Site Talk
Site announcements, comments, or feedback about the site.
Alert for all Users - Security Breach..
dexter059
Region de Valparaiso, Chile
Joined: July 28, 2005
KitMaker: 1,569 posts
Armorama: 1,385 posts
Posted: Friday, January 13, 2006 - 10:31 PM UTC
Done. Thanks for the warning.....I think I'll become a little more "anxious" every time I use his site. I wonder why he has been doing things like this and comments as seen in his forums against other sites.....it's supposed to be a big modelling community, with every site seeking different directions, but interested in modelling after all.....

Too bad for Mr. Owen's site

Cheers
ericadeane
Michigan, United States
Joined: October 28, 2002
KitMaker: 4,021 posts
Armorama: 3,947 posts
Posted: Friday, January 13, 2006 - 11:06 PM UTC
EVERYBODY CALM DOWN!!

My name is Roy Chow (armorama ID: ericadeane). I serve as the Allied DG moderator. Jim Starkweather offered me the role and I'm glad to serve this great site.

I ALSO serve on the admin team with Paul Owen over on TL. While I don't condone Paul's logging into Jim Rae's account here, here's the reason it happened.

Yesterday, one of our administrators demanded to resign because someone had tampered with one of his postings on Track-Link. The only ones who can edit postings are members of the admin team. He concluded that one of his fellow admin people was tampering with him and he was irate. Paul Owen figured out that one of us must have been hacked -- as many of us are registered on multiple boards (and sometimes with the same password). That is why he immediately posted a warning to the TL administrators and the entire TL community to switch their passwords.

Paul emailed the admin team to say that he was able to do the same (get into another website) as an experiment and warned the admin team that this was a security loophole with TL (and other sites). In working with Paul for several years (and frequenting his site since 1996), he's been a straight shooter.

Paul has also worked with Jim Starkweather to try to assemble the various modelling website principals in a webmasters guild to work on joint problems and to promote unity.

Jim: I would agree that it requires an apology. The steps Paul took weren't judicious at all. You've said he's done other things to other Armorama staff: I can't speak to that and have to trust that you're correct that "frostyness" exists btn Paul and this site. However, I don't believe yesterday's actions were meant to harm you or Armorama at all. There really was a security breach at TL. My word on it.

For anyone else who says "Let's go to war" or wants to pile on personal attacks on people's family or marriages, please remember what Armorama, Finescale, Track-link, Missing-lynx (etc) are all about. It's a hobby that each of us delves into to relax and enjoy some community. I don't know many of us who are starving, live in the Third World, or are trying to extract someone trapped in a mine somewhere or trying to survive because your village was flattened by an earthquake. Please let's use some common courtesy (even if it hasn't been given to us).

Roy Chow
Teacher
England - North West, United Kingdom
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Posted: Friday, January 13, 2006 - 11:11 PM UTC
Whilst I trust you, Roy, as a member of this site, I know you have been misled by Paul. He's left things out, and he's lied about other things. Don't trust him or believe what he says.


Vinnie
staff_Jim
Staff Member, Publisher
KITMAKER NETWORK
New Hampshire, United States
Joined: December 15, 2001
KitMaker: 12,571 posts
Armorama: 6,599 posts
Posted: Friday, January 13, 2006 - 11:15 PM UTC
Roy,
I am in no way interested in these site vs. site antics. For the record I think TL is a great site. However Paul has all but admitted that his password schema is flawed and NOT encrypted. He was able to easily look up both Saul's and Jim's account password without any problem.

As for Saul's post being modified I don't know how TL works but here any moderator can edit posts or delete them. An IP stamp is left on the updated post indicating the IP address of the last person to modify the post. So I can say confidently that if that was done here we would have a pretty good idea of who did it.

Also you can refer to my post today (also in Site Talk) about how Armorama's passwords are encrypted.

Thanks,
Jim
ericadeane
Michigan, United States
Joined: October 28, 2002
KitMaker: 4,021 posts
Armorama: 3,947 posts
Posted: Friday, January 13, 2006 - 11:21 PM UTC
Hi Jim:
I don't think there are any "leads" on who breached TL's security at this moment. All that logic points to is that one of us TL admins probably had our account hacked (thru careless use of passwords). And once in, that person played with a post or two of Saul's and the edited posts brought Saul some hard feelings. It wouldn't make sense that any of the TL admins did anything strange. Saul is well-liked by all.

That is to say: I don't think Paul's coming into Jim's account was a tit-for-tat issue at all. Thnx for your quick reply Jim.
RC
Rockfall
#202
Ontario, Canada
Joined: December 19, 2004
KitMaker: 884 posts
Armorama: 602 posts
Posted: Saturday, January 14, 2006 - 12:19 AM UTC
I don't really care what the excuse is.

Doing stuff like that goes against ethics and integrity.

keenan
Indiana, United States
Joined: October 16, 2002
KitMaker: 5,272 posts
Armorama: 2,844 posts
Posted: Saturday, January 14, 2006 - 12:35 AM UTC
Roy,
Frankly I don't care what his motivation was and no I won't CALM DOWN. You, Paul, Jesus, Mary or Mohammad use my user name to post something in a forum and I am going to want to, using the good ol' Hoosier parlance here, stomp a size 13 mud hole in your @ss. It is like wearing white shoes after labor day, it just isn't done, esp. by site owners and admins who ought to know better.

No excuse for this kind of behavior. None. Whatsoever.

Shaun

some emoticons to make everyone think I was only kidding

:-)

There...
Paul_Owen
British Columbia, Canada
Joined: May 11, 2002
KitMaker: 140 posts
Armorama: 108 posts
Posted: Saturday, January 14, 2006 - 01:46 AM UTC
Hey Jim,

Sorry, just trying to help you by pointing out a poor password practice. Don't use the same passwords for different sites. As I demonstrated, there can potentially be problems

I guess people like you will always look for trouble and where none exists then create your own. Says more about you than me.

In a few days you'll have an epiphany and will feel regret about all the stuff you're typing, so I forgive you now :-)

FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.

Paul.

PS: Jim S.: What's that name of that site that doesn't like Armorama, the one on Sweden (or wherever)? Have any of the admins here registered there and used the same password? Maybe you could check into that.
markm
California, United States
Joined: September 11, 2005
KitMaker: 1,757 posts
Armorama: 1,148 posts
Posted: Saturday, January 14, 2006 - 01:51 AM UTC
I doubt it :-)
Spades
California, United States
Joined: February 08, 2003
KitMaker: 776 posts
Armorama: 477 posts
Posted: Saturday, January 14, 2006 - 01:57 AM UTC
OK, what happened to my rank ????? I remember I was at least a corporal........I think,,,,,,but I had rank nonetheless. Anyone want to explain ???? Site Administrator.....would you know what happened ????
Teacher
England - North West, United Kingdom
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Posted: Saturday, January 14, 2006 - 02:04 AM UTC
Enough. I've registered a complaint with RECOL.

Vinnie
jazza
Singapore / 新加坡
Joined: August 03, 2005
KitMaker: 2,709 posts
Armorama: 1,818 posts
Posted: Saturday, January 14, 2006 - 02:17 AM UTC
It certainly is unethical what Paul Owen did. Hiding behind the lame excuse of exposing a security flaw is certainly unjustified. If one had the good intentions of exposing such flaws, he/she would have formally discussed it with the administrators of the site without breaching the boundaries of trust.

I've never been to Track Link but based on the actions of the administrator alone, first impressions certainly aren't high and as staff_jim mentioned, he obviously left passwords unencrypted so that he could view them.

On that point alone, I won't be recommending anyone register for that site.
dexter059
Region de Valparaiso, Chile
Joined: July 28, 2005
KitMaker: 1,569 posts
Armorama: 1,385 posts
Posted: Saturday, January 14, 2006 - 02:18 AM UTC
Well, I guess Paul Owen has pointed out his reasons, and IF those are OK with Staff Jim, fine by me. I like that site too, and it would be a shame if this became an unwanted conflict between them.

So, we're all in peace, I guess.

Cheers to all
staff_Jim
Staff Member, Publisher
KITMAKER NETWORK
New Hampshire, United States
Joined: December 15, 2001
KitMaker: 12,571 posts
Armorama: 6,599 posts
Posted: Saturday, January 14, 2006 - 02:20 AM UTC

Quoted Text


In a few days you'll have an epiphany and will feel regret about all the stuff you're typing, so I forgive you now :-)

FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.

Paul.



Paul,
This sounds a little like a threat to me. Perhaps that was not your intent but I would warn you not to confuse me for Andrew Dextras. If you hack this site or cause any more problems there will be serious legal consequences.

I have no regrets. Everything I have posted is fact. If you are encrypting your passwords then how is it that you were able to read Saul and Jim Rae's passwords in your database?? If you logged into their accounts and requested the password most systems would have to modify the password (being unable to decipher an MD5 encryption) and send that user the new password. So then you would have a new password which does not match the password they use on Armorama. If you are NOT using MD5 encryption or something similar then you still have a security hole. I cannot do what you describe above, but obviously you can.

Jim
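
The point made in the post above, as an added example that is not part of the original thread or of either site's code: when only a salted digest is stored, a reset can only replace the password, so changing the e-mail on record and requesting a reset never yields the password a member reuses elsewhere. It uses salted PBKDF2 rather than the MD5 the post mentions; `AccountStore`, its methods and the sample addresses are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class AccountStore:
    """Hypothetical in-memory user table that keeps only salt + digest."""

    def __init__(self):
        self.users = {}   # name -> {"email", "salt", "digest"}
        self.outbox = []  # constructed stand-in for outgoing mail

    def register(self, name, email, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {"email": email, "salt": salt,
                            "digest": derive(password, salt)}

    def verify(self, name, password):
        user = self.users[name]
        return hmac.compare_digest(derive(password, user["salt"]), user["digest"])

    def change_email(self, name, new_email, actor):
        # Record who changed it and tell the address previously on record.
        old = self.users[name]["email"]
        self.users[name]["email"] = new_email
        self.outbox.append((old, f"email changed to {new_email} by {actor}"))

    def reset_password(self, name):
        # The digest cannot be turned back into the password, so a reset
        # can only replace it; the original is never mailed to anyone.
        issued = secrets.token_urlsafe(12)
        self.users[name]["digest"] = derive(issued, self.users[name]["salt"])
        self.outbox.append((self.users[name]["email"], "a new password was issued"))
        return issued

def demo():
    store = AccountStore()
    store.register("member", "member@example.org", "reused-on-other-sites")
    store.change_email("member", "admin@example.org", actor="admin")
    issued = store.reset_password("member")
    return {"original_still_works": store.verify("member", "reused-on-other-sites"),
            "issued_works": store.verify("member", issued),
            "owner_notified": store.outbox[0][0] == "member@example.org"}
```

The reset also locks the member out of their old password, and the notice to the previous address gives them a way to see that the account was touched.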
Holdfast
Staff Member, President
IPMS-UK KITMAKER BRANCH
#056
England - South West, United Kingdom
Joined: September 30, 2002
KitMaker: 8,581 posts
Armorama: 630 posts
Posted: Saturday, January 14, 2006 - 02:22 AM UTC
Paul Owen,
I don't know you and I don't want to know you. I have never been to Track-Link and, now, never will. There is absolutely NO excuse for what you did.
Mal
TacFireGuru
Colorado, United States
Joined: December 25, 2004
KitMaker: 3,770 posts
Armorama: 2,263 posts
Posted: Saturday, January 14, 2006 - 02:26 AM UTC
Hmmm,

Quoted Text

Sorry, just trying to help you by pointing out a poor password practice. Don't use the same passwords for different sites. As I demonstrated, there can potentially be problems


What a professional method of informing someone that there may be an issue. Would have thought that an email or PM may have been the better way to do this. I can only imagine the "mud-slinging" that will continue out of your lack of good sense [edit - unprofessional behavior].

Too bad for you and your site....good site too. I'm willing to believe that this "stunt" is going to hurt a lot of folks.

Mike
jazza
Singapore / 新加坡
Joined: August 03, 2005
KitMaker: 2,709 posts
Armorama: 1,818 posts
Posted: Saturday, January 14, 2006 - 02:27 AM UTC

Quoted Text

FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.



Yes, this certainly can be done; however, that's a feature most administrators have and it is implied that administrators DO NOT abuse administrative powers to breach an individual's privacy.

Normal members do not have the ability to simply change an email address and retrieve the password as the password recovery tool only works when the registered email is supplied.

This is a poor response on your part and certainly unprofessional in every respect.
PvtParts
New Jersey, United States
Joined: June 18, 2003
KitMaker: 1,876 posts
Armorama: 1,120 posts
Posted: Saturday, January 14, 2006 - 02:51 AM UTC
One word...Weasel
95bravo
Kansas, United States
Joined: November 18, 2003
KitMaker: 2,242 posts
Armorama: 504 posts
Posted: Saturday, January 14, 2006 - 03:06 AM UTC
That's just...too bad and sad. Well, I'll not visit there again.
2CAVTrooper
Alabama, United States
Joined: October 21, 2005
KitMaker: 310 posts
Armorama: 302 posts
Posted: Saturday, January 14, 2006 - 03:18 AM UTC

Quoted Text


FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it.



Most places will only send a password request to the E-mail that they have on record for that member.

In order to send a password to another E-mail account, the member should have to E-mail the site admin from the E-mail account on record with all relevant member information to request the change.

Personally, it doesn't really matter to me because anything connected to something sensitive such as credit card or bank account, I change the passwords on a monthly basis. For a site like this, I'll change them every 6 months to a year. Some of the more politically orientated sites I'm on, I change them every 3 months.

Merlin
Staff Member, Senior Editor
AEROSCALE
#017
United Kingdom
Joined: June 11, 2003
KitMaker: 17,582 posts
Armorama: 903 posts
Posted: Saturday, January 14, 2006 - 03:34 AM UTC
Hi Paul

I don't have reason to visit TL, but I can't understand the way you went about things: even giving you the benefit of the doubt that you were trying to highlight a security problem, your response to the criticism only makes matters worse - you imply that you can (and do) abuse your members' personal information. There's a saying in Britain "When you're in a hole... stop digging..."

Rowan

thedutchie
Ontario, Canada
Joined: February 01, 2005
KitMaker: 1,299 posts
Armorama: 919 posts
Posted: Saturday, January 14, 2006 - 03:35 AM UTC
Paul:

As a programmer and IT professional, I believe what you did isn't right. When you discover a flaw you contact the individual(s) and discuss it. What you did would be considered malicious and a court of law will not stand for it. Did you miss the computer ethics class in school?

There are always ways around passwords and there are always ways to find the "backdoor". Does it mean that we should look for them or try to exploit them? If you have this much time on your hands perhaps you should try to better your site instead of jerking with someone else's.

Rant done

Graywolf
Staff Member, Senior Editor
HISTORICUS FORMA
Izmir, Turkey / Türkçe
Joined: December 01, 2001
KitMaker: 6,405 posts
Armorama: 1,850 posts
Posted: Saturday, January 14, 2006 - 03:50 AM UTC
1. If you are a member of a few sites and especially if you have admin access in any of these sites never forget to have different passwords or encryptions but also remember this saying '' Social Engineering Specialist: Because there is no patch for human stupidity.''

2. Armorama is a friendly hosted modelling community not a training field to check out vulnerabilities of any other websites or individuals. There are some websites like this to legally and basically check your skills or your own site's security...

3. You signed up to a website and the owner of the website abused your account using the same information in another website for any reason without your permission. Guess who this is?
My account is ONLY MY ACCOUNT and thanks Jim for remembering this since 2001.

4. Thanks to Roy Chow for being so conciliatory and honest. I agree with him totally. This shouldn't be turned into a family plot or a website war. I am sure members of the TL and Armorama are more interested in modelling not personal shows.....

bestest regards
Teacher
England - North West, United Kingdom
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Posted: Saturday, January 14, 2006 - 03:51 AM UTC
James, there is absolutely no reason to lock this thread. What you see as mudslinging is our users voicing their feelings on this reprehensible 'man'.

Vinnie