# Security issue from old TUGBBS?



## Sydney (Mar 31, 2014)

Hi there, 
I was just googling my email address and came across the old posts from the old BBS with details such as the email addy and ISP that are fully visible. Is there a way to close this security issue please?
Here's an example when I type in my email address.
https://www.google.com.au/search?q=...0j7&sourceid=chrome&espv=2&es_sm=122&ie=UTF-8


----------



## Passepartout (Mar 31, 2014)

Unfortunately, once some tidbit of information is enshrined in Google's computers, as far as I know, it is there to stay. If there is a way to purge it, a lot of people would be wanting to remove things they posted.


----------



## Sydney (Mar 31, 2014)

I'm not worried about things I posted but it shows my email address and isp which it shouldn't. How did it get that information? Isn't that private information protected?


----------



## TUGBrian (Mar 31, 2014)

tis one reason we suggest never to use your email as your login....sadly even if we took down that forum google search index would still keep the data...and there is no way to edit that old forum at this time...its been shut down for many years unfortunately and is just read only.

per your ip address showing, I doubt its the same one you had 4 years ago =)

its pretty rare to have a static IP these days.


----------



## Sydney (Mar 31, 2014)

I didn't use my email as my log in. Which is why I wonder why it shows both my email and my isp. If a forum is shut down, why did/does it reveal private details to the www? Very strange.


----------



## TUGBrian (Mar 31, 2014)

sadly once something is "on the internet" its pretty impossible to remove for good.

I will repeat that your "isp"..which I assume you meant to say your IP address from 5 years ago is not likely the same.

edit, that board hasnt been active since 2005...nearly 10 years ago


----------



## Sydney (Mar 31, 2014)

Yes I meant ip. Thanks Brian. No it's not the same but the email addy is.
I haven't had an answer to why the email would appear. Does anyone have a suggestion?
A few years ago, our kids' school put their newsletter on the Internet with our home number in it. They were able to ask Google to remove its record and it did. I'm not as concerned with the email address but am perplexed as to why a site that is shut down would reveal private account information. Does anyone know please?
As far as I can ascertain, despite the site being shut down, the details are on the site not Google. Google just links to it in this instance I think. Which makes me wonder if anything can be done on the site to remove everyone's private information. Thanks.


----------



## TUGBrian (Mar 31, 2014)

Its not shut down, the site still exists and is read only.

however you cannot post/edit/etc anything on it...its essentially just a copy of the previous TUGBBS forum as it existed the last day before we brought this one online.


----------



## Sydney (Mar 31, 2014)

Ok. So why does it show private account info?  Can that be hidden, as it was when it was operating? I do think that it is an inadvertent security breach.


----------



## TUGBrian (Mar 31, 2014)

I guess in that version of cgibulletin that information wasnt hidden is my only guess.

might have been one of the reasons we migrated to vbulletin


----------



## Sydney (Mar 31, 2014)

Thanks for your answers Brian. I'm pretty sure it didn't. I would have noticed (and so would many others?). I have been on tub bbs since around 2000 and have always been very conscious of online privacy.
Is there anything TUG can do please?  I'd rather not have to change my email address as had the expectation of email privacy at least when I posted.
I'm not the only one it affects.  Everyone on the old bbs is vulnerable.


