Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bay Area Amusements - Poor Security

302 views
Skip to first unread message

Andrew

unread,
May 15, 2012, 12:24:46 PM5/15/12
to
I feel obligated as somebody who works in the technology field to bring this to everybody's attention. Bay Area Amusements stores customer information in an unsecured and unencrypted database.

This is a very poor security practice and has led to data leaks time and time again.(See below for links) I attempted to notify somebody at Bay Area Amusements and by suggestion was closed and not resolved.

Now the only reason I decided to bring this out like this is because my attempt to warn them of this went unheard.

I for one can't justify the risk to my personal information and as a result cannot continue to order from Bay Area Amusements.

If they resolve this issue I will delete this post and consider the matter closed and continue to order my supplies through them.

Links:
http://www.nytimes.com/2011/06/12/technology/12digi.html
http://security.stackexchange.com/questions/12298/password-security-in-databases-today-still-best-practice
http://www.huffingtonpost.com/2011/06/08/sony-hack-problems_n_873443.html

John Incontro

unread,
May 15, 2012, 12:53:27 PM5/15/12
to
Andrew <edg...@gmail.com> wrote in
news:21165442.201.1337099086346.JavaMail.geo-discussion-forums@vbtf35:

> If they resolve this issue I will delete this post and consider the
> matter closed and continue to order my supplies through them.
>

You can't delete usenet posts.
--
John

Fursphere

unread,
May 15, 2012, 12:55:41 PM5/15/12
to

Doing it "right" costs money. IT is just a big money sink, so they
probably don't care.


--
Fursphere
This USENET post sent from http://rgparchive.com

FredMaine

unread,
May 15, 2012, 1:14:00 PM5/15/12
to

That would be enough for me. A large grocery chain in my area had their
customer debit card database hacked, we all had to change our debit
cards out etc. and the company took a lot of heat for it. And they
-were- security aware. Companies that are not, should not be doing
business online. Having said that, I can't verify that BAA is actually
not secure.


--
FredMaine

BlueMalibu

unread,
May 15, 2012, 1:21:16 PM5/15/12
to
On May 15, 12:24 pm, Andrew <edg...@gmail.com> wrote:
> I feel obligated as somebody who works in the technology field to bring this to everybody's attention. Bay Area Amusements stores customer information in an unsecured and unencrypted database.
>
> This is a very poor security practice and has led to data leaks time and time again.(See below for links) I attempted to notify somebody at Bay Area Amusements and by suggestion was closed and not resolved.
>
> Now the only reason I decided to bring this out like this is because my attempt to warn them of this went unheard.
>
> I for one can't justify the risk to my personal information and as a result cannot continue to order from Bay Area Amusements.
>
> If they resolve this issue I will delete this post and consider the matter closed and continue to order my supplies through them.
>
> Links:http://www.nytimes.com/2011/06/12/technology/12digi.htmlhttp://security.stackexchange.com/questions/12298/password-security-i...http://www.huffingtonpost.com/2011/06/08/sony-hack-problems_n_873443....

So how many of you just tried to access this BAA database? ;)

Parker

Pacpin

unread,
May 15, 2012, 1:22:17 PM5/15/12
to

Andrew;1940463 Wrote:
> I feel obligated as somebody who works in the technology field to bring
> this to everybody's attention. Bay Area Amusements stores customer
> information in an unsecured and unencrypted database.
>
> This is a very poor security practice and has led to data leaks time and
> time again.(See below for links) I attempted to notify somebody at Bay
> Area Amusements and by suggestion was closed and not resolved.
>
> Now the only reason I decided to bring this out like this is because my
> attempt to warn them of this went unheard.
>
> I for one can't justify the risk to my personal information and as a
> result cannot continue to order from Bay Area Amusements.
>
> If they resolve this issue I will delete this post and consider the
> matter closed and continue to order my supplies through them.
>
> Links:
> http://www.nytimes.com/2011/06/12/technology/12digi.html
> http://tinyurl.com/7xrgsnh
> http://tinyurl.com/5uwxchu

Well VISA will insure all the transactions should something happen to
your account. But i'm pretty sure in order to be allowed to accept VISA
that the business has to be verified by VISA as following all their
guidelines and stuff. I'm sure BAA has some means of a safeguard in
line or VISA wouldn't feel comfortable enough allowing him to accept
payments.


--
Pacpin

Andrew

unread,
May 15, 2012, 1:24:54 PM5/15/12
to
When you order from them you will receive an email that has a link for "Checking order status online".

You will look at the URL and it will contain "Customer_Password=YOUR ACTUAL PASSWORD"

The only way for that link to work is if your passwords were stored as plain text and then read about and emailed to you.

Password that are stored insecurely leave us vulnerable.

jammer74

unread,
May 15, 2012, 1:17:33 PM5/15/12
to
On May 15, 12:24 pm, Andrew <edg...@gmail.com> wrote:
> I feel obligated as somebody who works in the technology field to bring this to everybody's attention. Bay Area Amusements stores customer information in an unsecured and unencrypted database.
>
> This is a very poor security practice and has led to data leaks time and time again.(See below for links) I attempted to notify somebody at Bay Area Amusements and by suggestion was closed and not resolved.
>
> Now the only reason I decided to bring this out like this is because my attempt to warn them of this went unheard.
>
> I for one can't justify the risk to my personal information and as a result cannot continue to order from Bay Area Amusements.
>
> If they resolve this issue I will delete this post and consider the matter closed and continue to order my supplies through them.
>
> Links:http://www.nytimes.com/2011/06/12/technology/12digi.htmlhttp://security.stackexchange.com/questions/12298/password-security-i...http://www.huffingtonpost.com/2011/06/08/sony-hack-problems_n_873443....

I'm changing my BAA password to
ndruzadush
its 10 characters.
What do ya think? ;)

David Gersic

unread,
May 15, 2012, 1:41:07 PM5/15/12
to
On Tue, 15 May 2012 10:24:54 -0700 (PDT), Andrew <edg...@gmail.com> wrote:
> When you order from them you will receive an email that has a link for "Checking order status online".
>
> You will look at the URL and it will contain "Customer_Password=YOUR ACTUAL PASSWORD"

That's bloody stupid.


> The only way for that link to work is if your passwords were stored as plain text and then read about and emailed to you.

Um, no. "plain text" is not a requirement here. It's equally possible
to store data in reversable encrypted format. Then the mailer would
just need access to the encryption key to decrypt the data.


> Password that are stored insecurely leave us vulnerable.

That's the least of your worries, since you could relatively easily
use a different password for each place you log in. If they're storing
credit card numbers, however, that would be a much bigger problem.


--
| David Gersic http://www.zaccaria-pinball.com |
| Don't worry about what people think, they don't do it very often. |
| Email address is a spam trap. Visit the web site for contact info. |

David Gersic

unread,
May 15, 2012, 1:42:26 PM5/15/12
to
On Tue, 15 May 2012 13:22:17 -0400, Pacpin <jml...@hotmail.com> wrote:
> Well VISA will insure all the transactions should something happen to
> your account. But i'm pretty sure in order to be allowed to accept VISA
> that the business has to be verified by VISA as following all their
> guidelines and stuff.

That would be "PCI Compliance" if you want to read up on it...
Start at: https://www.pcisecuritystandards.org/

--
| David Gersic http://www.zaccaria-pinball.com |
| I am a Klingon, sir. I do NOT whistle while I work! |

Bay Area Amusements

unread,
May 15, 2012, 2:02:14 PM5/15/12
to
Andrew ...

- Our site and data is as secure as we can possible be as well as we
continue to look for additional ways to keep it that way
- have never had issue in 10 years and many tens of thousands of
transactions of any security, breakins, etc.
- We are a Visa/MC accepting company and as such there are rules and
requirements, monitoring, etc.
- We use McAfee Secure which monitors our site daily for any security
issues/flaws, etc.
- The store software we use is Miva, which runs hundreds of thousands of
e-commerce site - in fact our site hardware and software is run by Miva
which we did to insure that we had the best support for the Miva store that
we run.
- We encrypt our data, especially our credit card info on the site with
strong encryption
- We provide an 'order status' in order message which sends on a customer
receipt a URL which is only sent to the customer (who setup their
Name/Address info) ONLY. Even if the order was sent to someone else, the
ONLY info that could possibly be available is Name, Address, Phone # - but
again this is sent to the e-mail address setup by the customer.
- Again, account and password ONLY give access to customer name,
address, and phone info for pre-filling order info, there is no to credit
card info (we do not ask customers to 'store' their credit card info, or
paypal info, etc - this could possibly be a concern).
- we can remove the feature, which will remove the ability for
customers to check on their order status.

