

TOS





NoneYet
WTF is up with this???

Email address, name and potential other information is also collected during registration and optional subsequent forms. This information is strictly not shared with third-party websites or services. We however cannot be held responsible for any leaked or compromised data.

How are you not to be held responsible??? You are keeping our personal information, which means that YOU are to be responsible for it. It is the same that if I gave a friend my credit card information so he can make a purchase, it is inherently perceived that he will not give that information out and he is responsible if it becomes lost/stolen/leaked/compromised. Here is a better analogy:

I leave my child at a sitter's (my personal belonging). I come back to pick my child up, and he is missing! The SITTER is held responsible for the LEAKAGE. I understand that this is a bit more dramatic than my personal information, however, the concept of who is held responsible is the same.

I think that you guys need to look into some of the compliances because I am quite sure that you are not being compliant with this statement in your Terms of Service. Just remember that Visa recently sued TJ Maxx for not being PCI compliant. This means that the users have the potential of suing you if you are not compliant. Just my thoughts and I hope that everyone here sees the misconceptions being caused here.


---Anonymous (for now)

Sig ->
How come companies are not willing to accept any kind of responsibility? What has our world come to??
rvec
We will of course try to be as careful with your data as possible but this is just there to cover us when a hacker breaks in or something else, which we can't do much about, happens.
as stated in this line:
Quote:
This information is strictly not shared with third-party websites or services.

We will always try to keep your data safe.

And if it makes you feel safer; our data is saved on the same servers as your data, so if something happens to your data it also happens to ours.

my real name, email, my 2 most used passwords and probably more of my data is on the 3 frihost servers. If cracked I am also screwed.
NoneYet
It does not make me feel better that your data is on the same server. I believe that to be a lack of planning and scalability. Nonetheless, I am not talking about your sharing OUR personal information, but instead about your responsibility of it being lost. I am only trying to give you some helpful criticism, so please do not take offense.

I believe that you, as the keepers of our personal information, should be held accountable and responsible for any misconduct or vulnerabilities on your systems that cause our personal information to be leaked. If you are not held accountable how can WE (as users of your services) be expected to be comfortable and believe that you are trying everything in your utmost powers to help preserve our identities? If you are not held accountable, you can say what you will, but actions always speak louder than words.

---NoneYet
Fire Boar
That's what you get from a free service, mate. Smile

You're paying nothing at all, for a pretty good hosting service that rivals some budget plans out there. The details are kept on Server 1 simply because there is no better place for it to be kept. Ultra-uber-tech security costs a bomb, and is rarely needed.

If Frihost were a profit organisation then no doubt personal details would be kept with near-bank-like security. It's not, so they're not. In any case, all you need to give are your email address and name. Hardly your credit card details, hm?

Quote:
I think that you guys need to look into some of the compliances because I am quite sure that you are not being compliant with this statement in your Terms of Service. Just remember that Visa recently sued TJ Maxx for not being PCI compliant. This means that the users have the potential of suing you if you are not compliant. Just my thoughts and I hope that everyone here sees the misconceptions being caused here.


Oh no. I'm going to sue Frihost because I chose to use their excellent service for free, and an evil hacker bent on untold destruction managed to find out my name. Good Lord, how thick can people get? Is this the future of the world: suing people just for the sake of a bit of extra cash? Thankfully, Frihost have covered their backs in this respect by explicitly pointing out that they cannot be held responsible for any leaked or compromised data.

On signing up, you must agree to the terms of service (whether you have read it or not) and are bound by those conditions. Legally, I suppose you could say. If you don't like it, then don't sign up, don't receive the service. It's quite simple. Legally, it is impossible to hold Frihost responsible if the worst comes to the worst and a hacker does manage to gain access to their systems.

Come on: less law, more justice, eh?
NoneYet
I never said that "I" was going to sue if my personal information was leaked. Hell I know better than to give my accurate information to online sites (unless it is an absolute requirement, then I do research on said sites).

I was just pointing out that there are compliances out there that must be met when holding someone else's personal information, even if it is stated within the TOS that they are not held responsible. TJ Maxx still would have been sued if they printed the same statement on each receipt that a customer was given. (Yes I know they are not signing the receipt, however, they can say that "By not protesting this, you knowingly acknowledge that TJ Maxx is not responsible for your personal information being leaked or otherwise exploited.") Even with this, Visa would still be able to sue them for not meeting the PCI compliance. So no, just because it is in their statement they still have the possibility of being sued.

--NoneYet
Peterssidan
The only personal data you have to enter is the username and E-mail address. The username will be displayed on the forum anyway so it doesn't matter if someone steals that information. The E-mail is the only thing I can see is the problem. There is more data to enter but you will always be able to see it in the profile so the information is public anyway.
rvec
Quote:
I believe that to be a lack of planning and scalability.

I have the same hosting package and am a member of the same forum as everyone else. I don't think this is a problem as long as the data is safe and I think it is.

Quote:
If you are not held accountable how can WE (as users of your services) be expected to be comfortable and believe that you are trying everything in your utmost powers to help preserve our identities?

Because our own information is on the same place. So we will protect your information as if it is our own.

Quote:
If you are not held accountable, you can say what you will, but actions always speak louder than words.

What actions do you have in mind? Very Happy
NoneYet
Just because the information is held on the same server, does not mean that Frihost will not better protect theirs. For instance, they could encrypt just their data into a logical volume using a program like TrueCrypt, but not the user information (makes sense since the user information will be expanding and contracting far more so than that of the Frihost "employee" [not sure what else to call you guys] information.) So yes, I do not believe that they will keep ours just as secure as theirs since they have never even met 5% of their users (I just pulled this number out of my head, I can almost guarantee it is far less, but I say 5% since I think they would have at least met each other ?? Maybe)

Some actions include using PGP to encrypt the entire harddisk, or even hasing the field values prior to putting them into the database. This way if their system is compromised the chances of the exploiters gaining any information is very slim.
NoneYet
It should be "hashing" not "hasing". I apologize for any confusion.
mynd
NoneYet,

First and foremost, why are you going by NoneYet. Are you too cowardly to actually show yourself to us? Furthermore, it is a *FREE* hosting site and I think that you need to get your head out of the sand and take a look around.

For instance,
Quote:
Just because the information is held on the same server, does not mean that Frihost will not better protect theirs.


You are thinking WAY too much about this whole issue. IIRC, you said that you do not even use your actual information on sites like these..WTF is your issue then? Use some fake information and just sign up. I believe that you are way too analytical and you need to take a step back to view what is really going on here.

Furthermore, you said
Quote:
Some actions include using PGP to encrypt the entire harddisk, or even hasing the field values prior to putting them into the database. This way if their system is compromised the chances of the exploiters gaining any information is very slim


To use PGP to encrypt the harddrive will require about a day's worth of downtime for the initial encryption. And as for the encrypting of the DB fields that will take some time for implementation, therefore, causing more down-time.

However, I would like to thank you for taking the time to point this out to people and looking on the security side of things.

-Mynd
rvec
I am sorry if I didn't make this clear, my files, the files of the owner, the files of all other staff members and the files of all normal members are all stored the same way on the same servers. We have the same hosting accounts (if we have one) as you will get when (/if) you register and apply for an account.

Encrypting all files would take a lot of time and would make the servers a lot slower.

BTW I hope you register, I already like you Smile
minty
I have joined b/c you (rvec) seem to really like me...LOL. Nah, I understand your standpoint, however, I still think that this should require some more looking into. I will look into some compliances to see if you fall under any. You very well may not; Still, I strongly encourage you take more preventative measures...

In fact, I guess I kind of jumped to conclusions by not asking what you do for preventative measures to help ensure that our personal information is not compromised. So what do you guys do?

Thanks for the quality feedback and hope to talk some more.

BTW, mynd, I was waiting to have my questions answered prior to making an account.

-minty
minty
Almost forgot.

This is directed mainly towards mynd and rvec.

The PGP encryption will take a while for the initial encryption, yes; however, once the initial encryption is completed, the entire harddrive will be decrypted/encrypted on the fly as the data is accessed and saved. Therefore, you will NOT notice a performance hindrance after the encryption. Furthermore, you can configure PGP to encrypt the HDD using minimal CPU resources. This will force the encryption to occur in the background and the users will notice very little performance hindrance. The only drawback is that it will take a lot longer to encrypt the HDD this way.

Just some thoughts.

-minty

edit: LOL, I originally said directed towards "minty and rvec." Whoops!!
rvec
I will ask the big boss to answer here. I don't know how much he wants to tell about the security but he at least knows more than I do.

About the PGP: I thought it would slow the server down :S But if it doesn't it sounds like a good idea. Although there would probably be more things to think about when applying this. Some programs might not be compatible with this and I don't know how long it will take.
mOrpheuS
I'm sure everybody here can see the reason for having that clause in the TOS.

But since you want to talk more about it -
NoneYet aka minty wrote:
Just remember that Visa recently sued TJ Maxx for not being PCI compliant. This means that the users have the potential of suing you if you are not compliant.

We know this all too well.
We also know that
- we are not a giant corporation with a dedicated army of lawyers to defend us.
- we do not have a self-owned multi-million dollar datacenter, manned by security guards hired by us, to protect the data that we hold.
- the people who actually physically hold this data (the data center) categorically disown any responsibility on their part in case of data theft/leakage - using clauses very similar to the ones we have in our TOS.


NoneYet aka minty wrote:
How are you not to be held responsible??? You are keeping our personal information, which means that YOU are to be responsible for it.

We are not to be held responsible by the virtue of the fact that you provide the "personal" information only when you agree to not holding us responsible.

I'll dismiss these analogies for the simple reason that they do not take into account the above fact.
NoneYet aka minty wrote:
It is the same that if I gave a friend my credit card information so he can make a purchase, it is inherently perceived that he will not give that information out and he is responsible if it becomes lost/stolen/leaked/compromised. Here is a better analogy:

I leave my child at a sitter's (my personal belonging). I come back to pick my child up, and he is missing! The SITTER is held responsible for the LEAKAGE. I understand that this is a bit more dramatic than my personal information, however, the concept of who is held responsible is the same.


Now back to the real life scenario -
NoneYet aka minty wrote:
I think that you guys need to look into some of the compliances because I am quite sure that you are not being compliant with this statement in your Terms of Service. Just remember that Visa recently sued TJ Maxx for not being PCI compliant. This means that the users have the potential of suing you if you are not compliant. Just my thoughts and I hope that everyone here sees the misconceptions being caused here.

I'm not sure what's your point here.
The VISA privacy policy (that every merchant is bound by) and our TOS are two entirely different things.
One is meant to hold the party responsible for data security, the other is meant to relieve the party of any such responsibility.

When TJMaxx use a VISA merchant account, they agree to being held responsible for any breach of the privacy policy. They can be sued by VISA for any such breach.
When you agree to our TOS, you agree to the fact that we are not to be held responsible for any such breach. This protects us from lawsuits, or at least that's the intention.

NoneYet aka minty wrote:
there are compliances out there that must be met when holding someone else's personal information, even if it is stated within the TOS that they are not held responsible.

Most of them seem to be negated by the fact that we are not a business (financial one at that), but if there are any that still apply, we'll be glad to know more about them.

NoneYet aka minty wrote:
How come companies are not willing to accept any kind of responsibility? What has our world come to??

While we guarantee everything we can control, the security of any information that we (theoretically) hold, depends upon a number of other factors that are beyond our control - these, we cannot guarantee. Nor do we wish to get into legal trouble because of the failure in any one of them.

Therefore, even though it sounds immoderate (like this reply to your post), what's written in the TOS is just a fact - very plainly stated.


My honest advice - if your very life depends on the security of the name/email address that you give out on the internet, then please do NOT sign up ... on any site, ever.
Bondings
This isn't something that is special for Frihost. Most similar websites (with registration, like other forums) have this kind of policy (whether it is written in their TOS or not).

There isn't much personal information that we store that isn't displayed publicly. And most of that information is needed for this website to function or to display to the user and the staff. This means that the server needs to be able to generate that information. Hence any encrypted data would need to be decrypted on the server causing the encryption to be fairly unnecessary since anyone in complete control of the server would be able to decrypt it anyway. (except for passwords, since those don't need to be able to be decrypted)

Of course the password might be considered pretty sensitive information in the case that you use the same password for other websites - including important ones. Now first of all, it is a very bad idea to use such a password (of an important site) on another website. Anyway, the password is hashed with an MD5 hash, the standard phpbb2 way. Unfortunately it's not salted (I might change it to a salted one), so a short one can be found with a rainbow table. However, if someone gets complete access to the server, they can capture the password if you log in to the (now compromised) website, with a slight change of the script.

The physical security of the server is provided by the datacenter itself and should be pretty good. 2 of our servers (where this website is also hosted on) are located in the Savvis datacenter, which is considered a US national entity and protected by the national guard in case of crisis (not that it matters in our case) and a lot of important servers are located there. If someone breaks in physically, they wouldn't do it for our user data - for sure.

Now you should be assuming that there is a (albeit small) chance that a hacker could get access to your email address, encrypted password (or even decrypted, but very unlikely), name (whatever you provided there) and everything else you might have put somewhere on Frihost. And for your website, that the data could be compromised and/or erased at any time. So don't put any sensible information there and keep a backup. Wink
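An added example, not part of the original thread and not Frihost's or phpBB's code: it shows why the unsalted MD5 storage described in the post above is exposed to precomputed tables and how a per-user salt changes that. The account data, the function names and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for the illustration; the post only says "salted".

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share a password on purpose.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "x9!Lq2#vTz"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def md5_unsalted(password: str) -> str:
    """Unsalted MD5 hex digest, the storage scheme the post describes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_precomputed_table(candidates):
    """Small stand-in for a rainbow table: digest -> password, built once."""
    return {md5_unsalted(p): p for p in candidates}


def audit_unsalted(stored, table):
    """Return the accounts whose stored digest appears in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_salted(password: str, salt: bytes = None):
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ITERATIONS)
    return salt, key


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_salted(password, salt)
    return hmac.compare_digest(key, expected)


def demo():
    # Unsalted: equal passwords give equal digests, and one table built
    # in advance matches every account that uses a listed password.
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    table = build_precomputed_table(["123456", "password", "sunshine"])
    exposed = audit_unsalted(unsalted, table)
    # Salted: each record is unique, so a table would have to be rebuilt
    # per user, at PBKDF2_ITERATIONS hash computations per guess.
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return unsalted, exposed, salted


if __name__ == "__main__":
    unsalted, exposed, salted = demo()
    print("identical unsalted digests:", unsalted["alice"] == unsalted["bob"])
    print("accounts matched by the table:", sorted(exposed))
    print("identical salted records:", salted["alice"] == salted["bob"])
```

As the post notes, neither scheme helps once the login script itself is modified on a compromised server; hashing only protects the stored copy.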
flyfamilyguy
Come On Man! This is a FREE hosting service. The only information that you were required to give out was your freekin' USERNAME, and Email! How much damage could come from this? Hows about a little Gratitude hmm?
cr3ativ3
Haha interesting topic! I realize this is ancient, and I apologize for not leaving it buried Razz. Sounds a lot like something I would write/post Razz

@ the point of encrypting the data on the server, this would add a lot more to the CPU usage, as the CPU would have to encrypt/decrypt any data being pulled from the HDD as it is being accessed, believe me this slows the I/O speed down considerably, and increases CPU usage quite a bit.

As Bondings said, it would not protect the server in much way at all from a hacker gaining access to the server remotely... As they would gain access to the server while it is on and running, and encrypting/decrypting on the fly. The only way this method of encrypting the HDD would protect users on it, would be if something were to happen to the server physically.. (Like it getting stolen, by someone that is into breaking into top of the line secured facilities, and stealing servers Razz)

However some good points to bring up!

Interesting read for sure.
watersoul
This topic made me chuckle, demands for total security etc??! ...just use a free webmail account with anonymous details and a different password to the one you use on Frihost - it ain't rocket science Laughing
© 2005-2011 Frihost, forums powered by phpBB.