Totally OT: do mods have full access to PM info?

[bronze_rules]

I know this is totally OT, because it doesn't relate directly to this particular forum. However, I was just wondering, generally, on any forums, where information is sensitive; do individuals PMing each other, do so in discretion, or do mods have full visibility? I.e. If you expect to PM another individual with highly discrete information, is there any kind of protection built into the software that prevents the owners (ok even higher then mod) from viewing your conversation?

[G.A.tor]

my understanding is they can access all posts (including pm's)

[whisp]

Depends on what the rights and privileges/permissions the head administrator of the forum gave the moderators. If they have full privileges then they have access to see everything. Usually a good administrator will set rules incase a moderator goes rogue.

 

Head administrator can see everything including pms, passwords along with all logs.

[RockMyAmadeus]

Arch has made it clear on several occasions that he needs to have permission (and the password) to a user's account if he is going to see unwanted/hostile PMs sent to someone.

 

Either he's covering well, or he really doesn't have access.

[bronze_rules]

Thanks for the input; I suppose I was referring more specifically to financial forums, where private information can be very sensitive, and mods are obviously in a position of power to access privileged information not meant for them. Just wondering if there are any safeguards built into the forum generating software itself; I suppose it would be naive to think so. But wanted to see if others knew for certain.

[Ares]

I know this is totally OT, because it doesn't relate directly to this particular forum. However, I was just wondering, generally, on any forums, where information is sensitive; do individuals PMing each other, do so in discretion, or do mods have full visibility? I.e. If you expect to PM another individual with highly discrete information, is there any kind of protection built into the software that prevents the owners (ok even higher then mod) from viewing your conversation?

 

Yes we do!

 

 

and you should stop doing that to your pets

[RockMyAmadeus]

Here's the answer: if there's information you want to keep private, don't send it over the internet.

 

Otherwise, assume it is, at the very least, accessible to every person who has access to any site at an administrator level.

[whisp]

Head admin has access to all files thus he should be able to get anything he wants and see what he wants including passwords which are maintained inside files on the server.

 

Even on secure sites such as banks that is only security between the end user and the server. Head admins still can see everything.

 

 

[bronze_rules]

sounds about right.. thanks all.

 

Darn you Ares, how dare you abuse your privileges, that was between me and g.....

[asteroid-comix]

A friend once told me.. ... that one of the funniest things programmers get to do is read the goofy things that people use for passwords and try to figure out what the mean. Favorite of all time was "shesaguy".

 

Laughed for an hour when I read heard that.

 

 

 

[Mac Man]

I run an online Message Board Forum for some of my English classes and as the senior administrator, I don't have access to the PMs between students. I can go in and play with all of their posts but aside from freezing / deleting accounts, etc, that's about it.

 

My moderators (which would assign students to be for a period of time on a rotating basis) had only the ability to pull posts, lock and move threads, etc., so they had a less active role than I did. Again, that is a much different software system and I didn't own it so could be an entirely different set up than here.

 

[Annihilus]

Head admin has access to all files thus he should be able to get anything he wants and see what he wants including passwords which are maintained inside files on the server.

 

Even on secure sites such as banks that is only security between the end user and the server. Head admins still can see everything.

 

 

To my knowledge, this is almost 100% incorrect.

 

I am an admin on a different major online forum with a couple thousand users and we do not have access to PMs and/or passwords. Obviously there are ways for an enterprising individual, but as far as 'just going in and looking at the stuff', it is very unlikely to happen. Passwords are encrypted.

 

As Mac Man said above, we can go and mess with posts and profiles, etc., but not see PM's, etc. without doing some hacking.

[Sal]

Head admin has access to all files thus he should be able to get anything he wants and see what he wants including passwords which are maintained inside files on the server.

 

Even on secure sites such as banks that is only security between the end user and the server. Head admins still can see everything.

 

 

To my knowledge, this is almost 100% incorrect.

 

I am an admin on a different major online forum with a couple thousand users and we do not have access to PMs and/or passwords. Obviously there are ways for an enterprising individual, but as far as 'just going in and looking at the stuff', it is very unlikely to happen. Passwords are encrypted.