So, I'm sure that you are concerned about online security, as are we in
running a complex online store.

Please be careful in the statements regarding someone's business unless you
are absolutely sure about what you are saying. That being said, we will
always be evaluating our site, our security, and the tradeoffs that exist to
insure we offer the best shopping experience and protect customer
information.

ri...@bayareaamusements.com


"Andrew" <edg...@gmail.com> wrote in message
news:21165442.201.1337099086346.JavaMail.geo-discussion-forums@vbtf35...

Frank Furhter

unread,
May 15, 2012, 2:11:51 PM5/15/12
to
Its kinda funny you talk as if you know something, then point to
huffingtonpost and the NYTimes of all things for 'back up' to your claims.

Then you say you want to delete a post, to the USENET, which can't be
done since its a distributed and known to propagate rather quickly to
other servers.

Basically, you are a noob, an idiot, and someone that needs to spend
more time watching the sky fall than to warn others that the pot of
water is now boiling.

Andrew

unread,
May 15, 2012, 2:17:14 PM5/15/12
to
Well Rick that would have been a better response than the one I got when I raised the issue in privacy to your site.

The most accepted best practices for password storage is not to store our passwords in a reversible encryption.

Also I never said you stored our credit card information poorly, I'm mostly concerned with the passwords of user accounts.

A better method for allowing users to return to their account information would be with a session based cookie or hash string. Building a URL with a password is sloppy and exposes my password over a network. URLS that are visited can be logged and aren't securely transmitted.

Also it isn't just my personal information that I submitted the rewards system would also be valuable to somebody trying to steal an account.

And as a gesture of good faith, I will take back my previous statement regarding needing using other sites. I do have a System 1 board I do need, and having this issue personally resolved, I feel better about using your site again. I'd feel even better never seeing my password in a URL again.

Bay Area Amusements

unread,
May 15, 2012, 2:22:07 PM5/15/12
to
As an update, as this has created a ton of confusion and overstatement, we
have removed the 'offending feature' which was to allow order status from
the e-mail send to 'your' email addresses. Unfortunately this
mis-understanding of this feature has been mis-represented into our overall
security, which we are confident in, as well as continue to insure that we
offer the best that we possibly can.

ri...@bayareaamusements.com

"Bay Area Amusements" <ri...@bayareaamusements.com> wrote in message
news:ddmdnXF8rOWzBy_S...@earthlink.com...

Bay Area Amusements

unread,
May 15, 2012, 2:24:58 PM5/15/12
to
And finally, what is a bit absurd is that the customer information that is
compromised by having the user and password is that SAME information that is
in the customer e-mail.

ri...@bayareaamusements.com

"Bay Area Amusements" <ri...@bayareaamusements.com> wrote in message
news:9t-dnf0pKcJPAy_S...@earthlink.com...

Andrew

unread,
May 15, 2012, 2:25:18 PM5/15/12
to
But you have to understand that when I actually click that link that contains my password, my password will be sent via my browser as an unencrypted request that will be viewable to every hop along the way.

Bill DeLeo

unread,
May 15, 2012, 2:24:02 PM5/15/12
to
I work in IT for a fortune 100 company and security for sensitive web
information is one of my responsibilities. Bay Area's reply is more
than adequate for me to come to the conclusion "they know what they're
doing".

Did you completely miss the fact that anything regarding checking our
login is encrypted via HTTPS?

Bay Area Amusements (in my opinion) is the best parts reseller on the
net. They have lightning fast shipping, responsive customer service
and competitive prices.

Andrew- working in the technology field might not be your strong suit.
I would highly recommend a career switch, or ongoing education.

Bay Area Amusements

unread,
May 15, 2012, 2:28:36 PM5/15/12
to
Andrew ... that password points to the SAME information that is in the order
information ... no credit card info, only name, address info which is no
different than most any other site (which none of which I use send my order
confirmation encrypted as this would require a key by the customer to read
...).

ri...@bayareaamusements.com


"Andrew" <edg...@gmail.com> wrote in message
news:32332985.41.1337106318415.JavaMail.geo-discussion-forums@yngr17...

Andrew

unread,
May 15, 2012, 2:28:51 PM5/15/12
to
Bill go check the URL that is being created in an email. IT IS NOT SSL. It is http:// , and contains both my username and password as plain text.

Please check your facts and enjoy your fortune 100 job.

seymour.shabow

unread,
May 15, 2012, 2:43:00 PM5/15/12
to
haha, "highly recommend a career switch".

I'm putting that one down for insult candidate for 2012. (For those
interested, the best insult hurled on RGP in the last 9 years or so is
still "Bite me, Kemper". Just the way it flows off the tongue.)

Bill DeLeo

unread,
May 15, 2012, 2:28:22 PM5/15/12
to
On May 15, 2:25 pm, Andrew <edg...@gmail.com> wrote:
> On Tuesday, May 15, 2012 1:22:07 PM UTC-5, Bay Area Amusements wrote:
> > As an update, as this has created a ton of confusion and overstatement, we
> > have removed the 'offending feature' which was to allow order status from
> > the e-mail send to 'your' email addresses. Unfortunately this
> > mis-understanding of this feature has been mis-represented into our overall
> > security, which we are confident in, as well as continue to insure that we
> > offer the best that we possibly can.
>
> > r...@bayareaamusements.com
>
> > "Bay Area Amusements" <r...@bayareaamusements.com> wrote in message
> > > r...@bayareaamusements.com
>
> > > "Andrew" <edg...@gmail.com> wrote in message
> > >news:21165442.201.1337099086346.JavaMail.geo-discussion-forums@vbtf35...
> > >> I feel obligated as somebody who works in the technology field to bring
> > >> this to everybody's attention. Bay Area Amusements stores customer
> > >> information in an unsecured and unencrypted database.
>
> > >> This is a very poor security practice and has led to data leaks time and
> > >> time again.(See below for links) I attempted to notify somebody at Bay
> > >> Area Amusements and by suggestion was closed and not resolved.
>
> > >> Now the only reason I decided to bring this out like this is because my
> > >> attempt to warn them of this went unheard.
>
> > >> I for one can't justify the risk to my personal information and as a
> > >> result cannot continue to order from Bay Area Amusements.
>
> > >> If they resolve this issue I will delete this post and consider the
> > >> matter closed and continue to order my supplies through them.
>
> > >> Links:
> > >>http://www.nytimes.com/2011/06/12/technology/12digi.html
> > >>http://security.stackexchange.com/questions/12298/password-security-i...
> > >>http://www.huffingtonpost.com/2011/06/08/sony-hack-problems_n_873443....
>
> But you have to understand that when I actually click that link that contains my password, my password will be sent via my browser as an unencrypted request that will be viewable to every hop along the way.

What you hopping through a phishing proxy? LOL

Unless BAA is using a 3rd party email open-rate tracking solution
(where the links redirect and leave a database impression on another
server), the only "hops" that will be viewable will be from Email
client to BAA.

Bill DeLeo

unread,
May 15, 2012, 2:35:54 PM5/15/12
to
You are completely misunderstanding how SSL works... but I don't feel
like going into that. Do some googling.

I'm failing to see the issue if the email (sent to the customer),
which already contains the password in the body, has a convenient link
where you don't need to type the password (because its embedded in the
anchor). Either way, if someone "intercepted" the email (not
happening), they would be able to prune your password from the body,
as well as the URL.

As I said before, unless your computer has a proxy, or is infested
with malware that intercepts your URL's, this will not be an issue.
You're going directly from email hyperlink to bay area amusements.

I am enjoying my fortune 100 job, its awesome. What is your current IT
role again? Junior Web Developer? Jr. Web analyst? Unpaid intern? lol

Andrew

unread,
May 15, 2012, 2:38:19 PM5/15/12
to
You're forgetting the hops that the http:// request takes on its way back to their servers. All the while that can be logged as a visited site, password included.

Andrew

unread,
May 15, 2012, 2:42:00 PM5/15/12
to
I'd like to bet that a lot of people do things at work they shouldn't, for example buy things online. And providing they did this, it would leave their account exposed to network administrators who are logging traffic. It would also expose their password to that administrator. While there are other ways that administrator could steal this information the job is made all too easy.

Also insure proxies aren't the ways in which http traffic is logable.

Brian Shepherd

unread,
May 15, 2012, 2:44:35 PM5/15/12
to
On May 15, 2:24 pm, Bill DeLeo <bill.de...@gmail.com> wrote:
> I work in IT for a fortune 100 company and security for sensitive web
> information is one of my responsibilities. Bay Area's reply is more
> than adequate for me to come to the conclusion "they know what they're
> doing".

