Members: Your thoughts on a more secure ATS.

I like the idea of security especially on the internet, a slight slow down in performance seems a small price to pay for better security.

And on a side note S.O. that whole Navy thing sounds quite juicy.

Now if you really want to get serious about security may I suggest something totally ridiculous. I believe the ultimate security would be some form of facial recognition software. The only way you could access or post on the site would be through facial recognition.

The only draw back to this plan is that:

a) everyone would have to go out and purchase some sort of touch screen capable monitor.

b) you'd have to keep your whole face smushed up against your monitor the entire time while logged on.

Sure it's bad for the eyes and probably your posture; plus reading, viewing and posting would probably leave a lot to be desired but it would certainly keep out the riff raff.

Just a thought.

Spiderj

Originally posted by Majic
If I were to look at an area of ATS security that I would want to upgrade, it would be the member login process and profile data.

The login process controls access to member account data and guards against account hijacking and misuse.

The member profile data contains the sole "hard" link back to a user's identity: an email address.

Thus I see the member's login and profile data as the most important member data to protect, and it may make some sense to beef that up with SSL and perhaps other schemes as appropriate.

However, for everything else, I think cookie-based security is probably fine. It's not like ATS is an online bank.

Backstage Pass

Another area worthy of ensuring a high level of security for would be all access by staff members: moderators, super-mods and admins.

Any form of interception of any of these accounts or access points would have grave consequences for the security and integrity of the site. So for staff accounts, full-time https might be a good idea.

This pretty much covers what might be needed.
Imho, of course

Originally posted by SkepticOverlord
Given this story: www.abovetopsecret.com... which most of us suspected was happening anyway, I've been considering some options for our members.
]

I applaud your efforts. Couple of things. Keep in mind I'm not an IT expert.

Many of the links we post and click here are .gov and .mil, meaning our IPs can be easily traced by said domains. Taking ATS out of the loop, as far as security goes.


We have no idea what all the NSA tricks are in sucking information into its database, for that I am pessimistic in locking down any system.

Hate to sound like a party pooper S.O.

I dont see SSL as being of any use in protecting the site but rather a false sense of security for members. There is no assurance at all that the NSA doesnt know of weaknesses in the SSL suite and uses them daily to read encrypted traffic. Even if the data is encrypted in-transit the motherlode of juicy stuff (if you believe the site has any such data in the first place) is sitting on the server in plain text. Securing ATS against the Federal Goverment is not possible at all, so why entice people with something that will provide no real protection from having their information snagged, especially when even if they did use the crypto their home machines would still be at a fairly high risk of being sniffed or logged given the common level of computer knowledge?

I have only midling knowledge in this area but I cannot see what ATS can do to protect the annoniminity of its members.

The best that ATS can do is be out there: in the open and courageous in getting out the truth even if it conflicts with the views at times of management and ownership in my opinion.

The only thing you can do is make it difficult for third parties to access your data base that I know of.

If somebody is posting here and needs annoniminity beyond the norm then maybe a page to suggest some legit techniques is in order to teach people. I have seen this on other forums I go to that are much more contenious than ATS btw.

It is the posters liability to take the risks that they are comfortable with in any information they profer to others.

Lastly, it is always best to make yourself more visible in the hopes that if you are in trouble that many know your situation and can come to your assistance if need be. The person that is alone and believes they are hidden is often the most vulnerable it seems.

My Thoughts on this...

I like the idea of it being a member option, and paying points like 1000 or so to have this option.

However, The Gub'ment is likely already here posing as any old casual user. They were onto us before we were onto ourselves.

Just take the whole indymedia fiasco, it was shut down for having too wild of left-wing thoughts.

Making this site too secure, will deter any new users, as it will be a hassle to get the secure access.

Now I love this site, but much of it in any of the government/terror/UFO stuff, has a decent percentage of disinfo fed to us by undercover agents from The N.o S.uch A.gency, and soforth.

So while the security would be nice it's a little moot at this point.

