General Questions: Am I Safe Here?

AstroFX
Solved by Twilight Sparkle ✨

This is a question I've been having since I signed up here, and nowhere that I can find does it discuss this. So I myself am a security nut and I like it when my things are SAFE, such as the info I release privately to Poniverse along with my IP and email address, which are two things I would NEVER want a hacker to get ahold of. So my REAL question is this: am I safe here? Is all of my information secure within your servers? Or are you guys like the few other sites I left because of this issue, where I needed to protect MY information with close to no support from the staff?


I don't see how it would be any less safe than any other forum type site. If you're that worried about safety, join up with a user name and email address that has no link with the ones you use with family and friends. That's what I did. Also, this computer I'm using now is NEVER used for online banking or purchases. I have never even put a photograph of myself on it. 


I've never heard of a "hacking" incident on these forums before, so I'm assuming it's perfectly safe. Yea they have the rare server crash but that's about it.


@AstroFX,

I'm Poniverse's chief techpony. I'm happy to answer any specific questions you have about Poniverse's security but will also provide some general information in this post. :)

First, a disclaimer: no one can promise perfect security. An element of unpredictability exists in any system humans are involved with. ;)

There's always room to improve, but I like to think that we take reasonable steps to protect information that Poniverse is entrusted with, particularly considering this entire organization is a massive hobby project for all involved.

  • The vast majority of our servers can only be accessed through our internal VPN.
  • We block all ports by default in our firewall and only open/forward the ones we need.
  • Access to the VPN and to individual servers is given to staff on a need-to-have basis.
  • We outsource payment card processing to Stripe and PayPal, both PCI-compliant payment processors. If you're making payments to Poniverse, your credit card number never touches our servers.
  • Our sysadmins use tools to manage all of Poniverse's servers at once, which limits our chances of a server getting compromised because no one remembered to update that old password on it.
  • We won't reveal your email address, IP address, or other private information to third parties without your consent unless we're reporting criminal activity to law enforcement.
    • To be clear, Poniverse's partners are third parties. The various conventions that have their forums here do not have access to Poniverse's records of your email and IP addresses.
  • We don't mess around with your password.
    • Our central login portal at Poniverse.net is the only site that you ever have to enter your Poniverse password into. All sites that use Poniverse logins use something called OAuth 2.0 to avoid ever touching your password. This vastly limits the number of ways that a hacker could intercept your password.
    • Your password is hashed with bcrypt, a modern algorithm that the security community approves for this purpose. It is not possible for us to retrieve your actual password from the version of it that we store.
    • The login portal uses HSTS.
  • Most of Poniverse's sites use a modern HTTPS setup to encrypt traffic between you and Poniverse. Note that MLP Forums and Pony.fm are served entirely over HTTPS.

I hope that sheds a little light on things. Let me know if you have further questions.


Well, I wrote quite a lot of words, but at first I just wanted to thank my upper neighbor ↑↑↑ for his post, which was really interesting to read... and also note the fact that AstroFX and cuteycindyhoney, you might be a tiny little bit paranoid, no offense, but I feel that when I read you (and you're hearing that from someone who is often called paranoid by other people :P ), but at least all this gave me an idea for an article to write on my blog :) (in French)

So, I'm new here, and I find that the Poniverse system is a great idea; however, personally, I don't like that kind of service, as if the top service (or your account on it) is compromised, you don't lose one but all the services associated with the general account...

and also you can't have multiple strong passwords, which are the start of security, even though it's a challenge to learn them all (and not forget any) :P

also for sure when you use a service you put trust in the guys behind it; also nothing is 100% invulnerable to anything, an error might have happened somewhere (Errare humanum est) or some new exploit might have been used before being discovered and fixed; however I just read the listing that Feld0 did, and I have to admit you guys are taking things seriously here...

but well AstroFX, not feeling safe (and we are not and will never be 100% safe) in that way is not good,

first, if you don't want something to leak, just don't post it in the first place :)

(celebrities who happen to share naked photos privately, and afterwards complain that they have leaked, if you hear me...)

also you don't need the same level of security when you post a pony-related public message as when you are a journalist talking about important stuff with a political opponent whose life depends on whether he is discovered or not... (it's of course an example from fictional facts)

or a personal example: would I chat on Skype with someone about ponies or random stuff? Yes, of course, but would I use Skype to talk about any professional/strategic/sensitive/serious matter? No, I wouldn't, and I would laugh :D in the face of anyone who would propose that to me...

(that example only reflects my opinions; you might trust Skype if you want, but personally it's (with Gmail and Facebook) one of the perfect examples of services that are not secure for their users; they might be safe from random nasty people but not from all threats)

lastly it's all a matter of common sense, logic and evaluation; you have to think the "hacker" way:

who would that person be?
what would they want to do with your data/credentials?
how could they get their hands on them?
why would they even care about that data/credentials?

for instance, in this case:

why would a random person on the internet try to get access to my account on a forum?

well, if you've got a pseudonym, they will usually not know you, so the typical person who would do that is someone who just wants to be mean or to know you more, but why you among all the other people they can annoy/stalk?

what could they do with it?

if they get access to a few accounts they can troll and post ads with bots and things; they also can annoy the people who will lose access to their account, and know the few things you shared "privately" ("" because then it's not private anymore :P )

what are my weaknesses they could use to get the credentials?

do I have a strong password? do I trust the admins? is my own machine secure? do I trust my ISP (even though all the sensitive stuff is normally encrypted, so not reachable by the ISP, in theory)?

also, like cuteycindyhoney said, get yourself an e-mail address that is dedicated to the pony stuff or public things or something like that; separate your mailboxes! so that the one you use for communications with humans is not clogged with spam and random notifications! there you've got another benefit!

about your IP, it's not that sensitive; they are widely used as a way to recognize people online, and also your router should have the proper firewalls to prevent anything from happening (one more time, nothing is 100% safe, but again, do you trust the company that made the router? well, on this one I personally don't, but that's personal) (also, even though it was mentioned by no one, never believe in the paid/free random VPNs/proxies, because you have to trust them to protect your communications, and you're adding someone else in the chain, so you add risk of leaks)

so it's all a question of being clever, which I'm sure you are! (because you wouldn't have been concerned about that if you were not...)
