#1  
Old 07-18-2004, 10:37 AM
Godot's Avatar
Godot Godot is offline
Petty Moralist Censor
 
Join Date: Jul 2004
Location: Sol III
Posts: LXXXVII
Default PM Access

It has been mentioned to me before that the admins of this site have access to the Private Messaging boxes and current passwords of all members of the forum. Now I can't recall who exactly told me or how they came to know, but all I could find in a brief search was this little tidbit:

In the rules, the section on Private Messages is as follows:
Quote:
Private messages, like all FF content, are stored in the database and therefore accessible by the Admins should it be required for legal purposes. Outside of that highly unlikely scenario, PMs will be seen by the sender and receiver only.
I can understand that you're trying to cover all bases here, but I have two concerns I need to raise.

1. How is it that you have access to the PM boxes of others in the first place? Is it vB standard, or do you have a hack installed to account for it? I've searched thoroughly through the FAQ at the other vB board most of us will be familiar with (IIDB) and my search turned up no similar disclosure on their part. At II they say that they do not monitor PM's, but this does not necessarily mean that they have access. Is that more of what you're saying then, that you have the access if absolutely necessary but will not be monitoring PM's either? Or are they as open as a book to the admins?

2. Does such a disclosure not strike you as perhaps something of a security risk? That by coming right out and saying that you have this degree of access that you may have painted a really large bullseye on yourselves?

I may be making a mountain out of a molehill here, but I do have some genuine concern about this.
__________________
Dig it.
Reply With Quote
  #2  
Old 07-18-2004, 01:39 PM
livius drusus's Avatar
livius drusus livius drusus is offline
Admin of THIEVES and SLUGABEDS
 
Join Date: Apr 2004
Posts: LVCCCLXXII
Images: 5
Default Re: PM Access

Quote:
Originally Posted by Godot
1. How is it that you have access to the PM boxes of others in the first place? Is it vB standard, or do you have a hack installed to account for it?
PMs are stored in the database along with all the other data on the board, and are therefore accessible via database search. Not only is this a vB standard, afaik, but it's the way all such forums work, inlcuding your own phpBB site.

There is vB hack that allows admins easy access to PM via the ACP, but we think that's creepy as hell as well and refuse to install it.

Quote:
I've searched thoroughly through the FAQ at the other vB board most of us will be familiar with (IIDB) and my search turned up no similar disclosure on their part. At II they say that they do not monitor PM's, but this does not necessarily mean that they have access. Is that more of what you're saying then, that you have the access if absolutely necessary but will not be monitoring PM's either? Or are they as open as a book to the admins?
The former. The open as a book thing would require the access hack.

Quote:
2. Does such a disclosure not strike you as perhaps something of a security risk? That by coming right out and saying that you have this degree of access that you may have painted a really large bullseye on yourselves?
What kind of security risk did you have in mind?

Quote:
I may be making a mountain out of a molehill here, but I do have some genuine concern about this.
Could you elaborate on the nature of your concern?
Reply With Quote
  #3  
Old 07-18-2004, 04:23 PM
Larry's Avatar
Larry Larry is offline
Member
 
Join Date: Jul 2004
Posts: LVI
Default Re: PM Access

Quote:
Could you elaborate on the nature of your concern?
While waiting upon (is it Godot) a clarification of his concerns allow me to interject my own.

First, I'm not quite sure what "legal issues" could possibly arise from people PMing each other. The very purpose of the system is to afford two parties to converse with each other without the eyes of someone else looking over their shoulders. At least that's what I thought it provided. I always assumed that PMs were stored in a data bank, but thought never thought they were accessible to others.

And while I think we're dealing with a trust issue here -- trusting the Administrators not to look at the PMs -- I think it may have a prohibiting effect knowing that they can.

Personally, I don't have any qualms about using the system for I can't imagine writing anything which would get me (or the Board's owners) into legal problems. But I'm thinking that if you're referring to harassing PMs that there are filters in place which would address that issue -- such as simply applying the "Ignore" feature to particular people.

Anyways, that's my 2 cents on the issue.

Larry :)
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
Reply With Quote
  #4  
Old 07-18-2004, 04:29 PM
viscousmemories's Avatar
viscousmemories viscousmemories is offline
Admin
 
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
Posts: XXXDCCXLVI
Blog Entries: 1
Images: 9
Default Re: PM Access

Quote:
Originally Posted by livius drusus
PMs are stored in the database along with all the other data on the board, and are therefore accessible via database search. Not only is this a vB standard, afaik, but it's the way all such forums work, inlcuding your own phpBB site.
And this includes unencrypted passwords. As livius explained, it was much simpler for us to acknowledge that we have access to the database, wherein all information you supply to this forum is stored, than to list every item individually.

