Schneier on Security
A blog covering security and security technology.
« Twofish Cryptanalysis Rumors |
| Hoofnagle's Consumer Privacy Top 10 »
November 24, 2005
Vote Someone Else's Shares
Do you own shares of a Janus mutual fund? Can you vote your shares through a website called vote.proxy-direct.com? If so, you can vote the shares of others.
If you have a valid proxy number, you can add 1300 to the number to get another valid proxy number. Once entered, you get another person's name, address, and account number at Janus! You could then vote their shares too.
Definitely a great resource for identity thieves.
Posted on November 24, 2005 at 10:41 AM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think this happens because security costs too much and many customers don't understand anything about security anyway. What's the diffrence to the customer whether you invested $10,000 or $10 on security? They don't know, so companies don't bother. To make the Internet more secure, we need to teach greater security awareness. It is any suprise that this happens when most people still believe that 512 bit RSA is more secure than AES-256?
But it says "Verisign Secure Site", so it must be secure, right? Right?
Even better, I can easily AUTOMATE the process of adding 1300 and then voting the shares.
A little perl, a little curl, and voila.
>It is any suprise that this happens when most people still believe that 512 bit RSA is more secure than AES-256?
Most people *I* meet believe that 512-bit RSA and 256-bit AES are a bunch of gibberish letters and numbers that couldn't possibly concern them. These are the same people who don't know how to tweak the ROMs in their car's on-board computer to advance the spark and get better acceleration.
But maybe we probably travel in different circles.
since janus is a two-headed god, it stands to reason that i could vote one way, advance 1300, look in the other direction and vote again. thank god i don't own any of this. happy thanksgiving!
This makes me worry about all the existing idiocies as yet undiscovered, and all the future idiocies not invented yet.
The best part isn't just knowing how much they suck, it's reading about it here first. I'm glad you took the time to let the world know.
what's the chances that Bruce will be sued under the DMCA?
How is this breaking the DMCA?
I don't know how widely reported this is. I would be surprised if this blog was being used to break security items like this. Do you have a reference site?
Definitely a great resource for identity thieves.
Wonder if this works with any of the other (large number of) companies' proxy voting that they handle?...
From the help menu on the site:
"If this feature is supported you will see a text box titled Electronic Vote Confirmation. The system can send you an e-mail notifying you that your vote has been processed by the system and has been added to the total pool of votes for the campaign. Such notification is not sent immediately after submitting your voting instructions because it may take up to 72 hours to actually process them.
If you wish to receive such confirmation, please enter a valid e-mail address into the textbox.
IMPORTANT NOTE: We do not validate your supplied e-mail address in any way so make sure that you have entered it correctly. Also, e-Mail is not 100% reliable therefore we cannot guarantee that such confirmation will reach the specified destination."
So, you can enter an email address *at the time of voting*; if the email address was entered at the time of registration you would at least have an indication that somebody used your vote without your permission.
And, why does it take 72 hours to process an electronic vote? Is the vote printed on paper and snailmailed to a processing office outsourced in Somewherestan?
So what will happen?
Probably they'll change the magic number to 1301 and move on... *sigh*
Was there any effort to contact them before this was let out into the public?
ok kids, if you're gonna have fun today voting the shares of 20-30 other people, be sure to vote against the positions recommended by management. typically, management looks out for itself before anybody else.
An example of a company highlighting that they are a Verisign Secured Site but forgetting that Application Security is just as/if not more important.
Karsten: more likely they'll change it to 2600 to *double* the security.
Yes 2600, that's a strong number in the history of computer and telephone security. I hope they do it until it hertz. *rim shot*
"Was there any effort to contact them before this was let out into the public?"
Of course not. I just read the beginning of Bruce's homepage and figured out what he's all about. I wonder if he's in violation of his ISP's or web host's TOS. Some ISPs voluntarily filter out certain kinds of internet scum these days. Unfortunately, some large ones don't.
your statement that some isp's voluntarily filter out certain kinds of "internet scum" these days is false. an isp is a common carrier of information; under the law it is immune from liability for the information it transmits **just so long as it exercises no editorial or censorship functions**. it can only be forced to act in certain instances upon receipt of a complaint. why don't you complain to his isp and report back to us with the results? **smirks**
I remember reading recently about an ISP that won a lawsuit against the government by arguing that it can't block certain URLs. The government commented that if it can't, then it's not doing it the right way.
That same article mentioned some other ISPs cooperating and blocking the URLs to avoid bad publicity, because they were the URLs of alleged child porn sites, or something like that.