 

As Mac Man said above, we can go and mess with posts and profiles, etc., but not see PM's, etc. without doing some hacking.

 

It's not almost 100%, it is 100%. At least with UBB threads-based forums; the code's not written that way

[whisp]

Head admin has access to all files thus he should be able to get anything he wants and see what he wants including passwords which are maintained inside files on the server.

 

Even on secure sites such as banks that is only security between the end user and the server. Head admins still can see everything.

 

 

To my knowledge, this is almost 100% incorrect.

 

I am an admin on a different major online forum with a couple thousand users and we do not have access to PMs and/or passwords. Obviously there are ways for an enterprising individual, but as far as 'just going in and looking at the stuff', it is very unlikely to happen. Passwords are encrypted.

 

As Mac Man said above, we can go and mess with posts and profiles, etc., but not see PM's, etc. without doing some hacking.

 

It's not almost 100%, it is 100%. At least with UBB threads-based forums; the code's not written that way

 

Not all sites are encrypted and it is up to the site admin to add that level of security. If they don't want that security at that level they can remove it thus looking at any info. Majority of databases are plaintext. Admin has 100% full control of everything on his server. You have to have this type of control since you can be held responsible for anything being done illegal on your server.

 

I myself have ran phpbb forum server with sql databases and I was able to look up a person account and see their email and password just as they can. I could also look at their pms if I wished. And as a note I wasn't doing it through the forum software. I was using the data files from the sql database server.

 

Then there is the fact that on some forums an admin or moderator can even go in and change your password for you.

 

To tell you the truth an admin doesn't even need your password majority of the time to look at your account and your setting and definelty don't need it to look at your pms for majority of sites if they have access to the database server.

 

Even sometimes when these sites get exploited you will see a mass pm or email to all forum members asking you to change your password for safety in fear that the server files might have been stolen thus someone may pull apart the files.

 

Even md5 which is a form of hash string can be broken by brute force techniques if that is being used to secure your database for the information that needs to be secured.

 

Now I am not saying all forums are like this since there is different programming but it is up to the admin.

 

And if you don't believe me look at some of the major games where people get their accounts stolen. One example is Guild Wars where I even know some people that got their accounts stolen by guild mates when they signed up for the guild forum and where stupid enough to use their game email and password for their forum account.

 

Anyways if you have access to the database which the head admin should have you have access to all data contained on it majority of the time.

 

Edit: Oh and an other fact is that you can even pull apart the backup and read it too. And that you can get from most forum interfaces as the admin by starting the backup and saving it to your own computer elsewhere away from the server. You have to use an ASP created program though to read it.

[kidcolt]

I am a mod on a sports card collector site and we don't have access to personal private messages. I am not sure about the admin guys but the mods don't.

[THE_BEYONDER]

I'm sure Arch has access to everything...PMs included.

[whisp]

Have to understand that its not the user interface that I am talking for the boards. I am talking the database itself which in some cases admins give permissions to their moderators to go in but is usally limited. But the admin has the root password and username thus can see everything since it is majority of the time plain text.

 

Only some times through the board interface can moderators with the right permissions see passwords and emails. And a good admin would have the passwords never viewable though that interface and hidden by asteriks. However that pasword list is contained in the database and again if you have root access you can go view it.

 

This is why I say a head admin can see everything and then any one under him is whatever controls he has put in place.

 

I also always never let my mods be able to do backups due to what I explained earlier along with only head admins should have the root password and username for the database.

 

But you can't sit here and say 100% pms cant be read since that is not true because you can.

 

And even after what I have typed you still don't believe me go do an internet search on the subject can admins read pms and how can they!

 

I have personal experience in this due to I have even wrote tutorials for setting up forums and security for the sql servers on the phpbb forums and that was back in 2003 so I have been doing it for awhile.

 

 

[Boozad]

I'm sure Arch has access to everything...PMs included.

 

(thumbs u

[lizards2]

If they did, Divad would be long gone.

[mica]

You can set the option to no in your preferences. Here's mine. Arch should include this info in the FAQ page.