Quote:
There is vB hack that allows admins easy access to PM via the ACP, but we think that's creepy as hell as well and refuse to install it.
And there is a thread at the vBulletin website where I roundly condemned the existence and promotion of that hack in no uncertain terms until the moderators strongly requested that the subject not be taken up on the thread wherein the hack was being promoted.

I will state for the record, in case it isn't yet clear enough, that livius and I have no intention of querying the database with the purpose of accessing the members' private messages.
Reply With Quote
  #5  
Old 07-18-2004, 04:40 PM
viscousmemories's Avatar
viscousmemories viscousmemories is offline
Admin
 
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
Posts: XXXDCCXLVI
Blog Entries: 1
Images: 9
Default Re: PM Access

Quote:
Originally Posted by Larry
While waiting upon (is it Godot) a clarification of his concerns allow me to interject my own.

First, I'm not quite sure what "legal issues" could possibly arise from people PMing each other. The very purpose of the system is to afford two parties to converse with each other without the eyes of someone else looking over their shoulders. At least that's what I thought it provided. I always assumed that PMs were stored in a data bank, but thought never thought they were accessible to others.
We meant that in the unlikely scenario of a court order demanding the release of any data from our database, we would comply. I agree that it seems unlikely that such a thing would ever happen, but it's not unthinkable. Say for example an FF member was accused of being a member of Al Queda, I imagine the Homeland Security department would demand access to that member's correspondence.

Quote:
And while I think we're dealing with a trust issue here -- trusting the Administrators not to look at the PMs -- I think it may have a prohibiting effect knowing that they can.
I agree, but that is the reality of the technology.

Quote:
Personally, I don't have any qualms about using the system for I can't imagine writing anything which would get me (or the Board's owners) into legal problems. But I'm thinking that if you're referring to harassing PMs that there are filters in place which would address that issue -- such as simply applying the "Ignore" feature to particular people.
Again, we would release the information only if ordered by a court to do so. We absolutely have no intention of monitoring our member's private messages for content, or investigating any legal complaints on our own.

Quote:
Anyways, that's my 2 cents on the issue.

Larry :)
Thanks for the input, Larry. :)
Reply With Quote
  #6  
Old 07-18-2004, 04:44 PM
Larry's Avatar
Larry Larry is offline
Member
 
Join Date: Jul 2004
Posts: LVI
Default Re: PM Access

Quote:
As livius explained, it was much simpler for us to acknowledge that we have access to the database, wherein all information you supply to this forum is stored, than to list every item individually.
Well, I'm not even sure what the need to inform the members of such access is. The phrase -- "Out of sight, out of mind." comes to mind in thinking about this. Whereas, being out in the open on such matters is admirable, I don't think I would give it (the fact that others might have access) much thought whenever I found an occasion to PM someone.

Now, it may come as a surprise to a party which necessitated (legally) your viewing their PMs I would think that only the parties involved would be aware (and rightfully should be the only ones aware) of such access. And since it would be a legal nature I don't think they would be in a position to protest.

But I'm wondering if this is the same thing as informing a party on a phone line that their conversations are being recorded.

Larry :)
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
Reply With Quote
  #7  
Old 07-18-2004, 05:01 PM
livius drusus's Avatar
livius drusus livius drusus is offline
Admin of THIEVES and SLUGABEDS
 
Join Date: Apr 2004
Posts: LVCCCLXXII
Images: 5
Default Re: PM Access

Quote:
Originally Posted by Larry
While waiting upon (is it Godot) a clarification of his concerns allow me to interject my own.
I appreciate it greatly. Thank you.

Quote:
First, I'm not quite sure what "legal issues" could possibly arise from people PMing each other.
Tom gave you an example above; another scenario I thought about which might be more likely than the secret FF Al Qaeda cell one was an investigation into trading copyrighted software via PM. Another possibility - which I've actually heard about from someone it happened to - would be an acrimonious divorce proceeding where one party's lawyers subpoenaed all the other party's private correspondence.

Quote:
The very purpose of the system is to afford two parties to converse with each other without the eyes of someone else looking over their shoulders. At least that's what I thought it provided. I always assumed that PMs were stored in a data bank, but thought never thought they were accessible to others.
I thought the same until I read the thread about the Read Your Members' PM hack. Once I knew, however, it seemed deceptive not to state up front that nothing is completely and totally private on a discussion board, even though the circumstances under which the effective privacy might hypothetically be breached are pretty darned outlandish.