I have the worst luck trying to re-find stuff like this after hearing it for the first time. There was also a case in which a politician in the New York area wanted to sue a telephone company to get them to provide tracing of 800 numbers. I heard it on the news and figured I could find it on the internet, but I couldn't. Maybe someone else can confirm these things for me.
yes, pennsylvania had a law requiring isp's, upon notice from the state attorney general, to block sites deemed by the ag to be child porn. the isp's argued that they couldn't block individual sites, just whole swaths of sites sharing the same host, and the ag, one of those rare lawyers who is apparently also an expert in technology, told them they weren't doing it right. some other isp's apparently knuckled under, until the federal court declared the law to be an unconstitutional infringement of free speech and interstate commerce, thwarting once again the censorious bluenoses who are so concerned about what free people might be viewing in private on their computers. i'm not into child porn, but i am into civil rights and i'm on the side opposite from the moralists who continually hold up child porn as a straw bogeyman to justify wholesale speech restrictions.
as far as tracing 800 numbers, if you're referring to calls made to those numbers, they're all traceable through automatic number identification. you cannot block identification of your number in a call to an 800 number the same way you can with calls to other area codes, so if you're making a sensitive call and don't want to be identified, use a pay phone and wear enough of a disguise to thwart surveillance cams.
I didn't hear about any straw bogeymen being held up. I was all about child porn. Though if you consider all the other stuff that's online--the top post of this thread, for example--it's obvious that the problem with the internet isn't just kiddie porn.
Since the ISPs were concerned about their image (as opposed to morality, unfortunately), I'm sure there are some who continue to block some websites without a court order. I never got the impression that they were legally required to do it before a law got overturned.
With 800 numbers, it was the calls from 800 numbers that someone wanted the telephone company to provide tracing of. I forget whether there was a law proposed or just a court case.
Thanks for bringing the attention to more security in our lives...as for Janus...of course, people need to jump on old news ... nice to know that there performance this year is some of my investments are HOT!...much too do about nothing is my guess !!
i for one am not interested in having an isp with a moral sense determining which content is appropriate for me to view. your initial post suggested that bruce schneier's revelation of the janus thing was somehow improper. if you ran an isp, would you have blocked this content from your subscribers?
It depends on how sure I am that something is wrong and illegal. I'd go out of my way to use an ISP that blocked things like Schneier's post. If enough ISPs did that, he'd be forced to notify Janus and give them time to fix things before writing about it. He wouldn't be as well known then, but that's the price you pay for doing what's right. Even if just one ISP did it, it could prevent fraud.
Whether I'd block it if I were an ISP depends on what kind of infrastructure there was. I don't how hard it would have been for Pennsylvania ISPs to sniff the pages served when they came from a certain host, to determine the website, or something similar, but I'd consider it, and I'd consider blocking all of a web host's pages. I think most web hosting services (if that's what you meant by "hosts") disallow such websites anyway. I wouldn't feel sorry for those who allow them, and unfortunately, their customers would have to make a sacrafice to keep things secure or kittie-porn-free.
Barry, as someone who has worked for an ISP I can tell your information is pretty far off base.
An ISP's main function is to simply transfer traffic from one network to another through a series of routers. These routers have an OS on them that in almost every case is VERY BASIC. When you turn filtering on these routers, you get an ungodly amount of overhead which makes ALL OTHER TRAFFIC SUFFER. Since ISPs have a monetary obligation to their customers (and in almost every case, an agreement of service) they're not typically inclined to inspect ALL TRAFFIC to make sure every single customer is doing what they should. Now if a specific customer is complaining about something illegal WITHIN THEIR NETWORK, then they have an obligation to do something about it.
This is further compounded by HTTP and web pages in general. An IP Address or Host can have as many websites on it as they want. In fact, most hosting companies use one box or a series of boxes to host thousands of websites (the specific term is "shared hosting"). If you were to get an ISP to block one address it wouldn't affect just www.kiddieporn.com, but every single customer linked to the web hosting company. This is why web hosting companies THEMSELVES have strict legal contracts that give them the authority to shut down any site deemed inappropriate by law. Any good hosting company scours every one of their web sites to make sure anything illegal isn't allowed or THEY get sued. This is the same for hosting companies in China or other areas of the world where they must adhere to the law of the land they abide in.
Now that you know who is responsible, maybe you can refine your knowledge to attack those who hold all the cards. Since nothing Bruce has done now is considered illegal based on the contract between him and his hosting company, you'll have a tough time trying to convince them to take it down. If you knew Bruce's articles in any way you would also understand that 98% of what is reported here is WIDESPREAD and something he gathered from a rather reliable source. Bruce isn't making this crap up nor is he the only one saying it.
The Proxy Direct™ trademark and the proxy-direct.com domain belong to Alamo Direct Mail Services, of Hauppauge, NY (www.alamodirect.com).
Junk mail jockeys doing security ....
> Karsten: more likely they'll change it to 2600 to *double* the security
> I hope they do it until it hertz. *rim shot*
*sfx: appreciative pun groan*
> I just read the beginning of Bruce's homepage and figured out what he's all about.
