07-18-2004, 10:37 AM
|
|
Petty Moralist Censor
|
|
Join Date: Jul 2004
Location: Sol III
|
|
PM Access
It has been mentioned to me before that the admins of this site have access to the Private Messaging boxes and current passwords of all members of the forum. Now I can't recall who exactly told me or how they came to know, but all I could find in a brief search was this little tidbit:
In the rules, the section on Private Messages is as follows:
Quote:
Private messages, like all FF content, are stored in the database and therefore accessible by the Admins should it be required for legal purposes. Outside of that highly unlikely scenario, PMs will be seen by the sender and receiver only.
|
I can understand that you're trying to cover all bases here, but I have two concerns I need to raise.
1. How is it that you have access to the PM boxes of others in the first place? Is it vB standard, or do you have a hack installed to account for it? I've searched thoroughly through the FAQ at the other vB board most of us will be familiar with (IIDB) and my search turned up no similar disclosure on their part. At II they say that they do not monitor PM's, but this does not necessarily mean that they have access. Is that more of what you're saying then, that you have the access if absolutely necessary but will not be monitoring PM's either? Or are they as open as a book to the admins?
2. Does such a disclosure not strike you as perhaps something of a security risk? That by coming right out and saying that you have this degree of access that you may have painted a really large bullseye on yourselves?
I may be making a mountain out of a molehill here, but I do have some genuine concern about this.
__________________
Dig it.
|
07-18-2004, 01:39 PM
|
|
Admin of THIEVES and SLUGABEDS
|
|
|
|
Re: PM Access
Quote:
Originally Posted by Godot
1. How is it that you have access to the PM boxes of others in the first place? Is it vB standard, or do you have a hack installed to account for it?
|
PMs are stored in the database along with all the other data on the board, and are therefore accessible via database search. Not only is this a vB standard, afaik, but it's the way all such forums work, including your own phpBB site.
There is a vB hack that allows admins easy access to PM via the ACP, but we think that's creepy as hell as well and refuse to install it.
Quote:
I've searched thoroughly through the FAQ at the other vB board most of us will be familiar with (IIDB) and my search turned up no similar disclosure on their part. At II they say that they do not monitor PM's, but this does not necessarily mean that they have access. Is that more of what you're saying then, that you have the access if absolutely necessary but will not be monitoring PM's either? Or are they as open as a book to the admins?
|
The former. The open as a book thing would require the access hack.
Quote:
2. Does such a disclosure not strike you as perhaps something of a security risk? That by coming right out and saying that you have this degree of access that you may have painted a really large bullseye on yourselves?
|
What kind of security risk did you have in mind?
Quote:
I may be making a mountain out of a molehill here, but I do have some genuine concern about this.
|
Could you elaborate on the nature of your concern?
|
07-18-2004, 04:23 PM
|
|
Member
|
|
|
|
Re: PM Access
Quote:
Could you elaborate on the nature of your concern?
|
While waiting upon (is it Godot) a clarification of his concerns allow me to interject my own.
First, I'm not quite sure what "legal issues" could possibly arise from people PMing each other. The very purpose of the system is to afford two parties to converse with each other without the eyes of someone else looking over their shoulders. At least that's what I thought it provided. I always assumed that PMs were stored in a data bank, but never thought they were accessible to others.
And while I think we're dealing with a trust issue here -- trusting the Administrators not to look at the PMs -- I think it may have a prohibiting effect knowing that they can.
Personally, I don't have any qualms about using the system for I can't imagine writing anything which would get me (or the Board's owners) into legal problems. But I'm thinking that if you're referring to harassing PMs that there are filters in place which would address that issue -- such as simply applying the "Ignore" feature to particular people.
Anyways, that's my 2 cents on the issue.
Larry
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
|
07-18-2004, 04:29 PM
|
|
Admin
|
|
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
|
|
Re: PM Access
Quote:
Originally Posted by livius drusus
PMs are stored in the database along with all the other data on the board, and are therefore accessible via database search. Not only is this a vB standard, afaik, but it's the way all such forums work, including your own phpBB site.
|
And this includes unencrypted passwords. As livius explained, it was much simpler for us to acknowledge that we have access to the database, wherein all information you supply to this forum is stored, than to list every item individually.
