IceTV is a provider of TV Electronic Program Guide (EPG) data in Australia, and I signed up years ago to try their services, but never ended up paying the monthly subscription fees. I’ve recently started receiving SPAM at an email address I’ve only ever provided to IceTV, so it’s fairly safe to say that their customer database has been hacked. The first thing I did when I realised they’d been hacked was to notify IceTV. So far, I’ve received an email stating “We take the security of our customer’s information very seriously.”

So, let’s test IceTV’s claim… do they take security seriously? My three pet security peeves for any organisation that stores my data are:

1. Storing my information insecurely, particularly passwords
2. Sending sensitive information in insecure ways (non-SSL, email, etc.)
3. Not giving me reasonable ways to protect my own data

1. Store customer information in the clear

So, I went to IceTV to try and log in and see what information they had about me. It’s been years, so I didn’t remember my password. That’s ok, they have a nice helpful password reminder option. Wait a minute… reminder? Don’t you mean, “reset”? Nope! They’ll simply tell you your password if you ask nicely.

But, don’t worry. Take a look at the tiny warning they give you – “Note: Member ID & password sent in plain text“. IceTV – why do you even KNOW my password?

Come on, IceTV! Haven’t you heard of hashing?

2. Send sensitive information insecurely

Storing passwords in plain text is bad enough, but then sending them via email? Strike number two, IceTV.

The email they send me helpfully says “Please use the following Member ID and Password to access IceTV’s services”, and then provides the password I used to sign up all those years ago.

3. Don’t allow users to have secure passwords.

So this was the final straw for me. I HATE websites that won’t let me use good passwords. There is never a good reason for it.

Alright, so I’ve figured out my password to IceTV (and so have the hackers, most likely), and while not a major concern, I did create this account back in a time when I wasn’t particularly good at making secure, unique passwords. IceTV had a password of mine that I had dedicated for “low risk” websites, but had still used for many other websites I’d also deemed to be “low risk”.

I now use LastPass to create and store my passwords, so I fired up the password generator, and created a nice secure password with upper and lowercase characters, digits and special characters.

Of course, I should have guessed. If IceTV aren’t hashing passwords, then they probably would have difficulty storing certain special characters. Trying to run something like:

INSERT INTO users (username, password) values ('myusername','mY;p@ssw'ord');

might send their SQL server into meltdown. Perhaps I should have tried a password containing “; drop table users;” just to see what happened?

Well, I was nice, and didn’t try to get up to any mischief. I simply generated a new password without special characters. Seriously, though, there is NO reason to prevent a user from selecting a good, secure password. If the password is hashed correctly (and, preferably salted), then all you’ll be storing in your database is a string of numbers and letters.

Did IceTV pass?

In a word, no. In two words, hell no! Protecting a website from vulnerabilities which may allow an attacker access to customer data is, admittedly, difficult. Even big IT security companies get hacked, and they (we would assume) actually do take security seriously, and should have some idea how to do it right. Good security doesn’t just happen, it takes time and effort, and most importantly requires a particular mindset. If your developers are only thinking about getting things to work, or aren’t given time to consider security, then I can almost guarantee that it’s just not happening.

I suppose it really should be no surprise, then, that IceTV’s customer database got hacked in the first place. Good thing they never had my credit card number…

Apparently, my Facebook account is being hacked by time travelers.

Interestingly, according to Amazon (well, according to Google’s index of Amazon), an Australian English dictionary is funny. Sure, we may have some strange words, but surely our dictionaries don’t deserve to be filed under “Humour”?!?

Hopefully now you won’t get the widget title displaying twice! As for the other issues Zer0 mentioned (i.e., that you can only get the most popular 10 items without modifying the plugin), I don’t have any immediate plans to change that, but it’s not hard to change – just look for the line “<?php akpc_most_popular(); ?>“and add whatever you like in the brackets! (obviously you need to know how akpc_most_popular works, but that’s more Alex King’s department…

As usual, visit the project page for more info, or to download the plugin.

Of course, as anyone who’s used Google Reader knows, it lacked the one thing Google has always been known to do well – that is, search! I tried various Greasemonkey scripts, but was never happy with any of them.  But now, finally GOOGLE READER HAS SEARCH!

All I can say is, … about bloody time!

View the project page for more info or to download it.

“Now Reading” is an expansive WordPress plugin which allows you to maintain a virtual library of books. If you use Google Sitemaps, however, you might miss out on all those books being included in the sitemap.xml file it generates.

View the project page for more info or to download it.

This site has just been a quick-and-dirty wordpress install, but I’ll have a play around with it when I get the time to make it a little more like home.

Welcome, to sobriquet Tech!

Brad seems to have made all the changes that I had (including linking directly to the coppermine page, rather than a popup window) and has added a number of other new features!

You can check out Brad’s update to this plugin at 55 Rue Plumet. So, until I find something that needs tweaking in Brad’s version, I think I’ll be quite happy to continue using his!

Changes I’ve made:

• Modified tag names so it plays nicely with Markdown
• Changed links to images, linking directly to the coppermine album, rather than a custom popup window.
• Fixed bug where commas after the cpg album tag would interfere with the plugin.
• Added option to only display JPG files (can be customised to other file types)

Download from the WP Coppermine Plugin Project page.