ATTN: Security of Personal Identity!! NOT

[birdmom]

Attention Everyone:

Somebody is probably going to get very upset with me, but I am sorry, there is something very wrong with this website.

 

I have noticed that you ask for address and phone numbers on the member's profiles. Does everyone realize that the site administrators do not provide any security of that information? It is totally unprotected.

 

All you have to do is pull up this website, you don't even have to be logged in--or a member. You can click on anyone's name you see listed on a topic on the bottom half of the home page, or where there name shows as Who's Online over on the right. It will pull up their Profile and display all of their Personal Information, if they were foolish enough to place it there in a public forum.

 

Sorry guys, but I have an MS in Technology Management (telecommunications) and worked for an ISP for several years. This is reallly bad but if I didn't say something, I wouldn't be worth the paper my $60,000 degree is printed on. You may revoke my privileges for writing this, but who in the heck is running this thing?

 

Shame shame! Don't you guys know that there are bad people out there, and anyone can register here, anyone can just happen along and find this site (as I did) and steal personal information to create fake identities; or, they can notify bird thieves who support a very large black market for stolen exotic birds, and they especially like the ones who talk.

 

You simply must protect the personal information of your members, I am very disappointed. This data should be encrypted. If you don't like hearing this from a woman, just ask danmcq. He'll know, I am very sure.

 

Joanne aka birdmom

 

PS: and no, I am not trolling. I am serious. This is a problem you should take very seriously before it jeopardizes the website or results in irreparable harm to any of your registered members.<br><br>Post edited by: birdmom, at: 2007/12/30 09:02

[birdmom]

Okay, I'm not done this really irritates me. I am recommending some changes that I think should be made to this website design, asap. Please notify the website owner and website editor AT ONCE, I'm perfectly serious about this:

 

You need to advise all members to remove their personal data from the profile, and notify them properly that anyone can see it, anywhere in the world. I would send everyone an email now.

 

I think you really need to reformat the personal information page, so that only the user can access it; and only they can allow their 'buddies' or anyone they choose to see it. (However, even if you do that, you are making yourself very liable should a buddy become a stalker.)

 

I really do not see why you need to have member's addresses or phone numbers. Are you planning to send us Christmas Cards? Because, I didn't get one, but then I didn't put my address on there, either.

 

Really, I mean be sensible, if a member gets friendly with another member it is up to them to exchange such person information, that way you are not liable for anything happening to them or their personal identity information. I think the website owner is taking a really big liability here, and the website owner could be sued.

 

I am sorry, but again, I have worked for an International ISP and two phone companies, and I also worked in Internet Security for the HackerSafe people.

 

Please take these suggestions as helpful critique and don't be defensive about it. I am offering you valuable advice and won't send a bill. On the up side, it is a beautiful website and I love the flexibility, the tools, format and members, most are great.

 

Thanks for letting me play. Unfortunately, until such changes are made, I don't think I am comfortable associating here for obvious professional reasons.

Sorry. I really enjoy the forum. I need to sleep on this one. Joanne

[Guest]

birdmom, everybody is perfectly free not to fill in any information at all

[danmcq]

Joanne,

 

You are absolutely correct in your comments regarding personal information being kept safe and secure on the Internet. But, as with all non-secure websites, as this is, the individual is responsible for their personal information and whether they wish to make it available or not.

 

As Fairy said and I of course know that you understand this too, just don't fill it in.

 

But, you have brought up a very important topic that some people may not realize. Information you put out on the Internet about yourself is easily found by anyone unless it is on a secure https site that incorporates at least 128 (256 bit preferred) encryption and only you are allowed to chose to make that available to another individual via a link that is also password protected and encrypted that you personally send that individual and can also place a time constraint on that access if so desired.

 

Thanks for bringing this important information to light Joanne. Many of us are keenly aware of security on the Internet, but a larger portion of people are not.

 

Karma to you! :-)

[lovemyGreys]

Yes i agree with Dan, a very good thread which highlights the security risk, it is up to each member to fill their profile in accordingly.

