(engineer attention) message security
- Thread starter Zephyn
- Start date
Zephyn
Bluelighter
- Joined
- Oct 31, 2020
- Messages
- 2,054
No more than they are already...
Foreigner
Bluelighter
- Joined
- Mar 18, 2009
- Messages
- 8,290
You have a reasonable right to privacy, which the forum software already provides. You don't have a right to fort knox. If you want more security then it's up to you to use additional measures.
MsDiz
Bluelight Crew
- Joined
- Mar 31, 2020
- Messages
- 8,428
Correct and that should be the end of this thread.
dalpat077
Bluelighter
- Joined
- Oct 14, 2019
- Messages
- 3,092
@Zephyn.
Much as I hate to be the one to tell you this (but which should be obvious):
If you're concerned about security generally or the contents of PM's etc. then you you shouldn't be posting and sending PM's anywhere on the Internet. Let alone on a site such as this. And that includes emails. This in spite of any encryption methods being used. As long as there is an Internet connection involved: you're vulnerable. It doesn't get much simpler than that. The only question is just how difficult you wish to make it for somebody e.g. law enforcement to be able to read your messages and how much they're prepared to invest, both in time and in money, in order to achieve the same.
People seem to put a whole lot of faith into encryption. And that's misguided. It doesn't matter what encryption method is used: bear in mind that the message has to be decrypted in order for it to be intelligible to the recipient. And right there is where it falls down (for most all but THE most security conscious). Not that it's an easy endeavor for interested parties. But if all else fails: there's the failure point of last resort.
The above not just applicable to PM's or emails by the way i.e. documents etc. too.
VPN's? If you're that important to law enforcement: the only thing they're good for are fooling Netflix or YouTube or your other average Internet user or stalker (type of thing). Some may be better than others. But none are infallible.
Tails? Not privacy, encryption of stored data, or destruction or obfuscation of evidence that I'd stake my life on. Not unless you're prepared to physically destroy pieces of hardware after each and every session. And even then: note some of the above i.e. by that stage it could be too late anyway.
I'm not trying to put the fear of God into you or anyone else. And you'd have to have a very big target on your back and be a person of major interest to law enforcement in order for most of the above to be of concern. But don't be fooled into thinking that the better the technology, and the more in use, the more secure you are.
If it's just this site or forums generally: let's assume that somehow somebody does just happen to get a hold of your login details. Then? Worst case scenario they have access to your email address used to register (and which should be a throwaway email address) (but even that's an exercise in futility I assure you) and your PM's here.
With regards to PM's: well then you have to question the actual content of your PM's i.e. always be playing Devil's advocate when sending PM's. In other words: what would happen if the PM I'm about to send were to be made public or fall into the wrong or unintended hands i.e. would there be any adverse consequences or ramifications. If the answer is yes: then don't send it (matter of fact don't even start typing it).
Posts: they're public. No need to even comment on that.
Deleted threads, posts, and PM's, and not to mention drafts: this topic has already been adequately covered before.
Toning it down a bit though: for sure if you're worried about some personal or potentially embarrassing content being made public or read by staff or accessed by somebody who may have obtained your login details on this site then by all means use some sort of encryption. Matter of fact simple obfuscation would probably suffice. Unless I'm grossly out of touch with reality: I cannot see anybody here, that may have access to your PM's, having the time on their hands nor the inclination to go trying to decrypt or decipher a PM that may or may not contain some little bit of juicy gossip.
Much as I hate to be the one to tell you this (but which should be obvious):
If you're concerned about security generally or the contents of PM's etc. then you you shouldn't be posting and sending PM's anywhere on the Internet. Let alone on a site such as this. And that includes emails. This in spite of any encryption methods being used. As long as there is an Internet connection involved: you're vulnerable. It doesn't get much simpler than that. The only question is just how difficult you wish to make it for somebody e.g. law enforcement to be able to read your messages and how much they're prepared to invest, both in time and in money, in order to achieve the same.
