Information Security News mailing list archives

FC: Amazon UK retaliates after author exposes security flaw (Fwd)


From: William Knowles <wk () C4I ORG>
Date: Fri, 11 Aug 2000 04:16:39 -0500

---------- Forwarded message ----------
Date: Thu, 10 Aug 2000 15:45:53 -0400
From: Declan McCullagh <declan () well com>
To: politech () politechbot com
Cc: carthur () independent co uk
Subject: FC: Amazon UK retaliates after author exposes security flaw

**********

Date: Wed, 9 Aug 2000 15:19:12 +0100
To: [snip], declan () well com
From: "Charles Arthur, The Independent" <carthur () independent co uk>
Subject: Amazon UK gets heavy with innocent author

Folks..

I filed this for my paper but for various reasons it apparently didn't
appear. (Perhaps appeared in 1st edition - of 4 - and then fell out.)
Anyway, for your interest.

The Register is at http://www.theregister.co.uk/ and you can find Matt
Thorne's books by searching at http://www.amazon.co.uk/ . I did do a
piece about people faking on the US website, which is at
http://www.independent.co.uk/news/Digital/Update/2000-08/writer020800.shtml

At the time, Amazon UK refused to say what their "security" was
against people faking being an author. Obviously, they don't have one.
But they get really pissed off when people point that out.

I pointed out to Steve Frazier, MD of Amazon (a former Wall Street
Journal writer, MBA, and stuff like that) that security through obscurity
doesn't work. He professed not to know what I was talking about.

        Charles
----------------------------------


BY CHARLES ARTHUR
Technology Editor

The internet bookshop, Amazon UK, which invites authors to post
comments about their own books has tightened its security after an
impostor posed as an author and posted comments on the web site.

The comment was posted without the real author's agent or publisher
being consulted. The deception was sanctioned by the real author, who
gave his permission for the experiment to reveal the weaknesses in
Amazon's security. Yesterday however Amazon appeared to be punishing
the author by stripping its site of book covers and even readers'
comments about his books. The fact that the online bookseller's
Website is open to deception came less than a week after an Amazon UK
spokeswoman had insisted that masquerading as an author to post
comments visible to any casual surfer was not possible because of the
company's "security procedures" - though she would not specify them.

Such faking on the American website, Amazon.com, had infuriated a
number of British authors, including John Christopher, the science
fiction author, and the children's author Philip Pullman. The faked
comments were often badly spelt and had grammatical errors - but
apparently were not checked before being shown off to millions of
people. Amazon's Website invites anyone who has bought a book, record
or video which it offers to add their comments and a rating on the
site, as a guide for future shoppers.

It also offers the chance for authors to post their own comments about
their work - and it is this which has been abused in the US and now
the UK. Security against such faking at Amazon US or UK to prevent
faked comments appearing seems to be minimal. Anyone trying to post a
comment as an author is simply asked "Are you really the author?" but
not required to provide any identifying information such as a
publisher's or agent's contact. The fake comment was posted by Robert
Blincoe, a journalist with the online newspaper The Register, who is a
friend of the author Matt Thorne, author of three books. The most
recent is "Dreaming Of Strangers." Mr Blincoe set up a free email
account and posted comments from it last Friday. They appeared on the
site on Saturday, even though Amazon made no contact with anyone
connected with the book. They were however removed on Monday when
Amazon was asked about the lack of checks.

Steve Frazier, managing director of Amazon UK, yesterday dismissed the
fake posting as a "parlour trick". He said Amazon UK has thousands of
comments written by authors. "This comment seems to me to have been
consistent with what the author would say, except it wasn't published
by him," he said. But he said Amazon UK would "ratchet up" its
security checks on author postings. But Amazon subsequently felt it
was necessary to check the provenance of every comment associated with
Mr Thorne's books - even those posted by Web surfers - as well as the
front covers of two of the three books. Amazon's own reviews of the
books were also apparently suspect, as those too were removed. Other
authors' comments, and reader comments, were left untouched. "We took
the decision to review all of the materials relating to [Mr Thorne's]
titles on Amazon.co.uk," said a spokeswoman. "He is sending us author
reviews for all his titles". Speaking on Monday, Mr Thorne said he was
"surprised by how easy it was for him to do that."

He added, "The idea that people could put up bogus writer information
is worrying. People might start emailing that person, and carry on a
whole conversation with someone who is completely fake." In a
statement, Amazon said: "Amazon.co.uk has always believed that our
author's comments section, along with customer comments and publisher
comments, has provided a unique forum for discussion between our
various audiences. In general, the honour system upon which it
operates has been observed."

------

  -------------------------------------------------------------------
The Independent newspaper on the Web: http://www.independent.co.uk/
         It's even better on paper
Live in the US? Get a new worldview: http://www.independenceavenue.com
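The article describes the check Amazon applied to "author's comments" as a single self-attestation prompt ("Are you really the author?") with no verification against the publisher or agent of record. The following Python sketch is an added illustration, not Amazon's code and not anything the article attributes to them: it models that honour-system check next to a hypothetical out-of-band flow in which a one-time token is sent only to the contact address on record for the title, so a claim made from a throwaway free email account cannot be completed by the claimant alone. The catalogue, the email addresses and the whole verification flow are assumptions made for the example.

```python
"""Self-attested author claims versus an out-of-band check.

Added example (not Amazon's code). The catalogue, addresses and flow below
are constructed for illustration.
"""
from __future__ import annotations

import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Constructed catalogue (hypothetical): title -> contact address on record
# with the publisher or agent. A real system would take this from the
# rights/bibliographic feed, never from the person making the claim.
CATALOGUE = {
    "Dreaming Of Strangers": "rights@publisher.example",
}


def honour_system_post(title: str, really_author: bool) -> bool:
    """The check as the article describes it: answering 'yes' to
    'Are you really the author?' is sufficient. Nothing ties the claim
    to the person who actually wrote the book."""
    return title in CATALOGUE and really_author


@dataclass
class Notice:
    """What the publisher contact receives; the claimant never sees the token."""
    title: str
    claimant: str
    token: str


class OutOfBandAuthorCheck:
    """Hypothetical hardened flow: a one-time token goes to the contact on
    record for the title. Only someone who can read that mailbox (or whom
    the publisher chooses to forward it to) can complete the posting."""

    def __init__(self) -> None:
        self._pending = {}                 # token -> (title, claimant)
        self.approved = []                 # [(title, claimant)]
        self.mailboxes = defaultdict(list) # address -> [Notice] (stands in for email)

    def request(self, title: str, claimant: str) -> None:
        """Record the claim and notify the publisher contact, not the claimant."""
        contact = CATALOGUE[title]         # KeyError: not a title in the catalogue
        token = secrets.token_urlsafe(24)  # 192 bits, unguessable
        self._pending[token] = (title, claimant)
        self.mailboxes[contact].append(Notice(title, claimant, token))

    def confirm(self, token: str) -> bool:
        """Complete a claim. Tokens are single-use; comparison is constant-time
        so a probing client learns nothing from response timing."""
        for known, (title, claimant) in list(self._pending.items()):
            if hmac.compare_digest(known, token):
                del self._pending[known]
                self.approved.append((title, claimant))
                return True
        return False


def demo() -> dict:
    """Run both flows against the same title and report the outcomes."""
    title = "Dreaming Of Strangers"
    impostor = "author.impersonator@freemail.example"   # constructed
    genuine_author = "author@publisher.example"         # constructed

    # Honour system: a free email account plus 'yes' is accepted.
    weak_accepts = honour_system_post(title, really_author=True)

    chk = OutOfBandAuthorCheck()
    # Impostor files a claim. Nothing reaches their own address, and a
    # guessed token does not complete it.
    chk.request(title, impostor)
    impostor_notices = len(chk.mailboxes[impostor])
    impostor_guess = chk.confirm(secrets.token_urlsafe(24))

    # The publisher sees the impostor's notice and simply ignores it; the
    # genuine author's claim is the one the publisher confirms.
    chk.request(title, genuine_author)
    notice = next(n for n in chk.mailboxes[CATALOGUE[title]]
                  if n.claimant == genuine_author)
    genuine_confirmed = chk.confirm(notice.token)
    replay = chk.confirm(notice.token)   # single-use: second confirm fails

    return {
        "honour_system_accepts_anyone": weak_accepts,
        "impostor_notices": impostor_notices,
        "impostor_guess": impostor_guess,
        "genuine_confirmed": genuine_confirmed,
        "replay": replay,
        "approved": list(chk.approved),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is where the secret lands: in the honour system the only "secret" is the claimant's own answer, whereas in the out-of-band flow the token is delivered to a party the site already trusts for that title, so the claimant's choice of email provider is irrelevant. The unconfirmed impostor claim simply expires in `_pending`; a production system would also notify the contact that an unrecognised claim was attempted.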

ISN is hosted by SecurityFocus.com