Primus Canada gives away their customer list


Stephen van Egmond

Jun 3, 2009, 9:46:47 PM
to tor...@googlegroups.com
Today I got a note from a company I buy a service from, Primus Canada.

It included this link:
http://primusstimulus.ca/landing.aspx?xid=15459722

Which led to an absurd congratulatory "viral" video campaign that made
me want to gouge out my eyes. This video gimmick features my name all
over the place. What's the hook, I wondered? Someone gets paid for this?

It gets far better though: after the video played, I was shown a page
with my name and email address prominently featured.

To reproduce:
1. Copy http://primusstimulus.ca/landing.aspx?xid=15459722 into your
browser bar. Change the xid= number up or down a few hundred or so if
you like.
2. Wait for the page to load and for the server gerbil to grind out
your video and start playing. Do not watch the video; you will want
those 2 minutes back.
3. Click this link: http://primusstimulus.ca/refer.aspx
4. Profit!

The unsubscribe link takes me through dmenet.com, a Florida-based
unwelcome-email consultant.

Way to go, guys! Thanks for the spam!
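The steps above describe a sequential-ID lookup: the xid= value is a guessable database key, so walking the ID space walks the customer list. The following is an added example, not code from the original post and not Primus's or DME's code; the customer records, the server key and the function names are constructed for illustration. It puts the guessable-key handler beside a hardened variant in which the link carries an HMAC-bound token that the server alone can mint, so "change the number up or down" no longer resolves to a neighbouring customer.

```python
"""Sequential-ID landing page (the pattern in the thread) beside a token-based fix.

Added example with constructed data; nothing here is Primus or DME code.
"""
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag appended to each token

# Constructed sample "customer database". The integer keys play the role of
# the xid= query parameter from the landing-page URL.
CUSTOMERS = {
    15459720: ("Alice Example", "alice@example.com"),
    15459721: ("Bob Example", "bob@example.com"),
    15459722: ("Carol Example", "carol@example.com"),
}


def landing_insecure(xid: int):
    """The original behaviour: any integer xid resolves straight to a record."""
    return CUSTOMERS.get(xid)


def harvest(start: int, stop: int):
    """The enumeration an attacker runs: walk the ID space, keep every hit."""
    return [rec for xid in range(start, stop) if (rec := landing_insecure(xid))]


# --- hardened variant: per-recipient token that cannot be guessed or bumped ---

# Assumption: a long random key that lives only on the server.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(xid: int, key: bytes = SERVER_KEY) -> str:
    """Token = xid || HMAC-SHA256(key, xid), URL-safe base64 without padding."""
    msg = str(xid).encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return urlsafe_b64encode(msg + tag).decode().rstrip("=")


def _split(token: str):
    """Decode a token into (id bytes, tag bytes); raises ValueError on malformed input."""
    raw = urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) <= TAG_LEN:
        raise ValueError("token too short")
    return raw[:-TAG_LEN], raw[-TAG_LEN:]


def landing_secure(token: str, key: bytes = SERVER_KEY):
    """Resolve a record only if the tag verifies; forged or altered tokens yield None."""
    try:
        msg, tag = _split(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return CUSTOMERS.get(int(msg))
    except ValueError:
        return None


def tamper_increment(token: str) -> str:
    """What 'change the number up or down' becomes against a token: keep the tag, bump the id."""
    msg, tag = _split(token)
    bumped = str(int(msg) + 1).encode()
    return urlsafe_b64encode(bumped + tag).decode().rstrip("=")


if __name__ == "__main__":
    print("insecure harvest:", harvest(15459700, 15459800))
    good = issue_token(15459722)
    print("valid token resolves:", landing_secure(good))
    print("bumped token resolves:", landing_secure(tamper_increment(issue_token(15459721))))
```

A purely random token stored server-side works just as well as the HMAC construction and avoids key management; either way the point is that the value in the URL must not be derivable from the value in someone else's URL. Note also that a mailed link only proves that the link was sent to that address, not that the person viewing it is the customer (the message may have been forwarded), so even with unguessable tokens the landing page should not echo the name and email back at all.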

Andrew Louis

Jun 4, 2009, 11:25:17 AM
to TorCamp
Wow, this is pretty ugly.

Jason Doucette and I blogged about it:

http://jasondoucette.ca/2009/06/04/primus-security-failure/

http://hyfen.net/out/writing/2009-06/how-to-harvest-the-primus-customer-database-in-3-easy-steps/


On Jun 3, 9:46 pm, Stephen van Egmond <svanegm...@tinyplanet.ca>
wrote:
> Today I got a note from a company I buy a service from, Primus Canada.
>
> It included this link: http://primusstimulus.ca/landing.aspx?xid=15459722
>
> Which led to an absurd congratulatory "viral" video campaign that made
> me want to gouge out my eyes. This video gimmick features my name all
> over the place. What's the hook, I wondered? Someone gets paid for this?
>
> It gets far better though: after the video played, I was shown a page
> with my name and email address prominently featured.
>
> To reproduce:
> 1. Copy http://primusstimulus.ca/landing.aspx?xid=15459722 into your

Michael Allan

Jun 4, 2009, 12:48:45 PM
to tor...@googlegroups.com
Andrew Louis wrote:
>
> Wow, this is pretty ugly.

As a breach of privacy, you mean?

> Jason Doucette and I blogged about it:

Jason is a technical expert. His blog post concludes that the breach
was probably unintentional, a technical oversight by the company. On
reflection, was posting/blogging about it the right way to respond?

I don't pretend I would have done better in your place. I don't know,
I wasn't there. But it's an interesting ethical question, all the
same.

--
Michael Allan

Toronto, 647-436-4521
http://zelea.com/

Stephen van Egmond

Jun 4, 2009, 1:22:19 PM
to tor...@googlegroups.com
> I don't pretend I would have done better in your place. I don't know,
> I wasn't there. But it's an interesting ethical question, all the
> same.

I thought about this. As a practical matter, it is probably not going
to result in any noteworthy negative effect on those 120,000 or so
people.

It's only name + email address, after all. I'm sure that some
of them use their last name as a Hotmail password. Oh well.

The practical outcome I wanted is not a black eye for Primus; they are
doing to the telecom monopolies what Teksavvy does, minus the
rabble-rousing, and this clearly went through the marketing guys who
probably didn't guess there was a security aspect to this.

I want their supplier, "DME Enterprises" who specialize in this kind of
unwelcome intrusion, to get a kick in the reputation they so richly
deserve.


Jason Doucette

Jun 4, 2009, 2:44:16 PM
to tor...@googlegroups.com
I've been thinking about what a "proper" response would/should have been to this a fair bit since this morning. I think there's an interesting trend emerging, at least on the edges of the internet, where complaining (shaming?) publicly is the fastest way to bring attention/resolution to problems. Frankly, I'm not sure how I feel about that...

In hindsight, I think I would have done some things differently, but I still would have communicated the message. If I'd spent some time to come up with an intended outcome, I would have probably worked to a) get the word out so someone who knows someone might bring the issue to the right person (though I have no illusions that my post had anything to do with the site getting pulled), and b) educate other developers to guard against this kind of thing in the future.

So further to ethics, now that the site's gone, is it worth an edit to focus more on the technology issues and less on company reputation (noting that I don't even mention DME in the current revision)?

Jason

Stephen van Egmond

Jun 4, 2009, 3:25:24 PM
to tor...@googlegroups.com
It's a worthwhile discussion to have. I'm certainly having a week from hell, and the crabby quotient is way up there.

If this were anything important -- a vulnerability in a key system, or sensitive data like health or financial accounts -- I would lean towards non-public disclosure and trying to work with a company to make corrections.

For instance, the passport system vulnerability (same situation, URL editing "attack") -- I would never have dreamed disclosing this until I'd satisfied myself those responsible weren't acting responsibly.

> So further to ethics, now that the site's gone, is it worth an edit to focus more on the technology issues and less on company reputation (noting that I don't even mention DME in the current revision)?

Is this really a technology issue? This to me is a pure PEBCAK problem, with people in charge of sensitive information making ignorant decisions about how to handle it.
