Metalworking (rec.crafts.metalworking) Discuss various aspects of working with metal, such as machining, welding, metal joining, screwing, casting, hardening/tempering, blacksmithing/forging, spinning and hammer work, sheet metal work.

#1
New Harbor Freight website has MAJOR security hole!!!

DO NOT USE IT!!!!

I went there and looked it over. Yes it's slow. They have a notice that
if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account.

Instead of getting any type of account log in or sign-up page I was sent
to the account of a person who lives in the 914 area of NY. It listed
the name, address, phone numbers and recent orders for this person.

Thinking this was a glitch I tried to exit and reload the page.
It brought up a new page with the account information of a person in
Wisconsin!

I closed down the browser, flushed the memory and went back to the site
to see if I could get in. Went to the same "secure" section of the site
and tried the account button again. It took me to yet another member's
account information!

I just sent the customer service an E-mail about it but don't know if
they will take action.


--
Steve W.
(\___/)
(='.'=)
(")_(")
#2
New Harbor Freight website has MAJOR security hole!!!

"Steve W." wrote in message
...
DO NOT USE IT!!!!

I went there and looked it over. Yes it's slow. They have a notice that
if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account.

Instead of getting any type of account log in or sign-up page I was sent
to the account of a person who lives in the 914 area of NY. It listed
the name, address, phone numbers and recent orders for this person.

Thinking this was a glitch I tried to exit and reload the page.
It brought up a new page with the account information of a person in
Wisconsin!

I closed down the browser, flushed the memory and went back to the site
to see if I could get in. Went to the same "secure" section of the site
and tried the account button again. It took me to yet another member's
account information!

I just sent the customer service an E-mail about it but don't know if
they will take action.


They will I am sure.

It's a nice looking website. More clean and professional rather than
industrial looking. The search function works better. Now if they would
just add all the service and repair parts from the master catalog. That was
the main thing I found lacking in the old cart system. They had never done
all the data entry for all the repair and service parts. You could search
by item number if you knew it, but if you didn't it was impossible to find
via the site.

Some folks may not like the clean and professional look now. The old cart
system had that rough oily feel of actually being in a Harbor Freight store.
You could almost smell the machine oil and the cosmoline. I kinda liked
that. Then I think a shop that doesn't smell of oil, old varnishes, and
spilled paint just isn't a shop.



#3
New Harbor Freight website has MAJOR security hole!!!

On 2010-04-30, Bob La Londe wrote:
Some folks may not like the clean and professional look now. The old cart
system had that rough oily feel of actually being in a Harbor Freight store.
You could almost smell the machine oil and the cosmoline. I kinda liked
that. Then I think a shop that doesn't smell of oil, old varnishes, and
spilled paint just isn't a shop.


I am OK with either look, but I realized there is one more problem:
the old system let me keep my stuff in the shopping cart for weeks. So
I would just put stuff in it for a while and then place an order. The
new system empties the cart very quickly. This is EXTREMELY STUPID.

McMaster Carr also lets me keep a shopping cart almost forever. This
is the way it should work.

i
#4
New Harbor Freight website has MAJOR security hole!!!

"Ignoramus9191" wrote in message
...
On 2010-04-30, Bob La Londe wrote:
Some folks may not like the clean and professional look now. The old cart
system had that rough oily feel of actually being in a Harbor Freight store.
You could almost smell the machine oil and the cosmoline. I kinda liked
that. Then I think a shop that doesn't smell of oil, old varnishes, and
spilled paint just isn't a shop.


I am OK with either look, but I realized there is one more problem:
the old system let me keep my stuff in the shopping cart for weeks. So
I would just put stuff in it for a while and then place an order. The
new system empties the cart very quickly. This is EXTREMELY STUPID.

McMaster Carr also lets me keep a shopping cart almost forever. This
is the way it should work.


That could be related to the other issue. If it's losing track of your
cookies and thinking you are somebody else, it's not going to show what is in
your shopping cart properly either.



#5
New Harbor Freight website has MAJOR security hole!!!

I can't GARDEN TOOLS, LAWN EQUPIMENT stand the pop up
windHAND TOOLSows that interfere any time AIR TOOLS that I
try and mouse to CLEARANCE CLOSE OUTS something.

--
Christopher A. Young
Learn more about Jesus
www.lds.org
..


"Bob La Londe"
wrote in message
...

Some folks may not like the clean and professional look now. The old cart
system had that rough oily feel of actually being in a Harbor Freight store.
You could almost smell the machine oil and the cosmoline. I kinda liked
that. Then I think a shop that doesn't smell of oil, old varnishes, and
spilled paint just isn't a shop.






#6
New Harbor Freight website has MAJOR security hole!!!

On 2010-04-30, Bob La Londe wrote:
"Ignoramus9191" wrote in message
...
On 2010-04-30, Bob La Londe wrote:
Some folks may not like the clean and professional look now. The old cart
system had that rough oily feel of actually being in a Harbor Freight store.
You could almost smell the machine oil and the cosmoline. I kinda liked
that. Then I think a shop that doesn't smell of oil, old varnishes, and
spilled paint just isn't a shop.


I am OK with either look, but I realized there is one more problem:
the old system let me keep my stuff in the shopping cart for weeks. So
I would just put stuff in it for a while and then place an order. The
new system empties the cart very quickly. This is EXTREMELY STUPID.

McMaster Carr also lets me keep a shopping cart almost forever. This
is the way it should work.


That could be related to the other issue. If it's losing track of your
cookies and thinking you are somebody else, it's not going to show what is in
your shopping cart properly either.


I think that you got it perfectly right.

i
#7
New Harbor Freight website has MAJOR security hole!!!

Bob La Londe wrote:
"Steve W." wrote in message
...
DO NOT USE IT!!!!

I went there and looked it over. Yes it's slow. They have a notice that
if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account.

Instead of getting any type of account log in or sign-up page I was sent
to the account of a person who lives in the 914 area of NY. It listed
the name, address, phone numbers and recent orders for this person.

Thinking this was a glitch I tried to exit and reload the page.
It brought up a new page with the account information of a person in
Wisconsin!

I closed down the browser, flushed the memory and went back to the site
to see if I could get in. Went to the same "secure" section of the site
and tried the account button again. It took me to yet another member's
account information!

I just sent the customer service an E-mail about it but don't know if
they will take action.


They will I am sure.

It's a nice looking website. More clean and professional rather than
industrial looking. The search function works better. Now if they
would just add all the service and repair parts from the master
catalog. That was the main thing I found lacking in the old cart
system. They had never done all the data entry for all the repair and
service parts. You could search by item number if you knew it, but if
you didn't it was impossible to find via the site.

Some folks may not like the clean and professional look now. The old
cart system had that rough oily feel of actually being in a Harbor
Freight store. You could almost smell the machine oil and the
cosmoline. I kinda liked that. Then I think a shop that doesn't smell
of oil, old varnishes, and spilled paint just isn't a shop.





Got an Email reply from them. Seems that they tested the site and found
the same thing I did. The message said they were putting the site on
maintenance mode to test it more. Haven't tried it again but last night
I could pull up random names just about every time.

--
Steve W.
#8
New Harbor Freight website has MAJOR security hole!!!

On 2010-04-30, Steve W. wrote:
Bob La Londe wrote:
"Steve W." wrote in message
...
DO NOT USE IT!!!!

I went there and looked it over. Yes it's slow. They have a notice that
if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account.

Instead of getting any type of account log in or sign-up page I was sent
to the account of a person who lives in the 914 area of NY. It listed
the name, address, phone numbers and recent orders for this person.

Thinking this was a glitch I tried to exit and reload the page.
It brought up a new page with the account information of a person in
Wisconsin!

I closed down the browser, flushed the memory and went back to the site
to see if I could get in. Went to the same "secure" section of the site
and tried the account button again. It took me to yet another member's
account information!

I just sent the customer service an E-mail about it but don't know if
they will take action.


They will I am sure.

It's a nice looking website. More clean and professional rather than
industrial looking. The search function works better. Now if they
would just add all the service and repair parts from the master
catalog. That was the main thing I found lacking in the old cart
system. They had never done all the data entry for all the repair and
service parts. You could search by item number if you knew it, but if
you didn't it was impossible to find via the site.

Some folks may not like the clean and professional look now. The old
cart system had that rough oily feel of actually being in a Harbor
Freight store. You could almost smell the machine oil and the
cosmoline. I kinda liked that. Then I think a shop that doesn't smell
of oil, old varnishes, and spilled paint just isn't a shop.





Got an Email reply from them. Seems that they tested the site and found
the same thing I did. The message said they were putting the site on
maintenance mode to test it more. Haven't tried it again but last night
I could pull up random names just about every time.


I think that what happens is that they give everyone the same cookie
(one cookie value given to everyone).

i
#9
New Harbor Freight website has MAJOR security hole!!!


"Ignoramus9191" wrote in message
...




Got an Email reply from them. Seems that they tested the site and found
the same thing I did. The message said they were putting the site on
maintenance mode to test it more. Haven't tried it again but last night
I could pull up random names just about every time.


I think that what happens is that they give everyone the same cookie
(one cookie value given to everyone).

i


I wonder then if that was the case, if one could then deliberately fool the
system by generating your own cookies and thus harvesting personal
information deliberately?

--

Roger Shoaf

About the time I had mastered getting the toothpaste back in the tube, then
they come up with this striped stuff.


#10
New Harbor Freight website has MAJOR security hole!!!

On 2010-04-30, Roger Shoaf wrote:

"Ignoramus9191" wrote in message
...




Got an Email reply from them. Seems that they tested the site and found
the same thing I did. The message said they were putting the site on
maintenance mode to test it more. Haven't tried it again but last night
I could pull up random names just about every time.


I think that what happens is that they give everyone the same cookie
(one cookie value given to everyone).

i


I wonder then if that was the case, if one could then deliberately fool the
system by generating your own cookies and thus harvesting personal
information deliberately?


On decent websites, cookies are hard to guess. My site algebra.com
gives cookies like this:

Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT

(cookie slightly altered but looks same as the original). It is not
easy to guess someone else's cookie.

i


#11
New Harbor Freight website has MAJOR security hole!!!


"Ignoramus9191" wrote in message
news
On 2010-04-30, Roger Shoaf wrote:

"Ignoramus9191" wrote in message
...




Got an Email reply from them. Seems that they tested the site and found
the same thing I did. The message said they were putting the site on
maintenance mode to test it more. Haven't tried it again but last night
I could pull up random names just about every time.


I think that what happens is that they give everyone the same cookie
(one cookie value given to everyone).

i


I wonder then if that was the case, if one could then deliberately fool the
system by generating your own cookies and thus harvesting personal
information deliberately?


On decent websites, cookies are hard to guess. My site algebra.com
gives cookies like this:

Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT

(cookie slightly altered but looks same as the original). It is not
easy to guess someone else's cookie.


Do the cookies progress randomly or could one deduce the progression or
regression from a limited sample? It would seem to me that if the cookie
generation was not given a lot of thought, then on commercial sites, one
might have the ability to sneak in and poke around.

--

Roger Shoaf

About the time I had mastered getting the toothpaste back in the tube, then
they come up with this striped stuff.


#12
New Harbor Freight website has MAJOR security hole!!!

Ignoramus9191 wrote:
Got an Email reply from them. Seems that they tested the site and found
the same thing I did. The message said they were putting the site on
maintenance mode to test it more. Haven't tried it again but last night
I could pull up random names just about every time.


I think that what happens is that they give everyone the same cookie
(one cookie value given to everyone).

i


I pulled the ones I had and all were different. I had saved them in a
file in case they didn't believe it. Deleted it when I called and found
they were working on it.

Talked to a human about it and was told that soon after my message came
in they received more asking the same questions. I'm sort of surprised
others didn't catch it first.

Should have asked for an unlimited gift card....

Anyway she said they were pulling the site until they could figure out
the problem.

--
Steve W.
(\___/)
(='.'=)
(")_(")
#13
New Harbor Freight website has MAJOR security hole!!!

On Fri, 30 Apr 2010 18:20:26 -0400, "Steve W." wrote:


I pulled the ones I had and all were different. I had saved them in a
file in case they didn't believe it. Deleted it when I called and found
they were working on it.

Talked to a human about it and was told that soon after my message came
in they received more asking the same questions. I'm sort of surprised
others didn't catch it first.



It's always a bit scary when you realise that you're the first person to
report a bug!

BTDT

Mark Rand
RTFM
#14
New Harbor Freight website has MAJOR security hole!!!

On 2010-04-30, Roger Shoaf wrote:

"Ignoramus9191" wrote in message
news


[ ... ]

On decent websites, cookies are hard to guess. My site algebra.com
gives cookies like this:

Set-Cookie: algebra_session=99c16b978354929m73a48ag2e1d7a850; path=/; expires=Mon, 05-Jul-2010 21:21:30 GMT

(cookie slightly altered but looks same as the original). It is not
easy to guess someone else's cookie.


Do the cookies progress randomly or could one deduce the progression or
regression from a limited sample? It would seem to me that if the cookie
generation was not given a lot of thought, then on commercial sites, one
might have the ability to sneak in and poke around.


If I were generating cookies which could be used to access
personal information, I would probably start with the process ID and the
unix raw date, with the digits interleaved by some pattern, and then run
a MD5 checksum on it to generate the actual cookie numbers. Depending
on how serious the stored data was, I would probably toss another few
randomizers into the game.

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
#15
New Harbor Freight website has MAJOR security hole!!!

On Fri, 30 Apr 2010 08:32:44 -0700, "Bob La Londe"
wrote:

"Steve W." wrote in message
...
DO NOT USE IT!!!!

I went there and looked it over. Yes it's slow. They have a notice that
if you had an account prior to the 19 you need to sign up for a new one.

I clicked the account button to create a new account.

Instead of getting any type of account log in or sign-up page I was sent
to the account of a person who lives in the 914 area of NY. It listed
the name, address, phone numbers and recent orders for this person.

Thinking this was a glitch I tried to exit and reload the page.
It brought up a new page with the account information of a person in
Wisconsin!

I closed down the browser, flushed the memory and went back to the site
to see if I could get in. Went to the same "secure" section of the site
and tried the account button again. It took me to yet another member's
account information!

I just sent the customer service an E-mail about it but don't know if
they will take action.


They will I am sure.

It's a nice looking website. More clean and professional rather than
industrial looking. The search function works better. Now if they would
just add all the service and repair parts from the master catalog. That was
the main thing I found lacking in the old cart system. They had never done
all the data entry for all the repair and service parts. You could search
by item number if you knew it, but if you didn't it was impossible to find
via the site.

Some folks may not like the clean and professional look now. The old cart
system had that rough oily feel of actually being in a Harbor Freight store.
You could almost smell the machine oil and the cosmoline. I kinda liked
that. Then I think a shop that doesn't smell of oil, old varnishes, and
spilled paint just isn't a shop.


Actually...I agree 100% with you.

Gunner


"First Law of Leftist Debate
The more you present a leftist with factual evidence
that is counter to his preconceived world view and the
more difficult it becomes for him to refute it without
losing face the chance of him calling you a racist, bigot,
homophobe approaches infinity.

This is despite the thread you are in having not mentioned
race or sexual preference in any way that is relevant to
the subject." Grey Ghost


#16
New Harbor Freight website has MAJOR security hole!!!


"DoN. Nichols" wrote in message
...

If I were generating cookies which could be used to access
personal information, I would probably start with the process ID and the
unix raw date, with the digits interleaved by some pattern, and then run
a MD5 checksum on it to generate the actual cookie numbers. Depending
on how serious the stored data was, I would probably toss another few
randomizers into the game.


Seems to me (and I am no expert), that the ability to access personal info
should be blocked from cookie access. To get to that data you should have
to log in with password and ID. To do it otherwise seems to me to invite
trouble.

--

Roger Shoaf

About the time I had mastered getting the toothpaste back in the tube, then
they come up with this striped stuff.


#17
New Harbor Freight website has MAJOR security hole!!!

On 2010-05-01, Roger Shoaf wrote:

"DoN. Nichols" wrote in message
...

If I were generating cookies which could be used to access
personal information, I would probably start with the process ID and the
unix raw date, with the digits interleaved by some pattern, and then run
a MD5 checksum on it to generate the actual cookie numbers. Depending
on how serious the stored data was, I would probably toss another few
randomizers into the game.


Seems to me (and I am no expert), that the ability to access personal info
should be blocked from cookie access. To get to that data you should have
to log in with password and ID. To do it otherwise seems to me to invite
trouble.


Yes -- but some systems *remember* that you have logged in based
on cookies set for the session time only. HTTP is a "stateless"
protocol, so it can't remember that you are logged in without some kind
of help.

Better would be double-key encryption both ways of course.

Enjoy,
DoN.


--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
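As an added illustration that is not code from the thread or from the site under discussion, the Python sketch below pulls together the points raised in posts #8, #10, #14, #16 and #17: session ids come from the operating system's random source rather than from a process id and the clock, personal data is served only to a session that a password login has bound to a user, and a store that hands every visitor one and the same cookie reproduces the symptom Steve reported. The user table, passwords and the SHARED_COOKIE value are made up for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 60 * 60  # seconds a session id stays valid

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample users (made up for this example, not real customer data).
USERS = {
    "alice": {"salt": b"salt-a", "pw": _hash_pw("alice-pass", b"salt-a"),
              "profile": {"name": "Alice Example", "state": "NY"}},
    "bob": {"salt": b"salt-b", "pw": _hash_pw("bob-pass", b"salt-b"),
            "profile": {"name": "Bob Example", "state": "WI"}},
}

class SessionStore:
    """Server-side session table keyed by an unguessable random id."""
    def __init__(self) -> None:
        self._sessions: dict = {}  # sid -> {"user": Optional[str], "expires": float}

    def _issue(self, user: Optional[str]) -> str:
        # 32 bytes from the OS CSPRNG, not derived from PID, clock or a counter,
        # so one visitor's id reveals nothing about anyone else's.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def _live(self, sid: str) -> Optional[dict]:
        sess = self._sessions.get(sid)
        return None if sess is None or sess["expires"] < time.time() else sess

    def new_session(self) -> str:
        """Anonymous session handed to every fresh visitor."""
        return self._issue(None)

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Bind a session to a user only after the password checks out."""
        user = USERS.get(username)
        if self._live(sid) is None or user is None:
            return None
        if not hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw"]):
            return None
        del self._sessions[sid]       # retire the pre-login id ...
        return self._issue(username)  # ... and rotate to a fresh one

    def account_page(self, sid: str) -> Optional[dict]:
        """Personal data goes only to a live session that is bound to a user."""
        sess = self._live(sid)
        return None if sess is None or sess["user"] is None else USERS[sess["user"]]["profile"]

SHARED_COOKIE = "session-for-everyone"  # constructed value standing in for the suspected bug

class SharedCookieStore(SessionStore):
    """Identical logic, except every visitor is handed one and the same id."""
    def _issue(self, user: Optional[str]) -> str:
        self._sessions[SHARED_COOKIE] = {"user": user, "expires": time.time() + SESSION_TTL}
        return SHARED_COOKIE

    def new_session(self) -> str:
        # A fresh visitor inherits whatever the previous visitor left in the single slot.
        return SHARED_COOKIE if SHARED_COOKIE in self._sessions else self._issue(None)

def demo() -> tuple:
    good = SessionStore()
    alice = good.login(good.new_session(), "alice", "alice-pass")
    safe = (good.account_page(alice)["state"], good.account_page(good.new_session()))
    bad = SharedCookieStore()
    bad.login(bad.new_session(), "alice", "alice-pass")
    leaked = bad.account_page(bad.new_session())  # never logged in, yet sees Alice's data
    return safe, leaked
```

With the random store a second visitor's fresh session gets nothing, while the shared-cookie store returns the previous visitor's profile to whoever comes next.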