----------



## Sydney (Mar 31, 2014)

See example below. As you can see, it shows members' username, their email address and ip.
A||||18||shagnut||Update on my coworker!!!!!||||1|| Z||000000||shagnut||05-28-2005||09:46 PM||_email address removed_||She just put in her 2 week notice!!! Happy dance, Happy dance!!! And she had just started talking to me again (lol) She is going back to Sears in GBS. I really can't blame her. The commute was horrible. Plus she doesn't have to put up with me anymore (lol) I know you all can see my tears. I wish her well and am glad I acted with class. Thanks for your support. It meant more than you know. My stress level has gone down a couple of notches. Shaggy ------------------Leslie Michael||_IP removed_||reg||1 Z||000001||BarCol||05-28-2005||10:23 PM||_email address removed_||Good news all around and not a moment too soon!!!!!!!!!regards------------------Barb||_IP removed_||reg||12 Z||000002||JBRES1||05-29-2005||05:16 AM||_email address removed_||Well, will you have cake and party hats at her going away party ?Glad it worked out for you.Jim Breslin||_IP removed_||reg||1 Z||000003||capekong||05-29-2005||05:48 AM||_email address removed_||Great news!||_IP removed_||reg||1 Z||000004||Jaybee||05-29-2005||06:20 AM||_email address removed_||Shaggy, the gods are smiling upon you. Wonderful news! Hugs...------------------Jean||_IP removed_||reg||1 Z||000005||grest||05-29-2005||06:49 AM||_email address removed_||Well that's a red letter day!! Yippee...Connie||_IP removed_||reg||1 Z||000006||Lynda||05-29-2005||06:52 AM||_email address removed_||No surprise here. She was a bad fit and I could questioned her longevity. She sounds like every copmany's nightmare... Big hug to you!||_IP removed_||reg||1 Z||000007||jackio||05-29-2005||08:19 AM||_email address removed_||Congratulations on being the better person.------------------Jacki||_IP removed_||reg||1 Z||000008||luckster||05-29-2005||02:29 PM||_email address removed_||I have a smile on my face for YOU.Tina||_IP removed_||reg||1 Z||000009||Wonka||05-29-2005||03:58 PM||_email address removed_||Do you suppose all those TUG voodoo dolls worked?||_IP removed_||reg||1 Z||000010||Kathy Q||05-29-2005||06:57 PM||_email address removed_||Wonka,I'm just happy I can now retire mine!Leslie, Honey works so much better than vinegar. Congrats!Kathy Q||_IP removed_||reg||1 Z||000011||shagnut||05-29-2005||07:50 PM||_email address removed_||Wonka, I knew I could depend on you!! Shaggy ------------------Leslie Michael||_IP removed_||reg||1 Z||000012||SydneyTugger||05-30-2005||01:00 AM||_email address removed_||Great news. Am happy for you.||_IP removed_||reg||1 Z||000013||mischelle||05-30-2005||03:17 AM||_email address removed_||VooDoo Dolls?Lol.I won't be surprised.Luck You!!!


----------



## TUGBrian (Mar 31, 2014)

if someone is searching google for your email address, they likely already have your email address =)

and that site has been static for many many years...its not something new.  I do not believe there is any realistic way to remove the email addresses from that page like that.

It is google that is indexing the raw page data like that, the old board looks like this:

http://www.tug1.net/cgi-bin/Ultimate.cgi?action=intro&BypassCookie=true

looking at the old board, the email addresses were indeed public on there...you can click on any of the "email" links next to usernames and the email address is displayed publicly even if not logged in.


----------



## Sydney (Mar 31, 2014)

Ahh. Well that explains why I never noticed it then, if one had to click on the email link to see the email. That's dreadful. Glad you changed to this vbulletin then. Much better that it now sends an email without revealing the person's email address (is this correct? )
Thanks Brian.


----------



## TUGBrian (Mar 31, 2014)

yes that is correct, you cannot get someones email address off the forum here.

tis also the same way with the marketplace.


----------



## Sydney (Mar 31, 2014)

Hi Brian, can I email the below bbs' admin addy to request a change of my email on my old bbs profile, or even admin can't change it now? I figure if I change the email, at least it won't link my current email to my personal info on the old bbs. See below when I tried to change it myself.
Modify Your Profile
Thank you! We have confirmed your identity, SydneyTugger (TUG Member)

Feel free to modify any of the fields below. (See red note re email address)

Email Address for TUG BBS
NOTE: We are having trouble with the ability to change one's email address online. IF YOU SEE A BLANK SCREEN after submitting an email address change, your email address and password WILL NOT CHANGE so please ignore the email you receive from the bbs. We can update your email address for you manually. Please email your request to bbsadmin@tug2.net, giving:
1)your bbs username, 2)your bbs password, 3)your current bbs email, 4)your new bbs email.


----------



## TUGBrian (Mar 31, 2014)

as mentioned above, that old board is just a copy of how it existed when we took it offline.

it cant be modified/changed/edited/etc.


----------



## Sydney (Mar 31, 2014)

Yes. I just wasn't sure whether admin could do it or not, and whether that applied to forum posts or also personal profile.


----------



## rhonda (Mar 31, 2014)

Brian,

It appears that the old site is publishing user's email addresses (normally not seen) in the metadata of the webpage.  I can see mine in the same way the OP describes.  I think the OPs request to strip out the email address from the old site should be considered, please?

Thank you.


----------



## Sydney (Apr 1, 2014)

Yes, it would be good to remove my private email address from the old bbs profile. It won't even let me remove my real name in the profile page after logging in. At this stage, as far as I know,  my real name is not visible but since my email and ip is already, who knows whether my real name in the profile is/will be also. I really feel like my privacy has been breached with the old bbs software and feel quite let down that it has been allowed to happen with no forseeable remedy to the breach. Not sure that there's much that Brian can do since I do not know whether he can make any changes but I am thinking of reporting it for privacy breach and maybe the software developer can do something about it. Who in the US would be responsible for online privacy? And what is the online privacy policy of the TUGBBS?
Having studied law in Australia, I know that the law is fairly strict on online privacy but I am unfamiliar with the US laws.
If you are able to remove my email and real name from my old profile, I request that you please do so Brian. Please let me know if you can/will do this or not. Thank you.


