CNR exposing 'hidden' email addresses.

[PGTips91]

I have very recently discovered, much to my surprise, that the CNR web site is exposing not a few email addresses that the owners may believe, wrongly, that they are 'hidden'. I found this out while doing a Google search on my forum alias and noticed my full email address being shown to the world at CNR.com.

I have notified Customer Support, the CNR Community and am bringing it up here too as many will not be reading the CNR Forums very frequently.

You can see the problem yourself if you visit : --
http://community.cnr.com/people

Paul

[revhouse1]

Um.... Paul...
the email address is shown in a google search, because you used your email address as your cnr forum user ID when you registered.

tom

[S3Indiana]

Quote:

Originally Posted by PGTips91

I have very recently discovered, much to my surprise, that the CNR web site is exposing not a few email addresses that the owners may believe, wrongly, that they are 'hidden'. I found this out while doing a Google search on my forum alias and noticed my full email address being shown to the world at CNR.com.

I have notified Customer Support, the CNR Community and am bringing it up here too as many will not be reading the CNR Forums very frequently.

You can see the problem yourself if you visit : --
http://community.cnr.com/people

Your email is hidden, but your email address is your username, so just modify your username (duplicate post)...

[PGTips91]

Quote:

Originally Posted by revhouse1

Um.... Paul...
the email address is shown in a google search, because you used your email address as your cnr forum user ID when you registered.

tom

Yes, Tom, I see that now, but I can be forgiven for thinking that when I am asked for my email address in a form, that is what I should enter. Looking at the form as it is now I can see no way that I would have entered my email address as my 'User Name' and am convinced that the form has been altered since I first registered.

By the way, there are quite a number of others who have fallen into the same trap. I can't help but think that there is a common cause that is not related to a lack of common sense. I, for one, have been very vigilant about protecting my email address for many years and would never consciously reveal it the way that has happened at CNR.com. That is why I reacted so swiftly and strongly when I made the discovery.

Quote:

Originally Posted by S3Indiana

Your email is hidden, but your email address is your username, so just modify your username (duplicate post)...

Thank you Ken, you are helpful as always. I had looked for but not found a way to modify that field. It is not usually possible to change such a primary field and the fact that it can be so easily changed increases my suspician that there was a fault in the original form design whereby I, and many others, were fooled into revealing our email addresses to the world.

Paul

[PGTips91]

I might add that I am having lots of problems on the CNR.com web site and will be creating an album on Picasaweb documenting this and the original problem.

It now seems to me that the problem has arisen due to the migration of data from the old CNR Warehouse to CNR.com and the transfer of my email address as the secure ID.

Even after changing my ID at the CNR Community, my CNR.com ID is still the same and will still be shown to the world via Google.

I stick to what I orignially said, this is a problem of design and CNR needs to fix it, fast.

Quote:

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

* This problem can sometimes be caused by disabling or refusing to accept cookies.

... when trying to log out.

Quote:

• Name: PGTips91
• Email: paul*******91@gmail.com (Private: hidden to everyone) [edited by me]
• Member Since: Apr 7, 2008
• Status Level:
• Distribution: Linspire

... my current data at : --

Code:

http://community.cnr.com/people/paul*******91%40gmail.com?view=profile

[edited by me]

Paul

[DrHu]

Quote:

Originally Posted by PGTips91

Even after changing my ID at the CNR Community, my CNR.com ID is still the same and will still be shown to the world via Google.

query is your name PGTips91
You live forever in cyberspace..
--you mean that search, an email appears in one entry, possibly it will just be easier to create another email address and redirect your emails..
--cnr probably can't do anything about data that is already out there

Google tends to block email name searches., they have been made aware of the issue of identity theft.

Unfortunately banks and other institutions see fit to plaster NAD (Name & Address) data everywhere they go..as well as lose that data via third parties or themselves
--I don't think they perceive that as being personal information.
http://news.scotsman.com/latestnews/...ter.4428760.jp

[zoic]

Quote:

Originally Posted by PGTips91

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

* This problem can sometimes be caused by disabling or refusing to accept cookies

I had that problem going on awhile ago, at Yahoo. I decided rather than wasting a lot of time on it after reading many web articles about various procedures to fix it, that I would solve it the easy way.

In the location bar of Firefox, type in

Code:

about:config

then search for redirection. Once you locate it (network.http.redirection-limit), change the default value from 20 to 100. Perhaps overkill, but why waste time trying many lower #'s when I have confirmed 100 works flawlessly.

