was not original.

It is YOU who should be modded down. Asshole.

It's called PLAGIARISM (0)

Anonymous Coward | more than 10 years ago | (#7863868)

Being a copy isn't a bad thing in itself. Copying someone else's post and re-posting it as your own is plagiarism. I think most people on Slashdot would agree THAT is a bad thing.

Re:Compare with Europe (3, Informative)

HeghmoH (13204) | more than 10 years ago | (#7863804)

I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get stickier, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.

I have no real contention with the rest of your statements, just this one.

Re:Compare with Europe (2, Insightful)

Anonymous Coward | more than 10 years ago | (#7863832)

in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)

Even though this looks like a copy, I'll respond.

I am a French citizen. I have a CARTE NATIONALE D'IDENTITE, which consists of a photograph attached with 2 rivets to a cheap paper and a bad stamp. With this document I can enter France (and most of the EU), and it's trivial to forge this document.

Article is spot on. Happened to me.. (-1, Troll)

SlashdotCEO (737177) | more than 10 years ago | (#7863611)

I had my identity stolen about 8 years ago. It suuuuuked!

In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this throughout the city, time and time again, so when it came time for me to move, I did the same.

I got rid of almost everything! This included tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.

Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a drivers license and social security card issued in my name with this guy's picture!

To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

My lesson learned: shred everything.

However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurances. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.

COPIED POST (2, Informative)

Anonymous Coward | more than 10 years ago | (#7863649)

Post above is copied from one made months ago [slashdot.org] by a different poster. Please mod accordingly.

Re:COPIED POST (0)

Anonymous Coward | more than 10 years ago | (#7863697)

Parent is a copy too [slashdot.org]. Read the posting guidelines [slashdot.org].

Re:COPIED POST (0)

Anonymous Coward | more than 10 years ago | (#7863704)

how'd you find this out?

the anti-slash db tool is to be used strictly for karma whoring, not to bust the karma whores.

Why can't slashdot have a search function that compares to the trolls'?

Re:COPIED POST (0)

Anonymous Coward | more than 10 years ago | (#7863715)

the anti-slash db tool is to be used strictly for karma whoring, not to bust the karma whores.

Doesn't make much difference. Idiots are still modding them up anyway, even after it's been pointed out.

Weakest Link (0)

Anonymous Coward | more than 10 years ago | (#7863655)

Sure it's nice to have SSL, but 90% of breakins are due to compromised email accounts, especially hotmail (where to change a password you just need a correct response to a user-generated question like "What is my favorite color"). Not to mention hotmail's past reputation with security issues.
The user is always the weakest link, they'll click/run on anything that looks tempting, and it's going to take a buttload more than SSL to protect against that.

Satisfying, carefree sex (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7863689)

That's sex with your sister.

The question is: how do you talk her into it?

I know some of you slashdotters have "done the nasty" with your dear sis. Don't hold back. How did you do it?

Security Focus... (0)

Anonymous Coward | more than 10 years ago | (#7863690)

I clicked on the story reference and after 10 or so irritating cookie alerts told my browser to put the referenced host onto the unconditional cookie reject list.

Referenced story looks bona fide.

WTF?

Identity Theft (-1, Troll)

sparklingfruit (736978) | more than 10 years ago | (#7863721)

I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.

Re:Identity Theft (0)

Anonymous Coward | more than 10 years ago | (#7863781)

I liked this message the first time I read it [slashdot.org], when it was posted by Robert Arnold.

Re:Identity Theft (0)

Anonymous Coward | more than 10 years ago | (#7863812)

Given that there are two [slashdot.org] posts [slashdot.org] further up that have both been modded up to +4 and +5 that are blatant reposts of other people's works, it's hardly surprising that he thought he could get away with it.

another case of blame crooks for being crooks (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7863747)

instead of protecting their inf..

the real threat to yOUR social system is the constaNT suck of the endlessly needy corepirate nazi marketeering execrable, if you don't couNT the georgewellian fuddite debt & disruption machines.

both 'institutions' fail miserably, & sadly enough, voluntarily, in the area of protection of personal information, unless it is their own, & even then, they just fail buy ineptitude.

consult with yOUR creators... that's it. you are entitled to some privacy. it's a huge planet.

Article Slant (5, Informative)

bradfitz (23252) | more than 10 years ago | (#7863773)

I'm Brad Fitzpatrick, from LiveJournal.

The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"

Things we talked about that she decided to ignore in her article:

-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.

-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated

-- we don't let users do any major action (like, oh, change the account's password) without the original password.

-- we have so many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just being plain dumb/trusting/gullible. SSL isn't a magic security wand.

Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.

Re:Article Slant (0)

Anonymous Coward | more than 10 years ago | (#7863836)

Agreed, this article was poorly written and obviously wanted to stir up ratings.
It fails to address how people will click/run on anything that is presented to them...
I thought SecurityFocus had better reporters than this.

Re:Article Slant (3, Informative)

metalpet (557056) | more than 10 years ago | (#7863879)

yeah, journalists with an agenda are a bit evil, but it's not all bad:
- LJ gains some exposure from this
- real security folks reading over this most likely won't feel livejournal is that far behind. Half of the complaints in the article are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)

Brad, I'd suggest you post a copy of your reply at this url:
http://securityfocus.com/cgi-bin/sfonline/forms/comment_form.pl?section=news&id=7739
SecurityFocus happens to have a fairly visible forum system, you might as well use it.

eBay's lack of SSL (3, Insightful)

thedillybar (677116) | more than 10 years ago | (#7863776)

To this day, I cannot figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send your new password over SSL.

This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.

University requirements (4, Interesting)

thedillybar (677116) | more than 10 years ago | (#7863814)

While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)

You have got a lot to learn (0)

Anonymous Coward | more than 10 years ago | (#7863844)

Sorry. That is real life for you.

Lesson 1: no-one likes a smart-alec.
Lesson 2: no-one likes the person who points out faults in their system.
Lesson 3: no one is interested in the truth/optimal performance.
Lesson 4: EVERYTHING IS ABOUT POLITICS (this is the capital rule).

So please, for your own sake, shut the fuck up and kiss the dean's ass (or donate big bucks) if you wish to accomplish something.

FUD (3, Interesting)

segment (695309) | more than 10 years ago | (#7863863)

For most (l)users who don't understand SSL, most times they'll end up ignoring OpenSSL certs that weren't signed by so-called 'Trusted Signers', often going into a site without using SSL, thinking the cert is not to be trusted. I threw a 4096-bit cert for my FOIA docs [politrix.org], Openwebmail, and some other stuff, and people always ask me about that annoying little 'Trusted Signer' warning.

Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" by Carl Ellison and Bruce Schneier:

Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source [schneier.com])

Most people like fast content and often overlook security. Hell, eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.
