TNA OR Reviews

[HankChristine]

Looks like they got the site back up, but at lease when I went to look there was no content loaded at all.

Guess we will see how much the providers missed it / were able to get by with other sites.

Wonder if they offered cut rate deals to get the providers going again. Or if anyone has heard from the local providers who depended on tna if they had less business without it.

[NachoCheese]

What you have is mere speculation. Whereas there is the actual data that Blue States, as a whole, give billions more Federal tax money than they receive.

I can easily speculate that the blue / red deficit would worse if Blue states actually charge red states to use their big freight ports. Because red states are using them for free.

Mere speculation? If you're talking about my assertion of an inverse correlation between international shipping ports and federal dependency, the actual data on shipping volume through US ports is a google search away for the curious and capable. You're missing my point though, a point that is actually mirrored in the article itself:

But a correlation between states' economic health and political affiliation may reflect economic factors beyond those explained by political philosophy.

"If red states pay less in taxes than they receive in benefits, that's because they are generally poorer and program rules are progressive not because they are 'takers' while blue states are 'donors' in any value-laden sense," says Mark Shepard, assistant professor at the Harvard Kennedy School of Government and faculty research fellow at the National Bureau of Economic Research (NBER).

That's followed by a very clear indication that there's a stronger correlation between GDP per Capita and Federal Dependency.

You wouldn't be hating on poor people now, would you?

[TmiSmith2000]

I think you are right. Nothing will change except prices will go up even more to make up for lost wages.

Zero redesign. Seems they prioritized getting up and running over a quality experience, which only means nothing has changed at TNA.

Just seeing the interface resurfaces the terrible feelings that site gives. Given that nothing has changed on its face, I'd expect the things we all hate. Entitled providers, honest reviews removed, etc. - to be even worse in this iteration. The site owners clearly make good money if they went through the trouble to recreate it. They'll cater even harder to providers and that will only diminish the experience for hobbyists further.

I have no idea if the underlying architecture has changed. At this point, I'd assume not. Assume it's the same old TNA, just worse.

(I remember the good 'ol days when the site was actually moderated pretty fairly by Mr. J. I hope he's doing well.).

[Mizunate]

Looks like they got the site back up, but at lease when I went to look there was no content loaded at all.

Guess we will see how much the providers missed it / were able to get by with other sites.

Zero redesign. Seems they prioritized getting up and running over a quality experience, which only means nothing has changed at TNA.

Just seeing the interface resurfaces the terrible feelings that site gives. Given that nothing has changed on its face, I'd expect the things we all hate. Entitled providers, honest reviews removed, etc. - to be even worse in this iteration. The site owners clearly make good money if they went through the trouble to recreate it. They'll cater even harder to providers and that will only diminish the experience for hobbyists further.

I have no idea if the underlying architecture has changed. At this point, I'd assume not. Assume it's the same old TNA, just worse.

(I remember the good 'ol days when the site was actually moderated pretty fairly by Mr. J. I hope he's doing well.).

[Dexxzy]

Even if they have IP addresses, what can the world do with them? Sure, your ISP has the assignment, and other sites may aggregate and sell the data, but it's unlikely that it would ever actually point back to you personally. And even if it does, what proof is there that the data wasn't fabricated?

Not much. Most people have WiFi routers and it's difficult to prove that your device operating within that WiFi router did the specified activities.

You're doing it again. Here's an alternative hypothesis that hopefully better illustrates my point: States without large international freight ports are leeches subsidized by states with large international freight ports.

While there are still exceptions to that statement, there's an even stronger positive correlation of this hypothesis in the supporting data, but it is still not a clear indication of causation.

What you have is mere speculation. Whereas there is the actual data that Blue States, as a whole, give billions more Federal tax money than they receive.

I can easily speculate that the blue / red deficit would worse if Blue states actually charge red states to use their big freight ports. Because red states are using them for free.

[HankChristine]

Looks like they got the site back up, but at lease when I went to look there was no content loaded at all.

Guess we will see how much the providers missed it / were able to get by with other sites.