Wow. You might want to think it through a little more.

> Did you completely miss the fact that anything regarding checking our
> login is encrypted via HTTPS?

But that is only during the time of a transaction. The system, while
somewhat secure still poses a security risk. Here's why:

1. While Bay Area might store the passwords in an encrypted state,
it's not one way. Bay Area's software obviously has the ability to
decrypt this password so it can be sent to the user in an email. This
info has to be stored *somewhere*, so it's likely in a config file for
whatever software they are using.

2. Since this ability exists to decrypt the password, if Bay Area's
site got hacked and the entire system was copied, then hackers could
*easily* reverse all of the passwords stored in the database.

Password's should be stored encrypted, but it's a one way encryption
-- a site's authentication system compares encrypted values and
should NEVER have the ability to decrypt a password. It should never
have a need too.

This is horrible security.

-- Brian


Andrew

unread,
May 15, 2012, 2:49:07 PM5/15/12
to
Rick I understand that the information given from a compromised account is also the same as contained in the email, I would also venture to say the rewards given to an account are valuable as well. And could motivate somebody to steal an account.

I would also like to point out that when somebody actually clicks that link that request crosses the network unencrypted and with the password and user exposed. So it could be logged without the email. Thus it would be new information.

I for one would not like my name, address, phone number, other, exposed to others online.

I'm glad to hear the "feature" was removed.

Pacpin

unread,
May 15, 2012, 2:57:21 PM5/15/12
to

Bill, i know you think Andrew is a major idiot and you want to beat him
up and that he sucks at pinball or whatever, but maybe Andrew has a
point. I don't know enough about the subject to know for sure if he has
a point or not. Andrew says you are a huge moron and he thinks he can
destroy you with one hand tied behind his back and was telling everyone
your butt smells, but let's hear both sides of the story before things
get too out of hand.


--
Pacpin

Andrew

unread,
May 15, 2012, 2:33:08 PM5/15/12
to
I understand that the only information currently seen to a compromised account is my address and other information I entered. But what about the rewards that each account carries? Should an account password be discovered, it is possible for somebody to change that password, and steal that account with a high level of rewards.

Also I wouldn't want people to actually have my address, phone number, etc.

Bay Area Amusements

unread,
May 15, 2012, 3:06:37 PM5/15/12
to
We have checks to see what discounts are being applied, so this would be
easily detected. In any event, if so, then the only one that would be
damaged would be BAA as in your theoretical case we would be giving away
somethings at a discount ... at this point Andrew, I can only see that you
are intent on damaging our reputation and regardless of what this started
out to be.

"Andrew" <edg...@gmail.com> wrote in message
news:2712431.50.1337106788468.JavaMail.geo-discussion-forums@yneh4...

TheKorn

unread,
May 15, 2012, 3:14:16 PM5/15/12
to
David Gersic <usenet_s...@zaccaria-pinball.com> wrote in
news:jou4fi$g3u$1...@dont-email.me:

> On Tue, 15 May 2012 10:24:54 -0700 (PDT), Andrew <edg...@gmail.com>
> wrote:
>> When you order from them you will receive an email that has a link
>> for "Checking order status online".
>>
>> You will look at the URL and it will contain "Customer_Password=YOUR
>> ACTUAL PASSWORD"
>
> That's bloody stupid.

Seconded.

>> The only way for that link to work is if your passwords were stored
>> as plain text and then read about and emailed to you.
>
> Um, no. "plain text" is not a requirement here. It's equally possible
> to store data in reversable encrypted format. Then the mailer would
> just need access to the encryption key to decrypt the data.

Very true; AES encryption for example is easily reverseable, yet can be recovered
with the right password.

>> Password that are stored insecurely leave us vulnerable.
>
> That's the least of your worries, since you could relatively easily
> use a different password for each place you log in. If they're storing
> credit card numbers, however, that would be a much bigger problem.

Good point, but then BAA wouldn't be PCI compliant if they were storing
recoverable CC data. It'd take a pretty monumental screw-up to do that (plus
you'd fail your PCI audit), so I'd say the *most likely* scenario is that BAA has
an external payment processor and hands everything off to them.

...which isn't great, mind you. Biggest thing would be somehow losing the entire
customer database, possibly to a competitor. Valuable to the competitor, not-so-
valuable to most everyone else.

If having your CC stolen is an 8 and full-on identity theft is a 10, this would be
maybe a 3. Annoying, but that's about it.

--
Have a home video that's trapped on your camera? Want to share it on the web or
on DVD?

http://www.webwidevideo.com/

TheKorn

unread,
May 15, 2012, 3:15:02 PM5/15/12
to
jammer74 <pban...@yahoo.com> wrote in
news:b9608da8-3a7f-4e97...@h10g2000pbi.googlegroups.com:

> I'm changing my BAA password to
> **********
> its 10 characters.
> What do ya think? ;)

All that came through was asterisks. Try typing it in again. :D

Andrew

unread,
May 15, 2012, 3:10:41 PM5/15/12
to
Rick, My intent is to protect my personal information and the bottom line being able to reverse my password and send it across a network is not doing a good job of protecting my personal information that I gave you to complete an order.

I have no competing business and stand no gain from your loss or your gain. So your assessment of my intent being to damage your image is false.

Why would I have raised the issue in privacy FIRST if my intent was to make it public and damage your name?

You ignored my concerns first, and brought this upon yourself.

chuck

unread,
May 15, 2012, 3:17:30 PM5/15/12
to
Best practice for passwords is to encrypt the password upon entry and never decrypt it again. Any login to a site encrypts the password from the login and compares the two encrypted values. When a user wants to reset their password the old one is deleted and the user is forced to enter a new password which is then encrypted. Many people use the same user/pass pair for many sites. If you recover a password from one site you can potentially use it for many. This is the preferred method in case user data is compromised from any site only the username can be obtained and not the password.

This is not a comment on BAA in any way, this is just the proper way to store passwords.

psk445

unread,
May 15, 2012, 3:18:45 PM5/15/12
to
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
I have NO technological background but you still at 236 ***********,
New Libson, WI? (This took me all of 2 minutes to find.)

Also, if you are so concerned about security and what information of
yours is out there, then why in the world would you have a Facebook
account?


On May 15, 11:33 am, Andrew <edg...@gmail.com> wrote:
>
> I understand that the only information currently seen to a compromised account is my address and other information I entered. But what about the rewards that each account carries? Should an account password be discovered, it is possible for somebody to change that password, and steal that account with a high level of rewards.
>
> Also I wouldn't want people to actually have my address, phone number, etc.- Hide quoted text -
>
> - Show quoted text -

Bill DeLeo

unread,
May 15, 2012, 3:31:42 PM5/15/12
to
I'd be more concerned at your (presumed) employer publishing your
name, job title and a photograph on their site.
http://www.bentonbank.com/directory.html

In my opinion, thats much more offending than BAA sending passwords in
an email (addressed to you) that can MAYBE be intercepted and lead to
PII theft. With some quick googling I am able to turn up real-deal
PII, published by who appears to be your employer, for the world to
see...

jammer74

unread,
May 15, 2012, 3:32:01 PM5/15/12
to
Andrew,please for the record how many orders have you placed with BAA
or any pinball parts distributor for that matter ?

You'd be on my banned customer list if I were a distributor for the
public bashing.

Pacpin

unread,
May 15, 2012, 3:39:28 PM5/15/12
to
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Checkmate! Andrew got schooled!

kjohn

unread,
May 15, 2012, 3:52:43 PM5/15/12
to
Thank you all for the amusing thread... I work in IT as well, however,
not in a security role. There are certainly plenty of opinions on how
one achieves the needed security level for their network/domain.
Andrew, I think you should spend a few more years gaining some
experience and growing your resume. And judging from the other post
you have on rgp, you may wish to work on your electronics trouble
shooting skills as well. Have a nice day. ;)

kj

seymour.shabow

unread,
May 15, 2012, 4:07:20 PM5/15/12
to
Andrew wrote:
>
> Rick, My intent is to protect my personal information and the bottom line being able to reverse my password and send it across a network is not doing a good job of protecting my personal information that I gave you to complete an order.
>
> I have no competing business and stand no gain from your loss or your gain. So your assessment of my intent being to damage your image is false.
>
> Why would I have raised the issue in privacy FIRST if my intent was to make it public and damage your name?
>
> You ignored my concerns first, and brought this upon yourself.