[S3Indiana]

Quote:

Originally Posted by PGTips91

... my current data at : --

Code:

http://community.cnr.com/people/paul*******91%40gmail.com?view=profile

There are two databases that synchronize (doesn't happen instantaneously), but now the data appears to be updated (http://community.cnr.com/people/PGTips91)...

[PGTips91]

Quote:

Originally Posted by DrHu

query is your name PGTips91
You live forever in cyberspace..
--you mean that search, an email appears in one entry, possibly it will just be easier to create another email address and redirect your emails..
--cnr probably can't do anything about data that is already out there

Google tends to block email name searches., they have been made aware of the issue of identity theft.

Unfortunately banks and other institutions see fit to plaster NAD (Name & Address) data everywhere they go..as well as lose that data via third parties or themselves
--I don't think they perceive that as being personal information.
http://news.scotsman.com/latestnews/...ter.4428760.jp

Hi DrHu,

Google must do a very good job of filtering out SPAM. In spite of my address being 'out there' in the wild, I only get the odd SPAM email, all of which are in Chinese characters and filtered to my SPAM folder any way. Even those have fallen off to virtually nothing, now, so maybe the Chinese know that I'm on to them!

I have never ever seen a SPAM email in my Gmail 'In Box'. Most remarkable.

I'll probably just keep on with what I've got for the present. I have other addresses that I can use for more secure purposes, such as at Safe-mail. I would never give that address out to anyone without some security being in place, so that one should be good for the duration.

I think that I will just delete my account with CNR.com and hope that time will bury the information deep enough in cyberspace that the Spammers won't go looking for it any more. That, or just rely on Gmail to filter the SPAM out as they are doing.

BTW your news-link is no longer working.

[DrHu]

Quote:

Originally Posted by PGTips91

BTW your news-link is no longer working.

If you mean the scotsman news link, it does work for me when I click-it..

I used to use hushmail
http://www.hushmail.com/
--but I forgot my password once, and couldn't into my email data again..

I forget the name was? ..
Somebody mentioned a free emailer service for Linux on these forums at some point, which used oss security programs, eg ssl
--I did look it up at the time, and they provided a comparison with gmail, which had all the boxes ticked except for secure session, login-to-logout..

[PGTips91]

Quote:

Originally Posted by DrHu

If you mean the scotsman news link, it does work for me when I click-it..

I was taken to an error page saying that the article could not be found, more than once.

Quote:

I used to use hushmail
http://www.hushmail.com/
--but I forgot my password once, and couldn't into my email data again..

Most services have a way of resetting your password - some question you personally set or some way of verifying your identity. Better still would be a thumb drive with a finger-print reader that offers your passwords as needed, for those on the move.

Quote:

I forget the name was? ..
Somebody mentioned a free emailer service for Linux on these forums at some point, which used oss security programs, eg ssl
--I did look it up at the time, and they provided a comparison with gmail, which had all the boxes ticked except for secure session, login-to-logout..

As to secure sessions with Gmail, if you type 'https://mail.google.com/mail/' into the browser, you stay in a secure session the whole time. BTW Google runs on Linux afaik!

[S3Indiana]

Quote:

Originally Posted by PGTips91

I think that I will just delete my account with CNR.com and hope that time will bury the information deep enough in cyberspace that the Spammers won't go looking for it any more. That, or just rely on Gmail to filter the SPAM out as they are doing.

Disabling your account will result in losing access to both CNR and Linspire servers due to the shared database (used to Sign-in both systems). Once the changes have been made, then there's no history on the *spire servers of the previous username (IOW it doesn't resolve anything to disable the account). Hope this clarifies...

[LioNiNoiL]

Quote:

Originally Posted by S3Indiana

Your email is hidden, but your email address is your username

So it's not really hidden, is it?
We should note the following: back in the Lindows days, our e-mail addresses were required for login, and when the Lindows name was bought off by Micro$oft (for $20_million) those e-mail addresses were imported without notice to the CNR.com site and put on display for all to see (whose st00pid idea was that??) -- so it's hardly surprising that many former Lindows users (like me) have still not changed their usernames.

[PGTips91]

Quote:

Originally Posted by S3Indiana

Disabling your account will result in losing access to both CNR and Linspire servers due to the shared database (used to Sign-in both systems). Once the changes have been made, then there's no history on the *spire servers of the previous username (IOW it doesn't resolve anything to disable the account). Hope this clarifies...

Yes, that's true. However I have my doubts about the value of CNR.com.

