
Postby cstaylor » Tue Mar 02, 2004 1:34 am

That's why you never give a single user permission to access a critical database like that. MxN security is the most appropriate (M - number of combined passwords required to unlock access, N - number of users with admin access, M <= N, M > 1), which means you'd need two people on the take if M was the smallest possible value, 2.

This goes for other things as well, like that Aomori scandal with that accountant and Chilean hostess. If the city had required two signatures, inkans, whatever, for all financial transactions concerning the cooperative, that sleazeball couldn't have siphoned off all that cash.

Postby cstaylor » Tue Mar 02, 2004 1:55 am

135 people had that kind of access? That's insane... WAY too many people.

Sounds like the system worked like this:

-- web server -- --[connection pool as full access user]---> -- database --

Users can only see their own data, but anything can be accessed via url. Once you figure out the pattern for certain query parameters, you can pass them in nonvalidated to the server, and see things you shouldn't be able to see.
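The flaw cstaylor describes above, next to a corrected handler, as an added example that is not part of the original thread: the weak handler lets the full-access connection return any row named in the URL, while the checked one binds the logged-in user into the query and records refusals. The table layout, handler names, URLs and rows are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the customer database (rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, owner TEXT, name TEXT, phone TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1001, "alice", "Alice Example", "03-0000-0001"),
        (1002, "bob", "Bob Example", "03-0000-0002"),
    ])
    return db


def record_id_from(url: str) -> int:
    """Validate the id query parameter instead of passing it through raw."""
    raw = parse_qs(urlparse(url).query).get("id", [""])[0]
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        raise ValueError("id must be a short decimal number")
    return int(raw)


def view_record_weak(db, session_user: str, url: str):
    # Weak: the shared full-access connection returns whatever id the URL
    # names; the logged-in user never enters the query.
    return db.execute("SELECT name, phone FROM customers WHERE id = ?",
                      (record_id_from(url),)).fetchone()


denied_log = []  # stand-in for an audit log that a detection rule would watch


def view_record_checked(db, session_user: str, url: str):
    # Hardened: ownership is part of the query, so a guessed id yields nothing.
    rec_id = record_id_from(url)
    row = db.execute(
        "SELECT name, phone FROM customers WHERE id = ? AND owner = ?",
        (rec_id, session_user)).fetchone()
    if row is None:
        denied_log.append((session_user, rec_id))
        raise PermissionError("no such record for this user")
    return row
```

A run of entries in `denied_log` from one session with changing ids is the pattern to alert on.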

Re: 4.5m Japanese broadband users' details exposed

Postby Caustic Saint » Tue Mar 02, 2004 9:54 am

bikkle wrote:Image

Wired LAN?

Primitives. :P
More caustic. Less saint. :twisted:

Cheap Bastards

Postby canman » Tue Mar 02, 2004 10:20 am

My friend's information was accidentally released and within a day he received over 30 spam mails, two including viruses. He got an apology from YahooBB and a 500 yen gift certificate. He said he will never use YahooBB again, as long as he lives. I can't blame him. I think the company really mishandled this situation, and it will prove to be very costly to them.

Postby DrBru » Tue Mar 02, 2004 9:39 pm

I use YBB as well, now how do I get my compensation money?
This is really causing me emotional stress :cry:

Re: Cheap Bastards

Postby Captain Japan » Tue Mar 02, 2004 9:53 pm

canman1 wrote:My friend's information was accidentally released and within a day he received over 30 spam mails, two including viruses. He got an apology from YahooBB and a 500 yen gift certificate. He said he will never use YahooBB again, as long as he lives. I can't blame him. I think the company really mishandled this situation, and it will prove to be very costly to them.


Even before this mess I was pissed at these people. I cancelled my Yahoo! BB account in November. I went through the process online and sent back the modem (with a printout of the receipt that shows up online when you finish clicking your way through). Well, they kept charging my credit card for two months after (and will likely do it again this month). So I wrote to them. They claim that I didn't sign some paper work I was supposed to have received. (This might be true]in November[/i]. I imagine getting this refund will take 4 more mails.





Much ado about nothing

Postby hyogojoe » Mon Mar 22, 2004 12:23 am

You have to wonder why the media is making such a fuss about this leak. It's certainly not based on the "merits" of the leak itself.

Yes, the number of records stolen is indeed large, but it's just names, addresses, phone numbers and email addresses. The first three items can be found in a phone book. The Osaka white pages alone has more records. Why no fuss about that!!

As for the email addresses, those fall into the hands of spammers sooner or later, anyway.

canman1 mentioned a friend getting spam after his details were leaked. I doubt it. I've seen no suggestion that the data escaped beyond the guys who stole it. There was a huge surge in spam over the last two months which had nothing to do with Yahoo's leak and is probably the real source of the spam.

I think the real reason for the fuss over this leak has to do with the fact that Yahoo! BB is foreign-owned (Korean, actually) and is causing serious stress for NTT.

Do you recall a huge fuss over these leaks?:

Aug. 12, 2003 LITTLE ROCK, Ark. (AP) -- A computer hacker gained access to private files at Acxiom Corp., one of the world's largest consumer database companies [which] manages consumer databases for . . . Microsoft Corp., IBM, Sears Roebuck and Co., AT&T, General Electric, Bank of America [and] 14 of the top 15 credit card companies, seven of the top 10 auto manufacturers and five of the top six retail banks.


8:13 a.m. EST (1313 GMT)
(IDG) -- A computer hacker has breached the security of the SalesGate.com and other sites, stealing credit-card numbers and posting them on the Internet.


25/09/2003 at 21:03 GMT
(SecurityFocus) At least 1,000 automobile shoppers who submitted online credit applications to any of 150 different automotive dealerships around the U.S. had their personal and financial details exposed on a publicly-accessible website, according to a computer security consultant who stumbled across the privacy gaffe.


Two of those leaks included card info posted on the internet and the other put the card data of credit card companies at apparent risk (they're too smart to actually say what was taken)!! Where were the screaming headlines? The weeks of follow-up stories?

Nowhere--that's where. They just evaporated into the mist.

Get a grip, folks. :wink:

hyogojoe

Unfounded complaint

Postby hyogojoe » Mon Mar 22, 2004 12:39 am

Captain Japan wrote:Even before this mess I was pissed at these people. I cancelled my Yahoo! BB account in November. I went through the process online and sent back the modem (with a printout of the receipt that shows up online when you finish clicking your way through). Well, they kept charging my credit card for two months after (and will likely do it again this month). So I wrote to them. They claim that I didn't sign some paper work I was supposed to have received. (This might be true]

So you admit you may not have cancelled properly (i.e., didn't return the signed cancellation post card) and it's STILL their fault??

In any case, while asking Yahoo for a refund you should be aware that bills for two months after quitting Yahoo is normal. The phone calls you make are posted to your account in the middle of the month following the month they are made. Then they are billed in the 2nd month following. So, if you quit in November, your last payment--if at the bank--would be about Jan. 27th. If you're paying by card, it could even be later, depending on your card company's billing cycle.

All in all, I think your complaint about being billed is unfounded. It's natural to be unhappy, but if you looked at that page you included with your modem, I think you'd find it said your cancellation would not be official until you return the card.

hyogojoe

Re: Unfounded complaint

Postby GargoyleTS » Mon Mar 22, 2004 7:36 am

hyogojoe wrote:The phone calls you make are posted to your account in the middle of the month following the month they are made. Then they are billed in the 2nd month following. So, if you quit in November, your last payment--if at the bank--would be about Jan. 27th. If you're paying by card, it could even be later, depending on your card company's billing cycle.


What calls? DSL is not calls, it is internet access. Secondly, you are right about the Spam problem on Yahoo. It's not from leaked details, it's from the latest rounds of Viruses turning boxes into relays and forging all kinds of header info to escape Yahoo's Spamguard so it hits your inbox. I was down to 5 Spam a day until this latest round hit, then went up to 20+ in the Spambox and 3-10 in my Inbox. All Spam and from IP relays that Spamguard doesn't block. My thanks goes out to those ISPs who are beginning to do something about compromised customers.

Remember folks, Update your AV and OS weekly (For MS clients) and don't open email from people you don't know. (and for the love of Mike, get a firewall or router (also called a hardware firewall) and learn how to use it!)

Re: Unfounded complaint

Postby hyogojoe » Mon Mar 22, 2004 9:34 am

GargoyleTS wrote:What calls? DSL is not calls, it is internet access.


Yes, DSL is not 'calls' but Yahoo! BB is. All Yahoo! BB customers get BBPhone, which is an IP phone service. If one plugs the telephone into the Yahoo modem (as shown in the instructions), then calls are billed by Yahoo! BB, not NTT or the MyLine carrier.

Because BBPhone is much cheaper than NTT or MyLine, BBPhone is one of the best reasons to use Yahoo! BB. For example, the MyLine rate is 8.5 yen for local calls (within the area code) and then it goes up from there according to distance:
over 100 km = 80 yen/3 minutes
over 80 km = 60 yen/3 minutes
over 60 km = 40 yen/3 minutes
etc.

Yahoo on the other hand charges 7.5 yen/3 minutes to call anywhere in Japan. International calls are very cheap, too. For example, to the U.S., it's just 2.5 yen/1 minute.

But I digress . . .

I just mentioned the charge for calls because it seemed Captain Japan was negotiating for a full refund and I thought it should be pointed out that at least part of the billing was legitimate. You can find info in English about Yahoo's billing cycle (and lots of other info about using Yahoo BB) here:
http://www.eikaiwa.net/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=20&t=000004

Hope this helps.

Jimmie

Re: Unfounded complaint

Postby Captain Japan » Mon Mar 22, 2004 11:12 am

hyogojoe wrote:
Captain Japan wrote:Even before this mess I was pissed at these people. I cancelled my Yahoo! BB account in November. I went through the process online and sent back the modem (with a printout of the receipt that shows up online when you finish clicking your way through). Well, they kept charging my credit card for two months after (and will likely do it again this month). So I wrote to them. They claim that I didn't sign some paper work I was supposed to have received. (This might be true]

So you admit you may not have cancelled properly (i.e., didn't return the signed cancellation post card) and it's STILL their fault??


They made it sound like I was all finished. I mean, heck, they asked for the modem back. It was only later that I found out that I didn't sign some piece of paper that I had never heard about before.

hyogojoe wrote:In any case, while asking Yahoo for a refund you should be aware that bills for two months after quitting Yahoo is normal. The phone calls you make are posted to your account in the middle of the month following the month they are made. Then they are billed in the 2nd month following. So, if you quit in November, your last payment--if at the bank--would be about Jan. 27th. If you're paying by card, it could even be later, depending on your card company's billing cycle.


Sure, I thought of that. But not one of their email responses to me mentioned this. Basically, each one kept confirming that I wanted to actually cancel the service. It was hopelessly moronic. After about the fourth one they finally got the idea.

hyogojoe wrote:All in all, I think your complaint about being billed is unfounded. It's natural to be unhappy, but if you looked at that page you included with your modem, I think you'd find it said your cancellation would not be official until you return the card.


They said I'd get a refund. But so far that hasn't happened.

Re: Unfounded complaint

Postby hyogojoe » Mon Mar 22, 2004 11:34 am

Captain Japan wrote:They made it sound like I was all finished. I mean, heck, they asked for the modem back. It was only later that I found out that I didn't sign some piece of paper that I had never heard about before.
<snip>
They said I'd get a refund. But so far that hasn't happened.


Well, they're pretty kind at Yahoo! BB, in my experience, so I'm sure they'll gift (SIC) you your money back even though you didn't follow the instructions, making it necessary for them to engage in a long confusing discussion in a foreign language.* I hope you express sufficient appreciation to them for going to all that trouble just for you.

As for the effect of sending the modem back . . . I read somewhere that Yahoo BB signs up about 20,000 new customers every day. With that many joining and a total of over 4 million users, they've probably got lots of modems coming back every day, too. Since the procedure for quitting is to sign a post card, I doubt the billing department gives a lot of immediate attention to the modems being returned.

hyogojoe
*If you're having the discussion in Japanese, maybe that's the problem. They will communicate in English, if you request it.

Postby Bongo » Fri Jun 18, 2004 11:05 am

I know this is an old thread but, what pisses me off the most is that the YBB customer information including my own went to one of UYOKU groups.
This right wing organization was trying to squeeze YBB, probably because of the heritage of Masayoshi Son.
Also, YBB handed over all the customer information to the F*cking cops as evidence. I am not sure which of the above two groups I am more suspicious of.
The road to the abyss.

Postby Taro Toporific » Fri Jun 18, 2004 11:36 am

Bongo wrote:... YBB customer information including my own went to one of UYOKU groups....


WOT "UYOKU groups"?

I hadn't noticed that right-wing connection for the leak of YBB customer information in the newspapers (but I haven't been following this closely either).
_________
FUCK THE 2020 OLYMPICS!

Postby hyogojoe » Fri Jun 18, 2004 11:43 am

Bongo wrote:I know this is an old thread but, what pisses me off the most is that the YBB customer information including my own went to one of UYOKU groups.
This right wing organization was trying to squeeze YBB, probably because of the heritage of Masayoshi Son.


Where did you hear this? I've followed this case pretty closely, but haven't seen anything about this in the news. According to the reports I read, the people trying to extort YBB were former employees and that the data was never distributed beyond the extortionists.

Bongo wrote:Also, YBB handed over all the customer information to the F*cking cops as evidence. I am not sure which of the above two groups I am more suspicious of.


The info involved is pretty much the same info in telephone directories. Why isn't anyone condemning NTT for publishing phone books? Anyway, the police already have access to everyone's name and address.

My name is in the phone book and spammers all over the world seem to have my email address so to me this "scandal" is just one big yawner.

hyogojoe

1,400,000 BB-phone call records amongst stolen information

Postby Bongo » Fri Jun 18, 2004 12:02 pm

Seems like not only were customer records stolen from YBB and given to a right wing (UYOKU) organization but, 1,400,000 BB-phone call records were also found to have been stolen. Now all this information is in the hands of the infamous Japanese police. Not sure if I am more concerned about the police having records of my calls than the UYOKU group.

There again they are pretty much the same are they not?
The road to the abyss.

Re: 1,400,000 BB-phone call records amongst stolen informati

Postby Taro Toporific » Fri Jun 18, 2004 3:24 pm

Bongo wrote:Seems like not only were customer records stolen from YBB and given to a right wing (UYOKU) organization but, 1,400,000 BB-phone call records were also found to have been stolen.?


Ok, I found the right-winger angle to the story. I wonder which group of sound trucks was Mori's?

Softbank BB 'extortionist' likely had 1.4 mil. phone call logs

Yomiuri Shimbun / June 18
A man, who allegedly tried to extort money from Internet service provider Softbank BB Corp. with stolen customer information, was likely to have possessed data on 1.4 million calls made by subscribers to the company's Internet protocol telephone service, sources revealed Thursday.
Rightist organization senior member Hiroshi Mori, 67, is currently on trial on charges of attempting to extort money from Softbank with data on 4.6 million subscribers to its Yahoo! BB high-speed online service that allegedly was stolen from the company's database.
_________
FUCK THE 2020 OLYMPICS!

Postby Skankster » Fri Jun 18, 2004 3:47 pm

-
-
A slightly more recent update is that a Japanese contract employee that was fired but his email and access to the DB was not deleted logged in and extracted the DB with all the user information.
He too is now in custody.
Welkomme to the Fight Club

natsukashii

Postby Taro Toporific » Fri Jun 18, 2004 3:59 pm

_________
FUCK THE 2020 OLYMPICS!

What's the big deal?

Postby hyogojoe » Fri Jun 18, 2004 6:21 pm

I fail to see why this is a big deal. I couldn't care less if this Mori guy knows I called Suzuki-kun 3 times and Mari-chan twice. If they got my credit card info, that would be something else, but they didn't.

Let's talk about these incidents:

According to The Japan Times, "Police searched the Osaka branch office of NTT West on [Nov. 1, 1999] for evidence against a former employee arrested the previous day for allegedly receiving bribes from so-called Dial Q2 service companies in exchange for information on NTT customers."

According to Kyodo News Service, on March 25, 2004, "High-speed Internet access service provider ACCA Networks Co. is apparently experiencing a leakage of client data... ACCA provides ADSL to major Internet service providers, including NTT Communications Corp., NEC Corp., KDDI Corp. and Sony Corp. whose products are known by the names of "OCN," "BIGLOBE," "DION" and "So-net," respectively."

According to The Register, on Nov. 22, 2002, "Microsoft made customer details - along with numerous confidential internal documents - freely available from a deeply insecure FTP server..." According to the article, "Microsoft 'published' files an estimated 11 million customer email addresses and seven million snail mail address on the server."[sic]

According to computeruser.com, on Aug. 8, 2002, "Personal data was leaked from Japan's new nationwide identification system, officials said Wednesday, just two days after the program was launched amid widespread fear it would be prone to breaches of privacy."

These are just the tip of the iceberg. Yahoo BB's leak is far from the worst. One leak I couldn't find a link for was one of the huge credit card companies where millions of account (card) numbers were leaked. Now _that's_ a scandal!

hyogojoe

Re: natsukashii

Postby Skankster » Fri Jun 18, 2004 7:11 pm

Welkomme to the Fight Club

Postby Bongo » Fri Jun 18, 2004 9:15 pm

Taro Toporific wrote:
Bongo wrote:... YBB customer information including my own went to one of UYOKU groups....


WOT "UYOKU groups"?

I hadn't noticed that right-wing connection for the leak of YBB customer information in the newspapers (but I haven't been following this closely either).


Sorry, my post was moved without notice and hence, I did not have time to reply. Yeah, it was an UYOKU group that got hold of the information and tried to blackmail YBB. That is old news.
However, the records of phone calls made via BB-phone seems to have only surfaced today. According to NHK news.

Incidentally, as my personal information was actually amongst the info stolen, I was told by YBB that, "They are going to do something more substantial for the people who actually had their information stolen".
Now, if this means another 500 Yen on top of the pathetic 500 Yen they sent to all members plus many non members who did not actually have their info stolen, I am not sure. Anybody know anymore about their planned manner of compensation?
Now, if they were going to give us a year of free service, I could understand it.
The road to the abyss.

Postby Bongo » Fri Jun 18, 2004 9:19 pm

hyogojoe wrote:
Bongo wrote:I know this is an old thread but, what pisses me off the most is that the YBB customer information including my own went to one of UYOKU groups.
This right wing organization was trying to squeeze YBB, probably because of the heritage of Masayoshi Son.


Where did you hear this? I've followed this case pretty closely, but haven't seen anything about this in the news. According to the reports I read, the people trying to extort YBB were former employees and that the data was never distributed beyond the extortionists.

Bongo wrote:Also, YBB handed over all the customer information to the F*cking cops as evidence. I am not sure which of the above two groups I am more suspicious of.


The info involved is pretty much the same info in telephone directories. Why isn't anyone condemning NTT for publishing phone books? Anyway, the police already have access to everyone's name and address.

My name is in the phone book and spammers all over the world seem to have my email address so to me this "scandal" is just one big yawner.

hyogojoe


Well, I personally have NEVER ever been in the phone book out of choice.
Even so, I have changed my phone number 5 times in 10 years because of crank calls and companies ringing up about some tosser that did a runner after borrowing money.
Got to really ask NTT who had the number previously when you change your phone number.
The road to the abyss.