LogMeIn.com Security/Data breach affecting many users – LogMeIn largely quiet

Today I found that, like many other LogMeIn.com (NASDAQ: LOGM) users (at least 6 pages worth on their support forums), I was the victim of a data breach. Somehow, the e-mail address I use to manage my LogMeIn.com account had been accessed by an unauthorized party, and used to send me spam e-mail.

Like many technology professionals, I use a variety of email technologies that allow me to create individualized e-mail addresses for specific services. Only the said service has knowledge of this email address. The address is not provided to any other service, or entered on any other website. Under most circumstances, I’m not even able to send email from these aliased addresses, so there are very, very few ways a spammer can get an address without a data breach.
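The per-service alias scheme described above can be checked mechanically. The following is an added example, not code from the original post: it flags mail that reaches a single-use alias from a domain the owning service does not use. The alias names and the registry are constructed; `logmein.com` and `adp.com` are taken from this page.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: each alias was given to exactly one service.
ALIASES = {
    "lmi-7f3a@mail.example": {"service": "LogMeIn", "domains": {"logmein.com"}},
    "shop-19c2@mail.example": {"service": "Shop", "domains": {"shop.example"}},
}

def sender_domain(msg):
    """Domain of the From: header, lower-cased ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def recipients(msg):
    """Every address the message was delivered or addressed to."""
    fields = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
              + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def domain_allowed(domain, allowed):
    """True for an allowed domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return (alias, service, sender_domain) for each single-use alias that
    received mail from a domain its owning service does not send from."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    findings = []
    for rcpt in sorted(recipients(msg)):
        entry = ALIASES.get(rcpt)
        if entry and not domain_allowed(dom, entry["domains"]):
            findings.append((rcpt, entry["service"], dom))
    return findings

# Constructed sample messages; only the headers matter here.
LEGIT = ("From: LogMeIn <noreply@accounts.logmein.com>\n"
         "To: lmi-7f3a@mail.example\nSubject: Receipt\n\nbody\n")
SPAM = ("From: ADP <payroll@adp.com>\n"
        "To: lmi-7f3a@mail.example\nSubject: Invoice\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spam", SPAM)):
        print(name, check_message(raw))
```

A finding shows only that the alias is known to a third party, not how it got there. The From header is sender-controlled, so mail spoofing the service's own domain passes this check unless SPF/DKIM results are also evaluated.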

Adding credibility to my concerns are the 6 pages of concerned tech-savvy individuals on LogMeIn.com’s support forums, making exactly the same claims. The real concern here is what exactly was compromised? Was it just e-mail addresses? Was it an entire table with username/password data? Was my password properly hashed?

There are no responses from LogMeIn.com (other than an annoying “Don’t share your password with anyone and don’t click on any links!” response) on the forum, and only one other researcher has heard from LogMeIn. The response being that while an investigation is ongoing, there is no evidence a breach occurred.

I dispatched an e-mail to Marton Anka, CTO of LogMeIn.com, regarding this issue, but thus far, have not received any response. The forum is also filled with comments about how the issue remains unaddressed, and inquiries continue to go unanswered. At the bottom of this post is a copy of the e-mail I dispatched to Mr. Anka.

Have you been affected by this issue? Leave a comment below.

Marton,

I’m writing to you today to let you know about a potential data breach with LogMeIn.

As a security process, I register different websites/services using different e-mail addresses on a variety of domains that I use. My primary domain, {redacted}, is a domain that I use for services that I consider to be important, containing personal information, or services that I use often. LogMeIn received an e-mail address on my domain.

Today, I received an e-mail, forged from adp.com, with a virus attached to it. This e-mail was addressed to {redacted}, which is my logmein username.

This e-mail address exists nowhere else in the world. It has never been typed in or entered into another website, other than logmein.com, and has never been typed into a computer that I did not directly control and personally maintain. I do not use it for any correspondence. The address cannot send e-mail (It’s technically not possible at the moment, due to the fact that the address doesn’t actually exist, but is just aliased to my domain), so it’s not as though the e-mail was obtained via some FWD that I sent on to my grandma and list of 15 friends.

In my mind there are a few possibilities, in no particular order:
A. LogMeIn was compromised, either internally, or externally
B. LogMeIn sells personally identifiable information to 3rd party sources, which then resold my information to a spammer
C. My LogMeIn clients were compromised, and the LogMeIn software clients do not adequately protect the credentials they have
D. My personal client/browser was compromised, and observed me entering credentials into your website

I’m not sure which of these is the case. Perhaps there’s an element I haven’t yet considered. As for item D, I only use my corporate computer which has a strong domain policy, anti-virus, and the like. I work in a government regulated environment, lessening the likelihood I have some rogue, credential-capturing virus. As a computer security hobbyist, I certainly hope the fault does not lie with my machines. In remaining objective, I admit it remains a possibility.

I’m not sure how to proceed from here, but I consider the matter serious. I decided to address you directly, as I figured your support staff was unlikely to be educated on how to properly investigate and escalate this issue.

I have the e-mail in my inbox, but I did not forward it to you as I didn’t want to risk your spam/virus filters intercepting the forward. I’m happy to make it and its headers available to you. I’m also happy to discuss the technical details of my email system, and domain configuration, as necessary, in order to validate my concerns.

If you’re not the right person to begin addressing this issue, please forward it to the right party for me. I appreciate your time.

With regards,

{redacted}

Should I have let Walmart reward me for stopping a shoplifter?

We needed to pay a visit to Walmart this evening, but we’d already done plenty of shopping, so my wife went in while I stayed with the kids in the car. Like many other men, I decided to circle the Walmart parking lot. You know, drive circles around the building, dodge other cars, that kind of thing.

Where "the goods" were being lowered onto the ground.


I was doing slow, monotonous round trips around the side of the building when something caught my eye: merchandise being slipped through the steel grates of the garden center onto the ground below. I stopped the car and continued to watch as item after item was set on the ground. All in all there were probably over 10 items there. It took only a moment to realize what was going on.

I immediately backed up the car and drove to the Walmart automotive center, maybe 50 yards away and around a couple of corners. I called into the shop and let them know what I’d seen. One of the automotive guys, we’ll call him Russell (names have been changed), ran to a phone to let their loss prevention department know.

I went back to my car and parked a distance away to watch the rest of the story unfold. About 5 minutes later, a woman in a blue coat came out of the store with an empty basket, and immediately rounded the corner towards the merchandise now sitting on the sidewalk.

Unfortunately, Russell had hidden himself behind the corner, periodically peeking to see if his culprit would show up. She spotted him, immediately ditched her cart and did a brisk walk into the parking lot. I made eye contact with her, and she must’ve known I’d been watching because she immediately changed directions and began to zig-zag through the parking lot.

More sweet merchandise!


To make what could be an awesome part of this story shorter, I’ll simplify: I watched her about 15 minutes as she went throughout the parking lot, adjoining smoke shop, and Wendy’s restaurant before finally being picked up by a car. I was unable to get the license plate of her pick up because my view was temporarily obscured and I couldn’t see where she’d gone.

I went into the Walmart to see what they had recovered. Russell told me they’d recovered over $500 bucks worth of stuff, told me I was awesome, and said thanks. I accepted the gratitude and went on my way. On my way out, I decided to check out where she’d been dumping stuff.

I checked things out in the garden center and peeked out of the tarp to see how easy it was to slip stuff out of there. That’s when I noticed a ton of other stuff still sitting there after loss prevention had cleaned up everything on the sidewalk! This stuff was still outside the building, but stuck between a metal divider and the sidewalk, so you couldn’t see it from the outside of the building unless you knew where to look.

I went and told Russell what I’d found. He said

“Man that is awesome! You need to stick around so we can see if we can get you a gift card or something!”

I told him it was a nice gesture but it wasn’t necessary. “No way! Just stick around for a minute!”. I agreed. As Russell and another manager went and retrieved the additional merchandise, they found another $100.00+ worth of stuff! Unfortunately, it was getting late and they couldn’t find another manager to approve any sort of ‘Thank you’, so Russell said “hey man, give me your name and phone number and I’ll call you and let you know what we can do”.

I told Russell I was just happy doing the right thing and they didn’t need to do anything. He asked me if I was sure and I told him I was, and wished him a Merry Christmas.

The nail in the coffin for me was the hanging around – I was just kind of “waiting” for my reward while they added up stuff and got permission from their management. So by the time they asked for my phone number it just felt odd accepting a reward for doing the right thing.

What do you think? I saved Walmart $500-600 worth of merchandise tonight, followed the would-be shoplifter around attempting to identify her, and spent time with them sewing up loose ends.

Should I have let Wal-Mart reward me for stopping a shoplifter?

The 2012 US Presidential Debates – What you need to know

Until 1988, the League of Women Voters had organized and moderated the Presidential Debates as an independent 3rd party.

They were responsible for moderation, selection of questions, location, and other details related to the debates. The only thing the candidates had to do was show up.

In 1987, the Democratic and Republican Parties then jointly created a non-profit organization called the Commission on Presidential Debates. This commission secretly created a contract called a memorandum of understanding that decided which candidates would participate in the debates, which individuals would be panelists capable of asking questions, who could be in the audience… even the height of the podiums!

In 1988, the League of Women Voters’ 14 trustees unanimously voted to withdraw from participation, with the following statement:

“The League of Women Voters is withdrawing sponsorship of the presidential debates…because the demands of the two campaign organizations would perpetrate a fraud on the American voter. It has become clear to us that the candidates’ organizations aim to add debates to their list of campaign-trail charades devoid of substance, spontaneity and answers to tough questions. The League has no intention of becoming an accessory to the hoodwinking of the American public.”

Since the LWV’s departure from the debate process in 1987, the private, jointly-held Commission on Presidential Debates has run the debate process. They control virtually every aspect of what you see on television, including the exclusion of additional candidates. It’s important to remember that the CPD is a private organization – not accountable to the American people in any way. It’s also important to remember that this private organization is jointly run by the Democratic and Republican parties.

Since 1988, memorandums of understanding have coordinated every debate, including the 2012 Romney-Obama debates. Twice, the memorandums have been made public (albeit unintentionally). 2012’s memorandum of understanding was 21 pages long, and forbade ‘direct questions from one candidate to another’, among many other things.

And that’s why I didn’t watch the debates this year. No candidate can solve the Nation’s problems with 2-minute talking points, under the comfort of a debate organized by two organizations that are attempting to ‘perpetuate fraud on the American voter’.

I have no intention of becoming an accessory to the hoodwinking of the American public.

you can barley talk english, you dumb foreigner! – and other Facebook fails

I’m always impressed by literate U.S. citizens who vocalize their opposition to immigrants based on their ability to speak English. After an intense 10 minute search on reasonstohate.com, I bring you the following gems from enlightened citizens of the United States.

speak American you dumb foreigner

i can barley talk english

SWIM BACK TO MEXICO!

Don’t worry, you don’t look stupid…

To all foreigners in this country….

Starbucks no speak english

This is America!

You spanish speaker, you!!!

What’s a forbiden?

I wonder what they speak in Canada…

I said ‘wut!’

This be merica, people!

Plenty more gems just waiting to be found in real-time. Search Facebook for your own FAIL at www.reasonstohate.com.