TulipTools Internet Business Owners and Online Sellers Community

Full Version: PlunderHere and AlsoShop: A Web of Privacy Violations, Backstabbing, and Deceit
River Rat, whether or not Sneaky knew and didn't bring it up until now really doesn't matter where you are concerned. The fact is that attempting to place Sneaky on the defensive is not going to absolve you of blame for what you did.

What you did was to knowingly put all users of thetraderspost.com at risk by refusing to purchase a decent script so that an SSL could be installed. That is highly unethical, no matter how many mitigating factors you throw out there. It was dead wrong.

Sneaky is not wrong. You are. Stop trying to shift the topic to her. It is boinking ticking me off.
[quote author=BellisimaJ. link=topic=9139.msg71135#msg71135 date=1215396949]
River Rat, whether or not Sneaky knew and didn't bring it up until now really doesn't matter where you are concerned. The fact is that attempting to place Sneaky on the defensive is not going to absolve you of blame for what you did.

What you did was to knowingly put all users of thetraderspost.com at risk by refusing to purchase a decent script so that an SSL could be installed. That is highly unethical, no matter how many mitigating factors you throw out there. It was dead wrong.

Sneaky is not wrong. You are. Stop trying to shift the topic to her. It is boinking ticking me off.
[/quote]

Belle...I'm not sure where you keep thinking I'm trying to shift any blame anywhere.  I simply wanted to know why there is a sudden interest in what I do.

Agreed there should have been SSL on the site.  That's why we told everyone up front there wasn't.  The only information submitted to us was the same info most online sellers have posted on their Website 'Contact Us' page...Name, address, phone number and email address. 

I personally have this information on every one of my sites, as well as on all of my domain registrations.

It's not like I posted pictures of someone else's children on the internet just so they would quit saying stuff about me.  So let's not even go down the 'ethical' path, ok?

That being said, you want to continue to vilify me over this, go right ahead. 
[quote author=RiverRat link=topic=9139.msg71141#msg71141 date=1215398934]


Belle...I'm not sure where you keep thinking I'm trying to shift any blame anywhere.  I simply wanted to know why there is a sudden interest in what I do.[/quote]

I didn't say that you were trying to shift blame. I said that you were attempting to place Sneaky on the defensive. What I didn't say, but intended, was that you were doing it to divert attention from the situation with TTP. The diversionary tactics employed were far too obvious.

Quote:Agreed there should have been SSL on the site.  That's why we told everyone up front there wasn't.  The only information submitted to us was the same info most online sellers have posted on their Website 'Contact Us' page...Name, address, phone number and email address. 

I am certain that you realize that that info is all that is required for identity theft. But, I am curious. You state that they ALL knew that they were at risk of ID theft, and that they agreed to this? If so, then that is another thing altogether.
If you did not explain the risk to them, then you are still wrong. I wouldn't have done it no matter if the others wished me to or not. I wouldn't be able to live with myself if something happened and someone's life was destroyed by an ID theft.

Quote:I personally have this information on every one of my sites, as well as on all of my domain registrations.

That isn't the point, Rat. That is your decision to make. However, if you made that decision for others, and if they did not understand the risks, you were wrong.

Quote:It's not like I posted pictures of someone else's children on the internet just so they would quit saying stuff about me.  So let's not even go down the 'ethical' path, ok?

Whose children? And who posted them? I really hope that you aren't inferring it was I. What a fool you are.
Come on Rat, bring it. Or do you plan to wait until both Sneaky and I are gone again. Just like a friggin' coward.
[quote author=BellisimaJ. link=topic=9139.msg71143#msg71143 date=1215400261]

Quote:Agreed there should have been SSL on the site.  That's why we told everyone up front there wasn't.  The only information submitted to us was the same info most online sellers have posted on their Website 'Contact Us' page...Name, address, phone number and email address. 

I am certain that you realize that that info is all that is required for identity theft. But, I am curious. You state that they ALL knew that they were at risk of ID theft, and that they agreed to this? If so, then that is another thing altogether.
If you did not explain the risk to them, then you are still wrong. I wouldn't have done it no matter if the others wished me to or not. I wouldn't be able to live with myself if something happened and someone's life was destroyed by an ID theft.

[/quote]

Actually, you do need a bit more than just a name, address, phone, and email to commit identity theft. Name, address, phone number... AT&T gives that info out. I can contact any member of any site and wait for their response to get their email address. That is freely available info. Where the concern lies is with "sensitive" information. We are talking SSN, credit cards, and even Paypal email addresses. The issue that PH, aSs, HB, and all the others in the list have is that these sites show selling history, and have Paypal email addresses stored on the site. That is all the info you need to commit identity theft with Paypal... if a thief has the dates products are paid for, then the public info becomes dangerous. But, without the "sensitive" information, the "public" information is useless to a thief.
There was nothing whatsoever on TTP that could not be found with a simple emailed question to the seller, and a quick followup in the phone book.
Does it mean it does not need SSL installed to register and use it? That is up to each user, but it will not lead to identity theft. If there is nothing to link sales to an account, then there is nothing to link into any payment system for a hacker. Without information that can be found in the auction sites, such as sales/payment dates, and a login email to a Paypal account, you can't commit ID theft with the info on TTP. But, you can with aSs, HB, Blujay, or any of the other sites without SSL that has all that info available.
[quote author=sneakymagenta link=topic=9139.msg71124#msg71124 date=1215387423]
why did you [TheTradersPost] choose a script with a history of security problems?
http://www.google.com/search?q=secunia+a...lassifieds&btnG=Search&hl=en&c2coff=1&safe=off&rls=GGGL%2CGGGL%3A2006-26%2CGGGL%3Aen&sa=2

The scriptmaker hasn't fixed a security problem which the US Government's US-CERT rates as "High Risk"
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5122

The security alert was issued in September 2007.  Why didn't you check the script's history before you bought it?

Quote:Overview

SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 10.0

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service

Anybody with access to Google could find the instructions for hacking the script because it is on the first page of search results for "softbiz classifieds".  Didn't you notice that 4 of the 10 results on page one of a Google search for the script pertain to the script's security problems???
Quote:Softbiz Classifieds PLUS (id) Remote SQL Injection Vulnerability      Archive
Classifieds SQL INJECTION #### #### BY IRCRASH #### ##################################################################################### # # #AUTHOR ...
www.milw0rm.com/exploits/4457

[/quote]

If you haven't done so already, I'd immediately delete the affected store_info.php file from your server because anyone could use that exploit to take full control of your server and all of the sites and databases on it.  The exploit code has been available on the web for nearly 9 months and it is a really easy vulnerability to take advantage of  (hence the 10.0 exploitability subscore).
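As an added illustration of the bug class the advisory above describes (constructed for this thread, not SoftBiz's actual store_info.php, which is not reproduced here): a lookup that pastes the id parameter into the query text, beside a hardened one that validates the value and binds it as a parameter, both run against a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Constructed sample rows standing in for a classifieds "stores" table.
SAMPLE_STORES = [
    (1, "Store One", "one@example.invalid"),
    (2, "Store Two", "two@example.invalid"),
    (3, "Store Three", "three@example.invalid"),
]


def make_db():
    """Build the throwaway in-memory database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO stores VALUES (?, ?, ?)", SAMPLE_STORES)
    return conn


def store_info_vulnerable(conn, raw_id):
    """The pattern behind an injectable id parameter: the request value is
    concatenated into the SQL, so anything in it becomes part of the WHERE clause."""
    sql = "SELECT id, name, email FROM stores WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def store_info_hardened(conn, raw_id):
    """Defensive version: the id must be a positive integer literal, and it is
    passed as a bound parameter so the database never treats it as SQL text."""
    if not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name, email FROM stores WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(store_info_vulnerable(db, "2"))         # the one intended row
    print(store_info_vulnerable(db, "0 OR 1=1"))  # every row: the WHERE clause was rewritten
    print(store_info_hardened(db, "2"))           # the one intended row
    try:
        store_info_hardened(db, "0 OR 1=1")
    except ValueError as err:
        print("rejected:", err)                   # malformed id never reaches the database
```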
xwpopper: I must have missed your response. Sorry.

Some of what you say is technically correct, however, id theft can be accomplished with the info on that site, and in fact, with less info.

Yes, many people permit easy access to that info, but that is their choice.

If you don't realize that you are putting yourself at risk , because the risks of a certain site owner's negligence have not been explained to you, that is not your choice.

Therein lies the difference.
TTP
SSL: minor security problem
SQL injection vulnerability: major security problem from day 1

Quote:Why didn't you check the script's history before you bought it?

rule #1: check SecurityFocus, Secunia, OSVDB, Packet Storm, US-CERT, etc before buying or installing any script
rule #2: never install a script that has an unpatched vulnerability
[quote author=jezebel link=topic=9139.msg71181#msg71181 date=1215536967]
TTP
SSL: minor security problem
SQL injection vulnerability: major security problem from day 1

Quote:Why didn't you check the script's history before you bought it?

rule #1: check SecurityFocus, Secunia, OSVDB, Packet Storm, US-CERT, etc before buying or installing any script
rule #2: never install a script that has an unpatched vulnerability
[/quote]

Lesson learned.  Problem removed and issue thereby resolved.
Quote:Stupidity is its own punishment.