People seem to put a whole lot of faith into encryption. And that's misguided. It doesn't matter what encryption method is used: bear in mind that the message has to be decrypted in order for it to be intelligible to the recipient. And right there is where it falls down (for most all but THE most security conscious). Not that it's an easy endeavor for interested parties. But if all else fails: there's the failure point of last resort.
The above not just applicable to PM's or emails by the way i.e. documents etc. too.
VPN's? If you're that important to law enforcement: the only thing they're good for are fooling Netflix or YouTube or your other average Internet user or stalker (type of thing). Some may be better than others. But none are infallible.
Tails? Not privacy, encryption of stored data, or destruction or obfuscation of evidence that I'd stake my life on. Not unless you're prepared to physically destroy pieces of hardware after each and every session. And even then: note some of the above i.e. by that stage it could be too late anyway.
I'm not trying to put the fear of God into you or anyone else. And you'd have to have a very big target on your back and be a person of major interest to law enforcement in order for most of the above to be of concern. But don't be fooled into thinking that the better the technology, and the more in use, the more secure you are.
If it's just this site or forums generally: let's assume that somehow somebody does just happen to get a hold of your login details. Then? Worst case scenario they have access to your email address used to register (and which should be a throwaway email address) (but even that's an exercise in futility I assure you) and your PM's here.
With regards to PM's: well then you have to question the actual content of your PM's i.e. always be playing Devil's advocate when sending PM's. In other words: what would happen if the PM I'm about to send were to be made public or fall into the wrong or unintended hands i.e. would there be any adverse consequences or ramifications. If the answer is yes: then don't send it (matter of fact don't even start typing it).
Posts: they're public. No need to even comment on that.
Deleted threads, posts, and PM's, and not to mention drafts: this topic has already been adequately covered before.
Toning it down a bit though: for sure if you're worried about some personal or potentially embarrassing content being made public or read by staff or accessed by somebody who may have obtained your login details on this site then by all means use some sort of encryption. Matter of fact simple obfuscation would probably suffice. Unless I'm grossly out of touch with reality: I cannot see anybody here, that may have access to your PM's, having the time on their hands nor the inclination to go trying to decrypt or decipher a PM that may or may not contain some little bit of juicy gossip.
JessFR
Bluelight Crew
- Joined
- Oct 22, 2012
- Messages
- 14,705
The beauty of modern encryption is.. You don't need bluelight's support.
You can generate a pgp key and share it and now the site owners couldn't read your messages even if they could be fucked too (they can't).
I don't think it would be a good thing for us to include though. We are a law abiding site for occasionally less than law abiding people.
The perception of the site should be exactly as it is, that it has nothing to hide.
Now if YOU have something to hide. As I said, noones gonna stop you using pgp between yourself and others here. I can't see it even being detected let alone you banned over it.
But we have rules against discussing presently illegal activity. We have a user agreement that says quite clearly how much privacy you can expect in theory, which is none.
In practice nobody on staff is gonna see your pm's unless you report them or a court order comes in. And bluelight's mission is to neither condone nor condemn drug use and to minimize the harms associated with drug use.
None of that requires that we provide systems that would draw all the wrong kind of attention to us.
Besides. Bluelight is a law abiding website providing a legal service in the country it operates from. Which means you must assume anything you say here could be compromised by big brother anyway. So you shouldn't trust such a system provided by us even if one existed. You'd still have to generate keys, validate them and do the encryption and decryption externally anyway.
You can generate a pgp key and share it and now the site owners couldn't read your messages even if they could be fucked too (they can't).
I don't think it would be a good thing for us to include though. We are a law abiding site for occasionally less than law abiding people.
The perception of the site should be exactly as it is, that it has nothing to hide.
Now if YOU have something to hide. As I said, noones gonna stop you using pgp between yourself and others here. I can't see it even being detected let alone you banned over it.
But we have rules against discussing presently illegal activity. We have a user agreement that says quite clearly how much privacy you can expect in theory, which is none.
In practice nobody on staff is gonna see your pm's unless you report them or a court order comes in. And bluelight's mission is to neither condone nor condemn drug use and to minimize the harms associated with drug use.
None of that requires that we provide systems that would draw all the wrong kind of attention to us.
