
ISP Emails Customer Database To Thousands

samzenpus posted more than 4 years ago | from the give-me-a-list dept.

Privacy 259

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."


259 comments


Meanwhile ... at Demon Internet Corporate Offices (5, Funny)

eldavojohn (898314) | more than 4 years ago | (#29522995)

Demon Internet Yesman: Christ! We're getting murdered out there!
Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
Demon Internet CEO: Not bad, not bad ... if it was fucking October! And we're dealing with internet users here, not AOL USERS! Jesus, has anyone else got something better?
Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can ...
Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
Demon Internet Yeswoman: *tentatively raises her hand* Well, we could tell them that we suspected one of them was an evil dirty file sharer ...
Demon Internet CEO: ... I'm listening ...
Demon Internet Yeswoman: ... and now that the evil person tried to do something evil with that data, we have caught them and they are safely behind bars but if you're receiving this message you are not evil so you have nothing to worry about and only good people have your information.
Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.

Re:Meanwhile ... at Demon Internet Corporate Offic (4, Funny)

Reason58 (775044) | more than 4 years ago | (#29523023)

Demon's going to have hell to pay.

Re:Meanwhile ... at Demon Internet Corporate Offic (3, Funny)

moon3 (1530265) | more than 4 years ago | (#29523137)

If they follow the evil corporation best practices manual -- they obviously do so -- then I doubt that.

Bad start: Name the company "Demon". (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29523125)

eldavojohn reveals talents as a Hollywood script writer.

Re:Meanwhile ... at Demon Internet Corporate Offic (3, Funny)

keytoe (91531) | more than 4 years ago | (#29523279)

Demon Internet Yesman 2: Uh, um .... SPLUNGE!
Demon Internet CEO: What does splunge mean?
Demon Internet Yesman 2: It means it's a great idea, but possibly not, and I'm not being indecisive!
Demon Internet CEO: GOOD!

Re:Meanwhile ... at Demon Internet Corporate Offic (2, Funny)

girlintraining (1395911) | more than 4 years ago | (#29523291)

Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

Re:Meanwhile ... at Demon Internet Corporate Offic (5, Funny)

Reason58 (775044) | more than 4 years ago | (#29523359)

Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

The stories are funnier when they are fictitious, Sally.

Re:Meanwhile ... at Demon Internet Corporate Offic (5, Funny)

eldavojohn (898314) | more than 4 years ago | (#29523399)

Great, I just got diabetes and an erection from reading your post.

"Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.

Re:Meanwhile ... at Demon Internet Corporate Offic (2, Funny)

Reason58 (775044) | more than 4 years ago | (#29524021)

Great, I just got diabetes and an erection from reading your post.

Sounds like you need an insulin erection.

Re:Meanwhile ... at Demon Internet Corporate Offic (0, Troll)

Runaway1956 (1322357) | more than 4 years ago | (#29524119)

Fluffy. Bunny. Girlintraining says fluffy bunny. /me ponders the probability that if a MAN came up with that name, he would be carted away on pedo and bestiality charges. Reality: stranger than fiction.

Re:Meanwhile ... at Demon Internet Corporate Offic (0)

Anonymous Coward | more than 4 years ago | (#29523617)

Where was Demon Internet Noman?

Free market will fix this (3, Insightful)

cryfreedomlove (929828) | more than 4 years ago | (#29523039)

Is there a good alternative ISP available to the same customers? If so, then I would expect a stampede away from Demon ISP to their competitor. There is no need for government intervention.

Re:Free market will fix this (5, Insightful)

Anonymous Coward | more than 4 years ago | (#29523139)

Storing user passwords unencrypted in an excel spreadsheet should be a crime.

Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.

Re:Free market will fix this (5, Insightful)

icebike (68054) | more than 4 years ago | (#29523293)

Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

Re:Free market will fix this (1)

sgbett (739519) | more than 4 years ago | (#29523473)

I thought it was bad when places emailed you your own password, but this is pretty 'special'...

Re:Free market will fix this (1)

sabernet (751826) | more than 4 years ago | (#29523707)

That's one of the first things I thought of when reading the summary.

What kind of jackass stores passwords in plain text on a DB? At the least: store the hash+salt, compare the input's hash+salt. You should NEVER store the password in a retrievable manner.

Then again, I suppose it's the same kind of jackass that doesn't do a QA run to make sure something pesky, like say, the ENTIRE client list, gets attached to your invoices.....

Someone please ID these idiots+management and post it out for the world to see so it comes up in their next job hunt.

Re:Free market will fix this (1)

gabba_gabba_hey (309551) | more than 4 years ago | (#29524221)

Ugh, one of my main clients insists that their client user logins on one of their sites be stored in plain text so it can be emailed out/their admins can see the passwords.

I've tried to explain to them time and time again why this is not so great, but they won't listen...

Re:Free market will fix this (1, Informative)

Anonymous Coward | more than 4 years ago | (#29524057)

"Standard practice is that NOBODY, not even sysadmins can see it."

Damn, I guess I won't mention which big webhosting company I just stopped working for then...but suffice to say they just merged with another big webhosting company... fellow slashdotters, if you have webhosting at a large hosting company that has recently undergone a merger, and you value the secrecy of your passwords, tread carefully.

Re:Free market will fix this (1)

selven (1556643) | more than 4 years ago | (#29524329)

Standard practice is that nobody knows the password - you just store the hash.

Re:Free market will fix this (1)

Hatta (162192) | more than 4 years ago | (#29523193)

That's all well and good until the ISP everyone flocks to has a data breach.

Re:Free market will fix this (5, Interesting)

Penguinisto (415985) | more than 4 years ago | (#29523257)

Their biggest competitor is BT [bt.co.uk] ... Not quite seeing a stampede happening in that direction.

There's always Orange, I guess...

(...and to think that I bitch about Comcast...)

/P

Re:Free market will fix this (1)

cryfreedomlove (929828) | more than 4 years ago | (#29523389)

If there is no stampede then maybe the customers don't care about the breach enough to jump. They are making a voluntary decision to stay.

Re:Free market will fix this (1)

Goldberg's Pants (139800) | more than 4 years ago | (#29523465)

A voluntary decision to stick with a reliable ISP. Seriously, most ISPs in England are terrible. I know people using various ones, and the only one I NEVER hear complaints about is Demon.

So, do you want privacy or reliability? You only get to pick one apparently.

Re:Free market will fix this (4, Interesting)

clive_p (547409) | more than 4 years ago | (#29523501)

I'm amazed that you never heard complaints. I was with them for 14 years, but left a few months ago, as their service deteriorated to a level that was completely intolerable. The original company was good, but was successively taken over several times, and all the competent people left. Have a look at the Usenet newsgroup demon.service and you will find plenty of complaints...

Re:Free market will fix this (0)

Anonymous Coward | more than 4 years ago | (#29524155)

Indeed, the ADSL2+ "upgrade" was such a clusterfuck it reached BBC Radio 4 apparently.

Re:Free market will fix this (1)

Nefarious Wheel (628136) | more than 4 years ago | (#29524195)

Being generous, I often allow my service providers one mistake. They never get a third.

Re:Free market will fix this (1, Informative)

Anonymous Coward | more than 4 years ago | (#29524087)

There are quite a lot of ISPs for DSL in the UK, if you can get BT DSL then you can get the competition. There is a range of small-large ISPs which gives the UK a pretty good selection.

http://www.dslzoneuk.net/isp_ratings.php

Re:Free market will fix this (3, Informative)

MrBandersnatch (544818) | more than 4 years ago | (#29523539)

Demon, once upon a time at least, was a VERY good ISP (ex-customer and I don't recall leaving them due to dissatisfaction, I think it was the move to ADSL which prompted the switch).

Anyways, http://forums.thinkbroadband.com/ [thinkbroadband.com] is a good place to get real user feedback on ISPs. Somewhat strangely there are 666 new posts for Demon (I kid you not). I personally am unable to recommend any ISP though. Clara.net shafted me for £100 years ago when their channel bonded ISDN service just wouldn't work for me so I'd recommend you avoid them like the plague; Nildram used to be GREAT but apparently have been taken over by talktalk and users don't look happy; and personally I'm currently stuck with Virgin who routinely cause my blood pressure to rise but because they offer the best speeds blah blah blah.

On the business side I'll say that NewNet and Spitfire have done what they say on the packet overall.......

Anyways, yes, if someone finds a decent ISP let us know please.

Re:Free market will fix this (1)

easyTree (1042254) | more than 4 years ago | (#29523653)

Somewhat strangely there are 666 new posts for Demon

Amazingly it's still at 666 - I guess no one wants to break the magic number by posting.

Re:Free market will fix this (0)

Anonymous Coward | more than 4 years ago | (#29523733)

Demon is one of those formerly world-famous ISPs, like xs4all.nl. Now they're just a relic.

Re:Free market will fix this (3, Interesting)

Anonymous Brave Guy (457657) | more than 4 years ago | (#29523751)

Anyways, yes, if someone finds a decent ISP let us know please.

I've been with Zen's ADSL service for a couple of years now, since moving house. Give or take rare small glitches (and even then, they've had fewer of those than anyone else I've used) their service has always been fast and reliable. They don't have 24/7 tech support available, which did worry me to start with, but since I've never needed to call tech support once the service was set up that no longer bothers me. It does cost significantly more than the cheap providers as well, but I guess you get what you pay for. YMMV, caveat emptor, etc., but I'd sign up with them again.

Re:Free market will fix this (1, Informative)

Anonymous Coward | more than 4 years ago | (#29523757)

I remember when Demon was THE ISP for knowledgeable users. Hell their Welcome Pack used to include instructions for Amiga users!

Then they got bought by THUS and, well...you can read the story for how that worked out.

Re:Free market will fix this (1)

NoYob (1630681) | more than 4 years ago | (#29524169)

Spitfire have done what they say on the packet overall....

That's right. I used to be with Messerschmidt and Spitfire beat them!

Sadly The market is the Problem (1)

omb (759389) | more than 4 years ago | (#29523833)

Demon used to be the best British ISP, but they got too big and were bought out and are now owned by Thus PLC (nee Scottish Telecom) which is a clueless PHB, marketeer run POS.

The problem in the UK, unlike Switzerland, I operate in both, is that the UK only has copper local (last mile) loop. Here we have fiber and copper 'im haus' which means that ISPs can form Internet+TV+Phone at reasonable price. Off peak I see 100mB down + 10 gB up with DTV and phone. Reliability is excellent.

I use Cablecom (CH) and Tiscali Business (UK), and once I got Tiscali up and configured for Linux (hard work, support sucks) it has been quick, >8mB and reliable.

The funniest problem, but part of the hell of using multiple ISPs for mail, is that their SMTP mail acceptor doesn't understand the RFC for domain names and rejects those ending in '.' so First.Last@foo.bar. is rejected, but Cablecom requires the trailing '.'.

Re:Free market will fix this (2, Informative)

digitig (1056110) | more than 4 years ago | (#29524027)

There are a lot of ISPs available in the UK, so there's plenty of choice [thinkbroadband.com] for fleeing customers.

So what? (5, Funny)

should_be_linear (779431) | more than 4 years ago | (#29523045)

Security through obscurity never helped anyone.

Re:So what? (0)

Anonymous Coward | more than 4 years ago | (#29523837)

Lol I don't think they were referring to a list of usernames and passwords when they were thinking of obscurity.

Re:So what? (1)

pete-classic (75983) | more than 4 years ago | (#29524183)

A secret, such as a password, is not the same thing as an obscure fact, like running a service on a non-standard port*.

-Peter

*I'm aware that this is actually pretty useful in practice, but it isn't a security measure per se.

One more reason... (2, Insightful)

popo (107611) | more than 4 years ago | (#29523063)

... that privacy 'policies' don't mean squat...

Who is to blame? (4, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#29523105)

10 Bucks says it comes down to a cat on the keyboard.

Re:Who is to blame? (1)

bertoelcon (1557907) | more than 4 years ago | (#29523167)

10 Bucks says it comes down to a cat on the keyboard.

50 bucks says that cat was pictured in the act in a lolcat image.

Re:Who is to blame? (2, Insightful)

SlashDev (627697) | more than 4 years ago | (#29523557)

or an overworked employee, who decided to take a nap, at their desk.

Re:Who is to blame? (1)

easyTree (1042254) | more than 4 years ago | (#29523669)

Seems more likely to be an unhappy (ex-?) employee to me. Surely this can't have been a mistake.

Re:Who is to blame? (1)

Plug (14127) | more than 4 years ago | (#29523883)

Like this? [youtube.com]

To err is human... (3, Insightful)

Smidge207 (1278042) | more than 4 years ago | (#29523119)

Human error is understandable, but the fact that Demon seems to have very little internal security seems very disappointing.

A spreadsheet with customers' usernames and passwords should never have been able to be distributed outside of the company system. I find it to be gross incompetence on the part of companies and organisations who have little or no internal document security system to prevent small breaches such as this.

Re:To err is human... (2, Interesting)

Hatta (162192) | more than 4 years ago | (#29523237)

There's absolutely no reason to store passwords in the first place. In fact, in a well designed system it would be impossible for the ISP to know the passwords. They'd be hashed and salted first. This is so obvious and simple to do that failing to do so should be considered criminally negligent.

Re:To err is human... (0, Troll)

peragrin (659227) | more than 4 years ago | (#29523329)

they are on an excel spreadsheet. that means windows. That means security and encryption is beyond the users' abilities.

In a true system that file should never have been able to be copied let alone emailed.

Re:To err is human... (3, Informative)

MichaelSmith (789609) | more than 4 years ago | (#29523427)

A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on. You don't want to give them a new password at that point because their daughter isn't around to write it down again. And in practice, the password isn't protecting anything of value anyway.

Re:To err is human... (3, Funny)

sgbett (739519) | more than 4 years ago | (#29523499)

You're hired!

Re:To err is human... (1)

geekoid (135745) | more than 4 years ago | (#29524097)

Email their new password to them AND their daughter.
Also give it to her over the phone.
Here's a thought, Mail it to them.

"the password isn't protecting anything of value anyway."
you seem to suffer from a lack of imagination.

Re:To err is human... (1)

ThePengwin (934031) | more than 4 years ago | (#29524105)

Dear old ladies who think internet is the devil?

But seriously. If they forget the password then tough luck, you get a new one. Use it and then remember it or change it, the world goes on. These days a user's password can be the same for everything. A lot of people on the internet do recycle passwords, and a password for their email may very well be the password to their bank account.

Re:To err is human... (0)

Anonymous Coward | more than 4 years ago | (#29524207)

SHIT!

*changes password on email, leaving original password on bank account*

Re:To err is human... (1)

certain death (947081) | more than 4 years ago | (#29523705)

Mmmmm....Hash and Salt, that reminds me of a good breakfast!

Re:To err is human... (0)

Anonymous Coward | more than 4 years ago | (#29523945)

mmmm, salty marijuana

Re:To err is human... (4, Informative)

mortonda (5175) | more than 4 years ago | (#29524025)

Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post [slashdot.org]

They shouldn't even have the passwords (5, Informative)

danlip (737336) | more than 4 years ago | (#29523133)

I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.

Re:They shouldn't even have the passwords (1)

MichaelSmith (789609) | more than 4 years ago | (#29523475)

Ummm. Where I work spreadsheets are called "databases". I get stupider things in my email every morning at work than the email described here.

And incidentally, since POP and SMTP were switched off to force us to use outlook the number of misdirected emails has gone through the roof. Humans search by first name but Outhouse searches by last name. I have a common last name... And so does a certain senior manager.

Re:They shouldn't even have the passwords (2, Informative)

danlip (737336) | more than 4 years ago | (#29523605)

Ummm. Where I work spreadsheets are called "databases".

But surely you don't have an ebilling login system trying to look up passwords in an excel spreadsheet? Or even an MS Access database? Although maybe Demon Internet does, given their extreme lack of clue.

(and spreadsheets aren't databases, you can't write SQL queries against them)

Re:They shouldn't even have the passwords (1, Interesting)

RoFLKOPTr (1294290) | more than 4 years ago | (#29523739)

(and spreadsheets aren't databases, you can't write SQL queries against them)

A. Just because Excel isn't an SQL database doesn't mean it's not a database.

B. Who says you can't write SQL queries against a spreadsheet? Give me 20 minutes and I can write up a simple program that will accept basic SQL input to modify an XLS file. Spreadsheets are simply tables, columns, and rows, after all... just like SQL databases.

Re:They shouldn't even have the passwords (1)

danlip (737336) | more than 4 years ago | (#29524045)

A. It doesn't have to be SQL, but there does have to be some sort of query language. I suppose I could have said "relational database". Just rows and columns does not make it a database. MS Word has tables too :-)

B. Give me 20 minutes and I could too. I would probably find a lib that would load an excel spreadsheet into a real database and run the query against that. Although a CSV file would be easier.

Re:They shouldn't even have the passwords (1)

RoFLKOPTr (1294290) | more than 4 years ago | (#29524149)

So you're saying that an XLS file isn't a database. Then I say it is a database. Then you say it is a database but it's still not a database because just rows and columns does not make it a database. Well what DOES make something a database?

According to Merriam-Webster [merriam-webster.com] , a database is "a usually large collection of data organized especially for rapid search and retrieval (as by a computer)." Based on that definition, how is an SQL database (which, you agree, could use a spreadsheet format for storing data) AT ALL different from a "spreadsheet"?

Re:They shouldn't even have the passwords (1)

danlip (737336) | more than 4 years ago | (#29524213)

According to Merriam-Webster, a database is "a usually large collection of data organized especially for rapid search and retrieval (as by a computer)." Based on that definition, how is an SQL database (which, you agree, could use a spreadsheet format for storing data) AT ALL different from a "spreadsheet"?

The "rapid search and retrieval" part. Yes, you could store a database in any fricking format you want: XLS, CSV, even English text. But Excel (the software) does not support database functionality, e.g. queries, joins, etc. Databases are software and data, and a "real" database has auxiliary data as well (e.g. indices) to help with the "rapid search and retrieval" part.

Re:They shouldn't even have the passwords (3, Interesting)

MichaelSmith (789609) | more than 4 years ago | (#29523741)

(and spreadsheets aren't databases, you can't write SQL queries against them)

I know. Where I work they would probably employ an intern to copy and paste passwords between the database and the spreadsheet because the database is complicated while everybody understands excel. SQL has been pretty much replaced by the scripting and macro languages supported by excel anyway.

Re:They shouldn't even have the passwords (0)

Anonymous Coward | more than 4 years ago | (#29523691)

Quite clearly it was someone in marketing sending someone who sends out email marketing messages the spreadsheet of mail-merge data to put into the email telling the customer of their ebilling function, and their username and password. Unfortunately the email system/application mail-merged in the spreadsheet itself!

Appalling behaviour to have access to the unencrypted password - I definitely won't be using Demon ever because of that.

Also appalling that marketing can dredge the customer database for such information as their passwords. Marketing should come up with the blurb and the design, and someone competent should merge in the per-customer details. A simple email-template database for marketing to twiddle with, and a mass mailing system that uses the results of an sql query to populate the email template. Easy, most people here could design the guts of such a system in a day or two, maybe even with a primitive email template editor.
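The design sketched in that comment (marketing edits a template, a separate service merges per-customer fields from a query) is easy to get right if the merge service is the only thing that touches customer data and it can only hand a template allowlisted columns. The Python below is an added illustration of that split, not Demon's system or anything from the article: the table, column names, sample rows and the `SAFE_FIELDS` allowlist are all constructed here. The password column exists in the table only to show that it can never reach a template, either through the query or through a `$placeholder` in the template text.

```python
import sqlite3
import string

# Hypothetical allowlist of columns the merge service may expose to a template.
# The password column is deliberately absent, so it can never be selected.
SAFE_FIELDS = ("email", "first_name", "account_ref")


def build_customer_db():
    """Build an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "email TEXT, first_name TEXT, account_ref TEXT, ebill_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            ("alice@example.invalid", "Alice", "ACC-1001", "constructed-pw-1"),
            ("bob@example.invalid", "Bob", "ACC-1002", "constructed-pw-2"),
        ],
    )
    return conn


def fetch_merge_rows(conn):
    """Select only allowlisted columns; never SELECT * from the customer table."""
    cols = ", ".join(SAFE_FIELDS)  # built from a constant, not from user input
    rows = conn.execute(f"SELECT {cols} FROM customers").fetchall()
    return [dict(zip(SAFE_FIELDS, row)) for row in rows]


def template_fields(template):
    """Return the set of $placeholder names a string.Template references."""
    used = set()
    for match in string.Template.pattern.finditer(template):
        name = match.group("named") or match.group("braced")
        if name:
            used.add(name)
    return used


def template_is_allowed(template):
    """True when every placeholder is in SAFE_FIELDS, so no template can pull a password."""
    return template_fields(template) <= set(SAFE_FIELDS)


def render_mailing(conn, template):
    """Produce one (recipient, body) pair per customer; each body sees only its own row."""
    if not template_is_allowed(template):
        raise ValueError("template references fields outside the allowlist")
    tmpl = string.Template(template)
    return [(row["email"], tmpl.substitute(row)) for row in fetch_merge_rows(conn)]


if __name__ == "__main__":
    db = build_customer_db()
    for rcpt, body in render_mailing(db, "Hi $first_name, your ebilling reference is $account_ref."):
        print(rcpt, "->", body)
```

The template is validated before any row is fetched, so a rejected template never causes a query; and because each rendered body is built from one row and addressed to that row's own email, a bug in the template cannot leak one customer's details to another. What this does not guard against is someone attaching the source spreadsheet to the mail by hand, which is why the comment's point about keeping marketing away from the raw customer export matters as much as the merge code.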

Passwords are needed - CHAP (4, Informative)

mortonda (5175) | more than 4 years ago | (#29523953)

I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

While having it in an excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the radius server, which can then look up the salt, hash it, and then verify the password.

However, since this means sending passwords in the clear, most modem concentrators (most ISP's resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the radius server. In order for the radius server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.

That said, it should be stored in a hardened and dedicated server that only handles the storage (sql or ldap) and the radius server. Any billing interaction should only be to update the password, never to read. And it should never be put into an Excel or word doc!
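The two sides of this comment, and the "store the hash+salt" advice given earlier in the thread, can be shown side by side in a few lines. The Python below is an added illustration, not code from Demon or from any RADIUS implementation: the CHAP side follows the MD5 response definition from RFC 1994 (`MD5(identifier || secret || challenge)`), the PAP-style side stores a salted PBKDF2 hash, and the secret, identifier, challenge and PBKDF2 parameters are all constructed values. The point it makes is the one above: a CHAP server that holds only a hash of the secret cannot verify anyone, while a server that receives the password itself never needs to keep it.

```python
import hashlib
import hmac
import os

# --- CHAP (RFC 1994, MD5 variant) ------------------------------------------
# Response = MD5(identifier || secret || challenge). The server can only
# recompute it if it holds the plaintext secret.

def chap_response(identifier, secret, challenge):
    """Client side: hash the one-byte identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(identifier, challenge, response, stored_secret):
    """Server side: recompute from whatever is stored and compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# --- PAP-style storage: salted one-way hash --------------------------------
# The password itself reaches the server, so the server keeps only a salted
# PBKDF2 digest and cannot reveal the password afterwards.

def make_password_record(password, salt=None, iterations=200_000):
    """Create the stored record: random 16-byte salt plus PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, password):
    """Re-derive the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def demo():
    """Run both exchanges on a constructed credential and report what verified."""
    secret = b"constructed-sample-secret"  # constructed, not a real credential
    identifier = 7
    challenge = os.urandom(16)

    # CHAP: verification works only when the server holds the plaintext secret.
    response = chap_response(identifier, secret, challenge)
    chap_with_plaintext = chap_server_verify(identifier, challenge, response, secret)
    # A server that stored only a hash of the secret cannot reproduce the response.
    hashed_secret = hashlib.sha256(secret).digest()
    chap_with_hash_only = chap_server_verify(identifier, challenge, response, hashed_secret)

    # PAP-style: the stored record is a salted hash, yet verification still works.
    record = make_password_record(secret)
    pap_correct = verify_password(record, secret)
    pap_wrong = verify_password(record, b"wrong-guess")

    return {
        "chap_with_plaintext": chap_with_plaintext,
        "chap_with_hash_only": chap_with_hash_only,
        "pap_correct": pap_correct,
        "pap_wrong": pap_wrong,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

This is also why the comment's placement advice matters: with CHAP the plaintext store is unavoidable, so the only mitigation left is to confine it to the authentication server and give every other system (billing included) a write-only path to it. An ebilling web login, as the reply below notes, has no such constraint and should hold nothing but the salted digest.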

Re:Passwords are needed - CHAP (1)

danlip (737336) | more than 4 years ago | (#29524101)

You're talking about modem protocols, authentication to get onto a network - but TFA was talking about passwords onto an ebilling system. Which you should be accessing with https, so the password should be encrypted (albeit reversibly) at that point, and there should be no reason it isn't a one-way hash in the database.

computer billing story (5, Interesting)

innocent_white_lamb (151825) | more than 4 years ago | (#29523135)

I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
 
This story goes back several years, as you will see.
 
Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each day's transactions by modem to a central computer that printed the monthly bills.
 
For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
 
18 months later I got a (manually generated) bill for $13,000.
 
The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.

Re:computer billing story (1)

DigiShaman (671371) | more than 4 years ago | (#29524095)

You did end up paying the bill, right?

Re:computer billing story (0)

Anonymous Coward | more than 4 years ago | (#29524099)

This story goes back several years, as you will see.

I wore an onion on my belt....which was the style at the time...you couldn't get those white ones, you could only get those big yellow ones.

Re:computer billing story (1)

geekoid (135745) | more than 4 years ago | (#29524111)

The moral of the story is:

When someone implements a crappy system, it can affect that company and customers for years afterwards.

Really, there is no reason not to modernize this shit.

I'm glad (1)

Grimnir512 (1449641) | more than 4 years ago | (#29523141)

I'm glad we switched away from Demon near the start of this year. >_

And this is partly why I refused eBilling (4, Interesting)

PipingSnail (1112161) | more than 4 years ago | (#29523149)

Demon wanted all customers to take up eBilling several years ago. You had to opt out of eBilling. I opted out because I wanted a printed invoice to give to the accountants and because I thought sooner or later some cockup like this would happen. My choice has been vindicated. And no, I won't be looking for another vendor. Demon are more expensive than other vendors, but other than the eBilling foulup, they are generally good and no bandwidth restrictions or upper limits at all. And that is what I want.

Re:And this is partly why I refused eBilling (2, Interesting)

VisualD (1144679) | more than 4 years ago | (#29523541)

I'm assuming you're on one of the business rates? I ask because I'm on HomeOffice 2+ (have been with demon for a good 8 years now) and have a cap of 60GB per rolling 30 day period. I've been capped to 128kbps twice now, so I rang for my mac code thinking I might try Be, and they offered me Demon Business 2+ Pro for £30 a month, which apparently is a no limits service. Would be nice to get your impressions of the service before committing to a 12 month contract, if you have the time :) BTW, I also opted out of e-billing at the time, for very similar apprehensions, it is nice to be vindicated.

Re:And this is partly why I refused eBilling (1)

RoFLKOPTr (1294290) | more than 4 years ago | (#29523939)

Are you guys sure that only the eBilling customers are the ones on that spreadsheet? Maybe I missed something in the article, but I'm willing to bet that all customers are on it.

Someone had better lose their job. (5, Insightful)

olsmeister (1488789) | more than 4 years ago | (#29523151)

Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.

Re:Someone had better lose their job. (2, Interesting)

ZekoMal (1404259) | more than 4 years ago | (#29523697)

Apparently you've never worked at an office. A bulk of computer complaints at such corporations tends to be from a combination of boredom and stupidity. Frankly, it's amazing that the entire world hasn't collapsed given the sheer number of "why can't I watch porn on our secure network??!!!11!!" type of inquiries; now imagine the same average cubicle corp running your internet.

Really! (3, Interesting)

joggle (594025) | more than 4 years ago | (#29523863)

This reminds me of when I was hired to do some maintenance on a small fantasy racing team website. The website seemed pretty well implemented and the database seemed reasonable. I then took a look at the account info table and was horrified to find that everything was stored in plain text, passwords, real names, user names, CC numbers, addresses, etc. I'm not exactly a database/web guru, but come on! How hard is it to use md5() to store passwords?? And I don't like the idea of some random guy (me in this case) being entrusted with everyone's credit info. There has to be a better way.

I learned my lesson though. I will never pass my credit info to a small-time website. To think that a fairly large ISP would be this stupid in the year 2009 is mind boggling.

Re:Really! (2, Insightful)

Kalriath (849904) | more than 4 years ago | (#29523967)

Credit Card info? That's a violation of PCI DSS right there along the lines of the great Web Hosting Talk fuck-up of last year. You can be fined millions for that.

You gave me a business idea (3, Funny)

NoYob (1630681) | more than 4 years ago | (#29524117)

I'll call The Goat, LLC.

You see, when a company fucks up, they call us at The Goat and we send them a person. Said person "works" there and takes all the blame and gets fired. The company looks good and we make money.

Legal fuck ups cost $100,000 for the goat plus our markup of 100% for a total of $200,000. The $100,000 for the goat allows him to live for a while until the public forgets about him. Goats for white collar illegal activities will run on a sliding scale. But let's say you have another Enron type of thing. That'll run you well in the tens of millions but the upside is you get away with it (and your hundreds of millions or billions) and our Goat goes to trial and maybe even jail for you (extra million per year sentenced). Sorry, we won't offer any services for violent crimes, mafia stuff, or political hanky panky - sorry Congressmen, Senators, and any ex-Presidents.

This is Epic (1)

surfdaddy (930829) | more than 4 years ago | (#29523249)

...the country that has cameras on every corner is now sending accounts/passwords to everybody!!?? WTF? Sounds like the ISP has some major process issues; just like putting software into production, you need to have a couple of approval points to prevent this sort of thing.

Looking forward (4, Interesting)

vrmlguy (120854) | more than 4 years ago | (#29523353)

I think that we should start putting fictitious information (something blob-like, like a customer name) into sensitive databases that matches one or more virus signatures. This would cause email filters to block the content before it leaves the premises. (Yes, I realize that we'd need to be filtering out-going mail, but unless you're a spam generator, that's a small fraction of your incoming email. Some of us are already doing this, although not for this reason.)

Re:Looking forward (1)

dissy (172727) | more than 4 years ago | (#29524247)

That is going to be _awesome_ once the local antivirus program deletes it off a system with stale exception lists :D

no biggie (1)

bugs2squash (1132591) | more than 4 years ago | (#29523391)

Just choose "recall this message" from the actions menu and the damage will be undone.

Oops? (0)

Anonymous Coward | more than 4 years ago | (#29523531)

my bad.

That's too bad (1)

dave562 (969951) | more than 4 years ago | (#29523559)

My very first email address was on a ...demon.co.uk host, back in the early 1990s.

Another reason... (2, Informative)

SlashDev (627697) | more than 4 years ago | (#29523561)

... why emails originating from ISPs, should be audited first then approved / denied.

I can fix it if you let me at the code (1)

w0mprat (1317953) | more than 4 years ago | (#29523993)


[window pop up] "Are you sure you want to send this?"
[countdown timer on OK button] 5...4...3...2...1...
[user clicks OK prematurely]
[window pop up] "NO! Penalty timeout!"
[countdown timer on OK button] 39...38...37...36...

My experience of the same thing... (4, Interesting)

w0mprat (1317953) | more than 4 years ago | (#29523635)

I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days, they fail to recognise the threat of abject stupidity.

Yes, some asshat will accidentally forward whatever. How this occurs is demonstrated by my example below (I witnessed this, details altered). I've seen co-workers make this mistake, and I've been a customer when the same fault happened and I got sent a 700kb spreadsheet of confidential information. But anyway, here is the two-step method to epic fail:

Step 1: Email staff with a template for them to send, and attach a spreadsheet of the customers

-----Original Message-----
From: Bob Smart [mailto: Bob.Smart@[-------].co.--]
Sent: Thursday, 23 September 2008 10:53
To: [-------] Outbound Contact Team
Subject: FW: eBill template


Hi Team,

Please send this template below to all customers in the attached spreadsheet. You three can divide the work amongst yourselves.

>

Dear customer-name-here,

[etc..]

.....

Step 2: Your keyboard jockeys forward the email, delete the header and the boss's message, and insert the customer details into the template. Send. Boom. Done.

By default, forwarding in pretty much all mail applications keeps the attachment.

I'm sure this is the principal way documents are leaked from just about any organisation.
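Two defensive ideas in this thread can be checked by machine before a message leaves the organisation: the forward-keeps-the-attachment failure described in the two steps above, vrmlguy's suggestion of planting a marker in sensitive exports so the outbound filter trips on it, and SlashDev's point that outbound ISP mail should be audited before it is approved. The following is an added example written for this discussion, not code from Demon or from any poster. It uses only the Python standard library; the domain `example.co.uk`, the canary string, and the sample messages are all constructed for the demonstration.

```python
"""Outbound-mail guard for the forward-with-attachment failure mode.

Added example: parses an RFC 5322 message the way a mail gateway would and
flags it when (a) an attachment travels to a recipient outside the company's
own domain, or (b) an attachment contains a canary marker that was planted in
sensitive exports. Either finding should hold the message for review.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.co.uk"        # assumption: the sending company's domain
CANARY = "CANARY-DO-NOT-SEND-9f3a"      # constructed marker planted in sensitive exports


def build_forwarded_bill(to_addr: str, attach_text: str) -> bytes:
    """Construct the message a support agent produces by forwarding the boss's
    template mail: the spreadsheet attachment is kept by default."""
    msg = EmailMessage()
    msg["From"] = f"support@{INTERNAL_DOMAIN}"
    msg["To"] = to_addr
    msg["Subject"] = "FW: eBill template"
    msg.set_content("Dear customer,\n\nHere is how to use the new ebilling system.\n")
    # The attachment content is constructed; a real export would be the customer list.
    msg.add_attachment(attach_text, subtype="csv", filename="customers.csv")
    return msg.as_bytes()


def attachment_findings(raw: bytes, internal_domain: str = INTERNAL_DOMAIN,
                        canary: str = CANARY) -> dict:
    """Gateway-side check. Returns the external recipients, a list of
    (reason, attachment filename) findings, and whether to hold the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Collect every recipient from To/Cc/Bcc and keep the ones outside our domain.
    header_values = [str(v) for name in ("To", "Cc", "Bcc")
                     for v in msg.get_all(name, [])]
    recipients = [addr for _, addr in getaddresses(header_values) if addr]
    external = [a for a in recipients
                if not a.lower().endswith("@" + internal_domain.lower())]

    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        text = (payload.decode("utf-8", "replace")
                if isinstance(payload, bytes) else str(payload))
        if canary in text:
            findings.append(("canary", name))          # planted marker found
        if external:
            findings.append(("external_attachment", name))  # attachment leaving the org
    return {"external": external, "findings": findings, "block": bool(findings)}


if __name__ == "__main__":
    leak = build_forwarded_bill(
        "customer@otherisp.net",
        "name,email,password\nAlice,alice@otherisp.net,hunter2\n" + CANARY + "\n")
    print(attachment_findings(leak))
```

The external-attachment rule will also hold legitimate mail, which is the point: a held message costs a reviewer a minute, while a customer spreadsheet sent to 3,600 people cannot be recalled. The canary rule catches the export even when it is sent internally to someone who should not have it.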

Re:My experience of the same thing... (5, Funny)

Ronald Dumsfeld (723277) | more than 4 years ago | (#29523775)

I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days, they fail to recognise the threat of abject stupidity.

Many moons ago, I was told a tale about sending out mass mailings, not this "slip of the mouse" email stuff.

The bank's marketing and finance guys have come up with this glossy brochure of stuff for their top customers, based on something like highest 5% balance holders. There's a letter drafted to accompany the brochure, it just remains to do the little personalising touches for the final run.

Someone forgets to replace the output placeholder with the salutation generation program that'll even spew out "Dear Sir Whimsey-Porpoise".

The final letters are printed, enveloped, and mailed. The salutation from the placeholder piece of code? "Dear Rich Bastard,".

Re:My experience of the same thing... (1)

Kalriath (849904) | more than 4 years ago | (#29523999)

That's old. And it's probably an urban legend, as it's usually a charity emailing or sending letters to their biggest donors.

Re:My experience of the same thing... (3, Insightful)

7 digits (986730) | more than 4 years ago | (#29524089)

Snopes [snopes.com] says it is true.

I also like the idea of Wells Fargo sending this to customers:

You owe your soul to the company store. Why not owe your home to Wells Fargo? An equity advantage loan can help you spend what would have been your children's inheritance.

Re:My experience of the same thing... (0)

Anonymous Coward | more than 4 years ago | (#29523789)

This is why when any moron half witted manager asks me for a report or a dump of users data I ALWAYS encrypt the file or zip password protect it.
If nothing else I know the weak link between two dumbasses asking for stuff they half understand don't accidentally forward it.

Hell, I had one manager using a "fake" password to test an email reset to a sensitive system that generates a one time password for you. He didn't see any problem sending it to some domain he figured wasn't real, so nobody gets it. I had to "kindly" explain that @test.com actually goes somewhere!

Re:My experience of the same thing... (0)

Anonymous Coward | more than 4 years ago | (#29523851)

Who the fuck would do something like that by hand??
Export the Excel data to text, write a perl script that uses mutt/mail/pine/whatever to send the stuff out and go to the pub.
I mean, we are talking about an ISP here...

Cleartext Passwords? Really? (2, Insightful)

algae (2196) | more than 4 years ago | (#29523825)

The real WTF is that all those passwords were in the clear. What the hell business does anyone have these days, doing anything more than storing a one-way hash?

Re:Cleartext Passwords? Really? (2, Funny)

w0mprat (1317953) | more than 4 years ago | (#29523963)

Huh? My is password cleartext it's always ******** no matter what I type, so insecure!

Re:Cleartext Passwords? Really? (1)

mortonda (5175) | more than 4 years ago | (#29524003)

Yes, really. It's called CHAP authentication, and it requires plain text passwords. see my other post [slashdot.org]

Why is this even available? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#29523829)

I realize most people don't use negabases or other things that would prevent marketing twats from getting their filthy grubby hands on information--but why was there a password field even available to anybody to start with?

Four years ago I inherited an application with plaintext passwords. Yes, it took me *two years* to fix it because of other even worse problems--but it was fixed in the end (SHA1, salted per user in the front and tail).

Our support team bitched and moaned that they could no longer troubleshoot problems by looking up the user's password to login as them--then moaned even louder when I took away their database access entirely (I would have done that *first* if I could have gotten away with it). Now they log in as an admin and switch to a "user view" where they can't break anything without clicking an "edit account" button, and have read-only access to some predefined views on the database they can't edit. No more worrying about IT writing to my database or starting transactions they don't finish. No more tools playing with SQL on their lunch hour taking down production by dropping the wrong table... Best practices exist for a reason. Because sooner or later you grow, and the new guys don't get properly indoctrinated and do something stupid.

Our old support team staff wouldn't even be able to find the password column in the account table anymore--because it *doesn't exist*. It's basically a "passwordImage" table joined on accountids, with permissions set on the entire table such that only the authenticator service can read it.

For a company with an actual budget--it just seems inexcusable that plaintext passwords could be made available, much less were given to somebody who was foolish enough to let it leave a terminal.

When will people be held accountable for their complete absence of best practices and willful ignorance?
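Three comments in this thread touch the same design question: joggle asks how hard it is to use md5() for passwords, algae asks why anything beyond a one-way hash is stored, and the post above describes a salted hash kept in a separate table that only the authenticator can read. The following is an added example for this discussion, not code from Demon or any poster. It shows why an unsalted md5 is not enough (identical passwords produce identical hashes), a salted iterated hash using PBKDF2 from the Python standard library, and an account store whose support/marketing export simply has no password column to leak. The account names, e-mail addresses and iteration count are constructed for the demonstration.

```python
"""Password storage: unsalted md5 versus salted iterated hashing, plus an
account store whose exports cannot contain the secret. Added example."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: cost tuned for the deployment's hardware


def unsalted_md5(password: str) -> str:
    """The scheme joggle suggests. Two users with the same password get the
    same digest, so one cracked row (or a lookup table) cracks them all."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; self-describing so the
    cost can be raised later without rehashing every account at once."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Account data and password images live in separate tables; only
    authenticate() ever reads the image table, and the export for support or
    marketing is built from the account table alone (constructed model)."""

    def __init__(self) -> None:
        self._accounts = {}          # username -> account fields (no secrets)
        self._password_images = {}   # username -> hash string; authenticator-only
        # Dummy image so unknown users cost the same time as wrong passwords.
        self._dummy = hash_password("dummy", iterations=1_000)

    def register(self, username: str, email: str, password: str,
                 iterations: int = ITERATIONS) -> None:
        self._accounts[username] = {"email": email}
        self._password_images[username] = hash_password(password, iterations)

    def authenticate(self, username: str, password: str) -> bool:
        image = self._password_images.get(username, self._dummy)
        return verify_password(password, image) and username in self._accounts

    def support_export(self) -> dict:
        """What a spreadsheet for staff may contain: no password column exists."""
        return {u: dict(fields) for u, fields in self._accounts.items()}


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "alice@example.net", "hunter2", iterations=20_000)
    print(store.authenticate("alice", "hunter2"), store.support_export())
```

The caveat mortonda raises elsewhere in the thread is real: CHAP-style dial-up authentication needs the server to hold the cleartext (or reversibly stored) secret, so a scheme like this applies to the ebilling web login, not to every credential an ISP keeps. The separation still holds either way: whatever the authenticator must read should not be reachable by the query that produces a mail-merge spreadsheet.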

Anyone else with horror stories with Demon? (4, Informative)

Fredde87 (946371) | more than 4 years ago | (#29523889)

I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers' email and domains. We used to buy the domains through Demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid, they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts. Then the same thing happened a second time a few weeks later. Obviously after the first time we asked them to double check that there were no more outstanding bills we hadn't received and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked. Awful company to deal with in general; any DNS changes to a domain have to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon can't make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just cancelled all of them and then put them through as new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first, which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they removed all our DNS records from their NS server. Luckily the move went through smoothly. Now with Zen and 1&1, which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no emails or web services. Thank you and goodbye Demon!

Notice the words carefully... (3, Insightful)

freedom_india (780002) | more than 4 years ago | (#29523913)

...when a corporate is involved it always is a MISTAKE.
When an individual hacker exposes weak security, he is a terrorist.
Wow!
Talk about double standards.
Why can't the corporate be sued on SAME grounds like hackers?

Re:Notice the words carefully... (3, Informative)

geekoid (135745) | more than 4 years ago | (#29524127)

intent.

A hacker didn't accidentally get into a system,