Andrew ********
236 east ******** st
*** ******, Wisconsin *****
United States

You might want to re-think your original premise. I was sort of nice
and **** out your info but it's certainly out there in a much easier to
find method than hacking into BAA's site.

seymour.shabow

unread,
May 15, 2012, 4:11:15 PM5/15/12
to
Point to Bill....

I know a couple jobs back the IT director wanted us all to start
facebook pages etc. and everyone in the dept. refused. One of my
co-workers took it to the union who nixed it. This is the same place
that sells what I call the "stalkers' directory" - a book anyone can buy
with personal information (name, married name, address, occupation,
phone #).

It was also non-optional to have our names, pictures, and addresses
removed from the printed employee directory. They did let you have your
phone # as "unlisted" (if it actually was).

Apparently someone sued them and got them to just list her name and
photo. Still too much info, IMO.

Christopher Stinebrink

unread,
May 15, 2012, 4:00:40 PM5/15/12
to
I know little about internet security and I would agree with Bill and
psk445. If your worried about your info out there. Then don't use
the website. Do a check of there practices before you order from
anyone from now on. So that new set of flipper rubbers you want to
order takes 3 weeks to get to you because you have to send a check,
wait for it to clear and then ship. If your that worried. Roll up
the sidewalk and move to that cave in the hills.

No one's info is safe. If someone wants it they will get it. BBA is
such a great supplier to our hobby and the fact that you feel you can
take to a newsgroup to flame someone is disgusting. Stop crying like
a child. "I didn't get what I want so now I'm going to cry and flame
someone"

Its Embarrassing

chris

jammer74

unread,
May 15, 2012, 4:00:47 PM5/15/12
to
I think the bank he's working for might need to rethink their choice
for an "it guy".lol

Christopher Stinebrink

unread,
May 15, 2012, 4:03:23 PM5/15/12
to
On May 15, 3:00 pm, Christopher Stinebrink <chrisstinebr...@gmail.com>
wrote:
Wow. I had myself so wound up I posted the worst thing ever. All the
spelling issues and punctuation issues. Man I'm cracking myself up
over here. Thanks for the wind up today. I needed my blood pressure
raised. :)

chris

Andrew

unread,
May 15, 2012, 4:03:01 PM5/15/12
to
While an actual valid point Seymour-Shabow, the time at which that information was valid, I've tried to do things a lot better in terms of PII.

That doesn't change the fact that I do, and others should as well, try to limit PII from reaching the internet.

TheKorn

unread,
May 15, 2012, 4:08:18 PM5/15/12
to
Bill DeLeo <bill....@gmail.com> wrote in
news:7f680553-43a5-4418...@5g2000vbf.googlegroups.com:

> I'm failing to see the issue if the email (sent to the customer),
> which already contains the password in the body, has a convenient link
> where you don't need to type the password (because its embedded in the
> anchor). Either way, if someone "intercepted" the email (not
> happening), they would be able to prune your password from the body,
> as well as the URL.

It's trivially easy to intercept this type of information. Run a wireless sniffer
by any coffee shop, mcdonalds, or other wi-fi hot spot and record traffic. As
soon as the person reads that particular email (or worse, clicks the link), then
boom, you have their username and password.

If they're a "bad user" (the majority of users out there), you likely now have
their password (or password base) to lots of sites.

> As I said before, unless your computer has a proxy, or is infested
> with malware that intercepts your URL's, this will not be an issue.
> You're going directly from email hyperlink to bay area amusements.

...which WOULD be great if you could trust the internet end to end. But with an
untrusted link at the user side being EXTREMELY COMMON, the house of cards starts
falling. (And don't even get me started on SSL... DigiNotar, anyone?)

seymour.shabow

unread,
May 15, 2012, 4:27:09 PM5/15/12
to
Andrew wrote:
> While an actual valid point Seymour-Shabow, the time at which that information was valid, I've tried to do things a lot better in terms of PII.
>
> That doesn't change the fact that I do, and others should as well, try to limit PII from reaching the internet.

True. Bill went a little farther and probably ran a search after that
on your full name while I just used first name and email address.

The point with my old employer was that any information on internet was
information I *wanted* to put there, not what he wanted instead.
(personal cell #, city, etc.) His thinking was that as a salaried
employee, I would always be 'on the clock' and if people happened to
live near me, it would be no problem for them to call me on my time off
for assistance.

I do agree with everyone that doesn't like to see the password in the
clear though, regardless of if its passed along to other people or not.
If you happen to save that email and you email gets compromised,
they've now got your password. While not a great tragedy if it were
only used for BAA, a slight tragedy nonetheless.

TheKorn

unread,
May 15, 2012, 4:14:34 PM5/15/12
to
Bill DeLeo <bill....@gmail.com> wrote in news:0d95923f-9db5-4af4-921a-
8b27e1...@b1g2000vbb.googlegroups.com:

> In my opinion, thats much more offending than BAA sending passwords in
> an email (addressed to you) that can MAYBE be intercepted and lead to
> PII theft. With some quick googling I am able to turn up real-deal
> PII, published by who appears to be your employer, for the world to
> see...

...you can't POSSIBLY be arguing that two wrongs make a right. Please, PLEASE tell
me you aren't.

seymour.shabow

unread,
May 15, 2012, 4:30:34 PM5/15/12
to
TheKorn wrote:
>
> If they're a "bad user" (the majority of users out there), you likely now have
> their password (or password base) to lots of sites.
>

I used to tell users that a lot of people used "PENCIL" as their
password because that's the password of the week in the movie War Games
- and they started to use that.

And of course, their passwords were always on post it notes under their
keyboard. Security was treated as a joke - even by the security
officers. The password to their camera system recording server was
"PASSWORD". Which was also written on a post it note and stuck to the
monitor.

When they had us set up remote viewing software for some executive level
people, their passwords were "PASSWORD" as well. nice, guys.

Foo

unread,
May 15, 2012, 4:16:44 PM5/15/12
to

Bill DeLeo;1940584 Wrote:
> I'd be more concerned at your (presumed) employer publishing your
> name, job title and a photograph on their site.
> http://www.bentonbank.com/directory.html
>
> Vicki
> Assistant Computer Operator
> Computer Department
>
> Computer department?? :p


--
Foo

TheKorn

unread,
May 15, 2012, 4:18:35 PM5/15/12
to
Bill DeLeo <bill....@gmail.com> wrote in
news:6842736d-3448-4cd6...@s27g2000yqd.googlegroups.com:

>> But you have to understand that when I actually click that link that
>> contains my password, my password will be sent via my browser as an
>> unencrypted request that will be viewable to every hop along the way.
>
> What you hopping through a phishing proxy? LOL
>
> Unless BAA is using a 3rd party email open-rate tracking solution
> (where the links redirect and leave a database impression on another
> server), the only "hops" that will be viewable will be from Email
> client to BAA.

Welcome to 2012 -- wifi is everywhere. If you do any amount of traveling AT ALL,
chances are at some point you're going to connect to a hot spot of who-knows-what
security. McDonalds, local library, coffee shop, etc. Unless you other steps to
secure that link (*cough*VPN*cough*) then it's an easy game over right there.

That's without someone doing *active* hacking, just passively capturing packets that
are broadcast.

Bill DeLeo

unread,
May 15, 2012, 4:23:04 PM5/15/12
to
On May 15, 4:08 pm, TheKorn <TheK...@TheKorn.Net> wrote:
This begs the question of one of my original points... who the hell
cares to sniff through MASSIVE traffic logs to find that password in a
query string. If you're logging public wifi, or going through a proxy,
or jumping through a phishing scheme, you're log entry (with the
password query string) will be just one of thousands. You'd need to
know exactly what you're looking for (that special query string
param), and know what its used for (login for BAA).

That said, I find it EXTREMELY unlikely someone's account will ever be
compromised due to this scenario. Sure, in theory it could happen.
Sure, its not optimal security. Has it happened yet? Not that we know
of. Has the "issue" (I use that term loosely) been resolved on BAA's
end? According to Rick, yes.

I suppose the take away from today is no website's security is
perfect. I could pick apart flaws in much larger websites all day (for
example, Geico emails you auto-login links when you join, they don't
even prompt for the password!!!) Look at Sony (lol)

Now for the fun part, lets see how strong Benton Bank's security
is ;-)

JOKING!!!

