12872 posts

Uber Geek
+1 received by user: 2111

Trusted
Subscriber

Topic # 220394 9-Aug-2017 08:16

Library Elf is a service that does things like send reminders before books are due, to avoid overdue fees. It's compatible with Wellington City Libraries.

 

It hasn't been working for a while, but emailed me today saying it's working again. I went to delete my account, because I haven't been into a library since I got my Kindle. I didn't remember my password, so I used the "forgot password" function.

 

Library Elf emailed me my password. This shows that they store the actual password, rather than best practice of storing a secure hash. It's possible that they store the password unencrypted in a database, but the only way to work that out would be with system access. Either way it means user passwords are more vulnerable than they should be.

 

I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.

 

I'll point this out to Library Elf. I don't think Wellington Libraries are directly associated, but if anyone wants to tell them please go ahead.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


555 posts

Ultimate Geek
+1 received by user: 160

Subscriber

  Reply # 1841601 9-Aug-2017 08:53

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 


2694 posts

Uber Geek
+1 received by user: 1364

Subscriber

  Reply # 1841915 9-Aug-2017 15:44
3 people support this post

kryptonjohn:

 

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 

 

I have very little sympathy for anyone still using their email password for any other system (or simply reusing passwords in general). 





Information wants to be free.
The Net interprets censorship as damage and routes around it.


 
 
 
 


444 posts

Ultimate Geek
+1 received by user: 89

Subscriber

  Reply # 1841933 9-Aug-2017 16:01
One person supports this post

Report it to cert.govt.nz. This is one of the reasons why they exist.





Geoff E



12872 posts

Uber Geek
+1 received by user: 2111

Trusted
Subscriber

  Reply # 1841950 9-Aug-2017 16:25

geocom:

 

Report it to cert.govt.nz. This is one of the reasons why they exist.

 

 

They're not based in NZ.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


444 posts

Ultimate Geek
+1 received by user: 89

Subscriber

  Reply # 1841958 9-Aug-2017 16:48
One person supports this post

I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.

 

If you think this, then CERT should do some investigating to see if there is any link between Wellington Library and their systems. I don't know anything about the system; however, if it is able to get loan information from Wellington Library then there is some level of integration. If they are just scraping a site linked to Wellington Library using a password that you have given them, then Wellington Library are more than able to block the requests.

 

Chances are that anyone you can talk to at Wellington Library is going to have no idea what needs to happen; however, CERT have a bit more ability to get to the higher levels.





Geoff E

1669 posts

Uber Geek
+1 received by user: 825


  Reply # 1842969 9-Aug-2017 17:22
One person supports this post

timmmay:

geocom:


Report it to cert.govt.nz. This is one of the reasons why they exist.



They're not based in NZ.


But the library IS.




Location: Dunedin

3074 posts

Uber Geek
+1 received by user: 891

Subscriber

  Reply # 1842971 9-Aug-2017 17:28

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out decrypts the password and sends it?

 

The other thing I think here is... this is a library we are talking about... not banking, email etc.


'That VDSL Cat'
6264 posts

Uber Geek
+1 received by user: 1172

Trusted
Spark
Subscriber

  Reply # 1842972 9-Aug-2017 17:29

Lias:

 

kryptonjohn:

 

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 

 

I have very little sympathy for anyone still using their email password for any other system (or simply reusing passwords in general). 

 

 

I have empathy, but no sympathy for this.

 

 

 

I have seen businesses get completely rolled by this....





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


444 posts

Ultimate Geek
+1 received by user: 89

Subscriber

  Reply # 1842974 9-Aug-2017 17:33
One person supports this post

chevrolux:

 

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out decrypts the password and sends it?

 

The other thing I think here is... this is a library we are talking about... not banking, email etc.

 

 

Nope.

 

The only situation where this would work is if the password is emailed in the same request as the generation of the password, or if a new password is generated when clicking on "I forgot my password"; however, this is not something I would recommend.

 

There should be no way for a developer to get the password from a hashed string. If they can then it is not secure.





Geoff E

3074 posts

Uber Geek
+1 received by user: 891

Subscriber

  Reply # 1843009 9-Aug-2017 19:41

geocom:

 

chevrolux:

 

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out decrypts the password and sends it?

 

The other thing I think here is... this is a library we are talking about... not banking, email etc.

 

 

Nope.

 

The only situation where this would work is if the password is emailed in the same request as the generation of the password, or if a new password is generated when clicking on "I forgot my password"; however, this is not something I would recommend.

 

There should be no way for a developer to get the password from a hashed string. If they can then it is not secure.

 

 

That makes sense, I suppose, now that I think about it. If a hacker got a whole bunch of encrypted passwords they could just run it through something to decrypt it.

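As an added illustration of the distinction geocom draws (and the follow-up about a stolen batch of encrypted passwords), not Library Elf's code and using a constructed in-memory store: passwords are stored as a salted, slow hash that cannot be turned back into the password, and "forgot password" issues a short-lived, single-use reset token instead of mailing anything recoverable. Function and table names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}          # constructed stand-in for a user table: username -> hash record
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); the raw token is never stored
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; slows offline guessing


def hash_password(password):
    """Salted, slow hash. Only the salt and digest are stored; the password is not recoverable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record, candidate):
    """Re-derive the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def register(username, password):
    USERS[username] = hash_password(password)


def request_reset(username, now=None):
    """'Forgot password' path: there is no password to email, so send a random token instead."""
    if username not in USERS:
        return None  # the caller should respond identically either way to avoid account enumeration
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()  # a database leak must not expose live tokens
    RESET_TOKENS[key] = (username, (now if now is not None else time.time()) + 15 * 60)
    return token  # only this goes into the emailed link


def redeem_reset(token, new_password, now=None):
    """Consume the token once, reject it if expired, and store a fresh hash of the new password."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return False
    USERS[username] = hash_password(new_password)
    return True
```

A service that can email your original password is, by construction, not using this scheme: nothing in USERS contains the password bytes.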

16741 posts

Uber Geek
+1 received by user: 1955

Trusted

  Reply # 1843030 9-Aug-2017 20:22

Empathy or sympathy or not, when you get to a certain age, you can't even remember if you've had breakfast or not.

 

Moreover tech for some is like Greek.

 

When you get to that age you will understand. There'll be this chip thing in your ear once your iPhone 99 dies, and you won't be able to stop it from talking inside your head because you forgot the tongue dance code.


850 posts

Ultimate Geek
+1 received by user: 84

Subscriber

  Reply # 1844979 11-Aug-2017 09:36
3 people support this post

I ran the question regarding Library Elf past the Wellington City Library staff, who have advised:

 

“Wellington City Libraries does not share any customer data with Library Elf or integrate it with any of its systems.  It is a separate online service which people can choose to join. Library Elf then uses the customer library card information (i.e. the same information as can be accessed via www.wcl.govt.nz/card) to source the loans & reserves that the customer has.”

 

There is also a note on their web page at http://www.wcl.govt.nz/blog/index.php/2010/01/28/library-elf-a-service-that-can-help-you-manage-your-library-card/ advising you to check out the Library Elf privacy statement regarding the library card details that you are providing them when you sign up to use the Library Elf service.

 

 

 

Disclaimer: I work for WCC


3135 posts

Uber Geek
+1 received by user: 851


  Reply # 1844995 11-Aug-2017 09:53

I liked Library Elf when my library used it. Never had any overdue books. You could configure email alerts to immediately send emails for any books that are overdue.

 

But since my library dropped Library Elf, they only email 3 days before a book is due, then another email a week after it becomes overdue. When you have 30 books out at a time (lots of little books for young kids), you often don't know if you've missed a couple.

 

Our library says it is too expensive to send emails (yes, they really said that!) and that they are only obligated to issue the paper reminder when you check out the book. It really bugs me, as they seem completely opposed to the benefits of technology.

 

 




12872 posts

Uber Geek
+1 received by user: 2111

Trusted
Subscriber

  Reply # 1845028 11-Aug-2017 10:38

Ok, WCC aren't directly integrating. That's interesting. It's not the answer though.

 

Library Elf didn't reply when I contacted them.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


2152 posts

Uber Geek
+1 received by user: 206


  Reply # 1845100 11-Aug-2017 12:24

Some discussion here http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html 

 

Wellington Library uses just card number and surname, so anyone wanting to know what I currently have overdue just needs my card number; they don't need to hack Library Elf.

 

Some years ago I did question why they displayed this information on the screens and receipts when you checked books out and that was changed. In the above article reserved books are mentioned. I can't remember what is on the slip wrapped around your book sitting on the shelf waiting for you or anyone else to look at.

 

 

