I agree with your general point, nicegirls, that people are worrying too much about this, but as for the details, I think nearly every single thing you've said is wrong.
This site is running on vBulletin. On vBulletin it is easy to set things up so admin can read private messages. There is an add-on for it. Of course such tricks are only for admins who are too stupid to realise that they can just query them off the database.
Quite successfully, but those people are largely morons. There are simpler ways to read pm's if you control the server.
You see the mention of the word "hack"? There's a whole community out there designed to try to hack into forum boards so the admins can read the pms!!
It's not encrypted. Not that it would matter. Think about it. The webserver needs the keys, or no one would ever be able to read the pm, including the recipient, and who controls the webserver? And "only people who know how to get the data from it" includes anyone who knows how to write an SQL query, which is about half the planet.
It's not obviously, the only people who can read them are people with access to the database and people who know how to get the data from it (which could be encrypted).
First thing I did when I started using the site. No, it's not running on SSL. Interestingly, parts of the site are. The ones on the business end. Not the forums.
You're probably right about E-I but that's not always necessarily the way. With SSL your password is encrypted by the site with the help of the web browser on leaving and decrypted by the site/web browser again when it reaches them. Your ISP can't read that because only the yahoo server or whatever has the key to decrypt it. So unless you've used a sniffer to see if they're being sent plaintext, you can't be sure on that. Anyway I know that my ISP doesn't sniff my traffic because they told me.
They certainly don't store everything. They look for certain things, and then decide whether to look further and possibly store it. For example, I mentioned Al Qaeda in an earlier post on this thread. When you viewed this thread the server sent you a page with the words "Al Qaeda". I'm sure that set off a flag somewhere to inspect that packet in more detail. I doubt it was stored. All of this is automated, of course.
I would say that's an urban myth. It could be physically impossible to monitor every single private message into and out of the states, which would probably be hundreds of thousands each minute. Scanning is one thing and would be hard enough, "retaining" them would probably be impossible even given their resources. This is the main reason your ISP doesn't retain data from every user, it'd be ridiculously impossible.... even retaining log-on and log-off files ALONE, to show who had a certain IP address at a certain time is in the region of thousands of terabytes for a few million users. The NSA doesn't care about your mickey mouse PMs to escorts.
Wireless makes it easier, but most office wired networks aren't secured in any meaningful way against someone who has physical access to the network. By physical access, I don't mean anything fancy, just what you do when you plug your laptop in.
Not really, only if you're using for example wifi and it's unencrypted or poorly encrypted, otherwise it would be very hard and need lots of criminal activity. I'm using WiMax so it may be more insecure for me, but I would send anything that's extremely highly sensitive completely encrypted anyway.
Are you sending your pm's encrypted? If so, is anyone bothering to decrypt them?
We didn't go from "could possibly" to "can". I always said "can". I think the number of people who can read your pm's is probably in the thousands. I would guess the number who do is one, the recipient, and maybe not even always that.
How do we go from "could possibly" read your pms to "all of these people or organizations can" read them? I would guess maybe 10 people can read your pms if they want to.
This is not going to happen. As always, usability wins over security. Doing it properly is hard, and would make the pm system unusable from some kinds of devices. From a business perspective it's clearly better not to worry about it.
Maybe Patricia should consider the idea of encrypted private messages. There is talk about hacking some of these systems but I'm pretty sure that you could use a system that would be of government top-secret standard and almost literally impossible to hack.... without trillions of years of supercomputers working on it trying to brute-force it.
Whatever Patricia said, you shouldn't believe that the message is deleted from the database when you delete it from your inbox or outbox. If the other person, sender or recipient keeps it then it is obviously still there. You can't access it, but it's there. So Patricia is wrong, and it doesn't matter whether I say that slowly or quickly. What's perhaps less obvious is that the message is still not gone even if both people "delete" it. I don't know how vBulletin handles this, but not all boards software deletes pm's from the database once they've been removed from all users' folders. Even if it does, the database which stores E-I's data is Patricia's most valuable asset. I'm sure she backs it up often. So your "deleted" pm's are still there on the backups, waiting to be restored with the rest of the database. I doubt she would ever bother, except possibly if there were reason to believe they were relevant to a criminal investigation.
This isn't true, if you delete them it doesn't mean that it'd be impossible for anyone to access what was written in the database before it was deleted. But it would be extremely harder, if not impossible. The data could be wiped 5 times over as soon as they're deleted from the database, maybe partly because you're not allowed to keep records of data from someone except in certain circumstances. So don't be so quick to say something Patricia is saying is wrong.
I never said anyone had easy access, but that wasn't the question that was asked. Personally I am not really worried about this, or I wouldn't be here. But maybe there are people here who are more subject to blackmail or less careful in their pm's than I am. For them maybe it's just not good enough that no one has easy access.
There's a huge difference between something being absolutely impossible and something being plausible or practical. If you want to assume that because it wouldn't be physically impossible for them to get it that suddenly everyone has extremely fast access to it then that's fine... but it's only a theoretical/philosophical comment on how EVERYTHING is unsafe no matter WHAT. It's not realistic.
“I wish you wouldn’t keep appearing and vanishing so suddenly; you make one quite giddy!”
“All right,” said the Cat; and this time it vanished quite slowly, beginning with the end of the tail, and ending with the grin, which remained some time after the rest of it had gone.
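The difference the post above draws between deleting a PM from your folders and the row leaving the database (or its backups), as an added example that is not part of the original thread and is not vBulletin's code. The schema, table names and functions are hypothetical, and the message text is constructed sample data.

```python
import sqlite3

# Hypothetical schema (not vBulletin's): the body is stored once, plus one
# folder row per user who still has the message in a folder.
SCHEMA = """
CREATE TABLE pm_text (pm_id INTEGER PRIMARY KEY, sender TEXT, body TEXT);
CREATE TABLE pm_folder (pm_id INTEGER, owner TEXT, folder TEXT);
"""

def make_board():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def send_pm(db, sender, recipient, body):
    cur = db.execute("INSERT INTO pm_text (sender, body) VALUES (?, ?)",
                     (sender, body))
    pm_id = cur.lastrowid
    db.executemany("INSERT INTO pm_folder VALUES (?, ?, ?)",
                   [(pm_id, sender, "sent"), (pm_id, recipient, "inbox")])
    db.commit()
    return pm_id

def user_delete(db, pm_id, owner, purge_orphans=False):
    """The 'delete' button: drop this user's folder entry. The body row is
    removed only if purge_orphans is set and no folder still references it."""
    db.execute("DELETE FROM pm_folder WHERE pm_id=? AND owner=?", (pm_id, owner))
    if purge_orphans:
        db.execute("DELETE FROM pm_text WHERE pm_id=? AND pm_id NOT IN "
                   "(SELECT pm_id FROM pm_folder)", (pm_id,))
    db.commit()

def visible_to(db, owner):
    """What the forum interface shows a user."""
    q = ("SELECT t.body FROM pm_text t JOIN pm_folder f ON f.pm_id = t.pm_id "
         "WHERE f.owner=?")
    return [row[0] for row in db.execute(q, (owner,))]

def operator_view(db):
    """What anyone with direct database access can read."""
    return [row[0] for row in db.execute("SELECT body FROM pm_text")]

def snapshot(db):
    """A backup taken at this moment; later deletes do not touch it."""
    copy = sqlite3.connect(":memory:")
    db.backup(copy)
    return copy
```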
Hehe, I worked as a Lecturer/Admin in my University while finishing my PhD thesis - crikey I think we read everyone's emails. The things we seen. Thing is though, back then, anyone with an email on any server could read everyone else's mails. That's just the way it was...
Anything's a dildo if you're brave enough.
Bullshit. Everything I've said is right. I have a tendency to always be right about everything, usually because I don't talk about things I don't know anything about.
How do you know it's running on vBulletin? I'm not disputing it, but it's just vBulletin often has an advertisement up that it's running on it... maybe E-I is using a premium software that doesn't have that but I'm just wondering how you know.
Maybe there's an easy way of knowing. Again I'm not disputing it, I'm just wondering how you know it is (if it indeed is). Call me "stupid" for that if you wish... I also don't understand why you're calling someone "stupid" if they use an add-on to access the database, it's a ridiculous claim.
Not if it's encrypted. If it's encrypted you are locked out.
It is encrypted for some databases. The forum can perform as a black box (even if it's open source). It doesn't show you everything, it locks you out even if you're an admin. Unless you have given it the correct SSL-encrypted password it won't show the pm. It has a mind of its own.
Maybe the server can try to read/intercept everything going in and out of the forum software, maybe that is what you're intuitively trying to get at. But it can be a very complicated thing. I agree that unless there is some other server in between that it will have all the information, but having all the information and actually REVERSING all the processes are incredibly different things. It's like trying to play a game of chess instead of bridge.... just because you can SEE everything unlike in bridge, that doesn't mean you automatically make the perfect moves for a perfect game. There are huge entities devoted to trying to do these things with millions of dollars put into it (at least if you're talking about encrypted communication over the internet in general).
I don't think you really have a clue what you're talking about here do you?
Physical access to the network inside the building, in which case they should be taking serious steps to protect their network anyway.
What a load of fucking bullshit. Thousands of people cannot read a pm you send here, at least not without passing it on. 10 is erring on the high side. Patricia's admins, your ISP, and that's it really.
I don't know whether this is true or not, but I wouldn't be surprised if it were completely false at all.
Patricia may not have been 100%, exactly, precisely right on an axiomatic level (and as we have established, it is impossible to be in terms of security), but what YOU said was OBSCENELY wrong. What YOU said was that it would make no difference at ALL if you deleted them, which was a farcical thing to say. I think you'll agree that was a pretty stupid mistake on your part, it wouldn't be so bad if you didn't say Patricia was wrong when she clearly was not, at least not unless someone had saved your message beforehand.
Because of how she said it, I would guess that Patricia was doing more than just guessing on the subject. I would guess that Patricia had read this key point at some time... that she no longer has access to any PMs you sent if you delete them from the system. With all of the complicated legalities about data retention which Patricia is obviously well up on and serious about your data considering all the policies on it E-I have. To me it doesn't sound like something she would just say off the cuff as a guess. Otherwise, why would she specifically say that El Gordo? Even if she did and they are all backed up (UNLIKELY), it wasn't a bad mistake, but I doubt that she would just guess on it like that. You seem to be implying like E-I are keeping more data than we would like. Actually E-I is clear on what it keeps about its users if you read the privacy policy. They can track your website usage, they say everything else they keep about you.
I don't know who you think you are coming in here talking like this, making wild guesses from limited knowledge. So maybe you feel you know a thing or two about message boards and security. That doesn't mean you be calling others stupid, saying all those guys that obviously know what they're talking about on other forums are wrong.... trying to push the extent of your knowledge way beyond what you can reasonably comment on.
Finally you say something reasonable.
Last edited by nicegirlsarenice; 05-06-10 at 16:07.
Ok just to end this once and for all. I am reading all of your pms right now and you are all sick individuals who should be ashamed of yourselves
Because where security online is concerned, the correct question is never "Is there any reason why I shouldn't trust this person with this information?", but always "Is there any reason why I should trust this person with this information?" The fact that you have no good reason to have access to pm's is enough reason why you shouldn't have access. The question of whether you might abuse that access doesn't even come up.
Can someone other than El Gordo and nicegirlsarenice please give me the bullet points of what the 2 of them is on about, christ they love the sound of their own voices, brings me back to the good old 10000 letter days of QPH
ah FFS this thread has me rattled people can read my PM's? what do people know about me now? they're all talking about me? am I now a target?