Newbie - FAQ

That's not a security hole..
Ripped_Van_Winkle 994 reads

And folks should be smart enough to use a hobby email address.

The search function works with the email address that you have registered with TER.
If you want to "cloak" yourself, you can change your registered email address through "account manager", or use an alternative email address when contacting providers.

Hi folks,

Is it just me, or is there a security risk in the Whitelist search?

I had contacted a provider and she checked my e-mail address in the TER whitelist search and found my whitelist and handle.  

I did NOT give her my handle!

So, can anyone search an e-mail address and figure out someone's TER handle?  That wouldn't be very nice if someone is using their personal or professional e-mail address to contact providers.  

Of primary concern is that anyone could determine a person's TER handle just with their e-mail address.  I am tempted to search some of my co-workers' e-mail addresses, because I know in my heart at least some of them must be punters!

A second concern is for those who want to keep their reviews confidential from providers in case they fear retaliation in response to a sub-par review.

Do you see where I'm going with this and why I am concerned?

Thanks,
RedCloak

SweetGirl20061252 reads

But you are going to search out your co-workers on here? WOW! Talk about indiscreet and nosy :(

La-Tee-Da 747 reads

keep my lil world a secret but I wanna know everyone else's business. lol  cute...

Jeez, it was a joke.  Lighten up! I don't have time to kick up dirt on my co-workers. :)

you uncheck the box on your profile that says "show whitelist?"  Still searchable?

It has always been searchable in the whitelists.
The best thing for anyone who is still using their regular email addy for TER is to go into your account manager and change it.
BUT
remember to let your regular providers and references know about the changes, otherwise you'll run into problems down the road when you give an email that does not match.
Stay Safe & Hobby Smart
xoxoxoxo
Leigh

How does a provider go about tracing the email that we use to set up our TER accounts and then connecting that to the White List and hence our screen names?

Granted, the email you set up the TER account with should be a private one with an alias to boot, but I thought that only TER had access to that.  How does a provider or other TER member get a hold of it?

Isn't the whole idea of TER's PM system a way for TER members to communicate with one another without ever revealing our true identities?

Granted, the White List only works for clients who do not mind linking their real names to their TER handles, but that is an individual choice, or should be.  Many clients feel that they cannot write a review honestly without that anonymity.

For those who don't mind, the provider can send a PM to the client who claims to be the White Listed person and thereby confirm that they are not stealing someone else's screen name identity.

> How does a provider go about tracing the email that we use to set up our TER accounts and then connecting that to the White List and hence our screen names?

The cross reference procedure I was planning on using last night was "Hey baby, I am going to PM you from my TER account to verify that this e-mail is linked to my TER whitelist."

But the cutie beat me to it!  She searched using my e-mail address and said she saw my whitelist.

Please see my post below "...PLEASE READ THIS"
which describes levels of access control.

You should have a completely separate email address for hobbying. Not a business email, not even your primary personal email. To not do this is just plain stupid.  If you want to further insulate yourself I would use a different email address for TER than I do for providers.  This is what I do and have done for years.


Okay, I can write an elaborate analysis on the security flaw(s), and ways to get around at least some of those flaws, but I think the respondents earlier have already covered it for you.  It would involve using multiple e-mail addresses similar to what BostonGuy57 wrote.  

I totally understand the need to cross reference!
But I should be able to limit who gets to see my TER handle and reviews.  

Here's a (rough) simplified analysis:

There are levels of users that are pertinent in communicating with providers:

Level 1 - Public Internet User
Level 2 - Registered User
Level 3 - Limited VIP Member
Level 4 - VIP Member
Level 5 - Provider You Contact
Level 6 - Provider With Whom You Wish To Share Your Whitelist

It seems that once someone has your e-mail address that is linked with your TER account, they only have to be at level 2 or 3 to do at least the following:
1. Test membership in TER
2. Get at your review and posting history
3. If your account manager "show whitelist?" checkbox is checked, see your whitelist.

What I am saying is that TER could have implemented a scheme limiting showing the whitelist to only "Level 6" members above.  Such a scheme would have been more secure.  

Instead the levels are collapsed more than they need to be.

I agree it is a dumb idea to use your personal (and especially your professional) e-mail address to register in TER, but I am sure many folks are using at least the former with their TER accounts and are not aware of the above security flaw.
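
The collapsed lookup described in the post above, next to the "Level 6 only" scheme it proposes, as an added example that is not part of the original thread and is not TER's code. The account fields, function names and sample record are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):              # the six levels listed in the post
    PUBLIC = 1
    REGISTERED = 2
    LIMITED_VIP = 3
    VIP = 4
    PROVIDER_CONTACTED = 5
    PROVIDER_SHARED = 6

@dataclass
class Account:                     # hypothetical record layout
    handle: str
    email: str
    show_whitelist: bool = True    # the "show whitelist?" checkbox
    whitelist: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)  # providers the member chose

ACCOUNTS = {                       # constructed sample data
    "member@example.com": Account("SampleHandle", "member@example.com",
                                  whitelist=["provider_a"],
                                  shared_with={"provider_a"}),
}

def lookup_collapsed(accounts, email, requester_level):
    """Behaviour as the post describes it: any level 2+ user who knows the
    registered e-mail gets the handle, plus the whitelist if the box is checked."""
    if requester_level < Level.REGISTERED:
        return None
    acct = accounts.get(email.lower())
    if acct is None:
        return None                # a hit vs. a miss is itself a membership test
    result = {"handle": acct.handle}
    if acct.show_whitelist:
        result["whitelist"] = list(acct.whitelist)
    return result

def lookup_scoped(accounts, email, requester_id):
    """Proposed scheme: only a provider the member explicitly shared with
    ("Level 6") gets an answer. Every other requester gets the same None
    whether or not the e-mail is registered, so membership cannot be tested."""
    acct = accounts.get(email.lower())
    if acct is None or requester_id not in acct.shared_with:
        return None
    return {"handle": acct.handle, "whitelist": list(acct.whitelist)}
```
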


spooky_one 789 reads

If you want true anonymity, use a separate email for contacting providers via the internet, and one for your TER registration as suggested.

You can only search for the TER registered email address as a member, true. But anyone half-dumb-assed enough to give you their hobby email doesn't care about this.

Never rely on electronic/computer security to replace good old fashioned counter-intel trade craft.

When you start your own website you can set it up any way you like.  In the meantime, here on TER, you are just going to have to accept the way things are.  Honestly, this is not really a newbie issue, if you want to try and change the way things operate (not that you have an ice cube's chance in hell of doing it in this case) your post belongs in the suggestion and policy section.

I agree with others, this is not a security hole, it's exactly the way TER wants it.

LMAO. Sorry, but that "When you start your own website you can set it up anyway you like. In the meantime, here on TER, you are just going to have to accept the way things are." line reminded me sooooo much of my grandfather. He used to say the same thing about "when you get your own place and pay your own bills you can make the rules...till then my house, my rules".

Sooo yea...I'm basically saying you sound like someone's grandfather. : p  

You're right though, that shouldn't really be posted on the newbie board.

-- Modified on 3/22/2010 8:13:41 AM


I posted on the newbie board because being a newbie myself (and a diligent one at that, if I may say so myself - been reading the boards every day since November '09), it wasn't obvious to me that this was a TER as-designed, as-desired feature until so many people said so.

The nuances of the TER Whitelist are not discussed nearly as much as STDs, LE, screening, and provider website advice.  And they should be, IMHO.

So, I disagree that my original post belongs elsewhere.  

My last post however, might be converted into a "Suggestion & Policy" post, although from what BostonGuy57 says, it seems it will probably languish there, ignored for eons.

Emily, Some of us are someone's grandfather.
