RealNames Customer Data Stolen

Sc00ter writes "C|Net News reports 'RealNames, a company that substitutes complicated Web addresses with simple keywords, is warning its users that its customer database has been hacked, and that user credit card numbers and passwords may have been accessed.' Complete story here." Remember when NSI teamed up with Centraal, the creators of RealNames?
  • by Anonymous Coward
    Look at the stupid protocol: I transmit a magic number, and the number grants access to tons of money to anyone who finds it.

    I want to have a cryptographic protocol, more like this: the merchant says my bill comes to (say) $73.95 and presents me with an invoice. I authorize the invoice with my private key and transmit it back to the merchant. The merchant presents the authorized invoice to my bank, which verifies the authorization and transfers the money from my account to the merchant.

    No more lost CC numbers (if you lose your private key you are about as hosed as if you lose your CC now: call your bank immediately). No more overcharges (I hate it when I buy something and the merchant hits me with a shipping fee that I didn't notice). No more mass compromises a la Netcom and Realnames. No more zillion pieces of paper lying around the typical restaurant with CC numbers on them.
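The protocol sketched in this comment, as an added example that is not part of the original thread: the merchant presents an invoice, the customer signs it, and the bank verifies the signature before moving money, so the merchant never holds a reusable secret. It uses Ed25519 from Go's standard library; the party names, amounts, JSON encoding and nonce are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Invoice is what the merchant presents; the nonce stops double settlement. Field names are assumptions.
type Invoice struct {
	Merchant string `json:"merchant"`
	Cents    int64  `json:"cents"`
	Nonce    string `json:"nonce"`
}

// Authorization is the invoice, the paying account and the customer's signature over
// the invoice's JSON bytes. The merchant forwards it unchanged to the bank.
type Authorization struct {
	Invoice  Invoice
	Customer string
	Sig      []byte
}

// Authorize is the customer's step: sign the invoice exactly as presented.
// encoding/json writes fields in declaration order, so signer and bank agree on the bytes.
func Authorize(priv ed25519.PrivateKey, customer string, inv Invoice) (Authorization, error) {
	msg, err := json.Marshal(inv)
	if err != nil {
		return Authorization{}, err
	}
	return Authorization{Invoice: inv, Customer: customer, Sig: ed25519.Sign(priv, msg)}, nil
}

// Bank knows each customer's registered public key, all balances and what it has already settled.
type Bank struct {
	keys     map[string]ed25519.PublicKey
	balances map[string]int64
	settled  map[string]bool
}

func NewBank() *Bank {
	return &Bank{map[string]ed25519.PublicKey{}, map[string]int64{}, map[string]bool{}}
}

// Register enrols a customer's public key; the private key never leaves the customer.
func (b *Bank) Register(customer string, pub ed25519.PublicKey, balance int64) {
	b.keys[customer] = pub
	b.balances[customer] = balance
}
func (b *Bank) BalanceOf(account string) int64 { return b.balances[account] }

// Settle is the bank's step. An altered amount breaks the signature; a second
// presentation of the same invoice is rejected as already settled.
func (b *Bank) Settle(a Authorization) error {
	pub, ok := b.keys[a.Customer]
	if !ok {
		return errors.New("unknown customer")
	}
	msg, err := json.Marshal(a.Invoice)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, a.Sig) {
		return errors.New("signature does not match the presented invoice")
	}
	key := a.Customer + "/" + a.Invoice.Merchant + "/" + a.Invoice.Nonce
	if b.settled[key] {
		return errors.New("authorization already settled")
	}
	b.settled[key] = true
	b.balances[a.Customer] -= a.Invoice.Cents
	b.balances[a.Invoice.Merchant] += a.Invoice.Cents
	return nil
}

// Demo runs the exchange with constructed parties and returns the bank plus its
// verdicts on an overcharged copy, the honest authorization and a replay of it.
func Demo() (bank *Bank, tampered, honest, replay error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank = NewBank()
	bank.Register("alice", pub, 10000) // $100.00 on account
	bank.balances["shop"] = 0           // merchant needs no key to be paid
	inv := Invoice{Merchant: "shop", Cents: 7395, Nonce: "inv-0001"}
	auth, _ := Authorize(priv, "alice", inv)
	bad := auth
	bad.Invoice.Cents = 8395 // merchant adds a shipping fee after the customer signed
	tampered = bank.Settle(bad)
	honest = bank.Settle(auth)
	replay = bank.Settle(auth)
	return
}

func main() {
	bank, tampered, honest, replay := Demo()
	fmt.Println("overcharge:", tampered, "\nhonest:", honest, "\nreplay:", replay)
	fmt.Println("alice:", bank.BalanceOf("alice"), "shop:", bank.BalanceOf("shop"))
}
```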

  • Check out E-Gold [e-gold.com]. You can trade in gold, electronically. You can use it, among other places, at the Anonymizer.com.


    Mark
  • by willey ( 997 ) on Monday February 14, 2000 @03:08AM (#1277371) Homepage

    The way to fix this problem, quite simply, is to never store the credit card numbers on a public server, or for that matter, any machine that is connected to the net. Before anyone whines that this is too hard to do, let me tell you -- I do things this way.

    There are a number of other bonehead things that many e-commerce sites do that are IMHO grossly negligent. The big ones:

    • home page is unnecessarily on a machine that has scripts or cgi enabled -- strip down Apache or use 'publicfile', a secure static content server
    • web server does double duty as FTP server, email server, name server, godknowswhatelse
    • failure to keep up with security patches

    Security: It's not that hard.


    Mark
  • The RSA site that was cracked was running Redhat/apache while the main site, which wasn't hacked, runs NT/IIS 4.0.

    If this situation had been reversed, I bet it would have been all over /.

  • ...and make sure the key to decrypt them isn't on the same server as they are stored on. (At the very least.) Best if the machine the decryption key is on is not even connected to the internet, at least not directly.

    Sounds pretty obvious, but many a programmer goes half-way for security, and leaves something simple out/does something dumb, that leaves a hole.
  • For an interesting view of what is alleged to be the real reason why the U.S. went off of the gold standard (so that the rich could get richer moving in and out of the currency markets) see Taylor Caldwell's "Captains and Kings".
  • by Now15 ( 9715 ) on Monday February 14, 2000 @02:22AM (#1277375) Homepage
    "The perpetrator was able to access customer records, credit card numbers and passwords. But Teare said there was no evidence that any credit card numbers have been used."

    "The perpetrator was able to access a stolen copy of Windows 2000 server. But Gates said there was no evidence that this criminal has actually installed it on his machine and fiddled around with the menu font"

    "The perpetrator stole a BMW from some old couple up in the hills. But Jones said there was no evidence the car had been used to do wheelies, or pick up chicks."

    "The perpetrator was able to get his hands on a very large amount of stolen handkerchiefs. But Smith said there was no evidence the handkerchiefs weren't sold at a ridiculously low price to a bargain basement store out in the suburbs."

    "The perpetrator was able to install Linux on his computer. But Linus said there was no evidence he has read slashdot."

    "The perpetrator was able to access customer records, credit card numbers and passwords. But Teare said there was no evidence that any credit card numbers have been used."

    --

  • You know, any fraud perpetrated with these credit card numbers is going to get covered either by RealNames or some other middleman company in the credit card business.

    So who is going to sue whom? Is Visa going to sue RealNames? Is Bank Of America going to sue RealNames? Will RealNames just have to eat any fraudulent purchases made with these cards, and then sue their contract network administrators?

    Certainly the RealName customers aren't going to get harmed (other than the minor hassle of being issued a new card), so what grounds would they have for a lawsuit?
    --
  • by arivanov ( 12034 ) on Monday February 14, 2000 @03:05AM (#1277377) Homepage
    Are all these attacks recently somehow related?

    Yes, they are related by the fact that:

    • Lots of companies have jumped on the Internet bandwagon without understanding what they deal with
    • Lots of companies who have been around for a while have grown to the point of "let's make exclusive agreements, long live marketing"
    As a result of both of these there are a lot of sites whose security is at best "relaxed". Worst of all, some companies who used to deploy high quality equipment and personnel are dropping to inferior stuff due to the inability to maintain the quality in sight of quantity, or even worse due to "exclusive marketing agreements". So the result is lots of dots (in guess which domain).
  • Gold has no intrinsic value. Oxygen, now THAT has intrinsic value.

    Currency systems are only what you make of them.


    Bad Mojo
  • I didn't say water and air made good currency. I said they had intrinsic value. Anything non-essential to life has implied value. 'nuff said.


    Bad Mojo
  • Isn't there some old saying about locking the stable door after the horse was stolen? What is there left to "secure further"?

    Yes, but what about the new "horses"? If they were stolen once, then shouldn't RealNames do something to protect future customers' data?

    -Brent
  • The idea is that you don't have to risk sending your CC number over and over again. Unfortunately some companies don't seem to understand that if they're going to hold onto CC numbers they should:

    a) store them on a machine not directly connected to the internet,
    b) encrypt them,
    c) give users the choice of keeping their CC number or not.
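An added example (not from the thread) of points (a) and (b) above and of the earlier reply about keeping the decryption key off the server: the web tier holds only an RSA public key and stores ciphertext, while the private key lives on a back-office machine that is not reachable from the internet. The tier names, the OAEP label scheme and the test card number are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"regexp"
)

// StoredCard is the whole database row the internet-facing tier keeps: ciphertext
// it cannot open, the customer it belongs to, and the last four digits for display.
type StoredCard struct {
	Customer   string
	LastFour   string
	Ciphertext []byte
}

var panRe = regexp.MustCompile(`^[0-9]{13,19}$`)

// luhnValid is the standard mod-10 check every card number must pass.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// WebTier holds only the public key. A dump of its database yields ciphertext and a
// key that can encrypt but not decrypt.
type WebTier struct{ pub *rsa.PublicKey }

// Store validates the number, encrypts it under the back office's public key and
// binds the ciphertext to the account through the OAEP label.
func (w WebTier) Store(customer, pan string) (StoredCard, error) {
	if !panRe.MatchString(pan) || !luhnValid(pan) {
		return StoredCard{}, errors.New("not a plausible card number")
	}
	label := []byte("card:" + customer)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(pan), label)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Customer: customer, LastFour: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// BackOffice is the machine that is not reachable from the internet; it alone
// holds the private key and decrypts only when a charge has to be made.
type BackOffice struct{ priv *rsa.PrivateKey }

// Open recovers the number. A row copied onto a different customer fails, because
// the label is checked as part of OAEP decryption.
func (b BackOffice) Open(c StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, b.priv, c.Ciphertext, []byte("card:"+c.Customer))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Demo splits one key pair between the two tiers and exercises the round trip
// plus an attempt to open a row re-labelled to another account.
func Demo() (row StoredCard, recovered string, relabelErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	web := WebTier{pub: &priv.PublicKey}
	office := BackOffice{priv: priv}
	const pan = "4111111111111111" // well-known test number, not a real card
	row, err = web.Store("alice", pan)
	if err != nil {
		panic(err)
	}
	recovered, err = office.Open(row)
	if err != nil {
		panic(err)
	}
	moved := row
	moved.Customer = "mallory" // same ciphertext attached to another account
	_, relabelErr = office.Open(moved)
	return
}

func main() {
	row, recovered, relabelErr := Demo()
	fmt.Printf("web tier row for %s: ****%s, %d bytes of ciphertext\n", row.Customer, row.LastFour, len(row.Ciphertext))
	fmt.Println("back office recovered:", recovered, "| re-labelled row:", relabelErr)
}
```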

  • Yes it looks like they do run IIS/NT on their front end, but can you tell what the backend really is just from looking it up at Netcraft? This break-in may not mean that the front end webserver was cracked, it would more likely mean that a backend database machine was broken into.

    $ telnet web.realnames.com 80
    Trying 216.86.227.154...
    Connected to web.realnames.com.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Mon, 14 Feb 2000 18:30:36 GMT
    Connection: Keep-Alive
    Content-Length: 11376
    Content-Type: text/html
    Expires: Mon, 14 Feb 2000 18:30:36 GMT
    Set-Cookie: ASPSESSIONIDGQGGGGOP=CJKDLDFCJOOOOOOJGBBLMONM; path=/
    Cache-control: private

    Connection closed by foreign host.

  • Have you looked at AOL subscription numbers lately? Unfortunately most net users tend to be fairly unclueful... *sigh*

  • I know why they'd have credit cards online. How do you reconcile these three requirements:

    1. The site must be easy to use, and you want people to come back, so you want them to have their profiles stored and not require them to enter their credit cards each time.
    2. The web server (or applications server as the case may be) needs to know their credit card number so it can arrange payment for the order.
    3. The site must be secure so that nobody can get at people's personal info, esp. credit cards.

    I was recently hit with this problem... and didn't find a solution that was secure enough, so we're ditching 2 and doing that separately.

  • Messing is a yellow metal too. It's not an element, but it is metal...

    ----------------------------------------------
  • Actually, in my opinion, keeping credit card data on any system at all accessible from the net for more than a few minutes should be called criminal negligence. Sue them out of existence _and_ throw them in jail.
  • I'd argue that e-commerce very much _needs_ such a setback. What's the use of encrypting with ssl or anything when the real risk is the morons on the receiving end keep the credit card info accessible for every script kiddie and their dog anyway?

    You're perfectly right, of course. Investing in stocks in companies doing what any guy in a basement could do is only playing a pyramid game. Very popular in countries such as Albania, but you'd imagine investors in more industrial parts of the world would have better sense.
  • You'd think that at some point these damned companies that collect sensitive information would start treating it like it was sensitive. I wonder if it'd be possible to put the screws to some of these guys?
  • by voop ( 33465 ) on Monday February 14, 2000 @02:35AM (#1277390)
    Are all these attacks recently somehow related?

    ....well, damn good question, I'll say yes. Not necessarily because they're committed by the same group of people. But because they are DUE TO the same group of people. Yes, I am of course talking about the group of people commonly known as "system administrators", "network administrators", the "IS-department" etc.

    Without casting blame on anyone, my general experience from all too many years as an independent consultant is that most of the people in charge of managing security at various sites know next to nothing (if even that much) about what they are doing and what they are up against. I've seen horrifying examples from within the financial sector as well as the public health sector, which makes me everything but surprised when security is violated or sites taken down (sites being used in a more general term than "www-servers").

    It's probably not the network administrators who are to blame either - it's their managers and organization who are often clueless as to what is required and therefore hire the first the best guy who can spell "Windows NT" without making too many mistakes. Being a bit harsh - I know - but these days people are hired on "vendor certificates" (as in MCP and CNE) rather than generic skills - for example within networking or computers in general. Having completed a "vendor certification program", one surely must know the products one has been certified for. But that's (unfortunately) no guarantee that the person has the knowledge required to manage a network.

    As an example I've time and time again been surprised to see the amount of "MCP's" (and those "microsoft certified engineers" or whatever their title may be), who had superior skills when it came to managing their NT-boxes - but for whom solving even the simplest networking problems was impossible. Most people who've grown up with computers are very familiar with tools such as ping, traceroute, tcpdump and friends and know some of the workings of the commonly used protocol stacks - and most of those new-born administrators are barely familiar enough with networks to know what an IP-address is.

    I know it is difficult to find people with good qualifications. I've been looking for some for clients for the past 2 years with little luck. Most applicants put up a blank face when presented with technical questions that go beyond "point-and-click". Yet they still get jobs in different companies....

    So yeah, I am not surprised....and yeah, those attacks are somehow related...

    Just my $0.02

  • 128-bit encryption does not make a secure server-client relationship. The data also needs to be encrypted and protected on the server. It baffles me that supposedly tech oriented companies can't figure this out.

    This sounds good, but it becomes very cost/time prohibitive with database growth. Accessing a database takes time anyway, as does generating a report or searching for data ... now imagine performing (insert favorite encryption technique here) on just 1,000,000 records of 20 fields apiece. Every search, sort, merge, add ... very CPU expensive. Unless you have the resources to procure a behemoth of a machine, it's going to bog a lot of stuff down.

    Now granted, I'm no security or DB expert, and I'm not claiming to be; I'm just putting it in my perspective. Certainly, for small databases/companies, this may very well be the solution. And larger companies that can afford to do so, I'm sure do. Mid-range companies, however, I'm doubtful can. If there is a better solution, by all means, tell me; I enjoy learning.

  • Hmm ... it seems that not a day goes by without some sort of hacking/DOS incident making the news. Given the somewhat crazy valuation of internet/e-commerce companies, one must wonder how stable the current boom is. Most of these companies don't have much in terms of sales revenue or profit (especially when compared to the traditional brick and mortar business companies), so their valuation (and to some degree their success) depends on the image they evoke. As such, their valuation is really determined by the public believing the great future these companies hope for. How much would it take to shake this confidence? Is 1 incident a day enough to make Joe Public lose confidence? Because once that happens, the money that has been pumped into the .coms might just evaporate very quickly ...

  • Ok you want security, it's going to cost you $1000 an hour. You don't like it, take a fsck hike cause some teenager is going to take you down. Sure my billable rate seems high but my sites don't get hacked (well the real old one does from time to time but hey it's a damn old box {10+ yrs} and it's like the pet you can't let be put to sleep).

    The scary thing is there are people much better than me out there for securing boxes. Are you one? If so why the he0x6c0x6c aren't you asking for your fair share?

    The marketeers that run this crud are making billions.

  • Encrypt those damn f* CC numbers! There's nothing as secure and cost effective as encrypting the database (and storing the private key off the server of course!). Any system is supposedly crackable, but we have yet to see a cracker brute-forcing a 2048 bit/PGP encrypted CC number...
  • I'm wondering what sort of security they managed to buy/write and integrate in 48 hours. It was either a very small problem, a basic oversight, or 48 hours work won't solve very much.
  • Here's an updated story [newsbytes.com] indicating a second cracker replaced the 'fixed' page.

  • Potentially the most worrisome (at least to the general public), but least covered in the press of the recent cracker attacks against major websites, early Sunday crackers managed to replace the main page of www.rsa.com [rsa.com] with their own message.

    Here is the Newsbytes story [newsbytes.com].

  • If you go to a shop, they take your credit card, send the information through electronically and the payment process starts. They do not keep a copy of your credit card information forever!

    Why are these internet companies doing this? We should get it stopped. I don't think that these databases should be allowed to keep hold of our information longer than necessary to complete the transaction.
  • Gold is itself not immune to inflation. The difference is that while inflation in paper money is controlled by the people who issue the paper, inflation in gold is totally dependent on external events. Find a big new source of gold and its value drops. This is not farfetched. It happened to the Spanish in the 16th century.

    Also bear in mind that the price of gold is today about what it was twenty years ago, despite the fact that inflation has just about doubled prices over that time period.

    A gold backed currency works on the theory that it prevents the government from mucking with things too much. The government can't create new gold like it can new paper money, and this prevents governments from causing too much inflation. But it does not prevent any control. Imagine what would happen to the price of gold if the US government decided to sell everything in Fort Knox tomorrow... And it also depends on the amount of gold in circulation being basically related to the size of the population.
  • One thing that is rarely mentioned when talking about the German hyperinflation of the thirties is the boon it was to the German farmer. Farmers that had previously been in hock up to their eyeballs (much like the American farmer today) found themselves able to pay off their mortgages with the equivalent of $100.

    Just for kicks, I threw the following numbers into my calculator with my salary: Inflation of 10% a month. Salary increase of 5% a month. In other words, a salary not keeping up with inflation. Yet over that time, my food+housing costs actually decline in real terms, because while my food costs double, my monthly mortgage is effectively halved. Since my mortgage is a lot higher than my food cost, I am actually better off even with inflation increasing faster than my salary, at least in the short term!

    Then add to that the fact that the value of my house goes up 1.79 times.

    (All this ignores the secondary effects, being that all those lower mortgage payments hurt the banks, which make it harder for companies to borrow, which causes layoffs, which could take my salary to $0, etc, etc.)

  • Already some around here are making the 'well, OS Brand X is more secure than OS Brand Y' kind of statement. This poster is saying something that many of us know, but for some reason many commerce sites have not caught on to ...

    it does not matter how secure the OS is if you set it up and administer it insecurely

    Moving the database to a secure machine that is not accessible from the internet (as well as the other measures this poster lists) is a minimum precaution. True, you have to actually know something about communicating with a DBMS and more than HTML and the server scripting language of your choice. But this is not amateur hour anymore -- not when you are handling live financial information.

  • Really. What is the problem with highly encrypting things like credit card information?
  • I've got a credit card, and I avoid using it. I actually only use it for paying hotels and at airports. I don't understand how people can use credit cards online: the vendor has all information to pay himself twice or as many times as he likes! Or someone who steals the information can do this too.

    I'm actually more afraid of the vendors than the thieves.

    One day I rented a car in Antwerp, Belgium. The contract said "unlimited kilometers". Well, when I brought the car back, the company charged me for excess kilometers, saying that I had gone over the limit specified in the "General Terms & Conditions" to which the contract refers, but which are not specified in the contract. He charged me without my consent: he actually paid himself from my funds. I complained about this to my bank, because it violates the general conditions for the use of the credit card. These general conditions say that I must sign the slip in order to pay. Nonetheless, the Bank Card Company refused to refund this payment. Even though I would probably win the case in court, because while I may have agreed to the contract, I have never agreed to the payment, regardless of the contract, the Bank Card Company knows very well that it's not worth going to court for 200$.

    If you generalize this case, it means that companies may very well state in their terms and conditions that, for example, a subscription to a magazine will silently be renewed, and that they are allowed to charge your credit card at the end of every term. They may add all kinds of costs in small print that you've never seen and charge you for that too.

    I don't want a payment method in which a vendor could potentially serve himself a second time without my consent! It's too risky because it's simply inviting abuse! That's why credit cards are simply too dangerous to use frequently.

    An online payment system should open 3 secure connections at the same time:
    customer clearinghouse
    vendor---token2,confirmation,amount->clearinghouse

    The vendor should never,ever see the information that the customer transmits to the clearinghouse (token1) to validate the payment.
  • I mean you know that you are at risk when you shop online. The first thing my card company told me when I got mine was to never use it on the net. They were quite clear that this form of payment isn't safe (yet).

    I think that one way to make it less attractive for these people to hack those sites is to try and ignore 'm a bit more. I wonder how much money they can make with the stuff in the databases they hacked and if it's really worth the effort.

    The best way of course would be to stop using cards on the net altogether. And I just can't understand why nobody has come up with something else. The electronic wallet (chipcard) is already very common to use. You load it up & have some amount of money on it. Want to pay online? Hook up a cardreader to your pc and when you need to pay you just insert the card.

    Sure; even this system can be tampered with but I'd rather lose 100 guilders which was stored on my chipcard than the whole amount of money I may spend on my credit card (which lies around 78.000 guilders iirc).

  • Keeping credit card data in the database is nothing short of gross negligence. We're going to see a lot of lawsuits over security practises now that the internet's gone commercial, and we're going to start finding out how piss poor most security is. This [techweb.com] is going to start the trend -- release the hounds!

    In this case, a class action lawsuit is a surefire winner. There's no reason those bozos had to store credit card data in the database.

  • This story is a little confused compared to what I posted up to /. some days ago...

    Hackers do spoof to hide their origin address, but what these perps did was to change URLs to a box in China.

    My thought is: due to the control the Chinese Gov't exerts on their populace's boxes, and an even stronger one would suppose on a 'government site', how come there was a page waiting at the other end? (allegedly).

  • "We've added further security over the last 48 hours," Teare said.

    Hmm - I'm just wondering why this 'further' security wasn't in place to start with.
  • Just did a quick check in Netcraft. Not surprisingly, the site is hosted on an NT/98 server. I am shocked when people actually use an NT machine to run a web site on the Internet (I guess NT can host a low traffic, zero-security intranet). We have a client who wants to use NT & IIS as the server, SQL Server 7.0 as the backend database, and Windows CE as the terminals. I laughed my a*s off and asked how much incentive Microsoft gave to you. Of course, the project manager told me the software is almost free from Microsoft if they actually get the project done and online. None of these e-commerce sites thought about using Linux, not because they are ignorant, but because Microsoft did a good job in marketing. I actually heard a salesperson from Microsoft say, "If Linux is good, why is it free?" What the fsck is he talking about.

    Matt
  • The hit to perform a simple symmetric encryption should not be huge. And any decent server OS would even allow for concurrent key changes, so that no human being would ever need to know the key.

    The quality metric of an encryption algorithm is the ratio of times that conversion from plaintext to ciphertext and back takes with and without the key. Frankly, we aren't talking about anything really high tech as far as the encryption requirement goes. You even have the advantage of a small, uniform-length plaintext, of which much of the crack-useful data can be stripped. (For instance, you could use 2-3 bits for the type of CC header, instead of the actual 3-4 digits usually used.)

    Also no expert, but with a little experience, your search algorithms will give you more efficiency issues.

  • I saw this on CNN about a dozen times last week. Emmet, I recommend you spend less time with your friends / lovers and more time watching the news.

  • What if the page hack actually subtly changed the web site instead of "owning" the home page. I bet there are a few of them around, unreported and unfixed. As web applications grow this kind of unauthorized entry could be a real menace. For now I'm glad the www crackers are having fun because it should make it harder for the feds to sneak in via the web door.

    I worked at an ISP and people building web sites for big clients seemed quite happy to put the database INSIDE the web space. Happy that ftp would protect them and that not publishing the url to the db was enough to keep it safe. I did manage to help the few I spotted but god knows how many were content to do that. Frontpage Extensions use an _private directory that is excluded from the web space but if doodz can hack in I don't know what they can get to and extract.

    Changing form pages to direct the script elsewhere or changing the scripts themselves to do something different are two exploits. If the overall result to the website is the same how long before someone notices?

    Hopefully Webpage hacks are important because their footprints help make better bolts for the stable doors.

    RSA getting done is ironically funny.

    Servers are only as safe as their weakest link.
    Which is the weakest: NT, Redhat, sysadmin, dept. budget, webmaster, client demands, browser?
    As each tier presents itself the complexity opens holes on its own as the application often overreaches the capabilities of one of the functional units. "Get the job done" can "Do the right thing" in the mind of the person who pays the piper.


    .oO0Oo.
  • FROM: RealNames@bayarea.realnames.com

    Dear Real Names User,

    We've been 0wn3d.

    Your new password will be IOWNYOU
    Please log in and change it so we can all get access.

    J R Cracker

    p.s. please do not reply to this e-mail as it is fake. I just put FROM: RealNames@bayarea.realnames.com in the header but you probably don't know that and trust an email just by the from address.
    .oO0Oo.
  • If you have a PDQ machine in your shop you are instructed to keep the bottom copy of the slip for your own reference.

    We stored ours in the cellar. You are not told for how long to keep them. We ended up shredding them regularly. Anyone who broke into our shop could run off with plenty of slips.

    btw. We don't have this shop any more.

    While they were there they could steal the computer with all of our customers' details too. We have a monthly subscription for which we keep a copy of the CC number. We keep 'em encrypted but a client program decrypts them so someone can type them into the PDQ every month.

    I know it all sounds lax on the security front but I'm telling you because it's a real world example of how a real small business runs itself. CC's are not secure by any stretch. Thinking otherwise is dumb.
    .oO0Oo.

  • Seems like only "Face saving" efforts to me. The usual spin put on after blatant failure. In this case, I really think they were just unlucky that they got hit. With the lax effort put forth on most dot com's when it comes to security, I think their practices are the rule rather than the exception. With all the press on the DoS and other attacks in the news recently, maybe the positive path is that companies will take a more serious attitude towards information security post the knee jerk period and really firm up defenses for the long haul.
  • Are all these attacks recently somehow related? It makes you begin to wonder. Technically any online business is at risk, since most businesses have some form of database that is hooked to the internet and also stores sensitive information such as credit card numbers.
    The question is, how do you protect yourself, and of course someone is always going to come along and figure out how to break through that barrier as well. I still think e-commerce is very insecure however the internet has forced us to adopt it so I guess we are not left with much of an alternative... Any suggestions?


    Nathaniel P. Wilkerson
    NPS Internet Solutions, LLC
    www.npsis.com [npsis.com]
  • Isn't there some old saying about locking the stable door after the horse was stolen? What is there left to "secure further"?

    From the /. moderator guidelines: If you can't be deep, be funny

  • This is work of the U.S. Federal Government.

    They are trying to create a general mood of worry in the public to justify new "security" laws. Why so many different sites cracked in such a short time? Who has the resources and the knowledge for that? There's No Such Agency...

    From the /. moderator guidelines: If you can't be deep, be funny

  • Given the somewhat crazy valuation of internet/e-commerce companies

    Is this what people call an "understatement"?

    Red Hat, for instance, has a total market value of about a thousand times its yearly sales. I would call it "utterly", rather than "somewhat" crazy.

    I guess this will have a sobering effect on the market. Only thing is, will the bubble burst now? It looks like all companies, not just Internet, are somewhat overvalued.

    Luckily, it's not October. The approaching winter in the Northern Hemisphere, with the resulting pessimism in the minds of people, has been the most important factor in market bubble-bursting in the last century.

    From the /. moderator guidelines: If you can't be deep, be funny

  • We should go back to gold coins.

    Gold has an intrinsic value, it's the only yellow metal, is present in nature in about the right abundance to be valuable but not too hard to find, and is one of the most resistant metals to corrosion.

    Gold, as mentioned in a bank ad I once saw, has a "5000 years warranty".

    From the /. moderator guidelines: If you can't be deep, be funny

  • Mässing is the Swedish word for brass, and it's not a metal, it's an alloy made of copper and zinc. "Messing" is the English word for the act of "förvirra" in Swedish.

    Anyway, brass is not very resistant to corrosion and it's too easy to obtain. Good for very small value coins.

    From the /. moderator guidelines: If you can't be deep, be funny

  • Water and oxygen are not good for currency because they are too easy to obtain, just like paper and bits.

    Of course, we can all agree that exactly these bits in a binary file or exactly those ink smudges in a piece of paper are worth so many tons of water. But it never works in the long range, because people will find means to multiply that kind of "currency", legally or illegally.

    Look at what happened to the value of the US$ since Franklin Roosevelt abolished the legal requirement for gold equivalency in the 1930s.

    Or even worse, what happened to the British Sterling after the metal equivalency was suspended in World War 1. The Sterling Pound had a stable value for about a thousand years, because it had always had a well defined worth in metal equivalent: a Sterling Pound was the value of one pound (454 grams) of "sterling" silver, i.e. an alloy containing 92.5% of silver.

    These crimes amount to stealing from the people, because the currency one has is the accumulated value of work we have done. Inflation is a legal crime committed by the politicians who are always glad to put their hands in our pockets.

    A metal base for currency has this advantage: it is impossible to duplicate, at least with current technology. When we have such cheap energy that fabricating gold becomes economically feasible, our economy will be vastly different from today, maybe then nobody will have to work and we will have a perfect communist society, who knows...

    From the /. moderator guidelines: If you can't be deep, be funny

  • I think inflation is theft because it takes wealth from those who have worked to accumulate that wealth, and gives it to those who have spent what they didn't work to obtain. Or how else should we define "theft"?

    The US dollar hasn't been stable at all in the last decades. I have some Popular Science magazines from the 1930's and 1940's whose cover price was 25 cents. Houses, cars, wages, bread, almost anything you can imagine costs 10 to 20 times as much now as it did 50 years ago. It's just that when inflation is at a steady 1% to 2%/year, with some higher peaks, people think prices are "pretty much stable now", but it adds up after a few decades.

    From the /. moderator guidelines: If you can't be deep, be funny

  • Inflation hurts people who do not accumulate wealth, though.

    It depends a lot on apparently unrelated details. I live in Brazil, which has gone from 83% inflation in a single month, in March 1990, to less than 2% in the whole year of 1998. When inflation was highest, it hurt mostly the poorest people, who receive their salaries in cash and had to spend it all as soon as they got it. I, as an investor, profited a lot from it, because interest rates are usually higher. I remember getting 14% / month when inflation was at 6% / month. Think of it as 150% / year, tax free, since it was all "capital gains", not income. But I still think it's stealing. I will not give it back, because the government steals from me in other ways, like a 25% sales tax, for instance, but I think inflation is immoral. It's an unacknowledged theft that takes away from the poorest to give to politicians and a few other lucky people on whom some random benefits may fall.

    From the /. moderator guidelines: If you can't be deep, be funny

  • I can see, for reasons of improved business process, why they might want credit card details in their database.

    A successful class action would probably set e-commerce back a number of years, but would be a good thing for consumers if providers ultimately got this right.

    Am I the only one who thinks that the blind optimism causing the suits to bet the farm on e-commerce and 'dot com' stocks is ill-founded, given the current capabilities of the technologies?
  • Hear, hear! If you don't have the resources or ability to make your CC data "safe" .... throw it away! Make the transaction, store the last five digits for accounting purposes, and THROW THE REST AWAY! So your customers have to type a CC number in every time they want to make a purchase. Oh well. I have mine memorised, it's ..... oh wait .... I shouldn't post that here.
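    The "store the last five digits and throw the rest away" rule from the comment above, written out as an added example (not code from the thread, from RealNames or from any poster). It shows the part that is easy to get wrong in practice: normalizing whatever form the number was typed in, building the retained record from the trailing digits only, and checking that no field of that record still carries the full number before it is written anywhere. The number of digits to keep is a policy choice; the comment's five is used as the default here, and the sample card number is a constructed test value, not a real customer's.

```python
import re

# How many trailing digits accounting gets to keep. Five is what the comment
# above proposes; treat it as a policy parameter, not a recommendation.
KEEP_DIGITS = 5


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people type into card fields and reject
    anything that is not a plausible run of digits (12 to 19 long)."""
    digits = re.sub(r"[ \-]", "", raw)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits


def retain_for_accounting(raw: str, keep: int = KEEP_DIGITS) -> dict:
    """Return the only record that may be stored after the transaction:
    the last `keep` digits, a masked form for receipts, and the length.
    The full number is deliberately not part of the result."""
    pan = normalize_pan(raw)
    tail = pan[-keep:]
    return {
        "last_digits": tail,
        "masked": "*" * (len(pan) - keep) + tail,
        "length": len(pan),
    }


def leaks_full_pan(record: dict, raw: str) -> bool:
    """Guard to run before a record hits a database or a log line:
    True if any stored field still contains the full card number."""
    pan = normalize_pan(raw)
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample input (a widely used test number, not a real card).
    sample = "4111 1111 1111 1111"
    rec = retain_for_accounting(sample)
    print(rec)                          # {'last_digits': '11111', 'masked': '***********11111', 'length': 16}
    print(leaks_full_pan(rec, sample))  # False
    # A record that someone "helpfully" added the raw number to would be caught:
    print(leaks_full_pan({"note": normalize_pan(sample)}, sample))  # True
```

The guard is the point: keeping the tail is trivial, but the full number tends to survive in a free-text field or a debug log, which is exactly what a database compromise then exposes.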
  • Yes, have you seen the cover of Newsweek???
    Man, it looks like '50s propaganda...

    marc
  • Why don't we just stop using credit cards over the net, and start using good old reliable paper money... "But Teare said there was no evidence that any credit card numbers have been used" There's a nice way of putting it.."Yeah, they stole your money but we have no evidence that they're spending it.."
  • Good point. Or how about water? We can ditch our wallets and carry around flasks...
  • Why do they keep credit card numbers in the same database anyway? Wouldn't it be a lot more secure to move them to a separate billing database with much more restricted access?
  • Actually the American dollar has remained relatively trustworthy over the past 50 years. I'm not so sure if I trust the euro, however. As for the inflation-being-theft idea, I don't know if I agree. Inflation actually benefits you if you're in debt; something which applies to the vast majority of Americans. Which is why the powers-that-be hate it so much, and why the Federal Reserve thinks that inflation is a worse sin than unemployment (as in "The Federal Reserve raised interest rates today, claiming unemployment is too low").
  • Does this bring to anyone else's mind that hilarious section in one of Douglas Adams's books, where colonists on a new world decided that leaves were currency, then decided the only way to stop inflation was deforestation...
  • 128-bit encryption does not make a secure server-client relationship. The data also needs to be encrypted and protected on the server. It baffles me that supposedly tech oriented companies can't figure this out.

    Any time you give your credit card out over the internet you need to make sure that you trust the company that you are dealing with. Is it any surprise that Real Networks, a closed source, litigious, profit hungry company, didn't protect their customers? After all, they already paid for their upgrades, so it was time to move on to the next round of suckers.

    --Laplace

  • I suppose, in one sense, that the recent database hacks are all related - people so keen to get their wonderful site onto the net that they forget (aka are too lazy) to worry about basic database security.

    You can secure (effectively, not absolutely) a database: there are plenty of architectures, secure SQL gateways available. Even a firewall will help, if you can be bothered to set it up properly.

    Is this incident linked to the recent DDoS attacks? I doubt it. Cracking a database requires more skill than launching a readily available attack tool.

    Is e-commerce secure? Probably not, but then neither is ordering over the telephone or letting somebody take your credit card out of your sight. Remember the Dilbert with the waitress and the fur coat?
  • It seems that somebody created a fictitious company with the name _RealNames to do this. It's terrible, how long will this go on?
  • it is quite possible that because of this break-in someone could steal someone else's realname. can you imagine the potential horrors? and before you know it, there are going to be realname impersonators out there. microsoft..com anyone?

    -hemos
  • it's probably not the network administrators who are to blame either - it's their managers and organization who are often clueless as to what is required and therefore hire the first guy who can spell "Windows NT" without making too many mistakes. Being a bit harsh - I know - but these days people are hired on "vendor certificates" (as in MCP and CNE)

    Two things that contribute to this: in past years, the manager of a techy group was probably a techy too. Nowadays, the manager is more apt to be an MBA who truly cannot distinguish talent from b.s. Anybody who understands anything about technology is brilliant to them: when you are two feet tall, everybody looks like a giant.

    As to certifications, it's CYA. If you hire a seemingly bright person with no degree and no certs and they screw something up, you are a jerk. If you hire somebody with the right degrees and the right certs, it doesn't matter: you did your due diligence and nobody will blame you.

    I'm a RealNames customer, BTW. If this was sloppiness and stupidity on their part (rather good bet, probably), I'm twice as mad as I would be if it truly was a clever hack.