For instance, today, just for experimentation purposes, I logged in to CNR.com. I noticed LPhoto, which I used in Linspire but haven't had in Klikit-Linux and decided to install it from CNR.com. I located the Kubuntu version, downloaded the .deb file, and started to install it with Gdebi. This told me that it was available from the Kubuntu repositories and recommended that I install it from there. So, what need is there of CNR.com?

Besides, I cannot reliably even log in and out of CNR.com at present, getting all sorts of strange error messages. My interest in it is achademic only.

Also, I tried enabling the Freespire apt repostiories and got errors that broke everything. Had to go into root-user mode, edit /etc/apt/sources.list

Code:

# deb http://apt2.freespire.org/ feisty main
# deb http://apt2.freespire.org/feisty Release.gpg

to get things back on track.

Quote:

Originally Posted by LioNiNoiL

So it's not really hidden, is it?
We should note the following: back in the Lindows days, our e-mail addresses were required for login, and when the Lindows name was bought off by Micro$oft (for $20_million) those e-mail addresses were imported without notice to the CNR.com site and put on display for all to see (whose st00pid idea was that??) -- so it's hardly surprising that many former Lindows users (like me) have still not changed their usernames.

That is the conclusion that I have come to. I know that I am not so stupid as to set my user name to my email address deliberately. It did happen once, I can't remember on what service, and I left no stone unturned until I had got it corrected.

When I first got my Gmail account I had no SPAM at all. Then it started, mainly in Chinese characters. I cannot prove it but my guess would be that this started soon after the transfer of data from CNR Warehouse, which was a secure web site, to CNR.com, which was open to the web crawlers [and the Spammers]. Brilliant design by somebody, NOT!

Conclusions.

• I'm not impressed with CNR.com doing this to us.
• I'm unimpressed with CNR.com full-stop.
• I've changed my log-in ID so as to no longer disclose my email address.
• I'll live with the consequenses of the past lapses of security.
• Gmail does a very good job of handling SPAM. Down to less than one per day at present and always filtered out of my 'In Box'.
• Everyone who still has their ID set to their email address needs to be notified so that they can correct this, if they wish. Expecting them to come to these forums and find out here is unrealistic. Most never will.

I'm done here. Nothing more to add, afaik.

[S3Indiana]

Quote:

Originally Posted by LioNiNoiL

We should note the following: back in the Lindows days, our e-mail addresses were required for login, and when the Lindows name was bought off by Micro$oft (for $20_million) those e-mail addresses were imported without notice to the CNR.com site and put on display for all to see (whose st00pid idea was that??) -- so it's hardly surprising that many former Lindows users (like me) have still not changed their usernames.

In reality (posted previously) the same database is used for both CNR and Linspire, so to be fair nothing was imported w/o notice...

[LioNiNoiL]

Quote:

Originally Posted by S3Indiana

In reality (posted previously) the same database is used for both CNR and Linspire, so to be fair nothing was imported w/o notice...

If you're trying to tell me the old Lindows database was not imported without notice to the CNR/Linspire sites for display, then you're wrong.

[RevJack]

Ummm...Ken worked for Linspire, so he ought to know.

[DrHu]

Quote:

Originally Posted by PGTips91

As to secure sessions with Gmail, if you type 'https://mail.google.com/mail/' into the browser, you stay in a secure session the whole time. BTW Google runs on Linux afaik!

By secure hushmail means encrypted within that session, as did that Linux email application (name which I forgot)

That is not usually the case for an https session on a commercial site, which is only related to the login name
--they do want their advertisers to find you, as well as themselves
http://www.hackszine.com/blog/archiv...o_prevent.html
http://blog.wired.com/27bstroke6/200...https-doe.html

Of course one can always use PGP to encrypt email messages..

For the trusting or non-paranoid types, then the https session is enough protection

[DrHu]

Quote:

Originally Posted by PGTips91

* Everyone who still has their ID set to their email address needs to be notified so that they can correct this, if they wish. Expecting them to come to these forums and find out here is unrealistic. Most never will.

I'm done here. Nothing more to add, afaik.

Everyone who still has their ID set to their email address needs to be notified so that they can correct this, if they wish
That's a good idea, but given resources probably wont happen, and it would increase the workload to fix accounts names..
--I do remember that Freespire , also wanted or indicated that an email address was needed to get an account (like Linspire, guessing!), and as such was an abhorrent security lapse, and I think I also fell into the trap of making my account my email address, at one time..