Quote:
And while I think we're dealing with a trust issue here -- trusting the Administrators not to look at the PMs -- I think it may have a prohibiting effect knowing that they can.
It may indeed, and of course I very much hope that effect will be minimal, but it seemed to me telling the truth up front was fairer than not.

Quote:
But I'm thinking that if you're referring to harassing PMs that there are filters in place which would address that issue -- such as simply applying the "Ignore" feature to particular people.
Yessir. In fact, we had a custom "Disallow contact" feature installed so that members can choose not to receive PMs or emails from individual posters without having to ignore their posts.

Quote:
Anyways, that's my 2 cents on the issue.
And two very shiny pennies they were. Thank you, Larry. :)
Reply With Quote
  #8  
Old 07-18-2004, 05:08 PM
livius drusus's Avatar
livius drusus livius drusus is offline
Admin of THIEVES and SLUGABEDS
 
Join Date: Apr 2004
Posts: LVCCCLXXII
Images: 5
Default Re: PM Access

Quote:
Originally Posted by Larry
But I'm wondering if this is the same thing as informing a party on a phone line that their conversations are being recorded.
That was my thought on the matter, particularly if it was the phone company recording all conversations.
Reply With Quote
  #9  
Old 07-18-2004, 05:14 PM
LadyShea's Avatar
LadyShea LadyShea is offline
I said it, so I feel it, dick
 
Join Date: Jul 2004
Location: Here
Posts: XXXMDCCCXCVII
Images: 41
Default Re: PM Access

I think the important point here is that ALL forums have such access, some have installed the hack allowing easy access, but never mention it, so members assume their PMs are truly private.

livius and vm seem to me to be interested in full disclosure, which I think is commendable.
Reply With Quote
  #10  
Old 07-18-2004, 05:35 PM
Larry's Avatar
Larry Larry is offline
Member
 
Join Date: Jul 2004
Posts: LVI
Default Re: PM Access

Quote:
And two very shiny pennies they were. Thank you, Larry.
You're welcome! And since, in my estimation, your response were quite satisfactory I'll take what's left of my buck and spend it on other things. :yup:



Larry :)
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
Reply With Quote
  #11  
Old 07-18-2004, 05:48 PM
livius drusus's Avatar
livius drusus livius drusus is offline
Admin of THIEVES and SLUGABEDS
 
Join Date: Apr 2004
Posts: LVCCCLXXII
Images: 5
Default Re: PM Access

Quote:
Originally Posted by Larry
You're welcome! And since, in my estimation, your response were quite satisfactory I'll take what's left of my buck and spend it on other things. :yup:

Thank you, Larry. I'm glad I could answer your concerns. :)

P.S. - We have :runaway: in the "Fraidycat" category. :wink:
Reply With Quote
  #12  
Old 07-18-2004, 05:54 PM
Larry's Avatar
Larry Larry is offline
Member
 
Join Date: Jul 2004
Posts: LVI
Default Re: PM Access

Quote:
P.S. - We have in the "Fraidycat" category.
Oh! Okie dokey. I'm use to bringing my own "luggage" with me, but I'll be sure to check out your emoticons in the future.

Carry on! :popcorn:

Larry :)
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
Reply With Quote
  #13  
Old 07-18-2004, 07:40 PM
Godot's Avatar
Godot Godot is offline
Petty Moralist Censor
 
Join Date: Jul 2004
Location: Sol III
Posts: LXXXVII
Default Re: PM Access

Quote:
Originally Posted by livius drusus
PMs are stored in the database along with all the other data on the board, and are therefore accessible via database search. Not only is this a vB standard, afaik, but it's the way all such forums work, inlcuding your own phpBB site.
I realise that fully. I simplpy interpreted the statement in the rules as though you did have easy access should you so wish to do so. Of course you can access this same information in other ways, only they are far from easy. That was my point.

Quote:
There is vB hack that allows admins easy access to PM via the ACP, but we think that's creepy as hell as well and refuse to install it.
And I commend you for it. The thought of being on a board that would have that sort of hack enabled sickens me. Far too reminiscent of Big Brother for my liking.

Quote:
What kind of security risk did you have in mind?
The security risk comes from being so up front and candid about it. Despite the wonderful intenttions of full disclosure, I feel that you might be painting yourselves with a mighty big target. Yes, all sites do contain this information in the database, and yes, it is somehow possible to get access to that information through the back roads if you have the knowledge and intestinal fortitude to persevere. But in the number of sites I've come across, this is the first time I've ever seen it stated up front like that. Anomalies do tend to stick out.

