
SKIMWORDS

donutboy Member Posts: 758
I'm aware that this feature is a money making/saving exercise on Brickset's behalf but I've recently had some skimword links in PMs. Seems a bit iffy. @drdavewatford @CapnRex101

Comments

  • Huw Administrator Posts: 7,088
    It won't differentiate PMs from forum posts since the script is on every page.

    They are not ideal, but the forum has to pay for itself.
  • donutboy Member Posts: 758
    That's cool. I just thought I'd check. Thanks
  • cheshirecat Member Posts: 5,331
    edited May 2016
    Could it not be removed from private messaging? Seems to kind of make the term private redundant (although I recognise they're not officially called private messages anywhere).
  • MattsWhat Member Posts: 1,643
    edited May 2016
    ^but skimwords works at the end, not in the middle.  It literally skims any page served up to a user and shoves in ads.  It doesn't know what is being served, probably can't differentiate and it doesn't store or read them - they are not SSLed anyway so they aren't really private at all, just not viewable by the wider userbase.
  • paul_merton Member Posts: 2,967
    ^ No, it doesn't work like that. In fact, I didn't realise how bad it was until I tried it out just now by looking at some of my own private messages (I was curious to see how it all worked).

    Anyway, here's the shocker: The content of my private messages got sent off to i.skimresources.com in a big JSON structure. Names, addresses, political affiliations, embarrassing admissions, Jack Stone is my favourite theme, whatever - it wasn't fussy about what it took from those pages.

    @Huw, I think Skimwords needs to be removed from inbox pages.
  • MattsWhat Member Posts: 1,643
    edited May 2016
    ^isn't that just where the link redirects through? How could it possibly be sending off the pages to a server in real time (you can check it's doing it in real time as links come and go), the server load would be astronomical if it checked a page server side each and every time?!
    Surely it only checks server side for the database of links and keywords. 
  • paul_merton Member Posts: 2,967
    ^ No, it does exactly what I said. Trust me, I'm not wrong :)
  • MattsWhat Member Posts: 1,643
    Fair dos. Impressive stuff this Internet thing. 
  • aldredd Member Posts: 203
    edited May 2016
    The site, and all the 'private messaging' is run over an un-secure connection anyway, so there's already nothing private about it - 'anyone' could snoop in on it pretty easily.

    (For anyone doubting this, try the URL https://bricksetforum.com - see what message you get)

    I don't mind the skimlinks, only bother they give me is when trying to differentiate between links the author included intentionally (and therefore want you to follow). But that's kind of the point I guess!
  • cheshirecat Member Posts: 5,331
    There's quite a difference between a message not being sent over a secure connection and a message being deliberately sent to a third party.

    As a measure of "'anyone' could snoop in on it pretty easily", please feel free to find the content of my last private message.
  • aldredd Member Posts: 203
    edited May 2016
    I thought putting it in quotes would be sufficient to qualify that statement, but for the avoidance of doubt..

    'anyone with the necessary skills and tools' (which are easily picked up online)

    my point is, you should be more concerned with someone intercepting traffic than the skimlinks.

    Incidentally, for anyone using gmail, yahoo mail, hotmail et al, this is exactly what they do with just about every email you send (hence why for personal correspondence I use my privately hosted email server)

    No such thing as a private message on the internet I'm afraid.

    (A quick search also reveals many hacks on Vanilla forums, which would presumably expose messages too)
  • cheshirecat Member Posts: 5,331
    edited May 2016
    Yet once again you go undermining your own 'qualifications'... "'anyone with the necessary skills and tools' (which are easily picked up online)"

    Go on then?
    No? It's really not that simple is it. Obviously they're not secure, anyone with access to the database can get them as they're plain text, depending on the config forum admins might be able to read them, cracking my password wouldn't be hard either. Those are much bigger insecurities than not using HTTPS between myself and the server. That content is automatically sent to a third party is a much bigger concern to me - not a problem with the forum posts as they're in the public domain anyhow - but messages have the impression of privacy.

    But ultimately, although I work in IT, as I understand it @paul_merton works in internet security so I'll tend to defer to his judgement.
  • MattsWhat Member Posts: 1,643
    aldredd said:

    my point is, you should be more concerned with someone intercepting traffic than the skimlinks.

    I don't disagree with any of the technical stuff but I do with this.  The chances of anyone even wanting to intercept my personal messages on a random forum is as close to zero as it is possible to get.  It's not like it's my bank account after all - you would have to waste a lot of time individually hacking personal message on forums to get anything worthy of stealing.
    However, all the information from everyone's personal accounts on many forums going to a server (assuming this is actually what happens of course) that is programmed to sort that information for specific strings of characters is more concerning.  How hard would it be for it to also skim for bank account numbers etc. for example.  It's pretty unlikely, but way more likely a target for someone than my pretty mundane personal messages.
  • aldredd Member Posts: 203
    edited May 2016
    MattsWhat said:
    It's not like it's my bank account after all - you would have to waste a lot of time individually hacking personal message on forums to get anything worthy of stealing.

    Actually, it's a bigger risk than you're giving it credit for. Large amount of ID theft, bank account theft etc is the result of large scale hacks, where they scrape all the usernames, emails and passwords from unsuspecting sites like this (or others identified as storing passwords as plaintext), then use those same credentials on other, securer sites, starting with your email account (so they can then request banking password resets etc)

    So yes, you should be aware of sites not using encrypted connections and act accordingly - like using different passwords (ok, that one's Internet Security 101, but you'd be amazed how few people mix up their passwords)

    Not trying to undermine the argument of passing data to a 3rd party - I'm a very 'personal data aware' person, but it's not the biggest risk to your personal data here.
  • TigerMoth Member Posts: 2,343
    To everybody apart from those who are arguing about it:

    It is never about what YOU think or know you can do.

    It is never about what information YOU think is worth having.

    It is never about what YOU think is worth doing.

    It is always about what somebody else can do, and the ways they can think of using that information.

    You can be, or think you are, the smartest cookie in the world, and the above is still true.
  • aldredd Member Posts: 203
    edited May 2016
    But ultimately, although I work in IT, as I understand it @paul_merton works in internet security so I'll tend to defer to his judgement.
    Good choice, I agree with him - it's pretty much how the whole internet advertising platform works - every email on gmail is scanned in this way.

    All I'm trying to say is don't be fooled into thinking the messages you're sending are secure (with or without skimlinks) - they're not, and don't pretend to be, a method of securing communication.

    That said - @MattsWhat raised a good point, think people may send bank account numbers via messaging when buying/selling. If you're worried about these being passed through skimlinks, then again, you need also to be worried about these being sent over unsecured connections, and stored in plaintext.
  • paul_merton Member Posts: 2,967
    aldredd said:

    'anyone with the necessary skills and tools' (which are easily picked up online)
    I have the skills and the tools, but I still wouldn't be able to passively eavesdrop on your unencrypted traffic because it doesn't flow through any system I have access to.

    This is why the indiscriminate collection by a third-party of everyone's private messages (evidently without their knowledge) is a much bigger issue.
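
The observation reported in this thread, private message text turning up in a JSON body sent to a third-party host, can be checked against a browser capture of one inbox page. The following is an added example, not code from the thread or from Brickset: the hostnames, message text and request list are constructed, and `find_leaks` is a hypothetical helper.

```python
import json
import re
from urllib.parse import urlsplit

WORD = re.compile(r"[a-z0-9']+")

def normalise(text):
    """Lower-case word stream padded with spaces, so phrase matches align on word boundaries."""
    return " " + " ".join(WORD.findall(text.lower())) + " "

def shingles(text, n=4):
    """All runs of n consecutive words in the private text."""
    words = WORD.findall(text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def find_leaks(page_url, private_text, requests, n=4, min_hits=2):
    """Return third-party requests whose body repeats phrases from the page."""
    first_party = urlsplit(page_url).hostname
    phrases = shingles(private_text, n)
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # same site: not a third-party disclosure
        body = normalise(req.get("body") or "")
        hits = sum(1 for p in phrases if f" {p} " in body)
        if hits >= min_hits:
            findings.append({"host": host, "matched_phrases": hits})
    return findings

# Constructed sample: text of a private message and the requests seen while viewing it.
PAGE_URL = "http://forum.example/messages/42"
PRIVATE_TEXT = "Jack Stone is my favourite theme, please post the set to 12 Example Road"
CAPTURED = [
    {"url": "http://forum.example/settings/ping", "body": "ok"},
    {"url": "http://cdn.example/lib.js", "body": ""},
    {"url": "http://thirdparty.example/collect",
     "body": json.dumps({"page": PAGE_URL, "content": ["Re: trade", PRIVATE_TEXT]})},
]

if __name__ == "__main__":
    for leak in find_leaks(PAGE_URL, PRIVATE_TEXT, CAPTURED):
        print(leak)
```

Matching on four-word phrases rather than single words keeps common words in analytics payloads from producing false positives.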

  • MattsWhat Member Posts: 1,643
    edited May 2016
    "I don't have money, but what I do have are a very particular set of skills and tools. Skills and tools I have acquired over a very long career. Skills and tools that make me a nightmare for people like you."

  • cheshirecat Member Posts: 5,331
    edited May 2016
    "Now, the next part is very important. They are going to take you."

    Such a cool film. 
  • MattsWhat Member Posts: 1,643
    You mean
    "Now, the next part is very important.  They are going to take your private messages."
  • MattsWhat Member Posts: 1,643
    @Huw I haven't been seeing as many of these since this was changed - I used to get a lot more for shops like Amazon and Argos.  Is this because we are not clicking on them and building revenue, did the code change happen on other pages too or is it just the way it is and they are still paying for the forum?
  • Huw Administrator Posts: 7,088
    Since I made the change discussed above revenue dropped to zero, possibly due to an error in its implementation.

    I believe I corrected it earlier today but it will now appear on all pages again.


  • Lego_Star Member Posts: 2,144
    Skimlinks appeared in a pm last night but there is no Skimlinks notice showing on any forum pages, threads or otherwise @Huw.

    Off topic, hope you enjoyed the event in Portugal, would love to hear a report on the workshops, particularly as this was the first of a new recurring event in the calendar? :o)