Dim bulbs at lowes.com
I ordered an extension cord for the server on lowes.com for pickup at a store.

All went well, and then I noticed that they emailed me my password after I created the account.

"OK, well, that's not too cool, but I can just change it." So I did.

They emailed me the CHANGED password "for my reference".

So basically it's impossible to have a secure account on their website. Any time you change your password, it will be handily emailed to you in plaintext for all and sundry to see.

I sent them a nastygram, and here's the response:

Thank you for your recent e-mail concerning our e-mail verification procedure.

E-mail distribution of username and password is a service we provide to our users so they are able to save the e-mail as a ready reference for future use. This policy is considered to be industry standard and is currently the only option we offer for this type of inquiry feedback. We apologize if this has created any inconvenience for you.
Emphasis mine.

I've sent another, more detailed discussion of their inadequacies. This could get fun.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
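The behaviour described in the post above, as an added example that is not code from Lowe's or from anyone in this thread: a password-change handler that mails the new password back "for reference", beside a hardened one that stores only a salted hash and sends a notification that never carries the secret. The in-memory account store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store: username -> stored record.
ACCOUNTS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; a memory-hard KDF
    # (scrypt or Argon2) is the better choice for a real deployment.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def insecure_change_password(username: str, new_password: str) -> str:
    """The flow the post complains about: the new password is kept in
    plaintext and echoed back in the confirmation e-mail.  Returns the
    e-mail body so the leak is visible to the caller."""
    ACCOUNTS[username] = {"plaintext": new_password}
    return f"Your password has been changed to: {new_password}"


def change_password(username: str, new_password: str) -> str:
    """Hardened flow: persist only salt + hash, and notify the user of the
    change without including the credential.  Returns the e-mail body."""
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    body = ("Your password was changed. If you did not make this change, "
            "reset your password immediately.")
    # Guard against a template regression reintroducing the leak.
    if notification_leaks_secret(body, new_password):
        raise RuntimeError("notification must never contain the password")
    return body


def verify_password(username: str, candidate: str) -> bool:
    """Constant-time check of a login attempt against the stored hash."""
    rec = ACCOUNTS.get(username)
    if rec is None or "hash" not in rec:
        return False
    return hmac.compare_digest(_hash_password(candidate, rec["salt"]), rec["hash"])


def notification_leaks_secret(body: str, secret: str) -> bool:
    """Check to run over outgoing mail templates or a mail log sample:
    True if the credential appears verbatim in the message."""
    return secret in body
```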
More than likely...
...it will just go into a black hole, and you'll not hear from them again.

In the unlikely event that you do, however, I eagerly await reading responses all around. :)
-YendorMike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
There was another line telling me to respond...
... if I wasn't satisfied with the answer. ;-)
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
Ahh, industry standard
We get audited occasionally.
Real security gurus.
Hah!

They want to know why we don't have virus scanning software on our Linux systems.

Fucking idiots.

We have been forced to install ClamAV on 100% isolated Linux systems - no email, no Samba, etc., so we can nod and say we have virus scanning on our Linux boxes.

And then we have the reverse: do the most stupid stuff on our Windows systems. And the Windows admin pulls out the MS tech bulletin that tells him to do it. So they nod, and tell us OK.
Had an audit like that once
They said we really should have some file and print servers. And email servers. They said we should have lots of things. Things that we actually did have. But they were on the three monster Novell boxes. The ones they completely ignored. Their entire evaluation was written on the basis that the two NT4 boxes that ran the document management system represented the entire network.
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
This is why you're supposed to use a unique password.
So if it *is* compromised, you don't have someone loose in all your internet accounts.

But of course, you already know that.

Then, too, if many of them are following "industry standard" (which it's not - someone just thinks it is), then the same hacker is probably going to snarf all those accounts, too.

But I imagine you already know that, too.

So good luck on the education. :-)

Wade.

"Insert crowbar. Apply force."
     Dim bulbs at lowes.com - (admin) - (5)
         More than likely... - (Yendor) - (1)
             There was another line telling me to respond... - (admin)
         Ahh, industry standard - (broomberg) - (1)
             Had an audit like that once - (drewk)
         This is why you're supposed to use a unique password. - (static)