Thanks,

-ADHDsux4me

Originally posted by SkepticOverlord

I'd like your feedback on this idea... would you give up a slight performance hit in favor of encrypted communications with ATS?

Since I know next to nothing about the technical issues involved, I'll just say, whatever YOU think. If you think encrypted communications are a good idea, I'm ok with a slight performance hit.

Very recently, a vocal and hostile member turned out to be accessing ATS from the Navy Intelligence network.

...and I can't wait to hear more about that, if and when you can share it.

Just out of curiosity,

Does anybody here actually Know how SSL/HTTPS works? I've set up a few credit card thingies for various web sites before, so I had a rough idea... I just went and read up on it some more, so now I have an even better idea.

Honestly, I don't see how a Secure Socket Layer between me and ATS is going to help protect me or my identity in Any Way.

Yes, AFTER a lengthy 'handshake' procedure, once my computer is finally convinced that it is talking to your server, some certificates and code keys are exchanged and transmissions between our two machines are now done via some encryption process.

How do I Really know that my computer is talking to your server via an encrypted channel? I don't. My computer Thinks it is, and that's about all any of us will ever really know...

How do I know the certificate my computer is being asked to accept is really from you? I don't. My computer may think it's on the up and up, but (and I think everyone else here would agree) when I click on that YES button I'm pretty much doing so on good faith. So What if the thing says it's signed by Simon Grey, (or VeriSign or any one of a number of other third party 'impartial' CA providers) what does that 'prove'? Anything?

SSL encrypts data as it leaves my machine, and the data is decoded as it enters your server.... but it doesn't protect your server or my machine from anything.

It doesn't really stop the 'man in the middle', either, if the 'man in the middle' happens to be AT&T (or some other big provider)

The whole SSL thing was invented by Netscape way back when to facilitate online shopping... it was a way to encode credit card numbers for broadcast.

I don't think that SSL is going to do anything but lag us and tick some of us off...

I think that if people want to surf anonymously and hide under rocks and erase their tracks or what not, then it is the individuals responsibility to take the appropriate actions to protect themselves, not ATS...

rock on
twj

I think bikereddie summed it up pretty well for me.

I haven't seen anything on here that could be of much interest to the government, unless it was just trying to gauge the opinion of people who post on ATS and extrapolate something broader out from there. Good luck on that one...

Some timely advice came from Valhall the other day, about things to consider when posting your picture in forums. Maybe a more comprehensive "syllabus" on this type of thing.

As far as anything that gets said on here, folks just need to use commonsense. Freedom of Speech is still protected in The West (I think). I haven't seen anyone here yelling "Fire" in a crowded theatre.

I really enjoy the site so, whatever you guys do, I'm fine with it. After all, nobody is forced to come here.

I'm no computer genius, as should be evident from my attempts at avatars, but it seems to me that you folks have established a really great place to visit, with a high attention to quality.

I can't imagine you would do anything to "shoot yourself in the foot", so to speak.

Carry on, I say.

The illusion of security is probably not worth the extra hassle. I've never said anything I'd be ashamed to go on trial for, and I think I speak for most of us when I say that.

I think it's scandalous that it's even possible for them to waste our tax dollars probing the boundaries of our innocence.

And Spiderj, as far as the Navy Intelligence bit, it's not juicy, to me anyway, it's just sad. :shk:

Originally posted by Gemwolf
Is there a real need for high-security?

No. In fact, isn't this place more of a ... get it out in the open..
kind of place? Isn't the whole point to bring things up that
people need to know and to get people to see it? Wouldn't
being cloak and dagger just kill that?

How many of us really share the kind of Top Secret Area 51 Classified information ..

No one.

Personally I have nothing to hide

Me either. AND is there really anything here that puts a red flag
out for the government? Nope. I don't think so. I doubt they
care.




[edit on 4/12/2006 by FlyersFan]

Originally posted by FlyersFan
No. In fact, isn't this place more of a ... get it out in the open..
kind of place?

