Text 2012, 447 rader
Skriven 2005-01-17 09:33:22 av Rich (1:379/45)
Kommentar till text 2010 av Geo (1:379/45)
Ärende: Re: Usage history
=========================
From: "Rich" <@>
This is a multi-part message in MIME format.
------=_NextPart_000_0760_01C4FC77.967A6D10
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Only your ISP can track where you go and what you buy without the =
sites you buying from selling this info.
If you were not employed by your ISP you would have no idea whether =
or not they are tracking you.
Doesn't Amazon use an email address for sign-in? Do you create =
unique email addresses for all such sites?
Rich
"Geo" <georger@nls.net> wrote in message news:41eba0f1@w3.nls.net...
My ISP doesn't track dns requests or sniff traffic to see where people =
are going, granted some like AOL do keep stats but the ISP I use could = care
less. My browser cache and history are purged each time I end crazy = browser
as are my cookies. Like Ellen I use different usernames and = passwords at
sites like amazon, my bank, my credit card company, etc but = I use the same
username at sites I don't care about like the NYT site = and other stupid sites
that require a login for no apparent reason.
The last thing I want is some service that can track where I go and =
what I buy. I only accept this from my credit card company because I = have no
other choice.
Geo.
"Rich" <@> wrote in message news:41eaf6bc@w3.nls.net...
No true. There is plenty to betray you. Your ISP of course =
knows the sites you visit as does anyone that can see even the small = subset
of traffic for DNS resolution. Your browser's cache and history = also serve
this purpose. There are plenty more.
The attacker can also take a different approach that is likely =
more effective anyway. Pick a high value site and try the stolen IDs on =
them. Amazon may not use single sign-in but you don't care because it = does
not matter. Then try them again at Citibank. Then again at = whatever site
you want. This approach will have more value then trying = to sign in at
match.com using AOL's screenname service or Microsoft's = Passport, both of
which it supports.
Rich
"Geo" <georger@nls.net> wrote in message =
news:41ea4570@w3.nls.net...
the difference between single sign on and the practice of using =
the same username/password on multiple sites is that with the single = password
there is no function to betray the user. In other words there = is nothing but
the user to connect all those sites together. With the = single sign on, all
you need is a list of sites that uses that single = sign on service.
Geo.
"Rich" <@> wrote in message news:41e9f6c1@w3.nls.net...
There was an optional wallet service and you are right, this =
additional optional service could not be anonymous. You aren't = comparing
apples to apples if you include the people that made a choice = to use this.
Folks that wanted to be anonymous would not choose this.
Really, this argument is silly. I don't know you but too =
many people I know use the same password on the many sites that require = them
to register, whether they lie or not. Their intent is to have = something that
acts like single sign-in. Now I'm sure the people =
arguing against single sign-in here are not hypocrits and all use = distinct
unique usernames, email addresses, passwords, etc for each and = every account
they have. Don't you?
Rich
"Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in =
message news:ldqju0pdbclq8l54fbhi21220l86uibp28@4ax.com...
Well, if you only use Passport as a signin, yes. But there =
was a piece
to it where it would know your credit card information so when =
you used
it to log on to a site where you wanted to buy stuff you =
wouldn't have
to enter the credit card information. It would be impossible =
to use
that part and be anonymous.
On Mon, 10 Jan 2005 15:09:44 -0800, "Rich" <@> wrote in =
message
<41e30b2c@w3.nls.net>:
> I disagree. Passport is no less anonymous than other =
signin mechanisms. You are in control of the information you provide to =
create your signin. If you want to lie then lie.
>
>Rich
>
> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote =
in message news:c5h4u0p76hl80msc3pis0v1puf9k7erkpn@4ax.com...
> I think he wasn't addressing services claiming they don't =
disclose...
> his message gave examples of people trying to be =
anonymous... but
> someone trying to be anonymous wouldn't use Passport =
(unless they were
> REALLY stupid) so I'm not quite following the logic either.
>
> On Sun, 9 Jan 2005 10:04:25 -0800, "Rich" <@> wrote in =
message
> <41e1720a@w3.nls.net>:
>
> > The fragment you chose to quote is interesting. How =
many services claim that they do not disclose info as required by law?
> >
> > The rest is garbage.
> >
> >Rich
> >
> > "Mike N." <mike@u-spam-u-die.net> wrote in message =
news:e8b2u0hias1bdkdgbe34mf26snbcna0ov4@4ax.com...
> > On Sun, 9 Jan 2005 01:48:12 -0800, "Rich" <@> wrote:
> >
> > > If you mean to question what Passport is to Microsoft =
you should use Microsoft's claims about the service
> >
> > =
http://www.passport.net/Consumer/PrivacyPolicy.asp?lc=3D1033
> >
> > "NET Passport may disclose personal information if =
required to do so by law
> > or in the good-faith belief that such action is =
necessary to: (a) conform
> > to legal requirements or comply with legal process =
served on Microsoft;"
> >
> > This confirms the information I already had. A =
single signon is for
> > convenience, not security. Sure your ISP can see what =
you're doing. They
> > can initiate a wiretap when served by a subpoena. =
However there are many
> > people for which this won't suffice -
> > o terrorists who jump from Cafe to Cafe.
