Please refrain from posting animated GIFs, memes, joke videos and so on in discussions other than those in the off topic area.

Dismiss this message to confirm your acceptance of this additional forum term of use.
You must be 16 or over to participate in the Brickset Forum. Please read the announcements and rules before you join.

SKIMWORDS

donutboydonutboy U.K.Member Posts: 550
I'm aware that this feature is a money making/saving exercise on Brickset's behalf but i've recently had some skimword links in PMs. Seems a bit iffy. @drdavewatford@CapnRex101

Comments

  • HuwHuw Brickset Towers, Hampshire, UKAdministrator Posts: 5,846
    It won't differentiate PMs from forum posts since the script is on every page.

    They are not ideal, but the forum has to pay for itself.
  • donutboydonutboy U.K.Member Posts: 550
    That's cool. I just thought i'd check. Thanks
  • cheshirecatcheshirecat Member Posts: 5,330
    edited May 2016
    Could it not be removed from private messaging? Seems to kind of make the term private redundant (although i recognise they're not officially called private messages anywhere).
  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    edited May 2016
    ^but skimwords works at the end, not in the middle.  It literally skims any paged served up to a user and shoves in ads.  It doesn't know what is being served, probably can't differentiate and it doesn't store or read them - they are not SSLed anyway so they aren't really private at all, just not viewable by the wider userbase. 
  • paul_mertonpaul_merton UKMember Posts: 2,764
    ^ No, it doesn't work like that. In fact, I didn't realise how bad it was until I tried it out just now by looking at some of my own private messages (I was curious to see how it all worked).

    Anyway, here's the shocker: The content of my private messages got sent off to i.skimresources.com in a big JSON structure. Names, addresses, political affiliations, embarrassing admissions, Jack Stone is my favourite theme, whatever - it wasn't fussy about what it took from those pages.

    @Huw, I think Skimwords needs to be removed from inbox pages.
    cheshirecatkiki180703
  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    edited May 2016
    ^isn't that just where the link redirects through? How could it possibly be sending off the pages to a server in real time (you can check it's doing it in real time as links come and go), the server load would be astronomical if it checked a page server side each and every time?!
    Surely it only checks server side for the database of links and keywords. 
  • paul_mertonpaul_merton UKMember Posts: 2,764
    ^ No, it does exactly what I said. Trust me, I'm not wrong :)
  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    Fair dos. Impressive stuff this Internet thing. 
  • aldreddaldredd United KingdomMember Posts: 203
    edited May 2016
    The site, and all the 'private messaging' is ran over an un-secure connection anyway, so there's already nothing private about it - 'anyone' could snoop in on it pretty easily.

    (For anyone doubting this, try the URL https://bricksetforum.com  -see what message you get)

    I don't mind the skimlinks, only bother they give me is when trying to differentiate between links the author included intentionally (and therefore want you to follow). But that's kind of the point I guess!
  • cheshirecatcheshirecat Member Posts: 5,330
    There's quite a difference between a message not being sent over a secure connection and a message being deliberately sent to a third party.

    As a measure of "'anyone' could snoop in on it pretty easily", please feel free to find the content of my last private message.
    paul_mertonkiki180703
  • aldreddaldredd United KingdomMember Posts: 203
    edited May 2016
    I thought putting it in quotes would be sufficient to qualify that statement, but for the avoidance of doubt..

    'anyone with the necessary skills and tools' (which are easily picked up online)

    my point is, you should be more concerned with someone intercepting traffic than the skimlinks.

    Incidentally, for anyone using gmail, yahoo mail, hotmail et al, this is exactly what they do with just about every email you send (hence why for personal correspondence I use my privately hosted email server)

    No such thing as a private message on the internet I'm afraid.

    (A quick search also reveals many hacks on Vanilla forums, which would presumably expose messages too)
  • cheshirecatcheshirecat Member Posts: 5,330
    edited May 2016
    Yet once again you go undermining your own 'qualifications'... "anyone with the necessary skills and tools' (which are easily picked up online)"

    Go on then?
    No? Its really not that simple is it. Obviously they're not secure, anyone with access to the database can get them as they're plain text, depending on the config forum admins might be able to read them, cracking my password wouldn't be hard either. Those are much bigger insecurities than not using HTTPS between myself and the server. That content is automatically sent to a third party is a much bigger concern to me - not a problem with the forum posts as they're in the public domain anyhow - but messages have the impression of privacy.

    But ultimately, although I work in IT, as I understand it @paul_merton works in internet security so I'll tend to defer to his judgement.
  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    aldredd said:

    my point is, you should be more concerned with someone intercepting traffic than the skimlinks.