[GolphPro]

Said it before and I'll say it again: Why providers choose to pay for that site is beyond me.

It's unreliable, is offline far too often, and only serves to create animus within the community providers need to survive.

The only draw I can see is toxic: people can snipe at each other with often baseless accusations and misleading statements.

Anyway, rant over, and for the providers reading this, take a minute and think about it. TNA is a shitshow and you're the ones suffering.

Almost a month later.

Private information was hacked and the site is still down.

[GoBengals]

The * Twitter account deleted their tweet that said they'd be opening back up tomorrow / Sunday, and they haven't Tweeted or posted anything to clarify.

Would really like to know what's actually going on. I doubt the story that a competitor brought them down (perhaps that's what the hackers said, but I doubt it's true). But I wonder if the board was more compromised / damaged than they've let on so far.

[Barnie]

From Twitter:

We have to delay the live date to Sunday the 24th as we need to ensure security of our site. We are almost here after days of testing. Here is what happend.


This is a copy and paste of the information on their Twitter account. Not going to take the time to put in the paragraphs or correct typos.

What happened? On June 26th our site was hacked by a professional hacking group who claims to have been paid by a competitor to steal our database and publish it. When we activated our twitter account to let users know of our status we were verbally attacked andthreaten by a particular user who also knew details about our database that someone without direct access to it shouldn't know. This user has apparently been doing her best to shut down sites like ours that she's allegedly workedfor in the past. You can draw your own conclusions as to her involvement with this illegal attack. The hackers also gained access to our backups and deleted them. Luckily we had an offline backup, although it is 2 weeks older than the date of the attack. So recent data will no longer exist. The hackers then started emailing certain users extortion attempts. *Note: Every single user who was extorted received the same threatening email and given the same Bitcoin address to submit payment to. This means that they have no way of knowing YOU sent them payment. So, they are either going to publish everything anyway, or they are not publishing anything and it was a scare tactic to steal money from people. In either case, you should not pay them a cent. What did they steal? Usernames, email addresses, IP addresses, saved private messages. They sat on this information for over a week. Given that this attack was specifically geared towards removing a platform from the internet that is intended to provide a safe environment for people to connect, and to extort it's users, we can be assured that anything they publish will have been modified by them to cause the most damage. Nothing published can be considered true or accurate information. What did they NOT steal? Real names, physical addresses, passwords, deleted private messages. As you know we do not collect personal information for Hobbyist accounts. Documentation submitted by providers for age verification never reaches our servers in any way and is stored offline, so none of this information was compromised.

Passwords were hashed and salted. This means it is very unlikely they would have access to this data. Still, in your best interest you should change your password to any site where you use the same username / email. Password combination. Private messages are permanently removed from the database when you delete them. What have we done about it? Since we've been down we've taken multiple steps to secure our platform, including but not limited to: Thoroughly reviewing and updating our codebase. Implementing high-end protections not normally required on a site like ours. Customizing additional server protections to work with some of the limitations we previously faced with our VB4 platform. Hiring our own team of professionals to attempt to hack into our system to ensure our efforts have been effective. What are we doing going forward? Even the biggest corporations with many more resources than us have been hacked in the past. Once someone becomes the target of this illegal act it's hard to say if anyone could 100% guarantee they could prevent it. We certainly never thought we were important enough to become the target for something as cruel as this. Now that we know there are forces out there who wish to weaken your support base, and who will go to great lengths and expense to do so, we will remain focused on monitoring and improving our defenses on a regular basis. We will also begin working on building out a new site over the coming months, which will provide even more benefits to our users. We have listed to your requested and these will all be taken into account with the new site. Some additions will include: Credit Card payments- Blocking of users-There will be more and as you request them will we liaise with our developers to have all these implemented. We initially stated that we will be live on Wednesday but as need to extend this till Sunday (24th) as we do not want to "jump the gun". We will only put the site online only if it it secure and we can assure members that the site will be secure from future attacks which come Sunday we are confident we will be.