I agree. Most of the information that we share in these boards is not secret it has been out there for a while.

Unless it has been some knowledge of classified information leaking from ATS, I imagine that the NSA would have been all over already.

I don't have nothing to hide and most people are smart enough to be careful of what they post that can be incriminating.

But if it makes some members more happy to have stronger security measures here in ATS that is fine with me.

I have a suggestion for you guys. Okay SSL would be great for when you post, or reply. I am talking to my good freind who writes code for forums, to come up with a way to make Member information, ex: IP addresses and e-mails, encrypted, and only viewable to a person who hails from the IP, or the board admin. He told me it would probably take him a couple days to finish, it. Hes gonna test it and I will post back with my findings.

The only time i recall something that tested ATS security was when that Government agency group decided to leak something here and test how their staff handled a leak. I believed it was a training exercise (the thread can be found on RATS ). WITD also tested it too after an "apparent" FBI scare.

Ive been here for 3 years now and security has never really been an issues here. But i have my own golden rule, that if im unsure of posting a certain topic, i wont.

maybe member security and protection should be an issues here

[edit on 12-4-2006 by infinite]

I think we should keep it the way it is; I appreciate the fast speed, and I'm sure the NSA can either break any kind of encyrption, or find other ways to get whatever they might want to know.

Originally posted by apocalypticon
I think bikereddie summed it up pretty well for me.

Thanks for that.. At least we have something in common here eh?

Correct me if I am wrong, but as AT&T has demonstrated with flagrant use of 'their' database, one of the largest in the world and chock full of just about every event that has ever happened on any one of their connection points.

So every post we make here, as it bounces around on its way to its destination between ATS servers and my pc, in theory has a pretty good likelihood of bouncing off information or page views or posts, etc, off of an AT&T server, thereby being recorded into its archive. This is 'their' database, company owned and controlled, so they own it now.

And its obvious that AT&T doesn't mind using it. I haven't read all the threads but as I understand it AT&T basically willingly became a participant. You have to wonder what other commercial and non-commercial uses they have for their data.




But as far as ATS,..

SSL encryption on the login pages (make the index page login unencrypted with a lil statement below it of 'click here to log in secure'), encryption on the member center pages, and encryption on the settings pages, encryption on the post submit page. Any other pages I cannot imagine being much useful.

Or, maybe have a button in the member bar that says 'encrypt',... and a user can view and click on it only when logged in,... and when a member clicks on it it sets a bit on their member information in the database,...turns to 'un-encrypt' button,... and the member logged in stays encrypted until the 'un-encrypt' button is clicked,..or the member session expires.


Basically make it an opt-in option either at log in, or a current session recognized by the board scripts.

And maybe the option in a member control panel for settings,..to check or uncheck, 'auto-encrypt at valid session visit', or something like that.




Just some thoughts,.... but honestly we are all being data-mined all day long no matter what we do. It sucks. But it would be a nice 'option' user selected, to know that what your current activities at ATS may be,..will not be flung around on the internet and bounce off servers that store copies of the packets they relayed, unencrypted, and at least a bit hidden from outfits that do not care what it does with your data.



To make it a mandatory thing for all members though may be restrictive in the sense of some folks may not have great connections or pc's, and would be inhibited to some degree.


EDIT - and yes, I think a minimum number of posts, or as a store item for the option to show the encrypt button, would be cool too.


[edit on 12-4-2006 by smirkley]

I don't see how us offering an ecryption option equates to anyone "giving up their Liberty" or hiding ANYTHING but their personal preference data...

There is no way we could or would encrypt the posts. What exactly are you all talking about? In what way would this be relative to giving up freedoms or your "voice"?



Springer...

I dont see a point to encrypted log ins personally...especially it'll bog down the site.

I say pass on this idea.

Originally posted by Springer
What exactly are you all talking about?

Springer...

If there's going to be some obscure, subjective "knowing what you're talking about" criterion, then I'm afraid I'll have to ask you to disregard my previous post.

[edit on 4/12/2006 by yeahright]