Site security: general discussion

GroErr

GroErr

Well-Known Member
Hi all, I'd just like to voice some concerns about this site's security. Not trashing the site as it's a great resource, very helpful and for the most part the members are here to help each other out and have some fun.

With a background of 30 years in IT, not growing in a legal area, and general paranoia (particularly after smoking certain strains!), I frequently question some practices on this site and wonder if there are any plans to make it a little more comfortable for members.

Again, let's have a reasonable discussion, not here to trash the site, I understand to takes resources and shit happens, sometimes.... I'd just like understand where it's going and how others feel about some basic security practices.

Myself, I'm only still here because I am in the (IT) field, thereby have a bunch of tools available to me that can manage the holes in security, understand how sites work, and use those tools to reduce any risk associated with posting here. If I didn't, but had an understanding of how sites and internet security work, I would have never posted a single post here. I have access to many tools, servers, like proxies that can hide the source of my location and allow me to post without being traced to my true location. I doubt if there are a handful of people here that can do that though.

A couple of basic examples to start off that would improve what I'm referring to above:
1) Is there any option (I've tried with no success, perhaps under a different URL?) to access this site via https vs. http?
This is a pretty basic security measure which at least forces any potential hacker (including government agencies) sniffing/capturing traffic to decode that traffic, a hassle and additional step/layer of security that becomes a deterrent.

2) When sending/forwarding email from the site to personal mail addresses, more generic or stripped/modified subject lines could be used. Nothing like getting an email with "My Bubba Kush grow".
Again, not an issue for me as I have a separate address specifically for this site and don't access that site/email for anything. But some do from comments I've seen here.

Any comments or clarification (I don't know a lot of details of how this site is setup) from those in the know would be great.

Cheers, happy growing and be safe...
 
NorthofEngland

NorthofEngland

Well-Known Member
I'm not too worried
That little Swedish bitch from The Girl with the Dragon Tattoo
takes care of all my IT security.
At the moment this message is coming from the hi-jacked IP address of an international charity
then being bounced off 177 different communications satellites
then being filtered through a LANGUAGE DIALECTS RANDOM AUTO-CHANGE
so the authorities won't be able to track me down by studying my use of language
AND/OR the subjects I use that leave CULTURAL, RACIAL, GEOGRAPHICAL and SOCIO-ECONOMIC clues to my identity and background.

So the security authorities could never discover that I am a middle aged, white, working class,
male who lives in a 3 bed terraced house on Walsingham Street, Hillford West, Rotherham.
Or maybe I'm an aristocratic teenage girl from Huelva, on the Andalucía/Algarve border....?
Or I could be the senior permanent private secretary to President Karzai, Curzon House, Diplomatic Quarter, Kabul, Afghanistan....?

The only thing I know for sure is that the security services of the Western World are far too busy to prioritise the surveillance and prosecution of someone growing 12 plants.

I could be wrong....
I could be wrong to think that Lee Harvey Oswald actually DID shoot JFK
or that the TWIN TOWERS actually WERE brought down by a hand full of Islamic Terrorists
and that the US Government and military were not part of a conspiracy to do it.

I'm not important enough to need worry about being watched from afar....
and I'm not mental enough to convince myself otherwise.

But I do have enough tinfoil to wallpaper my entire house
AND have enough left over to fashion several protective hats!!!!


THEY ARE WATCHING YOU!
IT IS NOT PARANOIA...
THEY CAN READ YOUR THOUGHTS
AND SEND CANCER CELLS INTO THE BRAINS OF THEIR ENEMIES.
YOU KNOW THE TRUTH
THEY ARE COMING FOR YOU
TINFOIL HATS ARE YOUR ONLY CHANCE
TINFOIL HATS ARE YOUR ONLY PROTECTION

YOU KNOW THE SECRET!
YOU CAN EXPOSE THEIR CONSPIRACY
ALWAYS BE READY TO KILL BEFORE BEING KILLED
ALWAYS BE READY TO SEE THE ENEMY IN THE ONE'S YOU LOVE THE MOST
 TINFOIL and CARVING KNIVES
MOTHERS, WIVES and GIRLFRIENDS
WILL TRY TO MAKE YOU STOP....
THEY ARE THE ENEMY
YOUR REAL LOVED ONES ARE BEING KEPT PRISONER
THE IMPOSTERS WILL MANIPULATE YOUR DESTRUCTION.

ANYONE WHO ADMITS TO WORKING IN IT IS SUSPECT!
IT IS NOT JUST A PLACE FOR THE VERY DULL
IT IS ALSO A PLACE WHERE THE VERY EVIL HIDE
BEHIND THE MASK OF THE VERY DULL.
 
sunni

sunni

Administrator
Staff member
you dont need to have emails sent to you you can stop that by going to
myrollitup
left hand side
general settings
messaging & notification
go to Through my control panel only.

that was you are subbed but dont receive the emails.


and as always with any website, people need to be self aware when signing up to this website like any other and take their own personal security in mind.
 