Bill DeLeo

unread,
May 15, 2012, 4:28:30 PM5/15/12
to
On May 15, 4:14 pm, TheKorn <TheK...@TheKorn.Net> wrote:
> Bill DeLeo <bill.de...@gmail.com> wrote in news:0d95923f-9db5-4af4-921a-
> 8b27e1864...@b1g2000vbb.googlegroups.com:
>
> > In my opinion, thats much more offending than BAA sending passwords in
> > an email (addressed to you) that can MAYBE be intercepted and lead to
> > PII theft. With some quick googling I am able to turn up real-deal
> > PII, published by who appears to be your employer, for the world to
> > see...
>
> ...you can't POSSIBLY be arguing that two wrongs make a right.  Please, PLEASE tell
> me you aren't.
>
> --
> Have a home video that's trapped on your camera?  Want to share it on the web or on
> DVD?
>
> http://www.webwidevideo.com/

Not arguing that two wrongs make a right, not at all. For someone as
"security aware" as Andrew claims to be, he should be more careful
with his PII. Thats the point i was making.

TheKorn

unread,
May 15, 2012, 4:31:06 PM5/15/12
to
Bill DeLeo <bill....@gmail.com> wrote in
news:0d36c140-eede-4c88...@t23g2000yqj.googlegroups.com:

> This begs the question of one of my original points... who the hell
> cares to sniff through MASSIVE traffic logs to find that password in a
> query string. If you're logging public wifi, or going through a proxy,
> or jumping through a phishing scheme, you're log entry (with the
> password query string) will be just one of thousands. You'd need to
> know exactly what you're looking for (that special query string
> param), and know what its used for (login for BAA).


cat CAPTURE_FILE.pcap | grep -i password

relavent results in less than 3 seconds. Give me a hard one next time!

> I suppose the take away from today is no website's security is
> perfect. I could pick apart flaws in much larger websites all day (for
> example, Geico emails you auto-login links when you join, they don't
> even prompt for the password!!!) Look at Sony (lol)

Beating up on Sony's security is like beating on a child in a wheelchair -- it's
so easy it's not even funny. But yeah, that's really stupid on GEICO's part.

(Yes, no connected system's security is perfect. But there's a large distance
between doing things right and perfect, and we should try and go as far as
reasonably possible along the 'doing things right' continuum.)

> Now for the fun part, lets see how strong Benton Bank's security
> is ;-)
>
> JOKING!!!

Mannnnn, I wouldn't even joke around with that. Somebody hacks benton bank four
months from now and people are going to come looking for Bill DeLeo!

Andrew

unread,
May 15, 2012, 3:42:40 PM5/15/12
to
I placed the information in a private format and was ignored. The amount in which I've ordered I feel is irreverent to the actual issue. Would my point be any more valid or less valid in proportion to the amount in dollars that I bought?

I'll stand by what I said or I wouldn't of said it.

No more needs to be said on my part. The password practice has been pointed out and what changes is dependent on them.

Bill DeLeo

unread,
May 15, 2012, 4:46:24 PM5/15/12
to
On May 15, 4:31 pm, TheKorn <TheK...@TheKorn.Net> wrote:
Oh you clever unix guys ;)

Again, beating a dead horse here, but you would (in theory) need to
know the magic query string is "password". If you're sniffing traffic,
thats probably part of your grep already... but just to play devils
advocate here... you'd have to make a pretty good guess to find the
magic parameter.

Anywho...

Frank Furhter

unread,
May 15, 2012, 9:01:45 PM5/15/12
to
TheKorn wrote:
> Bill DeLeo<bill....@gmail.com> wrote in
> news:6842736d-3448-4cd6...@s27g2000yqd.googlegroups.com:
>
>>> But you have to understand that when I actually click that link that
>>> contains my password, my password will be sent via my browser as an
>>> unencrypted request that will be viewable to every hop along the way.
>>
>> What you hopping through a phishing proxy? LOL
>>
>> Unless BAA is using a 3rd party email open-rate tracking solution
>> (where the links redirect and leave a database impression on another
>> server), the only "hops" that will be viewable will be from Email
>> client to BAA.
>
> Welcome to 2012 -- wifi is everywhere. If you do any amount of traveling AT ALL,
> chances are at some point you're going to connect to a hot spot of who-knows-what
> security. McDonalds, local library, coffee shop, etc. Unless you other steps to
> secure that link (*cough*VPN*cough*) then it's an easy game over right there.
>
> That's without someone doing *active* hacking, just passively capturing packets that
> are broadcast.
>

You can capture all the packets you want, but if its secure with 1024 or
high you are hard pressed to do anything with the data. So what if
someone captures your data, if it is HTTPS and done right you don't
really have much to worry.

macrossplus

unread,
May 15, 2012, 9:08:41 PM5/15/12
to

What I can't believe is that no one knows who this guy is??? Don't know
if anyone noticed or not but Andrew is also "Blue Shirt" from Spooky
Pinball podcast...So anyone that is concerned with his troubleshooting
skills and ordered a BHZA pinball from Jpop and Ben Heck may want to be
worried as he is a full-fledged member of "Team Heck". Andrew in IT from
Wisconsin was just a coincidence, but when I saw the pic on the web site
with "KT" on there as well, gotta admit, pretty funny! Blue Shirt, does
Charlie know you are up to this? LOL


--
macrossplus

TheKorn

unread,
May 15, 2012, 11:07:17 PM5/15/12
to
Frank Furhter <fr...@furhter.com> wrote in
news:jouu9p$kns$7...@dont-email.me:

> You can capture all the packets you want, but if its secure with 1024
> or high you are hard pressed to do anything with the data. So what if
> someone captures your data, if it is HTTPS and done right you don't
> really have much to worry.

You missed the forest for the trees. The link (as it was being sent) was not an
https link. Further, there are opportunities to capture the url before the link is
even clicked, which may (or may not) be secure. Fat lot of good locking the door
does if you can talk the housekeeper into letting you in. Far better to make sure
the house has no valuables in the first place, which was the original point.

Craig Tiano

unread,
May 16, 2012, 12:03:17 AM5/16/12
to
On Tue, 15 May 2012 19:14:16 GMT, TheKorn <The...@TheKorn.Net> wrote:

>Good point, but then BAA wouldn't be PCI compliant if they were storing
>recoverable CC data. It'd take a pretty monumental screw-up to do that (plus
>you'd fail your PCI audit),

Ignoring BAA specifically, one should be aware that at the lowest
levels of PA/PCI DSS only require a self certification questionaire.
No vulnerability scanning and no audit. Only when you're over 1M
annual VISA transactions a year do you require an external audit. Over
20k are where you begin to require vulnerability scanning on your
external servers. In no case, not even level 1 (over 6M annual VISA
transactions), is there a requirement to prove that your system is
intelligently designed.

Companies I've worked for, using systems I've designed, have been
selling e-goods since the 1980's with credit cards. If you totalled
the dollars over the last 10 years alone, it would be about $6B.
There's a huge difference in e-goods versus regular goods. e-goods are
delivered immediately through a browser, and there's no way to get
them back. Regular goods are shipped to a physical address, giving you
at least some time to have a human being review and pick the order and
possibly notice something amiss.

Follow the standard PA-DSS guidelines and you can still create a
system that has tremendous holes just by not thinking about the whole
ecosystem of the e-commerce model. BAA was sending unencrypted
passwords through email. Email isn't secure. It's delivered in plain
text and transported in plain text. The embedded clickable url was not
encrypted. There are lots of hops between your laptop/phone/desktop
and the server at the other end, all of which could be a point of data
leakage. Even though BAA's system doesn't allow you to exploit access
to the account (although, a spoofed email with details of an order
saying I, pretending to the real customer, specified the wrong
shipping address at the time of the order and asking to substitute
another address might work on an unsuspecting BAA customer service
rep), it opens the door to the user losing control of other accounts
where he may have used the same password (which is incredibly common).
There are a few "plug and play" e-commerce systems out there that
intelligently encrypt login urls, but allow you to use the same url
over and over and over, which means anyone can log in to your account
if they capture the url in transit. Encryption, used wrong, doesn't
really do anything other than to obfuscate the details. It certainly
doesn't prevent exploits.

Craig







metallik

unread,
May 16, 2012, 12:47:50 AM5/16/12
to
> Many people use the same user/pass pair for many sites. If you recover
> a password from one site you can potentially use it for many. This is the
> preferred method in case user data is compromised from any site only the

This. While users should, in best practices, use separate passwords
for every login, few do so. It is indeed bad security to reveal ANY
user password in plaintext, as it could be tied to other (more
valuable) accounts. Those bashing Andrew over this are misguided. He
asked about it privately and was ignored - it is a legitimate issue
that anyone who uses the site should be aware of. Same with the issue
of reversible encryption. It isn't a huge deal - people can mostly
remedy it by ensuring their BAA password is unique and unlike their
other passwords.

