RootsChat webspace is not secure

Moderator: MOD_nyhetsgrupper

Paul Blair

RootsChat webspace is not secure

Posted by Paul Blair » 2 December 2006 at 0.23

RootsChat is a UK-based genie forum that coincidently offers "members"
free webspace.

The problem is that anyone who figures out the URL to your space could
simply download anything you have stored there. It might be family
stuff, a backup of anything, etc.

They are addressing the situation, but be aware that, for the present,
the space is not secure.

Paul Blair

[email protected]

Re: RootsChat webspace is not secure

Posted by [email protected] » 2 December 2006 at 2.33

Paul Blair wrote:
RootsChat is a UK-based genie forum that coincidently offers "members"
free webspace.

The problem is that anyone who figures out the URL to your space could
simply download anything you have stored there. It might be family
stuff, a backup of anything, etc.

They are addressing the situation, but be aware that, for the present,
the space is not secure.

Paul Blair

Why on earth would one assume that free webspace is secure??

Free webspace is free space on the web- an entirely different animal
from free secure online storage.

There can't be THAT much difference between American English and that
spoken abroad... can there?

Paul Blair

Re: RootsChat webspace is not secure

Posted by Paul Blair » 2 December 2006 at 2.56

[email protected] wrote:
Paul Blair wrote:
RootsChat is a UK-based genie forum that coincidently offers "members"
free webspace.

The problem is that anyone who figures out the URL to your space could
simply download anything you have stored there. It might be family
stuff, a backup of anything, etc.

They are addressing the situation, but be aware that, for the present,
the space is not secure.

Paul Blair

Why on earth would one assume that free webspace is secure??

Free webspace is free space on the web- an entirely different animal
from free secure online storage.

There can't be THAT much difference between American English and that
spoken abroad... can there?


It may have something to do with the fact that it's meant to be
userID/password protected. :-)

Paul

Dave Hinz

Re: RootsChat webspace is not secure

Posted by Dave Hinz » 2 December 2006 at 16.39

On 1 Dec 2006 17:33:28 -0800, [email protected] <[email protected]> wrote:
Paul Blair wrote:

The problem is that anyone who figures out the URL to your space could
simply download anything you have stored there. It might be family
stuff, a backup of anything, etc.
They are addressing the situation, but be aware that, for the present,
the space is not secure.

Why on earth would one assume that free webspace is secure??

Right. This just in: If you don't want people seeing your stuff, then
don't put it on a webpage.

Hugh Watkins

Re: RootsChat webspace is not secure

Posted by Hugh Watkins » 2 December 2006 at 18.26

Dave Hinz wrote:

On 1 Dec 2006 17:33:28 -0800, [email protected] <[email protected]> wrote:

Paul Blair wrote:

The problem is that anyone who figures out the URL to your space could
simply download anything you have stored there. It might be family
stuff, a backup of anything, etc.
They are addressing the situation, but be aware that, for the present,
the space is not secure.


Why on earth would one assume that free webspace is secure??


Right. This just in: If you don't want people seeing your stuff, then
don't put it on a webpage.

and some password systems are so bad that google can map the site
and the rest of us can view it in google's cache

Hugh W


--

Beta blogger
http://nanowrimo3.blogspot.com/ visiting my past
http://hughw36-2.blogspot.com/ re-entry
http://snaps4.blogspot.com/ photographs and walks

old blogger
http://hughw36.blogspot.com/ MAIN BLOG

Paul Blair

Re: RootsChat webspace is not secure

Posted by Paul Blair » 2 December 2006 at 22.32

Hugh Watkins wrote:
Dave Hinz wrote:

On 1 Dec 2006 17:33:28 -0800, [email protected] <[email protected]> wrote:

Paul Blair wrote:

The problem is that anyone who figures out the URL to your space could
simply download anything you have stored there. It might be family
stuff, a backup of anything, etc.
They are addressing the situation, but be aware that, for the present,
the space is not secure.


Why on earth would one assume that free webspace is secure??


Right. This just in: If you don't want people seeing your stuff, then
don't put it on a webpage.

and some password systems are so bad that google can map the site
and the rest of us can view it in google's cache

Hugh W



That's not the fault of the primary site, but usually the lack of a
robots file in the user's webspace.

Paul

Kerry Raymond

Re: RootsChat webspace is not secure

Posted by Kerry Raymond » 3 December 2006 at 1.52

Why on earth would one assume that free webspace is secure??

Right. This just in: If you don't want people seeing your stuff, then
don't put it on a webpage.

I am inclined to disagree. Web pages can be secured with usernames and
passwords. It's done all the time.

However, the poor man's solution is often to create "orphan" web pages which
are not linked from any other page. Therefore the URL is not found by web
harvesting. However, the page is completely accessible through any browser
if someone enters the correct URL. The "security" comes from the fact that
only the desired users are told the URL. Alas, this is security by obscurity
and works right up until someone works out that these pages exist and
successfully guesses what they are called. Or more commonly because someone
links to them, thus revealing the URL to every URL-harvester.

This orphan web page technique is fine if you just want to quickly pass
someone a file via the WWW and then remove it soon after. But it's not a
long-term or general solution however. Better to go with usernames and
passwords if you are trying to secure web pages.

Of course, if you are using a web-hosting service provided by someone, you
may not know what is going on under the covers as far as their security is
concerned. And for that reason, you might want to be somewhat circumspect
about what you store on such a server. But it's all a question of risk
management, weighing up what you think the probability of the risk is and
what the severity of consequences would be if the information became
unintentionally available to others.

But of course storing the same information on your own Internet-connected
computer is not without its risks either. You might be more in control of
some of the risks but it doesn't mean you are capable of doing a better job
of protecting your system than a 3rd party site is.

Kerry

Denis Beauregard

Re: RootsChat webspace is not secure

Posted by Denis Beauregard » 3 December 2006 at 2.14

On Sun, 3 Dec 2006 10:52:32 +1000, "Kerry Raymond"
<[email protected]> wrote in soc.genealogy.computing:

successfully guesses what they are called. Or more commonly because someone
links to them, thus revealing the URL to every URL-harvester.

Or because they appear in your stats and since most stats software
uses standard names, then you can often find hidden pages that
way.


Denis

--
0 Denis Beauregard -
/\/ Les Français d'Amérique - http://www.francogene.com/genealogie-quebec/
|\ French in North America before 1721 - http://www.francogene.com/quebec-genealogy/
/ | Maintenant sur cédérom, début à 1765
oo oo Now on CD-ROM, beginning to 1765

David Harper

Re: RootsChat webspace is not secure

Posted by David Harper » 3 December 2006 at 10.15

Kerry Raymond wrote:
Why on earth would one assume that free webspace is secure??

Right. This just in: If you don't want people seeing your stuff, then
don't put it on a webpage.

I am inclined to disagree. Web pages can be secured with usernames and
passwords. It's done all the time.

However, the poor man's solution is often to create "orphan" web pages which
are not linked from any other page. Therefore the URL is not found by web
harvesting. However, the page is completely accessible through any browser
if someone enters the correct URL. The "security" comes from the fact that
only the desired users are told the URL. Alas, this is security by obscurity
and works right up until someone works out that these pages exist and
successfully guesses what they are called. Or more commonly because someone
links to them, thus revealing the URL to every URL-harvester.

Or because some web servers will helpfully list the contents of a
directory if you simply trim back the URL as far as the last '/'.

I have a "private" sub-directory on my web site which I use for sharing
files with friends (so I don't have to send 10-megabyte email
attachments!), but it's protected so that anyone who tries to list the
directory sees a polite message asking them to go to the home page :-)

David Harper
Cambridge, England

Dave Hinz

Re: RootsChat webspace is not secure

Posted by Dave Hinz » 3 December 2006 at 16.59

On Sun, 3 Dec 2006 10:52:32 +1000, Kerry Raymond <[email protected]> wrote:
Why on earth would one assume that free webspace is secure??

Right. This just in: If you don't want people seeing your stuff, then
don't put it on a webpage.

I am inclined to disagree. Web pages can be secured with usernames and
passwords. It's done all the time.

Well of course. .htaccess and friends are secure, and are widely used.
But I don't think that applies to these free pages.

However, the poor man's solution is often to create "orphan" web pages which
are not linked from any other page. Therefore the URL is not found by web
harvesting. However, the page is completely accessible through any browser
if someone enters the correct URL. The "security" comes from the fact that
only the desired users are told the URL. Alas, this is security by obscurity
and works right up until someone works out that these pages exist and
successfully guesses what they are called.

Right. Security through obscurity is exactly the same as hiding the key
under the doormat. Great unless someone knows that trick.

This orphan web page technique is fine if you just want to quickly pass
someone a file via the WWW and then remove it soon after. But it's not a
long-term or general solution however. Better to go with usernames and
passwords if you are trying to secure web pages.

Right. Not always an option though depending on the host.

But of course storing the same information on your own Internet-connected
computer is not without its risks either. You might be more in control of
some of the risks but it doesn't mean you are capable of doing a better job
of protecting your system than a 3rd party site is.

I use a balanced approach. My sites and the sites of my clients are on
managed hosts - OS patching and general revision control are handled by
the datacenter I hire to host my systems. I also admin the apps and
keep an eye on security patches, new versions, and so on of the apps I
use. And then the user-level security is handled on an individual basis
as well. Firewall blocks the usual, and yup, it's all layers on the
onion. You need to know what you're doing, or hire someone who does.
If security is important, do it yourself and/or have your hosting
provider help.
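
An added example, not part of any post in this thread: a small Python audit of a local copy of a webspace for the two exposures discussed above, directories a server would list when the URL is trimmed back to the last '/', and files anyone with the URL can download without logging in. It assumes an Apache-style host that honours per-directory .htaccess files; the sample tree, its file names and INDEX_NAMES are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.html", "index.htm"}  # assumption: host's DirectoryIndex names
SAMPLE = {  # constructed sample webspace, not any real site's layout
    "index.html": "<p>home</p>",
    "backup/family.ged": "0 HEAD",
    "private/.htaccess": "Options -Indexes\n",
    "private/photos.zip": "zip",
    "members/.htaccess": "AuthType Basic\nRequire valid-user\n",
    "members/tree.ged": "0 HEAD",
}

def read_htaccess(path, auth, nolist):
    """Update the inherited (auth, nolist) flags from one .htaccess file."""
    has_type = has_require = False
    for raw in Path(path).read_text(errors="replace").splitlines():
        words = raw.lower().split()  # comment lines start with '#', so never match
        has_type |= words[:1] == ["authtype"]
        has_require |= words[:1] == ["require"] and words[1:] != ["all", "granted"]
        nolist |= words[:1] == ["options"] and "-indexes" in words
    return auth or (has_type and has_require), nolist

def audit(root):
    """Map each exposed directory (relative to root) to its findings."""
    root, state, report = os.path.abspath(root), {}, {}
    for dirpath, _dirs, files in os.walk(root):  # top-down, parents first
        auth, nolist = state.get(os.path.dirname(dirpath), (False, False))
        if ".htaccess" in files:
            auth, nolist = read_htaccess(os.path.join(dirpath, ".htaccess"), auth, nolist)
        state[dirpath] = (auth, nolist)  # subdirectories inherit these settings
        found = []
        if not auth and not nolist and not INDEX_NAMES & {f.lower() for f in files}:
            found.append("listable")  # trimming the URL to '/' shows the file list
        if not auth and any(f != ".htaccess" for f in files):
            found.append("public-files")  # anyone with the URL can download
        if found:
            report[os.path.relpath(dirpath, root)] = found
    return report

def demo():  # write SAMPLE into a temporary directory and audit it
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    print(demo())
```

In the sample, "private" stops being listable once listing is switched off but still reports public-files, because hiding the file names does not stop a download by someone who has the URL. Only "members", which requires a login, drops out of the report.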

Paul Blair

Re: RootsChat webspace is not secure

Posted by Paul Blair » 12 December 2006 at 5.50

To demonstrate their touchiness about this topic, RootsChat have now
banned me. A neat way of dealing with unpleasant truth.

Paul

Dave Hinz

Re: RootsChat webspace is not secure

Posted by Dave Hinz » 12 December 2006 at 13.54

On Tue, 12 Dec 2006 15:50:33 +1100, Paul Blair <[email protected]> wrote:
To demonstrate their touchiness about this topic, RootsChat have now
banned me. A neat way of dealing with unpleasant truth.

Maybe it's your presentation, not your message. It's one thing to say
"If you put something on the Internet people may find it", it's another
to make it sound like that's surprising.

Paul Blair

Re: RootsChat webspace is not secure

Posted by Paul Blair » 12 December 2006 at 21.02

Dave Hinz wrote:
On Tue, 12 Dec 2006 15:50:33 +1100, Paul Blair <[email protected]> wrote:
To demonstrate their touchiness about this topic, RootsChat have now
banned me. A neat way of dealing with unpleasant truth.

Maybe it's your presentation, not your message. It's one thing to say
"If you put something on the Internet people may find it", it's another
to make it sound like that's surprising.


No, I just believe they don't know how to lock down their site to
protect their users. A very careless way to operate, they are wide open
to legal action the way they are.

Paul

Dave Hinz

Re: RootsChat webspace is not secure

Posted by Dave Hinz » 13 December 2006 at 1.20

On Wed, 13 Dec 2006 07:02:08 +1100, Paul Blair <[email protected]> wrote:
Dave Hinz wrote:
On Tue, 12 Dec 2006 15:50:33 +1100, Paul Blair <[email protected]> wrote:
To demonstrate their touchiness about this topic, RootsChat have now
banned me. A neat way of dealing with unpleasant truth.

Maybe it's your presentation, not your message. It's one thing to say
"If you put something on the Internet people may find it", it's another
to make it sound like that's surprising.

No, I just believe they don't know how to lock down their site to
protect their users. A very careless way to operate, they are wide open
to legal action the way they are.

See what I mean? (I know, no, you don't.)

Paul Blair

Re: RootsChat webspace is not secure

Posted by Paul Blair » 13 December 2006 at 1.42

Dave Hinz wrote:
On Wed, 13 Dec 2006 07:02:08 +1100, Paul Blair <[email protected]> wrote:
Dave Hinz wrote:
On Tue, 12 Dec 2006 15:50:33 +1100, Paul Blair <[email protected]> wrote:
To demonstrate their touchiness about this topic, RootsChat have now
banned me. A neat way of dealing with unpleasant truth.
Maybe it's your presentation, not your message. It's one thing to say
"If you put something on the Internet people may find it", it's another
to make it sound like that's surprising.

No, I just believe they don't know how to lock down their site to
protect their users. A very careless way to operate, they are wide open
to legal action the way they are.

See what I mean? (I know, no, you don't.)



I do, but many don't! :-)

If you know what is involved (and your posts suggest you do) then that's
all fine. But if you don't, and no warnings are provided, then you've
left the door wide open. That's the danger.

Paul

Dave Hinz

Re: RootsChat webspace is not secure

Posted by Dave Hinz » 13 December 2006 at 3.05

On Wed, 13 Dec 2006 11:42:44 +1100, Paul Blair <[email protected]> wrote:
Dave Hinz wrote:

See what I mean? (I know, no, you don't.)

I do, but many don't! :-)

I meant about your tone and emotionally charged language, more than the
"problem" you're discussing.

If you know what is involved (and your posts suggest you do) then that's
all fine. But if you don't, and no warnings are provided, then you've
left the door wide open. That's the danger.

Warnings? "If you put things on the internet, people may see them"?
Are you SERIOUS?

Warning: If you go in the bathtub, you may get wet.

Paul Blair

Re: RootsChat webspace is not secure

Posted by Paul Blair » 13 December 2006 at 3.31

Dave Hinz wrote:
On Wed, 13 Dec 2006 11:42:44 +1100, Paul Blair <[email protected]> wrote:
Dave Hinz wrote:

See what I mean? (I know, no, you don't.)

I do, but many don't! :-)

I meant about your tone and emotionally charged language, more than the
"problem" you're discussing.

If you know what is involved (and your posts suggest you do) then that's
all fine. But if you don't, and no warnings are provided, then you've
left the door wide open. That's the danger.

Warnings? "If you put things on the internet, people may see them"?
Are you SERIOUS?

Warning: If you go in the bathtub, you may get wet.

Plain talk is plain talk.

I note the considerable lengths you go to to protect your data. Is there
a reason for this?

Paul

Dave Hinz

Re: RootsChat webspace is not secure

Posted by Dave Hinz » 13 December 2006 at 5.16

On Wed, 13 Dec 2006 13:31:18 +1100, Paul Blair <[email protected]> wrote:
Dave Hinz wrote:

I meant about your tone and emotionally charged language, more than the
"problem" you're discussing.

Warnings? "If you put things on the internet, people may see them"?
Are you SERIOUS?
Warning: If you go in the bathtub, you may get wet.

Plain talk is plain talk.

Indeed.

I note the considerable lengths you go to to protect your data. Is there
a reason for this?

I do? What specifically have you noted on which of my hosts? A quick
check of my logs shows nothing unusual.

Paul. If you put something on the public internet, the public can get
to it. This isn't, or shouldn't be, surprising.