[judygram]

Thanks Joanne for bringing this subject to light, and it is not the first time someone has brought this very topic up. I am agreement with Dan that no one should put their actual street address or phone number on their profile page. It really is up to each of us as individuals to keep that private information to ourrselves and only share it with ones they feel they can trust.

[Toni]

Yea Joanne makes good points, and for security reasons I am smart enough not to add that info,,,Its a shame we have people in the world that would hurt other people.

[birdmom]

FairY,

THAT IS REALLY LAME.

 

To dump it off on the member is really irresponsible.

You know perfectly well, and so does Dan, that they do not realize it. I feel you are obligated to be more portective of your members' private information. If not (and obviously you dont care) then, why in the heck should I participate on this forum.There are many other forums.

 

I will not be on this one any longer.

 

As I asked before, please remove my registration. Obviously, you did not take me seriously. As long as I can still log in, you have denied my request to remove me from this forum.

 

I want to be removed now please do it.

[birdmom]

OK, I know you guys own a website, and the more hits on it the higher the google ranking, the more member profiles the better its marketability to sell the site someday. I don't care. Yes Frank, i know its not online banking, Frank but havent you ever heard of identity theft? You dont have to be a bank to enable a persons identity to be stolen. Frank, you obviously don't know it, but yes sites do prevent others from reading personal data, ask DanMcq he'll explain it to you):

 

For everyone to see, here is Frank Venutos .............

 

 

 

 

I, FairY, have removed this. Private Messages are PRIVATE MESSAGES. You as feeling so concerned about privacy should know that best.

 

It takes some ethics to know the rules for behavior on the internet. Placing PRIVATE MESSAGES on a public forum is crossing those rules, and I don't agree with those.<br><br>Post edited by: FairY, at: 2007/12/31 11:21

[judygram]

Joanne, even though I agree with you in part, it is up to each individual to protect their own identity by not putting any of their personal information on the site. Each one of us is responsible for our own actions and stupidity is no excuse.

 

I do have a problem with posting your exchange with Frank on the site in this thread, that was uncalled for and certainly goes against your belief that putting personal info on the site since it contains your personal email address with your last name.

 

I don't like to see any of the members leave and that certainly includes you but this is a free country and if you want to leave then that is your choice. The admins do not own this site and do not have much control over how it is operated other than make suggestions so don't blame Frank for any of this mess.

[Toni]

Ok as Frank has put it in a PM to Joanne,,,,, the word christ sakes..... Ok for christ sakes remove her so we dont have to hear her whine. OMGosh..You are bein lame Joanne. Dont like the way this forum is programed then go. Its up to you. Like Judy says,, hate to see a menber leave but if you feel necessary then leave. Hope you find a forum that can accomodate your needs. Sorry

[dblhelix]

Wow. This post seems to have started out well intended, but sheesh...this is a public forum. You dont need to add any personal info to have an account here. While we want users and members to participate and have fun, the truth is you dont need to participate at all. The site has no obligation to protect users and never indicated that information will be private. If you made that assumption and expect a free public forum to protect your identity then you are being foolish. I agree, THIS IS NOT ONLINE BANKING. Use the site, learn/share about our birds, have fun...or dont. Its up to you, just as it is up to you to use common sense and only share information in a public forum that is appropriate.

[Toni]

Amen !!!!!

[Nychsa]

*sigh* I wanted to stay out of this one, but I guess maybe I shouldn't.

 

Joanne - I acknowledge your credentials as an IT professional. I'm an IT Security professional - yes, with multiple graduate degrees, and professional certifications in the field and over 17 years of experience serving some very interesting organizations.

 

Now that we have the credential issues out of the way - here's my take on this matter:

 

1. Is it a good Web administration practice to allow users to provide detailed residential information into a public forum? Probably not. As a general rule of thumb, any web site administrator should only gather as much information as needed. It's best for the user and it's best for the web owners (the less information they store, the less oversight they need to exercise over said data)

 

2. Does a user's home address and telephone number pose a significant risk to a user's identity, thus exposing a user to identity theft or stalking? Stalking - yes, identity theft - not as much as if it were the SSN. Telephone numbers and addresses can be easily found in telephone books. If someone wished to steal someone else's identity and would require the home address and telephone number, they could look it up on line in the "White Pages" - or easier yet - Google the person. We leave countless electronic bread crumbs all over the Internet - everyone should Google themselves every now and then. However, this information would really only be required if your SSN or account numbers have been compromised. They are secondary forms of identification.

