[split] MyPlus! Logs Security - Printable Version


[split] MyPlus! Logs Security by Chrissy on 02-11-2011 at 01:18 PM

What's the server IP address for MyPlus(A)


RE: Plus! 5 is out! by traxor on 02-11-2011 at 01:21 PM

quote:
Originally posted by Chrissy
What's the server IP address for MyPlus(A)

- Echo a list of your connected IPs into a text file.
- Connect to MyPlus!
- Repeat the previous command into a different text file.
- Diff the two.
RE: Plus! 5 is out! by Chrissy on 02-11-2011 at 01:23 PM

I am not going near MyPlus :|


RE: Plus! 5 is out! by Menthix on 02-11-2011 at 01:29 PM

quote:
Originally posted by Chrissy
I am not going near MyPlus
:( Fine, I'll bite, let's say the servers are in China. What were you going to moan about?
RE: Plus! 5 is out! by Chrissy on 02-11-2011 at 05:20 PM

What's stopping 'Yuna' from reading our logs?


RE: Plus! 5 is out! by Thor on 02-11-2011 at 05:31 PM

quote:
Originally posted by Chrissy
What's stopping 'Yuna' from reading our logs?
That's one I'm actually interested in myself. I would presume it's encrypted on the server -- but with what?

For all I know it could be that it requires you to use the encryption password within Plus!, so that when you try to read logs online you have to use that to decrypt the passwords.

Otherwise, I'm not too fond of it unless it's host-proof.
RE: Plus! 5 is out! by Chrissy on 02-11-2011 at 05:57 PM

Even if it is encrypted on the server, Yuna can still see it. And if it's encrypted here then sent, with the amount of data Yuna has they can easily come up with an algorithm to decrypt most of them, and sell them to marketing companies or spammers.


RE: Plus! 5 is out! by CookieRevised on 02-11-2011 at 06:12 PM

quote:
Originally posted by Chrissy
What's stopping 'Yuna' from reading our logs?
What's stopping MS from reading your hotmails?
What's stopping FB admins from publishing your private data?
What's stopping your ISP from reading your internet traffic (incl. password sends (like POP3 logins) over an insecure connection)?
What's stopping the admins here from tampering with your account?
And I can go on and on and on like a Duracell bunny on steroids.

If you don't trust them, then don't use the online logging and stop moaning for the sake of moaning.

quote:
Originally posted by Chrissy
And if it's encrypted here then sent, with the amount of data Yuna has they can easily come up with an algorithm to decrypt most of them, and sell them to marketing companies or spammers.
And it's stuff like this which makes it very hard for people to take you seriously and to not call you an idiot.
RE: RE: Plus! 5 is out! by Thor on 02-11-2011 at 06:30 PM

quote:
Originally posted by CookieRevised
quote:
Originally posted by Chrissy
What's stopping 'Yuna' from reading our logs?
What's stopping MS from reading your hotmails?
What's stopping your ISP from reading your internet traffic (incl. password sends (like POP3 logins) over an insecure connection)?
What's stopping the admins here from tampering with your account?
And I can go on and on and on like a Duracell bunny on steroids.

Microsoft: laws/EULA?
ISP: laws?
Admins on these forums: nothing?

You're not making a big point, even if you base it all on goodwill of the provider. When highly personal information is stored in the hands of someone else, it makes perfect sense to set out every inch of doubt available. It's your personal information.

I don't see any reason why wanting a good reason as to what is in place for making sure his data stays private - regardless of "why anyone would be interested in reading it in the first place" ideas.

I do agree that if they have a system that works in an X manner and he doesn't like it, he should stop moaning about it. However, wanting clarity in how your own personal data is handled makes perfect sense if you look at Chrissy as a customer/client, instead of as someone who's just moaning about how horrible Plus! is.

:p
quote:
Originally posted by CookieRevised
quote:
Originally posted by Chrissy
And if it's encrypted here then sent, with the amount of data Yuna has they can easily come up with an algorithm to decrypt most of them, and sell them to marketing companies or spammers.
And it's stuff like this which makes it very hard for people to not call you an idiot.
Now that I fully agree with.
RE: Plus! 5 is out! by Chrissy on 02-11-2011 at 06:31 PM

quote:
Originally posted by CookieRevised
What's stopping MS from reading your hotmails?
What's stopping FB admins from publishing your private data?
What's stopping your ISP from reading your internet traffic (incl. password sends (like POP3 logins) over an insecure connection)?
What's stopping the admins here from tampering with your account?
And I can go on and on and on like a Duracell bunny on steroids.
We know HARDLY anything about Yuna. Compared to MS or FB, which we know A LOT about, we know barely anything; why would people trust Yuna compared to MS?
All that people know is that it's an add-on for WLM (A LOT OF add-ons are spyware/dodgy) and it wants to store their chats on their own servers.