Quote:
There is a vB hack that allows admins easy access to PM via the ACP, but we think that's creepy as hell as well and refuse to install it.
|
And there is a thread at the vBulletin website where I roundly condemned the existence and promotion of that hack in no uncertain terms until the moderators strongly requested that the subject not be taken up on the thread wherein the hack was being promoted.
I will state for the record, in case it isn't yet clear enough, that livius and I have no intention of querying the database with the purpose of accessing the members' private messages.
|
07-18-2004, 04:40 PM
|
|
Admin
|
|
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
|
|
Re: PM Access
Quote:
Originally Posted by Larry
While waiting upon (is it Godot) a clarification of his concerns allow me to interject my own.
First, I'm not quite sure what "legal issues" could possibly arise from people PMing each other. The very purpose of the system is to afford two parties to converse with each other without the eyes of someone else looking over their shoulders. At least that's what I thought it provided. I always assumed that PMs were stored in a data bank, but never thought they were accessible to others.
|
We meant that in the unlikely scenario of a court order demanding the release of any data from our database, we would comply. I agree that it seems unlikely that such a thing would ever happen, but it's not unthinkable. Say for example an FF member was accused of being a member of Al Qaeda, I imagine the Homeland Security department would demand access to that member's correspondence.
Quote:
And while I think we're dealing with a trust issue here -- trusting the Administrators not to look at the PMs -- I think it may have a prohibiting effect knowing that they can.
|
I agree, but that is the reality of the technology.
Quote:
Personally, I don't have any qualms about using the system for I can't imagine writing anything which would get me (or the Board's owners) into legal problems. But I'm thinking that if you're referring to harassing PMs that there are filters in place which would address that issue -- such as simply applying the "Ignore" feature to particular people.
|
Again, we would release the information only if ordered by a court to do so. We absolutely have no intention of monitoring our members' private messages for content, or investigating any legal complaints on our own.
Quote:
Anyways, that's my 2 cents on the issue.
Larry
|
Thanks for the input, Larry.
|
07-18-2004, 04:44 PM
|
|
Member
|
|
|
|
Re: PM Access
Quote:
As livius explained, it was much simpler for us to acknowledge that we have access to the database, wherein all information you supply to this forum is stored, than to list every item individually.
|
Well, I'm not even sure what the need to inform the members of such access is. The phrase -- "Out of sight, out of mind." comes to mind in thinking about this. Whereas, being out in the open on such matters is admirable, I don't think I would give it (the fact that others might have access) much thought whenever I found an occasion to PM someone.
Now, it may come as a surprise to a party which necessitated (legally) your viewing their PMs; I would think that only the parties involved would be aware (and rightfully should be the only ones aware) of such access. And since it would be of a legal nature I don't think they would be in a position to protest.
But I'm wondering if this is the same thing as informing a party on a phone line that their conversations are being recorded.
Larry
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
|
07-18-2004, 05:01 PM
|
|
Admin of THIEVES and SLUGABEDS
|
|
|
|
Re: PM Access
Quote:
Originally Posted by Larry
While waiting upon (is it Godot) a clarification of his concerns allow me to interject my own.
|
I appreciate it greatly. Thank you.
Quote:
First, I'm not quite sure what "legal issues" could possibly arise from people PMing each other.
|
Tom gave you an example above; another scenario I thought about which might be more likely than the secret FF Al Qaeda cell one was an investigation into trading copyrighted software via PM. Another possibility - which I've actually heard about from someone it happened to - would be an acrimonious divorce proceeding where one party's lawyers subpoenaed all the other party's private correspondence.
Quote:
The very purpose of the system is to afford two parties to converse with each other without the eyes of someone else looking over their shoulders. At least that's what I thought it provided. I always assumed that PMs were stored in a data bank, but never thought they were accessible to others.
|
I thought the same until I read the thread about the Read Your Members' PM hack. Once I knew, however, it seemed deceptive not to state up front that nothing is completely and totally private on a discussion board, even though the circumstances under which the effective privacy might hypothetically be breached are pretty darned outlandish.
