Schneier on Security
A blog covering security and security technology.

November 24, 2005

Vote Someone Else's Shares

Do you own shares of a Janus mutual fund? Can you vote your shares through a website called vote.proxy-direct.com? If so, you can vote the shares of others. If you have a valid proxy number, you can add 1300 to the number to get another valid proxy number. Once entered, you get another person's name, address, and account number at Janus! You could then vote their shares too.

It's easy. Probably illegal. Definitely a great resource for identity thieves. Certainly pathetic.

Posted on November 24, 2005 at 10:41 AM • 41 Comments

Comments

I think this happens because security costs too much and many customers don't understand anything about security anyway. What's the difference to the customer whether you invested $10,000 or $10 on security? They don't know, so companies don't bother. To make the Internet more secure, we need to teach greater security awareness. Is it any surprise that this happens when most people still believe that 512-bit RSA is more secure than AES-256?

Posted by: Bill Gates at November 24, 2005 11:06 AM

But it says "Verisign Secure Site", so it must be secure, right? Right?

Posted by: Darren at November 24, 2005 11:26 AM

Even better, I can easily AUTOMATE the process of adding 1300 and then voting the shares. A little perl, a little curl, and voila.

Posted by: Otto Mat at November 24, 2005 11:52 AM

@ Bill

Most people *I* meet believe that 512-bit RSA and 256-bit AES are a bunch of gibberish letters and numbers that couldn't possibly concern them. These are the same people who don't know how to tweak the ROMs in their car's on-board computer to advance the spark and get better acceleration. But maybe we probably travel in different circles.

Posted by: Ungeek at November 24, 2005 12:01 PM

since janus is a two-headed god, it stands to reason that i could vote one way, advance 1300, look in the other direction and vote again. thank god i don't own any of this. happy thanksgiving!

Posted by: another_bruce at November 24, 2005 12:08 PM

This makes me worry about all the existing idiocies as yet undiscovered, and all the future idiocies not invented yet.

Posted by: Roy Owens at November 24, 2005 12:10 PM

The best part isn't just knowing how much they suck, it's reading about it here first. I'm glad you took the time to let the world know.

Posted by: Jacob Appelbaum at November 24, 2005 03:02 PM

what's the chances that Bruce will be sued under the DMCA?

Posted by: Ianal at November 24, 2005 03:24 PM

I don't know how widely reported this is. I would be surprised if this blog was being used to break security items like this. Do you have a reference site?

Posted by: Dylan at November 24, 2005 04:16 PM

"It's easy. Probably illegal. Definitely a great resource for identity thieves. Certainly pathetic."

*Chuckle*

Posted by: Mike at November 24, 2005 04:22 PM

Wonder if this works with any of the other (large number of) companies' proxy voting that they handle?...

Posted by: None at November 24, 2005 04:59 PM

From the help menu on the site:

"If this feature is supported you will see a text box titled Electronic Vote Confirmation. The system can send you an e-mail notifying you that your vote has been processed by the system and has been added to the total pool of votes for the campaign. Such notification is not sent immediately after submitting your voting instructions because it may take up to 72 hours to actually process them. IMPORTANT NOTE: We do not validate your supplied e-mail address in any way so make sure that you have entered it correctly. Also, e-Mail is not 100% reliable therefore we cannot guarantee that such confirmation will reach the specified destination."

So, you can enter an email address *at the time of voting*; if the email address was entered at the time of registration you would at least have an indication that somebody used your vote without your permission. And, why does it take 72 hours to process an electronic vote? Is the vote printed on paper and snailmailed to a processing office outsourced in Somewherestan?

Posted by: Kees at November 24, 2005 05:40 PM

So what will happen?

Posted by: Karsten W. Rohrbach at November 25, 2005 06:18 AM

Was there any effort to contact them before this was let out into the public?

Posted by: ARL at November 25, 2005 07:02 AM

ok kids, if you're gonna have fun today voting the shares of 20-30 other people, be sure to vote against the positions recommended by management. typically, management looks out for itself before anybody else.

Posted by: another_bruce at November 25, 2005 07:42 AM

America has become as bad as the government our colonial forefathers overthrew. Only traitors would allow this to happen: http://www.mixposure.com/song.php?songid=14027.

Posted by: DEAN BERRY -- REAL AMERICAN at November 25, 2005 08:02 AM

An example of a company highlighting that they are a Verisign Secured Site but forgetting that Application Security is just as/if not more important.

Posted by: CP at November 25, 2005 09:02 AM

Karsten: more likely they'll change it to 2600 to *double* the security.

Posted by: Kieran at November 25, 2005 11:15 AM

Yes 2600, that's a strong number in the history of computer and telephone security. I hope they do it until it hertz. *rim shot*

Posted by: Jacob Appelbaum at November 25, 2005 12:07 PM

"Was there any effort to contact them before this was let out into the public?"

Of course not. I just read the beginning of Bruce's homepage and figured out what he's all about. I wonder if he's in violation of his ISP's or web host's TOS. Some ISPs voluntarily filter out certain kinds of internet scum these days. Unfortunately, some large ones don't.

Posted by: Barry at November 25, 2005 11:05 PM

@barry

Posted by: another_bruce at November 26, 2005 08:07 AM

I remember reading recently about an ISP that won a lawsuit against the government by arguing that it can't block certain URLs. The government commented that if it can't, then it's not doing it the right way. That same article mentioned some other ISPs cooperating and blocking the URLs to avoid bad publicity, because they were the URLs of alleged child porn sites, or something like that. I have the worst luck trying to re-find stuff like this after hearing it for the first time. There was also a case in which a politician in the New York area wanted to sue a telephone company to get them to provide tracing of 800 numbers. I heard it on the news and figured I could find it on the internet, but I couldn't. Maybe someone else can confirm these things for me.

Posted by: Barry at November 26, 2005 09:18 AM

@barry

Posted by: another_bruce at November 27, 2005 09:25 AM

I didn't hear about any straw bogeymen being held up. It was all about child porn. Though if you consider all the other stuff that's online--the top post of this thread, for example--it's obvious that the problem with the internet isn't just kiddie porn. Since the ISPs were concerned about their image (as opposed to morality, unfortunately), I'm sure there are some who continue to block some websites without a court order. I never got the impression that they were legally required to do it before a law got overturned. With 800 numbers, it was the calls from 800 numbers that someone wanted the telephone company to provide tracing of. I forget whether there was a law proposed or just a court case.

Posted by: Barry at November 27, 2005 09:19 PM

Thanks for bringing the attention to more security in our lives...as for Janus...of course, people need to jump on old news ... nice to know that their performance this year is some of my investments are HOT!...much ado about nothing is my guess !!

Posted by: average joe at November 28, 2005 11:45 AM

@barry

Posted by: another_bruce at November 28, 2005 12:28 PM

It depends on how sure I am that something is wrong and illegal. I'd go out of my way to use an ISP that blocked things like Schneier's post. If enough ISPs did that, he'd be forced to notify Janus and give them time to fix things before writing about it. He wouldn't be as well known then, but that's the price you pay for doing what's right. Even if just one ISP did it, it could prevent fraud. Whether I'd block it if I were an ISP depends on what kind of infrastructure there was. I don't know how hard it would have been for Pennsylvania ISPs to sniff the pages served when they came from a certain host, to determine the website, or something similar, but I'd consider it, and I'd consider blocking all of a web host's pages. I think most web hosting services (if that's what you meant by "hosts") disallow such websites anyway. I wouldn't feel sorry for those who allow them, and unfortunately, their customers would have to make a sacrifice to keep things secure or kittie-porn-free.

Posted by: Barry at November 28, 2005 01:35 PM

Barry, as someone who has worked for an ISP I can tell your information is pretty far off base. This is further compounded by HTTP and web pages in general. An IP Address or Host can have as many websites on it as they want. In fact, most hosting companies use one box or a series of boxes to host thousands of websites (the specific term is "shared hosting"). If you were to get an ISP to block one address it wouldn't affect just www.kiddieporn.com, but every single customer linked to the web hosting company. This is why web hosting companies THEMSELVES have strict legal contracts that give them the authority to shut down any site deemed inappropriate by law. Any good hosting company scours every one of their web sites to make sure anything illegal isn't allowed or THEY get sued.

This is the same for hosting companies in China or other areas of the world where they must adhere to the law of the land they abide in. Now that you know who is responsible, maybe you can refine your knowledge to attack those who hold all the cards. Since nothing Bruce has done now is considered illegal based on the contract between him and his hosting company, you'll have a tough time trying to convince them to take it down. If you knew Bruce's articles in any way you would also understand that 98% of what is reported here is WIDESPREAD and something he gathered from a rather reliable source. Bruce isn't making this crap up nor is he the only one saying it.

Posted by: Jeremy Brayton at November 28, 2005 03:02 PM

The Proxy Direct™ trademark and the proxy-direct.com domain belong to Alamo Direct Mail Services, of Hauppauge, NY (www.alamodirect.com). Junk mail jockeys doing security ....

Posted by: Fennimore at November 28, 2005 05:19 PM

@ Kieran

> Karsten: more likely they'll change it to 2600 to *double* the security

(chuckle)

@ Jacob

> I hope they do it until it hertz. *rim shot*

*sfx: appreciative pun groan*

Posted by: Pat Cahalan at November 28, 2005 06:36 PM

@ Barry

> I just read the beginning of Bruce's homepage and figured out what he's all about.

Er, you should try reading more of the site before jumping to conclusions. There's 116 different search results for "disclosure", including this one: http://www.schneier.com/crypto-gram-0009.html#1

Which does a pretty good job of detailing the issues surrounding full disclosure. Quite frankly, in this particular case, it makes the most sense to publish this as widely as possible. Once this is published, there will be pressure to fix vote.proxy-direct.com or take it offline until they address this issue. Just contacting vote.proxy-direct.com and telling them that their security is laughable isn't going to necessarily produce results.

Posted by: Pat Cahalan at November 28, 2005 06:51 PM

"When you turn filtering on these routers, you get an ungodly amount of overhead...If you were to get an ISP to block one address it wouldn't affect just www.kiddieporn.com, but every single customer linked to the web hosting company"

I'd like the ISP in question to be checked out to determine how bad such a filter would be for business. There must be a reason when the government goes after an ISP as opposed to a web host. ISPs that can't handle the filter shouldn't exist, but I think they'd all be fine.

"Just contacting vote.proxy-direct.com and telling them that their security is laughable isn't going to necessarily produce results"

There are government agencies to report these things to, but a simple attempt to just contact the company via their form would be better than nothing. I'm no fan of any writer of a book that "the National Security Agency wanted never to be published." What a thing to brag about! I trust the government much more than the people I've seen gravitate towards people like Bruce Schneier and his writing.

Posted by: Barry at November 29, 2005 08:40 AM

@Barry

Secondly, the quote you picked was from Wired Magazine, not Bruce. As far as "Bruce Schneier and his writing"; if you were in the least bit educated about the topic at hand, you would know that the book to which the aforementioned quote refers, "Applied Cryptography", is frequently used as a textbook in CS programs. How many cryptography texts have you written?

Posted by: Anonymous at November 29, 2005 02:52 PM

@Barry

Posted by: RvnPhnx at November 30, 2005 08:53 AM

I'm the one who reported this issue to Bruce. I did so because I detected this issue about four years ago and reported it directly to Janus at that time. Nothing changed. I reported it again to Janus, Proxy Vote, and Verisign recently. I got zero response. Therefore, it seemed appropriate to broadcast the issue to apply pressure to get it resolved.

What government agency should I report it to also?

Posted by: William_K_F at November 30, 2005 03:17 PM

William: I'd try reporting it to http://www.sec.gov/complaint.shtml but it sounds like you reported it to the right companies. I also might try looking for particular people within the company who are involved with security and snail mail each of them a letter, but that shouldn't be necessary. Someone who's not hiding and reports this thread to the companies you mentioned would presumably receive a reply from at least one of them. They surely care about this. One problem might be that you're the hacker and people are reluctant to thank someone who breaks their security and views the private information of others. It's probably illegal too. Maybe they set up a system to try to catch people like you. Things should be set up and laws should be made to make that easier. As for the anti-government rant, I believe that terrorists and other criminals are fans of Schneier more than of the U.S. government, and they have good reason to be. I'm not.

Posted by: Barry at December 3, 2005 06:06 AM

In a similar situation, Colorado in 2002 went to a web-based corporation annual report filing system. Unfortunately, it had absolutely NO authentication! Anyone could go to their web site and file, albeit a false, annual report for ANY Colorado-registered corporation. I sent a gaggle of CO officials numerous complaints and NOTHING happened. As far as I know it is still this way. I surmise that this kind of gaping hole is more common than everyone realizes.

Posted by: rich at December 16, 2005 01:44 AM

@barry,

Another ISP employee here. I work at an ISP that has a grand total of 7 employees and barely scrape by. We have some nice servers, and some good routers, and we have some not as good routers and not as good servers. I can tell you right now that as an ISP we could provide this service to the detriment of other services.

We could perhaps join a black list that took care of administration overhead. That might make it feasible on an administration level. However this would essentially derail our customers out to china. We do not agree with censorship, especially in cases such as this where it truly is a public security issue. This is not an "I don't think 10 year olds should pose naked on the interweb". This is a "You are a customer, they have had this security issue for 4 years, you need to know about this because you are being defrauded." Barry, if this is something that really tears you up, I'm sure there are ISPs out there that filter reasonable security posts. Or you could even go through the trouble of filtering pages yourself with a decent router or host file. But in regards to the free movement of information and the principles that have built the web and made it what it is today, what you're suggesting is internet suicide.

~Anders

Posted by: Anders at December 18, 2005 08:28 PM
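The flaw in the post is a proxy control number that is predictable and, on its own, unlocks another holder's name, address and account. The following Python is an added illustration, not code from the post or from Janus, Proxy Direct or Verisign: it contrasts a registry that issues numbers at a fixed stride with one that issues unguessable, account-bound numbers redeemed only together with a second piece of account knowledge, and it flags sources that present many distinct numbers in an access log. The account records, the ZIP check, the starting number and the log lines are all constructed; only the stride of 1300 comes from the post.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample shareholder ledger: account id -> holder record.
# Names, ZIP codes and share counts are placeholders, not real data.
ACCOUNTS = {
    "A-1001": {"name": "Holder One", "zip": "10001", "shares": 120},
    "A-1002": {"name": "Holder Two", "zip": "10002", "shares": 75},
    "A-1003": {"name": "Holder Three", "zip": "10003", "shares": 40},
}


class SequentialProxyRegistry:
    """The weak pattern the post describes: control numbers are issued at a
    fixed stride, so any one valid number reveals its neighbours. The start
    value is constructed; the post reports a gap of 1300 between numbers."""

    def __init__(self, start=5000, stride=1300):
        self._next = start
        self._stride = stride
        self._by_number = {}

    def issue(self, account_id):
        number = self._next
        self._next += self._stride
        self._by_number[number] = account_id
        return number

    def redeem(self, number):
        # Possession of the number is the only check: whoever types a valid
        # number gets that holder's account, which is the defect in the post.
        return self._by_number.get(number)


class TokenProxyRegistry:
    """Hardened pattern: a 128-bit random control number bound to one account,
    redeemed only together with a second piece of account knowledge (here the
    ZIP on file), so a guessed or leaked number alone exposes nothing."""

    def __init__(self):
        self._by_token = {}

    def issue(self, account_id):
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._by_token[token] = account_id
        return token

    def redeem(self, token, zip_code):
        account_id = self._by_token.get(token)
        if account_id is None:
            return None
        # Constant-time comparison so the check does not leak partial matches.
        if not hmac.compare_digest(ACCOUNTS[account_id]["zip"], zip_code):
            return None
        return account_id


# Constructed access log: "<timestamp> <source-ip> <control-number> <result>".
# 203.0.113.5 presents five different numbers within minutes; the other
# source presents one, which is what a genuine shareholder looks like.
SAMPLE_LOG = [
    "2005-11-24T10:41:03 203.0.113.5 5000 ok",
    "2005-11-24T10:41:41 203.0.113.5 6300 ok",
    "2005-11-24T10:42:10 203.0.113.5 7600 ok",
    "2005-11-24T10:42:55 203.0.113.5 8900 denied",
    "2005-11-24T10:43:20 203.0.113.5 10200 ok",
    "2005-11-24T10:45:00 198.51.100.7 11500 ok",
]


def flag_enumeration(log_lines, max_distinct=3):
    """Return the sources that presented more than max_distinct distinct
    control numbers. Because each number in the weak scheme is valid, failed
    lookups are not the signal; the count of different numbers per source is."""
    numbers_by_source = defaultdict(set)
    for line in log_lines:
        _ts, source, number, _result = line.split()
        numbers_by_source[source].add(number)
    return sorted(src for src, nums in numbers_by_source.items()
                  if len(nums) > max_distinct)


if __name__ == "__main__":
    weak = SequentialProxyRegistry()
    first = weak.issue("A-1001")
    weak.issue("A-1002")
    print("sequential: next number resolves to", weak.redeem(first + 1300))
    strong = TokenProxyRegistry()
    tok = strong.issue("A-1001")
    print("token: right ZIP ->", strong.redeem(tok, "10001"),
          "| wrong ZIP ->", strong.redeem(tok, "99999"))
    print("sources walking control numbers:", flag_enumeration(SAMPLE_LOG))
```

The token registry is the fix for the defect itself; the log check is the compensating control a site operator can run today, since a household votes a handful of proxies at most and a source cycling through many numbers stands out regardless of whether each lookup succeeds.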
Powered by Movable Type 3.2. Photo at top by Steve Woit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane. |