Even My Mom Could Hack These Sites 233
I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, at the time I had set up shop with these hosting companies, I entered a domain name at the time of creating my account, and asked them to register it on my behalf (long before I had this experiment in mind). Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.
But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over, are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server, knows enough to buy the domain and point it at the server that the company gives them.
But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".
The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.
Similarly, any hosting company that registers domains on behalf of users, should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and what's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.
Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?
well what ISPs released the info? i want to avoid (Score:4, Interesting)
Re:well what ISPs released the info? i want to avo (Score:3, Insightful)
Re: (Score:3, Insightful)
I'd go out on a limb and suggest that none of this really occurred and what he's really doing is showing off a huge social experiment about how people will talk about nothing. If he really did find something viable out he would definitely offer up the names and contact information of these companies so that people could complain and drop their services.
1: "Aaaah, now I know who these weak companies are I can be pretty sure of hacking some sites they host!".
2: Ill gained PROFIT!!!
It is responsible of the poster to not reveal which companies have weaknesses he has discovered.
Re:well what ISPs released the info? i want to avo (Score:4, Insightful)
WARNING! WARNING! You are entering a ethical gray area in which arguments either way have valid points, please give this issue the respect it deserves and don't try to treat this like some cut-and-dry right-or-wrong answer.
I, for one, could put forward the argument that it is the responsibility of the poster to fully disclose to the public, (after first notifying the offenders and waiting a reasonable amount of time), so that those of us who are vulnerable to such a social engineering attack, can know about it and react accordingly.
Re: (Score:3, Interesting)
What so you can wear the cost and disruption of moving to another provider that he didn't test and will probably do the same thing anyway?
Wouldn't he be better off just posting a list of providers
Re: (Score:2, Insightful)
Re: (Score:2)
Regards,
--
*Art
Re:well what ISPs released the info? i want to avo (Score:5, Insightful)
If this guy actually has 10 businesses or unique sites or whatever (unlikely), wouldn't you pick the one hosting service with the best service plan and just use it?
Re: (Score:2)
Re: (Score:3, Insightful)
Re:well what ISPs released the info? i want to avo (Score:4, Informative)
Most tech or web consultants deal with a variety of hosting companies and call clients website, 'my website'. As far as I'm concern, if it's my responsibility, then its my website in casual conversation. In business conversation, I clarify who the actual owner is. Web consulting is one component of what we do, and while we have two primary ISPs that we recommend--one for really cheap services, that are good, but still fall under the 'you get what you pay for' classification; and the other for high availability, great features, great security, and offers both dedicated and shared hosting plans.
But even with our top 2, offered or at least mentioned to all clients, we've worked with way more than 10 ISPs. Recently, we made a big effort to encourage clients that we providing continued website maintenance for to switch ISPs as well as to switch CMS and domain registers. We were successful with 75% of those clients, and that's reduced the number of ISPs we've had to deal with down to 5--with GoDaddy, and AT&T two of the ISPs we'd love to say goodbye to. AT&T (formerly SBC) is fine for DSL and connectivity, but hosting, ick.
Whether or not the experiment took place, I can't say, but I'd agree with the results even if they were just a random estimate. There are a number of small ISPs who perform a slew of tasks based on name recognition; or other random things. I can't state the number of times as a consultant, I've called up ISPs simply stating that I'm the new web developer for so and so site; and need access to this, that, and that; and have it happen without any secondary verification to the company that I did have privileges.
Re: (Score:3, Insightful)
Sounds like that's what he was doing (Score:4, Insightful)
Re: (Score:2, Funny)
As a 48 yo grandmother, I am offended that technical incompetance is equated with being a mother. I don't think anyone would have said "even my dad could hack these sites".
I am incidentally, a C programmer of 20+ years.
Re:well what ISPs released the info? i want to avo (Score:4, Funny)
There, that should be inoffensive enough for everyone now.
-(Anonymous for safety)
Re:well what ISPs released the info? i want to avo (Score:4, Funny)
You just offended everyone's mother.
Re: (Score:3, Interesting)
Every time the anti-bushies raised my score, that allowed the pro-bushies to expend more negative mod points to try to knock my post down. All in all, I got like 27 positive mods and 25 negative mods. And for getting 25 negative mods, I got my posting privileges suspended for almost a month.
Now, if none of the anti-Bush crowd had modded me up, the pro-Bushies cou
Re: (Score:2)
Re: (Score:3)
Re:well what ISPs released the info? i want to avo (Score:4, Funny)
Re: (Score:2)
You're a feminist? How cute! (Score:4, Insightful)
One swallow does not a summer make.
