-Caveat Lector-

From O'R Net
}}}>Begin

Published on The O'Reilly Network (http://www.oreillynet.com/)
http://www.oreillynet.com/cs/user/wlg/1482

Sure, Security Is Hard, But....
by Marc Hedlund
Jun. 1, 2002

URL: http://www.nytimes.com/ref/membercenter/help/qpass_redir.html

...this is ridiculous. The New York Times recently switched from one paid membership management system to another, and they changed the username and password of every paid account. For some reason, they've posted the system they used to choose new usernames and passwords on the Web for anyone to see. Security is certainly a difficult problem, and password management is even harder than most security problems, but it's much worse when you don't even try. If you have a paid nytimes.com subscription, be sure to read this.

The New York Times' Web site offers some excellent paid features, including online archive searches and crossword puzzle downloads. In the past, they used a horrible service called Qpass to manage their paid accounts. Qpass was hard to use and unreliable, and many nytimes.com members (myself included) complained about it frequently. Apparently the people at the Times agreed, because in March they dropped Qpass and moved to a new account management system. The new system is a big improvement in usability and reliability.

My jaw dropped, however, when I got the email from nytimes.com telling me how to access the new system. It read:

    Now enter the following Member ID and password which we have created for
    you and click the "Log In" button. You will need to use this Member ID
    and Password to access your NYTimes.com premium products in the future.

    Member ID: marc_hedlund
    Password: Your password is your Qpass User Name.

I quickly wrote them a note pointing out that usernames are easily guessable (my Qpass username was "mhedlund") and often repeated across many sites, and were often not kept as secrets (for instance, message board posts are often tagged by username).
Furthermore, I wrote, I thought this message violated their privacy policy, which states:

    Data Security: To prevent unauthorized access, maintain data accuracy,
    and ensure the appropriate use of information, we have put in place
    appropriate physical, electronic, and managerial procedures to protect
    the information we collect online.

I certainly wouldn't count sending password-guessing instructions to all of their users as "appropriate [...] managerial procedures." I asked if there had been some mistake, and suggested they revoke all the guessable passwords and send out new, random passwords as a stop-gap. They replied that there was no mistake and that I could always change my password if I found myself concerned about security. (And I did.)

Today I noticed that the same instructions I had been emailed are available on the nytimes.com FAQ page, <http://www.nytimes.com/ref/membercenter/help/qpass_redir.html>.

It's always disappointing when a site is negligent with security. What's a little more surprising about this case is that this is a prominent commercial site -- the New York Times is paid by each of its premium subscribers -- so you'd think (or hope) they would care more about protecting their customers' security. If I can get access to your account, I can buy articles from the New York Times' archive and have them charged to your credit card without you knowing about it (particularly, but not exclusively, if you've enabled one-click checkout on your account). That right there is the core definition of an ecommerce vulnerability, and here's one of the premier media organizations in the world making such an attack trivial.

How hard would it have been for the New York Times to send random passwords to its premium users rather than easily guessable passwords? They were already sending a customized email to each subscriber, and they already had to write a password update system.
Alternatively, they could have had each subscriber choose a new password for themselves the next time they logged in. The cost of doing things much more securely instead of insecurely would have been $0.00.

If you are a premium subscriber, you should definitely change your password so that it is something hard to guess. You can change your password at <http://www.nytimes.com/mem/profile.html>. Information about the importance of choosing a good password can be found at <http://www.nytimes.com/2001/12/27/technology/circuits/27PASS.html?ex=1010480> -- yup, that's right, in an article published by the New York Times.

Marc Hedlund was co-founder and CEO of Popular Power, the first commercially released P2P distributed computing platform. Before Popular Power, he founded Lucas Online, Lucasfilm's Internet division.

oreillynet.com Copyright © 2000 O'Reilly & Associates, Inc.

End<{{{
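The migration the article describes (new password = old Qpass user name) next to the alternative it proposes (a random temporary password the subscriber must replace at first login), as an added example that is not part of the forwarded article or of any nytimes.com code. The account list, the `audit` helper and the PBKDF2 parameters are constructed for illustration; only the "marc_hedlund"/"mhedlund" pair comes from the article.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class IssuedCredential:
    member_id: str
    password: str             # shown to the subscriber once, in the migration email
    must_change_on_login: bool

def legacy_scheme(member_id: str, old_username: str) -> IssuedCredential:
    """The scheme the article criticises: the new password is the old Qpass user name."""
    return IssuedCredential(member_id, old_username, must_change_on_login=False)

def random_scheme(member_id: str, nbytes: int = 12) -> IssuedCredential:
    """Temporary password from the OS CSPRNG; the subscriber must replace it at first login."""
    return IssuedCredential(member_id, secrets.token_urlsafe(nbytes), must_change_on_login=True)

def is_guessable(password: str, *public_identifiers: str) -> bool:
    """True if the password equals or contains any identifier a stranger could learn
    (member ID, old user name, e-mail local part). Case-insensitive."""
    p = password.lower()
    return any(ident and ident.lower() in p for ident in public_identifiers)

def audit(issued: list, old_usernames: dict) -> list:
    """Member IDs whose issued password is derivable from public identifiers (hypothetical helper)."""
    return [c.member_id for c in issued
            if is_guessable(c.password, c.member_id, old_usernames.get(c.member_id, ""))]

def hash_for_storage(password: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 so the clear-text password is never persisted."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    salt_hex, iterations, dk_hex = stored.split("$", 2)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample migration: (member ID, old Qpass user name).
SAMPLE_ACCOUNTS = [("marc_hedlund", "mhedlund"), ("jane_doe_42", "janedoe")]
OLD_USERNAMES = dict(SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    weak = [legacy_scheme(m, u) for m, u in SAMPLE_ACCOUNTS]
    strong = [random_scheme(m) for m, _ in SAMPLE_ACCOUNTS]
    print("guessable under legacy scheme:", audit(weak, OLD_USERNAMES))
    print("guessable under random scheme:", audit(strong, OLD_USERNAMES))
```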