GroErr

GroErr

Well-Known Member
Lol, nice post :) I'm not overly paranoid, just when I smoke sometimes ;) Definitely agree with the too small to worry about post but would feel better sometimes with some basic security and discreteness on these sites... It would likely help maintain and attract some members that are paranoid conspiracy theorists like the some of the one's you mention above - lmao
 
GroErr

GroErr

Well-Known Member
sunni said:
you dont need to have emails sent to you you can stop that by going to
myrollitup
left hand side
general settings
messaging & notification
go to Through my control panel only.

that was you are subbed but dont receive the emails.


and as always with any website, people need to be self aware when signing up to this website like any other and take their own personal security in mind.
Click to expand...
Thanks, did that day 2 I think, once I saw what was coming across, don't even login to that email anymore so not an issue.

Any thoughts/comments on the https item?
 
bird mcbride

bird mcbride

Well-Known Member
How did you guys know about my tinfoil hat? That comes from some of my jokes and sarcasms from back in the 1980's:)
 
B

BSD0621

Well-Known Member
GroErr said:
Hi all, I'd just like to voice some concerns about this site's security. Not trashing the site as it's a great resource, very helpful and for the most part the members are here to help each other out and have some fun.

With a background of 30 years in IT, not growing in a legal area, and general paranoia (particularly after smoking certain strains!), I frequently question some practices on this site and wonder if there are any plans to make it a little more comfortable for members.

Again, let's have a reasonable discussion, not here to trash the site, I understand to takes resources and shit happens, sometimes.... I'd just like understand where it's going and how others feel about some basic security practices.

Myself, I'm only still here because I am in the (IT) field, thereby have a bunch of tools available to me that can manage the holes in security, understand how sites work, and use those tools to reduce any risk associated with posting here. If I didn't, but had an understanding of how sites and internet security work, I would have never posted a single post here. I have access to many tools, servers, like proxies that can hide the source of my location and allow me to post without being traced to my true location. I doubt if there are a handful of people here that can do that though.

A couple of basic examples to start off that would improve what I'm referring to above:
1) Is there any option (I've tried with no success, perhaps under a different URL?) to access this site via https vs. http?
This is a pretty basic security measure which at least forces any potential hacker (including government agencies) sniffing/capturing traffic to decode that traffic, a hassle and additional step/layer of security that becomes a deterrent.

2) When sending/forwarding email from the site to personal mail addresses, more generic or stripped/modified subject lines could be used. Nothing like getting an email with "My Bubba Kush grow".
Again, not an issue for me as I have a separate address specifically for this site and don't access that site/email for anything. But some do from comments I've seen here.

Any comments or clarification (I don't know a lot of details of how this site is setup) from those in the know would be great.

Cheers, happy growing and be safe...
Click to expand...
#1) This site lacks HTTPS... Retarded IMHO. I've posted way's to self sign a SSL cert.. No response back about it. Very easy and simple to do. I agree with you on "sniffing" and how easy it is to do. But you heard about PRISM right? regardless all data (telephone and Internet) is stored from the past 10 years. Thanks bush!

#2) Email or you mean PM's? Yeah but like i've said. it's till being stored/has been stored for the past 10 years...


So if you REALLY want to be secure, use proxies, VPN's, TOR and NEVER use your home connection. I hacked into a few residential home routers and back doored them so I have a nice proxy chain going on here with a VPN. This shit is not that hard to do and I never went to college.
 
GroErr

GroErr

Well-Known Member
BSD0621 said:
#1) This site lacks HTTPS... Retarded IMHO. I've posted way's to self sign a SSL cert.. No response back about it. Very easy and simple to do. I agree with you on "sniffing" and how easy it is to do. But you heard about PRISM right? regardless all data (telephone and Internet) is stored from the past 10 years. Thanks bush!

#2) Email or you mean PM's? Yeah but like i've said. it's till being stored/has been stored for the past 10 years...


So if you REALLY want to be secure, use proxies, VPN's, TOR and NEVER use your home connection. I hacked into a few residential home routers and back doored them so I have a nice proxy chain going on here with a VPN. This shit is not that hard to do and I never went to college.
Click to expand...
Yeah, https should be a must for a site like this, agreed. Like I mentioned in my first post, I do my own stealth using other connections/servers I have access to so never post from the same source IP, most though have no clue what or how this shit works, it's not rocket science but most don't care to know the details, even if they're capable of doing it.
 
tip top toker

tip top toker

Well-Known Member
It's the internet, if you don't want to potentially compromise your security or privacy, do no post anything that might potentially compromise your security or privacy. Not rocket science.

