
Author Insecure Transmission
Fred Atkinson

2007-03-28, 7:19 pm

I have a hosting provider that I have been using for a while.
I wanted shell access to my account. I was told that I would have to
email a picture (they did not say picture ID) with an email request to
have this access enabled.

When I sent them a picture and an email request for this
access, I was told that I would have to send my picture ID as an
attachment on email.

I told them I would fax it but that I was not about to send my
picture ID over an insecure medium. He told me that they could not
accept it via FAX. I told him that email was unacceptable. When the
CSR wouldn't budge, I demanded to speak to his supervisor. He kept
resisting transferring me to his supervisor and kept insisting that
email was the only means that they would use to accept it.

I pointed out to him that this was unacceptable security.
People are out there sniffing packets and grabbing secure information
off of email and other insecure mediums. I told him to put his
supervisor on the line *NOW*.

He recited the policy saying that that was really the only
way they could do it (compromise security to protect security as it
were).

When he finally saw that I wasn't going to back down until he
put me through to his supervisor (which was arrived at by five to ten
minutes of arguing with me), he finally did put his supervisor on the
phone.

His supervisor said that interception of email happened very
rarely and therefore it wasn't a concern. I told him different and
told him I was very shocked that they would suggest to their customers
to send something as sensitive as a picture ID over an insecure
medium.

Finally, he let me go to their ticket system under secure
sockets and attach it to a trouble ticket.

I told him that they needed to rewrite the policy and not have
their CSRs telling people to send something like that over an insecure
medium. He said that you could mark the ID number and other sensitive
information out when you sent it. And he pointed out that he had as
an alternative let me send it to them via a secure medium.

I pointed out to him that they never gave me that option until
I got on the phone with him and that they shouldn't be telling their
customers to send something like that over an insecure medium. I
suggested they change their policy immediately. It didn't sound to me
like they were interested in doing it.

I can't believe that a high tech company would be that
ignorant of proper Internet security practices.

Regards,



Fred

The little lost angel

2007-03-28, 7:19 pm

On Wed, 28 Mar 2007 12:30:01 -0400, Fred Atkinson
<fatkinson@mishmash.com> wrote:
>
> I told them I would fax it but that I was not about to send my
>picture ID over an insecure medium. He told me that they could not
>accept it via FAX. I told him that email was unacceptable.


Wouldn't it have been easily solved by sending the picture ID using a
password protectable container like .zip/.rar and email using SSL?

--
A Lost Angel, fallen from heaven
Lost in dreams, Lost in aspirations,
Lost to the world, Lost to myself

Andy Dingley

2007-03-28, 7:19 pm

On Wed, 28 Mar 2007 18:13:20 GMT, a?n?g?e?l@lovergirl.lrigrevol.moc.com
(The little lost angel) wrote:

>Wouldn't it have been easily solved by sending the picture ID using a
>password protectable container like .zip/.rar and email using SSL?


PGP rather than Zip please!
And then you can send it by carrier pigeon, not just SSL.

Besides which, why do they need a picture of you when they have no way
to verify it? That's not authentication, it's audit trail in case you
turn out to be a spammer in the future. So how can they know just whose
photo it was? Anyone got any Spamford Wallace clip art?

Andy Dingley

2007-03-28, 7:19 pm

On Wed, 28 Mar 2007 12:30:01 -0400, Fred Atkinson
<fatkinson@mishmash.com> wrote:

> I can't believe that a high tech company would be that
>ignorant of proper Internet security practices.


I needed to send some code off for escrow a while back, which involved
PGP to both sign it and to encrypt it for transmission. The escrow
provider is a major name in UK IT, a body of almost governmental stature
that grew out of academia (and they have the world's ugliest building,
which looks like a white tiled-brick fridge).

They were happy to send me their public key _after_ I'd signed an NDA!!

(And for crypto they use an unregistered copy of PGP, which further
dents their credibility)

Dick Gaughan

2007-03-28, 7:19 pm

In <pssl03tkega2sv33pvgu0gqj14fcm58g0q@4ax.com> on Thu, 29 Mar
2007 00:03:11 +0100, Andy Dingley <dingbat@codesmiths.com> wrote:

>Anyone got any Spamford Wallace clip art?