Besides. Bluelight is a law abiding website providing a legal service in the country it operates from. Which means you must assume anything you say here could be compromised by big brother anyway. So you shouldn't trust such a system provided by us even if one existed. You'd still have to generate keys, validate them and do the encryption and decryption externally anyway.
- Joined
- Jul 22, 2002
- Messages
- 66,863
i don't understand this. why is the fact that an encrypted message has to be decrypted mean that's where the process falls down?
can you elaborate?
thanks.
alasdair
dalpat077
Bluelighter
- Joined
- Oct 14, 2019
- Messages
- 3,092
Well in its simplest and most crude form:
If there's any type of spyware or remote control or remote viewing software installed on the recipient's device then the moment any correspondence, no matter what it may be, is opened then it's visible (were that not the case the recipient wouldn't be able to read said correspondence).
And software capable of doing the above, especially when it comes to mobile devices, isn't hard to come by at all i.e. it's available for purchase on the Internet from a variety of vendors. And I'm talking about clear web sources. Some require physical access to the recipient's device in order to install and some don't (pretty much dependent on just how much you're prepared to pay i.e. it's a linear scale). But once installed either way: simple matter of hitting record on the remote side and everything that's done on said device is recorded including the screen output (not to mention audio captured via the mic. or video from the camera).
But as should be fairly obvious: somebody needs to want to see what's going on pretty badly in order to go that trouble. And you'd have to be a target or person of interest (although that'd depend on resources of course i.e. the shotgun approach to distribute said software and to then monitor several devices simultaneously requires some decent and costly hardware and connectivity). Mind you. Is that strictly true i.e. I'm talking here about consumer grade and publicly available software for purchase.
It's by no means foolproof. The caveat being the savvy, or lack thereof, of the recipient. There could be telltale signs e.g. sudden high data usage. But that all depends on just how much is being monitored i.e. just screen output (or a wide variety of other possibilities). Or high CPU usage (although the better and faster devices become and the better the software the less of a telltale sign this would be if prominent at all). Sudden sluggish performance another one but same applies.
I'm not saying there's no point in using encryption software. But the above is the weak point of last resort (for want of a better phrase). Anything in the middle i.e. between sender and recipient and that's intercepted is obviously encrypted (unless of course the sender has been compromised and keystrokes are being sent and recorded).
And then of course: I don't think any of the above really applies to your average BL user either (emphasis on the word average!
).
Zephyn
Bluelighter
- Joined
- Oct 31, 2020
- Messages
- 2,054
Like I said though, cops aren't the only concern. Only looking out for everyone, admins included. A leak could cause all sorts of problems for all sorts of people.
And you are right about encryption, especially the implementation I suggested.
And even pgp.. it only stands for "*pretty* good encryption". Personally I have nothing too serious to hide where it would be worth swapping keys with anyone, hence why I suggested building it in.
And you are right about encryption, especially the implementation I suggested.
And even pgp.. it only stands for "*pretty* good encryption". Personally I have nothing too serious to hide where it would be worth swapping keys with anyone, hence why I suggested building it in.
Zephyn
Bluelighter
- Joined
- Oct 31, 2020
- Messages
- 2,054
I was suggesting decrypting based upon the user's pw stored in php session, when it is sent to end user, it's over https. So doesn't fall down exactly.
- Joined
- Oct 15, 2004
- Messages
- 15,380
Someone correct me if I'm wrong, but BL is built on PHP. Yes? Don't passwords have to be stored in a plaintext format for PHP? I could think of an easy way to brute force a password with a python script. Give me a bit and I'd be willing to bet that I could write something that could figure it out. Then again, I really wouldn't care if you popped open my BL account. We don't source here and if we want to have those convresations we could always move it to a more secure place... Like Facebook 
Buzz Lightbeer
Bluelight Crew
- Joined
- Dec 1, 2018
- Messages
- 3,593
Passwords are hashed, and the hash is stored in plaintext
telepathetic
Bluelighter
- Joined
- Jan 16, 2010
- Messages
- 2,287
^ typically yes, hopefully salted first.. but doesn't stop someone from changing the code every so slightly to use plaintext instead