This article is a practical, bullshit free guide to your personal security as an ARRSE User.
This is about the risk to you of unauthorised access to, and disclosure of any private information that is stored on ARRSE. All websites are vulnerable to some extent to this threat, and ARRSE is no exception. The article covers some elements of internet security in general but only where they overlap with ARRSE use.
A slight aside before we wade in: we will not knowingly pass on any private information to anyone without a court order instructing us to do so. We send out no spam and only one newsletter per month, will never sell the ARRSE email address list and are generally decent folk.
Information That Could Be Obtained
There are five principle pieces of private information that could be obtained from unauthorised access to ARRSE:
- Your email address
- Your IP address
- Your Personal Messages (user to user messages sent through the site)
- Your password
- Your posts in private forums
Note: Your computer may also transmit information such as the browser you use, your operating system and so on when it requests pages. We don't record this although it is used to generate some [statistics]. This sort of information helps some websites send you the right content. Its disclosure excites geeks on some websites. This won't be discussed further here.
The information we hold is stored and accessed as follows.
- Our database, well over 1GB of information that IS ARRSE. It contains all the posts, all the usernames, all the blog entries etc.
- The server log. We keep 3 days of these. They are a record of access to their site and can help to debug the server, find any hack attempts etc. An entry looks like this:
918.104.22.168 - - [26/Mar/2008:06:33:40 +0000] "GET /cpgn2/Forums/viewforum/f=112.html HTTP/1.1" 200 7766
- Database backups.
Means of Access
Elements of this can obviously be accessed via the website itself - how you read the posts, and you can of course see your own email address. Privileged user accounts show all email addresses and IP addresses. The full information above requires access to the server back end. This is only open to the 'COs' and authorised employees while carrying out work on the servers.
Risk and Damage
Posts and PMs
The damage from disclosure of your posts in private forums and personal messages are down to what you post or send. Your private messages are gone when you delete them although may still exist in our backups. They are not stored encrypted in the database and could be read.
Obviously enough if your email address has your name in it then when combined with other info that you post about yourself it could reveal your actual identity. Also disclosure of it to an address list seller or just a malicious user could result in you getting more spam (if that's possible!). Fairly obvious stuff, and if by the end of this article you think the above is a serious risk and the damage significant then use an anonymous email account such as hotmail. You can change your email address here. Please makes sure you forward any emails to your normal address if you do this.
There is a lot of worry about this as it is a technical mystery to most and there is plenty of scare mongering about the disclosure of this. Firstly a one line 'what is it?'. An IP address is the virtual address of your computer that allows us to send web pages to you. You can't use the internet without showing your IP address (although it is possible to go via an intermediary, a proxy, on the internet to disguise it).
In general an IP address reveals the area you are in and the name of whichever company provides your internet service.
There are two significant types; dynamic and static.
The vast majority of home users have a dynamic IP address. This means that every time you connect, or periodically if you stay connected, your IP address is different or changed. (IP addresses are in short supply on the internet and this allows the ISP (your service provider) to have more customers than IP addresses, on the assumption that not all customers are online at the same time. It also effectively stops you hosting your own websites on your cheap connection). Therefore to get your actual location from a dynamic IP address it is necessary to take the address and exact time you used it to your host company and force them (via a court order) to find the real details.
A static IP address is one that is tied to your house and doesn't change, and it's quite possible that a search for it on a site such as SamSpade will give your name and address. The good news is that if you have a static IP address as a home user you will almost certainly know it - you will have asked for it and paid more for the pleasure.
Your company is more likely to have a static IP address, especially if large. You will share the use of that IP with other employees so it won't lead to your desk, without access to your company internal data at least, but it will be possible to work out who you work for.
In summary, for most people disclosure on an IP address is not worth worrying about. To check what it does show, firstly go HERE and read the big number off the top of the page - your IP, then go to SamSpade, type it in and see what comes up. Probably junk.
Your password is stored in the ARRSE database so that the system can compare it with what you type when you log in. It is however encrypted using one way encryption. This means that it cannot be unencrypted even if you know the key that was used to encrypt it, without first cracking the encryption algorithm, and this is truly a task of hercules and you should certainly be applying for a job with GCHQ if you can do it. (The software compares what you type with the encrypted version mathematically - it knows if the passwords match or not, but not more).
When you access ARRSE the link is not encrypted. While passing data over the wider internet itself is safe enough, at the beginning and end of its journey, your (and our) local network, it can be surprisingly easily 'packet sniffed'. View it as the internet version of the entering and leaving the patrol base threat. Anyway, this means that at some stages during its journey from your computer to our server, what you type can be read by the wrong person in the right place; the reason that you get an encrypted link when connecting to banks, paypal, shopping sites and so on.