I just don't really see the big issue, it's not like members are getting popped on any kind of basis. The ones who did get nicked, got nicked because they were being investigated for actions outside of the site, and when the site then came into question, it was because their computer got seized during an arrest anyway.

We're all still alive and kicking and quite happy ,doesn't seem to bother us, so you do things your way with your proxy's and we'll do things our way and live happily ever after :p
 
potroastV2

potroastV2

Well-Known Member
I've never understood the need for https either. If you believe that the government is reading everything that is passed through routers, then you should also believe that they have a method to beat an encryption scheme. The tunneling protocol is not necessary then either, and would slow down a site with this much traffic.

Believe me, I'm all for keeping every member safe, and to our knowledge no one has ever been busted for posting here. The site owner has taken every precaution to protect our servers. We don't log IP addresses, so your proxy method of posting is not required, but please do whatever makes you feel comfortable enough to participate.


:mrgreen:
 
GroErr

GroErr

Well-Known Member
rollitup said:
I've never understood the need for https either. If you believe that the government is reading everything that is passed through routers, then you should also believe that they have a method to beat an encryption scheme. The tunneling protocol is not necessary then either, and would slow down a site with this much traffic.

Believe me, I'm all for keeping every member safe, and to our knowledge no one has ever been busted for posting here. The site owner has taken every precaution to protect our servers. We don't log IP addresses, so your proxy method of posting is not required, but please do whatever makes you feel comfortable enough to participate.


:mrgreen:
Click to expand...
Thanks for the reply, that makes me feel a little more comfortable, wasn't sure whether you logged certain things like source IP's, by default most sites do. The thing with logging is not the logging itself, it's how well they're protected/stored, and even with the greatest protection, anything can and will be hacked if there's someone interested in the data. I get hired to clean up after someone has been hacked (thereby a little more paranoid than most, I see first hand what "best practices" mean to different people). The funny thing is that 90% of data that has been hacked is never used by the company storing it, companies just store it because that's what the default is, or the old if you're not sure, store it, "just in case", much like the shit in your garage, mostly useless, but nevertheless stored :)

As far as sniffing data, a strategically placed old school hub and free/readily available sniffer software package is all that's needed if traffic is clear-text, BUT if your physical security (recorded access cards, recorded video cameras, sign-in/sign-out processes and the like) within your network is good there's not much to worry about. Where this falls down and is more common these days, is with outsourced (hosted) services. Let's just say there are professional level service providers, and "less than professional" service providers. I've been in sites where I can more or less do anything, including placing a sniffer under the guise of repairing something, and in sites where your every move is being recorded.... Again, it's low risk but it happens every day. Caveat emptor.

And absolutely agree that all of what we're discussing is nothing risk-wise, in comparison to someone being lazy about basics like smell control, a big mouth or need to tell someone about their grow op, tell nobody, or shoot them afterwards - lol

G
 
WeekendSupervisor

WeekendSupervisor

Well-Known Member
Sorry for reviving zombie thread, but this is an ongoing issue on the internet, and the dialogue should be continued. I was just going to post something, and now had to think twice for this very reason. Not all of us can be out-in-the-open-grower-showers. So granted it is probably low risk, but even so I've decided to strip exif data before upload. I am also thinking about a VPS in a place where there is less risk associated. I don't think the cost of SSL Certificates are that great, and it is certainly best practice for any website that people trust and log into to have one. My $0.02USD : (
 
S

spek9

Well-Known Member
The
WeekendSupervisor said:
Sorry for reviving zombie thread, but this is an ongoing issue on the internet, and the dialogue should be continued. I was just going to post something, and now had to think twice for this very reason. Not all of us can be out-in-the-open-grower-showers. So granted it is probably low risk, but even so I've decided to strip exif data before upload. I am also thinking about a VPS in a place where there is less risk associated. I don't think the cost of SSL Certificates are that great, and it is certainly best practice for any website that people trust and log into to have one. My $0.02USD : (
Click to expand...
The cost of the certificate is miniscule, but the resources to perform the encryption/decryption is not. For a site this busy, that would mean tens of thousands of dollars in SSL offload equipment at least.

imho, if you don't keep personally sensitive data on this site, then encryption isn't even necessary. Since we're all anonymous, worst that can happen is someone can sniff your password on the wire. If you're worried about people in your wired (wireless) location sniffing you going to the site, then use an external SSL-enabled proxy service.

-spek
 
WeekendSupervisor

WeekendSupervisor

Well-Known Member
I hadn't thought of the SSL overhead. Oh well, it is what it is. To quote Pulp Fiction...
Lance: Are you talkin to me on a cellular phone?!? I don't know you. Who is this. Don't come here. I'm hanging up the phone. Prank caller. Prank caller.​
 
You must log in or register to reply here.
Top