this is from a concerned web master

Quote:

So, OG's Gone...Think you're safe?
So, OG's Gone...Think you're safe?
By rick at Sun, 2006-02-05 18:41

Better Think again!

Nearly all of the major Marijuana Cultivation websites on the Internet run a bulletin board software by the name of vBulletin. This is not an open source project, however, the source code is available and easily modified to suit any developers needs. Through the years, website owners have believed that they have been safe by not logging IP address with users posts. This is an option in the administration section of the vBulletin software; Dont log IP, Log IP, Log for only admin".

The typical setup is to completey shutoff, or "Dont Log IP". However, this severely missleading! Please take note and re-read this if you need to! vBulletin stores your registering IP Address as well as the exact time of that registration. This info is stored automatically and is typicaly not known to the developer. With these two pieces of information it would be possible to uniquely identify anyone who was not using additional security precautions such as a proxy server.

How does this relate to the recent news of OG? Well, assuming that RC did not know about this, just as I did not know about this until early this morning during an additional security audit of HempCultivation.Com, it could mean that potentially comprimising information was obtained, plain and simple. This "feature" is used on every version of vB that I have tested and ran myself. I imagine it was in the original versions and always carried along. Not sure why...But be aware.

What we need to know is if RC had manually disabled this...I dont know.

Now, this is directly to Gypsy of ICMAG.Com. IF YOU KNOW GYPSY, PLEASE BE CERTAIN THAT HE SEE'S THIS!~

Gypsy, please do not take this as an attack. I tried to post this directly to you but it appears that my posting priviledges at ICMag have been removed or there is some other problem. This is the best way for me to reach you.

Your vBulletin installation is probably vulnerable to the ip information stored above. You have a great deal of the OG refugees on your site, and that's great that they have come together, however, these folks have already been jeopordized once to at least some degree. I am going to post some directions for you to follow to eliminate all IP addresses stored in your database as well as eliminate the future storage of this information by the database. This is something that we need to do immediately for the sake of the users.

First, you will need to edit the file registration.php - look for the line:

'$userdata->set('ipaddress', IPADDRESS);'
Replace that line with this:
$userdata->set('ipaddress','');

This will prevent new users registering from having their ip address stored in the db.

Next you are going to want to access you mySQL db and issue the following command:

UPDATE user SET ipaddress='';

This will empty out all ip adresses that have been stored from user registrations.

If you dont know how to do any of this or if you would simply like assistance I'd be happy to help you. The most important this is that this be done immediately.

Other cultivation websites should also pay attention to the "feature" of discussion boards and you may wish to manually disable it yourself.

~r

this issue was addressed by Gypsy and the webmaster here a while back
whether RC had this turned off or on I don't know
but rest assured we have it turned off and only when you are logged on is your IP stored
within a minute or two of you logging off its gone.

OP

[Sleepy]

thanks for reassuring us.

Gypsy, Dutchgrown, Green Lantern Old Pink, & crew always look after our security.

[Protostele]

Quote:

Originally Posted by oldpink

..... and only when you are logged on is your IP stored
within a minute or two of you logging off its gone.

OP

If I shut down my computer at night I always logged off OverGrow, but if my wife shut down my computer for me she always just closed Opera. Did the server retain my IP address at such times? I am not too concerned about it, but perhaps I should change my habits if it makes a difference.

Now....I wonder who shut down my computer last time I was on OG, me or the wife.

Protostele

<edit> Oldpink's tirade below was aimed at a since deleted post from someone else.....not me....I think...LOL

what does the NSA have to do with a RCMP bust on a seed company have in common
Nothing,
sorry your talking crap here and have no idea of the subject in hand so please stay out of it till you have anythng usefull to post

OP

[johnboi2006]

Does anyone know this? I mean does your local internet provider store data on your traffic out of their servers? Does anyone know if you can access local proxy servers without accessing your internet providers servers?

[Ron Bennett]

Quote:

Originally Posted by johnboi2006

Does anyone know this? I mean does your local internet provider store data on your traffic out of their servers?

Many ISPs log resources, such as websites, accessed by its users. The logging often isn't that detailed beyond that ... so it's not like they log everything, but one should assume, at minimum, the remote IPs of sites visited along with possibly urls to be logged by their ISP.

Dynamic IP allocation doesn't affect logging in any meaningful way - even users on shared IPs are a cinch for an ISP to log. Again, assume all remote IPs and possibly urls to be logged.

Quote:

Originally Posted by johnboi2006

Does anyone know if you can access local proxy servers without accessing your internet providers servers?

No. To effectively avoid one's ISP, one needs to use someone elses, such as in a coffee shop, via wifi, etc.

But as I replied to Rick's post on HempCultivation, IP addresses are the least of one's worries ... it's personal communications, such as email, PM, IM, meeting in person, exchanging goods, etc where the real threat to one's safety / privacy really is.

IPs in and of themselves are of little value; near impossible to build any court case on IPs alone for both technical and social reasons...

An IP, assuming its correct [an assumption one can't always bank on] doesn't identify who is actually conducting the activity ... it could be a friend, relative, rogue program, or simply a stranger from elsewhere else piggybacking on one's IP.

Ultimately, privacy is one's personal responsibility, not that of a website, etc; be wary of revealing personal details one doesn't want others to know. Simple as that.

Ron

p.s. many VB boards have IMG turned on by default ... before even bothering with proxies or whatnot, turn off IMG in UserCP, at least for PMs.

WTF!

op....?????
whats happening?
more confused now

[ixnay007]

Most ISPs, unless they're required to by law, won't be monitoring where their clients are going, unless the have tons of empty space on their hard drives going to waste. About all most ISPs will keep is a record of the user name, password, connecting number (if dialup) or some other identifer with DSL or cable, IP address assigned, and when you requested the IP (disconnection times also with dialup). Basic Radius type info.

If you do have reason to believe your ISP might be monitoring your web browsing habits, read their TOS, and if necessary change providers.

What about the chat server? Is this located in the same place as the servers or hosted in a different place? also how secure is this vs the board? thx.

[potheadpixie]

Is there any less security in PMs than posting on the boards for any reason?