Social Engineering Techniques and DearDiary.Net Security


Good evening ladies and gentlemen,
It's now the 2nd week of the new year and already I have received my first ‘your database has been hacked because someone knows information about me that I only posted in private entries’ complaint.

I have dealt with this kind of complaint before, and invariably, after I spend days scrutinizing logs, checking firewalls and checking remote systems, I discover that what has really happened is that once upon a time 2 diarists were friends and everything was going splendidly.

The pattern seems to be that the 2 diarists talked a lot, on MSN Messenger perhaps. E-mail addresses were shared, personal conversations entered into, and all the while MSN logged such information. Initially such logs are just a matter of course, because that’s what MSN does. Or ICQ. Or AIM. You get the idea. Each conversation just happens between two friends and everything is fine. That is, until the friendship turns sour – as is often the case with online friendships (though by no means always, of course). And when the friendship turns sour, suddenly all that harmless information that was ‘socially engineered’ and gathered over the last 6 months to a year becomes useful ammunition.

And then I get an e-mail saying that such and such a diarist has access to my database, because they know information about the writer that is only in private entries, so that must be how they got it. Such e-mails usually say that I know who the person is talking about because it’s happened before, and they assert that I have given this person access to the DearDiary database to ‘help’ with security issues.

Yes, this comes up at least three times a year and has done for the last 5 years, and this time is unlikely to be any different. I’ve spent ages scrutinizing logs and checking things out yet again, so I am going to put the record straight.

The server at DearDiary.Net has a very large number of security measures in place to ensure that only authorised people have access to the database. Even Hamiko employees have not had access to the DearDiary.Net database. All communications to the server are encrypted using SSH, which requires a pre-arranged and authorised SSH public/private key pair in order to log in. The only machines that have the private key are owned by me. In fact there are only 2 people who have ever had access to the database: me and Matt.

The server has a significant number of systems dedicated to watching what goes on, to block unauthorised access and to ensure that if someone manages to gain unauthorised entry I know about it quickly. To date, no such event has occurred, and I do watch it closely every hour of every day. Alerts are generated to separate systems if intrusion attempts occur (and they regularly do).

I have been managing internet servers since 1993, before most of you even knew the internet existed. That doesn’t mean the systems I run are totally secure, because the only totally secure system is one that isn’t connected to the internet. But so far I have stayed ahead and managed to keep intruders out. This isn’t a challenge to try my system’s security, it’s just a statement of fact. The underlying fact is that I have not needed to enlist the assistance of anyone else, particularly someone whom I have never met personally and don’t know from a bar of soap, to secure my system. That’s not to say I haven’t spoken to various people about the system when they’ve come to me and said they think there might be a security hole – but no-one has EVER been granted access to fix any security hole, nor to look for new ones. No-one has ever been granted system access to the server on which DearDiary.Net runs, and no-one ever will be.

I’ve a personal vested interest in this of course. My web sites are hosted on this server. My diaries are on this server, with a good deal of information in private entries that I’d rather no-one saw. If you want to prove that someone has access to my database perhaps you’d be kind enough to e-mail me something from one of my own private entries that they’ve sent you.

The only holes in DearDiary security that I am aware of are in the wetware. If you befriend someone at this site and you give them personal information there is a risk that information will be used against you if/when you fall out.

I won’t tolerate bun fighting at this site, you all know that. But equally I am tired of hearing vague ‘security’ issues about the site that are totally unsubstantiated. If you can substantiate your claims that there are holes in my security system I will gladly talk to you and we’ll get to the bottom of it, but it’s more likely that you’d be better off choosing carefully who you give your personal information to. There are an awful lot of vindictive people in the world – get used to the fact that the internet is absolutely no different.

I shan’t be getting involved in situations such as this any more unless you can come to me with sufficient evidence of wrongdoing, backed up by a court order requesting such information. Of course I will co-operate with any legal enquiry that could come from a true database hack and people using information obtained unlawfully from my database. But if you wish me to deal with it, you need to do me the courtesy of showing there really is sufficient evidence AND back it up by a court case, because I have wasted SO much time dealing with cases where people are making such claims.

Please note this does not in any way change the Acceptable Use Policy relating to bun fights between diarists. It does not give anyone licence to start fighting publicly in their diaries. Such events will still result in the deletion of diaries in line with the Acceptable Use Policy.

14 Comments

  1. I never really thought of such issues.. I have always looked at things as if it is a private entry the only other person who would be able to read it would be you.. and well, who has the time to run a site and go around reading people’s private entries. 😉

    Makes a lot of sense…

  2. [PRIVATE COMMENT]
    Steve, I know Monstergue (assuming this is the one complaining) and I think you are absolutely right about why she’s having the probs. I’m sure it’s not the site, you do a great job. I don’t know the details of what she is going through and don’t know who she thinks is bugging her as I really don’t get into all the details. A bit of paranoia there too . . .