EM Pins

unread,
May 16, 2012, 4:54:42 AM5/16/12
to
On May 15, 3:42 pm, Andrew <edg...@gmail.com> wrote:

You know, there are vendors who would be glad to take your check. You
won't need to worry about a password, and
You won't get any emails. :-). Problem solved.

In the mean time I'm just glad we have vendors like BAA supplying us
parts.


djcharlie17

unread,
May 16, 2012, 6:57:32 AM5/16/12
to
The views and opinions expressed by Andrew are strictly his. The
contents of this post have not been reviewed nor approved by Spooky
Pinball... especially Charlie who immediately called the young man to
inform him he was in fact... a dumb ass.

He's a good kid, and I know he feels pretty bad about the stir-up
here. I hope he learns from it, and I hope KT smacks him up side the
head at work today.

Charlie
http://www.spookypinball.com

Brtlkat

unread,
May 16, 2012, 7:57:36 AM5/16/12
to
Call the BBB and make a statement. as for seeing my phone# and address
and password NOT GOOD:eek:. Statement: You say watch what you say about
a company, FYI if it is a fact then everyone that has an account there
has right to know. It would be slander if this was not true. But in your
statement this is true.This should be disclamed in your site about,,
someones abiliaty to see your info (address,phone#) that we thought was
secure. Someone knowing your address and phone# opens up a wide variaty
of scammers, That have all that info....


--
Brtlkat

pins4fun

unread,
May 16, 2012, 8:29:32 AM5/16/12
to
On May 15, 12:24 pm, Andrew <edg...@gmail.com> wrote:
> I feel obligated as somebody who works in the technology field to bring this to everybody's attention. Bay Area Amusements stores customer information in an unsecured and unencrypted database.
>
> This is a very poor security practice and has led to data leaks time and time again.(See below for links) I attempted to notify somebody at Bay Area Amusements and by suggestion was closed and not resolved.
>
> Now the only reason I decided to bring this out like this is because my attempt to warn them of this went unheard.
>
> I for one can't justify the risk to my personal information and as a result cannot continue to order from Bay Area Amusements.
>
> If they resolve this issue I will delete this post and consider the matter closed and continue to order my supplies through them.
>
> Links:http://www.nytimes.com/2011/06/12/technology/12digi.htmlhttp://security.stackexchange.com/questions/12298/password-security-i...http://www.huffingtonpost.com/2011/06/08/sony-hack-problems_n_873443....

I will start by stating emphatically that, IMO, Bay Area Amusements is
as secure, if not more, as any other online business that accepts
credit card payments these days. To start something like this in a
public forum is irresponsible. I'm not Rick Butler, but my gut
reaction to your doing this here is pretty severe nonetheless -- I
feel offended. BAA has been a very reliable small business for the
pinball community for years, and I have never had any problems with
them or their customer information security not even once during all
the years I've been dealing with them (I always charge my orders to my
credit card, btw). BAA has an extremely functional website, they
maintain a wide and deep inventory, their prices are competitive, and
their customer service is at a personal level and caring, with
integrity and sincerity. BAA is place of business I never hesitate to
go to for my pinball parts, and your posting here is not going to
change that. To give you a small example, I was looking for rat's
hole cliffy for my BSD recently, and Sarah from their warehouse called
me at least 3-4 times to follow up on its incoming stock status (it's
in now, but I never got off my butt to order it yet). I have all the
respect for your expertise in matters related to technology field, but
I feel you're falling a little short on the ethical end of this
undertaking. Respectfully.

Frank Furhter

unread,
May 16, 2012, 8:36:23 AM5/16/12
to
Or just not do business with them at all and have it be a non issue
regarding the OPs concerns with BAA.

Joe Grenuk

unread,
May 16, 2012, 9:05:57 AM5/16/12
to
On May 16, 8:29 am, pins4fun <pins4...@gmail.com> wrote:
> On May 15, 12:24 pm, Andrew <edg...@gmail.com> wrote:
>
> > I feel obligated as somebody who works in the technology field to bring this to everybody's attention. Bay Area Amusements stores customer information in an unsecured and unencrypted database.
>
> > This is a very poor security practice and has led to data leaks time and time again.(See below for links) I attempted to notify somebody at Bay Area Amusements and by suggestion was closed and not resolved.
>
> > Now the only reason I decided to bring this out like this is because my attempt to warn them of this went unheard.
>
> > I for one can't justify the risk to my personal information and as a result cannot continue to order from Bay Area Amusements.
>
> > If they resolve this issue I will delete this post and consider the matter closed and continue to order my supplies through them.
>
> > Links:http://www.nytimes.com/2011/06/12/technology/12digi.htmlhttp://securi.......
>
> I will start by stating emphatically that, IMO, Bay Area Amusements is
> as secure, if not more, as any other online business that accepts
> credit card payments these days.  To start something like this in a
> public forum is irresponsible.  I'm not Rick Butler, but my gut
> reaction to your doing this here is pretty severe nonetheless --  I
> feel offended.  BAA has been a very reliable small business for the
> pinball community for years, and I have never had any problems with
> them or their customer information security  not even once during all
> the years I've been dealing with them (I always charge my orders to my
> credit card, btw).  BAA has an extremely functional website, they
> maintain a wide and deep inventory, their prices are competitive, and
> their customer service is at a personal level and caring, with
> integrity and sincerity.  BAA is place of business I never hesitate to
> go to for my pinball parts, and your posting here is not going to
> change that.  To give you a small example, I was looking for rat's
> hole cliffy for my BSD recently, and Sarah from their warehouse called
> me at least 3-4 times to follow up on its incoming stock status (it's
> in now, but I never got off my butt to order it yet).  I have all the
> respect for your expertise in matters related to technology field, but
> I feel you're falling a little short on the ethical end of this
> undertaking.  Respectfully.

That could have been written by me; it is a perfect response.

If I am Rick, no more soup for the OP.

And to the OP...if you are so damn scared of Rick's security or lack
thereof, take it up with him. Don't like his response or lack thereof?
DON'T BUY FROM HIM. Or, send him cash, money orders. Wire him some
money. Send him a MoneyGram. Fly to SFO and shop in person, I bet he'd
be glad to see you.

I am just sick and tired of all the vendor bashing that goes on here.
Don't like them, STFU and buy elsewhere. Every time I see one of you
bash a vendor, that is the vendor that gets my next order. Except
Wayne, we can bash him all we want.

Xerico

unread,
May 16, 2012, 9:29:14 AM5/16/12
to

pins4fun;1940914 Wrote:
> On May 15, 12:24*pm, Andrew <edg... (AT) gmail (DOT) com>
> wrote:[color=blue]
>
> I will start by stating emphatically that, IMO, Bay Area Amusements is
> as secure, if not more, as any other online business that accepts
> credit card payments these days. To start something like this in a
> public forum is irresponsible. I'm not Rick Butler, but my gut
> reaction to your doing this here is pretty severe nonetheless -- I
> feel offended. (snipped section regarding BAA's excellence) I have all
> the
> respect for your expertise in matters related to technology field, but
> I feel you're falling a little short on the ethical end of this
> undertaking. Respectfully.

Andrew (OP) reached out privately and did not receive a response.

So he escalates to a public forum to bring attention to this security
question/issue.

Outside of the pissing contest regarding IT positions, this has been a
very educational and respectful discussion.

Where is the ethical lapse? As far as I can tell, Andrew is not an
employee of BAA or of a competitor. He is simply a concerned customer.

BAA is a company that provides a service to the pinball collecting
public. Rick is also a stand up gentleman who has stepped up and
addressed his company's position.

Discussion regarding their online security is absolutely germane to our
hobby.

I feel that any attempt to censor public conversations regarding online
security is a greater breach of ethics than any particular thread within
this public discussion.

Marcus


--
Xerico

seymour.shabow

unread,
May 16, 2012, 9:54:17 AM5/16/12
to
Xerico wrote:
>
> I feel that any attempt to censor public conversations

Much more powerful when truncated. I agree. Everyone regardless of
what they're saying has a right to make an ass out of themselves.
Individual decisions as to if you want to read it or not is up to the
individual.

Moderation and Censorship is bullshit.

k...@evolve-studios.net

unread,
May 16, 2012, 10:02:26 AM5/16/12
to
HANG ON HANG ON
Andrew do you live in WI 53950 - does your phone number have 0541 in it, does your last name start with Edg????