> > o commuters who use wireless internet services from =
Starbucks, at work,
> > airports, etc.
> > o Those who attempt to escape identity by wardriving =
from open wireless
> > to open wireless LAN.
> > Investigators would need to obtain subpoenas from =
thousands of ISPs to
> > cover all activities of a person. Alternatively, =
assuming that .NET is in
> > widespread use, they would just need to subpoena =
Microsoft to get a
> > complete profile of sites where a signon was used, and =
the IP
> > address/date/time they were accessed from.
> >
> > It still appears that if anyone gets your passport =
login, they can
> > assume your signon, just as if they are you.
------=_NextPart_000_0760_01C4FC77.967A6D10
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.3790.1289" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2> Only your ISP can track =
where you go=20
and what you buy without the sites you buying from selling=20
this info.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> If you were not employed =
by your ISP=20
you would have no idea whether or not they are tracking = you.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> Doesn't Amazon use an =
email address=20
for sign-in? Do you create unique email addresses for all such=20
sites?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rich</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Geo" <<A =
href=3D"mailto:georger@nls.net">georger@nls.net</A>> wrote=20
in message <A=20
=
href=3D"news:41eba0f1@w3.nls.net">news:41eba0f1@w3.nls.net</A>...</DIV>
<DIV><FONT face=3DArial size=3D2>My ISP doesn't track dns requests or =
sniff=20
traffic to see where people are going, granted some like AOL do keep =
stats but=20
the ISP I use could care less. My browser cache and history are purged =
each=20
time I end crazy browser as are my cookies. Like Ellen I use different =
usernames and passwords at sites like amazon, my bank, my credit card =
company,=20
etc but I use the same username at sites I don't care about like the =
NYT site=20
and other stupid sites that require a login for no apparent=20
reason.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>The last thing I want is some service =
that can=20
track where I go and what I buy. I only accept this from my credit =
card=20
company because I have no other choice.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Geo.</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Rich" <@> wrote in message <A=20
=
href=3D"news:41eaf6bc@w3.nls.net">news:41eaf6bc@w3.nls.net</A>...</DIV>
<DIV><FONT face=3DArial size=3D2> No true. There =
is plenty to=20
betray you. Your ISP of course knows the sites you visit as =
does=20
anyone that can see even the small subset of traffic for DNS=20
resolution. Your browser's cache and history also serve this=20
purpose. There are plenty more.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> The attacker can also =
take a=20
different approach that is likely more effective anyway. Pick =
a high=20
value site and try the stolen IDs on them. Amazon may not use =
single=20
sign-in but you don't care because it does not matter. Then =
try them=20
again at Citibank. Then again at whatever site you want. This =
approach=20
will have more value then trying to sign in at match.com using AOL's =
screenname service or Microsoft's Passport, both of which it=20
supports.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rich</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Geo" <<A =
href=3D"mailto:georger@nls.net">georger@nls.net</A>>=20
wrote in message <A=20
=
href=3D"news:41ea4570@w3.nls.net">news:41ea4570@w3.nls.net</A>...</DIV>
<DIV><FONT face=3DArial size=3D2>the difference between single =
sign on and the=20
practice of using the same username/password on multiple sites is =
that=20
with the single password there is no function to betray the user. =
In other=20
words there is nothing but the user to connect all those sites =
together.=20
With the single sign on, all you need is a list of sites that uses =
that=20
single sign on service.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Geo.</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Rich" <@> wrote in message <A=20
=
href=3D"news:41e9f6c1@w3.nls.net">news:41e9f6c1@w3.nls.net</A>...</DIV>
<DIV><FONT face=3DArial size=3D2> There was an =
optional wallet=20
service and you are right, this additional optional service =
could not be=20
anonymous. You aren't comparing apples to apples if you =
include=20
the people that made a choice to use this. Folks that =
wanted to be=20
anonymous would not choose this.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> Really, this =
argument is=20
silly. I don't know you but too many people I know use the =
same=20