    Anyway, I’m sorry that you have to go through all this.

    I’m really happy about the friends only entries and also the private diary idea.

    Keep on doing the great job you are doing. I think people understand that you run a great site and there are some . . . eccentrics out there.

    Like Rodney King said – ‘why can’t we all just get along?’ Don’t let the turkeys get you down.

    Anne

  3. I can say that I am certain beyond a shadow of a doubt that nobody has ever hacked into my private entries.. Um… Mostly because I haven’t any private entries.. BUT!! If I DID.. I’d be secure in them being safe. So.. Yes.. Good work.

  4. The only way people have got into my private things was because I left passwords dangling around.

    I still don’t know what bun fighting is. I have this mental image of like hot cross buns being used as boxing gloves but I’m probably way off with that.

  5. Thank you for making all this clear.
    I am enjoying my time here, especially now that I have the ability to restrict my readers.
    I guess we all have learnt not to trust people we have met online and to be careful what information we give away, because when things go sour, they use that information to their advantage. And it’s nothing to do with the server itself or the security of the server.
    You have done an excellent job and I’m going to keep subscribing here. 🙂

  6. You know what? I am rather sick of the "bun fighting" reference. I have come to you with legitimate concerns and you have ridiculed me and accused me of giving information in "social situations" that I haven’t given.

    There have been more than a dozen long-term diarists that have been run out of here due to SheWhoShouldNotBeNamed’s harassment and stalking. She is not an urban legend as you are suggesting in this entry. You know who she is and yet you ignore it.

    What is it that she has on you that you let her get away with this? Why do you discount complaint after complaint? Why do you ridicule the victims in the same way that ignorant people say that a rape victim "deserved" it?

    Ban my diary. At this point I just don’t care any more. I am sick to death of what has happened here in the last couple of years. You molly coddle the real trouble makers and vilify those of us with legitimate complaints.

    I’ve had enough and this is my stand. It’s your site, do with it what you will.

  7. I personally feel very safe with my entries here. I’ve never had any problems or fears of anyone hacking into my diary. I believe this site to be very secure and thank you for the great job you do for us. I think you hit the nail on the head with your observation of the issue.

    Abby

  8. I couldn’t stop myself from leaving a comment:

    The only time I ever got into trouble was when the local gal got wind of my link and busted me and Jerry, nothing big. Oopsy next time I will learn to use the "PRIVATE" button whenever I have a flaming affair and do not want to get caught. *grin*

    Is that true that you mollycoddle the trouble makers *wink* (good then I’m safe for the next bazillion years or so.)

    You are doing a great job Steve… Even though sometimes we all want to fire you from a position that you can’t be fired from 🙂

    We still love you though…

  9. [PRIVATE COMMENT]
    Dear Steve,

    I trust you and this site. Only here have I opened up a lot in my private entries. I do not believe that a decent and busy man like you would have the time to even read our private entries. Lol. Not that they are interesting.

    I am a believer in DD credibility and respect for privacy. I do not know her issues, for I am just over a year old at DD, and am not interested to know. But this is a place where I record my thoughts and pains and joys.

    I do not believe you will let nuisances destroy the mission and vision for which DD stands.

    Orient:)

  10. I’ve never had even a whiff of a hint that there are security issues with my diary. I have absolutely no complaints with DD, or you, Steve. I know what a huge headache this place is to maintain. I give you tremendous credit for not chucking the whole thing down the loo. There have been times when I wouldn’t have blamed you if you had. Thanks for remaining our fearless leader through the thick and the thin!
    Hugs,
    ~Cali

  11. From: causingchaos
    Date Posted: 14 Jan 2005

    "I still don’t know what bun fighting is. I have this mental image of like hot cross buns being used as boxing gloves but I’m probably way off with that."

    I guess ya ain’t SO far off with the above notion, causingchaos…cuz that’s damn near what *I* had in mind as well! 😉

    Hey Steve, would ya like to enlighten those of us peacemongers out here who 1) dunno what the heck "bun fightin’" is all about; 2) who wouldn’t have a clue as to how or even IF our diaries were bein’ hacked into and 3) who wouldn’t ever DREAM of makin’ such a dreadful accusation even if they WERE?
    ——————————————————————————–
    From: monstergue
    Date Posted: 14 Jan 2005
    "You know what? I am rather sick of the "bun fighting" reference."

    Ahhh, good…..then maybe YOU can explain it all to me and to causingchaos in one fell swoop! (but DAMN girl, yer panties sure are all twisted up today, ain’t they!)

  12. here, we spread peanut butter over a bun. depends if I wanna sling it to an opponent’s face once she tries to grab it from me. lol. but hey, bun fighting? okkk…..how do you fight with your buns eh?

    steve, you have just started an anti-bun crusade. you gotta explain it now. **winks

    ori:)
