While it may be unwelcome to raise this in public, it affects the data protection of all members. As it concerns senior members of the forum, my thought is that it should be left in public as that is the only way of protecting the interests of the masses.
Much of this refers to the HJ Backroom, but as this is the old software with the same webmaster, this *probably* equally applies here. I think the information should be made public.
This site needs a privacy policy and terms publishing quickly. Especially in light of info I have been given.
First questions.
I have been told the passwords here are encrypted (as they should be).
***
When a user creates an account, is the password visible in plain text to webmaster or moderators at any stage?
And is the username emailed or sent in some other form to webmaster or moderators?
And is the username/password stored in any other form (by these people) off the main server of the forum, apart from secure backups containing only encrypted passwords?
***
I have evidence that all the above things are happening.
Having any plain text copy of an encrypted password is extremely dangerous. Why? Because most people tend to use the same password for several online apps, and therefore access can be gained to other accounts of that user, like Facebook and email. Once access has been gained to other private accounts, further information is available to the thief and things like bank accounts and credit card accounts can be compromised. This is not an argument about your own use of data, it trying to establish the truth about the storage/transmission and use of data on this forum.
Why am I bothered? Because I have been asked to invite my customers/visitors here, and I want to be sure data is not being misused. As there is no privacy policy I am forced to ask these questions.
|
Who cares though LIng?
Why not just emaIl the mods and Stephen dIrect?
From what I saw on the other place It mIght be better If you don't refer anyone ;-)
Last edited by: Kharon on Mon 1 Mar 10 at 08:23
|
Every user is at risk through this.
Every user who uses a password that is not unique to this forum or the HJ forum seems to be having their password and email stored in plain text away from the secure database where I am told all passwords are encrypted.
This makes a mockery of storing them securely. It totally negates any security.
This could be a massive security risk if this information gets into the hands of someone who will act maliciously. It is completely against all DP practice.
It seems to be against the law, storing plain text passwords in a database or list by a 3rd party most certainly does not "ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss" as required by the law.
You can even read about why this is bad on Wikipedia: "Some computer systems store user passwords as cleartext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords-and so all user accounts-will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well."
I want to know if my own information is being stored in this way. It seems to be, as a post was made, and then hidden, in my name on the HJ forum, allegedly.
I have certainly emailed Stephen Khoo.
All this "couldn't care less" is fine, until something (catastrophic, accidental or malicious) happens. Then, all users of this forum and of HJ forum will be at great risk of having personal accounts hacked and abused.
People should know how their personal info is stored, and what happens to it. This policy is highly secretive at the moment. Matter of fact, there is no policy at the moment.
Think what would happen if YOUR email and plain-text Password fell into the wrong hands.
Ling
Last edited by: LINGsCARS on Mon 1 Mar 10 at 08:42
|
...Think what would happen if YOUR email and plain-text Password fell into the wrong hands...
Not much, actually.
My email address is hardly a secret and my password is unique to this site.
All the wrong hands could do is post an offensive message as me and get my account binned.
I've always regarded this sort of thing as like betting - only put on, or in this case type in - what you are prepared to lose.
Plus I have some faith in the people with whom I'm dealing.
Those who are running and modding this site are well-motivated people who believe in treating others in the right way.
My details - and everyone else's as far as I know - on the HJ site were compromised at least once.
And what happened? It just made more work for hotmail's junk filter.
Big deal.
|
>> You can even read about why this is bad on Wikipedia
Sorry Ling, but I take anything on Wikipedia with a huuuuge pinch of salt! When my daughter has to research a topic for her homework she is specifically told NOT to use Wikipedia but to corroborate her sources from reputable (ie non-public-edited) websites.
I view the internet as a big toy really, it's never been essential for my work and probably never will be. That's why I'm not worried what happens if I put my name on it.
|
Actually I agree with Ling to an extent. She may well be paranoid, but she does run a well known and successful web based business so it is in her interest to ensure that her business is protected. If she is confident that her customers are secure when she passes them over to us, then we are also secure.
So I would urge Khoosys to answer the questions Ling has asked. I do not think they are unreasonable.
|
It may not be a big deal for you (ifithelps and Dave_TD), but it may well be a big deal for others.
Apart from that, people should know this information about what happens to their private details. At the moment there is no indication of any of these answers.
Can I ask what is the point of data protection and secure encrypted storage of passwords, if plain text passwords, together with emails, are stored separately at someone's work or on private computers? You have no way of knowing a) the security employed on these other systems, or b) who owns these other systems, c) the security of the transmission used.