As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose. Get your fellow sisters to become on average at least as tech-savvy as the average man, and then complain.
Note that men don't complain when allegories about the opposite sex are used. A statement like "His hands were typing at the speed of an old grandmother knitting" won't be met with outrage from men feeling offended because grandfathers could be knitting too.
Take your hardcore feminism elsewhere -- it doesn't belong on
Re:You're a feminist? How cute! (Score:5, Interesting)
I'm not condoning racism, I'm just pointing out how much sexism is often seen as O.K. whereas racism is seen as an eternal evil. The line "As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose" in particular would not go down well if made on racial rather than sexual grounds, despite probably being equally valid.
Re:You're a feminist? How cute! (Score:5, Funny)
How was that?
Re:You're a feminist? How cute! (Score:5, Funny)
How was that?
That was horribly offensive. As a white I feel very excluded.
Re: (Score:2, Funny)
Even a nappy-headed ho could hack these sites.
Yours truly,
D. Imus
Re:You're a feminist? How cute! (Score:4, Insightful)
While discrimination may be wrong, being overly sensitive to remarks that are true just raises the amount of discrimination and prejudice in the air. I don't know anyone that thinks women should be second class citizens, but I also know very few people who don't hate feminists.
parent is a troll (Score:5, Insightful)
Re:well what ISPs released the info? i want to avo (Score:5, Funny)
Re: (Score:2)
Not a mother -- his mother.
Re:well what ISPs released the info? i want to avo (Score:2)
I guess I can let you off this time...
The moral of the story is: (Score:5, Insightful)
Re:The moral of the story is: (Score:5, Interesting)
Obviously for many accounts, it is possible to get accurate, useful information. Then again, when a company views it that you are holding their website hostage they get a little upset too! We have several lawyers get froggy with us on behalf of their clients when we did try to verify things. Also, with so many hosting companies its a very cut throat business. Its hard to make money when you get $10 a month at best from most customers. That's less than most Internet access accounts.
Now if you pay verio through the roof for hosting they will go through quite a few steps to verify you are you but they won't keep spam off their network. I had an account with them a few years ago and they actually had an open relay setup. Anyone could impersonate your website and if you had an account, it was easy to enumerate the domains on the server your site was on. Some of this might be resolved with their costly VPS services, but its also resolved with a dedicated server you can lock down yourself too. These days I won't run anything on a server I do not control. I've also found that ISPs are much more careful with dedicated server or VPS account customers.
As far as listing companies, I think most people are scared of lawsuits these days. Since I happened to pick on my verio experience, I should be just as unfair to my own former employer. http://www.customweb.net/ [customweb.net] (myeasyhost.com now i believe) There is something wrong with every hosting company. The trick is finding one that you can live with.
Why not use the simple, obvious solution? (Score:5, Interesting)
For verification, ask for the matching credit card name and number, or write to the billing address, etc. However you were getting paid, there is some form of verified contact. (Unless you weren't getting paid, in which case nuke them, or you were billing their ex-employee's private credit card, in which case that person still "owned" the site and you shouldn't be giving the caller access).
Re: (Score:2)
Re: (Score:2, Insightful)
Sounds like a pretty crappy setup right from the start. You needed a better plan, bro, instead of being so damned greedy to take the customer's bucks. You did NOT plan for all contingencies, that's your fault. Sure, the customer is stupid. But you have to look out for them if you're doing business with them; that's YOUR responsibility, and that's why they paid you.
Just hand out their user name and password? That's dumb. And now YOU are
Re: (Score:2)
Re: (Score:2)
Darn tootin'!
Oh, wait - is this still part of the Falwell thread?
Re: (Score:2)
No, you get who you pay for.
Case in point: the RegisterFly.com debacle.
Many of us had solid, reliable, moderately-priced hosting accounts through RegisterFly for MANY years, and then one day, the world just turned upside down. The proverbial cover on the book always looked great, and they, in fact, proved themselves to be very reliable for a long time. But just like that, it just fizzled away. And related to the article, I managed to transfer 23/23 domains away from Registerfly.com
Statistical sample (Score:5, Insightful)
Am I wrong? (Score:5, Interesting)
I would have thought the opposite: The big monoliths would have out-sourced unmotivated help desks that might do this. Smaller companies, I thought, where actually run by real people with a connection to their customers... Am I wrong?