But really no more of a lapse than everyone you meet in a business relationship, like employment agencies, HMO or even employers taking the lazy step of using your sin or part of it in their databases for user accounts..
--again, they are just being lazy, we don't have to be. we can insist on correct security and data handling procedures

I personally think NAD (Name & Address) data is also a security risk
--and shouldn't be dispensed into the wild with abandon

Also when using a shipper, get them to remove the credit card data from the shipping forms
--the only item of data they should really need is your account # and name (nothing more), at least not for their external suppliers
--external suppliers should have extremely limited access to any customer data of the owner of that data. unfortunately many companies are lax when it comes to this: their customer(s) data, news items reveal this problem continuously.

[DrHu]

Quote:

Originally Posted by S3Indiana

In reality (posted previously) the same database is used for both CNR and Linspire, so to be fair nothing was imported w/o notice...

the same database is used for both CNR and Linspire, so to be fair nothing was imported w/o notice...
That's just sophistry
As in, we have the data (we own the data), we can manipulate the data
--as the data author, you no longer own it once it has been created

Notice to the customer (creator of the said data) is what is missing there!. Although one could assume it, even without knowing that cnr & Linspire used the same DB: their customer accounts !

But then, I doubt many people are that worried that both Linspire, the company and cnr ( Linspire service) have access to the user's data
Google and the usual suspects do it all the time

The cross-bundling of user data is a problem that privacy advocates are well aware of.
--and trying to prevent..

[S3Indiana]

Thx. RevJack...

Quote:

Originally Posted by LioNiNoiL

If you're trying to tell me the old Lindows database was not imported without notice to the CNR/Linspire sites for display, then you're wrong.

Unless you have another credible source; there has been one main database (that originally supported Lindows.com) currently supporting Linspire and CNR.com (but Yes the fields were modified where the Sign-in email address turned into a username)...

[S3Indiana]

Quote:

Originally Posted by DrHu

As in, we have the data (we own the data), we can manipulate the data --as the data author, you no longer own it once it has been created

The data has always been available to the account holder for modification and correction...

Quote:

Originally Posted by DrHu

Notice to the customer (creator of the said data) is what is missing there!. Although one could assume it, even without knowing that cnr & Linspire used the same DB: their customer accounts ! But then, I doubt many people are that worried that both Linspire, the company and cnr ( Linspire service) have access to the user's data Google and the usual suspects do it all the time The cross-bundling of user data is a problem that privacy advocates are well aware of. --and trying to prevent..

It would've made it difficult to access software that was purchased if a common database wasn't used after the separation of Linspire OS and CNR.com (Note: agree that notification could've been handled better)...

[DrHu]

Quote:

Originally Posted by S3Indiana

The data has always been available to the account holder for modification and correction..

Again that is a misreading of the question, access by the profile author (user account holder) wasn't the issue presented, only the control of it (the data)

The data has always been available to the account holder for modification and correction..
I don't disagree with you about that, it is just the answer in #15 ..to be fair
--is simply a legalistic (corporate-speak) way of saying, sorry no can help you, let me repeat it for your ears, as I think you may have misunderstood the first replay.
Sorry, no can help you..

Of course I understand the position you take, that you can only explain the rules, not the reasons; especially if you cannot agree or accept that position, from the account author.
--I also understand that it is a service you (the company) is providing, and there are no guarantees of a lifetime membership.

That process (the repeating rulebook explanation) is the well-worn practice of any business.
--I don't specifically object to your use of it, I see it often enough..

And once repeated a few times, an impasse is reached and the user feels slighted. Oh well such is life in a consumer society

[PGTips91]

Well I said that I had finished here, but, since there is an ongoing problem and there is an on-going attempt to white-wash the problem, I will come back in again.

This morning, in response to an email from the new owners of CNR.com stating that they believed the problem to have been fixed but asking me to confirm this, I went through the on-line database of members who have registered since 1st August 2008, which I at first thought was about 10% of those in the database, and found that 20% of those have their email addresses exposed - 60 out of 300 checked. That would translate to approximately 500 in total affected.

Interestingly enough, I tried to go to the last shown '285th' page, found nothing, and worked by dividing the gap until I found the earliest members listed : --

2521 - 2523. The other pages up to 285 are empty so I don't know why they are shown as available. The oldest members listed are : --

Quote:

Username Name Email Registered Status Level http://forum.cnr.com/people/S3Indian.../22.png?a=1049
S3Indiana S3Indiana (Hidden) Nov 26, 2007
Location : Sorrento Hills, CA | Biography : Aviator, IT, then Linux... | Expertise : Community | Distribution : Freespire
http://forum.cnr.com/people/Ariel22/avatar/22.png?a=-1
Ariel22 Ariel22 (Hidden) Nov 19, 2007
N/A
http://forum.cnr.com/people/Dr.Jones.../22.png?a=1023
Dr.Jones Dr.Jones (Hidden) Nov 15, 2007

Funny that the same Dr.Jones, aka S3Indiana, is now trying to make excuses for this lapes of security.

