Major problem with AS and ZoneAlarm

No-one at AS is taking this seriously. It is a major security oversight, yet they are pretending it does not happen.

Have you emailed http://support.auctionsniper.com/ ?

Mrs.M

I thought that's what this forum is supposed to be for. Quoted from the header on the pevious page:

"The best place to get your questions answered. Post any issues here and get answers both from Auction Sniper support and from other Auction Sniper users!"

Kinda says it all, eh?

Please note the part where it says "Post any issues here and get answers both from Auction Sniper support..."

I'm still waiting for an answer.

I really think this is a serious enough issue that it deserves to be answered in a public way.

If this is truly happening, and not just a fluke of an over-protective ZoneAlarm I think every AS user needs to be aware of it and concerned about the possible problems that can ensue from theft of their passwords. The AS people are in the best position to make a statement on this and I feel they should do so post haste. If it does exist, they should advise their users to stop using the system until they can fix it or supply a workaround, and if it doesn't truly exist then they should say so with an explanation of what's actually causing the warnings. But to just ignore the complaints does a disservice to the people who pay them them good money for a service that's supposed to be secure. If the problem truly exists and as a result people are hurt financially by having their passwords stolen, then no amount of contrition on their part will be useful or helpful. The damage to their reputation will be tremendous. It's kind of like politicians and public oficials who lie. Once they're found out, no one ever believes them again. On the other hand, those that come clean in the beginning may lose some support for a while, but people generally forgive them for their mistakes and give them another chance. Businesses in general, and
AS in particular, need to be aware of how much time and effort goes into building a reputation of honesty and integrity (which I think they have to this point), and how fast it can all come apart when they don't do the right thing. I'm not saying that AS is trying to avoid a known problem because it might hurt their bottom line, but they, on the other hand, are not giving any indication that the opposite is true, and I think it's imcumbent upon them to do so as soon as they're aware of a problem that could hurt their customers.

As I said, I'm still waiting for an answer...

Gary

Last Bidder, you misunderstood me. I did not say not to post your question here, but asked if you had sent anything to support. They are NOT here! This forum is for people like you and I to post and help each other when possible. (It is maintainted by Infopop.) Sometimes we can, sometimes it is too tech and support needs to step in. Sara from A S does come in fairly regularly, but not on any kind of time schedule.

Mrs.M,

Thanks for your reply. I am in the process of sending them copies of my posts right now.

However, I think that if they are not going to monitor and respond to posts in this forum daily then the line about this forum being "The best place to get your questions answered. Post any issues here and get answers both from Auction Sniper support and from other Auction Sniper users!" should me modified to read "The best place to get your questions answered by other AS users. AS Support may visit this forum on an irregular basis but does not routinely answer concerns here." or words to that effect.

I was simply under the assumption that they did monitor this forum daily based on the wording of that header.

Still waiting for an answer...

Gary

You know that on you My Snipes page there is a place for suggestions? We have made many changes to the forum that way!

I found this in the archives that I thought you might like to read. Sara said:

quote:

---

posted March 12, 2004 09:16 AM
--------------------------------------------------------------------------------
Use the secure link on the bottom of the login box on the home tab.

Too many people were using every page on our site in secure mode which is not needed, and requires a huge amount of server resources, thus slowing the site down for everyone else.

---

This does rather look like a valid problem.
So why no response from AS?
Is it because AS support went on the pop last night to celebrate and are all still in bed with hangovers?
Is it because it would mean extensive re-programming?
Is it because they have no solution?
Is it because they are furiously devising a solution?
Is it because their lawyer said they could be sued for $2m and they shouldn't admit to anything?
Is it because these users are stupid and haven't ticked the right box?
Is it because these users are paranoid about their passwords?*
Or is it simply because Sara is ill?

*If somebody stole my password and bid $10,000 on a huge nude Garden Gnome, would I be liable anyway?

Just troublemaking - as usual.

(Doubtless some of you will give me a good kicking shortly - as usual!)

(Doubtless some of you will give me a good kicking shortly in response!)

Actually, I found it to thump the brain a bit! Hmmmmmmm..which is it??????????????

Mrs.M,

Sorry, and no disrespect meant, but this is not a suggestion or a request for
a new feature. This is a valid concern about a potentially serious threat to
my personal financial well-being!

This forum is listed on the AS home page on the second tab and when on the
forums page the AS Support Forum is the second one listed with the assurance,
again, that it is "The best place to get your questions answered." To my eyes,
this looks like the official Support Forum for Auction Sniper. Should that
then be changed to "The second best place to get your questions answered
as long as you don't want any official AS response"? I generally don't have
the time to go searching for alternate sources for help when it appears I
have the official one staring me in the face, nor do I feel I should have to.
If they're not going to monitor it and respond to concerns here, then they
should say so in the header along with a link to http://support.auctionsniper.com/

I still feel that this is an issue that they need to address in this forum ASAP.

