Information Security News mailing list archives
FC: Amazon UK retaliates after author exposes security flaw (Fwd)
From: William Knowles <wk () C4I ORG>
Date: Fri, 11 Aug 2000 04:16:39 -0500
---------- Forwarded message ----------
Date: Thu, 10 Aug 2000 15:45:53 -0400
From: Declan McCullagh <declan () well com>
To: politech () politechbot com
Cc: carthur () independent co uk
Subject: FC: Amazon UK retaliates after author exposes security flaw

**********

Date: Wed, 9 Aug 2000 15:19:12 +0100
To: [snip], declan () well com
From: "Charles Arthur, The Independent" <carthur () independent co uk>
Subject: Amazon UK gets heavy with innocent author

Folks..

I filed this for my paper but for various reasons it apparently didn't appear. (Perhaps appeared in 1st edition - of 4 - and then fell out.) Anyway, for your interest.

The Register is at http://www.theregister.co.uk/ and you can find Matt Thorne's books by searching at http://www.amazon.co.uk/ .

I did do a piece about people faking on the US website, which is at http://www.independent.co.uk/news/Digital/Update/2000-08/writer020800.shtml

At the time, Amazon UK refused to say what their "security" was against people faking being an author. Obviously, they don't have one. But they get really pissed off when people point that out.

I pointed out to Steve Frazier, MD of Amazon (a former Wall Street Journal writer, MBA, and stuff like that) that security through obscurity doesn't work. He professed not to know what I was talking about.

Charles

----------------------------------

BY CHARLES ARTHUR
Technology Editor

The internet bookshop, Amazon UK, which invites authors to post comments about their own books has tightened its security after an impostor posed as an author and posted comments on the web site. The comment was posted without the real author's agent or publisher being consulted.

The deception was sanctioned by the real author, who gave his permission for the experiment to reveal the weaknesses in Amazon's security. Yesterday however Amazon appeared to be punishing the author by stripping its site of book covers and even readers' comments about his books.

The fact that the online bookseller's Website is open to deception came less than a week after an Amazon UK spokeswoman had insisted that masquerading as an author to post comments visible to any casual surfer was not possible because of the company's "security procedures" - though she would not specify them.

Such faking on the American website, Amazon.com, had infuriated a number of British authors, including John Christopher, the science fiction author, and the children's author Philip Pullman. The faked comments were often badly spelt and had grammatical errors - but apparently were not checked before being shown off to millions of people.

Amazon's Website invites anyone who has bought a book, record or video which it offers to add their comments and a rating on the site, as a guide for future shoppers. It also offers the chance for authors to post their own comments about their work - and it is this which has been abused in the US and now the UK.

Security against such faking at Amazon US or UK to prevent faked comments appearing seems to be minimal. Anyone trying to post a comment as an author is simply asked "Are you really the author?" but not required to provide any identifying information such as a publisher's or agent's contact.

The fake comment was posted by Robert Blincoe, a journalist with the online newspaper The Register, who is a friend of the author Matt Thorne, author of three books. The most recent is "Dreaming Of Strangers."

Mr Blincoe set up a free email account and posted comments from it last Friday. They appeared on the site on Saturday, even though Amazon made no contact with anyone connected with the book. They were however removed on Monday when Amazon was asked about the lack of checks.

Steve Frazier, managing director of Amazon UK, yesterday dismissed the fake posting as a "parlour trick". He said Amazon UK has thousands of comments written by authors.

"This comment seems to me to have been consistent with what the author would say, except it wasn't published by him," he said. But he said Amazon UK would "ratchet up" its security checks on author postings.

But Amazon subsequently felt it was necessary to check the provenance of every comment associated with Mr Thorne's books - even those posted by Web surfers - as well as the front covers of two of the three books. Amazon's own reviews of the books were also apparently suspect, as those too were removed. Other authors' comments, and reader comments, were left untouched.

"We took the decision to review all of the materials relating to [Mr Thorne's] titles on Amazon.co.uk," said a spokeswoman. "He is sending us author reviews for all his titles".

Speaking on Monday, Mr Thorne said he was "surprised by how easy it was for him to do that." He added, "The idea that people could put up bogus writer information is worrying. People might start emailing that person, and carry on a whole conversation with someone who is completely fake."

In a statement, Amazon said: "Amazon.co.uk has always believed that our author's comments section, along with customer comments and publisher comments, has provided an unique forum for discussion between our various audiences. In general, the honour system upon which it operates has been observed."

------

-------------------------------------------------------------------
The Independent newspaper on the Web: http://www.independent.co.uk/
It's even better on paper
Live in the US? Get a new worldview: http://www.independenceavenue.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".