Big, out-sourced ISPs (Score:5, Interesting)
IMO, the most dangerous aren't the untrained script-readers from a large ISP, nor the three-CS-college-friends small ISPs, but the folks at "mid-sized" ISPs who know just enough to be dangerous. At a big company, procedures protect you. At a small company, it's possible that the knowledge of the smart guy running the shop will help protect you. A mid-sized shop, that's hired some less knowledgable folks but doesn't have procedures yet, seems to me to be the most likely to screw up.
Re: (Score:3, Insightful)
I on the other hand have worked for a company where hosted sites payed upwards of $50.000 for the site and $500+ for hosting per month, we knew our customers and never had to consider such problems.
Both my
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I would have thought the opposite: The big monoliths would have out-sourced unmotivated help desks that might do this. Smaller companies, I thought, where actually run by real people with a connection to their customers... Am I wrong?
Maybe. The other running theory is large companies have enough people to actually have procedures in place to catch these kind of things.
But it's been my observation that you're correct as well. Large companies lose any connection to customers, and tend to treat them as commo
past mistakes (Score:2, Interesting)
Re: (Score:3, Insightful)
Re:past mistakes (Score:5, Insightful)
Re: (Score:2)
And don't forget that computers are not that simple. They just appear simple to you because you *are* already used to them. Things like pressing the start but
Re: (Score:2)
Re: (Score:2, Insightful)
Social Engineering Expert... because there is no patch for human stupidity.
[/blatantly stolen]
Re: (Score:3, Funny)
never underestimate a person's unwillingness to learn something new.
"You would think ..." (Score:2)
Re: (Score:3, Funny)
And yet... (Score:2)
Gee thanks (Score:5, Funny)
Get a real ISP... (Score:4, Interesting)
Re: (Score:2)
I don't know. That sounds quite reasonable to me. It provided security and a modest charge for your negligence. BUT God help you if you had, say, 50 domains, and someone maliciously sent requests for all of those on your behalf, and then you got dinged $5.00 each....
Re: (Score:2)
> A "real ISP" doesn't charge to reset your password.
He could have been referring to his cell phone service.
Re: (Score:2)
passwords should be hashed (Score:5, Insightful)
Re: (Score:3, Interesting)
Of course, if they don't bother to hash it then that's probably another symptom of complacent or non-existent security policies and could be a red flag that kind of problem is a possibility. And to the converse, if they bother to hash the password they're probably smart enough to have stricter policies in place.
Still...
Re:passwords should be hashed (Score:5, Informative)
a) Store a password as plaintext instead of hashing. (And, obviously, they were not salting the passwords.)
b) To display the password on screen, where anyone shoulder-surfing could take a look.
A few months later, I was running into some problems, and emailed them for support. Somewhere along the interchange (they didn't believe that the option I needed was missing from the control panel), they actually asked me for my password (over email) so that they could go and change it themselves. This baffled me, and I sent them a very long letter explaining in detail why it is a bad idea for a company to ask its own customers for their passwords, and why email should never be used to exchange password data. Moreover the idea that they didn't have the admin privileges to go check for themselves struck me as odd.
Anyways, I never gave them my password, and told them to fix it from their end, which they eventually did. Needless to say, at the end of the contract, I didn't renew. So I guess I have to agree with the article's point: many small or medium hosting companies are not bothering to implement basic security protocols (like hashing). But, more importantly, somehow the employees are not being trained with even the minimum skills regarding security.
Re: (Score:2)
That's exactly what my hosting company does (cheapcheap [cheapcheap.biz]). Support reps can reset your password, but not tell you what it is. Furthermore, if requesting changes, you have to provide all kinds of account information to verify your identity -- customer #, account pin #, last several digits of the credit card used to pay for the domain, billing street address, etc. Honestly it was a pain in the ass to get my account reset a few months ago, but I'd rather it be difficult than something anyone could do.
Pick any two... (Score:5, Insightful)
This seems pretty simple though (Score:2)
It's probably easier than you think (Score:5, Insightful)
http://www.google.com/search?q=inurl%3Aadmin%3Dtr
I'm not attempting to start a flame-war here, but the percentage of those sites that end in ".php" is remarkably high...
Ah to hell with it, let the flames commence.
*runs*
Re: (Score:3, Interesting)
Re: (Score:2)
Troll? Me? (Score:2)
Re: (Score:2, Interesting)
Your Mom (Score:2, Funny)
I try this everywhere (Score:5, Informative)
For more fun, forge your from: and reply-to: headers. Attach an empty file called signature.asc. Or make it appear to have been sent from a Blackberry, with a fake tag line "Sent via BlackBerry(r)" at the end. You could even go so far as to forge a "conversation" between 2 people which you are forwarding to make it look like the officers of the company authorized you dealing with the company.
