Done. Thanks for the warning.....I think I´ll came a little more "anxious" everytime I used his site. I wonder why he has been doing things like this and comments as seen in his forums against other sites.....it´s supposed to be a big modelling community, with every site seeking different directions, but interested in modelling after all.....
Too bad for Mr. Owen´s site
Cheers
Site Talk
Site announcements, comments, or feedback about the site.
Site announcements, comments, or feedback about the site.
Hosted by Darren Baker, Jim Starkweather
Alert for all Users - Security Breach..
dexter059
Region de Valparaiso, Chile
Joined: July 28, 2005
KitMaker: 1,569 posts
Armorama: 1,385 posts
Joined: July 28, 2005
KitMaker: 1,569 posts
Armorama: 1,385 posts
Posted: Friday, January 13, 2006 - 10:31 PM UTC
ericadeane
Michigan, United States
Joined: October 28, 2002
KitMaker: 4,021 posts
Armorama: 3,947 posts
Joined: October 28, 2002
KitMaker: 4,021 posts
Armorama: 3,947 posts
Posted: Friday, January 13, 2006 - 11:06 PM UTC
EVERYBODY CALM DOWN!!
My name is Roy Chow (armorama ID: ericadeane). I serve as the Allied DG moderator. Jim Starkweather offered me the role and I'm glad to serve this great site.
I ALSO serve on the admin team with Paul Owen over on TL. While I don't condone Paul's logging into Jim Rae's account here, here's the reason it happened.
Yesterday, one of our administrators demanded to resign because someone had tampered with one of his postings on Track-Link. The only ones who can edit postings are members of the admin team. He concluded that one of his fellow admin people were tampering with him and he was irate. Paul Owen, figured out that one of us must have been hacked -- as many of us are registered on multiple boards (and sometimes with the same password). That is why he immediately posted a warning to the TL administrators and the entier TL community to switch their passwords.
Paul emailed the admin team to say that he was able to do the same (get into another website) as an experiment and warned the admin team that this was a security loophole with TL (and other sites). In working with Paul for several years (and frequenting his site since 1996), he's been a straight shooter.
Paul has also worked with Jim Starkweather to try to assemble the various modelling website principals in a webmasters guild to work on joint problems and to promote unity.
Jim: I would agree that it requires an apology. The steps Paul took weren't judicious at all. You've said he's done other things to other Armorama staff: I can't speak to that and have to trust that you're correct that "frostyness" exists btn Paul and this site. However, I dont' believe yesterday's actions were meant to harm you or Armorama at all. There really was a security breach at TL. My word on it.
For anyone else who says "Let's go to war" or wants to pile on personal attacks on people's family or marriages, please remember what Armorama, Finescale, Track-link, Missing-lynx (etc) are all about. It's a hobby that each of us delve into to relax and enjoy some community. I don't know many of us who are starving, live in the Third World, or are trying to extract someone trapped in a mine somewhere or trying to survive because your village was flattened by an earthquake. Please let's use some common courtesy (even if it hasn't been given to us).
Roy Chow
My name is Roy Chow (armorama ID: ericadeane). I serve as the Allied DG moderator. Jim Starkweather offered me the role and I'm glad to serve this great site.
I ALSO serve on the admin team with Paul Owen over on TL. While I don't condone Paul's logging into Jim Rae's account here, here's the reason it happened.
Yesterday, one of our administrators demanded to resign because someone had tampered with one of his postings on Track-Link. The only ones who can edit postings are members of the admin team. He concluded that one of his fellow admin people were tampering with him and he was irate. Paul Owen, figured out that one of us must have been hacked -- as many of us are registered on multiple boards (and sometimes with the same password). That is why he immediately posted a warning to the TL administrators and the entier TL community to switch their passwords.
Paul emailed the admin team to say that he was able to do the same (get into another website) as an experiment and warned the admin team that this was a security loophole with TL (and other sites). In working with Paul for several years (and frequenting his site since 1996), he's been a straight shooter.
Paul has also worked with Jim Starkweather to try to assemble the various modelling website principals in a webmasters guild to work on joint problems and to promote unity.
Jim: I would agree that it requires an apology. The steps Paul took weren't judicious at all. You've said he's done other things to other Armorama staff: I can't speak to that and have to trust that you're correct that "frostyness" exists btn Paul and this site. However, I dont' believe yesterday's actions were meant to harm you or Armorama at all. There really was a security breach at TL. My word on it.
