Until such time as we know both sides of this story (which we don't) -- and not just second-or-third-hand information --
I'd strongly recommend withholding any snap judgements until that time.
"Love it or leave it"? Hardly. But I would suggest being fair. No matter how much fun it might be to assume the worst, and then go wild.
I agree with Xeno...quite frankly I find this interesting, yet at the same time, I get annoyed with only 1/4 of the story being told, in these type threads. W/Out knowing the FULL story all it leads to is rampant speculation and therefore nothing is accomplished or solved. In reality all that is gained is hostility & ill will. As the old saying goes "it takes 2 to tango". We've only heard the step 1 in this dance sequence. I have to add, I doubt we will hear anymore either ~shrug~ I have to add I almost find this hard to believe, as my experience with customer service has been stellar (Clint/Debbie/StacyG). All of course IMHO :)
Message edited on: 07/25/2005 18:00
The big question is HOW can anyone steal from your account? Yes, I know ONE way, something I have alerted Rosity about a few times and which they don't seem to take very seriously (most times, if you send someone a link to a thread or something on MSN, it will include the Sess.Id, effectively logging you in as whoever sent the link). So in THAT case you can download all the other person's purchases. But that would be someone you knew (you send the link to that peep). Of course you can hack Rosity just as well as anything else, but I'd be VERY interested in knowing how this theft should have taken place. Has Rosity been hacked on a larger scale? As a merchant, I DO care. And as a "common" customer, I also wouldn't like to one day come in and see all my download attempts being used up. Of course they can be reset, but...
You just can't put the words "Poserites" and "happy" in the same sentence - didn't you know that? LaurieA
Using Poser since 2002. Currently at Version 11.1 - Win 10.
yes..it was the old link deal...what's interesting, I just went in to dl a few things from my acct...and 2 of them were used up..which I for sure only downloaded once.
I kinda agree about getting all sides...I do not know what happened on the rendo or merchant side other than what I was told, but I do know the issue was presented to the group first ... and in fact, that is where the issue lies...the person originally had put up a link with the session id, etc ....
but anyway...the original postings on the list were a bit over the top as the person was extremely concerned about the issue...and perhaps the merchants whose products were illegally downloaded and rendo were bombarded with concern.....my take on it is if Rendo doesn't worry about it to fix it, why should I, as long as I can get the dl reset.
Message edited on: 07/25/2005 18:38
Humankind has not woven the web of life. We are but one thread within it.
Whatever we do to the web, we do to ourselves. All things are bound together.
All things connect......Chief Seattle, 1854
I would assume they keep logs of downloads vs. IP address, so at least they can take legal action against the thieves whose IP address doesn't match that of the legit purchaser. However, they are apparently not even taking the simple steps of limiting the original download by time or valid IP address. Not very professional, in my opinion.
Yes, the issue is about the inclusion of SessionID's in the URL. However, some people don't know any better: they casually give out URL's with Session and SessionID information in it, not knowing that other people can use the URL to log in as them. Before you start ranting and raving about the "Security risk", at least wait to hear what the admins have to say about the issue. And if you are going to complain about Renderosity's security risk, be sure to complain at DAZ and PoserPros and all of the other sites that use SessionID's. :) --John
VanishingPoint... Advanced 3D Modeling Solutions
Attached Link: http://www.lavasoftsupport.com/
I'm guessing unauthorized downloads using someone else's accounts are via key loggers. In other words, it's probably the user's fault, not the merchants. Basically there's a lot of spyware around that records all your keystrokes, and sends it to a central server. I guess it's worth mentioning if you're cruising the Internet on a Windows PC without some form of firewall is an invitation for this type of mischief. Windows XP service pack 2 is supposed to help with spyware. I'd suggest using Lavasoft Ad aware, which is independent. I believe it's still free. See attached link.
Attached Link: http://www.lavasoft.de/support/download/#free
The freeware version of Ad Aware is a bit hidden.
"The big question is HOW can anyone steal from your account?"
Persistent session cookies.
"Those session ID things expire after 10 or 15 minutes, so they're not a major security risk."
Except that they don't always time out correctly.
"except once you've caught one, you can keep it going as long as you like."
Exactly.
"Not very professional, in my opinion."
C'mon, this IS Renderosity we're talking about.
"at least wait to hear what the admins have to say about the issue"
Fair enough, but they've known about this for years now.
"be sure to complain at DAZ and PoserPros and all of the other sites that use SessionID's"
I've never seen another site with SessionIDs that were quite as risky and sloppy as the ones here. DAZ has you re-login (I believe). Other sites have more efficient timeouts. There are ways to code session cookies so that they're not as vulnerable to this sort of thing. bonni
"When a man gives his opinion, he's a man. When a woman gives her opinion, she's a bitch." - Bette Davis
Attached Link: http://www.dtp-aus.com/cookies.htm
Regarding JHoagland's thread about the sessionID being part of the URL, I think this is a highly unusual practice. I doubt any shopping cart application would use this, except for putting the session ID with a hash of it in a cookie and matching the cookie to it. For instance, if you look at the URL for this message in Internet Explorer, you should only see the ForumID and the MessageID. The session information is kept in a cookie, stored locally on your PC. Regarding the expiration time that Khai is mentioning: the default expiration date of a cookie is the current session. If the web master doesn't set the expiration date, your cookies will expire upon exiting the browser window. Cookies can be set to never expire also. Anyhow the discussion of cookies is quite long-winded, and often repeated. Most are innocuous, except tracking cookies (Ad Aware will delete many of these). There are many resources discussing them, see attached link for one.

Could this explain how most of our stuff makes it to P2P? I never could work out someone paying good money for something and then distributing via P2P....
The supreme irony of life is that hardly anyone gets out of it alive.
Robert A. Heinlein
11th Gen Intel(R) Core(TM) i9-11900K @ 3.50GHz 3.50 GHz
64.0 GB (63.9 GB usable)
Geforce RTX 3060 12 GB
Windows 11 Pro
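
The cookie-based alternative to URL session IDs that the posts above describe, as an added example (not Renderosity's code and not written by anyone in the thread). The cookie name, the legacy URL parameter names and both timeout values are assumptions chosen for illustration.

```python
import hashlib
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

IDLE_TIMEOUT = 15 * 60           # seconds without activity (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600     # hard cap that activity cannot extend (assumed)
COOKIE_NAME = "sid"              # hypothetical cookie name
URL_SESSION_PARAMS = {"sessid", "sessionid"}  # hypothetical legacy parameter names


class SessionStore:
    def __init__(self):
        self._sessions = {}      # sha256(token) -> [user, created, last_seen]

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        """Create a session; return the token and the Set-Cookie value carrying it."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = [user, now, now]
        return token, f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def user_for(self, token, now):
        """Return the session's user, or None if unknown, idle too long, or too old."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        user, created, last_seen = rec
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_LIFETIME:
            del self._sessions[self._key(token)]
            return None
        rec[2] = now             # activity resets only the idle clock
        return user


def authenticate(store, cookies, now):
    """Identify the requester from the cookie only; the URL is never consulted."""
    token = cookies.get(COOKIE_NAME)
    return store.user_for(token, now) if token else None


def shareable_url(url):
    """Drop any session parameter so a pasted link carries no login."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in URL_SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

The absolute lifetime is what stops a captured token from being kept alive indefinitely by repeated requests; the idle timeout alone does not.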
I don't suppose anyone has dld anything from my purchases list up to now. I do have probs with R. about mySQL too many connections etc, but that's something else. Question is that if someone warns merchants about this, and these complain to the Rstaff, this person gets a rather nasty mail and risks to be banned (and what about your right to redownload your purchases? you can get banned from the forum and the galleries, but you do have the right to request a new download, no?). It is bizarre as I never had any unfriendly or unhelpful contact with any merchant I im'd. Anyways: I wouldn't even know whether someone dld from my account. And I now know it's better to let possible thieves go their way.
I have tried prudent planning long enough. From now I'll be mad. (Rumi)
"Could this explain how most of our stuff makes it to P2P?" I doubt it. The session cookie times out if I mail to a 2nd machine and wait 5-10 minutes. It's a simple case that some folks do share. Either deliberately, or because they give a copy to a friend who shares that. What's really funny is when an illegal downloader mails you and asks how you use the freebie. Or if it's an add-on can they have the original product!
Pinky - you left the lens cap of your mind on again.
For what it's worth, I've seen the message in question, and I am horrified that this customer was reprimanded for doing what anyone in their right mind who noticed such a thing would do--that being, notifying the merchants and staff. I think an apology is in order, myself. It appears some merchants and staff members might have forgotten that customers give us money, and tend to not do so when they feel like they're being ignored or slighted.
Driver picks the music. Shotgun shuts his cakehole.
"I would assume they keep logs of downloads vs. IP address, so at least they can take legal action against the thieves whose IP address doesn't match that of the legit purchaser. However, they are apparently not even taking the simple steps of limiting the original download by time or valid IP address. Not very professional, in my opinion." Ever heard about a dynamic IP address? With my old ISP I never had the same IP but got a new one assigned each time I went online. Some time ago I even changed the ISP, who gives IPs of a different range than the one before, but dynamic IPs as well. If they would go by your suggestion I would be declared a thief. Very funny ...
Every organisation rests upon a mountain of secrets ~ Julian Assange
Also, please note that some people might choose to download from more than one place -- such as both at work and at home. This will generate different IP's on the same account.
also take into account firms that use NAT addressing. coupla years ago I had someone in my area constantly fluffing their renderosity password and locking the whole of Leeds out. the response from the admins here showed a clear lack of understanding of the problem since they insisted it could work the way it was working.. that they were locking an individual IP and not a router... I find it very interesting the continued denial by the admins that there is a problem. to put it bluntly, their system is not secure. yet they stick their heads in the sand and go "la la la I'm not listening!!"
If hackers can semi-regularly crack into data bases from major financial institutions, and then steal literally millions of files of detailed personal information......or if they can grab data from the FBI's or the Pentagon's servers.........
.....I wouldn't make book on any website being 100% "hacker-proof".
Well, that's a couple of days now, and no response from Renderosity. Have they at least contacted the original poster?
This is probably the sort of matter that the admins are not likely to talk about in public.
I wouldn't if I were them. No matter what they said, someone(s) would loudly condemn them for saying it. So, they'll probably just wait for this thread to fade away in a day or two (the threads always fade eventually - as does the thing that spawned them). Or perhaps they'll simply delete this thread.
Either way, the admins won't air "private matters" in public. Doing so would be a bad idea all of the way around.
They no longer announce that "so-and-so has been banned". And that used to be SOP.
So I wouldn't look for any detailed explanations to be posted in this space.
well, according to an IM i got, because I started this thread even though I'm not really involved, the issue is being addressed. It will be interesting to hear if anything else was being done ...
Humankind has not woven the web of life. We are but one thread within it.
Whatever we do to the web, we do to ourselves. All things are bound together.
All things connect......Chief Seattle, 1854
Dudes, relax. I've made many purchases from Renderosity and had no trouble. I'm a "white hat", a former hacker who goes after other hackers. (Note to black hats: this email is from a one-off anonymous account, posted through a reflection server I set up someone's PC.) I'm not going to give "how to steal from Renderosity" tips. I can tell you it's likely that the person complaining is running probably Windows without all the current patches, a proper firewall, and unwittingly running spyware on their PC. As mentioned by another, XP service pack 2 will help prevent most spyware. There are numerous commercially available spyware prevention software sold in any computer store. Anti-virus software alone is not enough. I've seen estimates that 1 in 3 PC's have some form of spyware running on it. I think this estimate's a bit high, and it depends on what you call spyware; e.g. tracking cookies. So before you vent on the web masters, take a look in the mirror. If you use Microsoft, patch, patch like the wind!
Someone from a list I frequent was concerned, and rightly so, about someone getting into her account and downloading items. This has happened to me in the past as well, and I know from many times this has happened to other folks. Now she may have gotten a bit too upset or whatever, but emails were sent to the merchants to warn them of what has happened to their products...with the intention of getting them to mention this problem to renderosity admin. You would assume the merchants would be concerned if their products were being stolen. She also wrote to Rendo admin...and had a less than pleasant email back from --- name withheld. The feedback she got from rendo admin is simply mindboggling. She was told to quit spamming the merchants, and she was reprimanded for disrupting the site and would be banned if it continued. There was more. Now perhaps this individual got a bit carried away... however, as a merchant, you should be happy somebody gives a shit about you...and so should rendo. I know if I presume someone is stealing from my account, quite frankly, you won't hear about it. This is one lame-ass attitude to have, no matter what the deal. This used to be a community. I've been a member here basically since day 1.... I can't believe what has happened to this place. And I know someone will chime in with the love it or leave it deal...they always do....
Humankind has not woven the web of life. We are but one thread within it.
Whatever we do to the web, we do to ourselves. All things are bound together.
All things connect......Chief Seattle, 1854