I think part of the failure is that many IT workers have faced a similar situation: new job duties include trying to recover accounts/information from a disgruntled former employee.
What I've done with a few companies that we work with is given them a secret key to store in the account notes. I am the only one that knows the key. The other members of the board know the location to get the key, but not the key itself. Major account changes require the key. Along with the stored key there are detailed instructions about each and every external IT account in case something happens to me, or they wish to fire me. It's not flawless, but it's better than nothing.
Re: (Score:2)
I try this with every new company we utilize through work. I call from a variety of numbers, including the one registered, my cell phone, and my home phone. I call, giving them only the company name and claim to be "new". If they get suspicious, I tell them the entire IT staff was fired and I'm their replacement and the old staff wouldn't give anyone details about accounts. The social engineering aspects are insanely easy. A few want a fax sent on company letterhead. Any idea how easy it is to fake letterhead through fax? Even a postal letter is easily faked. I remove our liability, or at least reduce it, with companies like this. It takes maybe 10-15 minutes for each company -- give a try sometime.
For more fun, forge your from: and reply-to: headers. Attach an empty file called signature.asc. Or make it appear to have been sent from a Blackberry, with a fake tag line "Sent via BlackBerry(r)" at the end. You could even go so far as to forge a "conversation" between 2 people which you are forwarding to make it look like the officers of the company authorized you dealing with the company.
Damn ... and I used to consider myself sly for tricking people into thinking that objects in Second Life (which speak with green text) were human players (who speak with white text) by prefacing my remarks with "Wow, check this out guys, I can make my text green!"
I did something like this once... (Score:5, Insightful)
Re: (Score:3, Funny)
Did she ask what your new tart looked like?
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
(Disclaimer, I'm a programmer, not an admin.)
Re: (Score:2)
He could just as easily have called up, claimed to have "just got back from holiday and forgotten my login details" and given Sarah his boss' name. 30 seconds later, he's got his boss' user ID and the password reset on the boss' account.
Re:I did something like this once... (Score:4, Funny)
Maybe I'm "retarted"...but I thought that's exactly what the guy did. That was the point of calling from his boss' phone, right?
Hmm.*peeks out of cubicle at boss' office and notices it's empty* Hmmmmmmmm.
uncomfortably high? (Score:5, Insightful)
It seems that the only thing "uncomfortably high" is the author. If real, a 50% failure rate is deplorable, to the point where it ought to have prompted some righteous moral outrage. This isn't just another intellectual exercise in social engineering, it's a failure of the system. It's equivalent to 5 out of 10 grocery stores accepting a check presented by someone not the account holder and with no signature on it. That sort of behavior wouldn't be socially tolerable, nor should this be.
If it is, in fact, a real event.
The author ought to be immediately forthcoming with the who, what, and when of his experiment if he really wants some serious consideration and feedback.
Re: (Score:2)
> The author ought to be immediately forthcoming with the who, what, and when of his experiment if he really wants some serious consideration and feedback.
You bet he would be getting feedback... in the form of one or more court summons.
The suits would be coming out of the woodwork at him.
This should be a day and age where social engineering should not work anymore, but it does.
It also should be a day and age where a company or person should not intimidate others into silence with possible legal action.
Re: (Score:2)
Not unexpected (Score:2)
Now, given enough time and resources that sort of thing is going to happen. However this particular hosting company responded to the defacement in entirely inadequate ways. About a week after the defacement, they informed their customers that their upstream network provider was requiring a reformat on all machines which had been cracked.
WTF? Isn't this the
Re: (Score:2)
This is actually quite common. Many companies rent cheap dedicated servers from large providers like theplanet.com and then resell shared hosting on them. It's a good way to make money and offer really cheap hosting to a lot of customers. The downside is that if an incident occurs then the reseller has to go through the support channels of their own hosting provider to get the matter resolved.
It's not like they can just
Re: (Score:2)
In other words, this should have been initiated by the hosting business, not by someone upstream. It shows a lack of responsibility on their part, a lack of planning, and a likelihood that it will happen again.
Re: (Score:2)
I wasn't defending them. Just trying to explain that chances are it wasn't actually a 'business' (in the sense of an office with employees etc.) and more likely just one or two guys running things from his PC at home renting dedicated servers for $100 / month and reselling space on them. That's what many of those $5 - $10 / month hosting "companies" actually are.