Quote:
Could you elaborate on the nature of your concern?
I think I have already, but I will try to do more if I am still unclear.
__________________
Dig it.
Reply With Quote
  #14  
Old 07-18-2004, 07:52 PM
viscousmemories's Avatar
viscousmemories viscousmemories is offline
Admin
 
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
Posts: XXXDCCXLVI
Blog Entries: 1
Images: 9
Default Re: PM Access

Quote:
Originally Posted by Godot
The security risk comes from being so up front and candid about it. Despite the wonderful intenttions of full disclosure, I feel that you might be painting yourselves with a mighty big target. Yes, all sites do contain this information in the database, and yes, it is somehow possible to get access to that information through the back roads if you have the knowledge and intestinal fortitude to persevere. But in the number of sites I've come across, this is the first time I've ever seen it stated up front like that. Anomalies do tend to stick out.
You still haven't explained why our clarifying our ability to access data in the database is a security risk. Are you concerned that a potential hacker might not know that we have access to the data in our own database?
Reply With Quote
  #15  
Old 07-18-2004, 08:03 PM
livius drusus's Avatar
livius drusus livius drusus is offline
Admin of THIEVES and SLUGABEDS
 
Join Date: Apr 2004
Posts: LVCCCLXXII
Images: 5
Default Re: PM Access

Quote:
Originally Posted by Godot
I realise that fully. I simplpy interpreted the statement in the rules as though you did have easy access should you so wish to do so. Of course you can access this same information in other ways, only they are far from easy. That was my point.
Ah, okay then. Fair enough. I'll clarify that codicil of the PP.

Quote:
Yes, all sites do contain this information in the database, and yes, it is somehow possible to get access to that information through the back roads if you have the knowledge and intestinal fortitude to persevere. But in the number of sites I've come across, this is the first time I've ever seen it stated up front like that. Anomalies do tend to stick out.
I can see how someone might find us shady and Big-Brothery if they didn't realize we're referring to a basic truth about databases, but like Tom, I'm unclear how this might rise to the level of security risk.
Reply With Quote
  #16  
Old 07-18-2004, 08:36 PM
livius drusus's Avatar
livius drusus livius drusus is offline
Admin of THIEVES and SLUGABEDS
 
Join Date: Apr 2004
Posts: LVCCCLXXII
Images: 5
Default Re: PM Access

I have edited the Privacy Policy to include the following:

Quote:
Private Messaging
Private messages, like all content of online message boards, are stored in the database. There is no simple method to access this information which is why it is to all intents and purposes private. However, if required by law, the Administrators could scour the database and retrieve any of the data therein demanded on a search warrant or subpoena, including private correspondence. Outside of that highly unlikely scenario, PMs will only be seen by the sender and receiver.
Is that better?
Reply With Quote
  #17  
Old 07-18-2004, 11:20 PM
Godot's Avatar
Godot Godot is offline
Petty Moralist Censor
 
Join Date: Jul 2004
Location: Sol III
Posts: LXXXVII
Default Re: PM Access

Quote:
Originally Posted by viscousmemories
You still haven't explained why our clarifying our ability to access data in the database is a security risk. Are you concerned that a potential hacker might not know that we have access to the data in our own database?
I've actually explained it in crystal clear terms on more than one occasion.
Here it is, one last time:

By stating up front and in no uncertain terms that you do have the means to access this information available to you, you are painting a rather large target for any potentially malicious users. It is just asking for trouble.
__________________
Dig it.
Reply With Quote
  #18  
Old 07-18-2004, 11:23 PM
Godot's Avatar
Godot Godot is offline
Petty Moralist Censor
 
Join Date: Jul 2004
Location: Sol III
Posts: LXXXVII
Thumbup Re: PM Access

Quote:
Originally Posted by livius drusus
I have edited the Privacy Policy to include the following:



Is that better?
It's much better liv, thank you. :yup:
__________________
Dig it.
Reply With Quote
  #19  
Old 07-18-2004, 11:24 PM
viscousmemories's Avatar
viscousmemories viscousmemories is offline
Admin
 
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
Posts: XXXDCCXLVI
Blog Entries: 1
Images: 9
Default Re: PM Access

Quote:
Originally Posted by Godot
I've actually explained it in crystal clear terms on more than one occasion.
Here it is, one last time:

By stating up front and in no uncertain terms that you do have the means to access this information available to you, you are painting a rather large target for any potentially malicious users. It is just asking for trouble.
I'm sorry, but I still don't understand your concern. Exactly what kind of trouble are we "asking for" by publicly acknowledging that we have access to all of the data in our database? In what way could your hypothetical "malicious users" use this information to the detriment of our site?
Reply With Quote
Reply

  Freethought Forum > Public Works > Forum Administration


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

 

All times are GMT +1. The time now is 09:12 AM.


Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Page generated in 0.98688 seconds with 13 queries