Slashdot: News for Nerds

Gaining Info On Tech Execs With Just Their Email

Unknown Lamer posted about 2 years ago | from the mark-zuckerburg-revealed-as-closet-myspace-fan dept.

Privacy 75

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."


75 comments

I can tell you what his problem was (-1)

Anonymous Coward | about 2 years ago | (#40996947)

Don't be a toolbag and spell your name "Mat". Spell it "Matt" and you will slip into the crowd and be indistinguishable from your peers (a safety method used by countless species around the world, since the beginning of life on earth). Step out of the crowd, and you better be ready to have your ass handed to you.

Any way around this? (5, Interesting)

jbuk (1581659) | about 2 years ago | (#40996951)

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Re:Any way around this? (5, Insightful)

jeffmeden (135043) | about 2 years ago | (#40997065)

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40997139)

So basically display the message "a confirmation e-mail has been sent, thank you", and sort the situation out in private through the email address.

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40997889)

Only works for those sites that require you to read the mail and click a link to register; there are sites where you get instant access even with a bogus email address.

Re:Any way around this? (1)

nedlohs (1335013) | about 2 years ago | (#40999447)

And for those the fact that some address is already registered tells you exactly nothing since anyone could have done that. So that doesn't matter in the slightest.

Re:Any way around this? (2)

vlm (69642) | about 2 years ago | (#40997183)

in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

And if you're trying to attack an enemy on that site, it's something of a three-sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day pseudo-stalking, or a thousand times per hour mailbomb.

Re:Any way around this? (2)

jeffmeden (135043) | about 2 years ago | (#40997293)

in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

And if you're trying to attack an enemy on that site, it's something of a three-sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day pseudo-stalking, or a thousand times per hour mailbomb.

You could cap it at one message per day, week, etc. The message doesn't really have to be sent ever since it's for a registration that will not take place, except for the case where the user forgot they had an account altogether and are trying to create a new one, so you want some kind of personalized notification of such an incident. Once a week is probably enough to avoid having someone forget about it before they do it again. Also, you could give the option to turn the notification off entirely if you are indeed being "e-Stalked" by some masked marauder.

Re:Any way around this? (1)

rodrigoandrade (713371) | about 2 years ago | (#40997935)

it's something of a three-sided coin flip

Wow, a d3 coin!! My AD&D group would kill to own one!!

Re:Any way around this? (1)

GonzoPhysicist (1231558) | about 2 years ago | (#40998537)

Roll a D12 modulo 3 add one, no killing necessary.

Re:Any way around this? (1)

Tanktalus (794810) | about 2 years ago | (#41001429)

Roll a D12 modulo 3 add one, no killing necessary.

Wow, that's way more obtuse than we ever did. We took a d6, divided the result by two, round up. And even that is an obtuse explanation for simple groupings: 1-2 = 1, 3-4 = 2, 5-6 = 3.

Rolling d12s were annoying - of all the dice, they were the most likely to accidentally roll off the table because they often just didn't stop. Even the d20s didn't have that problem. (d100's did, too, but I only ever knew one guy who was so pathetic in his attempt to fit in with us social rejects in high school that he bought a d100 and tried to show it off.)

Re:Any way around this? (1)

camperdave (969942) | about 2 years ago | (#40998617)

it's something of a three-sided coin flip

Wow, a d3 coin!! My AD&D group would kill to own one!!

Grab any standard coin: Obverse, Reverse, Edge.

Re:Any way around this? (4, Insightful)

omnichad (1198475) | about 2 years ago | (#40997075)

Send the verification email at this step, before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.

That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40999543)

Sounds like a nice way to get a website to spam someone I don't like. Thanks!

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#41002519)

How is it different from creating an account for someone you don't like, 1000 times?

Re:Any way around this? (1)

vlm (69642) | about 2 years ago | (#40997089)

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Unfortunately yes, and it's called "login with your facebook account".

The other alternative, since no one uses email anymore except old people, spammers, and presumably old people spammers, is to use something equally trendy. Require a twitter handle. Or a /. nickname. Or that MS live gamer-tag gamer-handle, whatever it's called (you can tell the only thing I've ever used it for is GTA4 on a PC).

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40997321)

So basically these sites are stealing the abuse-prevention system of another site instead of implementing their own.

Re:Any way around this? (2)

vlm (69642) | about 2 years ago | (#40997477)

So basically these sites are stealing the abuse-prevention system of another site instead of implementing their own.

Only stealing if they don't have permission. They are collecting all kinds of tasty data mining information in exchange for hosting a login service. So FB knows when and where and who is logging into my local newspaper to post inane comments to their newswire stories. Because 99% of the newspaper site comments are repetitive political sloganeering spam, that means FB knows exactly who are not-too-bright active proselytizer political "true believers", on one side or another anyway. That's monetizable information when you sell a mailing list to political parties. Title of the spamlist is probably something like "recently active political activists in zip code 12345". Some database JOINs can fine tune the list to your specific target audience.

Re:Any way around this? (2)

chill (34294) | about 2 years ago | (#40997279)

Yes, display a "registration confirmation e-mail sent" and do it early on in the process. Require a confirming click before continuing.

Send the e-mail. In the e-mail have a statement like "you already have an account -- would you like a reminder? If you didn't try and register here, just ignore this."

The person looking for active accounts by rejection on the web site gets no feedback. Problem solved.
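As an added example (not code from jeffmeden, omnichad or chill), here is the flow the replies above converge on, in Python: the web response is identical whether or not the address already has an account, the distinction lives only in the e-mail, the "you already have an account" notice is capped at one per week and can be switched off by the account owner, and only the holder of the mailed token can finish a genuine sign-up. The in-memory store, outbox, addresses and timestamps are constructed stand-ins for the demo.

```python
"""Enumeration-resistant registration start (added example, not the
commenters' code). The web response is the same whether or not the
address already has an account; the distinction lives only in the e-mail.
Store, outbox, addresses and timestamps are constructed for the demo."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

REMINDER_INTERVAL = timedelta(days=7)   # cap on "already registered" notices
UNIFORM_RESPONSE = "Please check your e-mail for registration instructions."


@dataclass
class Account:
    email: str
    notify_on_reregister: bool = True          # owner can silence the notices
    last_reminder: Optional[datetime] = None


@dataclass
class RegistrationService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)          # token -> email
    outbox: List[Tuple[str, str]] = field(default_factory=list)    # (to, subject)

    def begin_registration(self, email: str, now: datetime) -> str:
        """Step one of sign-up: no password, no profile yet. Whatever the
        outcome, the caller gets UNIFORM_RESPONSE, so a probe learns nothing."""
        email = email.strip().lower()
        existing = self.accounts.get(email)
        if existing is None:
            token = secrets.token_urlsafe(32)      # unguessable, single-use
            self.pending[token] = email
            self.outbox.append((email, "Finish creating your account"))
        elif existing.notify_on_reregister and (
            existing.last_reminder is None
            or now - existing.last_reminder >= REMINDER_INTERVAL
        ):
            existing.last_reminder = now
            self.outbox.append((email, "You already have an account"))
        # else: already registered and notified recently -> send nothing at all
        return UNIFORM_RESPONSE

    def complete_registration(self, token: str) -> bool:
        """Only a holder of the mailed token can finish; the token is consumed."""
        email = self.pending.pop(token, None)
        if email is None or email in self.accounts:
            return False
        self.accounts[email] = Account(email)
        return True


def simulate() -> dict:
    """Constructed scenario: a probe of an existing account, a real sign-up,
    a repeated probe inside the cap, and one after the cap expires."""
    svc = RegistrationService()
    svc.accounts["ceo@example.com"] = Account("ceo@example.com")
    t0 = datetime(2012, 8, 17, 12, 0)
    r_probe = svc.begin_registration("CEO@example.com", t0)
    r_new = svc.begin_registration("newuser@example.com", t0)
    svc.begin_registration("ceo@example.com", t0 + timedelta(days=1))   # capped
    svc.begin_registration("ceo@example.com", t0 + timedelta(days=8))   # notice again
    token = next(iter(svc.pending))
    return {
        "same_response": r_probe == r_new == UNIFORM_RESPONSE,
        "subjects": [subject for _, subject in svc.outbox],
        "completed": svc.complete_registration(token),
        "replay_rejected": not svc.complete_registration(token),
    }


if __name__ == "__main__":
    print(simulate())
```

The probing client sees one string in every case; everything that differs (new-account link, reminder, or silence) goes to the mailbox, and a duplicate notice is suppressed for a week so the mechanism cannot be turned into a mailbomb against the account owner.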

Re:Any way around this? (1)

fast turtle (1118037) | about 2 years ago | (#40997595)

Yes, and the answer is damn simple really. Block access to any/all cloud storage providers, external smtp servers, email accounts and such at the network edge. If you're going to provide any access to outside services like that, it needs to be on systems that are completely locked down, isolated to their own network and with removable media completely disabled.

Why any company would allow access to these kinds of services w/o a contract is beyond me since it makes it so damn easy for someone to simply copy any important docs and give them to someone who shouldn't have them. Basic Security 101 covers this. If you don't own the system, then it's not authorized and various rules/regs/laws will nail your ass to the wall for violating them.

Re:Any way around this? (1)

ColdWetDog (752185) | about 2 years ago | (#40997751)

Because people need to get work done and not every company can provide everything for every employee. Security is always a balance.

If you locked out Dropbox, then I could 'steal' documents using my USB Flash drive. Or just photograph screens with my iPhone. In fact, my iPhone has this nifty 'scanner' app that takes pictures of documents, does OCR and converts them to PDFs. Just the thing for industrial espionage (as if the 8MP camera wasn't enough).

Just you go and try to block USB ports from a typical business. Maybe if you're military or do high end research - it might be warranted and doable at that point. But for a social media company? Right.

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40998219)

Some social media start-up probably has little worth protecting (even complete attacks on their customer database often prove to be recoverable) but "real" companies like the world's largest retailer (guess who) do exactly what you are proposing. No files come or go by HTTP or email. No thumb drives are available on any workstation attached to the LAN. Services like Dropbox are completely off the table. If you need to move a file you put it where it belongs (a controlled file repo) and you tell others where to find it.

The military? They will throw you off the base and revoke any future access if you even *carry* a thumb drive into a classified area. Yes, security matters in the real world. Facebook or Craigslist or whatever, sure, they don't give two shits. Of course they don't have a lot (like billions of dollars, or life threatening national secrets) on the line so they can get away with acting irresponsibly.

Re:Any way around this? (2)

KhabaLox (1906148) | about 2 years ago | (#40998701)

"real" companies like the world's largest retailer (guess who) do exactly what you are proposing. No files come or go by HTTP or email. No thumb drives are available on any workstation attached to the LAN. Services like Dropbox are completely off the table.

I'm guessing you're talking about a company like Wal-Mart. Are you saying that the Procurement department there can't receive any PDFs, spreadsheets, word docs or any other file from a prospective supplier via email? I'm pretty sure that's not correct. I used to work for a food company that did business with both Wal-Mart and Sam's Club, and I don't ever recall getting a request for help sending files to them (and trust me, my users would not have been able to follow whatever instructions they were given for alternative delivery methods).

I currently work for a large post-production company in the entertainment industry, where security is a big deal. But they don't impose the draconian security measures that are required for the production areas/networks on the rest of the business. The HR and Finance departments have their own security needs (physical and electronic) that are different from Operations, and it wouldn't make sense to apply one rule to all areas.

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40997843)

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Sure!
"I'm sorry, jbuk, I'm afraid I can't do that."

Re:Any way around this? (0)

Anonymous Coward | about 2 years ago | (#40999421)

Here are a couple options:

1) Sites that don't use email addresses as usernames
2) Use a non-business, non-identifiable email address

With regards to #1, of course there will still be an email associated with the account for the purposes of password resets and such but the username is not the email. Sorry to people that can't remember usernames because in this situation your account will be lost.

As for #2, if the concerns of using an identifiable email address don't matter to you why should they matter to me, in terms of a site operator. Sites should not have to compensate for outright stupidity. What's worse is the case of using a business address - this should be a no-no everywhere if the account is not for business use. If it's for business use then have a separate email set up for use with the site.

It's the business who owns the email address that should be concerned, not the site.

Yes, I've seen this many many times (-1)

Anonymous Coward | about 2 years ago | (#40996953)

Did you know Dr Steven Jobs got a first post? True dat.

steve@apple.com

A counter to this...? (1)

tomknight (190939) | about 2 years ago | (#40996999)

So could a counter to this be to create accounts on as many systems as possible using your corporate account just to create noise?

Maybe an early task for the IT department could be to create such accounts on the executive's behalf, and release them as required? Obviously this will be borderline (or plain beyond) the standard T&Cs for these sites, but at least they'd be able to claim another valued user (advertising viewer).

Clearly you'd need to use a list of sites that won't get the corporation into trouble, but which encompasses all the sorts of sites its employees are likely to log in to with such credentials. Playboy might or might not be on such a white list, but should an exec need such...relief... (s)he could ask to have that site added to the list.

Re:A counter to this...? (1)

ameen.ross (2498000) | about 2 years ago | (#40997097)

Why would it be a problem to just use one's personal email address? It seems to me that using your corporate email for anything else than just plain email and P2P communication is a bad idea.

Re:A counter to this...? (2)

KhabaLox (1906148) | about 2 years ago | (#40998769)

Well, at the mid-management level, I know that I had accounts on vendor/customer websites (e.g. newegg, Dell, Costco) because I had to do business with them for my job. In some cases, like Newegg, I had my own personal account as well.

I can easily see the need for an account on Dropbox or Twitter or FB or some other service that was tied expressly to your job, and not for you personally. I don't see as much of a case for C level positions, but I guess if you want to easily share files across computers it makes sense.

And re security, if you can't trust your CEO not to steal files, then you have bigger problems.

Re:A counter to this...? (1)

mickey.moose (2574325) | about 2 years ago | (#41013291)

Having a business need was covered with...

"If it's for business use then have a separate email set up for use with the site."

Re:A counter to this...? (1)

KhabaLox (1906148) | about 2 years ago | (#41014123)

So if the user has accounts on 15 different sites, you would have them set up 15 different email address?

Hate using my Email address as log in (5, Interesting)

Nyder (754090) | about 2 years ago | (#40997005)

Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

Re:Hate using my Email address as log in (2)

Minwee (522556) | about 2 years ago | (#40997239)

Always thought it was a bad idea [...] (EA Games)

You were right. Anything to do with EA Games is a bad idea.

Re:Hate using my Email address as log in (2, Funny)

History's Coming To (1059484) | about 2 years ago | (#40997723)

They've got very good security - when I tried to contact them regarding something they refused to talk to me because I "gave the wrong date of birth". I used the Data Protection Act (UK) to get all the information they hold on me, and the date of birth was correct. So they wouldn't talk to me even though I had the right details, now that's what I call social engineering secure.

Re:Hate using my Email address as log in (2)

Trepidity (597) | about 2 years ago | (#40997327)

I agree, but I think they used it because it sweeps under the rug the other problem that usernames traditionally have, that people get frustrated that they can't find a username that's not taken. Your site can spend time building username-suggestion generators to try to help people find an unused one. But email addresses as usernames are guaranteed not to be taken by someone who can't access that email account. Also, it's one less thing the person has to make up on the spot, which means one less potential barrier to them bothering to register.

Re:Hate using my Email address as log in (1)

jeffmeden (135043) | about 2 years ago | (#40997371)

Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

What is needed is a check process during setup of the new account, wherein the server will attempt to log into the appropriate site (Yahoo, Gmail, or whatever) with the same password. If it succeeds, a message appears chiding the user for being such a dolt. It would take some work to have a flexible and comprehensive list of such check procedures for different email services (a list of valid pop3 servers, web site login pages, etc) but it would be worth it in the long run so that sites could advertise (and deliver) above-average account security. I smell a start-up.

Re:Hate using my Email address as log in (1)

icebraining (1313345) | about 2 years ago | (#40998105)

Of course, that's a crime in most jurisdictions, so any startup would get their website shut down and their asses in court.

Re:Hate using my Email address as log in (1)

jeffmeden (135043) | about 2 years ago | (#40998253)

Of course, that's a crime in most jurisdictions, so any startup would get their website shut down and their asses in court.

lolwat. Not familiar with Mint.com, are you? Just build the appropriate text into the EULA and the "Accept" checkbox before you do it and you are golden. You are doing it with the user's explicit permission.

Re:Hate using my Email address as log in (0)

Anonymous Coward | about 2 years ago | (#40999435)

Alas, with the current balance of power, the user's permission is absolutely irrelevant. The only permission that matters would be that of the operators of the target site.

Re:Hate using my Email address as log in (1)

PPH (736903) | about 2 years ago | (#40997541)

Some want your e-mail address. They send a verification URL to that account prior to activating it. To make sure that you are a real person and that you aren't signing up for GoatLovers.com in someone else's name.

Better designed sites will allow you to select an alternate ID and keep your e-mail (still required) private.

And then there are those who make their money mining e-mail addresses for spammers.

Re:Hate using my Email address as log in (4, Informative)

Leif_Bloomquist (311286) | about 2 years ago | (#40997613)

This is where services like Mailinator [mailinator.com] are invaluable. Just create a throwaway email address for each of all these stupid logins.

I take it a step further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com . This way, each login is unique *and* I can track who is giving out my email address as spam.

Yet the emails all go to one central inbox, so it's not inconvenient to get/search the confirmation messages.

Re:Hate using my Email address as log in (1)

element-o.p. (939033) | about 2 years ago | (#40998257)

Yep, I used to do the same thing. Unfortunately, I let my domain name expire a few years ago and haven't bothered to renew it, but it probably wouldn't be difficult to create a couple of Google/Yahoo/whatever throwaway addresses for login credentials and still have a separate e-mail address that you actually use to communicate with friends, peers, or other contacts.

Re:Hate using my Email address as log in (3, Insightful)

KhabaLox (1906148) | about 2 years ago | (#40998975)

You don't have to create extra email addresses with Gmail. You can use periods or '+' to create custom email addresses [blogspot.com] that still get delivered to your inbox. Then you can set up filters or rules to treat them accordingly. For example, you could sign up with a site with "yourname+sitename@gmail.com" and the email will go to "yourname@gmail.com". So you can track address leaks/sales, or auto-delete/auto-star/auto-file emails from certain sites.

Re:Hate using my Email address as log in (1)

element-o.p. (939033) | about 2 years ago | (#40999061)

Very cool -- I didn't know Google would let you do that. Thanks for sharing!

Re:Hate using my Email address as log in (4, Interesting)

Cormacus (976625) | about 2 years ago | (#40999141)

Unfortunately a lot of the same sites where you would want to use this kind of information gathering (adding the "+thisSite" to your email address) refuse to validate email addresses with the '+' character. I've run into this in more than a few places.

Re:Hate using my Email address as log in (1)

KhabaLox (1906148) | about 2 years ago | (#40999975)

You could add a dot/period before the last character of your user name and filter that way too, though it makes it more difficult to keep track of a wide variety of sites that way.

Re:Hate using my Email address as log in (0)

Anonymous Coward | about 2 years ago | (#40998723)

I wasn't familiar with Mailinator so I went to check it out. I cannot imagine how this would possibly be a useful service. Their website does not offer a lot of details on how this service works, but in essence, I make up a random_email_address@mailinator.com and then I go to their web page to check it. And if I don't read it in a day (or less) then it's deleted. They had POP3 signup, but it doesn't describe how all addresses you create would automatically go to that single POP email. I hope you're not suggesting I set up a new POP account in my email program every time I think up a new email address but if that's not the case then I don't get how this would work.

I'd rather just buy a domain name, park it, and then set the catch-all forward address to my real email. Then I really can make up any email address at that domain and other than paying a couple bucks a year for the domain, I know nothing gets lost (and more importantly) is not public and under my control.

Re:Hate using my Email address as log in (1)

flonker (526111) | about 2 years ago | (#41008363)

You're using it wrong. You want to download an attachment from some forum post, but the site only allows logged in users to download attachments. So, you register an account. You make up an email address@mailinator.com on the spot, and only check it after the sign up. (You check on the website itself, not via POP3.) You get the email to confirm your address, and click the link. Then you forget about the email address and never think about it again.

It is not intended for any site where you need security. Rather, it's intended for those millions of stupid accounts others expect you to create.

Re:Hate using my Email address as log in (1)

TCM (130219) | about 2 years ago | (#40998781)

Don't use sitename@... use sitename-$rnd@... with $rnd being 4+- random chars.

Makes guessing addresses harder in case some rogue forum admin tries to defame a competitor's forum or somesuch.

Re:Hate using my Email address as log in (2)

Bourdain (683477) | about 2 years ago | (#40999273)

I do the same thing (re: custom email addresses) though since I use gmail to manage the domain, I also use subdomains as well to sort them (i.e., in order of importance of general class of address)

note that the free gmail version using a "+" both exposes your address and doesn't work with a lot of sites whereas subdomains work just fine (if you host a domain w/gmail)

Re:Hate using my Email address as log in (2)

Eil (82413) | about 2 years ago | (#40999309)

I take it a step further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com

This is what I liked about using gmail: you can append a +whatever to the username part of the address to let you know when a company sells or misuses your address. The downside is that in 2012, a good 50% of websites still don't understand that "+" is a valid character in an email address.

When I set up my personal email server, I added this line to /etc/postfix/main.cf:

recipient_delimiter = .

Which does the same thing as the gmail "+" delimiter, but is accepted by every website I've come across. (Since firstname.lastname@example.com is a very common address format.)

Re:Hate using my Email address as log in (1)

Anonymous Coward | about 2 years ago | (#40997663)

This is why my EA Games login is steveb@microsoft.com

Re:Hate using my Email address as log in (0)

Anonymous Coward | about 2 years ago | (#40998341)

An approach I use is a real catchall email address (e.g. catchall@mydomain.com) and signing up for various website services with "fake" addresses (e.g. netflix@mydomain.com, twitter@mydomain.com, dropbox@mydomain.com) in addition to the commonly recommended strong independent password for each service. That severely limits the collateral damage that can be caused by a breach/database leak on any one of those services and limits most phishing attacks. Of course anyone who is actively targeting me won't be fooled but that's a whole different level. Plus I have the added advantage of seeing where my spam originates and easily identifying it if it passes through a filter - for example I know that an email trying to sell me DirecTV services that is addressed to slashdot@mydomain.com is probably bullshit, and someone probably scraped it from comments.
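Added example, not code from any of the commenters, tying together the per-site address scheme discussed in the replies above: Leif_Bloomquist's sitename@mydomain.com, TCM's random suffix so addresses can't be guessed, Eil's '.' recipient_delimiter for sites that reject '+', and the catch-all owner's attribution of spam to the site that leaked the address. The domain, secret and inbound messages are constructed. The tag is an HMAC of the site name rather than a stored random string so the owner can regenerate it without keeping a list; splitting at the first delimiter mirrors Gmail's '+' handling, and how a particular MTA splits is an assumption to check against its documentation.

```python
"""Per-site login addresses under one catch-all mailbox (added example, not
the commenters' code). Domain, secret and inbound messages are constructed."""
import hashlib
import hmac
from typing import Dict, List, Tuple

DOMAIN = "mydomain.example"   # constructed stand-in for the thread's mydomain.com
DELIMITER = "."               # per Eil: '.' passes the sites that reject '+'
SECRET = b"constructed-demo-secret-change-me"


def site_address(site: str, secret: bytes, mailbox: str = "login") -> str:
    """mailbox.site.tag@DOMAIN. The tag is a short HMAC of the site name, so it
    is unguessable to an outsider (TCM's sitename-$rnd idea) yet reproducible
    by the owner without keeping a list. Site names must not contain DELIMITER."""
    site = site.lower()
    tag = hmac.new(secret, site.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{mailbox}{DELIMITER}{site}{DELIMITER}{tag}@{DOMAIN}"


def split_recipient(address: str) -> Tuple[str, str, str]:
    """(mailbox, extension, domain). Splits at the first delimiter, as Gmail
    does with '+'; a Postfix recipient_delimiter split is assumed to match."""
    local, _, domain = address.lower().rpartition("@")
    mailbox, _, extension = local.partition(DELIMITER)
    return mailbox, extension, domain


def attribute(address: str, secret: bytes) -> Dict[str, object]:
    """Which site an inbound To: address was issued to, and whether its tag
    verifies. A guessed or altered sub-address fails verification."""
    mailbox, extension, domain = split_recipient(address)
    if domain != DOMAIN or not extension:
        return {"mailbox": mailbox, "site": None, "valid": False}
    site, _, _tag = extension.partition(DELIMITER)
    expected = site_address(site, secret, mailbox)
    return {"mailbox": mailbox, "site": site,
            "valid": hmac.compare_digest(expected, address.lower())}


def leak_report(inbound: List[Tuple[str, str]], secret: bytes) -> Dict[str, object]:
    """Over (to, sender) pairs: mail to a valid site address from a sender
    outside that site is evidence the address leaked; bad tags are forgeries."""
    leaks: Dict[str, List[str]] = {}
    forged: List[str] = []
    for to, sender in inbound:
        info = attribute(to, secret)
        if info["site"] is None:           # plain mailbox, nothing to attribute
            continue
        site = str(info["site"])
        if not info["valid"]:
            forged.append(to)
            continue
        sender_domain = sender.lower().rpartition("@")[2]
        if site not in sender_domain:
            leaks.setdefault(site, []).append(sender)
    return {"leaks": leaks, "forged": forged}


# Constructed inbound traffic: one legitimate, one leaked, one forged, one plain.
INBOUND = [
    (site_address("netflix", SECRET), "info@netflix.example"),
    (site_address("slashdot", SECRET), "deals@directv-promo.example"),
    ("login.slashdot.000000@mydomain.example", "x@spam.example"),
    ("login@mydomain.example", "friend@example.org"),
]

if __name__ == "__main__":
    print(leak_report(INBOUND, SECRET))
```

Run over the constructed traffic, the report attributes the DirecTV-style pitch to the slashdot address and flags the made-up tag as a forgery, while the plain mailbox and the mail from netflix itself produce nothing. The same split is what a filter rule would key on to file or discard mail per site.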

boring, I can do better (2)

vlm (69642) | about 2 years ago | (#40997013)

Starwood hotel chain... Dropbox accounts ...

Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

A much more entertaining social hack would be to sign up for "exotic" hard core pr0n services, then change the sock puppet account email address to these famous execs addresses, then "leak" to journalists. Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

Or how about signing up prominent Republicans (Even better, Democrats!) for Pravda and Russia Today and CPUSA type-of accounts.

Re:boring, I can do better (2)

OzPeter (195038) | about 2 years ago | (#40997689)

Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

NORML? How quaint. In this day and age of witch hunts I would have thought NAMBLA would be a better choice.

Re:boring, I can do better (2)

icebraining (1313345) | about 2 years ago | (#40998075)

Most websites nowadays require you to validate any email address, even if it wasn't the one you used when registering.

Re:boring, I can do better (1)

real gumby (11516) | about 2 years ago | (#41015769)

Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

Much more clever. More interesting (on a nerd basis, not the social basis) would be a covert channel constructed entirely of fake registration addresses.

Not surprising (1)

bsDaemon (87307) | about 2 years ago | (#40997033)

I don't think many people, if any, here should be surprised by this. However, if you really want to see just what the extent of OSINT that you can acquire on people starting with something as simple and common as an email address, check out Maltgeo (http://paterva.com/web5/). That thing is great for building OSINT-based profiles on individuals and organizations.

No matter how much we worship them... (0)

Anonymous Coward | about 2 years ago | (#40997137)

They're still normal old farts. My dad, 62, uses his corporate e-mail to register on every-fucking-thing he needs online.

First, they're busy men and need to keep everything in one place. Having one email account for registering on every site is pure madness.

Second, it's really hard for him to remember passwords. The fewer, the better. Even if he tries to use a bookmark/login/password manager, like Xmarks, he'll forget the master password to that. So he uses corporate e-mail, which uses the same password as his workstation.

Oh, and to avoid double posting, has anyone done some type of cross-check? Does Steve B. have an iTunes account? Does Cook use Hotmail?

Re:No matter how much we worship them... (1)

vlm (69642) | about 2 years ago | (#40997315)

Oh, and to avoid double posting, has anyone done some type of cross-check? Does Steve B. have an iTunes account? Does Cook use Hotmail?

Boring examples. Which upper level DEA executive leadership email accounts have NORML / 420 discussion site type of accounts? Which "family values" politicians have "frequent visitor" accounts at Nevada brothels (well, probably easier to ask which don't)?

Better question is if anyone is signing those email addresses up for those "services" right now. There should be a dirty tricks wiki out there with a list of fun places to give accounts to fun people.

Which "fun" account creation sites have poor input sanitation so an enterprising Bobby Tables could try to sign up *@fbi.gov and see if there are any accounts from that domain at all? You can probably Create-a-scandal (TM) just by proving there exists at least one on the job pr0n surfer at the us post office, or whatever.

Re:No matter how much we worship them... (1)

vlm (69642) | about 2 years ago | (#40997341)

could try to sign up *@fbi.gov

Good lord, it's early in the morning here. %@fbi.gov obviously.

Re:No matter how much we worship them... (1)

CastrTroy (595695) | about 2 years ago | (#41000887)

You could just go the extra mile and create a whole website that your target wouldn't want to be affiliated with. Then go create "accounts" for those people you are targeting.

Re:No matter how much we worship them... (0)

Anonymous Coward | about 2 years ago | (#40997349)

And tomorrow, when he's fired for using his work email as his private email, what will he do?

Wow amazing. (0)

Anonymous Coward | about 2 years ago | (#40997163)

Web designers make stupid decisions.

People make stupid decisions.

What a freaking surprise.

Security through obscurity doesn't work (1)

metrometro (1092237) | about 2 years ago | (#40997225)

If your service can be cracked using no other information than knowing that your target uses it, your security is not good.

That reminds me... (1)

Minwee (522556) | about 2 years ago | (#40997283)

It's time to sign up a few more fake accounts on random social networks and porn sites using the email addresses of famous people. We have to keep the writers at Wired employed somehow.

This time I think I will add "mhonan@gmail.com" to the mix...

Re:That reminds me... (1)

vlm (69642) | about 2 years ago | (#40997585)

using the email addresses of famous people

Don't forget their friends and family. Via the magic of social networking this is pretty trivial to figure out.

So... republican medium level state politician with enemies appears to have a wife who's got memberships on all the major abortion rights discussion websites. Insta-scandal! Or vice versa. You can play the race card, orientation card...

Hell, it might even be true without planting evidence... I remember some major federal level candidate a few years back who endlessly spouted off about his hatred of gays who had an out of the closet daughter. Finding this sort of family situation just got a whole lot simpler.

Use a virtual email address (2)

Hillgiant (916436) | about 2 years ago | (#40997403)

Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com. All the email still goes to MrBig@gmail.com, but tricks like the one in TFA do not work.

Re:Use a virtual email address (3, Informative)

Anonymous Coward | about 2 years ago | (#40998183)

+notation is not a virtual email address. It's good that gmail follows the RFC.

Re:Use a virtual email address (0)

Anonymous Coward | about 2 years ago | (#41002691)

they WROTE that RFC. qmail has been doing the same thing (with - instead of +) for decades.

Re:Use a virtual email address (2)

jader3rd (2222716) | about 2 years ago | (#40998563)

Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com.

Sadly, I've run into plenty of services which won't let me sign up because they claim that my email address contains invalid characters when my email address contains the '+' character.

Excellent, excellent. (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40997539)

If we all get to live in a banner-ad-riddled panopticon, it seems only fair that some of the same vulnerabilities should afflict the great and small alike.

Mat Honan (0)

Anonymous Coward | about 2 years ago | (#40997741)

I am getting so sick of hearing about this person. He got hacked, a bloo bloo, gonna write fifty articles for wired about it.

Many sites vulnerable to timing attacks (1)

defcon-11 (2181232) | about 2 years ago | (#40998887)

Even if they take steps to avoid exposing usernames, most sites are still vulnerable to timing attacks. Try logging in to a page repeatedly with a script. Most unprotected sites will take longer to return a response when the username is valid. When the username is not valid, the response returns immediately, while if the username is valid the system usually has to hash and compare the passwords, plus log data about login attempts.
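The early-return behaviour described in this comment, and the usual fix for it, as an added example that is not from the original thread or any real site: `login_leaky` skips the password hash for unknown users, while `login_constant_work` hashes against a dummy record so both paths cost the same. The user table, salts and `HASH_CALLS` counter are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # PBKDF2 work factor; deliberately slow, like a real password hash


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: username -> (salt, stored hash). Not real credentials.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record for unknown users: a random "hash" no password can match, used only
# so the unknown-user path performs the same expensive work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)

HASH_CALLS = {"count": 0}  # instrumentation so the difference can be checked without timing


def login_leaky(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False  # early return: unknown users are answered without hashing
    salt, stored = record
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(_hash(password, salt), stored)


def login_constant_work(username: str, password: str) -> bool:
    # Always hash, whether or not the user exists, so response time does not depend
    # on username validity. compare_digest avoids a byte-by-byte early exit as well.
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    HASH_CALLS["count"] += 1
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return matched and username in USERS


def average_seconds(login, username: str, password: str, rounds: int = 20) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        login(username, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = average_seconds(fn, "alice", "wrong password")
        unknown = average_seconds(fn, "nobody", "wrong password")
        print(f"{fn.__name__}: known user {known:.4f}s, unknown user {unknown:.4f}s")
```

Running the block prints the per-attempt latency for a known and an unknown username under each variant; the leaky one shows a clear gap, the constant-work one does not.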

One of the reasons I use leemail.me (0)

Anonymous Coward | about 2 years ago | (#40999243)

That's why I use https://leemail.me - It lets me create permanent emails for each site, and they can be anonymous too.
