When will Online Retailers get it

By radar bunny in Op-Ed
Mon Dec 11, 2000 at 03:27:18 AM EST
Tags: News (all tags)
News

OK, this isn't a new debate, and by now it should almost be dead, but so far no one gets it. Haven't online retailers figured out that they need to design their services with security and privacy in mind? Well, no. At least not from what I just found out after buying something at wwf.com, who seem content to leave your information out in the open for all to see.

Update [2000-12-12 13:21:27 by rusty]: It has been incorrectly reported that this story is related to iCommerce and AutomatedShops.com's "ShopZone" software. This is not true. Whatever WWF ShopZone is running, it is not the aforementioned software of the same name. Any information on what ecommerce system they are running would be appreciated.


I just got something for my dad for Christmas at wwf.com. After the purchase they send me an email with a confirmation/tracking number and a neat little URL I can go to and see the status of my order. The URL works like this:

http://www.wwfshopzone.com/receipt.asp?order_id=xxxxxxx
where the xxxxxxx is a 7-digit number (my tracking number)

OK, so I get curious and have to wonder, "surely a major site like this isn't stupid enough to make it that easy to view other people's personal information, right??"
WRONG!!!

I take my number and subtract a single damned digit and there is the order placed before mine with not only the order number, but what was ordered, the name of the person who placed the order, and even -- yes -- their home address. So I play a little more and here's basically what I discovered.

You take the 7-digit tracking number xxxxxxx:
The first X is 2-4.
The 2nd X seems to always be a zero.
From there all bets are off. It's not completely sequential, but if you start at 2000000 and count up, it won't take long to see what I mean here.

The scariest/dumbest thing I found is orders dating back to March 13, 1999. Now why the hell would a web site need to keep year-and-a-half-old info stored in a manner that is visible through a web browser?

When are companies going to learn that they need to take better care of the private information of their customers? And, when are they going to learn that even then, personal information doesn't need to be stored in such a manner for extended periods of time? I mean, once the order has been delivered, can't that information be stored in a more secure manner? Or, why couldn't they at least have password-protected this information? When I registered with them, I had to choose a password; now I wonder why I needed to bother.

Well, what do you guys think? And more importantly, how many of you are going to be shopping online for Christmas?

On a side note, I put this under news because to my knowledge, no one else has discovered this about the site in question - wwf.com. In other words, you heard it here first. And I put it under op-ed because there is no RANT! section any more.
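The flaw in the story is a receipt lookup keyed only by a guessable, roughly sequential order number. The following added example (not code from wwfshopzone.com or the original post; the order table, account names and handler names are constructed) shows that pattern beside two fixes a site owner could apply: tying the receipt to the logged-in account that placed the order, and issuing an unguessable tracking token for the emailed link. It also includes a small self-audit that counts how many orders an unauthenticated caller can read through a given handler.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Order:
    """One row of a hypothetical order table (constructed sample data)."""
    order_id: int
    customer: str                      # account that placed the order
    name: str
    address: str
    items: List[str]
    # 128-bit random token for the emailed tracking link; never sequential.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample orders with the "2-0-xxxxx" shape described in the story.
ORDERS: Dict[int, Order] = {
    2000001: Order(2000001, "alice", "Alice A.", "1 Main St", ["T-shirt"]),
    2000002: Order(2000002, "bob", "Bob B.", "2 Elm St", ["Action figure"]),
    2000003: Order(2000003, "carol", "Carol C.", "3 Oak St", ["Video tape"]),
}


class Forbidden(Exception):
    """Raised when a caller may not see the requested receipt."""


def _receipt_view(o: Order) -> dict:
    return {"order_id": o.order_id, "name": o.name,
            "address": o.address, "items": list(o.items)}


def receipt_vulnerable(order_id: int) -> dict:
    """The pattern the story describes: the order number is the only
    input, so changing it by one reveals someone else's receipt."""
    o = ORDERS.get(order_id)
    if o is None:
        raise KeyError(order_id)
    return _receipt_view(o)


def receipt_fixed(order_id: int, session_user: Optional[str]) -> dict:
    """Fix 1: require a logged-in session whose account owns the order.
    Missing and foreign orders fail identically so the handler cannot be
    used to confirm which order numbers exist."""
    if session_user is None:
        raise Forbidden("login required")
    o = ORDERS.get(order_id)
    if o is None or not hmac.compare_digest(o.customer, session_user):
        raise Forbidden("no such order for this account")
    return _receipt_view(o)


def receipt_by_token(token: str) -> dict:
    """Fix 2: for a login-free tracking link, look the order up by its
    random token instead of the sequential id. Guessing a valid token
    is infeasible, unlike counting up from 2000000."""
    for o in ORDERS.values():
        if hmac.compare_digest(o.token, token):
            return _receipt_view(o)
    raise Forbidden("unknown receipt token")


def count_readable_without_login(handler: Callable[[int], dict],
                                 ids: Iterable[int]) -> int:
    """Self-audit for a site owner: how many of the given order ids does
    this handler expose to a caller with no session at all?"""
    readable = 0
    for oid in ids:
        try:
            handler(oid)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    ids = range(2000000, 2000010)
    print("vulnerable:", count_readable_without_login(receipt_vulnerable, ids))
    print("fixed:", count_readable_without_login(
        lambda oid: receipt_fixed(oid, None), ids))
    print("alice via token:", receipt_by_token(ORDERS[2000001].token))
```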

When will Online Retailers get it | 57 comments (55 topical, 2 editorial, 0 hidden)
compromise (3.00 / 13) (#1)
by www.sorehands.com on Mon Dec 11, 2000 at 12:34:02 AM EST

As a rule, the more convenient to use, the more convenient to hack. Now, I don't mean hack in the sense of breaking into the computer -- but an unauthorized person getting useful information.

Having cookies in Yahoo makes it easier for someone to log out at a public computer, allowing others access. But it saves you from having to log in at home every time you look at your portfolio.



------------------------------------------------------------------------------
http://www.barbieslapp.com
Mattel, SLAPP terrorists intent on destroying free speech.
-----------------------------------------------------------

Public computers (4.00 / 3) (#43)
by kallisti on Mon Dec 11, 2000 at 07:00:40 PM EST

When I had just moved to California, I was relying on library public computers for email and such. I found that the librarians had locked out the ability to flush the cache or erase cookies. I couldn't even get rid of the history list, so everything I saw could be seen by the next person.

I suppose they did this to avoid "hackers" or something, and I don't use public computers except as a last resort, but what about those people who don't have any other access?

[ Parent ]

Privacy Statement (3.92 / 14) (#2)
by rusty on Mon Dec 11, 2000 at 01:10:10 AM EST

First, I have confirmed that this article is true. At least they don't show your credit card number. But full name, address, and contents of the order are all right there. Lovely.

Ironically, right on the first page of their ShopZone is the statement:

Don't feel comfortable ordering online? Call xxx-xxx-xxxx to place your order or click here for more information.
Matter of fact, I don't think I feel so comfortable ordering online anymore.

____
Not the real rusty
phone number (3.83 / 6) (#3)
by radar bunny on Mon Dec 11, 2000 at 01:17:35 AM EST

I came within an inch of just doing that but would have to wait until tomorrow to talk to someone and order, and that would mean the order probably wouldn't go out until Tuesday. I have no idea what else to get my dad, and I wanted to make sure it got here in time. Should have planned ahead and ordered a month ago--- sighs. Well, live and learn.



[ Parent ]
make or break? (3.83 / 6) (#5)
by rusty on Mon Dec 11, 2000 at 01:26:47 AM EST

All the TV pundits are calling this the "make or break" season for online retailing. From what I've seen so far, it looks like "break". I think a lot of people are learning similar lessons around now, which doesn't bode well for the online retail industry.

____
Not the real rusty
[ Parent ]
break (3.85 / 7) (#6)
by radar bunny on Mon Dec 11, 2000 at 01:36:08 AM EST

CNN did a story today about all the online retailers going belly up and they made a loose reference to http://www.fuckedcompany.com/ -- making a point that they couldn't say the website's name.

Personally, I think that it's kinda a break. I think most successful online retailers are going to figure out that the net was originally built around the concept of sharing information and that is where they will take their web sites. For example, if you go to bestbuy.com or compusa.com you can buy all kinds of items off their web sites. Also though, you can look up and find out different information about (and prices on) various items. Also, you can type in your zip code and they will tell you which stores have the item in stock. Notice the information aspect here. I think this is where the future of online retailers will go. There will always be exceptions though.



[ Parent ]
More Information (3.33 / 3) (#22)
by Kartoffel on Mon Dec 11, 2000 at 12:18:39 PM EST

Also though, you can look up and find out different information about (and prices on) various items. Also, you can type in your zip code and they will tell you which stores have the item in stock.

Yup. That's the nicest thing about CompUSA. They're not my favorite retailer, but it's super nice to be able to walk into the store already knowing that they have exactly 7 of SKU#12345 on hand.

[ Parent ]

break?! what does that mean? (3.40 / 5) (#26)
by Cuthalion on Mon Dec 11, 2000 at 01:51:01 PM EST

So what, if things work out badly, after this holiday season everyone's going to entirely abandon the notion of online sales? Perhaps this season is going to see either the rapid acceleration or minor setbacks in the field of online commerce, but ... make or break? come on...

[ Parent ]
granted (3.60 / 5) (#29)
by rusty on Mon Dec 11, 2000 at 02:09:02 PM EST

Granted that's the normal TV-news moronspeak. God knows what's in their heads when they say "make or break", but what it means to me is, we're going to see a lot of online retailers close up shop after Christmas this year. FC will be jumping in January, I tell you. And why? Because people have finally figured out that there is no "new economy". It still costs a lot of money to ship 50 lbs. of dogfood, and selling products below cost is not a viable business plan ever, anywhere, for anyone, online or off.

No, selling things online will not go away. But the bloom is off the rose, and the morons.com have had their day. I think next year we'll start to see ecommerce return from the land of make believe, and start being treated like any other new business. Theoretically, this could be a banner season for online sales, and confirm all the rosiest analyst predictions, but the early returns are saying that's not happening. That's what I mean when I say "make or break".

____
Not the real rusty
[ Parent ]

The Flaw... (4.00 / 3) (#35)
by kagaku_ninja on Mon Dec 11, 2000 at 03:47:18 PM EST

Online businesses do not have to charge sales taxes (for out of state purchases; guess what my first criteria is when selecting an online retailer?). They can also locate in inexpensive parts of the country then ship to California. I happen to live in one of the most insane real estate markets in the US, and all local merchants have to pass that cost on to consumers.

I have made a number of successful online purchases and saved buckets of cash. Certain items, such as computer hardware and music gear, I now buy almost exclusively online. It works for some industries and not for others...

[ Parent ]
Sales Tax vs. Use Tax (4.00 / 1) (#51)
by nstenz on Tue Dec 12, 2000 at 12:08:32 PM EST

I also love shopping online so I can avoid sales tax if the shipping and handling doesn't make up for it and then some...

However- in most states, you have to declare everything you've bought from out of state and pay taxes on them if you haven't paid sales tax from the other state. It's called a 'use tax', and it's the states' way of getting around the freedom of interstate trade provided for by the Constitution. I feel the use tax is unconstitutional, but I can't guarantee someone won't hunt me down if I don't pay it, sooo... Tough decision. However... most people filling out their taxes probably don't pay much attention to that part of the form.

I wonder how much more money the states would rake in if everyone paid up?



[ Parent ]
bugtraq anyone? (4.21 / 14) (#8)
by bgalehouse on Mon Dec 11, 2000 at 02:52:37 AM EST

Most of the website problems announced on bugtraq have been regarding online trading accounts. (cross-site scripting attacks are persistent problems) While this might seem tame in comparison, it is probably still worth posting there.

It might also be worth sending a note to their security email address. If you call it a security problem and they blow it off, going full disclosure is considered more than reasonable by most people. On the other hand, some people do believe in not making public announcements without having given warning. How much is reasonable, and the strict necessity for this, is the subject of much debate.

Now, the totally cool thing to do would be to see if they are using a third party shopping cart engine. That would definitely be bugtraq material, especially if it had a large user base.

oh dear... (3.23 / 13) (#9)
by 31: on Mon Dec 11, 2000 at 03:01:18 AM EST

for 2 reasons... 1, that's terrible... 2... just wait till they say 'oh no! We got hacked by kuro5hin.org!'.

That's right, right now 1000s of "hackers" have gained the personal information of users of the popular site, wwfshopzone.com. While there hasn't been an official response, it can only be assumed that there is tacit acceptance of this sort of hacking, as the operator of the popular website, who goes by the alias 'rusty' voted the story be shown.

And neat, I found a canceled order that's still up there... I feel like I ought to have just broken a law...

-Patrick
oops (2.50 / 2) (#10)
by 31: on Mon Dec 11, 2000 at 03:02:32 AM EST

that second 'popular website' ought to have been kuro5hin... time for sleep...

-Patrick
[ Parent ]
Write a book! (3.00 / 13) (#11)
by job on Mon Dec 11, 2000 at 03:05:56 AM EST

They'll probably never get a clue on this. The embarrassing thing is that this shop isn't designed by the sales-droids. There is some programmer who made this stupid mistake, probably due to a lack of understanding of what he was writing and blindly following an imperfect spec.

And specs are imperfect. Always. So what is there to do? Write a good book! A book that'll tell people what to think about when going online. No good such books exist (I'm probably wrong here so please correct me) which have a technical perspective on how to build these businesses and what mistakes to avoid.



A good book? Right here. (none / 0) (#46)
by svanegmond on Mon Dec 11, 2000 at 08:47:27 PM EST

Philip and Alex's Guide to Web Publishing. Philip published his methodology and source, and is chairman of a 200-person, cool-ass, god-damn-I-wish-they-had-a-Toronto-office company called ArsDigita.
-- Steve van Egmond http://svan.ca/
[ Parent ]
Genepool (3.55 / 9) (#12)
by Nickus on Mon Dec 11, 2000 at 04:19:43 AM EST

This relates a little to the article about thinning of the programmer gene pool. Bad programmers tend not to think about all issues, especially not security issues. And this is the result.

I wrote a weblog system a couple of weeks ago and even though it won't be used extensively anywhere I really considered security aspects. It takes a little longer but it also means you have to think through every aspect of your program. But then again, I probably missed a lot :-).



Due to budget cuts, light at end of tunnel will be out. --Unknown

A view from the inside (4.73 / 19) (#13)
by seb on Mon Dec 11, 2000 at 06:27:52 AM EST

Until recently I worked for a high-profile international web agency, which I won't name, but it wasn't agency.com. The standards there were shocking. One of the last projects I worked on was for a large sports brand ($millions deal). Here are some highlights from the project:
  • the password on the database which contained customer details was "password"
  • the sysadmin employed by the sports company to run the boxes for the site had never heard of Apache nor did he know how to add a route to the routing table
  • it turned out that the 3rd party who supplied us with the newsfeed had never supplied it in xml before
  • it also emerged that the fulfillment company who did everything from credit card validation to delivery had never used xml either (and xml was part of our design from the beginning). They were also an international brand but their software was cobbled together badly from various third party components. They didn't know what a DTD was.
I could go on, but you get the drift. There was no weakest link in the chain that produced the final, ropey result: every single link was dubious.

Of course, my company made most of the third-party decisions, so I think that these failures are entirely their responsibility. The problem was, the company just didn't understand how critical their software was to their success. Their focus was on strategic partnerships, client-partners, project managers, brand specialists, etc blah etc. Sure, the quality of the techies was not of the highest quality (in some cases it was downright embarrassing), but this was not the root of the problem. There was a fantasy world built up around what we were doing. Contrary to what the management believed, we weren't building end-to-end digital change solution strategies; we were making websites. Yet the people who actually made the websites, the designers and programmers, were way down at the bottom of the food chain.

In short, I don't believe that the quality of programmers is the root of the problem. The problem is a dotcom mentality which prizes form over substance, which throws launch parties instead of investing in regression testing, which thinks a requirements document is an irritating formality but a free trip to Vegas for all its employees worldwide is a very important team-building exercise. Not surprisingly, this attitude is exactly what clients want to see (although I think they might wonder about the Vegas thing). No-one is taking any steps to show them, the people who are paying for these sites, that they're wrong. As a consequence, technology is not taken seriously and web projects are not treated like software engineering projects. As a further consequence, the screening of new software engineers is not thorough enough.

I'm not sure what can be done about this. I think the rest of the software world better understands that it is in the business of engineering, although this is by no means universally true. Can anyone older than me point to historical precedents for areas of software engineering 'growing up'? What were the motivators in such situations?

Growing up (3.50 / 4) (#23)
by pkej on Mon Dec 11, 2000 at 12:27:35 PM EST

I suspect that the following industries have grown up:

- auto industry
- home electronics industry

You never see an appliance crash its software, do you?

According to this Salon article there are some companies in India which are doing something about the problem with their methodology.

The problem is not taking responsibility for your failures. The auto industry was forced to take responsibility for its products. Today all software manufacturers throw licenses at you which relieve them from all and any responsibility for anything with regards to their software.

Laughingstocks, all of us.

[ Parent ]

This is becoming LESS true! (3.33 / 3) (#25)
by Cuthalion on Mon Dec 11, 2000 at 01:48:09 PM EST

You never see an appliance crash its software, do you?

Appliances are more and more complicated as their controls continue to move over to firmware and microcontrollers. What this means is: They crash!

I have had to reboot my stereo before.

As appliances gain the power and flexibility of computers, they also gain the associated headaches.

[ Parent ]
Do they need this power? (none / 0) (#59)
by pkej on Tue Dec 19, 2000 at 07:04:39 AM EST

Why should they have more computing power and complexity... Do we need it? Probably not. Do the companies need it? Yes, to sell new appliances.

That, of course, is a different discussion, which touches on many other problems.

[ Parent ]
Same old, same old (3.00 / 1) (#34)
by kagaku_ninja on Mon Dec 11, 2000 at 03:33:00 PM EST

Now I've finally read the Salon article, mentioned here multiple times, as well as on /. I found it ironic that in one paragraph, the author notes the importance of software quality guru Watt Humphries, then recounts personal experiences of computer glitches, all involving hardware. Those motherboards are most likely manufactured in Taiwan...

I don't want to dismiss the possibility entirely, of India eating our lunch. On the other hand, I remember back in the 80's, when Japan was going to take over the entire computer industry, thanks to their massive Fifth Generation Computing research project... (PROLOG! AI! Fuzzy Logic!) What happened to that? Fuzzy logic rice cookers seem to have been the most practical application.

This is about the fifth article I've read in the last year, with the common threads: ignored Cassandra Humphries (the "Deming of the software industry"), with comparison to the near death of the US auto industry (ignoring the fact that software isn't hardware). I get the impression that writers keep rediscovering old Ed Yourdon books and think this is current news...

Try reading Humphries book some time... Not an easy task.

[ Parent ]
Not exactly true (none / 0) (#57)
by twixel on Sat Dec 16, 2000 at 02:54:56 AM EST

>> You never see an appliance crash its software, do you?

My Sony TV occasionally refuses to listen to the remote. The only solution is to "reboot the TV".



[ Parent ]
Oh my... (3.22 / 9) (#14)
by Phil the Canuck on Mon Dec 11, 2000 at 08:59:28 AM EST

You see, this is why I never shop online. With the number of things that can go wrong, I just don't feel that I can risk it.

This baffles the people around me for some reason. They always say something like, "but you're a computer guy. You know all about this stuff". My response? "Exactly."

Stories like this make me feel oh so smart...

------

I don't think being an idiot comes with a pension plan though. Unless you're management of course. - hulver

Can't risk it? What's "it"? (2.75 / 8) (#18)
by Kaa on Mon Dec 11, 2000 at 10:42:22 AM EST

You see, this is why I never shop online. With the number of things that can go wrong, I just don't feel that I can risk it.

And what is it that you can't risk? $50 if your credit card company decides to be mean to you? And because of that you never shop online, right?

It always amazed me that people will readily give a credit card to a less-than-minimum-wage waiter in a restaurant to carry away and do something with it, but will get their panties in a bunch about the risk to their credit card if they buy something online.

Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.


[ Parent ]

Not just cc# (3.60 / 5) (#19)
by fvw on Mon Dec 11, 2000 at 11:02:32 AM EST

This company isn't even leaking your CC#, only name/address and what you bought. To me, my privacy is worth more than $50.

[ Parent ]
Privacy (4.00 / 5) (#20)
by Kaa on Mon Dec 11, 2000 at 11:14:57 AM EST

To me, my privacy is worth more than $50

Granted.

But you understand, of course, that your credit card issuer knows all purchases you make using its credit card. Your phone company knows exactly whom you call, when and for how long. Your ISP knows precisely which porn you download. Your bank knows how much money you have and in which patterns you spend it. Etc. etc. etc.

It is possible to be private in the current society, but it's hard and quite inconvenient. So I tend not to take seriously the online-privacy concerns of people who use credit cards.

[Cheap shot] And those who like WWF deserve all they get, anyway [/Cheap shot]



Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.


[ Parent ]

How much do they _know_ ? (3.33 / 3) (#21)
by yojimbo-san on Mon Dec 11, 2000 at 12:00:13 PM EST

... your credit card issuer knows all purchases you make using its credit card. Your phone company knows exactly whom you call, when and for how long. Your ISP knows precisely which porn you download. Your bank knows how much money you have and in which patterns you spend it

A slight calming down is in order. All these people have the ability to know these things about you. Some of them definitely do make use of that ability. Others do not.

Do not under-estimate the stupidity of "them" - in either direction. Some data-collectors will abuse the data they collect, and come to your attention. Some will not collect data that you expect them to, and come to your attention.

The bricks and mortar CD store who didn't know their own current inventory - they should have used their collected data. The targeted advertiser - they probably shouldn't have used the data available to them. The "government"? Most of them definitely aren't using the information they should, and are mis-using the data they shouldn't.

But don't go looking for the conspiracy where stupidity is a sufficient explanation.


Quick wafting zephyrs vex bold Jim
[ Parent ]

Need we remind you? (3.50 / 2) (#36)
by Miniluv on Mon Dec 11, 2000 at 04:13:51 PM EST

There have been articles all over about online retailers, and brick'n'mortar joints, abusing privacy recently. The thing is, none of this information is hard to gather, and it's already being done EVERY day. When I signed up for my credit cards, the day I got them I called to have my name removed from the myriad mailing lists and phone lists it's automatically added to. Credit card companies make money on a person something like four times for every transaction from what I've heard, and they do that by selling information that you agree to them being allowed to sell just by signing up for the card.
Credit bureaus do it too, and they have more information than the CC companies do. Equifax, for example, knows every credit card you have, how long you've had it, what addresses you've had it at, how much you spend on it, if you pay your bills, how much your car loan is, your student loans, your mortgage, your home equity loan, your checking account balance, your savings account balance, etc. That information is readily available too.
The only thing shopping online exposes you to is the risk of about a $50 fraud charge from the credit card company, because your privacy is violated far before that point. It's not a conspiracy, it's business as usual.
All that said, the violations aren't really that grievous, and while I might mind being called by telemarketers, I've learned to enjoy their calling by responding in turn and giving them good natured grief when they do call. Junk mail doesn't hurt me, not even seriously inconvenience me.
The only privacy violations I'd get worked up about are things of a far more personal nature, like my medical records, transcriptions of psychologist visits, things like that. Since those are few and far between, I don't stay up nights worrying, but I will be screaming if it ever happens to me.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]
re: privacy (3.50 / 2) (#40)
by fvw on Mon Dec 11, 2000 at 05:30:53 PM EST

Yes, _they_ have the info. However, _they_ don't publish it for all the net to see (most of the time anyway)

[ Parent ]
Wow. (5.00 / 1) (#42)
by Phil the Canuck on Mon Dec 11, 2000 at 06:56:22 PM EST

You really read a lot into my post. Scan it again for the words "credit" and "card". They're not there.

------

I don't think being an idiot comes with a pension plan though. Unless you're management of course. - hulver
[ Parent ]

Be afraid... (3.77 / 9) (#15)
by James Mulholland on Mon Dec 11, 2000 at 09:07:05 AM EST

I can confirm that all the companies I've worked for over the last couple of years (all involved with web stuff and e-commerce of some sort) have wide-open security flaws which could, if exploited, cause them considerable embarrassment, lose them money or get them into legal trouble. Or all three, of course.

The whole system is to blame: hasty programmers, ill-informed managers, the sheer greed of people who think they can make a quick buck from the naivete of web users. Then there are the clueless (or overworked) sys admins, the users who choose lousy passwords ... If you want to gain unauthorised access to information, reconfigure someone's router, crash or deface their web-server, you can do it. Just don't kid yourself you're some l337 h4x0R d00d, because you're not ;-)

BTW, I mailed these people to let them know what's going on. Despite the fact they've been a bit lame in causing the problems, it's generally good PR (for kuro5hin, at least) to let them know in advance of giving the info to the whole web...

I sense a trend. (3.00 / 2) (#17)
by Kartoffel on Mon Dec 11, 2000 at 10:25:10 AM EST

This is the second article I read just this morning that points out sloppy security and low quality in computer software. It's really disappointing to see how low the standards for quality are these days.

Sometimes stuff like this gets under my skin and I'll try to explain my concerns to friends or coworkers, but most of the time I cut myself short. I'm not terribly eloquent, and they're not always totally up to speed. Sometimes I worry about sounding like the unabomber or something, ranting about the corruption of our modern society. Sheesh. ;-)

Anyways, the lack of concern for quality really bothers me. If you're curious, the other discussion was over at the OpenBSD Journal, where they plugged an article in Salon called "High tech's missionaries of sloppiness".

[ Parent ]

Just Say No (3.36 / 11) (#16)
by Kartoffel on Mon Dec 11, 2000 at 10:15:16 AM EST

This is why I refuse to own a credit card. This is why I really don't like shopping online.

I retrieved real customer info from that WWF site on the first try. Just made up a fake number and voila, there was some guy's order for WWF merchandise.

Usually, when I want to purchase something I'll call the INDIVIDUAL who's selling it. That rules out 98% of the big faceless corporations. I usually know who the person is and how to reach them. I tell them the same info about myself, and we agree on a method of payment. Sometimes it's a check, sometimes money order or wire transfer. This method doesn't work with big business, but then again I have no real desire to buy something online.

Places like Amazon.com are really tempting but I have *always* been able to beat their prices significantly by shopping a local half-price bookstore. IF the half-price place doesn't have what I'm looking for, there's always Barnes & Noble or one of the other megastores.

One thing that would be nice is a large vending machine where you can buy music CDs. I had a bad experience with a brick & mortar music store the other day. The idiot staff could not tell me whether they had an album in stock, even after I told them the artist, album name, and label. What's the point of even having a physical store when you're staffing it with morons? It would be so much nicer to just walk up to a big box, search the database of what's inside the box, swipe a card or feed some bills into a slot, and retrieve your CD.

Thank you K5! (2.36 / 11) (#24)
by barzok on Mon Dec 11, 2000 at 12:47:23 PM EST

When I read this this morning, I almost brushed it aside. But then it got me thinking, and when I arrived at work, my fears were confirmed.

Thanks to all the folks who voted this story up to the front page and heightening my, and my co-workers', awareness of things like this.

So what? (2.40 / 10) (#27)
by GreenCrackBaby on Mon Dec 11, 2000 at 01:56:28 PM EST

Sure, the programmer was stupid. So what? Oh no...you can see a person's address and order...it's the end of the world!

I can use Yahoo Peoplefinder and locate everyone that I know in the US, most with full addresses. It's information that's already out there. And who cares that it is? So some marketing company gets your address...oh no, one more piece of spam to throw in the garbage. Is that really such a hard thing for people to do?

As it is, finding useful information through this bug is a crapshoot.

I really wish people would quit screaming that the sky is falling. Your personal information has long since been pillaged, get used to it.

It's not that someone can get your name & address (3.00 / 1) (#50)
by scratch on Tue Dec 12, 2000 at 12:03:22 PM EST

It's that your name and address are available at this site for all to see. If, for instance you're purchasing drugs for a disease you don't want your employer or insurer to know about, there's great reason for concern. It would be a trivial task to harvest this sort of data that's publicly available.

The idea behind privacy is that you have a right (which is steadily being eroded) to travel, shop, congregate, etc., without anyone logging that information and/or sharing it with others. An objection of "you can look up my address in a phone book" is analogous to saying you don't care if there are cameras recording your whereabouts because everyone knows what you look like.

[ Parent ]

Overblown (none / 0) (#53)
by GreenCrackBaby on Tue Dec 12, 2000 at 01:05:35 PM EST

If, for instance you're purchasing drugs for a disease you don't want your employer or insurer to know about, there's great reason for concern.

But that's not the case here, is it?

The idea behind privacy is that you have a right

You do? Where are you awarded this right?

If you don't want people to know what you are buying, then go in person and pay in cash. Otherwise, you left a trail of info that is available for others to get a hold of.

[ Parent ]

The items in question don't matter (WWF vs. drugs) (none / 0) (#55)
by scratch on Tue Dec 12, 2000 at 05:55:07 PM EST

You do? Where are you awarded this right? If you don't want people to know what you are buying, then go in person and pay in cash. Otherwise, you left a trail of info that is available for others to get a hold of.

Well, you can look at the Warren and Brandeis article "The Right to Privacy" in the Harvard Law Review.

I believe this sentence is particularly relevant: "The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others." (Look for footnote #16.)

Certainly living in today's world (at least in the US) in a way that provides as much privacy as one might like is very difficult to do. Using a credit card is required in many cases (reserving a hotel room, renting a car). Using a little shopping discount card at your local FOOD MART might save you some money. Perhaps neither one of these things or others on their own is really worth too much worry, but it's easier than ever for all the data collected about you to be synthesized into one global profile of you.

It's important to note that the examples in the paragraph above are only ways in which you're "voluntarily" providing data about your purchasing or travel habits. In the example originally identified by the author of this article the folks buying WWF action figures were not agreeing to share that data with the entire world.

The basic problem, I believe, is that an individual should own data about himself. In some countries this is the case. In America, however, you do not own data about you. It can be freely given away (or more likely, sold for a decent price). Again, on their own lots of these instances are no more than annoyances, but when combined the possibilities become much more troubling.

[ Parent ]

I just finished writing this sort of thing... (3.42 / 7) (#28)
by dragondm on Mon Dec 11, 2000 at 01:56:53 PM EST

I just finished writing exactly this functionality for a major e-commerce site Harry and David.

I can tell you, privacy of information was a MAJOR concern. You need to log in using a password to see your orders.

As far as the info being online for that long, that isn't surprising. Usually these systems simply pull their info from the company's internal database. As long as the company has them, the website has them. This is common, but it does mean that they MUST think about what info they are exposing.
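
The pattern the article describes (receipt.asp?order_id=N, where the ID alone is the key) beside the password-gated lookup described in the comment above, as an added example; this is not code from wwfshopzone.com or from Harry and David, and the order table, account names and the per-order token are constructed for illustration. The token variant goes beyond the comment: it keeps the emailed link usable without a login by pairing the sequential ID with an unguessable secret.

```python
"""Order-receipt lookup: the exposed pattern beside two hardened forms."""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int      # sequential, like the 7-digit number in the URL
    owner: str         # account that placed the order
    token: str         # unguessable per-order secret (hardened path only)
    items: Tuple[str, ...]
    ship_to: str


# Constructed sample data; real orders would live in the shop's database.
ORDERS = {}


def _seed():
    for oid, owner, items, addr in [
        (1000001, "alice", ("foam finger",), "1 Main St"),
        (1000002, "bob", ("action figure",), "2 Elm St"),
        (1000003, "carol", ("calendar",), "3 Oak St"),
    ]:
        ORDERS[oid] = Order(oid, owner, secrets.token_urlsafe(16), items, addr)


_seed()


class Forbidden(Exception):
    pass


def receipt_vulnerable(order_id: int) -> Optional[Order]:
    """The pattern from the article: whoever knows the number gets the receipt."""
    return ORDERS.get(order_id)


def neighbour_leaks(order_id: int) -> bool:
    """The check the author did: does order_id - 1 show someone else's order?"""
    return receipt_vulnerable(order_id - 1) is not None


def receipt_hardened(session_user: Optional[str], order_id: int) -> Order:
    """Require a login and check that the order belongs to that login."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    # Same error whether the order is missing or belongs to someone else,
    # so the endpoint does not confirm which IDs exist.
    if order is None or order.owner != session_user:
        raise Forbidden("no such order for this account")
    return order


def can_view(session_user: Optional[str], order_id: int) -> bool:
    """Boolean wrapper around receipt_hardened for callers that just need yes/no."""
    try:
        receipt_hardened(session_user, order_id)
        return True
    except Forbidden:
        return False


def receipt_by_token(order_id: int, token: str) -> Order:
    """For emailed links without a login: the ID must come with its random
    token, compared in constant time. Guessing the next ID is no longer enough."""
    order = ORDERS.get(order_id)
    if order is None or not secrets.compare_digest(order.token, token):
        raise Forbidden("bad receipt link")
    return order
```

The ownership check is the essential fix; the random token is defence in depth for the no-login convenience link, and neither replaces the other.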

its a good thing too.... (2.50 / 2) (#38)
by doormat on Mon Dec 11, 2000 at 05:10:09 PM EST

Man, am I glad you had privacy in mind when you did that site, because I just bought something from them last night and this article hit home...
|\
|/oormat

[ Parent ]
The real question is.. (2.00 / 15) (#30)
by xmutex on Mon Dec 11, 2000 at 02:20:31 PM EST

Why the hell are you buying WWF merchandise?

bullet the blue sky

Consumerism (3.33 / 3) (#39)
by Andrew Dvorak on Mon Dec 11, 2000 at 05:20:55 PM EST

Probably for the same reason anybody might buy anything with, say, logos featuring certain brands such as Nike, Adidas, Old Navy, NFL, NBA, NHL, MLB, NRA, etc. People purchase such recognizable brands and products to display their support for such an organization.

In addition, such identification allows others to recognize a common interest on which a discussion may even focus. Some call this a form of pressure one alleges to have been pushed upon oneself by one's peers, but I say it's a socialization factor designed to expand one's contacts.

-Ending my contribution to this thread so as not to lean too far from the main point of the article.

Copyright 2000, Andrew Dvorak



[ Parent ]
My privacy (2.37 / 8) (#31)
by k5er on Mon Dec 11, 2000 at 02:22:05 PM EST

This really isn't that big of a deal. Although I definitely want to maintain my privacy, a simple search in the yellow pages will tell anyone my address and phone number. It is my credit card information that I would definitely not want anyone to find. I am pretty sure most websites have this information under lock and key, as it is this kind of information, if lost or stolen, can and will get a company in trouble.
Long live k5, down with CNN.
You might.... (3.00 / 6) (#32)
by AndyL on Mon Dec 11, 2000 at 02:55:38 PM EST

You might be more concerned if people could find out that you bought WWF merchandise. :-)

[ Parent ]
For real.. (2.33 / 3) (#41)
by k5er on Mon Dec 11, 2000 at 05:38:31 PM EST

LOL, I agree with you there.
Long live k5, down with CNN.
[ Parent ]
I'd be concerned if they didn't notice... (none / 0) (#56)
by AdamJ on Tue Dec 12, 2000 at 08:24:11 PM EST

People figure out that I buy WWF merchandise when I walk around wearing it...

(Although most of the shirts lately have been pretty blah, IMO. They have a nice poster-sized 2001 calendar available right now, though.)

Adam

[ Parent ]

Link to UPS (3.33 / 6) (#33)
by pistols on Mon Dec 11, 2000 at 03:01:44 PM EST

Most interesting... the 'receipts' have links to the UPS tracking system... Which in turn contains:

NOTICE: UPS authorizes you to use UPS tracking systems solely to track shipments tendered by or for you to UPS for delivery and for no other purpose. Any other use of UPS tracking systems and information is strictly prohibited.

Wouldn't this get wwf in trouble for allowing anyone to track orders made through them? Or is it 'my' fault, for following their link (which made no reference to me not being permitted to)?

Re: UPS Tracking (3.00 / 1) (#37)
by Jay on Mon Dec 11, 2000 at 04:48:53 PM EST

What prevents somebody from going and typing the number into the UPS tracking system? Nothing.

[ Parent ]
Australian Business Number Details (4.50 / 6) (#44)
by 0x00 on Mon Dec 11, 2000 at 07:08:30 PM EST

There was an identical problem to this which occurred with the online registration for Australian Business Numbers (ABN) during the GST changeover. The "hacker", named Kelly, was able to gain access to the details of all businesses registered online by changing the number found in the URL, which looked like this:

http://www.abr.business.gov.au/asp/abndetail.asp?ABN=XXXXXXXXXXX

He proceeded to write a script to download many of the businesses' details, as they were all indexed consecutively. Around 27,000 businesses had registered online already.

After obtaining a large proportion of the details he contacted the ABC radio station, and many of the businesses whose details he had obtained, to tell everyone about the exploit. The site was taken down immediately, while the media frenzy erupted. An investigation occurred, the Federal Police became involved and Kelly was basically blamed for pointing out a security flaw.

Although Kelly's intentions appear ethical, I don't believe he went about the exposition in the correct manner. He drew too much attention to himself, most likely intentionally. Rather than going straight to the media he should have notified the site administrators or someone with the power to have it fixed. The public does need to know, but wait until they have a chance to fix the problem.

His other big mistake was to download as many business details as he could. This was not required to prove the point that they could be accessed and only further aroused suspicions of more devious motives.

If you are going to expose flawed systems such as the ABN registration and now the WWF order forms, please take time to think about the consequences of announcing it to the public first and whether this is the best option. People will often over react when they don't truly understand what has happened.

--
0x00

Clowns designing secure webpages. Other Clowns believing they are secure.
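
Both the ABN case and the WWF receipt page are walked the same way: one client requesting consecutive IDs. The detection below is an added example for the site operator's side, not tooling from the article or from either site; the access log lines are constructed in Apache common log format using the receipt.asp URL shape the article describes, and the thresholds (four consecutive IDs, four distinct IDs) are assumptions to tune against real traffic.

```python
"""Flag clients that walk a sequential order_id space in a web access log."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Common log format: ip ident user [ts] "METHOD url proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one enumerator, one ordinary customer, one client
# who looks at two of their own orders a week apart in the ID space.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2000:13:01:02 -0500] "GET /receipt.asp?order_id=1000042 HTTP/1.0" 200 1834
203.0.113.5 - - [11/Dec/2000:13:01:03 -0500] "GET /receipt.asp?order_id=1000041 HTTP/1.0" 200 1790
203.0.113.5 - - [11/Dec/2000:13:01:04 -0500] "GET /receipt.asp?order_id=1000040 HTTP/1.0" 200 1811
203.0.113.5 - - [11/Dec/2000:13:01:05 -0500] "GET /receipt.asp?order_id=1000039 HTTP/1.0" 200 1803
203.0.113.5 - - [11/Dec/2000:13:01:06 -0500] "GET /receipt.asp?order_id=1000038 HTTP/1.0" 200 1799
198.51.100.7 - - [11/Dec/2000:13:02:10 -0500] "GET /receipt.asp?order_id=1000100 HTTP/1.0" 200 1820
198.51.100.7 - - [11/Dec/2000:13:02:15 -0500] "GET /images/logo.gif HTTP/1.0" 200 4210
192.0.2.9 - - [11/Dec/2000:13:03:00 -0500] "GET /receipt.asp?order_id=1000200 HTTP/1.0" 200 1830
192.0.2.9 - - [11/Dec/2000:13:04:00 -0500] "GET /receipt.asp?order_id=1000207 HTTP/1.0" 200 1830
"""


def order_ids_by_client(log_text: str) -> Dict[str, List[int]]:
    """Map client IP -> order_id values it requested from receipt.asp, in log order."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        url = urlsplit(m.group("url"))
        if url.path != "/receipt.asp":
            continue
        ids = parse_qs(url.query).get("order_id")
        if ids and ids[0].isdigit():
            seen[m.group("ip")].append(int(ids[0]))
    return seen


def longest_step_run(ids: List[int], max_step: int = 1) -> int:
    """Longest run of back-to-back requests whose IDs differ by 1..max_step
    in either direction (the article's author counted downwards)."""
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if 0 < abs(b - a) <= max_step else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text: str, min_run: int = 4, min_distinct: int = 4) -> Dict[str, int]:
    """Return {ip: longest_run} for clients that look like they are walking the ID space."""
    flagged = {}
    for ip, ids in order_ids_by_client(log_text).items():
        run = longest_step_run(ids)
        if run >= min_run and len(set(ids)) >= min_distinct:
            flagged[ip] = run
    return flagged
```

A customer legitimately sees one or two of their own IDs; a run of adjacent IDs from one address is the signature of the walk described in both stories, and is worth alerting on even before the lookup itself is fixed.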

Full Disclosure of security vulnerabilities (3.75 / 8) (#45)
by unstable on Mon Dec 11, 2000 at 07:22:27 PM EST

Posting a security problem is a good idea... but you need to remember the consequences of your actions.

I believe that what you did was right (in posting this information) but there are a few steps that you could (should?) have taken before you posted this.

  • 1: The site administrator should have been contacted and advised that
    • a: there is a problem
    • b: you know about this problem
    • c: you are going to make this problem public information
  • 2: There should be ample time allowed for said problem to be fixed
  • 3: Then you should post this information

By following this method you not only can cause the hole to be fixed, ensuring that the users' privacy is protected (a bit more at least), but you don't expose them any more than they already are. By posting this without the admin being notified you have now exposed a hole to thousands of people whose motives you do not know.

Although I believe that the majority of K5 users will not use any of this information, I am sure that there are a few that are not so well behaved, and it's those few that can do real damage with knowledge of a security hole.

but by notifying the admin he can plug the site and maybe he will start to "get it" as the article says. After all how are they supposed to learn how to run a site if nobody tells them they screwed up?

There is a nice article at the L0pht that explains one group's take on full disclosure and the need and methods they use.





Reverend Unstable
all praise the almighty Bob
and be filled with slack

hah! too late. (3.00 / 4) (#48)
by monkeyfish on Mon Dec 11, 2000 at 11:33:03 PM EST

i already have devious plans in mind to get a list of wwf merchandise buyers in my area and arrive on their doorstep in the guise of their favorite wrestler. i shall force them to treat me like a god, and even beat them a little bit. the irony is they will like it, since i will be The Rock, or Stone Cold to them. (you raise good points.)

[ Parent ]
Interesting phenomenon (3.00 / 4) (#47)
by smartbomb on Mon Dec 11, 2000 at 11:27:35 PM EST

Hmm, I wonder.. is this a bit like having an open street where it's practically free for just about anyone to set up a food cart without any kind of license? So you have a few real chefs, and then hordes of hack cooks who don't know what they're making, without a clue about being sanitary.

So the $1,000,000 question is: once people start getting poisoned (and they will), what will their response be?


Curious question: Any gurus know if it would be possible to send some kind of encrypted object rather than, say, bare emails, credit card info, etc., to order something online? So that if it resurfaced somewhere it shouldn't, you could trace it back to where you originally submitted it? Then the company that leaked it could be held accountable. Maybe something like this exists already and the public just needs to be made aware?

Possible for email addresses (none / 0) (#58)
by mesh on Sun Dec 17, 2000 at 09:22:25 AM EST

As for credit cards etc. I can't really see a way around it, though for other details (addresses, names etc.) you can put your own "token" into their data. Give a false middle name, or give your address as Joe Bloggs c/o "tracking id here".

For email addresses, get a domain name or free subdomain, and give out email address as "companynamehere@mydomain.org". Very nice for tracking spam-supporters.

[ Parent ]
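
The tagging idea in the comment above, as an added example rather than anything from the article: one identifier per company, so that when a copy surfaces elsewhere you know who let it go. It goes one step past the plain "companyname@mydomain.org" form: the local part carries a short HMAC over the company label under a key only you hold, so nobody can fabricate a tagged address to frame a company that never received one. The domain, company names and key are constructed.

```python
"""Per-company tagged identifiers that attribute a leak and resist forgery."""
import hashlib
import hmac
from typing import Optional

DOMAIN = "mydomain.example"        # assumed: a domain you control
KEY = b"constructed-demo-key"      # constructed; in real use keep it secret
TAG_LEN = 8                        # hex chars of the HMAC kept in the address


def _tag(label: str, key: bytes) -> str:
    return hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def tagged_address(company: str, key: bytes = KEY) -> str:
    """Email address to hand to one company, e.g. wwfshopzone-1a2b3c4d@mydomain.example."""
    label = company.lower().replace("@", "").replace(" ", "")
    return f"{label}-{_tag(label, key)}@{DOMAIN}"


def tagged_care_of(name: str, company: str, key: bytes = KEY) -> str:
    """Same idea for a postal address line, as the comment suggests: Joe Bloggs c/o <tag>."""
    local_part = tagged_address(company, key).split("@", 1)[0]
    return f"{name} c/o {local_part}"


def attribute_leak(address: str, key: bytes = KEY) -> Optional[str]:
    """Given an address that turned up somewhere it should not have, return the
    company it was issued to, or None if it is not ours or the tag was forged."""
    local_part, _, domain = address.strip().lower().partition("@")
    if domain != DOMAIN:
        return None
    label, sep, tag = local_part.rpartition("-")
    if not sep or not label:
        return None
    # Constant-time compare so timing does not reveal how much of a guess matched.
    return label if hmac.compare_digest(_tag(label, key), tag) else None
```

Because the tag is derived from the label rather than stored, you do not need a table of every address you ever gave out; a valid tag on an unknown label still tells you the leak came through something you issued.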

WWF eCommerce Mgr: MS Site Server, config bug (5.00 / 1) (#54)
by kmself on Tue Dec 12, 2000 at 04:14:11 PM EST

I spoke with the WWF's eCommerce manager. According to her, the site is based on Microsoft Site Server, they are aware of the breach, the personal information security breach was the result of a local design or configuration, and not part of MS SS, and the issue has been fixed.

WWF ShopZone is not associated with the similarly named ShopZone software, iCommerce, or AutomatedShops.com. There is no relationship between these firms and products and this issue.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

When will Online Retailers get it | 57 comments (55 topical, 2 editorial, 0 hidden)