Microsoft is a well known company, that people have used for decades.
RE: Plus! 5 is out! by Menthix on 02-11-2011 at 06:47 PM

At the moment online logs are sent and viewed using a secure (encrypted) connection. But they are not stored on the server in an encrypted form, no. Source: Jieff's reply to Messenger Plus! 5 information.
It is something I would like to see in a future version too: allowing users to save encrypted logs online and doing a client-side decryption. In fact maybe even force users to use encryption, or at least make it default. And in a way that the hashed MyPlus! password couldn't possibly be used to decrypt the logs of a user. It would also be much less of a liability for Yuna should they get hacked.

quote:
Originally posted by Chrissy
Even if it is encrypted on the server, Yuna can still see it. And if it's encrypted here then sent, with the amount of data Yuna has they can easily come up with an algorithm to decrypt most of them, and sell them to marketing companies or spammers.
Not when users set their own encryption key, just like local logs can be encrypted at the moment. Sure, you could try to bruteforce weak passwords, but you can do that with every type of encryption and service in the world. You don't need a large amount of data for that, just a dictionary. As always: don't use weak passwords.

quote:
Originally posted by Thor
Admins on these forums: nothing?
Being a global admin on the site I can tell you I don't have access to any logs except my own. As for the bigger picture (server admins / corporate), I agree these are things people are right to ask and should get a proper and detailed answer to. Preferably in the form of an updated privacy policy. Personally, in addition to that I would still like to see encrypted storage as in the top of my post.
Although even when we do know information like this it still comes down to trust. Yes, Microsoft is a huge well-known company. So are Facebook and Google, still doesn't stop them from doing things users are shocked by.
RE: Plus! 5 is out! by Chrissy on 02-11-2011 at 06:55 PM

Okay.

So if someone hacks into the server or accesses the data on it, they have all our chats?


RE: Plus! 5 is out! by Menthix on 02-11-2011 at 06:59 PM

quote:
Originally posted by Chrissy
if someone hacks into the server or accesses the data on it, they have all our chats?
I don't know the level of other security on the server, for example file permissions. But generally if someone would manage to get root access and files are unencrypted, they could get all the contents, yes.
RE: Plus! 5 is out! by blessedguy on 02-11-2011 at 06:59 PM

quote:
Originally posted by Chrissy

Okay.

So if someone hacks into the server or accesses the data on it, they have all our chats?
Just as they had people's emails and passwords when they hacked Gawker, I guess. I hope Yuna is prepared for that :rolleyes:

*Menthix beat me...
RE: Plus! 5 is out! by Thor on 02-11-2011 at 08:52 PM

quote:
Originally posted by Menthix
Being a global admin on the site I can tell you I don't have access to any logs except my own. As for the bigger picture (server admins / corporate), I agree these are things people are right to ask and should get a proper and detailed answer to. Preferably in the form of an updated privacy policy. Personally, in addition to that I would still like to see encrypted storage as in the top of my post.
Although even when we do know information like this it still comes down to trust. Yes, Microsoft is a huge well-known company. So are Facebook and Google, still doesn't stop them from doing things users are shocked by.
I was replying to CookieRevised in the context of the admins on this forum doing anything to a user's profile, not in the context of accessing logs. Sorry about that, might've been an idea to be a bit more specific. :p

RE: RE: Plus! 5 is out! by CookieRevised on 02-11-2011 at 11:17 PM

quote:
Originally posted by Thor
quote:
Originally posted by Menthix
Being a global admin on the site I can tell you I don't have access to any logs except my own. As for the bigger picture (server admins / corporate), I agree these are things people are right to ask and should get a proper and detailed answer to. Preferably in the form of an updated privacy policy. Personally, in addition to that I would still like to see encrypted storage as in the top of my post.
Although even when we do know information like this it still comes down to trust. Yes, Microsoft is a huge well-known company. So are Facebook and Google, still doesn't stop them from doing things users are shocked by.
I was replying to CookieRevised in the context of the admins on this forum doing anything to a user's profile, not in the context of accessing logs. Sorry about that, might've been an idea to be a bit more specific. :p
It doesn't matter if it is messing with profiles or accessing logs (or in this case PMs) for that matter. The point of the re-questions was that almost every service on the net you trust your data on, needs to be ... well... trusted.... Even if there are NDAs or EULAs in place it doesn't physically stop some people (like root admins) from doing the 'wrong' thing in many cases, not even if it is a 'well known company'. In the end, it always comes down to trust. And if you don't trust it, don't use it.