For anyone else who says "Let's go to war" or wants to pile on personal attacks on people's family or marriages, please remember what Armorama, Finescale, Track-link, Missing-lynx (etc) are all about. It's a hobby that each of us delve into to relax and enjoy some community. I don't know many of us who are starving, live in the Third World, or are trying to extract someone trapped in a mine somewhere or trying to survive because your village was flattened by an earthquake. Please let's use some common courtesy (even if it hasn't been given to us).
Roy Chow
Teacher
England - North West, United Kingdom
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Posted: Friday, January 13, 2006 - 11:11 PM UTC
Whilst I trust you Roy, as a member of this site. I know you have been misled by Paul. He's left things out, and he's lied about other things. Don't trust him or believe what he says.
Vinnie
Vinnie
Posted: Friday, January 13, 2006 - 11:15 PM UTC
Roy,
I am in no way interested in these site vs. site antics. For the record I think TL is a great site. However Paul has all but admitted that his password schema is flawed and NOT encrypted. He was able to easily look up both Saul's and Jim's account password without any problem.
As for Saul's post being modified I don't know how TL works but here any moderator can edit posts or delete them. An IP stamp is left on the updated post indicating the IP address of the last person to modify the post. So I can say confidently that if that was done here we would have a pretty good idea of who did it.
Also you can refer to my post today (also in Site Talk) about how Armorama's passwords are encrypted.
Thanks,
Jim
I am in no way interested in these site vs. site antics. For the record I think TL is a great site. However Paul has all but admitted that his password schema is flawed and NOT encrypted. He was able to easily look up both Saul's and Jim's account password without any problem.
As for Saul's post being modified I don't know how TL works but here any moderator can edit posts or delete them. An IP stamp is left on the updated post indicating the IP address of the last person to modify the post. So I can say confidently that if that was done here we would have a pretty good idea of who did it.
Also you can refer to my post today (also in Site Talk) about how Armorama's passwords are encrypted.
Thanks,
Jim
ericadeane
Michigan, United States
Joined: October 28, 2002
KitMaker: 4,021 posts
Armorama: 3,947 posts
Joined: October 28, 2002
KitMaker: 4,021 posts
Armorama: 3,947 posts
Posted: Friday, January 13, 2006 - 11:21 PM UTC
Hi Jim:
I don't think there is any "leads" on who breached TL's security at this moment. All that logic points to is that one of us TL admins probably had our account hacked (thru careless use of passwords). And once in, that person played with a post or two of Saul's and the edited posts brought Saul some hard feelings. It wouldn't make sense that any of the TL admins did anything strnge. Saul is well-liked by all.
That is to say: I don't think Paul's coming into Jim's account was a tit-for-tat issue at all. Thnx for your quick reply Jim.
RC
I don't think there is any "leads" on who breached TL's security at this moment. All that logic points to is that one of us TL admins probably had our account hacked (thru careless use of passwords). And once in, that person played with a post or two of Saul's and the edited posts brought Saul some hard feelings. It wouldn't make sense that any of the TL admins did anything strnge. Saul is well-liked by all.
That is to say: I don't think Paul's coming into Jim's account was a tit-for-tat issue at all. Thnx for your quick reply Jim.
RC
Posted: Saturday, January 14, 2006 - 12:19 AM UTC
I don't really care what the excuse is.
Doing stuff like that goes against ethics and integrity.
Doing stuff like that goes against ethics and integrity.
keenan
Indiana, United States
Joined: October 16, 2002
KitMaker: 5,272 posts
Armorama: 2,844 posts
Joined: October 16, 2002
KitMaker: 5,272 posts
Armorama: 2,844 posts
Posted: Saturday, January 14, 2006 - 12:35 AM UTC
Roy,
Frankly I don't care what his motivation was and no I won't CALM DOWN. You, Paul, Jesus, Mary or Mohammad use my user name to post something in a forum and I am going to want to, using the good ol' Hoosier parlance here, stomp a size 13 mud hole in your @ss. It is like wearing white shoes after labor day, it just isn't done, esp. by site owners and admins who ought to know better.
No excuse for this kind of behavior. None. What so ever.