----------



## TUGBrian (Apr 1, 2014)

im not sure why you guys think im somehow declining the request....if I were able to do it...i most certainly would =)

That forum hasnt been active in nearly 10 years, and was likely put in place perhaps 12-14 years ago.


----------



## Sydney (Apr 1, 2014)

Sorry if it came across as though I thought you were declining. I was just checking. And just to clarify that I am disappointed in the software that allowed the breach not TUG.


----------



## TUGBrian (Apr 1, 2014)

If we come up with a way to remove the emails or alter them in some way, I have no problem at all with doing it...just to be clear =)


----------



## Sydney (Apr 1, 2014)

Thank you. Appreciate that Brian. I just discovered that my full profile (the profile page one sees after logging in displaying real name & email) is visible on the internet too. So is everyone else' no doubt!! How dodgy is that software!  :-O
Have a good night Brian.


----------



## TUGBrian (Apr 1, 2014)

one would imagine that 10-15 years ago, this was a much smaller concern (internet privacy)


----------



## Makai Guy (Apr 2, 2014)

The Ultimate Bulletin Board (UBB) software we were using back then was considered state of the art when we switched over to it (from a crude home brew setup by Laurence Chan).  Not sure when this took place, but I THINK it may have been December 2000 based on user registration dates of some folks (like myself) that I know were around then. The world wasn't so concerned about online security back then as the bad guys were just getting started.  

But as the years went by Laurence moved on, leaving us with nobody knowledgeable enough to install updates and still carry our modifications over to the new version.  As the online world advanced, our version of UBB became more and more antiquated to the point that its publisher would no longer support it.  We moved to vBulletin in June 2005.


----------



## Passepartout (Apr 2, 2014)

Nice history lesson. Since the information the OP seems concerned about seems to pretty much be part of the 'public domain' now and available to a Google search and probably many other avenues, the only defense would be to abandon one's ISP, and email addresses and start fresh. From Doug's description, that's basically what TUG did when the old software became unusable.

We often don't realize what a different digital world we live in now compared to 20 years ago. And in another 20 years???

Jim


----------



## Sydney (Apr 2, 2014)

I suspect the security hole occurred after TUG moved over to the vbulletin software and the old site was abandoned. There is no longer any security measures in place with the old software which now readily displays ips and emails. I hope the same thing does't occur with v bulletin down the track.
Any internet security experts out there? Is there anyone who can access the old bbs as admin to delete my email and real name in my user profile? Anyone at all?
It actually lets me log in but not make any changes.


----------



## TUGBrian (Apr 2, 2014)

as mentioned (numerous) times before, that version of hte forums hasnt changed in 10+ years...its existed in its exact same format from then..until now....its not like something happened last week that suddenly made that info visible.

Ill also repeat, that if we had the ability to delete your info, we would.  I am not sure how to answer the same question you keep asking any better than that =)


----------



## Makai Guy (Apr 3, 2014)

Sydney said:


> I suspect the security hole occurred after TUG moved over to the vbulletin software and the old site was abandoned. There is no longer any security measures in place with the old software which now readily displays ips and emails. I hope the same thing does't occur with v bulletin down the track.
> Any internet security experts out there? Is there anyone who can access the old bbs as admin to delete my email and real name in my user profile? Anyone at all?
> It actually lets me log in but not make any changes.


Yes, I have been somewhat surprised that I could still log in and do that, and I did remove your email address and real name from your old profile.   But I don't think it is the information in the profiles that is being retrieved by Google, it is the old threads themselves, and they had the names and email addresses hardcoded in.   I have no way to remove personal information from those as they are static files that were only updated when messages were added, removed, or edited, so they are "frozen" as they were when the old board was shut down.  

And there never were any security measures of that sort in place with UBB -- that was one of many reasons we moved to vBulletin which keeps all personal information in a database not accessible by the search engines.


----------



## dioxide45 (May 6, 2014)

Sydney said:


> I suspect the security hole occurred after TUG moved over to the vbulletin software and the old site was abandoned. There is no longer any security measures in place with the old software which now readily displays ips and emails. I hope the same thing does't occur with v bulletin down the track.
> Any internet security experts out there? Is there anyone who can access the old bbs as admin to delete my email and real name in my user profile? Anyone at all?
> It actually lets me log in but not make any changes.



Odd, Sydney shows as GuestGuest under their TUG handle. Also the post count shows 'n/a'. The user also does not show up in the list of current BBS users? Where did Sydney go?


----------



## Makai Guy (May 7, 2014)

dioxide45 said:


> Odd, Sydney shows as GuestGuest under their TUG handle. Also the post count shows 'n/a'. The user also does not show up in the list of current BBS users? Where did Sydney go?


This individual's TUGBBS account was deleted at her request.


----------