What I also want to point out, in a very strong way, is that I'm equally 'concerned' about this matter too. I too think there should at least be a more visible EULA or something in place which the user must agree with or sign before being able to upload data like logs. At least more clear than a small link at the bottom of the website pages like it is now. But of course that still wouldn't prevent some server root admins or whatever from doing the 'wrong' thing though. Again, it boils down to trust.

But the moaning of Chrissy just for the sake of moaning gets ridiculous. Look at the rest of his posts in regards to Yuna, it is nothing more than trying to find something new to bitch about, nothing more. Yes he stumbled upon a good and valid question/concern, but immediately screwed it up with his "they can bruteforce it anyway" comment. Showing again he posts that stuff just to moan and bitch imo. If anyone else would have asked the same question in regards to the online logs, I wouldn't have replied what I have replied to him.... Like I said, he makes it very hard for people to take him seriously.
RE: Plus! 5 is out! by Thor on 02-11-2011 at 11:25 PM

quote:
Originally posted by CookieRevised
It doesn't matter if it is messing with profiles or accessing logs (or in this case PMs) for that matter. The point of the questions was that almost every service of the net you trust your data on, needs to be ... well... trusted.... Even if there are EULAs in place it doesn't physically stop some people from doing the 'wrong' thing in many cases.
Unless you go with a host-proof solution, but yes. You need to trust your service provider to a certain extent regardless.

quote:
Originally posted by CookieRevised


What I also want to point out, in a very strong way, is that I'm equally 'concerned' about this matter too. But the moaning of Chrissy just for the sake of moaning needs to stop. Look at the rest of his posts in regards to Yuna, it is nothing more than trying to find something new to bitch about, nothing more. Yes he stumbled upon a good and valid question/concern, but immediately screwed it up with his "they can bruteforce it anyway" comment. Showing again he posts that stuff just to moan and bitch. If anyone else would have asked the same question in regards to the online logs, I wouldn't have replied what I have replied to him.... Like I said, he makes it very hard for people to take him seriously.
Agreed. (Not exactly a very insightful reply to that, but yes. Agreed.)
RE: [split] MyPlus! Logs Security by toddy on 02-12-2011 at 02:28 AM

174.122.242.106

[Image: hands.gif]


RE: [split] MyPlus! Logs Security by blessedguy on 02-12-2011 at 02:29 AM

And their certificates are still for that placeholder domain :(


RE: RE: Plus! 5 is out! by V@no on 02-25-2011 at 06:41 AM

quote:
Originally posted by CookieRevised
What's stopping MS from reading your hotmails?
What's stopping your ISP from reading your internet traffic (incl. password sends (like POP3 logins) over an insecure connection)?
What's stopping the admins here from tampering with your account?
And I can go on and on and on like a Duracell bunny on steroids.

None of these tried to install crapware camouflaged as a "EULA" agreement, which you can't say the same about MP... sorry, but just that slip will make me doubt the good intentions of the MP online feature.

quote:
Originally posted by CookieRevised
What's stopping FB admins from publishing your private data?
Nothing, and they already proved that they can and will do that, because they don't care about privacy.
RE: [split] MyPlus! Logs Security by Arcticwolfx on 02-25-2011 at 08:08 PM

When it comes to the internet it's really quite simple: research as much as you can, test as safely as you can and try to use only sources you logically trust. I quite trust the Messenger Plus! team (though I personally see no need for the on-line chat logging).

quote:
Originally posted by V@no
None of these tried to install crapware camouflaged as a "EULA" agreement, which you can't say the same about MP....

Would you care to define "crapware?" I can not find a clear description of that word. I'd also like to know what specifically you refer to in aforementioned software install.
RE: [split] MyPlus! Logs Security by CookieRevised on 02-25-2011 at 08:45 PM

quote:
Originally posted by V@no
None of these tried to install crapware camouflaged as a "EULA" agreement, which you can't say the same about MP... sorry, but just that slip will make me doubt the good intentions of the MP online feature.
There are 1001 other examples where people trust their data to, and which do not provide a clear option to opt-in or opt-out of a sponsorprogram/ad/crapware.