We are extremely apologetic and we will do better to ensure our members can feel safe to again use our platform. This has been a wake-up call and we have taken this seriously and we will assure members that moving forward, the privacy and security of both members and our site is paramount. What can you do? If you're concerned about your anonymity, start operating using best practices if you haven't already: Create and use an email address not associated to your personal life in any way. Use a VPN when connecting to the site (given our new security measures, you will likely need to make sure the VPN address is US-based). Do not save private messages you're not comfortable potentially being exposed. Instead copymessages you wish to save to your personal device and delete them from our system, and make sureyour personal device is secure. These tips should be applied to any site or service where you value your privacy above all else. Warm Regards, Admin.

Wow. For all we know, the goverment now has the information.

I don't believe a word they say.

[Boomer14]

I wouldn't put much stock into their inactive Twitter. Likely they grabbed the handle specifically to be used as an information disseminator for events just like this. That or they had marketing ambitions that were promptly abandonded.

As far as trust: I'm not sure you should have ever trusted them in the first place. You potentially had reputation-ruining spi on it, and no assurance your data was safe. They were running outdated forum software on outdated php, likely on an outdated os, and potentially even on vunerability-ridden firmware. I wouldn't trust them aby more than I do this site, which operates on http, which means absolutely all your information is sent in clear text. What that means is that anyone on the same network as you can see all the info you send and receive: username, password, posts, messages. But that site was and this site is still best in class.

Imo, it's more likely that a group targeted TNA because they were running outdated software with known vunerabilities. The group probably recognized that people had sensitive info and would be easily scammed into paying to keep it from "being leaked". But in reality, paying doesn't stop the info from being leaked. They also probably tried to target the site owners thinking they would pay up instead of risking their reputation. Both targets would be unlikely to go to LE due to the nature of the site.

In reality, you should treat any data that isn't end-to-end encrypted* as potentially exploitable. You may trust some institutions more than others, but I wouldn't put much trust into any site where your activity could burn your reputation.

*Only trust e2 e if you are the sole owner of your keys, and you've verified they are never sent off of your local device. In which casw they are only as secure as your device.

Other types of message boards are also targets. Sports boards and cooking boards are just as frequently hacked and mined for information.

[Valinor]

I can't trust that site anymore.

Someone has it in for them. These people want to do damage to the members.

Does anyone find it interesting that the twitter account was inactive for over a decade?

I wouldn't put much stock into their inactive Twitter. Likely they grabbed the handle specifically to be used as an information disseminator for events just like this. That or they had marketing ambitions that were promptly abandonded.

As far as trust: I'm not sure you should have ever trusted them in the first place. You potentially had reputation-ruining spi on it, and no assurance your data was safe. They were running outdated forum software on outdated php, likely on an outdated os, and potentially even on vunerability-ridden firmware. I wouldn't trust them aby more than I do this site, which operates on http, which means absolutely all your information is sent in clear text. What that means is that anyone on the same network as you can see all the info you send and receive: username, password, posts, messages. But that site was and this site is still best in class.

Imo, it's more likely that a group targeted TNA because they were running outdated software with known vunerabilities. The group probably recognized that people had sensitive info and would be easily scammed into paying to keep it from "being leaked". But in reality, paying doesn't stop the info from being leaked. They also probably tried to target the site owners thinking they would pay up instead of risking their reputation. Both targets would be unlikely to go to LE due to the nature of the site.

In reality, you should treat any data that isn't end-to-end encrypted* as potentially exploitable. You may trust some institutions more than others, but I wouldn't put much trust into any site where your activity could burn your reputation.

*Only trust e2 e if you are the sole owner of your keys, and you've verified they are never sent off of your local device. In which casw they are only as secure as your device.

[NachoCheese]

Tor may not be explicitly blocked, but any non-domestic exit nodes sound like they will be by virture of their physical location anyway.

Cloudflare will challenge requests from tor exit nodes with nearly continual captchas due to the sheer volume of automated malicious traffic that passes through them unless the site operator fully disables that behavior on the Cloudflare console, which nobody does. That's on top of new circuits with different exit nodes being created every few minutes, many of which won't be domestic as you correctly point out.

