Topic: How Secure is BitcoinTalk? (Read 585 times)

full member
Activity: 1638
Merit: 122
May 17, 2018, 06:35:24 PM
#35
If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

Is it really possible to place an image - even an invisible image - that works like the tracking things that are sent via e-mail? The images that services like mailchimp use.

Edit: sorry, I should have read the second page too before asking this question.

Yes, it is really possible to post images as long as your current rank allows it. Junior member and up is the minimum rank that is able to do it.

I forgot, copper members that pay for membership are also another rank that is allowed to have images in their posts.

And about the IP address thing, I don't think any of us is concerned about it. IP addresses aren't really accurate because some of us are using a VPN (virtual private network) to browse the forum, so I think it is still pointless to trace the user.

Bitcointalk.org is now very secure because the forum has upgraded its security lately, after the hacking occurred.
sr. member
Activity: 840
Merit: 375
May 17, 2018, 03:35:56 PM
#34
This isn't a good example of me being a "rebel", since there's ~no legal risk in refusing to help police who don't have a court order, and there's even less risk when they're not even trying to enforce a law which exists in the forum's jurisdiction. Anyone in the US who would help foreign police with a Bitcoin ban is seriously misguided, at the very least.
What exactly is a bitcoin ban? I am probably assuming the ban from this forum? Also do explain your last point.
A Bitcoin ban means (In my case) that holding/transacting Bitcoin is illegal and could be punishable by law (fines and penalties) if caught.
legendary
Activity: 1498
Merit: 1117
May 17, 2018, 02:40:54 PM
#33
If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

Is it really possible to place an image - even an invisible image - that works like the tracking things that are sent via e-mail? The images that services like mailchimp use.

Edit: sorry, I should have read the second page too before asking this question.
staff
Activity: 3304
Merit: 4115
May 17, 2018, 09:11:21 AM
#32
-Thank you theymos for the clarification, I really appreciate that.
I also hope that you will implement the public-key-registration system in the near future, as I'm sure a lot of people living in countries banning crypto are also worried about the tracks they leave behind them; please don't forget us. I'm a bit more reassured that at least not all actions leave a permanent IP record.

-Correct me if I'm wrong, but I don't think that Tor having nodes backed by the NSA would cause a lot of trouble to users, as a node can't directly link to your real IP unless all the nodes your Tor client picked are backed by the NSA.

You would be correct.

The more end nodes you control in the network the more likely you are to control all the nodes in a circuit. If the NSA or any entity for instance controlled all nodes within the circuit you are using then they would be able to determine the IP that you use. This is why more nodes means more security, because it's more unlikely for one entity to control all the nodes. Although, with the spending power, and resources of someone like NSA there are concerns from a select few.

This probably isn't too much of a concern for someone who's accessing a forum that they aren't supposed to, but it's quite well known that journalists use the Tor project to communicate with "whistleblowers" and the like, and you can imagine why the government would want to listen in on these. The motives are there, but I'm skeptical of how much of a problem it really is.

If you want extra protection some people connect to Tor via a VPN. Then you have to trust that VPN provider.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
May 16, 2018, 06:29:26 PM
#31
If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

Try it and see how many IPs you get...
What I understand from this is, it's not gonna work. So it seems like we are safe.


Update:
Ok seems like I have missed this from shahzadafzal.
Actually Theymos is pointing out that it's not possible anymore. bitcointalk is using image proxy which prevents any request being forwarded to the source directly from client's browser.

If you haven't noticed, all [img] tags are replaced like this, so you will not get the IP address of the user, but all requests will be coming from bitcointalk's image proxy server.

Code:
https://ip.bitcointalk.org/?u={url}

I seriously think bitcointalk should enable image caching on the proxy server; currently it looks like caching is not enabled or used, which is why we don't see any image for a few [5+] seconds.
legendary
Activity: 2383
Merit: 1551
dogs are cute.
May 16, 2018, 06:07:29 PM
#30
This isn't a good example of me being a "rebel", since there's ~no legal risk in refusing to help police who don't have a court order, and there's even less risk when they're not even trying to enforce a law which exists in the forum's jurisdiction. Anyone in the US who would help foreign police with a Bitcoin ban is seriously misguided, at the very least.
What exactly is a bitcoin ban? I am probably assuming the ban from this forum? Also do explain your last point.
sr. member
Activity: 840
Merit: 375
May 16, 2018, 04:11:34 PM
#29
Your mental model should always be that the forum logs everything, especially since it is behind Cloudflare, which is almost certainly an NSA-backed operation. But here is some more detail. Currently there are four classes of IP logs:
 - Every time your session refreshes (about every 10 minutes while you are browsing the site), your current IP is momentarily logged. This is only kept until a new such entry replaces it, except that whenever the daily database backup happens, the current value will be captured and then possibly kept for a long time.
 - A tuple (time, userID, ip) is logged whenever you view a forum ad in order to produce ad stats. These are kept for only a few weeks, and are not backed up.
 - Every HTTP request creates an access log, but while these contain IPs, they do not contain user IDs, and so on the whole they probably cannot be provably associated with users. These are usually deleted after a few months, and are not backed up.
 - Certain actions trigger a long-term IP log. This includes posts (but not PMs), security-log entries, certain errors, and registration. Long-term logs are currently kept indefinitely.

I don't like that IPs are sometimes kept indefinitely. To prevent abuse, it would probably be sufficient to keep them for ~6 months. But keeping these logs long-term is extremely useful for account recoveries. I've been thinking about this issue, and I think that in the future I might let users opt out of long-term IP logging if they have a public key registered in a (currently-not-existing) public-key-registration system. Though, again, even then you should model this site and all sites as keeping complete logs.

Unless I am somehow required to do so by law (though I can't see how in this case), I will not assist police who are seeking to enforce any Bitcoin ban.

If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

Try it and see how many IPs you get...
This is what I like about you. a true rebel.

This isn't a good example of me being a "rebel", since there's ~no legal risk in refusing to help police who don't have a court order, and there's even less risk when they're not even trying to enforce a law which exists in the forum's jurisdiction. Anyone in the US who would help foreign police with a Bitcoin ban is seriously misguided, at the very least.

Would you ban my country's IP from accessing this forum if there is a court order? I'm not talking about crime related bans, just a pure access to information? if so then how would you suggest to avoid this?

Not to mention that you supporting Bitcoin is equal to be a rebel where I come from.
-Thank you theymos for the clarification, I really appreciate that.
I also hope that you will implement the public-key-registration system in the near future, as I'm sure a lot of people living in countries banning crypto are also worried about the tracks they leave behind them; please don't forget us. I'm a bit more reassured that at least not all actions leave a permanent IP record.

-Correct me if I'm wrong, but I don't think that Tor having nodes backed by the NSA would cause a lot of trouble to users, as a node can't directly link to your real IP unless all the nodes your Tor client picked are backed by the NSA.
staff
Activity: 3304
Merit: 4115
May 16, 2018, 08:26:11 AM
#28
Would you ban my country's IP from accessing this forum if there is a court order? I'm not talking about crime related bans, just a pure access to information? if so then how would you suggest to avoid this?
Even if the unlikely scenario happened you could use a VPN/Tor browser to access the forum, and that's how you would avoid it. Even if theymos did receive a court order to restrict certain countries from accessing the forum he would likely be able to argue that it's down to the users if they break the law in their jurisdiction, and therefore isn't down to him. Cour
copper member
Activity: 1330
Merit: 899
🖤😏
May 16, 2018, 05:57:57 AM
#27
This is what I like about you. a true rebel.

This isn't a good example of me being a "rebel", since there's ~no legal risk in refusing to help police who don't have a court order, and there's even less risk when they're not even trying to enforce a law which exists in the forum's jurisdiction. Anyone in the US who would help foreign police with a Bitcoin ban is seriously misguided, at the very least.

Would you ban my country's IP from accessing this forum if there is a court order? I'm not talking about crime related bans, just a pure access to information? if so then how would you suggest to avoid this?

Not to mention that you supporting Bitcoin is equal to be a rebel where I come from.
staff
Activity: 3304
Merit: 4115
May 16, 2018, 04:28:53 AM
#26
The member's table has leaked at least once, and the forum has been hacked multiple times. Your registration IP address and your last recorded IP address as of when the members table leaked is more or less public information now. An unknown amount of additional information from the other hacks is potentially essentially public information as well.
I'm well aware that is the case, but the OP registered well after the known database leak, which I believe was in mid 2015. This is also why I mentioned it's not much of a big deal, since most IPs would have changed by now, as you said here:
a user's IP address will have changed after several months (and to a much greater extent, after multiple years) anyway.

First of all, I admire you for having the guts to continue engaging with crypto and also for not feeling discouraged at all despite the fact that it is banned in your country. At the same time, I'm a little bit worried about you because you may possibly be punished by the law if ever you are proven guilty.

I'm not a total geek about computer stuff, but what I can suggest to you is to use a VPN to hide your IP, because that makes you anonymous every time you access the internet. I hope it helps.
This is also generally bad advice. Just because you are using a VPN doesn't mean you can trust those behind it; especially when confronted by a government authority, they may release the information without even putting up a fight.

No-log VPNs are good practice, but even these have been caught keeping logs in the past. Even if you use Tor Browser, there's speculation that a lot of the end nodes are actually NSA owned.
full member
Activity: 1232
Merit: 186
May 16, 2018, 03:11:30 AM
#25
First of all, I admire you for having the guts to continue engaging with crypto and also for not feeling discouraged at all despite the fact that it is banned in your country. At the same time, I'm a little bit worried about you because you may possibly be punished by the law if ever you are proven guilty.

I'm not a total geek about computer stuff, but what I can suggest to you is to use a VPN to hide your IP, because that makes you anonymous every time you access the internet. I hope it helps.
copper member
Activity: 1526
Merit: 2890
May 16, 2018, 02:33:25 AM
#24
Try it and see how many IPs you get...

I haven't looked into the programming required for this, as individual IPs are of no interest to me. View counts and referring URLs are about as far as I want to go.

Actually Theymos is pointing out that it's not possible anymore. bitcointalk is using image proxy which prevents any request being forwarded to the source directly from client's browser.

If you haven't noticed, all [img] tags are replaced like this, so you will not get the IP address of the user, but all requests will be coming from bitcointalk's image proxy server.

Code:
https://ip.bitcointalk.org/?u={url}

I seriously think bitcointalk should enable image caching on the proxy server; currently it looks like caching is not enabled or used, which is why we don't see any image for a few [5+] seconds.
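The image-proxy mechanism shahzadafzal describes (posts #24 and #31), shown as an added example rather than the forum's own code: every [img] source in a post is rewritten to go through the proxy endpoint quoted above, so a reader's browser never contacts the image host, and a tracking pixel only ever sees the proxy's address. The proxy URL is the one from the thread; that the upstream URL is percent-encoded into the u= parameter, the regex, and the sample post are assumptions made here.

```python
import re
from urllib.parse import quote, urlsplit

# Proxy endpoint quoted in the thread. Whether the forum percent-encodes the
# upstream URL in the u= parameter is an assumption of this example.
PROXY_TEMPLATE = "https://ip.bitcointalk.org/?u={url}"

# Matches [img]...[/img] BBCode (any case); the image source is group 1.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def proxied_url(url: str) -> str:
    """Return the proxy URL for one image source, or "" if it is not plain http(s).

    Sources with any other scheme (data:, file:, javascript:) are dropped
    rather than forwarded to the proxy.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return PROXY_TEMPLATE.format(url=quote(url, safe=""))


def rewrite_post(body: str) -> str:
    """Rewrite every [img] tag so the reader's browser only ever contacts the proxy."""
    def repl(match: re.Match) -> str:
        target = proxied_url(match.group(1))
        return f"[img]{target}[/img]" if target else ""
    return IMG_TAG.sub(repl, body)


def hosts_contacted(body: str) -> set:
    """Hosts a reader's browser would fetch images from when rendering this post."""
    return {urlsplit(src.strip()).netloc for src in IMG_TAG.findall(body)}


# Constructed sample post: a tracking pixel, a normal image, and a bogus scheme.
SAMPLE_POST = (
    "Look at this chart!\n"
    "[img]http://tracker.example/pixel.gif?id=42[/img]\n"
    "[IMG]https://images.example/chart.png[/IMG]\n"
    "[img]javascript:alert(1)[/img]"
)

if __name__ == "__main__":
    print("before:", hosts_contacted(SAMPLE_POST))
    print("after: ", hosts_contacted(rewrite_post(SAMPLE_POST)))
```

Before rewriting, the sample post makes the browser talk to tracker.example and images.example; after rewriting, the only host left is ip.bitcointalk.org, which is exactly why the tracking-pixel trick discussed in this thread no longer yields reader IPs.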
legendary
Activity: 2814
Merit: 2472
https://JetCash.com
May 16, 2018, 02:11:18 AM
#23
If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

Try it and see how many IPs you get...

I haven't looked into the programming required for this, as individual IPs are of no interest to me. View counts and referring URLs are about as far as I want to go.
copper member
Activity: 2996
Merit: 2374
May 16, 2018, 01:01:59 AM
#22
If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.
This was actually done many years ago, many people viewed this person to be a scammer as a result. The forum currently uses an image proxy that makes this attack useless.


Only administrators can see your IP address.
The member's table has leaked at least once, and the forum has been hacked multiple times. Your registration IP address and your last recorded IP address as of when the members table leaked is more or less public information now. An unknown amount of additional information from the other hacks is potentially essentially public information as well.

Long-term logs are currently kept indefinitely.
I would advise against this.

Over time, you will inevitably lose some of this information for a variety of reasons, and you can potentially be in legal trouble if you are unable to produce specific information you say you retain indefinitely, especially if you are close to the person.

I would suggest, as an alternative, instead retaining either the name of the person's ISP, geolocation data, or a truncated IP address (or a combination thereof) over the very long term. This is likely what you will essentially use for things like account recovery anyway, and in most instances, a user's IP address will have changed after several months (and to a much greater extent, after multiple years) anyway.
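The two-tier retention this post proposes (exact IPs kept only for a limited window, a truncated address kept long-term for account recovery, in place of the indefinite retention quoted above), as an added example that is not the forum's code: exact IPs are zeroed to a /24 (IPv4) or /48 (IPv6) for the long-term tier, and the recovery check works on that tier alone. The prefix lengths, the 180-day window, the IpLog class and the sample addresses are all assumptions of this example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Prefix lengths are an assumption of this example, not the forum's policy:
# a /24 keeps the ISP and rough location of an IPv4 address, a /48 does the
# same for IPv6 while discarding the subscriber's own /64 and host bits.
V4_PREFIX = 24
V6_PREFIX = 48


def truncate_ip(ip: str) -> str:
    """Return the containing network with host bits zeroed, e.g. 203.0.113.77 -> 203.0.113.0/24."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class IpLog:
    """Two-tier IP log: exact IPs expire, truncated networks are kept indefinitely."""

    def __init__(self, short_term_days: int = 180):
        self.ttl = timedelta(days=short_term_days)
        self.short_term = {}   # user_id -> list of (timestamp, exact ip)
        self.long_term = {}    # user_id -> set of truncated networks

    def record(self, user_id: int, ip: str, now: datetime) -> None:
        self.short_term.setdefault(user_id, []).append((now, ip))
        self.long_term.setdefault(user_id, set()).add(truncate_ip(ip))

    def expire(self, now: datetime) -> None:
        """Drop exact IPs older than the short-term window; the long-term tier is untouched."""
        for user_id, entries in self.short_term.items():
            self.short_term[user_id] = [(t, ip) for t, ip in entries if now - t < self.ttl]

    def exact_ips(self, user_id: int) -> list:
        return [ip for _, ip in self.short_term.get(user_id, [])]

    def recovery_match(self, user_id: int, claimed_ip: str) -> bool:
        """Account-recovery check that needs only the long-term tier."""
        return truncate_ip(claimed_ip) in self.long_term.get(user_id, set())


def demo() -> tuple:
    """Constructed scenario: one user posting twice from the same /24, then 200 days pass."""
    log = IpLog()
    t0 = datetime(2018, 5, 16, tzinfo=timezone.utc)
    log.record(7, "203.0.113.77", t0)
    log.record(7, "203.0.113.80", t0 + timedelta(days=3))
    log.expire(t0 + timedelta(days=200))
    return (
        log.exact_ips(7),                        # [] : exact IPs are gone
        log.recovery_match(7, "203.0.113.9"),    # True : same /24 still matches
        log.recovery_match(7, "198.51.100.1"),   # False: unrelated network
    )


if __name__ == "__main__":
    print(demo())
```

After the window expires nothing in the store can identify the exact host the user posted from, yet a recovery request from the same ISP block still matches, which is the trade-off between abuse prevention and long-term IP retention that theymos and this post are weighing.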
administrator
Activity: 5222
Merit: 13032
May 16, 2018, 12:13:11 AM
#21
This is what I like about you. a true rebel.

This isn't a good example of me being a "rebel", since there's ~no legal risk in refusing to help police who don't have a court order, and there's even less risk when they're not even trying to enforce a law which exists in the forum's jurisdiction. Anyone in the US who would help foreign police with a Bitcoin ban is seriously misguided, at the very least.
copper member
Activity: 1330
Merit: 899
🖤😏
May 15, 2018, 10:38:39 PM
#20
I will not assist police who are seeking to enforce any Bitcoin ban.

This is what I like about you. a true rebel.
administrator
Activity: 5222
Merit: 13032
May 15, 2018, 07:03:03 PM
#19
Your mental model should always be that the forum logs everything, especially since it is behind Cloudflare, which is almost certainly an NSA-backed operation. But here is some more detail. Currently there are four classes of IP logs:
 - Every time your session refreshes (about every 10 minutes while you are browsing the site), your current IP is momentarily logged. This is only kept until a new such entry replaces it, except that whenever the daily database backup happens, the current value will be captured and then possibly kept for a long time.
 - A tuple (time, userID, ip) is logged whenever you view a forum ad in order to produce ad stats. These are kept for only a few weeks, and are not backed up.
 - Every HTTP request creates an access log, but while these contain IPs, they do not contain user IDs, and so on the whole they probably cannot be provably associated with users. These are usually deleted after a few months, and are not backed up.
 - Certain actions trigger a long-term IP log. This includes posts (but not PMs), security-log entries, certain errors, and registration. Long-term logs are currently kept indefinitely.

I don't like that IPs are sometimes kept indefinitely. To prevent abuse, it would probably be sufficient to keep them for ~6 months. But keeping these logs long-term is extremely useful for account recoveries. I've been thinking about this issue, and I think that in the future I might let users opt out of long-term IP logging if they have a public key registered in a (currently-not-existing) public-key-registration system. Though, again, even then you should model this site and all sites as keeping complete logs.

Unless I am somehow required to do so by law (though I can't see how in this case), I will not assist police who are seeking to enforce any Bitcoin ban.

If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

Try it and see how many IPs you get...
sr. member
Activity: 840
Merit: 375
May 15, 2018, 02:47:45 PM
#18
I would strongly suggest the OP learn to conceal his true identity for all sites dealing with Crypto. If you live in a place where you go to jail for using Crypto, trust no website. Theymos runs a decent place, but the authorities can force owners/Admins to comply. It has happened before here. Going back a few years some PM's were required to be given, and the users smart enough to have GPG'd their messages were fine, while others communicating in plain text had a harder time. My point is not that Theymos is lacking in OPSec, but that YOU should maintain your own security. If Theymos gave "THEM" absolutely everything he has on me they would have NOTHING. Get it? If I were going to make a site specific suggestion, I don't like the current sign in because the passwords are exposed (security wise). In a perfect world we would have U2F, and then I could change my now exposed password and associated email account to this username.
Yeah, that's what I learned from this, thanks. But as I said, if IPs are recorded from the beginning, it's too late now to conceal my identity.
Meh, what a feeling to live in a third party world..
Thanks everyone.
hero member
Activity: 761
Merit: 606
May 15, 2018, 02:37:20 PM
#17
I would strongly suggest the OP learn to conceal his true identity for all sites dealing with Crypto. If you live in a place where you go to jail for using Crypto, trust no website. Theymos runs a decent place, but the authorities can force owners/Admins to comply. It has happened before here. Going back a few years some PM's were required to be given, and the users smart enough to have GPG'd their messages were fine, while others communicating in plain text had a harder time. My point is not that Theymos is lacking in OPSec, but that YOU should maintain your own security. If Theymos gave "THEM" absolutely everything he has on me they would have NOTHING. Get it? If I were going to make a site specific suggestion, I don't like the current sign in because the passwords are exposed (security wise). In a perfect world we would have U2F, and then I could change my now exposed password and associated email account to this username.
staff
Activity: 3304
Merit: 4115
May 15, 2018, 02:29:47 PM
#16
Only the dynamic IP changes, not the static one. And the dynamic one can forward to the static one, so it's not a big deal.
Meh, since now more and more countries are banning Bitcoin/cryptocurrency, theymos should at least give some information on how bitcointalk deals with these kinds of requests if they are ever made by the authorities.
People also change ISPs and thus their IP changes. I was referring to it not being too much of a problem for the ones that were leaked if someone has changed providers, not particularly you.
See? That's what I'm talking about. This kind of glitch shouldn't be there.

If I put an image in a post in this thread, then I can get a list of the IPs of the people who have viewed the thread. Cross refer a few threads, and I can probably isolate your individual IP.

This has happened before, and isn't allowed. See: https://bitcointalksearch.org/topic/tracking-pixels-split-from-mike-hearns-blacklist-thread-341146
Rauol Duke, who was a member of the staff at the time, removed it, and we can only assume that this isn't tolerated and these sorts of things are checked.

See the discussion for ways to avoid this through extensions, e.g. Request Policy. You are also susceptible to this sort of breach of privacy anywhere you visit, for example if someone posted a link to an image on Reddit /r/Bitcoin and you viewed it. It would require the person to actually own the website and have the image hosted on their server. Therefore, they are pretty easy to identify, and as long as you have some sort of protection like RequestPolicy (discontinued) you are fine. For example, uMatrix is pretty good, especially when used in conjunction with uBlock. Although it can make for some ugly viewing at default settings, you can whitelist/blacklist what you want.