
Some basic forum (and internet) precautions

Posted: Tue May 15, 2012 2:15 pm
by Gaelen
There are a lot of newbie (just a month or two) registrants posting on the forums these days, and as I was catching up on threads this morning, I was noticing a lot of things that can really put an individual's privacy at risk. I don't know if that's because people aren't used to posting on forums, or aren't used to taking some basic privacy precautions - but either way, the behavior can really compromise you in ways you weren't expecting. So I thought I'd repost this from another privacy discussion we had after an attack of spammers in 2010 - unfortunately, it's all still true today. :(

= = =
All forum software has weaknesses...phpBB, which is the software Colon Club uses, is not the strongest software out there. However, with any internet access or website software, the main reason that a hacker can get in is that the site is not using the most up-to-date version (which theoretically has the most up-to-date spam and hacking protections.) This board's copyright notice says 2007, which could mean it's not running the most current and most secure version released earlier this year, or any of the four versions released between 2007 and 2010 - unless the most current version was installed and the copyright notice didn't update. In my experience, phpBB and other forum software updates the year in the copyright notice with every version upgrade...but only if the upgrade has been installed.

However, a few things to be aware of that can make your forum experience safer or riskier, depending on your choices...

1) This is a highly searched forum (those MSNBot users at the bottom of the topic list are not human beings.) Everything you post here is captured by these spiders - including your usernames, your posts, your links to your profile. If you don't want to let the world know where you live, or other intimate details of your life, keep the parts of your profile that show up on every single post a little obscure. Put "northeastern US," not your specific little small town plus state.

2) People here tend to use their real names in conversations. Even if they have a screen name, they slip into calling each other by real name. That can be deadly if someone decides to play childish games to harass you. It's a short leap to find out your real name, adopt it as their pseudonym and then use it to sign up for things with your email address, or to make comments on other websites. They can even register with your real name but their email address on forums where you personally wouldn't be caught dead (or alive.) If you have a kind of unique real name, that can also mean that they can locate you out in the world, or at least find your other online accounts (Facebook, Twitter) and extend any harassment to those areas, too. If you don't already have one set up, set up a Google alert on your real name, in quotes, so that you'll get a report if your real name is used anywhere on the web. You may discover that the person using YOUR name isn't you. And here, on the forums, if someone is using a screen name, refer to them BY THEIR SCREEN NAME. That's one of the simplest precautions any of us can take.

3) How will someone get your email address from this forum? If you have your profile set to accept email from other users, any registered approved user of this forum (even a hacker/spammer) can email you and when s/he does so, will see your forum-registered email address. If that's an email address you use routinely, it opens up your email address to malicious mischief. Most of it is just annoying, but it can also be overwhelming. Imagine having your address registered for, say, 50 porn websites within an hour, and getting all of those confirmations from Hot babes in Dallas in your regular inbox. Which your spouse sees. :oops:

Yeah - some people have forum only email addresses. But other people (like me) try to keep my number of email addresses under two dozen. ;) I have three websites (each with email addresses), and I have forum addresses on the servers of the forums I manage. I have at least a dozen email addresses for work servers - all variations of my real name @ where I work.com. Email address overload means that I tend to stick to a single personal email address, which I use to register for forums. Simple. But it can also be risky. Shouldn't be risky. But the safety precautions of the forums you frequent are also responsible for determining your risk level - especially for the non-computer-literate computer users.

4) Secure passwords are cool - but how many of you use your kid's or common pet's name as your standard password on every forum you are on, and leave your ID set to "remember me" so that you never have to actually use the password? THAT is how logger software on public computers (say the computers in the waiting rooms at MSKCC, or in the library) can get your information. And if someone hacks the log file on that public machine, your information is right out there. By using the same simple password for everything, you risk not only your account here, but any other accounts someone malicious may want to find for your name.

Now - for those of you who love wireless and hotspots and pirating connections - if you use unsecured (no password required) wireless connections, and you login to sites like this, the person who captures your login information doesn't even need to be any kind of a hacker. You won't see them, or they could be the person sipping cappuccino next to you or someone sitting in a car in the parking lot running a capture program. Depending on capture program, s/he can get access to both typed and auto-login information, and most encryption protocols also have accessible DEcryption protocols. Smart enough to run a capture protocol outside a Starbucks? They're probably also smart enough to own a decryption algorithm.

