Good evening ladies and gentlemen,
Its now the 2nd week of the new year and already I have received my first 'your database has been hacked because someone knows information about me that I only posted in private entries'.
I've been dealing with this kind of complaint before, and invariably after I spend days scrutinizing logs, checking firewalls, checking remote systems I discover that in fact what has really happened is that once upon a time 2 diarists were friends and everything was going splendidly.
The pattern seems to be that the 2 diarists talked a lot, on MSN Messenger perhaps. E-Mail addresses were shared, personal conversations entered into and all the while MSN logs such information. Initially of course such logs are just a matter of course because that's what MSN does. Or ICQ. Or AIM. You get the idea. Each conversation just happens between two friends and everything is fine. That is, until the friendship turns sour - as is often the case with online friendships (though by no means always of course). And when the friendship turns sour suddenly all that harmless information that was 'socially engineered' and gathered over the last 6 months to a year, becomes useful ammunition.
And then I get an e-mail saying that such and such a diarist has access to my database because they know information about you that is only in private entries, so that must be how they got it. And such e-mails usually say that I know who the person is talking about because it's happened before, and they quote that I have given this person access to the DearDiary database to 'help' with security issues.
Yes, this comes up at least three times a year and has done for the last 5 years and this time is unlikely to be any different - and I've spent ages scrutinizing logs and checking things out yet again so I am going to put the record straight.
The server at DearDiary.Net has a very large number of security measures in place to ensure that only authorised people have access to the database. Even Hamiko employees have not had access to the DearDiary.Net database. All communications to the server are encrypted using SSH which, in order to login requires a pre-arranged and authorised SSH public/private key pair. The only machines that have the private key are owned by me. In fact there are only 2 people who have ever had access to the database, that's me and Matt.
The server has a significant number of systems dedicated to watching what goes on to block unauthorised access and to ensure that if someone manages to gain unauthorised entry I know about it quickly. To date, no such event has occurred, and I do watch it closely every hour, of every day. Alerts are generated to seperate systems if intrusions attempts occur (and they regularly do).
I have been managing internet servers since 1993, before most of you even knew the internet existed. That doesn't mean the systems I run are totally secure, because the only totally secure system is one that isn't connected to the internet. But so far I have stayed ahead and managed to keep intruders out. This isn't a challenge to try my system's security, it's just a statement of fact. The underlying fact is that I have not needed to enlist the assistance of anyone else - particularly someone whom I have never met personally and don't know from a bar of soap, to secure my system. That's not to say I haven't spoken to various people about the system when they've come to me and said they think there might be a security hole - but no-one has EVER been granted access to fix any security hole, nor look for new ones. No-one has ever been granted system access to the server on which DearDiary.Net runs and no-one ever will be.
I've a personal vested interest in this of course. My web sites are hosted on this server. My diaries are on this server, with a good deal of information in private entries that I'd rather no-one saw. If you want to prove that someone has access to my database perhaps you'd be kind enough to e-mail me something from one of my own private entries that they've sent you.
The only holes in DearDiary security that I am aware of are in the wetware. If you befriend someone at this site and you give them personal information there is a risk that information will be used against you if/when you fall out.
I won't tolerate bun fighting at this site, you all know that. But equally I am tired of hearing vague 'security' issues about the site that are totally unsubstantiated. If you can substantiate your claims that there are holes in my security system I will gladly talk to you and we'll get to the bottom of it, but it's more likely that you'd be better off choosing carefully who you give your personal information to. There are an awful lot of vindictive people in the world - get used to the fact that internet is absolutely no different.
I shan't be getting involved in situations such as this any more unless you can come to me with sufficient evidence of wrongdoing, backed up by a court order requesting such information. Of course I will co-operate with any legal enquiry that could come from a true database hack and people using information obtained unlawfully from my database - but if you wish me to deal with it you need to do me the courtesy of showing there really is sufficient evidence AND back it up by a court case because I have wasted SO much time dealing with cases where people are making such claims.
Please note this does not in any way change the Acceptable Use Policy relating to bun fights between diarists. It does not give anyone license to start fighting publicly in their diaries. Such events will still result in the deletion of diaries in line with the Acceptable Use Policy