And yes, I can say the same about MP because, even back in the time it had the sponsor from C2Media, you always had a clear option to opt-in or opt-out. And it was certainly not hidden behind a EULA, which I can not say about many other ad-sponsored programs which do not provide any clear choice. So, on the contrary, the sole fact they always provided a choice and it never was mandatory should instead give you a bit more trust that they have the right intentions with your data. Also the fact that neither Plus!, nor its affiliates, nor related services (like these forums) have ever broken any privacy rules should give you trust.

This said, things have changed and C2Media is not the sponsor anymore. Neither is Yuna the same as C2Media and neither have Yuna ever broken any privacy laws or rules.

But that's all beside the point of why I answered with those questions. The point was that as soon as you do stuff online, you need to trust the companies or services you use to do the right thing. No options, no EULA, no NDA or whatever else will change anything of that or will prevent a malicious employee of those companies from still doing the bad thing. If you don't trust them or you think 'they are evil' or have 'evil' employees, then don't use it. This goes for Yuna, but also for Microsoft, Netlog, Facebook, or any other existing online service provided by any existing company.

Hence a question like "What's stopping them from reading your logs" is rather useless, and, imo, can only be answered with the same questions: "What's stopping any other company from publishing your private data?". If they have a bad admin you're screwed. And that has got nothing to do with having a sponsor or not, or even with being Yuna or not.

So, in the end, it is not because they wouldn't be able to answer such a question and to completely exclude the possibility for an admin turning bad for example, that you should mistrust them on that basis alone. Because no company can guarantee something like that. If you do mistrust them for that, you shouldn't be using the internet.
RE: [split] MyPlus! Logs Security by V@no on 02-27-2011 at 01:25 AM

Ok, let me rephrase the question:
Give me a good reason why they are not encrypted when there is already a built-in encryption feature?


RE: [split] MyPlus! Logs Security by blessedguy on 02-27-2011 at 01:28 AM

quote:
Originally posted by V@no
Give me a good reason why they are not encrypted when there is already a built-in encryption feature?
Server strain.
RE: RE: [split] MyPlus! Logs Security by V@no on 02-27-2011 at 01:31 AM

quote:
Originally posted by blessedguy
Server strain.
Oh, c'mon, that's the best you got?
How about encryption on client side then?
RE: [split] MyPlus! Logs Security by blessedguy on 02-27-2011 at 01:36 AM

quote:
Originally posted by V@no
How about encryption on client side then?
Ask jieff. But it may be related to the way they store the sessions, it's not individual files.

RE: [split] MyPlus! Logs Security by Menthix on 02-27-2011 at 10:41 AM

They'll have to rewrite stuff on the server-side if they add encryption. Yes, you could easily use client-side encryption which Plus! already has and upload .ple files. But those files will still have to be decrypted somewhere at some point for the online logging feature to be useful. Decrypting files server-side wouldn't be very sufficient since then decrypted files will still reach the server, how much security does that actually add? The good way to do it IMO is to perform both encryption and decryption client-side. Why they didn't add something like that already? Who knows. But Jieff did say they are considering adding encryption to online logging in the future. I'd rather see them taking some extra time to do it right than doing it in a way which doesn't really add much extra security in the first place.


RE: [split] MyPlus! Logs Security by CookieRevised on 02-27-2011 at 04:45 PM

quote:
Originally posted by Menthix
Decrypting files server-side wouldn't be very sufficient since then decrypted files will still reach the server, how much security does that actually add?
Not to mention that Plus! needs to send the password to the server for that.

quote:
Originally posted by V@no
quote:
Originally posted by blessedguy
Server strain.
Oh, c'mon, that's the best you got?
It _is_ a very big issue.

Imagine you have 50MB worth of logs on the server. And all that needs to be decrypted every time you search or update a log. Now multiply that by a few million (users).

Not to mention, again, Plus! would need to send your password to the servers. And seeing people already complain about and mistrust the current logging system (for no valid reason imo) I can only imagine what they would say when their pwd is sent to it.

quote:
Originally posted by V@no
How about encryption on client side then?
Same issue about the server strain will exist though. In fact, if logs would not be cached locally, you would have even more server strain because now the whole 50MB worth of encrypted logs needs to be downloaded before even a search can start.

Unless of course they disable searching encrypted online logs. But even still, server strain is and will be a big issue with stuff like this.
RE: RE: Plus! 5 is out! by Dex Luther on 03-22-2011 at 07:07 AM

quote:
Originally posted by CookieRevised
What's stopping FB admins from publishing your private data?

Nothing really, which I guess is why they do it.