Now there's a name I haven't seen in many a year. He still alive?

--
DG

Andy Dingley

2007-03-28, 11:18 pm

On Thu, 29 Mar 2007 00:16:56 +0100, Dick Gaughan <usenet@gaelweb.co.uk>
wrote:

>
>Now there's a name I haven't seen in many a year. He still alive?


Regrettably:
http://www.theregister.co.uk/2007/0..._sues_spamford/


--
Die Gotterspammerung - Junkmail of the Gods

Dick Gaughan

2007-03-28, 11:18 pm

In <sqvl03hg0f9vqq5j9ok13oc32sb7h2k38r@4ax.com> on Thu, 29 Mar
2007 00:51:13 +0100, Andy Dingley <dingbat@codesmiths.com> wrote:

>On Thu, 29 Mar 2007 00:16:56 +0100, Dick Gaughan <usenet@gaelweb.co.uk>
>wrote:
>
>
>Regrettably:
>http://www.theregister.co.uk/2007/0..._sues_spamford/


Thanks for that.

Ruined my day, though. Not having seen or heard of him since his
cyberpromo days, I'd always hoped he'd died or become a nun.

--
DG

Andy Dingley

2007-03-29, 7:17 am

On 29 Mar, 02:53, Dick Gaughan <use...@gaelweb.co.uk> wrote:

> [Spamford Wallace]


> I'd always hoped he'd died or become a nun.


I'd been hoping for a eunuch

SpaceGirl

2007-03-29, 7:17 am

On Mar 28, 5:30 pm, Fred Atkinson <fatkin...@mishmash.com> wrote:
> I have a hosting provider that I have been using for a while.
> I wanted shell access to my account. I was told that I would have to
> email a picture (they did not say picture ID) with an email request to
> have this access enabled.


<snip>

My American co-lo host required photo ID when we bought our rack
space. I paid with a personal credit card. I had no problem sending ID
over email - I first PhotoShopped out the passport number and other
important information. That seemed fine for them.

Els

2007-03-29, 7:19 pm

SpaceGirl wrote:

> My American co-lo host required photo ID when we bought our rack
> space. I paid with a personal credit card. I had no problem sending ID
> over email - I first PhotoShopped out the passport number and other
> important information. That seemed fine for them.


So, what good is an ID if it can be PhotoShopped first? :-)

--
Els http://locusmeus.com/

SpaceGirl

2007-03-29, 7:19 pm

On Mar 29, 1:26 pm, Els <els.aNOS...@tiscali.nl> wrote:
> SpaceGirl wrote:
>
> So, what good is an ID if it can be PhotoShopped first? :-)
>
> --
> Els http://locusmeus.com/



LOL. Well, I didn't like the idea of passing my passport number
around. They didn't need to know that. They had my credit card
details, and my photo id. I could easily have PhotoShopped photo ID
from scratch :) And I have been known once or twice to do that when
required :P (Handy having a photo printer and laminator...)

Els

2007-03-29, 7:19 pm

SpaceGirl wrote:

> On Mar 29, 1:26 pm, Els <els.aNOS...@tiscali.nl> wrote:
>
> LOL. Well, I didn't like the idea of passing my passport number
> around. They didn't need to know that. They had my credit card
> details, and my photo id.


Exactly - they *think* they have your photo ID. It could easily be
your neighbour's ID with your aunt's photo on it :-)
The only thing they really know they have, is a credit card number.
They can't be sure it's yours though.

> I could easily have PhotoShopped photo ID
> from scratch :) And I have been known once or twice to do that when
> required :P (Handy having a photo printer and laminator...)


Bad girl!! <g>

--
Els http://locusmeus.com/

SpaceGirl

2007-03-29, 7:19 pm

On Mar 29, 2:00 pm, Els <els.aNOS...@tiscali.nl> wrote:
> SpaceGirl wrote:


> Exactly - they *think* they have your photo ID. It could easily be
> your neighbour's ID with your aunt's photo on it :-)
> The only thing they really know they have, is a credit card number.
> They can't be sure it's yours though.


All this time they've been billing my poor neighbour for my hosting :P

>
> Bad girl!! <g>


Sometimes, media-passes are a killer to get in time... even if you are
part of the event!