Quote:
And while I think we're dealing with a trust issue here -- trusting the Administrators not to look at the PMs -- I think it may have a prohibiting effect knowing that they can.
|
It may indeed, and of course I very much hope that effect will be minimal, but it seemed to me telling the truth up front was fairer than not.
Quote:
But I'm thinking that if you're referring to harassing PMs that there are filters in place which would address that issue -- such as simply applying the "Ignore" feature to particular people.
|
Yessir. In fact, we had a custom "Disallow contact" feature installed so that members can choose not to receive PMs or emails from individual posters without having to ignore their posts.
Quote:
Anyways, that's my 2 cents on the issue.
|
And two very shiny pennies they were. Thank you, Larry.
|
07-18-2004, 05:08 PM
|
|
Admin of THIEVES and SLUGABEDS
|
|
|
|
Re: PM Access
Quote:
Originally Posted by Larry
But I'm wondering if this is the same thing as informing a party on a phone line that their conversations are being recorded.
|
That was my thought on the matter, particularly if it was the phone company recording all conversations.
|
07-18-2004, 05:14 PM
|
|
I said it, so I feel it, dick
|
|
Join Date: Jul 2004
Location: Here
|
|
Re: PM Access
I think the important point here is that ALL forums have such access, some have installed the hack allowing easy access, but never mention it, so members assume their PMs are truly private.
livius and vm seem to me to be interested in full disclosure, which I think is commendable.
|
07-18-2004, 05:35 PM
|
|
Member
|
|
|
|
Re: PM Access
Quote:
And two very shiny pennies they were. Thank you, Larry.
|
You're welcome! And since, in my estimation, your responses were quite satisfactory I'll take what's left of my buck and spend it on other things.
Larry
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
|
07-18-2004, 05:48 PM
|
|
Admin of THIEVES and SLUGABEDS
|
|
|
|
Re: PM Access
Quote:
Originally Posted by Larry
You're welcome! And since, in my estimation, your responses were quite satisfactory I'll take what's left of my buck and spend it on other things.
|
Thank you, Larry. I'm glad I could answer your concerns.
P.S. - We have in the "Fraidycat" category.
|
07-18-2004, 05:54 PM
|
|
Member
|
|
|
|
Re: PM Access
Quote:
P.S. - We have in the "Fraidycat" category.
|
Oh! Okie dokey. I'm used to bringing my own "luggage" with me, but I'll be sure to check out your emoticons in the future.
Carry on!
Larry
__________________
"He who is unable to live in society or who has no need, because he is sufficient for himself, must either be a beast or a god." Aristotle
|
07-18-2004, 07:40 PM
|
|
Petty Moralist Censor
|
|
Join Date: Jul 2004
Location: Sol III
|
|
Re: PM Access
Quote:
Originally Posted by livius drusus
PMs are stored in the database along with all the other data on the board, and are therefore accessible via database search. Not only is this a vB standard, afaik, but it's the way all such forums work, including your own phpBB site.
|
I realise that fully. I simply interpreted the statement in the rules as though you did have easy access should you so wish to do so. Of course you can access this same information in other ways, only they are far from easy. That was my point.
Quote:
There is a vB hack that allows admins easy access to PM via the ACP, but we think that's creepy as hell as well and refuse to install it.
|
And I commend you for it. The thought of being on a board that would have that sort of hack enabled sickens me. Far too reminiscent of Big Brother for my liking.
Quote:
What kind of security risk did you have in mind?
|
The security risk comes from being so up front and candid about it. Despite the wonderful intentions of full disclosure, I feel that you might be painting yourselves with a mighty big target. Yes, all sites do contain this information in the database, and yes, it is somehow possible to get access to that information through the back roads if you have the knowledge and intestinal fortitude to persevere. But in the number of sites I've come across, this is the first time I've ever seen it stated up front like that. Anomalies do tend to stick out.
