Technical Problem No https + inbox quota unacceptable

starkid (Greenlighter; joined Jul 30, 2012; 25 messages)

It's been years now and this site still does not use HTTPS.

You are endangering people's lives.

Also, 5 message limit for private messages???

There are many people who are not receiving help because of this ridiculous message limit. You are harming people's lives by keeping it this low for no good reason.
 
calm down.

lack of https is a privacy issue and the site will consider its implementation. https is just one factor and there are many other ways in which people can take responsibility for their own online privacy. suggesting that people's lives are in danger because the site uses http is hyperbolic nonsense.

the 5 message pm limit for greenlighters is in place to slow down suppliers and other troublemakers, many of whom waste the volunteer staff's time and some of whom put bluelight's existence at risk. it's a perfectly good reason, even if it's one with which you happen to disagree.

you'll have access to a larger pm box when you become a bluelighter - 37 posts from now - and, again, to suggest that this limit somehow is endangering lives is laughable nonsense.

alasdair
 
I think you are mistaken in your assessment here. In truth, disallowing excessive PM's for greenlighters is probably saving lives by decreasing the heat that LE might place on the site (if unchecked, such sourcing could feasibly lead to the site being closed by LE, and people dying through lack of the HR information that Bluelight provides).

As alasdairm has said, https is something that could be looked into. But I can't see how using https would save lives, rather than further protect people's privacy from unwanted intrusion; that's a hugely different thing to protecting someone's physical wellbeing. Bluelight encourages you to take personal responsibility for your behavior, both IRL and on BL. You are responsible for what you say, and who to, when you post on Bluelight. Be cautious, and you will have no problems.

It's good that you care about this sort of thing, but just have a think about the presented reasons. :)
 
You are both dismissing it and are not actually understanding the legitimate issue.

Say someone is extremely suffering and needs help and cannot get that help outside of this site (for whatever reasons).

That is reality. I personally am right now having to deal with people in serious need of help (because their doctors/family won't provide it to them, in fact it was their doctors who destroyed their lives to begin with). They are dealing with severe negative long term consequences and there is little help/information out there on the Internet for them save sites like these.

And here they are, some of them probably on the verge of suicide, unable to contact people who have gone through the same thing they're going through because the administrators of this site can't be bloody bothered to double the greenlighter message limit.

It's not going to hurt you to do that. It will help. Just increase it to 10, that's all I'm asking.

And regarding HTTPS, are you crazy? People come to this site discussing a myriad of probably not-so-very-legal, extremely private things, and you want those conversations to be broadcast to everyone in plain text?

Not only that, but you are allowing random hackers to hijack your users' credentials and impersonate them. WTF. Why would you allow this for so many years?
 
i understand what you are saying. i just disagree with it.

if people are genuinely suffering, need help and cannot, for some reason, get that help outside of this site, then they can post in the public forums and seek help that way. indeed, the audience will be larger and the likelihood of their receiving help - in this hypothetical situation of yours - is greater.

and if, for some reason that my simple brain can not comprehend, the help they need can only possibly happen privately, rather than in the public forum, they can always use one pm to ask somebody for their email address then continue the dialog over a regular email channel.

furthermore, if your pm box is full, you can (optionally) download your messages then delete your inbox to make space. you have complete control over this and it can happen without anybody else being insulted or having to do anything for you. take a little responsibility for your own experience?

so, again, limiting the ability of new members to pm does not endanger people in any way.

on the https thing, as i said, the site is currently in the process of considering migrating the entire site to https but there are other factors to consider - not least the performance hit on the server.

bluelight is run entirely by volunteers and depends on donations for its funding. if you want to speed this along and not just sit on the sidelines criticising people, get your checkbook out. $10,000 should do for starters :)

alasdair
 
indeed, the audience will be larger and the likelihood of their receiving help - in this hypothetical situation of yours - is greater.

1. They have posted in a public forum, but apparently they still want to ask me for help.

2. This is not even a hypothetical situation. It is a real situation.

furthermore, if your pm box is full, you can (optionally) download your messages then delete your inbox to make space.

I can do that, but they can't (for whatever reason). Some users are technically challenged. Others are suffering so much they probably can't figure their way around your forums.

What is wrong with you?

Just admit it: You don't care about your users.

bluelight is run entirely by volunteers and depends on donations for its funding. if you want to speed this along and not just sit on the sidelines criticising people, get your checkbook out. $10,000 should do for starters

To increase a number from 5 to 10 you need $10k?

I can't believe anyone uses your site.

From now on, I will tell anyone who contacts me that I am no longer using your site or recommending that they use it.

You are behaving irresponsibly at your users' expense for no good reason.

on the https thing, as i said, the site is currently in the process of considering migrating the entire site to https but there are other factors to consider

Right. Other factors like maybe someone will hijack your credentials and bury this site in the ground where it belongs. That would probably be a good thing if it happened. A tool used irresponsibly is a tool that causes real harm to people. Maybe there's already another site out there run by people who care about their users. Then your users can migrate over there.
 
1. They have posted in a public forum, but apparently they still want to ask me for help.
see my comment about an email dialog.
Some users are technically challenged. Others are suffering so much they probably can't figure their way around your forums.
posting in the public forum is no more or less difficult than sending a pm.
Just admit it: You don't care about your users.
i don't admit it because i don't believe that to be true.
I can't believe anyone uses your site.
ok.
From now on, I will tell anyone who contacts me that I am no longer using your site or recommending that they use it.
that's certainly your prerogative. we'll find a way to live with your disappointment.
You are behaving irresponsibly at your users' expense for no good reason.
i disagree. as i said, a good reason is a good reason, even if it's one with which you happen to disagree.
Right. Other factors like maybe someone will hijack your credentials and bury this site in the ground where it belongs. That would probably be a good thing if it happened.
i thought this site was crucial to people's well-being but they're just not able to use it? now it would be good if the whole site was gone? make your mind up.
Maybe there's already another site out there run by people who care about their users. Then your users can migrate over there.
maybe.

i've told you the https issue is in process.

it's the easiest thing in the world to tell everybody what they're doing wrong. thanks for the feedback.

alasdair
 
starkid, if my responses seem curt, consider that they're a reflection of your own comments. you've been a member here 3 years and you've contributed 16 posts to the community. your posts are aggressive, insulting and you seem less interested in a constructive dialog than in just ranting and telling everybody else how they're wrong and you're right.

people should be encouraged to seek help in the public forums wherever possible. you seem to have a pretty high opinion of yourself and you may well have the best advice in the world. if one person gets that advice in a pm, that's great. but if the discussion happens in the public forum, literally thousands of people have a chance to see it.

you talk about the importance of helping people and serving users but, to me, you take a rather narrow, somewhat self-centered view of things.

alasdair
 
I am new on this site and after reading top post I am worried--if someone googled my name are my posts going to somehow show up?
 
if somebody googles, for example "stlouisgirl", pages and posts on bluelight may appear in those search results. anything you type on bluelight can be viewed by anybody with an internet connection - millions if not billions of people can potentially read what you are writing.

alasdair
 
Yeah, Greenlighters can't send many PM's. They can post THREADS on Bluelight asking for assistance. That is what the site is for. It's a public harm reduction resource that is free for anyone to use. Because people have abused it in the past, restrictions have been placed. But all users can ask for help in one of the many forums here.

I don't think you've really got a point unfortunately. :\
 
No https is a serious problem that you need to fix right now, or about 5-10 years ago really. It's basic stuff.

The inbox quota is ridiculous too.

There are at least two good reasons this person hasn't posted much, same reasons most other drug users don't post here, lack of basic security, aggressive staff & lack of features, you've been told & you're ignoring it.

It costs less than $10 for https, not $10,000, it shows you don't care at all. I'll donate the $10 if you do it & I'm even more broke than this site.
 
you're entitled to your opinion but we've explained why the inbox issue is far from ridiculous.

we already have the certificate. the issue is server load and performance hit.

with respect, lack of ssl hasn't stopped you sticking around a year and posting 1300 posts. nobody's life is in danger because of this issue.

thanks for your feedback - i'll keep my eyes open for that donation :)

alasdair
 
do you find this entitled, arrogant, aggressive ranting is generally a good approach when asking for help or making suggestions?

to you, 5% might not seem like a lot of overhead. but of course you're intimate with bluelight's hardware setup so it's not like you're just making an assumption here...

thanks for your feedback. your comments are noted.

alasdair
 
No https is a serious problem that you need to fix right now, or about 5-10 years ago really. It's basic stuff.

The inbox quota is ridiculous too.

There are at least two good reasons this person hasn't posted much, same reasons most other drug users don't post here, lack of basic security, aggressive staff & lack of features, you've been told & you're ignoring it.

It costs less than $10 for https, not $10,000, it shows you don't care at all. I'll donate the $10 if you do it & I'm even more broke than this site.

Can i ask why you think the pm limit is ridiculous?

I think it's quite harsh to say that volunteers on a website don't care.

Sorry but i don't think you're making sense tbh...
 
It's not a 5% performance hit, there's basically no performance hit these days & often some performance gain to be had by configuring tls properly. It's an outdated bullshit excuse, it's been bullshit for over 5 years, maybe 10 years. Encryption takes no measurable amount of time at all on modern processors & newer web technologies mean there's no latency hit either.

Not having TLS on a website in 2015 is just showing a complete disregard for security. You don't care if your website gets hacked. You don't care if your users lose information they thought was private. You don't care if user accounts get spoofed. You don't care if your website is hijacked in transit & serves malware to some visitors.

You're taking unnecessary risks with everybody's security for no reason other than laziness & apathy.

Not having TLS doesn't make sense TBH, it's reckless behaviour.

http://www.chapterthree.com/blog/why-your-site-should-be-using-https
 
Not having TLS on a website in 2015 is just showing a complete disregard for security. You don't care if your website gets hacked. You don't care if your users lose information they thought was private. You don't care if user accounts get spoofed. You don't care if your website is hijacked in transit & serves malware to some visitors.

You are raising a valid concern, but you (and the OP) are doing it really poorly. It negates the value of your opinion and advice.
 
You're running the site really poorly, it's been politely requested & ignored before. It's not new advice. It's not an opinion either, fact is you're endangering users & the whole website for no good reason. I'm not insulting anybody, I'm clearly stating concerns about the security of your website, stop being so arrogant about the safety of your users.

Please explain why you think it's safe to not use encryption, it should be enforced on every website with a user login, you're not fit to run a website if you don't understand that. Anybody who objects to TLS should be kicked out of the admin team for your own safety. The only reason for any objection is if they want their government employers to retain the ability to easily subvert the website.

There is no valid argument against using TLS, you can't trust any website that doesn't, it's a technical fact not opinion. You don't control your internet connection, it passes through large companies who are required to pass on data & host black boxes for their governments, large cables get tapped, any one of those places can read & alter any plain text. Any common criminal working at an ISP or just using a public wifi spot can do the same simple attacks.

I might use the website, but I can't trust that I'm not using a spoofed website. I won't use the PM function (except for things I understand are really not private & to reply to people who PM me). My password isn't used for anything else. I accept that my user account can easily be stolen & so can anybody else's accounts. I accept that anybody who wants to can easily identify me. I won't put anything more private than my email address on here. Other users might not understand the risks, those are the people at risk, as well as the website itself. My use is a calculated risk, that I'm not happy to be forced to take, but I feel reading/sharing drug harm reduction information is more important than my personal security. I wouldn't be here if I felt I had anything to lose, just my life is at rock bottom already. Other people may take a different view & feel unable to share information here, or they may be unaware of the risks. No doubt lots of people use the same password for their email address & log in on public wifi hotspots without giving it a second thought.

It is impossible for you or anybody else to run a secure website without Transport Layer Security, it undermines everything else you do. It's totally wrong & it's very dangerous to not use TLS on a website like this.

When you decide to use TLS you should force all users (especially staff) to change their passwords before they can log in for the first time on the secure site & delete all session keys. You should assume that each password & session key has been compromised every time anybody logs in using plain text, that probably is happening. You could also use this opportunity to update your password hashing in case your database gets hacked.

If you need any technical help improving performance & security then I'm willing to donate my time.
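
Added example (not part of the original post, and not the site's own code): a minimal Python sketch of the cutover steps listed in the post above, namely deleting every session key, forcing a password change before the first login on the TLS site, and upgrading the stored hash at the same moment. The in-memory `users`/`sessions` dictionaries, the `md5$$<hex>` legacy format and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def scrypt_hash(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${dk.hex()}"

def verify(stored, password):
    scheme, salt_hex, digest = stored.split("$")
    if scheme == "md5":   # assumed legacy format "md5$$<hex>", unsalted
        calc = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(calc, digest)
    return hmac.compare_digest(scrypt_hash(password, bytes.fromhex(salt_hex)), stored)

def cutover(users, sessions):
    """Run once when the HTTPS-only site goes live."""
    sessions.clear()                    # every pre-TLS session key is treated as stolen
    for user in users.values():
        user["must_change"] = True      # every pre-TLS password is treated as sniffed

def issue_session(sessions, name):
    token = secrets.token_urlsafe(32)
    sessions[token] = name
    return token

def login(users, sessions, name, password, over_tls):
    user = users.get(name)
    if not over_tls or user is None or not verify(user["hash"], password):
        return "denied"
    if user["must_change"]:
        return "change_required"        # no session until the password is replaced
    return issue_session(sessions, name)

def change_password(users, sessions, name, old, new, over_tls):
    user = users.get(name)
    if not over_tls or user is None or not verify(user["hash"], old):
        return "denied"
    if old == new:
        return "denied"                 # keeping the exposed password defeats the reset
    user["hash"] = scrypt_hash(new)     # hash upgrade happens in the same step
    user["must_change"] = False
    return issue_session(sessions, name)

def sample_state():
    """Constructed data: one legacy account and one session issued over plain HTTP."""
    legacy = "md5$$" + hashlib.md5(b"hunter2").hexdigest()
    return {"alice": {"hash": legacy, "must_change": False}}, {"http-era-token": "alice"}

if __name__ == "__main__":
    users, sessions = sample_state()
    cutover(users, sessions)
    print(login(users, sessions, "alice", "hunter2", over_tls=True))
```

Because the old password is itself assumed exposed, a stricter variant of this flow authorises the change through a one-time link sent to the account's email address rather than through the old password.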
 