What if someone gained access and started posting some of the comments their doctors were making in private in a more public venue (like a blog)? What if that posting has enough information to identify someone, even tho the doc thinks it doesn’t?

If Sermo had wanted to have an open community with a loose registration process, they would’ve simply asked you to agree to a statement that says, “I verify that I’m a licensed physician.” Since they didn’t do that, that would imply they understand the importance of securing their borders. They certainly wouldn’t add yet another authentication token to their registration process (as they did after this problem was published).

Oh, and yes, Sermo and its investors are concerned. Just because they don’t post a press release doesn’t mean they haven’t been reacting to this issue. In fact, I’ve been contacted privately by someone associated with one of their investors to talk further.

I suppose those most likely to attempt to hack into the site would be people who have a financial investment in a certain medication. I would expect that nothing but glowing reports from a particular person for a certain drug would arouse suspician, however, at which point their status could be looked into.

I guess I’m just not seeing how internet security is something that they are heavily invested in. Sure they have a paragraph talking about security – but I think you would be hard pressed to find a message board site with some professional input that doesn’t mention security.

As a doctor… What does it matter to you if you are thinking you are talking to doctors and it turns out that you aren’t?

- They might misconstrue some thoughts as a medical advice, act on it, experience a negative reaction, then sue you. Given the guidelines of the site lawsuits against you on these grounds are unlikely to be successful.
- They might start asking you for professional opinions. Given the guidelines of the site such a person would be blocked fairly swiftly.
- They might insist on sharing their ‘folk theories’ which go against scientific research. Given the guidelines of the site such a person would be investigated and blocked fairly swiftly.

What more could you want from a site where you want to ask some serious questions about medicine and receive some serious answers from people who know what they are talking about?

I don’t really see how investigating every member manually would provide much more benefit. Unless… People are set to send in a constant stream of identity-stealers, of course.

Perhaps the fact that they didn’t seem concerned that it was possible to breech the site this way… Shows you that… They are not concerned.

So yeah, it kinda matters to them.

Inadvertent or otherwise this looks like providing information as to how to get around the security, to me.

It might be the case that it doesn’t take a mastermind to figure it out but then it similarly doesn’t take a mastermind to figure out how to get around being locked out of any other kind of community either.

My point was: How much does it matter to them that only doctors post there? Maybe… It is more of a cursory gesture so that doctors feel freer to say what they think without people insisting on misconstruing it as ‘endorsement’ or ‘advice’. If someone were to attempt to sue then perhaps the defence could be ‘I thought s/he was a doctor hence would not be silly enough to actually try that’. Once it became apparent that the person was, in fact, passing themself off as a doctor and had actually ‘borrowed’ someone elses identity to do so I’m fairly sure a litigation would not be successful. Maybe… It is good enough for their purposes…

I did *not* “advise others” on how one actually goes around their registration process. I pointed out the troubles with using public-knowledge authentication tokens, contacted Sermo about the issue, and received a polite brush off.

Again, as I said in the post (which was apparently read sparingly for content) I like the idea of Sermo. My post isn’t about not liking Sermo or being a fan of their model. My post was about asking how could one have so many resources and not do a security audit to check for this.

How easy would it be for a poster who is blocked at psychcentral to re-register and post under a new username completely undetected by the moderators here?

I’d provide the step by step process for doing that, but I personally believe that providing a step by step process to enable people to get around security measures is bordering on the unprofessional.

I wouldn’t expect someone of professional standing to advise others how to hack into a bank or any other system for that matter. I’d also expect the general attitude to online hackers to be one of sympathy for those whose security measures are breeched rather than glee (and outright endorsement) of hacking activities.

> if you want to gain a professional’s trust by emphasizing how “secure” your community is, you should be prepared to stand by your current registration practices. The fact that their registration is so easy to game at present means their community is less-than-secure.

And the fact that it is indeed possible for a blocked poster at your site to reregister under a new posting name without being detected by moderators means that your site is similarly less-than-secure.

My understanding is that doctors like to chat to doctors because they get sick to death of non-doctors asking them for professional advice and then threatening to sue. So long as it cuts down on people asking for advice and / or people threatening to sue for advice received (as it will if people have to at least pretend to be professionals) then I’m happy for them.

But I believe they are stonewalling and being disingenuous suggesting it’s not really a problem (especially their suggestion that the federal gov’t would go after anyone impersonating a physician on their service, which is just laughable).

That’s not the kind of attitude we’d expect from a company trying to gain physicians’ trust.

Sermo has nothing to do with government money, as it is a private company, so i am afraid that you are mistaken.

My point is simple — there’s no reason Sermo needed to go with this weak authentication model for its registration, other than to increase its membership numbers as quickly as possible. I believe Sermo did so at the sacrifice of security, and now has a community where I believe it can legitimately make no guarantees that all of its members are indeed doctors (as they claim).