A search on my own Identity throws up another anomaly : --

Quote:

Username Name Email Registered Status Level http://forum.cnr.com/people/pgtips91...ar/22.png?a=-1
pgtips91) PGTips91 (Hidden) Aug 30, 2008
N/A
http://forum.cnr.com/people/PGTips91/avatar/22.png?a=-1
PGTips91 PGTips91 (Hidden) Apr 7, 2008

Any way, the bottom line is that people are still signing up for the Forums at CNR.com with a user name that is their email address which is then broadcast to all the world via the search machines.

The latest, even yesterday, is

Code:

         
                                  http://forum.cnr.com/people/#####%40apexenergetics.com/avatar/22.png?a=-1                  
              #####@apexenergetics.com                                    #####@apexenergetics.com                     (Hidden)                              Sep 9, 2008         

So the person who last registered, shown as ##### to maintain their privacy, was taken in by the registration procedure and allowed their email address, though (Hidden), to be inadvertently disclosed to the entire world!

Does nobody else worry about this situation or think that something needs to be done about it urgently?

[DrHu]

Quote:

Originally Posted by PGTips91

So the person who last registered, shown as ##### to maintain their privacy, was taken in by the registration procedure and allowed their email address, though (Hidden), to be inadvertently disclosed to the entire world!

Does nobody else worry about this situation or think that something needs to be done about it urgently?

Does nobody else worry about this situation or think that something needs to be done about it urgently?
Not on this forum, which seems fairly benign..
No, because people should be using an alias for their forum name, not their real email name, even if that is also an alias..

If they inadvertently or just through laziness or convenience lapse into using real names on any sites they register with, that becomes a buyer beware issue

Now some forums do require you use an email name, which if they require that, you should have an alias email name, not a real one (your real name). Of course the forum owners can then simply cross-reference the email name and your name, which they may also require. I am thinking job search sites or job/employment sites or contracts
--the usual solution of having multiple email aliases with phony data in the email registration (gmail, yahoo, hotmail etc.), does not help much when such sites have the direct data from you on signup/registration..you also have to keep track of the phony data in case the password is changed..

So while I agree, it is a fundamental problem, but probably not much that any single individual can do anything about, as it is the business practice of such sites..

[revhouse1]

Quote:

Originally Posted by PGTips91

Does nobody else worry about this situation or think that something needs to be done about it urgently?

Look, the CNR.com site does not require you to use your email address as a user name. If peoples email addresses are showing up its because some,people are registering using thier email as their username. Perhaps not a bright thing to do, but they do it. just like some people do not use secure passwords, even using their username as a password. Not a bright thing to do, but people do it.
If you still think there's a problem right Xandros again.

tom

[JDoyle]

JD

[Bro.Tiag]

Quote:

Originally Posted by revhouse1

Look, the CNR.com site does not require you to use your email address as a user name. If peoples email addresses are showing up its because some,people are registering using thier email as their username. Perhaps not a bright thing to do, but they do it. just like some people do not use secure passwords, even using their username as a password. Not a bright thing to do, but people do it.
If you still think there's a problem right Xandros again.

tom

Actually, I think for some folk, like Paul here, they sighned up way before CnR was ever a public web sight. Back then ones e-mail addy was how one signed on to CnR. Linspire Inc & CNR.com have gone through so many changes/upgrades that it is very likely that e-mail's as user names from the old system became public. Remenber, when we all joined on @ cnr.com we had to use our e-mail addy's.

Cheers
ps - JD, I never registered on a form like that, Dr. Jones just told us to login.

[JDoyle]

Quote:

Originally Posted by Bro.Tiag

ps - JD, I never registered on a form like that, Dr. Jones just told us to login.

Very true. Existing CNR accounts at the time were migrated to the new cnr.com.
Paul stated:

Quote:

Any way, the bottom line is that people are still signing up for the Forums at CNR.com with a user name that is their email address which is then broadcast to all the world via the search machines.

Not so. The registration form for new sign-ups has a separate 'user name' field.

JD

[Bro.Tiag]

Quote:

Originally Posted by JDoyle

Very true. Existing CNR accounts at the time were migrated to the new cnr.com.
Paul stated:Not so. The registration form for new sign-ups has a separate 'user name' field.

JD

Truth be told, I didna read the whole thread. Sorry.

Cheers