Shaun
some emiticons to make everyone thing I was only kidding
:-)
There...
Frankly I don't care what his motivation was and no I won't CALM DOWN. You, Paul, Jesus, Mary or Mohammad use my user name to post something in a forum and I am going to want to, using the good ol' Hoosier parlance here, stomp a size 13 mud hole in your @ss. It is like wearing white shoes after labor day, it just isn't done, esp. by site owners and admins who ought to know better.
No excuse for this kind of behavior. None. What so ever.
Shaun
some emiticons to make everyone thing I was only kidding
:-)
There...
Paul_Owen
British Columbia, Canada
Joined: May 11, 2002
KitMaker: 140 posts
Armorama: 108 posts
Joined: May 11, 2002
KitMaker: 140 posts
Armorama: 108 posts
Posted: Saturday, January 14, 2006 - 01:46 AM UTC
Hey Jim,
Sorry, just trying to help you by pointing out a poor password practice. Don't use the same passwords for different sites. As I demonstrated, there can potentially be problems
I guess people like you will always look for trouble and where none exists then create your own. Says more about you than me.
In a few days you'll have an epiphany and will feel regret about all the stuff you're typing, so I forgive you now :-)
FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.
Paul.
PS: Jim S.: What's that name of that site that doesn't like Armorama, the one on Sweden (or whereever)? Have any of the admins here registered there and used the same password? Maybe you could check into that
Sorry, just trying to help you by pointing out a poor password practice. Don't use the same passwords for different sites. As I demonstrated, there can potentially be problems
I guess people like you will always look for trouble and where none exists then create your own. Says more about you than me.
In a few days you'll have an epiphany and will feel regret about all the stuff you're typing, so I forgive you now :-)
FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.
Paul.
PS: Jim S.: What's that name of that site that doesn't like Armorama, the one on Sweden (or whereever)? Have any of the admins here registered there and used the same password? Maybe you could check into that
markm
California, United States
Joined: September 11, 2005
KitMaker: 1,757 posts
Armorama: 1,148 posts
Joined: September 11, 2005
KitMaker: 1,757 posts
Armorama: 1,148 posts
Posted: Saturday, January 14, 2006 - 01:51 AM UTC
I doubt it :-)
Spades
California, United States
Joined: February 08, 2003
KitMaker: 776 posts
Armorama: 477 posts
Joined: February 08, 2003
KitMaker: 776 posts
Armorama: 477 posts
Posted: Saturday, January 14, 2006 - 01:57 AM UTC
OK, what happened to my rank ????? I remember I was at least a corporal........I think,,,,,,but I had rank nonetheless. Anyone want to explain ???? Site Administrator ................................................................................................would you know what happened ????
Teacher
England - North West, United Kingdom
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Posted: Saturday, January 14, 2006 - 02:04 AM UTC
Enough. I've registered a complaint with RECOL.
Vinnie
Vinnie
jazza
Singapore / 新加坡
Joined: August 03, 2005
KitMaker: 2,709 posts
Armorama: 1,818 posts
Joined: August 03, 2005
KitMaker: 2,709 posts
Armorama: 1,818 posts
Posted: Saturday, January 14, 2006 - 02:17 AM UTC
It certainly is unethical what Paul Owen did. Hiding behind the lame excuse of exposing a security flaw is certainly unjustified. If one had the good intentions of exposing such flaws, he/she would have formally discussed it with the administrators of the site without breaching the boundaries of trust.
Ive never been to Track Link but based on the actions on the administrator alone, first impressions certainly arent high and as staff_jim mentioned, he obviously left passwords unencrypted so that he could view them.
On that point alone, i wont be recommending anyone register for that site.
Ive never been to Track Link but based on the actions on the administrator alone, first impressions certainly arent high and as staff_jim mentioned, he obviously left passwords unencrypted so that he could view them.
On that point alone, i wont be recommending anyone register for that site.
dexter059
Region de Valparaiso, Chile
Joined: July 28, 2005
KitMaker: 1,569 posts
Armorama: 1,385 posts
Joined: July 28, 2005
KitMaker: 1,569 posts
Armorama: 1,385 posts
Posted: Saturday, January 14, 2006 - 02:18 AM UTC
Well, I guess Paul Owen has pointed his reasons, and IF that are ok with Staff Jim, fine by me I like that site too, and it will be a shame that this become a not wanted conflict between them.