password on the many sites that require them to register, =
whether they=20
lie or not. Their intent is to have something that acts =
like=20
single sign-in. Now I'm sure the people arguing =
against=20
single sign-in here are not hypocrits and all use distinct =
unique=20
usernames, email addresses, passwords, etc for each and every =
account=20
they have. Don't you?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rich</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<BLOCKQUOTE=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: =
5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Ellen K." <<A=20
=
href=3D"mailto:72322.enno.esspeayem.1016@compuserve.com">72322.enno.esspe=
ayem.1016@compuserve.com</A>>=20
wrote in message <A=20
=
href=3D"news:ldqju0pdbclq8l54fbhi21220l86uibp28@4ax.com">news:ldqju0pdbcl=
q8l54fbhi21220l86uibp28@4ax.com</A>...</DIV>Well,=20
if you only use Passport as a signin, yes. But there was =
a=20
piece<BR>to it where it would know your credit card =
information so=20
when you used<BR>it to log on to a site where you wanted to =
buy stuff=20
you wouldn't have<BR>to enter the credit card =
information. =20
It would be impossible to use<BR>that part and be =
anonymous.<BR><BR>On=20
Mon, 10 Jan 2005 15:09:44 -0800, "Rich" <@> wrote in=20
message<BR><<A=20
=
href=3D"mailto:41e30b2c@w3.nls.net">41e30b2c@w3.nls.net</A>>:<BR><BR>&=
gt; =20
I disagree. Passport is no less anonymous than other =
signin=20
mechanisms. You are in control of the information you =
provide to=20
create your signin. If you want to lie then=20
lie.<BR>><BR>>Rich<BR>><BR>> "Ellen K." =
<<A=20
=
href=3D"mailto:72322.enno.esspeayem.1016@compuserve.com">72322.enno.esspe=
ayem.1016@compuserve.com</A>>=20
wrote in message <A=20
=
href=3D"news:c5h4u0p76hl80msc3pis0v1puf9k7erkpn@4ax.com">news:c5h4u0p76hl=
80msc3pis0v1puf9k7erkpn@4ax.com</A>...<BR>> =20
I think he wasn't addressing services claiming they don't=20
disclose...<BR>> his message gave examples of people =
trying=20
to be anonymous... but<BR>> someone trying to be =
anonymous=20
wouldn't use Passport (unless they were<BR>> REALLY =
stupid)=20
so I'm not quite following the logic =
either.<BR>><BR>> On=20
Sun, 9 Jan 2005 10:04:25 -0800, "Rich" <@> wrote in=20
message<BR>> <<A=20
=
href=3D"mailto:41e1720a@w3.nls.net">41e1720a@w3.nls.net</A>>:<BR>><=
BR>> =20
> The fragment you chose to quote is =
interesting. =20
How many services claim that they do not disclose info as =
required by=20
law?<BR>> ><BR>> > The =
rest is=20
garbage.<BR>> ><BR>> =
>Rich<BR>> =20
><BR>> > "Mike N." <<A=20
=
href=3D"mailto:mike@u-spam-u-die.net">mike@u-spam-u-die.net</A>>=20
wrote in message <A=20
=
href=3D"news:e8b2u0hias1bdkdgbe34mf26snbcna0ov4@4ax.com">news:e8b2u0hias1=
bdkdgbe34mf26snbcna0ov4@4ax.com</A>...<BR>> =20
> On Sun, 9 Jan 2005 01:48:12 -0800, "Rich" <@> =
wrote:<BR>> ><BR>> > > If you =
mean to=20
question what Passport is to Microsoft you should use =
Microsoft's=20
claims about the service<BR>> ><BR>> =
> =20
<A=20
=
href=3D"http://www.passport.net/Consumer/PrivacyPolicy.asp?lc=3D1033">htt=
p://www.passport.net/Consumer/PrivacyPolicy.asp?lc=3D1033</A><BR>>&nbs=
p;=20
><BR>> > "NET Passport may disclose =
personal=20
information if required to do so by law<BR>> =
> or in=20
the good-faith belief that such action is necessary to: (a)=20
conform<BR>> > to legal requirements or =
comply with=20
legal process served on Microsoft;"<BR>> =
><BR>> =20
> This confirms the information I =
already=20
had. A single signon is for<BR>> > =20
convenience, not security. Sure your ISP can see what =
you're=20
doing. They<BR>> > can initiate a =
wiretap when=20
served by a subpoena. However there are =
many<BR>> =20
> people for which this won't suffice -<BR>> =
> o terrorists who jump from Cafe =
to=20
Cafe.<BR>> > o commuters =
who use=20
wireless internet services from Starbucks, at =
work,<BR>> =20
> airports, etc.<BR>> > =
o Those=20
who attempt to escape identity by wardriving from open=20
wireless<BR>> > to open wireless =
LAN.<BR>> =20
> Investigators would need to =
obtain=20
subpoenas from thousands of ISPs to<BR>> > =
cover all=20
activities of a person. Alternatively, assuming =
that .NET=20
is in<BR>> > widespread use, they would just =
need to=20
subpoena Microsoft to get a<BR>> > complete =
profile=20
of sites where a signon was used, and the IP<BR>> =
> =20
address/date/time they were accessed from.<BR>> =20
><BR>> > It still =
appears that=20
if anyone gets your passport login, they =
can<BR>> =20
> assume your signon, just as if they are=20
=
you.<BR></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE>=
</BODY></HTML>
------=_NextPart_000_0760_01C4FC77.967A6D10--
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
|