Questions for Michael Ferro, Chairman of Wrapports, LLC.

Dear Mr. Ferro:

Hello. I’m a former member of this message board, back because of the recent hacking.

You purchased the Chicago Reader and its related entities, including this website, almost two years ago. You’ve made public comments that set the Reader as a key investment. “The Reader is what we wish everything was like. Self-sufficient. They make money,” you said. You are also on record as identifying, correctly I believe, the waning of print media and the need to establish a profitable digital strategy for the content previously distributed in printed periodicals. You impressed Reader publisher Allison Draper with your “digital savvy.”

So here we are. Digital. I don’t know much about how to run a profitable digital content-generation business. Maybe no one does yet. But I do know this: the digital world is a social one, information hates being hidden in darkness here, and transparency is paramount to anyone with aspirations to profit from the trust of digital customers. Which is to say, in the wake of the recent hacking of the Straight Dope Message Board’s database, your digital customers are not going to write a letter to a snail mail address and they’re not going to call an old-fashioned, 20th Century “1-800” number. No, Mr. Ferro, if you want to profit from digital customers you’ll have to get used to dealing with digital failures in a public digital space.

In connection with that, I have some questions about the recent hacking of the message board’s software.

We are told that a “security team” “recently” discovered that the database had been hacked. How recently? Specifically, how much time elapsed between the discovery of this hacking and the disclosure of it?

When did this hacking occur? Was it a one-time event or did it occur over time?

How did the hacking occur? There are rumors of a zero-day security issue with the message board’s software vendor VBulletin, which rumors the owners of VBulletin dispute. Was this hacking a result of a VBulletin vulnerability, of poor password practices by administrators of the site, of a sustained brute-force attack which was undetected while it was ongoing or some other way? If another way, how? If through a VBulletin failure, is the message board still vulnerable? Is it still vulnerable anyway?

The notice specifies that the information stolen included usernames, email addresses and passwords. Was that all the information taken, or was other information taken? I’m asking here about text information which users may have included in their profiles, IP information, status as a paid, free, or administrative member or any other information.

The notice claimed that the message boards do not collect or store Social Security numbers or credit card information. Yet, many members have provided exactly that information to PayPal using this message board as a conduit. What method does the message board software use to determine who has paid and when? Do they use a transaction number from PayPal? Can that number or other information which the software does retain in turn be associated with a credit card number by a sufficiently diligent hacker? Can you reinforce the claim the notice made that users’ credit card numbers were not obtained by the hackers and further, can you make it clear that no other information was stolen that might be used to obtain such numbers?

The notice which was sent by email employed links back to this message board which were formatted in such a way as to resemble a “phishing” email, alarming many who received the email and in some cases causing the email to go to users’ spam folders. Does your team now understand that that was a poor idea, particularly in an email discussing a security breach?

Like any message board, this one has turnover. Only approximately 5% of the accounts registered to this website are active. Will you agree to purge the accounts of those users who are not active (say, who have not signed in for a year) to minimize the damage done by future security breaches? If not, why not? What benefit is gained by retaining a large database of usernames, passwords and other information if the users are not active?

More broadly, Mr. Ferro, we’d like to hear your voice on this hacking generally. You can’t be happy about it. You doubtless know both that no site is 100% safe from the kind of security breach which occurred here and that such events erode trust in the sites to which it happens, even if that eroded trust is undeserved. In this case, what you may not know is that the site has now been successfully hacked at least three times. What assurance can you give your customers here that you are making the necessary investments in personnel, hardware and software to minimize the chance of a recurrence of this breach? What other thoughts do you have about what happened? It’s very difficult to believe that the over-lawyered notice your organization originally sent out and your employees’ subsequent radio silence reflect your view of how such things should be handled.

Thank you for your attention to this matter. I’ll be leaving after this issue is settled; I never intended to return but for the hack. However, after addressing this issue, you may want to engage the remaining users in a discussion about ad blockers, malware and the class of advertiser you allow to access your customers on this site.


MODERATOR NOTE: Please be aware this thread is from Jan 2014, resurrected in Post #17 in Jun 2014. – CKDH

Nice post manhattan, and good to see you around.

(!!!)