So, we´re all in peace, I guess
Cheers to all
So, we´re all in peace, I guess
Cheers to all
Posted: Saturday, January 14, 2006 - 02:20 AM UTC
Quoted Text
In a few days you'll have an epiphany and will feel regret about all the stuff you're typing, so I forgive you now :-)
FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.
Paul.
Paul,
This sounds a little like a threat to me. Perhaps that was not your intent but I would warn you not confuse me for Andrew Dextras. If you hack this site or cause any more problems there will be serious legal consequences.
I have no regrets. Everything I have posted is fact. If you are encrypting your passwords then how is it that you were able to read Saul and Jim Rae's passwords in your database?? If you logged into their accounts and request the password most systems would have to modify the password (being unable to decypher an MD5 encryption) and send that user the new password. So then you would have a new password which does not match the password they use on Armorama. If you are NOT using MD5 encryption or something similar then you still have a security hole. I cannot do what you describe above, but obviously you can.
Jim
Posted: Saturday, January 14, 2006 - 02:22 AM UTC
Paul Owen,
I don't know you and I don't want to know you. I have never been to Trak Links and, now, never will. There is absolutely NO excuse for what you did
Mal
I don't know you and I don't want to know you. I have never been to Trak Links and, now, never will. There is absolutely NO excuse for what you did
Mal
TacFireGuru
Colorado, United States
Joined: December 25, 2004
KitMaker: 3,770 posts
Armorama: 2,263 posts
Joined: December 25, 2004
KitMaker: 3,770 posts
Armorama: 2,263 posts
Posted: Saturday, January 14, 2006 - 02:26 AM UTC
Hmmm,
What a professional method of informing someone that there may be an issue. Would have thought that an email or PM may have been the better way to do this. I can only imagine the "mud-slinging" that will continue out of your lack of good sense [edit - unprofessional behavior].
Too bad for you and your site....good site too. I'm willing to believe that this "stunt" is going to hurt a lot of folks.
Mike
Quoted Text
Sorry, just trying to help you by pointing out a poor password practice. Don't use the same passwords for different sites. As I demonstrated, there can potentially be problems
What a professional method of informing someone that there may be an issue. Would have thought that an email or PM may have been the better way to do this. I can only imagine the "mud-slinging" that will continue out of your lack of good sense [edit - unprofessional behavior].
Too bad for you and your site....good site too. I'm willing to believe that this "stunt" is going to hurt a lot of folks.
Mike
jazza
Singapore / 新加坡
Joined: August 03, 2005
KitMaker: 2,709 posts
Armorama: 1,818 posts
Joined: August 03, 2005
KitMaker: 2,709 posts
Armorama: 1,818 posts
Posted: Saturday, January 14, 2006 - 02:27 AM UTC
Quoted Text
FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it. Something to consider, eh.
Yes this certainly can be done however thats a feature most administrators have and it is implied that administrators DO NOT abuse administrative powers to breach an individual's privacy.
Normal members do not have the ability to simply change an email address and retrieve the password as the password recovery tool only works when the registered email is supplied.
This is a poor response on your part and certainly unprofessional in every respect.
PvtParts
New Jersey, United States
Joined: June 18, 2003
KitMaker: 1,876 posts
Armorama: 1,120 posts
Joined: June 18, 2003
KitMaker: 1,876 posts
Armorama: 1,120 posts
Posted: Saturday, January 14, 2006 - 02:51 AM UTC
One word...Weasel
95bravo
Kansas, United States
Joined: November 18, 2003
KitMaker: 2,242 posts
Armorama: 504 posts
Joined: November 18, 2003
KitMaker: 2,242 posts
Armorama: 504 posts
Posted: Saturday, January 14, 2006 - 03:06 AM UTC
That's just...too bad and sad. Well, I'll not visit there again.
2CAVTrooper
Alabama, United States
Joined: October 21, 2005
KitMaker: 310 posts
Armorama: 302 posts
Joined: October 21, 2005
KitMaker: 310 posts
Armorama: 302 posts
Posted: Saturday, January 14, 2006 - 03:18 AM UTC
Quoted Text
FYI: my passwords are encrypted, however there is a way to get them on my site and every other site too. All you have to do is change the e-mail address of the person's password you want and then request it.