In summary, you shouldn't use the same password for a website that doesn't use an encrypted link (shown with the padlock that appears in the address bar or bottom right of your browser) as you do for 'serious stuff'; banking and so on.
Also DON'T USE GIRLS NAMES, PLACES OR SINGLE DICTIONARY WORDS (this goes for all passwords of course, not just ours). Seriously. Password cracking tools will all the usual tricks right at the start - the username backwards, names and so on, and then crack on through the dictionary. After that a hacker must rely on 'brute force' and try all combinations of characters and all lengths until it gets it right. If your password is a reasonable length and particularly a mix of upper and lower case, numbers etc., this would take hundreds of years so it's pretty damn safe.
It was suggested that there is a threat to your physical security if the information discussed is disclosed. Most reasonable people would view hacking ARRSE to get your email address as an extremely extremely extremely pointless and unlikely means of targeting service personnel, but you decide.
Of more concern to most is the disclosure of their true identity having a career impact. To put that into perspective, a very prominent member of ARRSE told his DV (developed vetting - regular access to top secret) interview board about his involvement and it did not cause a problem. ARRSE is widely accepted and your use of it is unlikely to concern anyone particularly, obviously depending on what you post. That's not to say that individual OCs might not take exception to it, but don't worry overly.
Going back to the possible information gained, you can basically reduce this threat to near zero by using an anonymous email address.
Our Defences and the Weak Points
ARRSE goes to great lengths to avoid a website hack, as result of a hack in our naive early days. The software we use was particularly chosen because of its good record, we don't share a server with anyone else (common practice), we are behind a serious firewall, our database server is not web accessible.. techno blah... . But if you got a job working for us, our hosts or possibly our data centre (where the server lives) then you could get access to the site.
Given that the information we hold is of low value, we consider this an insignificant threat. Infiltration of this type would be a disproportionately large amount of effort to go to to get some email addresses. You should be aware of it however.
A more significant weak point is unauthorised access to your account directly or to a privileged user account, perhaps a moderator has not logged out of a public machine for example. Such non-malicious accidental access is also considered by us as not a significant risk, once again given the low value of the information held, and the low probability that the next user is 'a baddy'.
An ARRSE moderator or employee could pass on your email or IP address (although has no access to PMs or private forums of course). As in any community, virtual or otherwise, it is a matter of peer trust (and in our case formal written rules) that your information is not passed on without your permission.
Your password. This is the big one. It is our assessment that the biggest risk to many ARRSE users of unwanted access an account is as a result of a weak password.
Leaving your account logged on when you leave the terminal. Think about it.
Finally, do assume that any organisation with a really serious need to get unauthorized access to our data could do so. Let's face it if GCHQ could be bothered and didn't have more important things to do, nothing we do would stop them.
What Could We Do Differently?
Just a few thoughts about the current setup:
We could use the security code next to the login box to help prevent password crack attacks. The reason that this is not enabled is that it causes too much confusion as is a pain in the arse that annoys people. This places the responsibility on the user to have a good password.
We could force a user logout after a certain time, or make a two stage login. We assess that for the vast majority of users this is an unwanted complication, and simply overkill.
We could use an encrypted connection. This causes a significant delay while the secure connection is established with your PC and has a network traffic and server overhead. We assess that the value (protecting your password while being sent) is not worth the price. Encrypted links are normally only used where personal information such as addresses and banking details are stored.
We could pay for highly secure hosting, or get our own mini data centre where we have access control. This simply comes down to money. The site cannot afford bank / government level physical security.
There are other technical measures that we could tighten. We are way ahead of most comparable sites on technical protection, and further improvements are underway as I write this. We as an organisation almost certainly have more to fear that you through a malicious site hacking and go to very great lengths to avoid it.
The level of protection against unauthorised access on ARRSE is appropriate considering the very limited user information we hold and the resulting threat. We take information protection very seriously but try not to unnecessarily complicate site use through OTT protection measures. As with all internet use a large part of the security burden must be borne by the user so...
If you find the risk of compromise significant after reading this:
- Use an anonymous email address.
- Consider not posting from a fixed IP address that can be linked to you.
Regardless of that:
- Use a good password.
- Don't use the same password as you do for 'serious stuff'.
- Don't write anything on ARRSE that will really cause you problems if linked to you.
- Don't assume private messages are 100% private.
- Log off from your account when you have finished posting (especially if it is a public PC)
I will lock this although please feel free to question or add to it in the ARRSE stuff forum. I will amend as needed.