…I mean, cite?!?!? :slight_smile:

Very nice. Excellent questions that deserve thoughtful answers.

Actually, I’d like a cite for that as well.

There was some discussion in the other thread that suggested such, but TubaDiva’s quoted response did not confirm the lost content was due to a hack. It specified that a file became corrupted.

Nice to see you still kicking ass, manhattan.

I suspect that in addition to the hacking of 2000, he’s referring to the gl0worm incident. That user’s hacking seems to have been limited to inserting his/her own information into the banner ads.

I hope that you also sent him this message directly because I don’t expect you’ll get any kind of response here.

Excellent, manhattan.

We are at Day Five since Ed announced the latest hack, and not a peep since from anyone official. The deafening silence in this digital world is not a quality business practice.

Hey, manny! Long time, no read. IIRC* you’re one of them lawyers I’ve heard tell of, right? Not that anybody should be afraid of lawyers. ;)**

* For the benefit of Mr Ferro’s minion who may have to read this, “IIRC” is internet jargon meaning “If I Recall Correctly.” My friend manhattan has not visited much lately and I have forgotten some details of his life. However, I believe I am correct in describing him as male. I shrug as I type that because on the internet you can never be too sure of unimportant details.

** The ;) is a symbol for a winking eye. This indicates to readers that I did not intend the statement preceding it as a threat. Sites getting hacked goes with the territory and there is no reason to get lawyers involved at this point. OTOH (more jargon, “On The Other Hand”), my mentioning it recognizes that someone who suffers a loss because of the hacking will disagree. I know that anybody’s first reaction is to clam up for fear of making the situation worse, or in hopes of it going away, but time and again the clamshell method has encouraged people to create their own interpretations of a company’s silence, and people do not default to making positive interpretations. Openness is an essential part of good customer relations and I hope you understand this.

We’re (mostly) all friends here, and I encourage you to join and become a part of it, both because then you will understand why we feel how we do and because you could have some fun. And you could talk about the changes in your life since buying the Sun-Times in a new Ask the Media Mogul thread. Or you could be anonymous like most of us and talk about anything you are interested in. It is a nice pressure release valve.

manny isn’t a lawyer. He’s in finance.

He wears a suit to work. They’re all the same to me, suckling at the teat of a corrupt system while grinding our bones to make their bread. :wink:

Oh, I meant manny, Mr Ferro. Not you.

But one last thing. You do know that your pal Jenny McCarthy is a dangerous crackpot whose claims have encouraged thousands of parents to not immunize their children, which has resulted in many unnecessarily sick children and not a few possible deaths, and not someone to whom a responsible and public minded media mogul would give a column, right? You did not know that and will rectify your mistake immediately, right? Right?

I expect a similar reaction from Mr. Ferro as when SD is the conduit for malware, i.e., not our problem.

Well, yeah, but we can dream, can’t we?

In reality, I wish manny hadn’t posted that. The Reader is nearly incidental to Wrapports’ total investments and the SDMB is completely incidental to the Reader. All that was stolen was names, emails, and passwords, which can cause an invasion of privacy, if that’s what you call getting even more spam. A better choice would have been to keep our heads down.

Ferro may not read manny’s post but you can be sure he has someone who does vanity searches for him, just to know what is being said about him, so the SDMB is now on his radar. Bad idea when the board exists at his pleasure. A better choice would be to have waited until actual damage was done.

ETA: http://www.chicagomag.com/Chicago-Magazine/November-2013/michael-ferro/

He was bought out by Target. Who sold us to Neiman-Marcus.

It’s a long way down.

That’s a lot of turtles.

Out of curiosity, did anyone ever address any of these questions? Perhaps in another thread?

I’m sure the CEO will be right along to respond to your concerns.

…annnnny minute now.

I’ll bet he misplaced his hall pass and doesn’t dare come in.

What on earth is the problem with asking intelligent questions about the recent episode, questions which I’m sure many others on the board would like an answer to?

Quite frankly if such inquiries could ‘put the board on his radar’ and we’d be better ‘keeping our heads down’ then this place isn’t worth a bucket of warm spit anyway. Fortunately I believe you’re quite mistaken and if the man became aware of the questions he would not be offended at all, as there is no possible cause of offense in them.