Er, you should try reading more of the site before jumping to conclusions. There's 116 different search results for "disclosure", including this one:
Which does a pretty good job of detailing the issues surrounding full disclosure.
Quite frankly, in this particular case, it makes the most sense to publish this as widely as possible. Once this is published, there will be pressure to fix vote.proxy-direct.com or take it offline until they address this issue.
Just contacting vote.proxy-direct.com and telling them that their security is laughable isn't going to necessarily produce results.
"When you turn filtering on these routers, you get an ungodly amount of overhead...If you were to get an ISP to block one address it wouldn't affect just www.kiddieporn.com, but every single customer linked to the web hosting company"
I'd like the ISP in question to be checked out to determine how bad such a filter would be for business. There must be a reason when the government goes after an ISP as opposed to a web host. ISPs that can't handle the filter shouldn't exist, but I think they'd all be fine.
"Just contacting vote.proxy-direct.com and telling them that their security is laughable isn't going to necessarily produce results"
There are government agencies to report these things to, but a simple attempt to just contact the company via their form would be better than nothing.
I'm no fan of any writer of a book that "the National Security Agency wanted never to be published." What a thing to brag about! I trust the government much more than the people I've seen gravitate towards people like Bruce Schneier and his writing.
What are you going on about? First, you don't know if Bruce did or did not inform proxy-direct of their security problem. Since you assume that he did not, I will assume you have a hidden agenda and cannot be trusted. See, you're learning about security already.
Secondly, the quote you picked was from Wired Magazine, not Bruce. As far as "Bruce Schneier and his writing"; if you were in the least bit educated about the topic at hand, you would know that the book to which the beforementioned quote refers, "Applied Cryptography", is frequently used as a textbook in CS programs. How many crytography texts have you written?
#1 You have no idea what you are talking about. Please spare us the "it must be illegal somewhere," and the "it should be filtered [because somebody somewhere might not like it]" crap.
#2 Trusting in "established power figures" NEVER leads to increased saftey from things that those power figures either have a role in perpetuating, are not affected by, or DON'T HEAR ENOUGH COMPLAINTS ABOUT TO CARE ABOUT FIXING. This is where widely respected folk like Bruce Schneier (whom publicize those things that really should be getting attention and make note of those that really shouldn't) come in.
#3 Please put away the talking points you're reading from (whatever uniformed moron/scaremonger wrote them, I really don't care) and leave us alone.
(It is worth noting that all things in quotes in this post are to be taken as exemplars and not as exact quotes...)
I'm the one who reported this issue to Bruce.
I did so because I detected this issue about four years ago and reported it directly to Janus at that time.
I reported it again to Janus, Proxy Vote, and Verisign recently.
I got zero response.
Therefore, it seemed appropriate to broadcast the issue to apply pressure to get it resolved.
What government agency should I report it to also?
William: I'd try reporting it to http://www.sec.gov/complaint.shtml but it sounds like you reported it to the right companies. I also might try looking for particular people within the company who are involved with security and snail mail each of them a letter, but that shouldn't be necessary.
Someone who's not hiding and reports this thread to the companies you mentioned would presumable recieve a reply from at least one of them. They surely care about this.
One problem might be that you're the hacker and people are reluctant to thank someone who breaks their security and views the private information of others. It's probably illegal too. Maybe they set up a system to try to catch people like you. Things should be set up and laws should be made to make that easier.
As for the anti-government rant, I believe that terrorists and other criminals are fans of Schneier more than of the U.S. government, and they have good reason to be. I'm not.
In a similar situation, Colorado in 2002 went to a web-based corporation annual report filing system. Unfortunately, it had absolutely NO authentication! Anyone could go to their web site and file, albeit a false, annual report for ANY Colorado-registered corporation. I sent a gagle of CO officials numerous complaints and NOTHING happened. As far as I know it is still this way. I surmise that this kind of gaping hole is more common than everyone realizes.
Another ISP employee here. I work at an ISP that has a grand totaly of 7 employees and barely scrape by. We have some nice servers, and some good routers, and we have some not as good routers and not as good servers. I can tell you right now that as an ISP we could provide this service to the detriment of other services. We could perhaps join a black list that took care of administration overhead. That might make it feasible on an administration level.
However this would essentialy derail our customers out to china. We do not agree with cencorship, especialy in cases such as this where it truely is a public security issue. This is not an "I don't think 10 year olds should pose naked on the interweb". This is a "You are a customer, they have had this security issue for 4 years, you need to know about this becuase you are being defrauded."
Barry, if this is something that really tears you up, I'm sure there are ISP's out there that filter reasonable security posts. Or you could even go through the trouble of filtering pages your self with a decent router or host file. But in regards to the free movement of information and the principles that have built the web and made it what it is to day, what your suggesting is internet suicide.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.