How private are PMs

**bhoywonder** · 05-06-10, 13:57

Originally Posted by nicegirlsarenice

That's a visitor message he wrote on her page, not a private message.

gotcha!!

my mistake

**El Gordo** · 05-06-10, 14:37

I agree with your general point, nicegirls, that people are worrying too much about this, but as for the details, I think nearly every single thing you've said is wrong.

Originally Posted by nicegirlsarenice

Patricia can, however I was reading up on this here and the admins can't always read pms, such as in the TurboIsland message board. They physically can't access them because they're encrypted and neither can anyone else ever even if asked to by law enforcement they can't.

This site is running on vBulletin. On vBulletin it is easy to set things up so admin can read private messages. There is an add-on for it. Of course such tricks are only for admins who are too stupid to realise that they can just query them off the database.

You see the mention of the word "hack"? There's a whole community out there designed to try to hack into forum boards so the admins can read the pms!!

Quite successfully, but those people are largely morons. There are simpler ways to read pm's if you control the server.

It's not obviously, the only people who can read them are people with access to the database and people who know how to get the data from it (which could be encrypted).

It's not encrypted. Not that it would matter. Think about it. The webserver needs the keys, or no one would ever be able to read the pm, including the recipient, and who controls the webserver? And "only people who know how to get the data from it" includes anyone who knows how to write an SQL query, which is about half the planet.

You're probably right about E-I but that's not always necessarily the way. With SSL your password is encrypted by the site with the help of the web browser on leaving and decrypted by the site/web browser again when it reaches them. Your ISP can't read that because only the yahoo server or whatever has the key to decrypt it. So unless you've used a sniffer to see if they're being sent plaintext, you can't be sure on that. Anyway I know that my ISP doesn't sniff my traffic because they told me.

First thing I did when I started using the site. No, it's not running on SSL. Interestingly, parts of the site are. The ones on the business end. Not the forums.

I would say that's an urban myth. It could be physically impossible to monitor every single private message into and out of the states, which would probably be hundreds of thousands each minute. Scanning is one thing and would be hard enough, "retaining" them would probably be impossible even given their resources. This is the main reason your ISP doesn't retain data from every user, it'd be ridiculously impossible.... even retaining log-on and log-off files ALONE, to show who had a certain IP address at a certain time is in the region of thousands of terabytes for a few million users. The NSA doesn't care about your mickey mouse PMs to escorts.

They certainly don't store everything. They look for certain things, and then decide whether to look further and possibly store it. For example, I mentioned Al Qaeda in an earlier post on this thread. When you viewed this thread the server sent you a page with the words "Al Qaeda". I'm sure that set off a flag somewhere to inspect that packet in more detail. I doubt it was stored. All of this is automated, of course.

Not really, only if you're using for example wifi and it's unencrypted or poorly encrypted, otherwise it would be very hard and need lots of criminal activity. I'm using WiMax so it may be more insecure for me, but I would send anything that's extremely highly sensitive completely encrypted anyway.

Wireless makes it easier, but most office wired networks aren't secured in any meaningful way against someone who has physical access to the network. By physical access, I don't mean anything fancy, just what you do when you plug your laptop in.

Are you sending your pm's encrypted? If so, is anyone bothering to decrypt them?

How do we go from "could possibly" read your pms to "all of these people or organizations can" read them? I would guess maybe 10 people can read your pms if they want to.

We didn't go from "could possibly" to "can". I always said "can". I think the number of people who can read your pm's is probably in the thousands. I would guess the number who do is one, the recipient, and maybe not even always that.

Maybe Patricia should consider the idea of encrypted private messages. There is talk about hacking some of these systems but I'm pretty sure that you could use a system that would be of government top-secret standard and almost literally impossible to hack.... without trillions of years of supercomputers working on it trying to brute-force it.

This is not going to happen. As always, usability wins over security. Doing it properly is hard, and would make the pm system unusable from some kinds of devices. From a business perspective it's clearly better not to worry about it.

This isn't true, if you delete them it doesn't mean that it'd be impossible for anyone to access what was written in the database before it was deleted. But it would be extremely harder, if not impossible. The data could be wiped 5 times over as soon as they're deleted from the database, maybe partly because you're not allowed to keep records of data from someone except in certain circumstances. So don't be so quick to say something Patricia is saying is wrong.

Whatever Patricia said, you shouldn't believe that the message is deleted from the database when you delete it from your inbox or outbox. If the other person, sender or recipient keeps it then it is obviously still there. You can't access it, but it's there. So Patricia is wrong, and it doesn't matter whether I say that slowly or quickly. What's perhaps less obvious is that the message is still not gone even if both people "delete" it. I don't know how vBulletin handles this, but not all boards software deletes pm's from the database once they've been removed from all users' folders. Even if it does, the database which stores E-I's data is Patricia's most valuable asset. I'm sure she backs it up often. So your "deleted" pm's are still there on the backups, waiting to be restored with the rest of the database. I doubt she would ever bother, except possibly if there were reason to believe they were relevant to a criminal investigation.

There's a huge difference between something being absolutely impossible and something being plausible or practical. If you want to assume that because it wouldn't be physically impossible for them to get it that suddenly everyone has extremely fast access to it then that's fine... but it's only a theoretical/philosophical comment on how EVERYTHING is unsafe no matter WHAT. It's not realistic.

I never said anyone had easy access, but that wasn't the question that was asked. Personally I am not really worried about this, or I wouldn't be here. But maybe there are people here who are more subject to blackmail or less careful in their pm's than I am. For them maybe it's just not good enough that no one has easy access.

**punterminator** · 05-06-10, 14:43

Hehe, I worked as a Lectuer/Admin in my University while finishing my PHd thesis - crikey I think we read everyone's emails. The things we seen. Thing is though, back then, anyone with an email on any server could read everyone else's mails. That' just the way it was...

**El Gordo** · 05-06-10, 14:44

Originally Posted by Westsidex

its downright insulting to think that we would even read ppls pms even if we had access. Who the fuck are you ppl to judge us just because we mod. What about you lot? If you could read pms ,would you?

one wonders,
Westside.

Who said they think you would read pm's? As far as I can see, people have only asked whether you could.

**nicegirlsarenice** · 05-06-10, 15:59