    I don't disagree with any of the technical stuff but I do with this.  The chances of anyone even wanting to intercept my personal messages on a random forum is as close to zero as it is possible to get.  It's not like it's my bank account afterall - you would have to waste a lot of time individually hacking personal message on forums to get anything worthy of stealing.
    However, all the information from everyones personal accounts on many forums going to a server (assuming this is actually what happens of course) that is programmed to sort that information for specific strings of characters is more concerning.  How hard would it be for it to also skim for bank account numbers etc. for example.  It's pretty unlikely, but way more likely a target for someone than my pretty mundane personal messages.
    princedravenkiki180703
  • aldreddaldredd United KingdomMember Posts: 203
    edited May 2016
    MattsWhat said:
    It's not like it's my bank account afterall - you would have to waste a lot of time individually hacking personal message on forums to get anything worthy of stealing.

    Actually, it's a bigger risk that you're giving it credit for. Large amount of ID theft, bank account theft etc is the result of large scale hacks, where they scrape all the usernames, emails and passwords from unsuspecting sites like this, or others identified as storing passwords as plaintext), then use those same credentials on other, securer sites, starting with your email account (so they can then request banking password resets etc)

    So yes, you should be aware of sites not using encrypted connections and act accordingly - like using different passwords (ok, that ones Internet Security 101, but you'd be amazed how few people mix up their passwords)

    Not trying to undermine the argument of passing data to a 3rd party - I'm a very 'personal data aware' person, but it's not the biggest risk to your personal data here.
  • TigerMothTigerMoth Member Posts: 2,343
    To everybody apart from those who are arguing about it:

    It is never about what YOU think or know you can do.

    It is never about what information YOU think is worth having.

    It is never about what YOU think is worth doing.

    It is always about what somebody else can do, and the ways they can think of using that information.

    You can be, or think you are, the smartest cookie in the world, and the above is still true.
  • aldreddaldredd United KingdomMember Posts: 203
    edited May 2016
    But ultimately, although I work in IT, as I understand it @paul_merton works in internet security so I'll tend to defer to his judgement.
    Good choice, I agree with him - it's pretty much how the whole internet advertising platform works - every email on gmail is scanned in this way.

    All I'm trying to say is don't be fooled into thinking the messages you're sending are secure (with or without skimlinks) - they're not, and don't pretend to be, a method of securing communication.

    That said - @MattsWhat raised a good point, think people may send bank account numbers via messaging when buying/selling. If you're worried about these being passed through skimlinks, then again, you need also to be worried about these being sent over unsecured connections, and stored in plaintext.
  • paul_mertonpaul_merton UKMember Posts: 2,764
    aldredd said:

    'anyone with the necessary skills and tools' (which are easily picked up online)
    I have the skills and the tools, but I still wouldn't be able to passively eavesdrop on your unencrypted traffic because it doesn't flow through any system I have access to.

    This is why the indiscriminate collection by a third-party of everyone's private messages (evidently without their knowledge) is a much bigger issue.

  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    edited May 2016
    "I don't have money, but what I do have are a very particular set of skills and tools. Skills and tolls I have acquired over a very long career. Skills and tools that make me a nightmare for people like you."

    cheshirecatkiki180703
  • cheshirecatcheshirecat Member Posts: 5,330
    edited May 2016
    "Now, the next part is very important. They are going to take you."

    Such a cool film. 
  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    You mean
    "Now, the next part is very important.  They are going to take your private messages."
    cheshirecatkiki180703
  • MattsWhatMattsWhat Studley, UKMember Posts: 1,639
    @Huw I haven't been seeing as many of these since this was changed - I used to get a lot more for shops like Amazon and Argos.  Is this because we are not clicking on them and building revenue, did the code change happen on other pages too or is it just the way it is and they are still paying for the forum?
  • HuwHuw Brickset Towers, Hampshire, UKAdministrator Posts: 5,846
    Since I made the change discussed above revenue dropped to zero, possibly due to an error in its implementation.

    I believe I corrected earlier today but it will now appear on all pages again.


    MattsWhatbendybadgerkiki180703MattDawson
  • Lego_StarLego_Star ... in a galaxy far, far away.Member Posts: 1,404
    Skimlinks appeared in a pm last night but there is no Skimlinks notice showing on any forum pages, threads or otherwise @Huw.

    Off topic, hope you enjoyed the event in Portugal, would love to hear a report on the workshops, particularly as this was the first of a new recurring event in the calendar? :o)
Sign In or Register to comment.
Recent discussions Categories Privacy Policy