Look, when people register, no information is given about this, no indication of security or lack of it. This is simply not good enough at all. No warnings are given about using a unique password, or that it will be stored by a 3rd party in plain text.
If you use a common password (so many people do) than all your online applications and data is instantly at risk.
Passwords seem to have been used maliciously to post on my behalf (on HJ) and I have evidence to suggest others have been compromised in this way, too.
I have evidence that these have been used to log into an account while users were online, and then details changed in order to forcibly log users off.
I have evidence that people have used the passwords to log in falsely as a backroomer(s) or access backroomer accounts without the express permission or knowledge of those backroomers. And as the set up is identical, that could be happening on this site too.
You may not care about your own data, but that is not the purpose of managing it securely and lawfully. It is to protect innocent users who will not be aware of this stuff.
Until this is all clarified and out in the open, I can only surmise that from emails I have been receiving, quite a few others are unhappy about this stuff, too.
It simply should not happen, it is in gross contravention of web security.
It seems passwords are/were passed between mods in plain text on a private forum within the backroom. Also have evidence that private addresses of at least one member had been "found" and discussed in plain text between mods.
All this stuff is completely unacceptable, if true. I have no reason not to believe it, as I have full transcripts. This is exactly my point, the information has "escaped" thanks to a whistleblower.
I have not solicited this information and I am copying in a journalist to protect myself, but the fact remains that all users seem to be at risk and private information (at least on the old Honest John forum) was bandied around. Was that YOUR info?
For instance, from the information bandied around, I have found that one of the people who seems privvy to the discussions works for a UK police force. If I mentioned the industry another works in, I guess this thread would be instantly deleted.
I should not know this info, yet it is bandied around "hidden" forums between mods in plain text. That's very bad.
I think answers should be given, and a clear Privacy Policy published here. I am taking this up separately with the publisher of the Honest John site. Surely, not everyone else is so relaxed about this as you, ifithelps?
Ling
Last edited by: LINGsCARS on Mon 1 Mar 10 at 10:46
|
Ling,
the posting has now been brought to the publisher's attention and a response will be made. All I know is that passwords are secured with the benefit of experiences - I know nothing of the minutia or the Tech behind it.
|
HondaDriver,
Are you sure that is all you know?
8< Snip. Information discussed ina private area on the HJ forum was just that - private.
How you could "log in" without knowing the user's password, I am not sure?
Therefore, I am afraid I would question this statement: "All I know is that passwords are secured with the benefit of experiences" - whatever that means. Clearly the password in the case discussed was NOT being secured.
Although I say again, the context leads me to believe you were completely ignorant of the fact you could do that to someone's account.
The fact that I know all this, surely shows anyone that stuff on these forums is NOT being secured?
Ling
Last edited by: VxFan on Mon 1 Mar 10 at 13:18
|
...Surely, not everyone else is so relaxed about this as you, ifithelps?...
Ling,
The reason I am so relaxed is the only information this site has is my email address, a password, and, of course my user name ifithelps.
This is only a motoring forum, one I happen to rather like, but it is only a motoring forum, it is not a bank, the DSS, the police national computer, the national DNA database, or even anything to do with MI5, MI6 or the SAS, even though you seem to think it is.
The points you make apply in some instances, but they do not apply to this forum.
As I said, only type in what you are prepared to lose, I don't want to lose it, I don't suppose I will, but ultimately it matters little if I do.
It's like sending a postcard - the postman - or anybody else - could read it.
|
Yes, it matters.
Say I gained your email and your password (if you used it commonly on other sites).
I could then, for example, log into your facebook page and post defamatory stuff, or simply remain silent and gather information. I represent as you on Twitter or other forums. I could access your emails and read your whole inbox. Remember, I would know who your email provider was. I would easily find your date of birth from your emails (happy birthday!).
This is not just the "playful" or "punishment" or "public humiliation" matter of posting in someone else's name on this or HJ forum. It is far more serious than that (although that is bad enough).
The scope for ruining someone's life is massive. Say I published private info from your email account? If you use the common password for anything work related, I could easily compromise your work or get you fired.
8< Snip. Information discussed in a private area on the HJ forum was just that - private.
While you may think you are well protected ifithelps, everyone has vulnerabilities.
With no privacy policy, how does anyone know what has happened, or what should happen to their data? I highly suspect that a copy of passwords from here (and from the HJ site) and another forum, are being stored on private computers, unsecured.
So dangerous and probably illegal.
=====
Thanks Honda Driver.
