
The all new and only slightly recycled off topic thread (read post 1)


Comments

  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec


    Tina Turner was on the other night with a 2008 concert.

    69 at the time, she still had some figure!


  • Registered Users, Registered Users 2 Posts: 12,870 ✭✭✭✭mfceiling


    awec wrote: »
    Tina Turner was on the other night with a 2008 concert.

    69 at the time, she still had some figure!

    You were or she was?


  • Closed Accounts Posts: 1,459 ✭✭✭Molester Stallone II


    mfceiling wrote: »
    They're all the same size on their back!!

    Christ that sounded creepy...even worse was the fact I typed it.

    Ah, I was going to reply, but mine would get me a perma ban :)


  • Registered Users, Registered Users 2 Posts: 30,308 ✭✭✭✭.ak


    You are, without doubt, the creepiest bunch of lads I know.


    Well done.


  • Registered Users, Registered Users 2 Posts: 6,320 ✭✭✭Teferi


    Super star dogs on RTE one. Absolute poison.


  • Moderators, Science, Health & Environment Moderators Posts: 18,219 Mod ✭✭✭✭CatFromHue


    It's on for an hour too, bizarre thinking to make the show in the first place.


  • Closed Accounts Posts: 1,459 ✭✭✭Molester Stallone II


    Teferi wrote: »
    Super star dogs on RTE one. Absolute poison.

    Jordan and Georgia Salpa is it?


  • Registered Users, Registered Users 2 Posts: 12,870 ✭✭✭✭mfceiling


    Jordan and Georgia Salpa is it?

    I wouldn't class Salpa as a dog...

    Georgia-Salpa-9.jpg


    Jordan however...

    r-KATIE-PRICE-large570.jpg


  • Closed Accounts Posts: 1,459 ✭✭✭Molester Stallone II


    Met her once and I can honestly say every time she opened her mouth I expected her to go woof


  • Registered Users, Registered Users 2 Posts: 12,870 ✭✭✭✭mfceiling


    Darts final anyone?

    One word...holysh*t!!


  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec


    Trying to sleep the night before going back to work after two weeks off is going to be difficult.

    Two weeks of drinking, eating and staying up to stupid o'clock.

    Right now my body screams BEER and I'm screaming SLEEP. :D


  • Registered Users, Registered Users 2 Posts: 30,308 ✭✭✭✭.ak


    awec wrote: »
    Trying to sleep the night before going back to work after two weeks off is going to be difficult.

    Two weeks of drinking, eating and staying up to stupid o'clock.

    Right now my body screams BEER and I'm screaming SLEEP. :D

    Ditto. I've been sleeping in till 10 or 11 every day after a few beers... Gonna be hell tomorrow!


  • Moderators, Music Moderators Posts: 6,524 Mod ✭✭✭✭dregin




  • Registered Users, Registered Users 2 Posts: 12,870 ✭✭✭✭mfceiling


    I've 3 gits to try and get up for school in the morning. They only went to sleep about 20 mins ago and are used to getting up at 9 every morning!! 7 bells will be good value in this house in the morning!!

    Seems that 1 has stayed awake, probably for the craic like. War in this gaff in the morning.


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan




  • Registered Users, Registered Users 2 Posts: 30,308 ✭✭✭✭.ak


    Amateur hour.


  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec



    Yea saw that earlier, real bad.

    17 months unfixed too, which is shocking. That's a priority 0 bug, the sort where you get people out of bed and turn things off until it's fixed.

    Also: they say your info has always been safe which is balls. They have no way of knowing if anyone else figured this out who instead of warning them used it to grab huge amounts of their data. All that person would have to do would be to stagger their requests so as not to show up on any monitoring that they presumably don't even have anyway.


  • Registered Users, Registered Users 2 Posts: 30,308 ✭✭✭✭.ak


    Well the issue there is it isn't a bug. It's a totally lazy way of trying to secure the access. You'd imagine because they got someone under qualified or in-house to do it and they're not willing to shell out to have someone re-build it from the ground up, nor pull the server access in the meantime as it'd accrue in loss of revenue.

    I'd say the equivalent of the DP guys over there would slap them with a heavy fine though, so you'd wonder if it's even worth that.


  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec


    There are legal standards that you have to adhere to if you store customer credit card data. There is a three letter acronym for it that I forget, but before you can legally store credit card data you have to have it.

    This sort of design would presumably not meet that criteria, or even close.


  • Registered Users, Registered Users 2 Posts: 6,207 ✭✭✭durkadurka


    awec wrote: »
    There are legal standards that you have to adhere to if you store customer credit card data. There is a three letter acronym for it that I forget, but before you can legally store credit card data you have to have it.

    This sort of design would presumably not meet that criteria, or even close.

    PCI?


  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec


    durkadurka wrote: »
    PCI?

    YES! That's the one! :)


  • Registered Users, Registered Users 2 Posts: 6,207 ✭✭✭durkadurka


    It's a pain in the neck but the reputational damage caused by a data leakage is nasty


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    PCI is a complete pain in the neck, it's completely arbitrarily accredited despite being fairly well defined, but at least it gives some basic guidelines. Would have been pretty useful if the Moonpig guys had been aware of it.

    I'd like to assume they kept the rest of the card details encrypted at least...


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    PCI is a complete pain in the neck, it's completely arbitrarily accredited despite being fairly well defined, but at least it gives some basic guidelines. Would have been pretty useful if the Moonpig guys had been aware of it.

    I'd like to assume they kept the rest of the card details encrypted at least...

    Yeah from reading it they have. You'll get nowhere with the last 4 digits. Sure credit card receipts generally have those too.

    What's most amusing is that technically that Moonpig tweet is accurate. The password information and card information are safe. Despite the fact that it's ridiculously poor data security. In other words "They can't get your password or your card number, but they can get pretty much everything else".

    It's also scary how lax a lot of companies are when it comes to data confidentiality. Most are well up on the financial stuff, but when it comes to contact details etc there are so many that don't even consider them in terms of data protection.


  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec


    Well, is your card information really safe if someone can place orders on your account?

    I mean, they can't get your full card number, but they can still spend your money!


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    molloyjh wrote: »
    Yeah from reading it they have. You'll get nowhere with the last 4 digits. Sure credit card receipts generally have those too.

    I'll stop you right there, you'll get everywhere with the information available. The customer IDs were sequential and all customer info was accessible by making API requests against the IDs.

    So all you need to do is create a script that will query the API consecutively adding 1 to the customer ID number each time, and save all of the output to a database. Then also query each of those customer ID numbers for the card info. You will then have a list of every customer in their database, including: Full Name, Residential Address, Email Address, Last 4 Card digits, Expiry Date of Card, Birthday, Anniversary.

    Then you have a huge amount of options (some basic social engineering will give you access to some email accounts for example...)
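
Added example, not part of the thread or of any site's own code: a defender-side check for the pattern discussed above, where one client walks sequential customer IDs slowly enough to stay under rate-based monitoring. The log format, the `/api/customers/<id>` path and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line shape: "<ISO timestamp> <client IP> GET /api/customers/<id>"
LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/customers/(\d+)$")

def build_sample_log():
    """Constructed log lines: two ordinary clients and one slow sequential walker."""
    lines = []
    for hour in range(8):  # one new customer ID per hour: invisible to a per-minute rate limit
        lines.append(f"2015-01-05T{hour + 1:02d}:00:00 198.51.100.9 GET /api/customers/{2000 + hour}")
    for minute in range(5):  # frequent requests, but always for the same record
        lines.append(f"2015-01-05T09:{minute:02d}:00 203.0.113.7 GET /api/customers/1001")
    lines.append("2015-01-05T10:00:00 192.0.2.44 GET /api/customers/1500")
    lines.append("2015-01-05T10:05:00 192.0.2.44 GET /api/customers/1502")
    return lines

def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... within a set of integers."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n is the start of a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def find_enumerators(lines, max_distinct_ids=3, min_run=4):
    """Flag clients by how many different customer IDs they touch, not by request rate."""
    seen = defaultdict(set)
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, cust_id = m.groups()
        seen[client].add(int(cust_id))
        times[client].append(datetime.fromisoformat(ts))
    findings = {}
    for client, ids in seen.items():
        run = longest_consecutive_run(ids)
        if len(ids) > max_distinct_ids or run >= min_run:
            span = max(times[client]) - min(times[client])
            findings[client] = {"distinct_ids": len(ids), "longest_run": run,
                                "span_hours": span.total_seconds() / 3600}
    return findings

if __name__ == "__main__":
    for client, info in find_enumerators(build_sample_log()).items():
        print(client, info)
```

Detection like this only shortens the time to notice; the fix for the flaw itself is for the API to check that the authenticated caller owns the requested customer ID.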


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    They could also use the last 4 numbers to try access their email accounts etc. on other websites. Wasn't there a case a few years back where someone was hacked because the hacker got hold of the last 4 digits of their credit card and used it to reset their password on their mail account

    Edit: Here it is https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    I'll stop you right there, you'll get everywhere with the information available. The customer IDs were sequential and all customer info was accessible by making API requests against the IDs.

    So all you need to do is create a script that will query the API consecutively adding 1 to the customer ID number each time, and save all of the output to a database. Then also query each of those customer ID numbers for the card info. You will then have a list of every customer in their database, including: Full Name, Residential Address, Email Address, Last 4 Card digits, Expiry Date of Card, Birthday, Anniversary.

    Then you have a huge amount of options (some basic social engineering will give you access to some email accounts for example...)

    So in other words what I said. No password, no credit card number but pretty much everything else. :confused:


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    awec wrote: »
    Well, is your card information really safe if someone can place orders on your account?

    I mean, they can't get your full card number, but they can still spend your money!

    I don't think they can. There's no CVV information or anything like that there. The authorisation process would require more data and a valid session. The problem is getting access to everything else.

    It looks like they protected the really obvious stuff (passwords and detailed credit card info) and left everything else completely unprotected, including order history etc. That's how they are getting the last 4 digits of the card, it's stored on the order history.


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    molloyjh wrote: »
    So in other words what I said. No password, no credit card number but pretty much everything else. :confused:

    Yes but you'll get very far with the details available over the wire from their API. If someone had picked it up in time (and it would take me, and I'm nowhere near as quick as some, literally 15 minutes to write a script to do that) then it would be one of the biggest leaks I'm aware of. They have 3.6 million customers (although not all with cards on file) supposedly... Can only imagine what that sort of database would be worth on some corners of the web, and it's only safe to assume someone has that info somewhere now.


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    Yes but you'll get very far with the details available over the wire from their API. If someone had picked it up in time (and it would take me, and I'm nowhere near as quick as some, literally 15 minutes to write a script to do that) then it would be one of the biggest leaks I'm aware of. They have 3.6 million customers (although not all with cards on file) supposedly... Can only imagine what that sort of database would be worth on some corners of the web, and it's only safe to assume someone has that info somewhere now.

    Oh absolutely. That's exactly why I found the tweet so amusing. It was technically 100% accurate but managed to portray that nothing was wrong when in actual fact the whole thing was a total and utter shambles. The "get nowhere" bit in my post was only in relation to the point you made re the full card numbers being encrypted. They'd get nowhere on your card with the last 4 digits. Everything else though is a different matter entirely.

    I'm fairly sure I know how it happened too. And it's all down to a massive lack of appreciation of data protection as a whole. Far too many people think it's just about protecting passwords and financial data. Which is exactly what happened here from what I can tell. I've seen it happen a fair bit over the years.


  • Moderators, Music Moderators Posts: 6,524 Mod ✭✭✭✭dregin


    molloyjh wrote: »
    Yeah from reading it they have. You'll get nowhere with the last 4 digits. Sure credit card receipts generally have those too.

    What's most amusing is that technically that Moonpig tweet is accurate. The password information and card information are safe. Despite the fact that it's ridiculously poor data security. In other words "They can't get your password or your card number, but they can get pretty much everything else".

    It's also scary how lax a lot of companies are when it comes to data confidentiality. Most are well up on the financial stuff, but when it comes to contact details etc there are so many that don't even consider them in terms of data protection.

    The last 4 digits and a date of birth were all that were needed to gain access to apple accounts not that long ago.


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    dregin wrote: »
    The last 4 digits and a date of birth were all that were needed to gain access to apple accounts not that long ago.

    If you can guess the last 4 digits of an account on the phone to GoDaddy in about 50 attempts they'll give you everything :/


  • Administrators Posts: 54,110 Admin ✭✭✭✭✭awec


    If you can guess the last 4 digits of an account on the phone to GoDaddy in about 50 attempts they'll give you everything :/

    Yea but who actually uses GoDaddy? :D


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    Jaysus, it's worse than I thought so! What the hell are these companies thinking!?


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    molloyjh wrote: »
    Jaysus, it's worse than I thought so! What the hell are these companies thinking!?

    Unfortunately the average customer forgets everything they know every 30 seconds and complains when any authentication is required


  • Registered Users, Registered Users 2 Posts: 841 ✭✭✭Journeyman_1


    awec wrote: »
    Yea but who actually uses GoDaddy? :D

    People who want a domain and/or hosting :)

    Totally not me though, please don't hack me!


  • Registered Users, Registered Users 2 Posts: 30,308 ✭✭✭✭.ak


    Glad I never buy anyone cards, ever.


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    People who want a domain and/or hosting :)

    Totally not me though, please don't hack me!

    Their turnover on domains is absolute madness, $1.6b last reported I think it was.


  • Registered Users, Registered Users 2 Posts: 12,870 ✭✭✭✭mfceiling


    I have absolutely no idea what you lads are on about...

    *la, la, la, la, la, la, la, la, la, la*


  • Registered Users, Registered Users 2 Posts: 14,166 ✭✭✭✭Zzippy


    mfceiling wrote: »
    I have absolutely no idea what you lads are on about...

    *la, la, la, la, la, la, la, la, la, la*


    I was going to post exactly the same. Feckin IT nerds... :rolleyes:


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    Zzippy wrote: »
    I was going to post exactly the same. Feckin IT nerds... :rolleyes:

    tumblr_lxywh2bM6z1qfrrv2o1_500.png


  • Registered Users, Registered Users 2 Posts: 12,870 ✭✭✭✭mfceiling


    After reading the previous posts again, I now have this vision of you lads in my mind...


    Geek-crew.jpg


  • Registered Users Posts: 24,767 ✭✭✭✭molloyjh


    mfceiling wrote: »
    After reading the previous posts again, I now have this vision of you lads in my mind...


    Geek-crew.jpg

    I'm the one with the cool glasses!


  • Closed Accounts Posts: 6,415 ✭✭✭Swiwi.


    .ak wrote: »
    Just watched the first episode of True Detective, very good!

    Took me a while to get round to it, but me too!

    Cheers to the various posters on the thread who gave it the thumbs up.

    Woody Harrelson just excellent.


  • Registered Users, Registered Users 2 Posts: 30,308 ✭✭✭✭.ak


    Swiwi. wrote: »
    Took me a while to get round to it, but me too!

    Cheers to the various posters on the thread who gave it the thumbs up.

    Woody Harrelson just excellent.

    It's in my top 3 series, defo. MMcC is class in it. One of the best tv performances I've ever seen.


  • Registered Users, Registered Users 2 Posts: 12,616 ✭✭✭✭errlloyd


    True Detective is absolutely excellent. Production value of a movie, writing of a novel, acting of a West End play.

    I hope they don't butcher the second one.


  • Closed Accounts Posts: 6,415 ✭✭✭Swiwi.


    The RWC thread makes me wonder just how many people do lurk on this forum without ever posting. Barely a regular poster to be found. Lots of handy travel tips though!


  • Posts: 0 [Deleted User]


    Swiwi. wrote: »
    The RWC thread makes me wonder just how many people do lurk on this forum without ever posting. Barely a regular poster to be found. Lots of handy travel tips though!

    http://en.wikipedia.org/wiki/1%25_rule_(Internet_culture)


  • Registered Users, Registered Users 2 Posts: 37,978 ✭✭✭✭irishbucsfan


    Yeah, it's not often acknowledged but this is actually the most read rugby forum on boards.ie


This discussion has been closed.