Illegal use of data from ProZ.com profile
Thread poster: RoxanaTrad (X)
Neil Coffey
Neil Coffey  Identity Verified
United Kingdom
Local time: 10:19
French to English
+ ...
Password confirmation sent over non-encrypted connection Jul 23, 2009

Henry/Jason--

Something to bear in mind if you're looking at the password system at the moment.

Henry/Jason--

Something to bear in mind if you're looking at the password system at the moment.

It seems that when you change your password, you're sent a link via e-mail to confirm the change. When you click on that link, your user name and password are then displayed in a non-encrypted web page. Is there really any need for this? Could it not just say "thank you for changing your password" without actually sending your user name and password over a non-encrypted connection for all to sniff?

Neil
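The defect Neil describes has two parts: the confirmation page is served without encryption, and it repeats the user name and password in its body. As an added illustration (not ProZ.com's code; the host name, the in-memory stores and the PBKDF2 hasher are assumptions standing in for a real site's stack), the handler below shows the shape of a confirmation endpoint that refuses plain HTTP, treats the e-mailed token as single-use, stores only a password hash so the plaintext cannot be echoed later, and answers with nothing more than an acknowledgement. The `leaks_credentials` function is the kind of regression check a reviewer would run against such a page.

```python
"""Password-change confirmation that enforces HTTPS and never echoes credentials.
Added example; not ProZ.com's code. All names and stores are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory state standing in for the site's database (assumption).
PENDING: Dict[str, Tuple[str, str]] = {}   # token -> (username, new password hash)
USERS: Dict[str, str] = {}                 # username -> current password hash
SITE_HOST = "example.invalid"              # placeholder host, not the real site


def hash_password(password: str, username: str) -> str:
    """PBKDF2 stands in for whatever hasher a site uses (assumption). Only the
    hash is kept, so a later page cannot display the plaintext password at all."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.encode(), 100_000
    ).hex()


def request_change(username: str, new_password: str) -> str:
    """Record a pending change and return the one-time token for the e-mailed link."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = (username, hash_password(new_password, username))
    return token


def confirm(token: str, scheme: str, path: str) -> Tuple[int, Dict[str, str], str]:
    """Confirmation handler, returning (status, headers, body) like a minimal WSGI app."""
    # 1. Never serve the confirmation over plain HTTP: send the browser to HTTPS.
    if scheme != "https":
        return 301, {"Location": f"https://{SITE_HOST}{path}"}, ""
    # 2. The token is single-use; compare in constant time against stored tokens.
    match = next((t for t in PENDING if hmac.compare_digest(t, token)), None)
    if match is None:
        return 400, {"Content-Type": "text/plain"}, \
            "This confirmation link is invalid or has already been used."
    username, pw_hash = PENDING.pop(match)
    USERS[username] = pw_hash
    # 3. The page acknowledges the change and nothing else: no user name, no password.
    return 200, {"Content-Type": "text/plain"}, \
        "Thank you for confirming your password change."


def leaks_credentials(body: str, username: str, password: str) -> bool:
    """Regression check: does a response body contain either credential?"""
    return username in body or password in body


def demo() -> Dict[str, object]:
    """Walk through the flow with a constructed user and return what each step produced."""
    username, password = "alice", "correct horse battery staple"   # constructed sample
    token = request_change(username, password)
    path = f"/confirm?token={token}"
    over_http = confirm(token, "http", path)      # redirected, token still unused
    over_https = confirm(token, "https", path)    # change applied, plain acknowledgement
    replayed = confirm(token, "https", path)      # second use of the same link is refused
    return {
        "http_status": over_http[0],
        "http_location": over_http[1].get("Location"),
        "https_status": over_https[0],
        "leaks": leaks_credentials(over_https[2], username, password),
        "replay_status": replayed[0],
        "stored_hash_matches": hmac.compare_digest(
            USERS[username], hash_password(password, username)
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The redirect happens before the token is consumed, so a user who clicks the plain-HTTP link from their mail client still lands on a working HTTPS page; the token itself is in the URL either way, which is why it must be single-use and short-lived rather than a credential in its own right.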


 
Uldis Liepkalns
Uldis Liepkalns  Identity Verified
Latvia
Local time: 12:19
Member (2003)
English to Latvian
+ ...
Let's not fall into paranoia Jul 23, 2009

I've been on the Internet since it appeared in our country, that is about 18 years, and in all this time I have had no reason to think that my email was hacked even once. Much more important is to protect your computer from hacking, but that is in your own hands and no 3rd party can help you there (except by selling you software for the purpose).

Uldis

Neil Coffey wrote:

Henry/Jason--

Something to bear in mind if you're looking at the password system at the moment.

It seems that when you change your password, you're sent a link via e-mail to confirm the change. When you click on that link, your user name and password are then displayed in a non-encrypted web page. Is there really any need for this? Could it not just say "thank you for changing your password" without actually sending your user name and password over a non-encrypted connection for all to sniff?

Neil


 
Henry Dotterer
Henry Dotterer
Local time: 05:19
SITE FOUNDER
Right, Neil Jul 24, 2009

Neil Coffey wrote:
Something to bear in mind if you're looking at the password system at the moment.

It seems that when you change your password, you're sent a link via e-mail to confirm the change. When you click on that link, your user name and password are then displayed in a non-encrypted web page. Is there really any need for this? Could it not just say "thank you for changing your password" without actually sending your user name and password over a non-encrypted connection for all to sniff?

Yeah, it is on the todo list. Thanks.


 
Neil Coffey
Neil Coffey  Identity Verified
United Kingdom
Local time: 10:19
French to English
+ ...
Didn't want to suggest TOO MUCH paranoia Jul 24, 2009

Uldis-- I agree that too much paranoia is not helpful. But a tiny bit is useful.

Uldis-- I agree that too much paranoia is not helpful. But a tiny bit is useful.

The networks we use are inherently insecure, be it because of network traffic sniffed by the criminally run Internet cafe you used last week, the rogue IT officer running your campus network, or a rogue AT&T employee with access to network routers (bearing in mind every packet you send down the network probably passes through 20 or 30 of these to reach its destination, and in a day your traffic probably goes through hundreds of them-- it only takes ONE of those to have been hacked...). The rogues in question are probably looking for credit card numbers or access to politicians' e-mail accounts rather than ProZ logins. So there's definitely no need to panic.

But on the other hand, if it takes a five minute code change to remove a vulnerability, why not remove it?

P.S. Don't base your security assumptions on the Internet of 18 years ago. In those days, the entire Internet population consisted of a bearded physicist in Switzerland and a Dachshund called Collin, and on average, a greater proportion of the network traversed by the average user's data was "trusted" (or at least, "semi-trusted"). The threats are somewhat more numerous nowadays...


 
Viktoria Gimbe
Viktoria Gimbe  Identity Verified
Canada
Local time: 05:19
English to French
+ ...
You are better off that way Jul 24, 2009

Narasimhan Raghavan wrote:

Nobody seems to love me then.

Boy, would I love to be walking in your shoes right now!


 
Anne-Marie Grant (X)
Anne-Marie Grant (X)  Identity Verified
Local time: 10:19
French to English
+ ...
I am pleased that the breach has been identified and corrected Jul 24, 2009

but am concerned that a site user is having to advise management about how to keep our data secure. I second the calls for a public announcement and apology.

 
Angela Dickson (X)
Angela Dickson (X)  Identity Verified
United Kingdom
Local time: 10:19
French to English
+ ...
Me too Jul 24, 2009

I've just returned from holiday and found that this has all blown up in my absence, and that some of my data has also been purloined (minimal amounts in my case, and nothing that can't be seen openly here).

I'd support action by Proz to force removal of profiles en masse and/or legal action, mostly because I don't have time to chase this.


 
Maria Elena Martinez
Maria Elena Martinez  Identity Verified
Netherlands
Local time: 11:19
Member
English to Spanish
+ ...
I've just discovered I'm also there Jul 24, 2009

I've just discovered I'm also there. After reading all this thread, I went to the site; I don't appear when searching by my name or surname, but I do appear with my user name at Proz.
Now, should I try to remove that fake profile myself, or better wait to see if Proz can do it for us all?


 
Kevin Lossner
Kevin Lossner  Identity Verified
Portugal
Local time: 10:19
German to English
+ ...
Words are optional, actions mandatory Jul 24, 2009

Anne-Marie Grant wrote:
I second the calls for a public announcement and apology.


I had actually understood one of Henry's posts as more than sufficient for an apology. I don't need sackcloth and ashes - I need information and better security, and it looks like we're a little further down that path now. A public announcement would be useful to the extent that it informs users how to take advantage of improved security measures and of what steps are being taken to pursue the culprits.

I think the incident was handled rather well on the whole after some initial delays in which I presume staff were getting oriented. They were a bit slow to acknowledge that it wasn't just a matter of crawling publicly visible content, but it usually does take a while to get facts sorted out.

I'm sure that incidents like this will recur; this is the second one I can remember, though the last incident was (I think) stolen data that were publicly visible, and the ProZ response was quite adequate then too.

I do appreciate the current effort to improve security by developing a longer password option. Like many things, though, our benefit will depend on getting off our behinds and making use of the feature.


 
Textklick
Textklick  Identity Verified
Local time: 10:19
German to English
+ ...
In memoriam
Well handled Jul 25, 2009

Kevin Lossner wrote:

I think the incident was handled rather well on the whole after some initial delays in which I presume staff were getting oriented. They were a bit slow to acknowledge that it wasn't just a matter of crawling publicly visible content, but it usually does take a while to get facts sorted out.

I'm sure that incidents like this will recur; this is the second one I can remember, though the last incident was (I think) stolen data that were publicly visible, and the ProZ response was quite adequate then too.

I do appreciate the current effort to improve security by developing a longer password option. Like many things, though, our benefit will depend on getting off our behinds and making use of the feature.


I'm with Kevin on this. As Henry pointed out, the reason for our being here is to be in the public domain, which we all know bristles with e-nasties, e-crooks and where s**t happens.

A rational and well thought-through solution is infinitely preferable to panic measures IMO.

I also think that Neil Coffey deserves a round of applause
for his useful contributions both here and on 'Don Vito's' thread: http://xrl.us/be5ua5

Neil's allusion to early web users was at least a brief pearl of humour amidst all the howling, justifiable though some of that may have been.

Cheers,
Chris


 
Viktoria Gimbe
Viktoria Gimbe  Identity Verified
Canada
Local time: 05:19
English to French
+ ...
Can we have a report, please? Jul 28, 2009

As of right now, "my" account is still showing on that site. I believe Henry said that ProZ communicated last week with the site in question to request removal of all content "borrowed" from ProZ. I would like to know what's up with that.

Did you get a reply? Did you get any information? Are you even in touch with those people?


 
Viktoria Gimbe
Viktoria Gimbe  Identity Verified
Canada
Local time: 05:19
English to French
+ ...
Filing a complaint in Canada Jul 28, 2009

I just called the Royal Canadian Mounted Police, who have taken a report of what happened in my case. I also made them aware that it seems that virtually all ProZ users have fallen victim to this identity theft, among them many Canadians.

I just called the Royal Canadian Mounted Police, who have taken a report of what happened in my case. I also made them aware that it seems that virtually all ProZ users have fallen victim to this identity theft, among them many Canadians.

The RCMP has informed me that they do in fact handle cases like this one and that any person whose identity was stolen by the site in question should contact them. The woman on the phone said "the more, the merrier"--she seemed to imply that the more people file a complaint, the higher the case is placed on their list of priorities.

My file number with them is PQ90700545. The RCMP says that it may be a good idea to mention this file number when you call them so that they can group together all complaints related to my case.

To find the phone number to call the RCMP, please visit this page: http://www.rcmp-grc.gc.ca/detach/index-eng.htm

Please, do not write them an e-mail--they do not take complaints by e-mail.

[Edited at 2009-07-28 04:13 GMT]


 
Aniello Scognamiglio (X)
Aniello Scognamiglio (X)  Identity Verified
Germany
Local time: 11:19
English to German
+ ...
Yes, can we have a report, please? Jul 28, 2009

ViktoriaG wrote:

As of right now, "my" account is still showing on that site. I believe Henry said that ProZ communicated last week with the site in question to request removal of all content "borrowed" from ProZ. I would like to know what's up with that.

Did you get a reply? Did you get any information? Are you even in touch with those people?


Thanks, Viktoria!

Unfortunately, "my" account (I did not create it, I didn't register with "that" company) is still showing on "that" site, too, although I asked for removal 9 days ago.

@ProZ staff: Did you get a reply? Did you get any information?

Thanks for updating us!
Aniello


 
Michele Johnson
Michele Johnson  Identity Verified
Germany
Local time: 11:19
German to English
+ ...
Elance dealing with this much more professionally Jul 28, 2009

It's interesting to compare the response of proz.com and elance (about half the size of proz.com, if my research is correct) to the security breach. At proz.com, the issue has been addressed in a forum, but there certainly has not been email communication with affected parties (IMO every single user of the site), no password changes have been forced as of yet, there is no indication of communication with industry watchdogs, no mention of working with 3rd party auditors, no mention of working with law enforcement, no security alert, and everyone is still pretty much up in the air as to whether this has been resolved. I can see how some people think this is not being handled seriously or professionally.

In comparison, this is the kind of security alert I would have expected to see in a very public place at proz.com by now:

http://www.elance.com/p/trust/account_security.html
What is Elance doing about it?
We have taken a ‘drop-everything’ approach to this security breach in an effort to react as swiftly and decisively as possible. Here’s what we’ve done so far:

* Openly communicated with all affected parties via email, the Elance blog, our Twitter feed, and via our Trust & Safety center on Elance.com to alert all parties of the security breach
* Strengthened our password requirements and forced password changes to ensure that all Elance users have their accounts protected by “strong” passwords
* Communicated openly with TRUSTe who act as an industry watch-dog for security breaches online to validate our response to this
* Closed the recently identified security hole by releasing updated code on Elance
* Collaborated with our 3rd party security audit service to ensure that they now can identify this particular security hole in all cases
* Worked with authorities to take down sites that are unlawfully exposing any user information


 
Sophie Dzhygir
Sophie Dzhygir  Identity Verified
France
Local time: 11:19
German to French
+ ...
Public announcement or general mailing Jul 28, 2009

Henry D wrote:

As I wrote, "We have begun efforts with relevant parties -- including outsourcingroom.com directly -- to have the unauthorized publishing of the data stopped." and "I will be sending notification by email soon to those who may have been affected."
Hi Henry,

May I request that you inform all the people registered on ProZ and not only the ones you know are having trouble? Be it by a general announcement on the homepage or by an e-mail sent to all people registered...

I hardly ever read this part of the forums (for sure I am not the only one, many people don't read the forums at all) and thus, I heard of that problem only today. And my data has been stolen from that site too. It means I'm involved, although I never knew I was. And so are probably thousands of ProZ users. I think they all have a right to know what's going on with their data. Please note that I agree with Kevin that we don't need sackcloth and ashes, we just need information.

Thanks in advance!


 