26 April 2005

Rojo releases private e-mails

In apparent violation of their own written policy stating that they will not release private information to any party, Rojo.com appears to have wasted no time in tripping.

Rojo has a problem with its platform. Non-members can enter codes and names to have passwords sent. Anyone, not just members, can type in a member name, and have the e-mail sent. Small problem. Rojo publicizes the e-mail it is sending the password to.

In other words, if you guess the name of a Rojo.com member, and then say that you want the password reminder sent to “you, the member,” Rojo will gladly forward the password reminder to “you, the member”.

And at that critical juncture, when Rojo promises to send the password reminder to you, guess what? Rojo also publicly displays the e-mail that it is sending the password to.

Let me say that again: You do not have to be a member of Rojo.com to enter any member name and have the “e-mail that the password reminder is sent” revealed to you.

How foolish is that?

This means that anyone, even non-members, could create an automated sign-in procedure that would request to have passwords sent. As soon as Rojo.com confirms the member name, the non-member-bot would have access to the e-mails, download this information, and then use it for other purposes.
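The flaw described above, sketched next to a corrected handler. This is an added example, not Rojo.com's code; the member names, addresses, function names and the per-client limit are hypothetical.

```python
# Constructed sample data: these member names and addresses are hypothetical.
MEMBERS = {"alice": "alice@example.org", "bob": "bob@example.net"}

OUTBOX = []  # stands in for the mail system: (recipient, body) tuples

GENERIC_REPLY = ("If that member name exists, a reminder has been sent "
                 "to the address on file.")


def reminder_leaky(member_name):
    """Behaviour the post describes: the reply names the address on file."""
    email = MEMBERS.get(member_name)
    if email is None:
        return "No such member."  # also confirms which names do not exist
    OUTBOX.append((email, "Your password reminder ..."))
    return f"Your password reminder has been sent to {email}"


def reminder_hardened(member_name, client_id, attempts, limit=3):
    """Same reply for every input; the address never reaches the requester."""
    attempts[client_id] = attempts.get(client_id, 0) + 1
    if attempts[client_id] <= limit:
        email = MEMBERS.get(member_name)
        if email is not None:
            OUTBOX.append((email, "Your password reminder ..."))
    # Identical text whether the name exists, does not exist, or the client
    # is over its limit, so replies cannot be used to confirm member names.
    return GENERIC_REPLY


def leaks_address(reply):
    """True if any address on file appears in the text shown to the requester."""
    return any(addr in reply for addr in MEMBERS.values())
```

The hardened handler still mails the real member, so the legitimate owner gets the reminder while the requester's screen shows nothing tied to the account.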

It appears as though such a security flaw is not only a problem, but appears to be a violation of the Rojo.com membership agreement.

Rojo.com would be smart to remedy this well-known problem. Bluntly, Rojo needs to fix this problem before e-mails are downloaded and non-members are able to use Rojo-member-emails for spamming or other illegitimate purposes.

It is disturbing that Rojo.com would apparently ignore repeated reports of problems with the sign-in procedures.

It remains to be understood through discovery whether Rojo developers failed to ensure that the e-mails were released; to what extent they were informed of the problem and recklessly failed to ensure their platform protected the e-mail; and whether they were negligent in ensuring that private information was not released.

We remain skeptical that Rojo.com has a straight story. Rather, we remain confident that we’ll continue to hear more non-sense on par with the absurdity heard from other platforms.

Allegation: Rojo.com failure to comply with the Rojo.com user-member agreement

If Rojo was in compliance with their own agreement, would it not be reasonable to expect that there would be requisite security procedures in place to prevent anyone from getting access to another member’s e-mail account?

Rojo has a problem with its sign-in procedures. Users, if they are foolish enough to sign up for Rojo, are given the opportunity to have their password e-mail sent to them.

Small problem. Rojo publishes the e-mail that they’re sending the e-mail confirmation to. This means that anyone can get access to this private information.

Allegation: Creating a platform which does release e-mails to non-authorized users

It remains to be understood through discovery the number of beta-error reports related to the sign-in problems.

Based on information and belief, Rojo.com was fully aware of the security problems and did know that there were problems with sign-ins.

It remains to be understood why, despite the apparent numerous complaints related to the sign-in procedures, Rojo.com has apparently continued to assert that they protect members’ privacy.

Based on the current Rojo.com design after beta, Rojo.com appears to have not fixed this error; and Rojo.com continues to release to non-members the e-mails of those who are members.

Allegation: Failure to protect private information, in violation of the clearly promulgated user agreement

We remain unclear why Rojo.com would go to the extreme measure of requiring members to sign in with their postal codes, as if this is part of some service.

If Rojo.com was truly providing a service, would it not be reasonable to expect that they would also comply with their member agreement?

Sadly, at the other end of the spectrum Rojo.com then allows members’ e-mails to be released.

Is this the intent of Rojo: To allow non-members to get access to private information on members; to get access to private e-mail accounts?

Allegation: Existence of a known security problem and failure to remedy a known defect

Based on information and belief we also allege that Rojo.com was fully aware of the security problems and was in direct receipt of specific complaints related to the design flaws.

It remains to be understood through discovery whether Rojo.com management was in receipt of this information; to what extent the known problems with the security access were discussed; and to what extent, if any, management knew of the problem and has failed to ensure that private information was protected despite the clear membership agreement terms to the contrary.

Again, there is no merit to the defense that Rojo didn’t know. Rojo publicly stated numerous times that it was aware of security problems.

Allegation: Rojo issued a contract and has breached the terms of that contract

The reasonable person would expect that this security problem would be resolved, not ignored; and that the firm issuing the membership agreement would be in compliance with those terms it offered as valuable consideration in exchange for valuable membership feedback.

Does Rojo.com management want the world to believe that the terms of the membership agreement [“contract”]

  • are not enforceable?

  • are not specific, clear, and obvious?

  • are somehow vague, not enforceable, and ambiguous?

I’m sure there’s a perfectly illogical explanation for this absurdity. Feel free to outline the non-sense Rojo.com plans to rely on to justify confidence that the contract terms, that somehow implied that the e-mails would not be released, are in fact to the contrary and actually permit the release of information despite an apparent promise otherwise.

However, it seems very clear to me that the CONTRACT terms were clear, specific, and unambiguous. Part of the promotional campaign, inducement, and offer was the Rojo.com management assertion that in exchange for getting access to this valuable personal information, Rojo.com would provide, in exchange, access to the platform.

That sounds like a bargain, a free exchange, and consideration.

Also, the parties have freely engaged in a contract; and have represented that they are over 18 years of age. So, the contract, when the member agrees to that contract, is between persons who have the capacity to form contracts.

I see no missing element to this contract, nor a flaw in the contract formulation or structure. Please point out where we might be missing something.

Again, it appears that Rojo.com has created a platform and allowed to exist a system which, contrary to its own membership agreement, does in fact do the opposite, inter alia:

  • Fails to remedy the problem;

  • Does not protect information as promised;

  • Allows private information that was promised to be protected to be, in fact, released;

  • Permits this information to be accessed by anyone; and

  • Fails to ensure that the promised protections are in place and in fact work.

At this juncture, Rojo.com has some explaining to do.

  • Why was Rojo released from beta and formally launched without solving this problem with the sign-in?

  • Why are e-mails being issued to non-members?

  • Why is the public able to get access to private e-mail information on other members?

  • Why does Rojo.com publicize the e-mails of members to anyone?

We look forward to a spirited debate. Rojo.com you have some explaining to do. Please outline why your platform allows private e-mails to be accessed by anyone, even non-members; and discuss your plan to ensure this no longer continues.


LEGAL NOTICE


Creative Commons License

This work is licensed under a Creative Commons License.

You may not copy any of this work to promote a commercial product on any site or medium in the universe.

If you see this work posted on a commercial site, it violates the creative commons license; and the author does not endorse the commercial product.

Free to use for non-commercial uses. Link to this original blogspot and cite as .