Quote:
Could you elaborate on the nature of your concern?
|
I think I have already, but I will try to do more if I am still unclear.
__________________
Dig it.
|
07-18-2004, 07:52 PM
|
|
Admin
|
|
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
|
|
Re: PM Access
Quote:
Originally Posted by Godot
The security risk comes from being so up front and candid about it. Despite the wonderful intentions of full disclosure, I feel that you might be painting yourselves with a mighty big target. Yes, all sites do contain this information in the database, and yes, it is somehow possible to get access to that information through the back roads if you have the knowledge and intestinal fortitude to persevere. But in the number of sites I've come across, this is the first time I've ever seen it stated up front like that. Anomalies do tend to stick out.
|
You still haven't explained why our clarifying our ability to access data in the database is a security risk. Are you concerned that a potential hacker might not know that we have access to the data in our own database?
|
07-18-2004, 08:03 PM
|
|
Admin of THIEVES and SLUGABEDS
|
|
|
|
Re: PM Access
Quote:
Originally Posted by Godot
I realise that fully. I simply interpreted the statement in the rules as though you did have easy access should you so wish to do so. Of course you can access this same information in other ways, only they are far from easy. That was my point.
|
Ah, okay then. Fair enough. I'll clarify that codicil of the PP.
Quote:
Yes, all sites do contain this information in the database, and yes, it is somehow possible to get access to that information through the back roads if you have the knowledge and intestinal fortitude to persevere. But in the number of sites I've come across, this is the first time I've ever seen it stated up front like that. Anomalies do tend to stick out.
|
I can see how someone might find us shady and Big-Brothery if they didn't realize we're referring to a basic truth about databases, but like Tom, I'm unclear how this might rise to the level of security risk.
|
07-18-2004, 08:36 PM
|
|
Admin of THIEVES and SLUGABEDS
|
|
|
|
Re: PM Access
I have edited the Privacy Policy to include the following:
Quote:
Private Messaging
Private messages, like all content of online message boards, are stored in the database. There is no simple method to access this information which is why it is to all intents and purposes private. However, if required by law, the Administrators could scour the database and retrieve any of the data therein demanded on a search warrant or subpoena, including private correspondence. Outside of that highly unlikely scenario, PMs will only be seen by the sender and receiver.
|
Is that better?
|
07-18-2004, 11:20 PM
|
|
Petty Moralist Censor
|
|
Join Date: Jul 2004
Location: Sol III
|
|
Re: PM Access
Quote:
Originally Posted by viscousmemories
You still haven't explained why our clarifying our ability to access data in the database is a security risk. Are you concerned that a potential hacker might not know that we have access to the data in our own database?
|
I've actually explained it in crystal clear terms on more than one occasion.
Here it is, one last time:
By stating up front and in no uncertain terms that you do have the means to access this information available to you, you are painting a rather large target for any potentially malicious users. It is just asking for trouble.
__________________
Dig it.
|
07-18-2004, 11:23 PM
|
|
Petty Moralist Censor
|
|
Join Date: Jul 2004
Location: Sol III
|
|
Re: PM Access
Quote:
Originally Posted by livius drusus
I have edited the Privacy Policy to include the following:
Is that better?
|
It's much better liv, thank you.
__________________
Dig it.
|
07-18-2004, 11:24 PM
|
|
Admin
|
|
Join Date: Apr 2004
Location: Ypsilanti, Mi
Gender: Male
|
|
Re: PM Access
Quote:
Originally Posted by Godot
I've actually explained it in crystal clear terms on more than one occasion.
Here it is, one last time:
By stating up front and in no uncertain terms that you do have the means to access this information available to you, you are painting a rather large target for any potentially malicious users. It is just asking for trouble.
|
I'm sorry, but I still don't understand your concern. Exactly what kind of trouble are we "asking for" by publicly acknowledging that we have access to all of the data in our database? In what way could your hypothetical "malicious users" use this information to the detriment of our site?
|
All times are GMT +1. The time now is 09:12 AM.