From: jftucker at gmail.com (James Tucker)
Subject: Please help me update my address book on Ringo

I find it most amusing to read why they claim to be able to justify
making the service free:

"Free?
Yes, Ringo is a free service. The costs of running it are pretty low,
actually. We have no plans to charge our users for this service. We
plan to pay for the costs of operating the service by putting ads on
some parts of the site, although we haven't done it yet."

These days there is little of real concern with a site like this
anyway. I use e-mail for communication (E-MAIL IS NOT AN FTP(tm)). For
communication to work, people need to know how to contact me, and that
requires that they KNOW MY ADDRESS. Because this is the case, my
e-mail address must get exposed on a not infrequent basis. This means
that over a longer period of time, I will get spam.

So, should I still worry about it?
<rant>
The more spam you receive the more it is a problem. The more it is a
problem the better the solution you need. After a short time of this
balancing (say, about 3 years ago) the spam problem is very much
resolved by adding filtering systems.

Now, as for preventing spam by the rule "don't give out your e-mail
address" or "use a separate address". Well, the former leads to an
inability to communicate, thus making the medium largely useless. This
method will also put significant restriction on sites which
unnecessarily ask for e-mail addresses and often other registration
details. The latter solution is really no solution at all. Apart from
reducing exposure on your main e-mail account, anything that actually
gets past your filters will have to be manually filtered anyway, and
moving it to a separate account ONLY MEANS MORE WORK, period.

Spam cannot be 'solved' by these methods, it can merely be delayed.
Frankly, I can see no good reason to bother.

If you really want to slow some spammers down, why not buy yourself a
shotgun and cull the populace that actually generates these companies'
profits? Some of you speak so passionately but of course realise that
such actions are simply ridiculous. Can't you make the same
realisation about your other actions?
</rant>

What I am far far more concerned with is the fact that unsuspecting
customers are giving these companies their hotmail and yahoo mail
account passwords. This is also common on SMS.AC, hi5, etc.

How many people read their privacy policy? How many people are
qualified to _understand_ the full extent of the lawful meaning of
that policy given its position of statement and method of agreement;
are there loopholes? The normal user can't tell. IANAL, and I often have
to look really carefully.

The fact that passwords are exchanged means that the site will receive
a higher target profile from attackers, even if its intentions are
genuine. Right now, the pages that request hotmail and yahoo passwords
are completely unencrypted. Without breaking their privacy policy
they could easily have a router somewhere along the path reporting
address/password pairs to lists anywhere else in the world. There
would be no illegal interaction here, and that is what is most
important. Users need to be informed of _that_.

Most people know spam is bad. Telling them again isn't going to stop
the idiots who won't listen. The issue here is different though: it's
account disclosure. They are giving away the works. Many people will
also have been using their hotmail accounts for years, and will have
an account full of user names and passwords, which are commonly and
stupidly paired in mails from the numerous sites that unnecessarily
request that you sign up to view the next page for thirty seconds and
in the process send you your login details so you don't forget them in
future.

It's a pathetic state of affairs.

Next, the agreement. I can't be bothered to tear this apart completely
so I'll just do one section:

"These Terms & Conditions were last modified on January 25, 2005. At
any time and without prior notice, Ringo shall have the right, in its
sole discretion, to modify, add or remove terms of these Terms &
Conditions, without notifying our customers of such modifications,
additions or removals, and all such changes shall be effective
immediately. Your continued participation and use of this website
and/or the Ringo services following our posting of any such change on
our site will constitute binding acceptance of such change. You agree
that Ringo shall not be liable to you or to any third party for any
modification, suspension or discontinuance of the service."

This means, they could change the agreement to $1000 a month. They
don't have to notify you. You don't _have_ to return to the site and
see it. You can, and would, incur those charges for the monthly update
mails they send you. This is just one poor example of how dangerous it
really is to just 'accept' any old disclaimer or term of service on
the Internet. It comes down to trust, as many people have said
correctly before.

As for ownership, they are part of Monster Worldwide.

> Ahmad: Nobody gives a shit.  Fully Disclosing that you are dumb enough
> to let an untrusted third party have full control over private and
> personal information serves only to disclose that you shouldn't be
> hanging around lists where concepts like privacy are given serious
> discussion.

Well, I laughed quite hard when I read this, not because I thought it
was funny how Ahmad has decided to trust this company, nor that Mr
Terranson has once again made a totally blown out of proportion
statement of 'the world's going to end for you because you're more stupid
than me', but because all of these people are bold enough to make direct
and totally unjustified judgements about other people and other
people's hard work. This goes for both people, and shows a poor trust
policy on both sides. Frankly, the error you both made is the same,
only in different directions. Shut up and observe a little longer in
future.

Specifically, third parties have access to most of my information if
they try hard enough to get it, and the same goes for most of the
people on this list. Whilst you may be anonymous behind an e-mail
address on the Internet, your interactions in the physical world very
quickly lead to great amounts of information disclosure.

You trust all of your Internet data to your ISP and yet no one
complains about that on a regular basis. I don't trust my ISP, but at
the same time, if they really want to read my information, I know they
can, and I am prepared for the repercussions of that. That way I don't
have to devote my life to sensational paranoia. I have fraud
insurance, and pay a reasonable amount of attention to what I disclose
where, that way I can make physical threats to the people who rip me
off, which tend to be far more effective ;-)

Making rash judgements and unfounded cynical comments on this list is
simply shitting in your own back yard. By making such judgements you
simply devalue the opinion held by the collective contributors. Of
course, for someone to trust a comment from this list completely is
also bad practice; I hope you know what I mean.