For $80 USD you can rent a server and then hire a web design student at the local community college to make you a "corprote" we
Hosting 101 (Score:4, Informative)
Re: (Score:2)
Please send me your hotmail username and password (Score:5, Funny)
I call bluff! (Score:5, Interesting)
The author also suggests that small hosting companies have poorly-trained staff. That could not be any further from the truth. In most cases, small companies are run by one or more highly skilled techie entrepreneurs who know their clients well enough to avoid such security blunders. A large faceless company with dozens or even hundreds of employees is far more likely to have things slip through the cracks, and the staff hierarchy ensures that no single individual knows the whole story.
Take for example the world of Internet Service Providers. In a small, 3-man shop, when you call tech-support you're probably talking to a server administrator or network guru. In a big nationwide telecom, you're talking to an outsourcer who learned his "trade" six months ago during his job training and his primary source of information is the knowledge base and screenshots on his workstation.
Well here's a not-so-secret fact about hosting companies: they outsource their sales and support just like any other business. The bigger they are, the more likely you will be speaking with someone who has no idea who you are, what your server looks like and who is more afraid of their own supervisor than of you withdrawing your business. I was shopping for a cheap junky server a couple months ago and I dealt with 4-5 different hosting companies who were looking great, right up until their sales person dropped the ball out of either ignorance or laziness. Most of them were just human parking pages, no matter what I typed into the chat box, they'd simply return a list of links to their terms of service or FAQ. There's one particularly brilliant fellow who pointed me to a non-existent PDF file on their website, then took another 10 minutes to finally accept that I am not an idiot and if I say a link is 404, it's friggin 404. Many of them ended the conversation saying they would email me various documents or a contract, and none ever did. At one point I was even doubting my own mail server, since NONE of them were coming through on their promises.
The moral of this rant ? The world of web hosting is bursting with fraudsters, posers and imbeciles. I probably put in 30-40 hours of research before finally coming across a provider that suited my needs and budget, most of that time was wasted dealing with crooks and idiots. Here's a tip: go to a forum like webhostingtalk.com and have a chat with other hosting clients, read all the success and horror stories before throwing your money at a company you don't know. Make sure you know what you're getting into before signing anything.
Re: (Score:3, Informative)
Can It Be So Simple... (Score:3, Funny)
From the other side of the fence... (Score:3, Interesting)
I got a call from one of my clients' employees asking for a password reset on his email account. He's moving to a new office in the same building, doesn't know his password, wants to set up Outlook. No big deal, usually, but this is a guy I've never talked to or met. He argued with me a bit about it - said he's been an employee there for years, the boss is a personal friend, etc etc. Regardless, I don't know him from Adam so I refuse to give him the new password, instead offering to email it to the boss (the only contact email we have on file). He eventually accepts this.
Then we find out the boss is out of town somewhere and can't check his email. The guy's password has already been reset, so he can't check mail on his old computer either. He's SOL for the rest of the day until the boss checks his email from the hotel.
I hate to make things hard, but I have to - otherwise I could find myself featured in an article like this.
Quick and easy revenge (Score:2)
Seanic (Score:3, Interesting)
(1) All I had to do to get my FTP host, user ID and password was ask. It didn't matter what email address I used. No verification at all.
(2) On two separate occasions, they accidentally emailed me somebody ELSE'S FTP login information, at random, without me even contacting them.
(2) I requested a telnet account (no SSH), and the permissions were such that I could cd / and cd into any other client's home directory. I assume that other telnet users could access my home directory as well.
All for only four bucks a month.
Re:HAPPY news, Reverend Falwell dead at 73 (Score:5, Informative)
Absolutely not.
The people who picket funerals are the "Westboro Baptist Church", headed by Fred Phelps. He is beyond the pale, and should no more be associated with the American religious right in general than Stalin should be associated with socialist politics.
Seriously, check out the "religious beliefs" [wikipedia.org] section of his Wikipedia article. He seems to be simply filled with hate, and uses a veneer of religion as the excuse. He believes salvation and damnation are obtained by aligned with or opposing him. His children who have left his church consider him a cult leader, and say that his actual religious beliefs are virtually non-existent.
Yes, Falwell said some stupid things--things that frustrated, embarrassed, and angered me as a theologically-conservative Christian. But please, do not associate Phelps' actions with anyone other than Fred Phelps.
Re: (Score:2)
I did not, do not, and will not ever respect him. What I said was "any human being's funeral and grave should be respected." There's a difference. I respect that he was human and there are people who may have respected him even if he did not give the same respect to other human beings during his life.