Still waiting for an answer...

Gary

Mrs.M

I saw that and I tried the secure login. However when I click the login button
I just get a warning from windows that says:

"You are about to be redirected to a connection that is not secure.

The information you are sending to the current site (my user name and password) might
be retransmitted to a nonsecure site."

Besides, that only gets me to the main page. Anywhere I go from there starts
starts getting me the clear text passwords warnings again.

Back to square one...

Still waiting for an answer...

Gary

I was speaking of this!

quote:

---

However, I think that if they are not going to monitor and respond to posts in this forum daily then the line about this forum being "The best place to get your questions answered. Post any issues here and get answers both from Auction Sniper support and from other Auction Sniper users!" should me modified to read "The best place to get your questions answered by other AS users. AS Support may visit this forum on an irregular basis but does not routinely answer concerns here." or words to that effect.

---

At any rate YOU DESERVE AN ANSWER FROM A S!!!!

That's all I'm looking for

Thanks,

Gary

Support have told me that they occasionally view the forum but the only place to get stuff done is via the support pages. I agree - the heading on the Auction Sniper Support section of the forum is slightly misleading - perhaps it should be modified to point people at the AS Help page for 'serious' problems?

quote:

---

Mrs M said:
We have made many changes to the forum that way

---

I've tried to get lots of changes to the forum but none have been accepted. A few changes to AS have been made though!

R2

Turn off zone alarm. Then turn it back on after leaving our site. Otherwise click the thing 50 zillion times.

You get email? Everyone does. Password sent in the clear, has been for since day one. Dozens of years of plain text passwords sent billions of times a day. Is there a field in zone alarm for your email password? Do you honestly believe most people use different passwords for eBay as they do their email? So in 99% of cases the dumb zone alarm setting doesn't do jack crap since people use the same password anyways. The point being there are easier ways to get passwords.

eBays sign in page only began even using a secure page with in the past 18 months or so. Before then for 6+ years it was just a normal old login page.

Alternately take your eBay password and userId out of zone alarm for now. It's only there to keep morons from falling for those dumb hoax emails that people get. You wouldn't fall for one of those would you?

It's plain and simple. Dont give out your eBay password anywhere but on eBay or here. That's the only thing zone alarm is saving you from.

We will address this as time permits.

quote:

---

Originally posted by Sniper Sara B.:

You get email? Everyone does. Password sent in the clear, has been for since day one.

---

Secure authentication is now a common standard feature in most email clients and on most servers;
secure login is also becoming common, even on Yahoo, for example, and of course on eBay.

I must tell you that I refrained from registering at AS for six months, just because my browser indicated that AS did not even
seem able to construct a correctly secured "subscribe" page -- I don't write this as criticism, but just to indicate that there are people who take this issue seriously, and who will not become (or remain) customers if they are not convinced that the companies they deal with are being careful enough, because this "identity theft" thing is very damaging, if it ever happens to you.

Also, no matter what the past has been like, we now know that, for example, every Computer Science student here is probably monitoring network traffic and getting passwords -- one of our CS professors even tells us that he's got most of the passwords for everyone in our university, which impresses us with it being a good idea to close up any previously loose ends (as you know, Microsoft is smarting greatly from the perpetual embarrassment of their past, non-rigorous programming).

So I write to suggest that AS management simply keep it in mind to plug any loopholes, if there are any. I'm sure that AS doesn't deserve flames or heavy criticism, but at the same time, it's better not to respond so defensively.

Meanwhile, though I've been using AS for merely a couple of days, I can see that it is so well done; it's probably blowing away all competitors.

Don't lose your cool, Sara B; just take in any information that comes, appreciate the customers' concerns, and help AS to become even better.

Afer all, the only thing that could really be bad for AS (and its imitators) is if eBay were to fix its own fundamentally flawed auction and bidding rules, so as to eliminate the ability to snipe!
(and to allow a "max bid" to be lowered to the amount of a current bid) -- so just concentrate on making sure that eBay never does things right, which will perpetuate the need for AS to exist!

Peace be with you, and with all of us.

quote:

---

Originally posted by Sniper Sara B.:
Turn off zone alarm. Then turn it back on after leaving our site. Otherwise click the thing 50 zillion times.

[snip]

---

Rather than turning off zone alarm you could always get a program to automate the clicking "50 zillion times".

Here's a link to PTFB (Press-The-Freakin-Button) which, believe it or not, actually works quite well.

PTFB

Of-course, you'll also need to increase the size of your tool bar so you can see all those useful little programs sitting in the background... ;-)