Identity X-File 0x00

Due to serious last-minute site issues, Dale & I ended up pulling an all-nighter (fuelled by a good bottle of port and a LOT of water) the Sunday before RSA, in order to get pamelaproject.com up, running, and stable. I ended up registering with a hastily-chosen web hosting company in the wee hours of the morning. Luckily I did not have to use the account right away, as Dale & I were pursuing parallel possibilities for site hosting, and Dale’s plan materialized before mine did. My heartfelt thanks to the Olds family for letting me hijack their home MythTV linux box for a week, it was a lifesaver🙂

Once the demos finished that Friday, I prepared to port my site over to what I hoped to be a long-term home for pamelaproject.com. When I clicked the web hosting administration link from the site email, however, I was *very* surprised to be taken to my administration page without being prompted for the password I’d given when I registered. This is what I saw:


Note the line in the above screen-shot that says:

“Page contain your password and account number – please do not share this page URL and never paste this link in public forums or in instant messages softwares”

So – just to confirm my worst fears, I went to the main page and clicked on the “client login” link — and here’s what I saw:

Yep, I had paid late-night desperation money to a company who uses two static elements to authenticate – username and account number. Not only that, they allow those static elements to be passed as query string elements of a URL, which once accessed, display my FTP account password in CLEAR TEXT!!! If these guys think that keeping such a URL out of IM and public BBs is enough to keep it from being discoverable, they are on crack.

Call me crazy, but I consider this kind of protection to be just a wee tad risky. I’m certainly not going to go to all sorts of trouble to build any kind of CardSpace infrastructure on top of this service, what would be the point? Sure, the transactions would be secure, but the foundation it was built on would be just hanging out there, ripe pickings for someone with the right skills. Thinking about all the ways to get hacked makes me feel panicked in general, but for the love of Pete, there’s no point in handing it to them on a silver platter…

As a result, this web hosting service has the dubious honor of becoming the first entry in the Identity X-Files. Nice work…

(BTW, pamelaproject.com has since found a permanent home, and it isn’t at the company above. Just in case you were wondering.)

~ by Pamela on 20 Feb 07.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: