To: Nazbuster who wrote (15180)
12/15/2001 8:44:12 PM
From: (Bob) Zumbrunnen

I'm glad you mentioned that. I'd forgotten that QCharts and RB were part of the same company. It *might* be part of the solution to a mystery I've been pondering.

First, keep in mind that I'm using a brand new machine (maybe 3-4 weeks old) that I'd never been to RB with. I didn't even import anything from the old machine. The old machine resides on tape now so I can selectively restore as needed. Everything here is "from scratch". Including a new ISP as of a few days ago.

Someone told me about RB being screwed up (I like/dislike the changes), so I went there for the first time in ages last night. Saw a post by someone in which they made a point of not ending a sentence with a preposition (even though it was very clumsy), but instead ended it with an infinitive. I know that's the norm in German, but didn't know if it was acceptable in English, so I decided to reply to him to ask. Yeah, weird things motivate me. <g>

Anyway, I hit the Reply button, expecting to have to ask it to send me my password. It didn't. It took me right to a message composition screen. Remember: New computer, new ISP. I typed a reply and posted it and it took.

The mystery part is that it seemed to have an alias selected for me. The alias it'd selected turns out to be the *loginID* I use exactly two places: QCharts and my new Earthlink account. I use it nowhere else. At first I thought it must've somehow grabbed my loginID for the ISP, but when I saw your message, it reminded me that I use that loginID on QCharts.

So, I am now wondering if QC stores a cookie and RB accessed it, or if RB read it from my ContinuumClient.ini. Either way, it's most uncool. A friend of mine told me the site now labels him by his real name rather than the alias he'd chosen. That's just as bad.

Anyone else experience a similar identity problem over there or have any guesses why RB made my loginID for another site public?

Oh, and the site shows that I've only made the one post and says that I've been a member since 11/13/01. Perhaps they made accounts there for all of the QC users on that date? I did notice a QC button to go to RB boards for a stock, and hit it to see what it was, but I think I did that on my old machine. I couldn't swear to it, though. Might've been on the new machine and might've been on 11/13/01. Could it be that my doing that caused a new account to be made on RB?

Edit: OH SH*T!!! My last guess turns out to be exactly what happened! I just went to the Account Info screen and it prompted me for my password before continuing. I tried several different "the usual" passwords, and no luck. Then I tried the really bizarre, difficult password I use on QC. Presto! It recognized me.

I really thought no other programming crew (or programming decision-makers) on the planet were half as brain-dead as the ones at Silicon Investor, and that nobody else would make the mistake of making one's loginID their screen name, making it only half as difficult to hack their account. But QC just proved me wrong.

People, if you're reading this, allow me to jump up and down on the table and draw your attention to a very basic security concept that you really need to know: DISPLAYING SOMEONE'S LOGINID PUBLICLY IS A BAD THING!!!

BryanB, I know you're over there. Was this your decision? Remember the uproar when it happened accidentally one night on SI? Remember how much complaining I did when it was decided that new users would always have screen names matching their loginID (I was ignored, of course)?

Suppose for a moment that I happened to use that loginID and password multiple places. It can happen. LOTS of people do that. Suppose further that Hacker Wannabe has a website and has lots of loginID's and passwords for his users.
He'd like to be able to post as me and maybe even access my brokerage accounts and Quote.com (remember -- I'm using the same loginID and password everywhere in this scenario). He only knows me as "(Bob) Zumbrunnen", though. Kinda tough for him, eh?

Now suppose I use the loginID "geddyfan" everywhere and the password "rush". Still with me? Suppose I post somewhere in a style that's unique to me (as I did in my post on RB last night). Suppose further that I sign the post "Bob Z." (which, fortunately, I didn't). Stick with me. I'm almost done.

Now suppose some imbecile who shouldn't be making any programming/database decisions is actually doing so and my post shows up as having been written by "geddyfan". Hacker Wannabe says "Hmmm..... That rings a bell." He looks the account up on his site and presto! He's got my identity. He can log in to RB as me and post as me or go to the account screen and see my real name, phone number, and address.

A bit too much of a stretch? Okay, say Mr. Wannabe doesn't have a website. Instead, he's got a batch of loginID's that've suddenly been made public on RB. He's got plenty of time on his hands since his parents only make him take out the trash every other day, so he prints out the list of ID's and goes to a silly site (like SI?) that gives password hints online and goes down the list. He enters "geddyfan" for a loginID and asks for the password hint. It comes back "Favorite band". Hmmmm.... Easy enough. Voila! He's posting on SI as me. Reading my PM's. All kinds of boring stuff.

This is not even remotely a far-fetched scenario. A loginID is just as much a security item as a password is. DO NOT DISPLAY IT TO THE PUBLIC!!!

To anyone who's read this, if you're using QC, I strongly recommend that you never hit the button that takes you to an RB discussion. It's a serious security problem.

The real (Bob) Zumbrunnen. Or is it?
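
The check a site operator could run against the problem described in the post above, as an added example that is not part of the original post and is not code from any of the sites named in it: an audit that flags accounts whose public screen name exposes the login ID or real name, and a partner-handoff provisioning routine that assigns a random screen name instead. The field names, the `member-` prefix and the sample records are assumptions made for illustration.

```python
import re
import secrets

def _norm(s):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _exposes(private, alias):
    """True if the alias equals the private value, or embeds it (4+ chars)."""
    return bool(private) and (private == alias or
                              (len(private) >= 4 and private in alias))

def alias_leaks(account):
    """Return the reasons this account's public alias exposes private data."""
    alias = _norm(account["public_alias"])
    reasons = []
    if _exposes(_norm(account["login_id"]), alias):
        reasons.append("alias contains login ID")
    if _exposes(_norm(account.get("real_name", "")), alias):
        reasons.append("alias contains real name")
    return reasons

def audit(accounts):
    """Map login_id -> reasons, for every account whose alias leaks."""
    return {a["login_id"]: r for a in accounts if (r := alias_leaks(a))}

def provision_from_partner(login_id, real_name, taken_aliases):
    """Create the local account for a user arriving from a partner site.
    The public alias is random, never derived from the login ID or the
    real name; the user can choose a different one later."""
    while True:
        alias = "member-" + secrets.token_hex(4)
        if alias not in taken_aliases:
            break
    taken_aliases.add(alias)
    return {"login_id": login_id, "real_name": real_name,
            "public_alias": alias}

# Constructed sample records (not real accounts).
ACCOUNTS = [
    {"login_id": "geddyfan", "real_name": "Bob Example", "public_alias": "geddyfan"},
    {"login_id": "jq_trader", "real_name": "Jane Quill", "public_alias": "Jane Quill"},
    {"login_id": "mxk17", "real_name": "Max Kole", "public_alias": "chartwatcher"},
]

if __name__ == "__main__":
    for login, reasons in audit(ACCOUNTS).items():
        print(login, "->", ", ".join(reasons))
```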