Just got propositioned by a logos forum user...


Posts 8893
fgh | Forum Activity | Replied: Thu, Dec 2 2010 10:50 AM

tom collinge:
And this issue is why I do not want any of my personal data (notes, prayers,...) in L4 to also be in the cloud.  Our data will be hacked (it is not a question of if, but when).  And this is why I would like a setting in L4 that allows us to have the option of letting us decide what L4 information can be sent to L4's cloud.

...

"The Christian way of life isn't so much an assignment to be performed, as a gift to be received."  Wilfrid Stinissen

Mac Pro OS 10.9.

Posts 3163
Dominick Sela | Forum Activity | Replied: Thu, Dec 2 2010 11:09 AM

Phil Gons:

There was no breach of security. Your credit card info is safe.

There was a bug in the code in the forum software that used your email address in the RSS feed. It was hidden in the source code, so it's gone unnoticed until now. We've fixed it, but there's no way to retract the feeds once they've been fetched. So you may continue to get some SPAM on your forums email address.

We're very sorry for this inconvenience.


Ah - thanks for the explanation Phil. If I understand this correctly, this answers the question why some forum users got the spam and others didn't.  I bet those who subscribe to one or more forums (I do), i.e. the web site RSS feed delivers emails to you, got the spam, and those that just read the forum messages directly on the web site via their browser, did not. Correct?

Posts 2744
Bohuslav Wojnar | Forum Activity | Replied: Thu, Dec 2 2010 11:20 AM

Dominick Sela:
Ah - thanks for the explanation Phil. If I understand this correctly, this answers the question why some forum users got the spam and others didn't.  I bet those who subscribe to one or more forums (I do), i.e. the web site RSS feed delivers emails to you, got the spam, and those that just read the forum messages directly on the web site via their browser, did not. Correct?

Looks like you are right, Dominick. I read forums only on the Internet and haven't got the SPAM. I used to be on the old newsgroups.

Bohuslav

Posts 9226
Forum MVP
Mark Smith | Forum Activity | Replied: Thu, Dec 2 2010 11:43 AM

Bohuslav Wojnar:
I read forums only on the Internet and haven't got the SPAM.

Ditto.

One suggestion to those who've been compromised: strengthen your email server password if it would be easy to hack or guess. Your account could get used by other spammers if they can use your email address and you have a simple password (1-2-3-4 ala Space Balls). Won't be a concern for all but might be for some.

Pastor, North Park Baptist Church

Bridgeport, CT USA

Posts 18886
Rosie Perera | Forum Activity | Replied: Thu, Dec 2 2010 11:48 AM

Phil Gons:

There was no breach of security. Your credit card info is safe.

There was a bug in the code in the forum software that used your email address in the RSS feed. It was hidden in the source code, so it's gone unnoticed until now. We've fixed it, but there's no way to retract the feeds once they've been fetched. So you may continue to get some SPAM on your forums email address.

Thank you, Phil! Two hour turnaround on solving that problem! Wow! And I'm glad it was not as serious as we were speculating.

Dominick Sela:

Ah - thanks for the explanation Phil. If I understand this correctly, this answers the question why some forum users got the spam and others didn't.  I bet those who subscribe to one or more forums (I do), i.e. the web site RSS feed delivers emails to you, got the spam, and those that just read the forum messages directly on the web site via their browser, did not. Correct?

I subscribe to the RSS feed. But I doubt it has to do with who has subscribed, rather who has posted (as their email addresses would have come out in that feed). Maybe the spammers just scoured one of the forums for email addresses so the spam only went to people who ever posted on that forum.

This is precisely why I create separate email addresses for different online uses, which all forward to my main one. If the spammers sell my Logos email address and I start getting lots of spam on it from all over, I can just create a new one, change my address on my forum profile, and delete the old email address.

Posts 2744
Bohuslav Wojnar | Forum Activity | Replied: Thu, Dec 2 2010 12:31 PM

Rosie Perera:
This is precisely why I create separate email addresses for different online uses, which all forward to my main one. If the spammers sell my Logos email address and I start getting lots of spam on it from all over, I can just create a new one, change my address on my forum profile, and delete the old email address.

I might consider doing it that way also. I have many addresses but for Logos I use my main one. Thanks for your advice. However, changing the email address as your Logos ID is a pain. It messed up some things like forum posts counts etc.

Bohuslav

Posts 3701
BillS | Forum Activity | Replied: Thu, Dec 2 2010 12:40 PM

Rosie Perera:

This is precisely why I create separate email addresses for different online uses, which all forward to my main one. If the spammers sell my Logos email address and I start getting lots of spam on it from all over, I can just create a new one, change my address on my forum profile, and delete the old email address.

Same here, though I don't bother to forward them to my main one... I just make the other email addresses part of a set of web pages that are my home page.

Grace & Peace,
Bill


MSI GF63 8RD, I-7 8850H, 32GB RAM, 1TB SSD, 2TB HDD, NVIDIA GTX 1050Max
Samsung S9+, 64GB
Fire 10HD 64GB 7th Gen

Posts 3163
Dominick Sela | Forum Activity | Replied: Thu, Dec 2 2010 1:01 PM

Rosie Perera:

I subscribe to the RSS feed. But I doubt it has to do with who has subscribed, rather who has posted (as their email addresses would have come out in that feed). Maybe the spammers just scoured one of the forums for email addresses so the spam only went to people who ever posted on that forum.

I don't think so, Rosie.  The RSS feed is one way - Logos to us.  That's what the subscription uses.  So the security hole was that our email address was in the message sent to us through their RSS feed.  That's my understanding...

Posts 1141
Juanita | Forum Activity | Replied: Thu, Dec 2 2010 1:23 PM

Dominick Sela:

Rosie Perera:

I subscribe to the RSS feed. But I doubt it has to do with who has subscribed, rather who has posted (as their email addresses would have come out in that feed). Maybe the spammers just scoured one of the forums for email addresses so the spam only went to people who ever posted on that forum.


I don't think so, Rosie.  The RSS feed is one way - Logos to us.  That's what the subscription uses.  So the security hole was that our email address was in the message sent to us through their RSS feed.  That's my understanding...

FWIW, I am not subscribed to any RSS feed--that I know of-- and I got the email.


Posts 5573
Forum MVP
Rich DeRuiter | Forum Activity | Replied: Thu, Dec 2 2010 1:33 PM

Joan Korte:
FWIW, I am not subscribed to any RSS feed--that I know of-- and I got the email.

I am not subscribed to any forum RSS feeds either, though I may have tried it briefly a long time ago (would that be enough?).

 Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

Posts 397
T Gerold Castle | Forum Activity | Replied: Thu, Dec 2 2010 1:49 PM

Joan Korte:

FWIW, I am not subscribed to any RSS feed--that I know of-- and I got the email.


I am not subscribed to ANY RSS feed. I also got the email.


In HIS Eternal Service,
Tom Castle
**If we will do God's work, in God's way, at God's time, with God's power, we shall have God's blessings!!**

Posts 13399
Mark Barnes | Forum Activity | Replied: Thu, Dec 2 2010 1:58 PM

It's not about what feeds you're subscribed to. Logos publishes four feeds for every user, our announcements, comments, activities, and our friends' activities. As the forum is public, the feeds are too - they're supposed to pull together information that we post publicly, but obviously in this case they also published private data - our email address.

I don't know whether to be pleased that at least the database wasn't hacked so no other data was at risk, or disappointed that such a simple privacy breach occurred.

Posts 18886
Rosie Perera | Forum Activity | Replied: Thu, Dec 2 2010 2:05 PM

Dominick Sela:

Rosie Perera:

I subscribe to the RSS feed. But I doubt it has to do with who has subscribed, rather who has posted (as their email addresses would have come out in that feed). Maybe the spammers just scoured one of the forums for email addresses so the spam only went to people who ever posted on that forum.

I don't think so, Rosie.  The RSS feed is one way - Logos to us.  That's what the subscription uses.  So the security hole was that our email address was in the message sent to us through their RSS feed.  That's my understanding...

Yes, but one of the things they post to us via one of their RSS feeds is stuff that users have posted on the forums. It isn't supposed to include the posters' email addresses, but due to a bug, it was. So all the spammer had to do to collect a bunch of email addresses was subscribe to the RSS feed for forum posts for a while. Blecchh! I'm hoping it was just a one-time thing and they don't sell our email addresses off to other spammers.

Indeed it would be a pain to change my email address for Logos. Besides, I like what it is now. Easy for me to remember. I don't want to have to append a 2 to it. But that's what I'll do if I have to.

Posts 5573
Forum MVP
Rich DeRuiter | Forum Activity | Replied: Thu, Dec 2 2010 2:07 PM

Mark Barnes:
I don't know whether to be pleased that at least the database wasn't hacked so no other data was at risk, or disappointed that such a simple privacy breach occurred.

In a situation where there are probably close to a hundred places where my personal information is probably stored at Logos in databases, forums, RSS feeds (a few blogs I subscribe to), emails they send out, plus the web site, I'm glad they focus their attention on the big stuff, even if they missed one minor thing. If you're going to get a security breach, it might as well be a relatively harmless one that puts you back on your toes and makes you look at everything anew.

At least I expect that there were some interesting conversations in Bellingham this morning, and quite a few nervous web developers double-checking their security protocols. Overall, that's a good thing -- even if we never hear about the near miss that may have been averted because someone did a double-check and found a 'minor' security issue and fixed it (of course, I just made that part up - for dramatic effect).

 Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

Posts 5615
Todd Phillips | Forum Activity | Replied: Thu, Dec 2 2010 2:11 PM

Dominick Sela:

Rosie Perera:

I subscribe to the RSS feed. But I doubt it has to do with who has subscribed, rather who has posted (as their email addresses would have come out in that feed). Maybe the spammers just scoured one of the forums for email addresses so the spam only went to people who ever posted on that forum.

I don't think so, Rosie.  The RSS feed is one way - Logos to us.  That's what the subscription uses.  So the security hole was that our email address was in the message sent to us through their RSS feed.  That's my understanding...

FYI, RSS feeds aren't sent to you.  RSS feeds work the same way web pages do, except they're formatted differently.  It's just a URL (http://community.logos.com/forums/aggregaterss.aspx?Mode=0). Your browser or feed aggregator has to go out and get them.  Everyone sees the same data on the feed.

Wiki Links: Enabling Logging / Detailed Search Help - MacBook Pro (2014), ThinkPad E570
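Mark Barnes's post above describes the failure mode (a public, aggregated feed that also carried a private field), and Todd's post explains why that matters: the feed is a plain URL that any client can fetch, so anything serialised into it is effectively published. The script below is an added illustration written for this thread, not code from the Logos forum software; the poster records, names, addresses and URLs in it are constructed. It builds a minimal RSS 2.0 feed in two ways, the leaky mapping (RSS 2.0's `<author>` element is specified to hold an e-mail address, so a naive field mapping drops the poster's address into the public document) and the hardened mapping (only the public display name, via `dc:creator`), and runs a pre-publish check that scans the serialised output for anything that looks like an e-mail address. A check of that shape, run as a test against the feed endpoint, is what would have caught this class of leak before a feed reader did.

```python
import re
import xml.etree.ElementTree as ET

DC_NS = "http://purl.org/dc/elements/1.1/"
ET.register_namespace("dc", DC_NS)

# Constructed sample poster records (hypothetical users, not real forum data).
POSTS = [
    {"title": "Notes sync question", "body": "How do notes sync?",
     "name": "alice", "email": "alice@example.com",
     "link": "https://forum.example/p/1"},
    {"title": "Re: Notes sync question", "body": "They sync on startup.",
     "name": "bob", "email": "bob@example.org",
     "link": "https://forum.example/p/2"},
]

# Loose e-mail pattern: good enough for a "should never appear here" check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_feed(posts, leak_email):
    """Serialise posts as an RSS 2.0 document.

    leak_email=True reproduces the kind of defect the thread describes:
    the poster's e-mail address is mapped straight into <author>, which
    then ships in a document anyone can fetch.  leak_email=False is the
    hardened form: only the public display name is exposed, via dc:creator.
    """
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Forum activity"
    ET.SubElement(channel, "link").text = "https://forum.example/"
    ET.SubElement(channel, "description").text = "Recent public posts"
    for post in posts:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = post["title"]
        ET.SubElement(item, "link").text = post["link"]
        ET.SubElement(item, "description").text = post["body"]
        if leak_email:
            # Leaky variant: private field copied into a public element.
            ET.SubElement(item, "author").text = f'{post["email"]} ({post["name"]})'
        else:
            # Hardened variant: public display name only.
            ET.SubElement(item, f"{{{DC_NS}}}creator").text = post["name"]
    return ET.tostring(rss, encoding="unicode")


def find_leaked_emails(feed_xml):
    """Pre-publish check: return every e-mail-looking string in the feed.

    The scan runs over the serialised text rather than over specific
    elements, so an address that lands in a title, description or a custom
    extension element is caught too, not just one in <author>.
    """
    return sorted(set(EMAIL_RE.findall(feed_xml)))


if __name__ == "__main__":
    for mode in (True, False):
        feed = build_feed(POSTS, leak_email=mode)
        leaked = find_leaked_emails(feed)
        print(f"leak_email={mode}: {len(leaked)} address(es) exposed {leaked}")
```

Scanning the serialised document, rather than asserting on one element, is deliberate: the leak in the thread went unnoticed precisely because nobody was looking at the particular element the address had been written to, and a text-level check does not depend on knowing in advance where a field might end up.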

Posts 8893
fgh | Forum Activity | Replied: Thu, Dec 2 2010 3:50 PM

Mark Barnes:
I don't know whether to be pleased that at least the database wasn't hacked so no other data was at risk, or disappointed that such a simple privacy breach occurred.

My feelings too. I was a bit disappointed when Phil Gons wrote that "There was no breach of security. Your credit card info is safe." To me this was a breach of security. Certainly a lesser one than what could have been, but a breach of security nevertheless.

"The Christian way of life isn't so much an assignment to be performed, as a gift to be received."  Wilfrid Stinissen

Mac Pro OS 10.9.

Posts 5573
Forum MVP
Rich DeRuiter | Forum Activity | Replied: Thu, Dec 2 2010 3:59 PM

fgh:
I was a bit disappointed when Phil Gons wrote that "There was no breach of security. Your credit card info is safe.". To me this was a breach of security

They were not 'breached'; that is, their security system wasn't hacked. No one came into Logos and took stuff that was behind a defensive wall. What happened was that Logos was inadvertently exporting email addresses in a way that some spammers could capitalize on. That would be a security leak (not breach), and while the results can be the same, the level of vulnerability for us is quite different. It's also easier to fix.

 Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

Posts 128
Derek | Forum Activity | Replied: Thu, Dec 2 2010 4:32 PM

Mark Barnes:

I don't know whether to be pleased that at least the database wasn't hacked so no other data was at risk, or disappointed that such a simple privacy breach occurred.

I would focus on the latter, because it is extremely important that they know -- what are they doing now that is not safe and secure...

I hope this incident results in an internal complete IT audit of their own security standards... 


Posts 8893
fgh | Forum Activity | Replied: Thu, Dec 2 2010 4:50 PM

Richard DeRuiter:
They were not 'breached'; that is, their security system wasn't hacked. No one came into Logos and took stuff that was behind a defensive wall. What happened was that Logos was inadvertently exporting email addresses in a way that some spammers could capitalize on. That would be a security leak (not breach), and while the results can be the same, the level of vulnerability for us is quite different. It's also easier to fix.

Sorry if I used the wrong word!

I'm not sure you're helping Logos, though. What you're saying is essentially that no one broke into the safe; Logos just left things out in the open for anyone to take. Yeah, that makes me feel safer...

"The Christian way of life isn't so much an assignment to be performed, as a gift to be received."  Wilfrid Stinissen

Mac Pro OS 10.9.

Posts 5615
Todd Phillips | Forum Activity | Replied: Thu, Dec 2 2010 4:54 PM

fgh:

Richard DeRuiter:
They were not 'breached'; that is, their security system wasn't hacked. No one came into Logos and took stuff that was behind a defensive wall. What happened was that Logos was inadvertently exporting email addresses in a way that some spammers could capitalize on. That would be a security leak (not breach), and while the results can be the same, the level of vulnerability for us is quite different. It's also easier to fix.

Sorry if I used the wrong word!

I'm not sure you're helping Logos, though. What you're saying is essentially that no one broke into the safe; Logos just left things out in the open for anyone to take. Yeah, that makes me feel safer...

Certainly it does me. It means that the exposure is limited.  If someone broke in, then it would be more uncertain what data and which systems were compromised.

As it is, it's forum data, not financial data.


Wiki Links: Enabling Logging / Detailed Search Help - MacBook Pro (2014), ThinkPad E570