 

The bottom line: this is not the only web site that provides fields for address and telephone entry. Like I said, it's not the best practice in the world and I'm not sure why the owners put those fields there - my guess is it was benign with an eye towards social networking.

 

I don't know how invovled it would be to remove those fields and then update the system - if the information is stored in a regular relational database - should be fairly easy. If the owners prefer not to do so, then maybe a good pre-emptive measure to ensure people understand their information is not protected might be to post a notice when users create a log on that advises users that the information is indeed public. I would recommend the owners do this for the saftey of their users as well as for their own sake as if a stalking incident does occur and can be traced back to this site as the source for information for the stalker, the owners could face some ugly civil suits. Case law to date has held Web site owners responsible for information they've asked for (and an empty field for input could imply the information is being requested by the web site owners).

 

So LOL! For those who are asking what the bottom line risk is - I would characterize the risk as medium.

 

Cheers!

Terri

[Laurie]

Ok, I have practically no knowledge on internet security, but I do have the common sense not to put anything out there that I don't want the whole world to have access to.

I think Bird Mom over-reacted.

[Nychsa]

Laurie, protecting one's self is really the best way to ensure nothing untoward ever happens to your information. Unfortunately the many different ways to have your information stolen is too numerous to list and most of the ways are quite low tech - your mail box, your trash, all those things are wonderful locations to find information about people. Paying with a credit card at a restaurant where someone is using a device to copy credit card numbers. Those then get sold on line, in chat rooms - for pennies. So, it really is important for all of us today to take care of our own data - you are absolutely right!

 

:cheer:

Terri

[judygram]

I'm so glad you have stayed with us Terri, you have provided us with some very good information and I thank you for that.

 

But it really boils down to everyone has to take the responsibility for their own safety and not put that info in their profile in the first place.

[nevjoe]

OK I really live in England. I tried to hide it but I'm busted.

I think we all got it, so lets move on and get back to posting

 

Admins: you need to send one of those systems PMs to all members. They rest of you just CHILL, and change what you think you need to.

 

Now how are all those women going to find me.

 

Joe

[judygram]

Don't you worry honey, I will find you.:kiss:

[nevjoe]

Just across the water

 

Joe

[CeasarsDad]

You make me laugh Birdmom. You cry about internet security yet you take a PRIVATE EMAIL I sent to you and ONLY YOU and post it in public. YOU ARE THE JOKE HERE. If I wanted that email public I would have posted it here.

 

It's interesting to see the other members take on this matter. Like many have noted, YOU are responsible for your security.. Not me, this site, or any other admin or moderator that spends countless time here without pay.. Give me a break already. By your standard all the telephone books in the world violate security. What a laugh.

 

Take some common sense classes to go along with all your other "degrees" I think you need them..

 

Of course I do think you started this thread just to hear yourself talk... or write.. and for that I think you got your way.

 

CD<br><br>Post edited by: CeasarsDad, at: 2007/12/31 10:15

[Toni]

Thank you Boss Man !!!! You Rock !!

[judygram]

Thank you Frank.

[CeasarsDad]

birdmom wrote:

For everyone to see, here is Frank Venutos reply to me when I requested a second time to remove my profile from this site, what a nice individual:

 

 

Just so you know, I am a "nice individual" You clearly don't know me very well. I do appreciate the personal attacks though. I find them very revealing about just the kind of person you are..

 

Cd<br><br>Post edited by: CeasarsDad, at: 2007/12/31 04:14

[Nychsa]

Well shoot, I'd rather call you Ceasar's Dad, not Frank! LOL I think its a hoot how we sometimes are more associated with our birds rather then with ourselves!