Most places will only send a password request to the E-mail that they have on record for that member.
In order to send a password to another E-mail account, the member should have to E-mail the site admin from the E-mail account on record with all relevant member information to request the change.
Personally, it doesn't really matter to me because anything connected to something sensitive such as credit card or bank account, I change the passwords on a monthly basis. For a site like this, I'll change them every 6 months to a year. Some of the more political orientated sites I'm on, I change them every 3 months.
Posted: Saturday, January 14, 2006 - 03:34 AM UTC
Hi Paul
I don't have reason to visit TL, but I can't understand the way you went about things: even giving you the benefit of the doubt that you were trying to highlight a security problem, your response to the criticism only makes matters worse - you imply that you can (and do) abuse your members' personal information. There's a saying in Britain "When you're in a hole... stop digging..."
Rowan
I don't have reason to visit TL, but I can't understand the way you went about things: even giving you the benefit of the doubt that you were trying to highlight a security problem, your response to the criticism only makes matters worse - you imply that you can (and do) abuse your members' personal information. There's a saying in Britain "When you're in a hole... stop digging..."
Rowan
thedutchie
Ontario, Canada
Joined: February 01, 2005
KitMaker: 1,299 posts
Armorama: 919 posts
Joined: February 01, 2005
KitMaker: 1,299 posts
Armorama: 919 posts
Posted: Saturday, January 14, 2006 - 03:35 AM UTC
Paul:
As a programmer and IT professional, I believe what you did isnt right. When you discover a flaw u contact the individual(s) and discuss it. What u did would be considered malicous and a court of law will not stand for it. Did u miss the computer ethics class in school?
There is always ways around passwords and there are always ways to find the "backdoor". Does it mean that we should look for them or try to exploit them? If you have this much time on your hands perhaps u should try to better your site instead of jerking with someone elses.
Rant done
As a programmer and IT professional, I believe what you did isnt right. When you discover a flaw u contact the individual(s) and discuss it. What u did would be considered malicous and a court of law will not stand for it. Did u miss the computer ethics class in school?
There is always ways around passwords and there are always ways to find the "backdoor". Does it mean that we should look for them or try to exploit them? If you have this much time on your hands perhaps u should try to better your site instead of jerking with someone elses.
Rant done
Graywolf
Senior Editor
Izmir, Turkey / Türkçe
Joined: December 01, 2001
KitMaker: 6,405 posts
Armorama: 1,850 posts
Joined: December 01, 2001
KitMaker: 6,405 posts
Armorama: 1,850 posts
Posted: Saturday, January 14, 2006 - 03:50 AM UTC
1.If you are a member of a few sites and especially if you have admin access in any of these sites never forget to have different passwords or encryptions but also remember this saying '' Social Engineering Specialist: Because there is no patch for human stupidity.''
2. Armorama is a friendly hosted modelling community not a training field to check out vulnerabilities of any other websites or individuals. there are some websites like this to legally and basicly check your skills or your own sites security...
3. You signed up to a website and the owner of the website abused your account using the same information in another website for any reason without your permission. guess who is this?
my account is ONLY MY ACCOUNT and thanks Jim for remembering this since 2001.
4. Thanks to Roy Chow for being so conciliatory and honest.I agree him totally.this shouldnt be turned to a family plot or a website war. I am sure members of the TL and Armorama are more interested in modelling not personal shows.....
bestest regards
2. Armorama is a friendly hosted modelling community not a training field to check out vulnerabilities of any other websites or individuals. there are some websites like this to legally and basicly check your skills or your own sites security...
3. You signed up to a website and the owner of the website abused your account using the same information in another website for any reason without your permission. guess who is this?
my account is ONLY MY ACCOUNT and thanks Jim for remembering this since 2001.
4. Thanks to Roy Chow for being so conciliatory and honest.I agree him totally.this shouldnt be turned to a family plot or a website war. I am sure members of the TL and Armorama are more interested in modelling not personal shows.....
bestest regards
Teacher
England - North West, United Kingdom
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Joined: April 05, 2003
KitMaker: 4,924 posts
Armorama: 3,679 posts
Posted: Saturday, January 14, 2006 - 03:51 AM UTC
James, there is absolutely no reason to lock this thread. What you see as mudslinging is our users voicing their feelings on this reprehensible 'man'.
Vinnie
Vinnie