The best "secure" password is to take the first initials of a phrase that can give you 10 letters, and then convert some of those letters to numbers, special characters and caps. For instance, say your favorite movie line is "I'll have what she's having" from "When Harry met Sally." In geek speak, that line can become 1hW5hvg (the 1 = I, the W = what, the 5 = s, hvg = having.) But it's only 7 characters, so tack your initials onto the end or beginning: 1hW5hvgpas. Easy to remember the phrase, and very very hard to hack.

BUT - the issue on forums, email accounts and websites isn't so much that someone can hack into your existing password. It's that if they want to be malicious, they can request a password reset by typing in your name and clicking the "forgot password" link. Sure, it'll go to your email. If you see it, you can alert the site that you didn't request it. But some sites automatically issue a reset password and disable your existing pass - and it can be a bear to get back in if that's the case.

If you use an email address for forums that you don't check regularly, you might never know that's happened until you can't log in because the forum no longer recognizes your auto-login. Sure, it's just annoying. But on some forums, IF the user can hack into an admin account and get access to profiles, then they can change registered emails and request changed passwords. If you haven't logged in with your kid's name since you created the account, and don't remember the password, you may be SOL.

This board also allows spammers to register. If you see a screenname with a bunch of nonsense letters, trust me, it's a spambot. Some forums auto-delete or ban those IDs so that they never show up on the main board and other users and spiders never see them. CC didn't always do that, and doesn't always do it now. The presence of spam users on a forum member list or front page alerts other spammers and spambots that this forum is an easy mark. User registration may have been tightened up since our last spammer attack, but it was very loose for a long time, and many of those names are still in the member directory.

So - in brief:
Use a secure password and check the email you've registered for this forum regularly.
Don't use real names on the board unless that's how the user actually registered.
Don't post specific travel plans (dates, flights, even exact destinations), home city information, full email addresses or (goddess forbid) phone numbers on these very public boards. Remember that this is not a little community that nobody ever visits - it's a highly searched and very public forum.
Respect the privacy of your fellow members - realize that calling them out for their status after, say, surgery or scans, may tell someone who is being malicious more about that person than they ever would have revealed (like where they live, or where they are treated or hospitalized...which means maybe their home is vacant or they're not really on their A game.)
Try to remember that your "need to know" stops right before you reveal what someone else has been doing lately - and if you simply must contact someone for their latest surgical or chemo update, consider sending a PM and not posting a public thread calling out "So and so - tell us how your resection surgery went."

Remember that someone who decides to harass you can come out of nowhere, for no reason that makes any sense except to them. And if you've made your information too easy to get, they can do a lot of annoying damage that makes forum use a challenge, rather than an opportunity to connect with other survivors.
= = =

Re: Some basic forum (and internet) precautions

Posted: Tue May 15, 2012 2:25 pm
by edgellc
Thanks for the post, I unfortunately am guilty of some of these things myself :oops: . Just goes to show a little common sense goes a long way. So thanks for the friendly reminder :)

Re: Some basic forum (and internet) precautions

Posted: Tue May 15, 2012 2:28 pm
by juliej
Very good tips! Thanks, Gaelen, for posting them.

Being online has its risks, and you have to be willing to understand them, accept them, and work to minimize them to operate safely in the virtual world.

Re: Some basic forum (and internet) precautions

Posted: Tue May 15, 2012 4:25 pm
by pmterra
Thanks Gaelen! Wish I would have read it before :oops: Really great advice and tips. Thanks for looking out for us!

Re: Some basic forum (and internet) precautions

Posted: Tue May 15, 2012 7:55 pm
by Beatrice
Thanks Gaelen,
can't change the name thing any longer but I will be very careful with what I will write.
It was such a find to have this board with people who understand our situation that I never thought any sick person, hacker or spammer would actually venture to this site to misuse info of people that are already struggling with fate, health and hardship.
Thanks for alerting everybody to be careful!
Beatrice

Re: Some basic forum (and internet) precautions

Posted: Tue May 15, 2012 8:23 pm
by Gaelen
One thing everyone should be aware of - earlier this year, there was an ASCO study presentation on The Place of Web Forums in the Cancer Experience.

