Help crowdfund a relentless tsunami of FOIA requests into America's private prisons

I just signed up for an account with MuckRock. Then I decided to try funding an FOIA. I was presented with a dialog box that said they had texted a confirmation code to my phone with what looked like the correct last digits of my phone number. I had not given them my phone number. So now I’m sufficiently creeped out and pissed off that I’m not donating.


Well… That seems sketchy as hell.
I’ll be back later to say if the same happened for me.


Hi Headcode, I’m really sorry about that experience, and totally understand why that’s creepy. We use Stripe as our payment processor, and what likely happened was that you clicked “Remember Me” on another site at some point. Stripe then remembers you across sites so that you don’t have to give each one your credit card number, which is ideally better for security but which they don’t do a perfect job explaining, both when you first click “Remember Me” and when you click pay on another site.

Happy to do whatever we can to make it a better experience, and thanks for taking a look at what we’re up to.


Onya dude. Give those prison-industrial scumbags hell.


Come on, throw in, ya bums! ($25 donated)

Same here - great service from Stripe. Michael gave a good explanation.

I didn’t realize OAuth could be abused like that. Not only am I not soothed, I am going to delete any existing donation accounts I have set up and start all over. As far as I’m concerned, this is a security hole and privacy issue.


Additionally, I see there doesn’t seem to be a way to delete my account on MuckRock. I’m already the victim of the OPM breach. Can’t wait for Stripe to be hacked…

Hi Headcode, if you let me know your username, I will delete your MuckRock account (I’ll check either here or you can email me at Since your Stripe account was registered with them before you came to our site, I can’t delete it, but you can reach them at


Thank you. Also, on top of everything else I don’t even have a Stripe account. I no longer trust OAuth to do what it is supposed to be doing.

OAuth only works if you trust the OAuth providers. If you’ve given your information to one agent, you must trust that agent with the information not only to keep it safe from others but also to only distribute it to others with your consent.

Obviously it’s that last bit that’s troublesome.

That is NOT how OAuth is supposed to work. When I registered at MuckRock I should have been sent to Stripe, which would have asked me to log in and authorize MuckRock to access my info. OAuth is a system for delegation. Something is seriously messed up with Stripe, MuckRock or both. I can say, however, that no matter how inconvenient it may be I am steering clear of Stripe, Patreon and any other similar service.

