Here is a beautiful example of poking around inside an application to gather what would otherwise be proprietary data. John Graham-Cumming has hacked the social bookmarking application Digg to discover how many registered users it has. He noticed that the HTML associated with each user contains the date they signed up and a unique user ID, and he pretty convincingly argues that the ID is sequential and therefore reveals the number of users on that date. Clever. And potentially very damaging to the owners of Digg, who may be involved in valuation exercises with potential investors and may have other ways of telling their story. In other words, through an oversight they have left themselves vulnerable to a hacker who revealed confidential information.
Lesson learned: Question every sequential assignment of user IDs, whether they are exposed or not. It costs nothing at the beginning to code up a simple hash algorithm to obfuscate sequential data.
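As an added illustration of that lesson (example code written for this post, not John Graham-Cumming's analysis and not anything from Digg), the block below shows the one caveat worth knowing before reaching for "a simple hash": an unkeyed hash of a small integer space can be reversed by recomputing it for every plausible ID, so the obfuscation has to be keyed (an HMAC with a server-side secret) or the public identifier has to be random and simply looked up. The secret key and the in-memory store are constructed for the demo and are assumptions, not anything the application in the post uses.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: a server-side secret that never reaches the browser.
# Constructed for this demo; a real deployment keeps it in a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def unkeyed_hash_id(internal_id: int) -> str:
    """The naive 'simple hash' approach: sha256 of the sequential id.

    Shown only to demonstrate why it is not enough on its own.
    """
    return hashlib.sha256(str(internal_id).encode()).hexdigest()[:16]


def recover_from_unkeyed(observed: str, max_id: int) -> Optional[int]:
    """Why the naive approach fails: anyone who knows the scheme can recompute
    the hash for ids 1..max_id and match it, recovering the sequence number
    (and with it the user count) the hash was supposed to hide."""
    for candidate in range(1, max_id + 1):
        if unkeyed_hash_id(candidate) == observed:
            return candidate
    return None


def keyed_public_id(internal_id: int, key: bytes = SECRET_KEY) -> str:
    """Keyed obfuscation: HMAC-SHA256 over the sequential id, truncated to
    12 bytes and URL-safe base64 encoded (16 characters, no padding).

    Stable for a given id and key, so it can be used in URLs and HTML just
    like the original number, but without the key an observer cannot rebuild
    the table that recover_from_unkeyed relies on.
    """
    mac = hmac.new(key, str(internal_id).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode()


class RandomIdRegistry:
    """The alternative: never derive the public id from the sequence at all.

    Each user gets a random token at signup and the application keeps the
    mapping. Constructed in-memory store; a real system persists this table.
    """

    def __init__(self) -> None:
        self._public_to_internal: Dict[str, int] = {}
        self._internal_to_public: Dict[int, str] = {}

    def register(self, internal_id: int) -> str:
        if internal_id in self._internal_to_public:
            return self._internal_to_public[internal_id]
        token = secrets.token_urlsafe(12)
        while token in self._public_to_internal:  # vanishingly rare collision
            token = secrets.token_urlsafe(12)
        self._public_to_internal[token] = internal_id
        self._internal_to_public[internal_id] = token
        return token

    def lookup(self, token: str) -> Optional[int]:
        return self._public_to_internal.get(token)


if __name__ == "__main__":
    # Constructed sample: the 4321st account ever created.
    leaked = unkeyed_hash_id(4321)
    print("plain hash recovered as id:", recover_from_unkeyed(leaked, 10_000))
    print("keyed public id:", keyed_public_id(4321))
    registry = RandomIdRegistry()
    tok = registry.register(4321)
    print("random token:", tok, "->", registry.lookup(tok))
```

The keyed variant keeps the convenience of a deterministic identifier; the random variant costs a lookup table but leaks nothing even if the key handling is ever sloppy. Either way, the number that drives the valuation story never appears in the page source.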
From the Customer Support Rant Desk.
OK, this is totally unrelated to security but I think once in a while I should be forgiven if I use my blog to rant a bit. Everybody else gets to write about their seedy hotel experiences and nightmare help desk calls, why can't I?
First the good: I got a note from SecondLife a few weeks ago notifying me that they had dinged my credit card for my automatic annual renewal. While SecondLife is very cool, my foray into using it as a way to reach a greater audience in security was a complete bust. I talked a friend into creating a Virtual Trade Show in SecondLife to run simultaneously with the RSA Security Conference last year. He sent out announcements to 600 marketing people at security vendors. Number of responses asking for more info? Zero. Not a single person. So, too early for them, and I never took the SecondLife stuff further. When I got the notice that they had billed me I thought "oh no, here we go" as I opened a trouble ticket. Was this going to be as bad as AOL in their hyped-up Ponzi scheme days, when people had to cancel credit cards in order to unsubscribe? I even used my full signature with this blog address in an unabashed attempt to threaten all of my blogger's wrath and public invective if they did not get my money back. Next day I get a response: "Your problem is fixed". They refunded my money! No questions asked, just "OK, here you go, no problem". Now that is customer service, and I owe the folks at Linden Lab this tribute in my blog. As soon as I get a better laptop I'll be back!
Now the bad: Blockbuster Video. This past weekend my son and I rented a couple of videos. (I know, I know, how 1995.) One of them was scratched. You know how frustrating it is to queue up a video, sit through all of the stupid warnings and previews, and get through the opening credits only to have a DVD freeze up on you? And when I tell you this was Curse of the Golden Flower, you will remember just how riveting that opening scene is. It was too late to return the scratched CD, so I took it in to the Blockbuster store the next day. I politely told the guy behind the counter that I was returning a defective DVD and would like a credit to my account. He got the manager, who informed me that they could not do that. All they could do was replace the defective DVD. "But this is Monday, and my son is not with me this week. How can we watch it now?" "Sorry, sir" was all I got. I was steamed; what could I say? I said the only thing I could: "Well, I guess you just created another NetFlix customer" and stomped out.
Last night I signed up for NetFlix and my wife and I sat on the couch and watched The Remains of the Day as it downloaded. The experience was incredible. This is the future. Goodbye Blockbuster. Forever.