Last edited by: VxFan on Mon 1 Mar 10 at 13:18
|
Certainly in a previous incarnation of this forum, passwords were stored in plain text form - so that mods could email passwords to users as required.
Anybody who uses a "common" password for security-sensitive sites will get - and indeed has probably already long-since had - his just deserts.
|
>> I represent as you on Twitter or other forums
Which is about as much threat to me as my postcard-reading postman, frankly.
>> The scope for ruining someone's life is massive .... I could easily compromise your work or get you fired.
No you couldn't. Pure scaremongering.
|
No, you are wrong. There is a real risk.
8< Snip. Information discussed in a private area on the HJ forum was just that - private.
We all have enemies somewhere, or there are people who simply take pleasure from hacking/being malicious.
I think you downplay the risks. Many people here have important careers and to have their identity manipulated could be very damaging. Even if not in a career, embarrassing information could easily be published, in your name.
I don't think damage potential should be minimised.
Last edited by: VxFan on Mon 1 Mar 10 at 13:19
|
Ling
Ok its simple then.
All this happened on the old site. Your complaint and beef is with the publisher of that site. Take up the matter there.
This is a new and different site. You are not keen on how its run? No problem, Thank you for contribution to date, and we will no doubt see you on some other part of the web.
Good bye and good luck.
|
Zero, All that is true about the old site.
I am in touch and discussing with the publisher...
and you would be correct ...except the software here is EXACTLY the same software (not even a copy, but the very same) run by the same company, on the same server, with the same webmaster, and (many) of the same moderators.
Simply, the name has changed, and no privacy policy has been published.
In that case, I think it is extremely relevant to people here, as the situation is virtually identical as on the old Honest John forums.
I discard your argument.
I am not suggesting the company running the software is complicit. I just don't know that.
Ling
Last edited by: LINGsCARS on Mon 1 Mar 10 at 12:03
|
|
It wasnt an argument Ling, it was advice.
|
With the fast-changing pace of the internet we always have to stay on top of security issues as best we can. The forum software here is version 3 which is an upgrade to what was used on the honestjohn website.
All websites have to be assessed for trust; not just car4play.com. The bottom line is that if you feel that you cannot trust this site, then do as you would with any other - just don't use it.
Last edited by: car4play on Mon 1 Mar 10 at 12:10
|
That is not an acceptable argument.
It's not "as best we can". There is no security or privacy policy. How can anyone make a judgement?
Most of the people referred to in the posts above (not by real name) are the same people running it. What evidence do you have that things have changed (in a week or so after the migration of tons of traffic)?
I was specifically asked to link and invite my website users here. Therefore I think I have quite a reason to ask for clarification.
Even if I was not asked to link or invite (I may be happy to do so, if the matters are cleared up) that is not the point. I'm not being high and mighty about this. I just think users should be protected.
The point is - no one knows if users data is at risk.
Ling
Last edited by: LINGsCARS on Mon 1 Mar 10 at 12:09
|
That is the argument.
Clearly you have reservations about those who run the site, their procedures and policies, and the software they use.
The answer then, is dont use it. The fact you have put your details in here, and continue to use the site are proof you are not really that bothered, and your argument is fatuous.
pish or get off the pot
|
>> All websites have to be assessed for trust
I've been contributing to this and previously the HJ forum for 8 years now. I trust the people I converse with on here. End of argument.
Please Ling, stop going on about it as you're starting to sour my experience of the whole forum. If the site owners do implement an "ignore" button, I know I'd use it on you.
Last edited by: Dave_TD {P} on Mon 1 Mar 10 at 12:29
|
Ling
If you were told that your password were being stored securely, would it make a difference? Would it really?
Would you THEN use the same password for this site and your business email or bank account? Really?
Let's take it a step further. If you KNEW that your password were being stored securely. Would it then make a difference? Would you THEN use the same password for this site as for something that mattered?
I take it the answer to both questions is "No, not even under those circumstances." If it isn't, you are not so sharp as you pretend. If it is, then your whole argument is fatuous and very dull.
Please may we have an ignore button?
|
Ling you obviously have a good business head so why not make the obvious 'good budsiness decision' to steer well clear of this website?
But that isn't enough for you, is it?
We are all happy here, just learn to live with it woman.
Pat
|
We are closing this thread now because it is like a fight in the corner of the bar. Most distracting, and not particularly helpful to those regulars who want to come here for a quiet pint and have fun chatting.
We will also be editing some of the posts here because it is private information from another website that was always meant to be private. Information shared here from private and confidential emails will also get removed if this is brought to our attention.
|
Moderation questions and data protection - Ling - Vicar of Bray