"The researchers picked two internet CRC support forums based on four criteria:
"Two of the most active CRC web forums were identified using 4 criteria: site active for > 5 years, > 12,000 total posts on the forum, >20 individuals currently browsing, and > 10 new posts/day. All posts posted in Jul and Dec 2010 and Feb-Mar 2011 on the two forums were abstracted for review and coding using MaxQDA software."

These were RESEARCHERS, not hackers. But they wanted to learn something about how survivors use forums - and learn they did. They found out enough information from using their software to extract post info that they "were able to determine demographics and/or tumor information for 83% of the posters. They got this information most likely from public posts and signatures, since actual membership data isn't referenced as a source. No matter how careful you think you are, most people reveal far more on an internet forum than they think they do. Publicly posting the specifics about when you'll be where (like trips to a cancer center, meetups, your email, etc.) are never smart...but stumbling on this abstract reminded me that you never really know who's reading these posts...or why...or where that information will end up...or how it will be used."

Careful as I try to be, I had the pleasure of having an internet stalker - who found me on this forum, got the information she needed, and proceeded to harass me for over a year until she made a mistake and I was able to find and get in touch with her internet provider, who took her down. You need to keep in mind that people who aren't registered read these posts every day...and you need to be careful.

Re: Some basic forum (and internet) precautions

Posted: Fri Sep 18, 2015 8:21 am
by Maggie Nell
bump

Re: Some basic forum (and internet) precautions

Posted: Fri Sep 18, 2015 8:39 am
by ALW
Well that was eye opening. Thank you for the post.

Re: Some basic forum (and internet) precautions

Posted: Fri Sep 18, 2015 5:21 pm
by Cj51
The information in this thread is still very relevant. For newer members who may be reading this thread, Gaelen was a valued member of our community who passed on a few years ago. Her contributions were valuable and she is missed by all who knew her here.

Cj

Re: Some basic forum (and internet) precautions

Posted: Fri Sep 18, 2015 5:46 pm
by Nik Colon
Thanks for the info, I'm pretty open so I'm good :) I guess as a fb user, most what I post here is already there, soooo, I'm fine with it. But again, thanks

Re: Some basic forum (and internet) precautions

Posted: Fri Sep 18, 2015 10:22 pm
by florencedollar
I miss gaelen. I was concerned about people putting too much info out in my "how did u choose your username" thread. We had fun w that topic 4-5 years ago and I thought it would be fun again. I hate that we have so many new people to participate.

Re: Some basic forum (and internet) precautions

Posted: Sat Sep 19, 2015 9:59 am
by canadiandaughter
Thanks for bumping this up!! We had a speaker at our school this week, actually also saw him at a professional dev day yesterday, speaking on this very topic. He is a policeman from Victoria, BC I believe he said. He is also known as the white hatter. His job is catching creeps online. We learned a lot and I have locked down my facebook more and my phone. But, I had never really thought about this forum as well, so glad to see this post this morning. This is a message that we should never get tired of hearing. It was nice to finally have a presenter at the school that the majority of the kids actually listened to!! Hopefully the info about bullying on line and the sexting these kids are into will stick with them!!

Re: Some basic forum (and internet) precautions

Posted: Sat Sep 19, 2015 11:59 am
by LeonW
canadiandaughter wrote:We had a speaker at our school this week . . . job is catching creeps online. We learned a lot and I have locked down my facebook more and my phone.


Yeah, creepy how much info FB collects anytime you log on. I've a utility somewhere that shows all these. I'll post it here I've found it back.

L :arrow:

Re: Some basic forum (and internet) precautions

Posted: Sat Sep 19, 2015 3:51 pm
by canadiandaughter
LeonW wrote:
canadiandaughter wrote:We had a speaker at our school this week . . . job is catching creeps online. We learned a lot and I have locked down my facebook more and my phone.


Yeah, creepy how much info FB collects anytime you log on. I've a utility somewhere that shows all these. I'll post it here I've found it back.

L :arrow:



I had mine all locked down, but didn't realize that you need to keep checking as it changes back. I enjoy facebook to stay in touch with friends and some of the games, but I don't need any problems from it. I would be safe, there is nothing on my fb that is incriminating for my job, I am not a dramatic poster, but better to be safe than sorry. Some of these people that post every detail of their lives and then some need to think twice!! I know when we hire people, I have facebook creeped them to get an idea of their personality. Some we have decided to avoid because of it.