If so - I found out all your personal information in 1 sec, and it had nothing to do with Bay Area Amusements.

Bottom line is people can find out your personal information no matter what - Its your credit cards you want to protect. And that information is not stored in your account area. They probably use Authorize. net or some other payment gateway to handle the secure transaction.

k...@evolve-studios.net

unread,
May 16, 2012, 10:26:58 AM5/16/12
to
Siri told me, she also said you have a dog and I should try its name for your login to bay area amusements :) Just kidding his password is not... herewego

jammer74

unread,
May 16, 2012, 10:37:45 AM5/16/12
to

>
> > You'd be on my banned customer list if I were a distributor for the
> > public bashing.
>
> I placed the information in a private format and was ignored. The amount in which I've ordered I feel is irreverent to the actual issue. Would my point be any more valid or less
> I'll stand by what I said or I wouldn't of said it.
>
> "No more needs to be said on my part. The password practice has beenpp pointed out and what changes is dependent on them. "

No more needs to be said on your part is your prerogative if you
think its appropriate .

Doesn't seem you have posted many times here and maybe you jumped the
gun on starting the witch hunt. If you look at some of ricks most
recent posts about the current computer virus floating around and him
giving claim to being able to help solve the problems if anyone needs,
you'll see he publicly posted his cell phone number .

If you were disregarded by an employee of BAA ,then the best thing
to do would be to call him directly.
I maybe wrong,but, I personally think maybe him offering his
"computer skills" put him and his company in your sights.
Maybe in the movies that works for computer hackers and IT guys to
aquire a consulting job testing security or computer systems but this
isn't the movies.

In the pinball community we are fortunate MOST suppliers are
hobbyists also so they can be approached a little easier than a
fortune 500 company and usually with open arms to take suggestions and
positive critisms. Good people appreciate honest help.
That being said, I think most will accept your actions as an attempt
at good intentions,if that is the case.
At the same time,most will agree you executed it poorly.

So in hindsight,maybe an apology for your approach is all that is left
to be said on your part. It is your choice to show what kind of
gentleman you are...or are not.

pins4fun

unread,
May 16, 2012, 10:25:17 AM5/16/12
to
Regarding the shortcoming (I never said a total lapse) of ethics on
this matter, to me, ethics means all matters generally pertaining to
morality, as defined and interpreted by the society's system of
values. This sytem is not a superficial thing; it has its roots in
things like tradition, religion, sense of fair play, and freedom from
fear-mongering, etc.

I agree that discussing online security is germane to our hobby and
Rick is a stand up gentleman who has stepped up and addressed his
company's position. What I find objectionable and unethical though is
anyone feeling licensed to try to publicly intimidate and leverage a
decent small business because of their perceived expertise in certain
areas, such as technology, law, science, etc. This is not only
unethical, it's also arrogant, unfair, and unacceptable. I also agree
with seymour-shabow that "everyone regardless of what they're saying
has a right to make a fool out of themselves and individual decisions
as to if you want to read it or not is up to the individual, and that
moderation and censorship is not desirable". All I'm asking for here
is a little bit of self-imposed restraint and respect for others well-
being and vital interests, that's all.

Below, I'm re-inserting the snipped section reargding BAA's
excellence:

metallik

unread,
May 16, 2012, 7:26:52 PM5/16/12
to
> So he escalates to a public forum to bring attention to this security
> question/issue.
>
> Outside of the pissing contest regarding IT positions, this has been a
> very educational and respectful discussion.

Yep. Some people seem to have to react overly-emotionally to anything
that could be construed as an attack on something they like. I notice
it tends to be the same group of people :) This issue that Andrew
discovered is not an attack on BAA - it is simply notice that their
email option will expose your BAA site password in plain text, and
that those passwords are stored with reversable (or no) encryption.
This is a potential security problem, even if the BAA account itself
isn't valuable, because of the 'same password for other sites' issue.
There is absolutely nothing wrong with informing people of this
problem, and it looks like Rick fixed it anyway.

> I feel that any attempt to censor public conversations regarding online
> security is a greater breach of ethics than any particular thread within
> this public discussion.

Again, to some people, it's impossible to participate in an
intelligent discussion without taking sides. Methinks they're so used
to taking sides and bashing the side they disagree with, they don't
even notice it happening anymore.

Classic Arcades Inc.

unread,
May 16, 2012, 8:12:04 PM5/16/12
to
With all the new licenses that Rick has got recently, expect allot of
never before seen products coming out soon.

Jeff
Classic Arcades Inc.

seymour.shabow

unread,
May 16, 2012, 8:41:42 PM5/16/12
to
Classic Arcades Inc. wrote:
> With all the new licenses that Rick has got recently, expect allot of
> never before seen products coming out soon.
>
> Jeff
> Classic Arcades Inc.
>

Which has to do with the topic how.....?

Frank Furhter

unread,
May 16, 2012, 8:44:02 PM5/16/12
to
Classic Arcades Inc. wrote:
> With all the new licenses that Rick has got recently, expect allot of
> never before seen products coming out soon.
>
> Jeff
> Classic Arcades Inc.

And this has what to do with online security and storage of client
information? You a stoolie for the aforementioned?

pins4fun

unread,
May 17, 2012, 12:37:19 AM5/17/12
to
On May 16, 7:26 pm, metallik <larry.sc...@dlptech.com> wrote:

> Again, to some people, it's impossible to participate in an
> intelligent discussion without taking sides.  Methinks they're so used
> to taking sides and bashing the side they disagree with, they don't
> even notice it happening anymore.

And what do you think you are doing with this post of yours, adding
anything new to the merits of the intelligent discussion?

cody chunn

unread,
May 17, 2012, 7:20:06 AM5/17/12
to
HATER!

-cody


"pins4fun" wrote in message
news:a74cdc08-080a-428e...@s27g2000yqd.googlegroups.com...

cody chunn

unread,
May 17, 2012, 7:21:52 AM5/17/12
to
I hope he allots me some of those parts!

-cody


"Classic Arcades Inc." wrote in message
news:d361d242-8544-42bb...@h10g2000yqn.googlegroups.com...

metallik

unread,
May 17, 2012, 12:27:50 PM5/17/12
to
Yes - pointing out how the issue in question could be a problem
(despite others' insistence that it is not), and why it needed to be
addressed (which it was). And yes, some comments about the peanut
gallery here as well :) I don't normally mess with subject warfare
either, but since the issue was corrected, no reason to leave it out
there. I don't want to impact Rick's business at all, but I do agree
with others that he needed to fix the plaintext problem.

pins4fun

unread,
May 17, 2012, 1:09:09 PM5/17/12
to
Metallik,

Thank you for your response. You sound like a nice gentleman, so I
think I will try to get my point of view across one more time with
you. Like yours, a great majority of the posts on this thread do not
seem to have any issues with BAA, but they, unintentionally, are
putting an excellent merchant's public image in a negative light and
hurting his business simply by virtue of highlighting such a minor
flaw in such a high-profile public forum. Regardless of BAA's alleged
initial lack of response, such a sensitive issue should never have
been escalated to a public forum. I personally would have shown more
restraint. Of course, this is a totally personal judgement call.

I felt incensed that while people were having this detached pseudo-
intellectual, "intelligent" discussion from the comfort of their
armchairs, somebody's lifetime struggle to build an honest business
was being (unintentionallly?) undermined. I know you and many others
will not see eye-to-eye with me on this matter, but please at least
consider that I am not and have never been a hater, do not know Rick
personally, and never taken sides on any issue without very careful
consideration. To me, this is a deeply ethical issue; nothing more,
nothing less. Rgds.

chuck

unread,
May 17, 2012, 3:02:54 PM5/17/12
to
On Thursday, May 17, 2012 1:09:09 PM UTC-4, pins4fun wrote:
> Regardless of BAA's alleged
> initial lack of response, such a sensitive issue should never have
> been escalated to a public forum. I personally would have shown more
> restraint.

Here's proper etiquette for reporting a security breech, perceived or real.

1) Privately inform the company, site, service of the breech.
2) Give that company time to fix the issue.
3) If the company doesn't fix the issue send another communication that you intend to reveal the breech in X amount of time if it's not fixed.
4) If the company fails to fix the breech report if publicly which will force the company to fix it.

