Quite a hypocrite for someone who recently accused a retailer of using false names. Oh well, one less forum to check... meaning higher work productivity.

greetings,
seems a few feathers were kind of ruffled. the point was made that only fools would use the same name or password in different urls.
there's a lesson there, it could have been somebody else doing some real damage and who would be to blame. look in the mirror...
about kicking a.s and trusting does not speak well of the writer.
by the way, am also a member of t-l and a few other forums and i read more than one newspaper...
cheers and be thankful.
c6o
carpe diem
To access the password, Mr. Owen needed to use his administrator's access to change Jim's email address to his own. He then used TL's "I forgot my password" link to have the password emailed to him. Once he had this password in hand, he then used it to log in as Jim on Armorama. This is roughly akin to the banker stealing from his own vault and then trying to say he was only pointing out a security flaw. In short, this is not a security flaw, as a regular user would not be able to obtain passwords in the manner that Mr. Owen stole Jim's password.
Also, the fact that a plain text password can be emailed to a user when they have forgotten it indicates that passwords on Track Link are being stored in the database as plain text (not encrypted). One-way encryption schemes are just that: they can only be encrypted, and one cannot extract the plain text password from any good one-way encryption algorithm. To determine if a password supplied by a user at login is correct, the user's guess is encrypted and compared to the encrypted password stored in the user database. If the two encrypted passwords match, then it is assumed that the correct password has been provided and the user will be allowed to log in.
Enterprise systems that have been written with security as a design requirement will only store encrypted passwords. If a user forgets their password, then it will be reset with a randomly generated character string (e.g. sV$.b89tH2) and the user will be allowed to log in using this new password (really paranoid systems will require them to change their password immediately after logging in with the randomly generated password).
So, what does this whole incident tell you?
1.) Track Link stores user passwords in plain text (or in some really lame encryption scheme such as rot-13).
2.) Paul Owen finds it acceptable to breach professional ethics to prove how clever he thinks he is but really all he has proved is that he cannot ever be trusted.
3.) One should have a separate password that one uses for public logins (such as these modelling forums) that is different from say an online banking password (because if someone has your password and they can get ahold of your account number you are pooched).
4.) If one needs to have a login account at a site run by administrators with no professional ethics, then use a special password on that site that is only ever used there (i.e. don't use the same one on other properly run sites).
5.) One should regularly change all passwords to avoid this kind of game.
And that's just my humble opinion ... and by the way, I started my career as a systems administrator but now I design and implement enterprise software systems.
Cheers - Dan
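The login check and the reset flow Dan describes, as an added example that is not part of the original thread: only a salted one-way hash is stored, a login guess is hashed and compared in constant time, and "I forgot my password" issues a random temporary password instead of mailing the old one back. PBKDF2-HMAC-SHA256 and the in-memory USERS dict are my assumptions, not anything the thread names.

```python
import hashlib
import hmac
import secrets
import string

# Constructed in-memory "user database"; a real site would use a DB table.
# Each record holds a per-user salt and the hash, never the password itself.
USERS: dict[str, dict] = {}

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _hash(password: str, salt: bytes) -> bytes:
    # One-way derivation: the plain text cannot be recovered from this output.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "must_change": False}


def verify_login(username: str, guess: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Hash the guess with the stored salt and compare in constant time, so a
    # wrong guess does not leak how many leading bytes matched.
    return hmac.compare_digest(_hash(guess, rec["salt"]), rec["hash"])


def forgot_password(username: str) -> str:
    """Reset flow for a hashed store: the old password is unrecoverable, so a
    random temporary one is generated, only its hash is kept, and the user is
    forced to change it after the next login. The return value is what would be
    sent to the address of record; it is never retrievable from USERS later."""
    alphabet = string.ascii_letters + string.digits + "$.!#"
    temp = "".join(secrets.choice(alphabet) for _ in range(10))
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(temp, salt), "must_change": True}
    return temp


def stored_record_contains(username: str, password: str) -> bool:
    # Sanity check a reviewer can run: does the stored record hold the password?
    rec = USERS[username]
    return password.encode() in rec["salt"] or password.encode() in rec["hash"]
```

With this design an administrator who redirects a user's email address, as described above, receives only a fresh temporary password and learns nothing about the one the user chose, so it cannot be reused on another site.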
Speaking of what the web sites are here for, Paul Owen once proudly exclaimed to me in one of his nasty e-mails that he wasn't a modeler and thought modelers were pathetic and that it was a "childish pastime".