The only thing that a no-js site kind of kills is e2 e where the server can never know your secrets. You can encrypt-at-rest in a server-only framework, but at some point that server will have to encrypt / decrypt in memory, which could cause an issue if an attacker plays mitm. With js, you could store encrypted creds on the server then decrypt them locally in brower, then encrypt with decrypted creds, such that the server never gets access to the decrypted data. But even then an attacker could inject malicious js and mitm the client-side decryption / encryption.

Yes, though e2 e is nonsensical for a review board. The majority of the data being uploaded is either intended for a wide audience through public posts, or a narrow audience through private messages without any kind of trust framework in place. Encrypting a public post would therefore be completely pointless, and encrypting private messages only make sense if you can verify that you received the correct recipient private keys.

Based on TNA's track record, I'm not holding my breath.

Really the only way to solve that is via an installed app where the hash matches peer reviewed code to be sure the server can never grab secrets.

Imagine Apple or Google approving that app on their store.

[FakeGnus]

Even if they have IP addresses, what can the world do with them? Sure, your ISP has the assignment, and other sites may aggregate and sell the data, but it's unlikely that it would ever actually point back to you personally. And even if it does, what proof is there that the data wasn't fabricated?

I can't trust that site anymore.

Someone has it in for them. These people want to do damage to the members.

Does anyone find it interesting that the twitter account was inactive for over a decade?

[Valinor]

What's worse is that they're likely going to block tor if they haven't already, not that a Cloudflared site isn't already a pain to use with tor, but for a site that's so concerned with "valuing privacy," it doesn't get much more bone-headed than that.

Agreed. It makes no sense to block international IPs. My only guess is that they think this will somehow prevent foreign attackers. But those same attackers could just tunnel through a domestic IP themselves.

Tor may not be explicitly blocked, but any non-domestic exit nodes sound like they will be by virture of their physical location anyway.

It's pretty funny too. For a site like TNA that seemed to have mininal js play, it would be advantageous for them to run a no-js, no-script variant of their site. Just pass every request through servers, which seemed to be happening largely in their archaic setup anyway.

The only thing that a no-js site kind of kills is e2 e where the server can never know your secrets. You can encrypt-at-rest in a server-only framework, but at some point that server will have to encrypt / decrypt in memory, which could cause an issue if an attacker plays mitm. With js, you could store encrypted creds on the server then decrypt them locally in brower, then encrypt with decrypted creds, such that the server never gets access to the decrypted data. But even then an attacker could inject malicious js and mitm the client-side decryption / encryption.

Really the only way to solve that is via an installed app where the hash matches peer reviewed code to be sure the server can never grab secrets.

[NachoCheese]

Literally makes zero sense to block international VPN's.

What's worse is that they're likely going to block tor if they haven't already, not that a Cloudflared site isn't already a pain to use with tor, but for a site that's so concerned with "valuing privacy," it doesn't get much more bone-headed than that.

I agree with you, the more granular the data is, the more facts and trends you know. Let me know if you find information on such granularity as you described.

In the meantime, the best correlation we have is that, overall and with few exceptions, Red states are leeches subsidized by Blue states.

You're doing it again. Here's an alternative hypothesis that hopefully better illustrates my point: States without large international freight ports are leeches subsidized by states with large international freight ports.

While there are still exceptions to that statement, there's an even stronger positive correlation of this hypothesis in the supporting data, but it is still not a clear indication of causation.

Additionally I can't agree with calling red states (or states without large international freight ports) leeches. In your last post you stated that "Most Red states can only survive by leeching off wealthy blue states," which is fine since you used leeching as a verb, but switching to a noun is a slippery slope, and descending into dehumanization and tribalism isn't my idea of a productive Wednesday.

Even if they have IP addresses, what can the world do with them? Sure, your ISP has the assignment, and other sites may aggregate and sell the data, but it's unlikely that it would ever actually point back to you personally. And even if it does, what proof is there that the data wasn't fabricated?

Not much. Besides it being trivially easy to change your ISP provided IP address, even if someone were to correlate your IP address to you visiting the site, so what?