I'm not sure if Andrew followed every step but I think he attempted to follow the spirit of the procedure. This is done everyday in the IT community. It as accepted practice. BAA fixed it so I doubt there will be as much as a hiccup in their business. Problem solved. The angry, many times uninformed, mob can go home.

jonny o

unread,
May 17, 2012, 3:50:57 PM5/17/12
to

Pacpin;1940487 Wrote:
> Well VISA will insure all the transactions should something happen to
> your account. But i'm pretty sure in order to be allowed to accept VISA
> that the business has to be verified by VISA as following all their
> guidelines and stuff. I'm sure BAA has some means of a safeguard in
> line or VISA wouldn't feel comfortable enough allowing him to accept
> payments.

You think wrong.

At one company I worked at, there was an optional inspection sort of
thing where the card processor would inspect your setup, do security
tests, etc. etc. and you got a lowered transaction rate in return.

At that company, which was very tech-phobic, they were running Microsoft
RMS with seven retail stores. The server sat on the floor (carpeted) in
the middle of a cube farm (no locked doors). The admin password was
five characters and the same as all their desktops, which at least half
the staff knew. When I unplugged the UPS, the server went down
immediately, as if there was no UPS at all.

This company had the most liberal exchange policy I've ever seen, and
they wanted exchanges to be as hassle free as possible. To that end,
for some unbelievable reason, they did not encrypt the credit card
numbers in their DB, even though the software warns you six ways to
sunday never to do that unless you're building a dev server.

So when the accountant talked about doing the inspection I showed him
all of the above and said "forget it."

In next week's episode: "Food Service!" Or: "Don't piss off your
waiter".


--
jonny o

Rompen

unread,
May 17, 2012, 4:39:51 PM5/17/12
to
On May 15, 11:24 am, Andrew <edg...@gmail.com> wrote:
> I feel obligated as somebody who works in the technology field to bring this to everybody's attention. Bay Area Amusements stores customer information in an unsecured and unencrypted database.

So does everybody else on the planet. Very few databases are
"encrypted". Facebook doesn't encrypt their databases. Microsoft
doesn't either. Do you have any idea what you're talking about?

Exactly what is the basis for this nebulous claim that their site is
"unsecured?" You could be getting into some sticky situation making
ambiguous public claims of this nature?

> When you order from them you will receive an email that has a link for "Checking order status online".
>
> You will look at the URL and it will contain "Customer_Password=YOUR ACTUAL PASSWORD"

Big whoop.

Any site that can e-mail you your password stores it unencrypted. It
is true that storing an encrypted password may be slightly more
secure, but only by a tiny fraction. Some sites offer the convenience
of telling people what their password is if they forget it. Users
should be smart enough to not use the same password on every site and
they'll be fine.

What you're making a big stink about is not a serious security issue.
At least 70% of every site on the Internet uses unencrypted passwords
in their database.

Rompen

unread,
May 17, 2012, 4:42:12 PM5/17/12
to
On May 15, 1:25 pm, Andrew <edg...@gmail.com> wrote:
> But you have to understand that when I actually click that link that contains my password, my password will be sent via my browser as an unencrypted request that will be viewable to every hop along the way.

If I were you Andrew, I'd be lawyering up. You may have some
explaining to do if Bay Area Amusments can show any loss of business
or reputation as a result of your inaccurate and sensationalized
claims about the integrity of their web site.

SpecialWhenLit

unread,
May 17, 2012, 4:58:23 PM5/17/12
to
BAA should be concerned. Have they informed all there customers of a
security breach? Not doing so could leave them open to a few lawsuits.

EK

yetterben

unread,
May 17, 2012, 5:35:45 PM5/17/12
to

Just mention Mothman and Blue shirt will run for the hills lol


--
yetterben

Xerico

unread,
May 17, 2012, 5:54:41 PM5/17/12
to

Rompen;1941644 Wrote:
Good Lord! A legal threat? Really?!

*SARCASM ON*

A Civil Suit is exactly what this situation needs! Customers need to be
put in their place! How dare they speak in public about their issues
with any business!

*SARCASM OFF*

Good luck pursuing that legal recourse.

If I were Anderw, I would call dibs on Greg The AZ Pinball Lawyer! ;-)

Marcus


--
Xerico

jammer74

unread,
May 17, 2012, 6:08:46 PM5/17/12
to
Andrew has seemed to have disappeared........

yetterben

unread,
May 17, 2012, 6:14:20 PM5/17/12
to

Maybe the Moth man got him....


--
yetterben

Ignus Fast

unread,
May 17, 2012, 6:19:55 PM5/17/12
to
Not so much. Any site that stores the password in a reversible format
is plain stupid. It should be hashed, and probably encrypted even
before that. The odds of a hash collision are remarkably low, but the
security gains from not leaking a real password are immense.

Ignus Fast

unread,
May 17, 2012, 6:20:12 PM5/17/12
to
Not so much. Any site that stores the password in a reversible format
is plain stupid. It should be hashed, and probably encrypted even
before that. The odds of a hash collision are remarkably low, but the
security gains from not leaking a real password are immense.

On 5/17/2012 3:39 PM, Rompen wrote:

jonny o

unread,
May 17, 2012, 7:12:09 PM5/17/12
to

Rompen;1941644 Wrote:
uh no.


--
jonny o

Craig Tiano

unread,
May 17, 2012, 7:16:51 PM5/17/12
to
On Thu, 17 May 2012 17:20:12 -0500, Ignus Fast <no...@none.com> wrote:

>Not so much. Any site that stores the password in a reversible format
>is plain stupid. It should be hashed, and probably encrypted even
>before that. The odds of a hash collision are remarkably low, but the
>security gains from not leaking a real password are immense.

Do you realize how incredibly inane it is to encrypt and then compute
a hash? Probably not, since you suggested it.

Best practice is to never send a customer their password. If the
customer forgets their password, you send them a single-use
replacement that's time stamped to self-destruct, or let them login
*without showing them their old password* (and then immediately force
them to put in a new password) after you have required them to
perform some task (like answering questions they previously provided,
giving you their zip code, and the like).

While there is little reason to store a password in a reversible
manner, there is reason to store a credit card that way, such as the
case where the customer is expected to purchase additional products.
It is up to the system administrator to utilize strong encryption, key
safety, multiple firewalls, and intelligent application design to
prevent the card data from being stolen and exploited.

Craig

seymour.shabow

unread,
May 17, 2012, 7:55:08 PM5/17/12
to
Rompen, new spokeman for 1-800-285-7448, some kind of referral service,
I guess.

Yeah, Rick can sue Andrew for all the lost business that Andrew is no
longer ordering from Bay Area.

Rick changing the way it works is kind of a give in that maybe it needed
to be changed, after it was brought to his attention.

chuck

unread,
May 17, 2012, 8:00:41 PM5/17/12
to
On Thursday, May 17, 2012 4:42:12 PM UTC-4, Rompen wrote:

"If I were you Andrew, I'd be lawyering up. You may have some explaining to do if Bay Area Amusments can show any loss of business or reputation as a result of your inaccurate and sensationalized claims about the integrity of their web site."

What he's really saying is, "I have absolutely no clue about IT infrastructure or legal matters."

Translated for clarity

Ignus Fast

unread,
May 17, 2012, 11:44:10 PM5/17/12
to
Untrue. If you're just going to hash alone, then you need to make sure
and use a decent salt. But while it's computationally more expensive to
encrypt then salt/hash, I've never seen anything indicate it's less
secure. There's no reason to be insulting about it, since you have no
idea at all either who the fuck I am OR what I know.

But you're right about the password not being sent to a customer. I've
seen that way too often. That and using the same bloody security
questions everywhere - do they really think it's that hard to find out
someone's mother's maiden name?

spamf...@gmail.com

unread,
May 18, 2012, 1:22:56 AM5/18/12
to
Oh, look! An e-penis measuring contest on the innerwebs series of tubes.... yawn...

OP is just another problem finder looking to make a name. I deal with this sort all too often. It seems to fade once they reach their 30s and the good ones realize problem solver is a better career path.

Craig Tiano

unread,
May 18, 2012, 8:25:39 AM5/18/12
to

I didn't say it was less secure. I said that it was inane.

<pedantic mode>
Think about the nature of a hash...It's a computation to produce a
reference value or checksum which represents a string. And encryption?
It's a computation that produces a reference value that is reversable.
Non-reversible encryption is the same as a hash. The end result of
either encryption or a hash is a representation of the original. When
you interatively hash and/or encrypt using multiple algorithms,
there's always a possible edge case where the result might be the
original plain text. So, generally, one avoids using multiple
techniques when attempting to secure something.
</pedantic mode>

You're right. I don't know who you are. You use a pseudo-nom and an
email address that's unlikely to actually be yours. On the other hand,
you can google me, because my name and email address are real.

Craig
0 new messages