Here is a privacy policy which we will probably use for Alpha and beyond (This does not apply currently!). Thoughts?
Privacy Policy v2.6.1
Acknowledgement
Before you read this, note that the promises stated herein don’t actually guarantee that we are following these or that things are exactly as they are stated here. Therefore this may or may not be accurate at the time you read this. However, you shouldn’t take away from this that we don’t follow this, instead, take away that just because you read something on the internet doesn’t make it entirely true and that you should be paranoid especially on a website dedicated to the art of penetration and exploitation.
One other acknowledgement, we have received exactly zero secret court orders from law enforcement and spy agencies. We would expect to challenge an order if served on us. Watch closely for this notice to disappear. We also have received exactly zero non-secret court orders from law enforcement and spy agencies.
Introduction
Unfortunately, due to how the internet works (TCP/IP and HTTP(S)), you give us a lot of information about you. Since you generously give us so much information, we thought we would return the favor and tell you what we do with your information, what we keep, for how long, and who can access it.
We here at the EvilZone network keep the bare minimum level of information required to keep EvilZone secure and safe. Of the limited information that we keep, only the following people have access to it: ande, bluechill, Xires, Factionwars, and Kulverstukas. Of the limited information that we keep, we give out information about you to no one EXCEPT a valid court order deemed reasonable and applicable by the staff of EvilZone.
Information You Send to Us
IP Address (We don’t log this*)
Your Browser (We don’t log this)
Your Operating System (including version) (We don’t log this)
The date and time you accessed us (We don’t log this**)
What you view on the site (We don’t log this***)
*In order to keep EvilZone secure whenever you post a message on the forum or send a private message we hash your IP address and store it in the database using per user "salt". This means that we cannot actually view your IP address but can do checks against it. For instance, if we want to IP ban someone we just ban the hash and whenever you visit the site, the website will hash your IP address and check it against the ban list.
**The only exception to this is private messages and forum posts. When you send a private message or post to our forum we log the time stamp into a database so we can organize them and keep track of who posted what and when.
***In order to make the site easier for you to use, if you’re logged into the forum, and unless you turn this feature off, we log whether you have viewed a topic since its last post to let you know whether you have more information to read in a specific thread.
Information We Share
We do not share any information with anyone except if we receive a valid court order deemed reasonable and applicable by the staff of EvilZone. If the request is not reasonable or applicable we will deny giving them any of our limited stored information and will challenge or ignore the order if possible.
Security
To the highest degree possible, we try to ensure that our software is secure and free of vulnerabilities and privacy-related exploits. It is impossible to prevent all exploits; however, we try our best to make sure that we have as few as possible and that when we become aware of one we minimize the damage and fix it as soon as possible. To do this we make sure we have the latest updates to all of our non-in-house software and try to do as much of our software in-house as possible. The list of software we do in-house includes but is not limited to:
EvilCMS (Otherwise known as the website)
EvilIRCd (Otherwise known as the software that our IRC servers run)
[redacted]
Unfortunately, due to the variety of virtualization software our hosting providers use, we are not able to use Full Disk Encryption (FDE) on our servers nor would we be able to guarantee on the servers that do support it that the disk is actually secure. Therefore we are always looking for new and better solutions to our issues that still maintain the security we want or enhance our current security.
One example is how on our nodes we use TrueCrypt to encrypt sensitive information such as logs, configurations, user data, source code, among other things. Ideally we would use FDE but unfortunately we cannot, therefore we use TrueCrypt containers for the things that need the most security. TrueCrypt containers should work on both dedicated servers and virtual private servers (VPS).
Another area where this is evidenced is in how we encrypt your passwords. Unlike most websites and companies out there we at EvilZone do not employ one-way cryptography methods designed to be fast such as MD5 or SHA1, instead we use methods that are designed to be slow to hash data. The reason for this is that it makes it harder for people to brute force the data, in some cases taking magnitudes longer than MD5 or SHA1. The method we use for this is multiple rounds of SCrypt and SHA512 together to produce a unique hash. We also uniquely (per user) “salt” each password to make “rainbow tables” and other precomputed hash tables unusable. Your password will also never be sent over the internet in plaintext or even as part of SSL, instead, as you'll note if you dig into the source code, we do part of the SHA512 hashing locally to add another layer of security in addition to the forced SSL.
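The two mechanisms the draft describes, the hashed-IP ban list (footnote * above) and the salted, deliberately slow password hashing with a client-side SHA-512 pre-hash (the last paragraph), are shown below in one added Python example. This is not EvilCMS code and not the poster's; it is an illustration written for this thread. Assumptions made here: a site-wide secret key (placeholder value in the code) is used for the IP pseudonym via HMAC-SHA256, because a ban check has to match the same address across different visitors, which a purely per-user salt cannot do; the password side uses a single scrypt derivation over the client's SHA-512 pre-hash with a random 16-byte per-user salt, rather than the draft's unspecified "multiple rounds of SCrypt and SHA512". The function and constant names are invented for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed placeholder key for the demo. In a deployment this would be a
# random 32-byte secret kept in a config file outside the web root. Because
# the IPv4 space is small, anyone who obtains this key can recover addresses
# from the stored tags, so the key is the only thing protecting them.
IP_HASH_KEY = bytes.fromhex("00" * 32)

# scrypt cost parameters (constructed values; memory use is 128 * r * N bytes,
# 16 MiB here). Raise N on hardware that can afford it.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def canonical_ip(ip: str) -> str:
    """Normalise an address so textual variants hash identically
    (e.g. an IPv4-mapped IPv6 form is reduced to the plain IPv4 string)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed


def pseudonymise_ip(ip: str, key: bytes = IP_HASH_KEY) -> str:
    """Keyed hash of a visitor address. Only this tag is stored, never the
    address itself, so staff can compare addresses without reading them."""
    return hmac.new(key, canonical_ip(ip).encode(), hashlib.sha256).hexdigest()


class BanList:
    """Ban list that holds IP pseudonyms only, as described in footnote *."""

    def __init__(self) -> None:
        self._banned = set()

    def ban(self, ip: str) -> None:
        self._banned.add(pseudonymise_ip(ip))

    def is_banned(self, ip: str) -> bool:
        # Each visit is hashed the same way and looked up; no raw IP is kept.
        return pseudonymise_ip(ip) in self._banned


def client_prehash(password: str) -> bytes:
    """Browser-side step: SHA-512 over the password so the plaintext never
    leaves the client, even inside the TLS session."""
    return hashlib.sha512(password.encode("utf-8")).digest()


def hash_password(prehash: bytes, salt: bytes = None):
    """Server-side slow hash: scrypt over the client pre-hash with a random
    per-user salt. Returns (salt, derived_key) for storage."""
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.scrypt(
        prehash, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=32,
    )
    return salt, derived


def verify_password(prehash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, derived = hash_password(prehash, salt)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    bans = BanList()
    bans.ban("203.0.113.5")  # constructed documentation-range address
    print("mapped form banned:", bans.is_banned("::ffff:203.0.113.5"))
    salt, stored = hash_password(client_prehash("correct horse"))
    print("login ok:", verify_password(client_prehash("correct horse"), salt, stored))
    print("wrong pw:", verify_password(client_prehash("wrong"), salt, stored))
```

The per-user salt on the password side defeats precomputed tables because every user's hash must be attacked separately; the site-wide key on the IP side is a different trade: it makes tags comparable across visitors, at the cost that the key itself must be treated as the secret.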