Bitcoin Forum
Topic: [psa] access to forum database may be given to a third party
btcmad1337 (OP)
February 18, 2014, 05:15:36 PM
Last edit: February 18, 2014, 05:27:44 PM by btcmad1337
 #1

I haven't been given access to the database yet but will need it very soon.

Wangbus is working on the new forum software. It's not clear whether he needs the database schema or content or just specific tables, but this post gave me quite a scare considering there are many users here who need high levels of privacy.

For example, one user here who is a government whistleblower claims that letters they sent to EU officials were intercepted by corrupt customs officials. This person uses Bitcoin for all of their finances due to their bank accounts being frozen and does most of their Bitcoin transactions via members of this forum. It's not far-fetched to assume that the government involved would like to learn more about this person's finances. It is also likely that there are other users here in similar situations who may not want powerful entities reading their PMs on this forum, and I'm sure the majority of users have at least one message they would like kept private.

I have no reason to believe that this software development company would spy on private messages, but the problem is we can't know for sure, and on top of this we have no idea how the database will be handled. If they do require the database content, and if the database is not properly encrypted before transfer to Slickage Studios or not properly destroyed after, it is quite possible it could be obtained by a malicious entity.

It is also possible that spyware on an employee's machine may also be able to obtain the database - governments are known to use BIOS-based spyware which is almost impossible to detect and requires specialized hardware to remove.

This is an unnecessary risk, so if you have private PMs - you should be encrypting them - but if you haven't been, then I'd recommend deleting them from your inbox and sent folder and also PMing the recipients and having them remove them from their inbox and sent folder also. This will remove them from the live database so you won't be exposed to any unnecessary risk should they be given to the software development company. We should always assume the worst case scenario and hope for the best...
hilariousandco
February 18, 2014, 06:09:30 PM
 #2

I haven't been given access to the database yet but will need it very soon.

This is an unnecessary risk, so if you have private PMs - you should be encrypting them - but if you haven't been, then I'd recommend deleting them from your inbox and sent folder and also PMing the recipients and having them remove them from their inbox and sent folder also. This will remove them from the live database so you won't be exposed to any unnecessary risk should they be given to the software development company. We should always assume the worst case scenario and hope for the best...

The NSA probably already has them archived ;). As you said, any sensitive data shouldn't be transmitted over PMs here or anywhere else over the net without being encrypted.

btcmad1337 (OP)
February 18, 2014, 06:25:32 PM
 #3

The NSA probably already has them archived ;).

Actually that's not so likely. The forum uses SSL encryption with perfect forward secrecy. It's unlikely the NSA obtained copies of PMs unless either:

a) either you or the recipient were the victim of an SSL MITM attack when sending/receiving the PM.
b) theymos or the hosting provider has given the NSA access to the forum's database.
c) spyware on the recipient's or sender's machine.
d) backdoor in forum software

A is completely preventable thanks to Theymos. You can verify, store and manually check the SSL cert because theymos signed a PGP message containing the cert's fingerprint. SSL observatories built into browsers such as Tor Browser also mitigate the risk of an SSL MITM.

B is unlikely

C is probably the easiest way to do this

D is incredibly difficult to do because the forum software is open source

As you said, any sensitive data shouldn't be transmitted over PMs here or anywhere else over the net without being encrypted.

Yes, but unfortunately that is not always an option, and sometimes people slip up and do not encrypt information, realizing months later that they should have.
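
The fingerprint check described in the post above, as an added example that is not part of the original thread: it extracts a SHA-256 fingerprint from the text of a signed message and compares it with the certificate a server presents. It assumes the PGP signature was already verified separately (for example with `gpg --verify`); the sample certificate bytes and message text are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import re
import ssl

# 32 hex byte pairs, optionally separated by ':' or whitespace (SHA-256 size).
FP_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:\s]?){31}[0-9A-Fa-f]{2}\b")


def normalize(fp: str) -> str:
    """Lower-case and drop separators so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def pinned_from_signed_text(text: str) -> str:
    """Return the single SHA-256 fingerprint found in a signed message body.

    Assumption: the PGP signature on `text` was already verified out of band
    (for example with `gpg --verify`); this function does not check it.
    """
    found = {normalize(m.group(0)) for m in FP_RE.finditer(text)}
    if len(found) != 1:
        raise ValueError(f"expected exactly one fingerprint, found {len(found)}")
    return found.pop()


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the value browsers display."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_pin(pem: str, signed_text: str) -> bool:
    return hmac.compare_digest(cert_fingerprint(pem),
                               pinned_from_signed_text(signed_text))


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf cert without CA validation; the pin is the trust anchor."""
    return ssl.get_server_certificate((host, port))


# Constructed sample data: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_SIGNED_TEXT = ("Forum certificate SHA-256 fingerprint:\n"
                      + ":".join(_hex[i:i + 2] for i in range(0, 64, 2)) + "\n")

if __name__ == "__main__":
    print("pin matches:", matches_pin(SAMPLE_PEM, SAMPLE_SIGNED_TEXT))
```

For a live check, pass the result of `fetch_pem(host)` to `matches_pin`; note that this inspects a separate connection from the one the browser makes, so it complements rather than replaces checking the fingerprint shown in the browser.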
BadBear
February 19, 2014, 01:21:07 AM
 #4

Your privacy is one of those things you should never leave to a third party to do for you.

umairsaleem
February 19, 2014, 10:22:05 AM
 #5

You should not trust any forum or website to hold your real identity in the first place. This forum was hacked two years ago and was backdoored by not well-known groups. How much more so if the NSA really wants your info. They have unlimited resources and manpower. No one is safe from the NSA if it's online, or even if it's offline. There is news about the NSA adding hardware to computers to enable them to access it even if it is offline.
repentance
February 21, 2014, 01:40:38 AM
 #6

You should not trust any forum or website to hold your real identity in the first place. This forum was hacked two years ago and was backdoored by not well-known groups. How much more so if the NSA really wants your info. They have unlimited resources and manpower. No one is safe from the NSA if it's online, or even if it's offline. There is news about the NSA adding hardware to computers to enable them to access it even if it is offline.

If the government wants access to the database, why bother doing anything other than getting it directly by issuing a subpoena for theymos to turn it over? Or a court order allowing them to image it surreptitiously (as they did with SR)? They don't need to fuck around and try to get it through people contracted to build a new forum.

There are already multiple investigations in place into the actions of users who are alleged to have committed crimes involving Bitcoin. It wouldn't be hard to persuade a court to authorise the government to access the database either overtly or covertly to gather further evidence for those cases.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.