
Archived

This topic is now archived and is closed to further replies.

Totally OT: do mods have full access to PM info?

56 posts in this topic

I am an admin on a different major online forum with a couple thousand users and we do not have access to PMs and/or passwords. Obviously there are ways for an enterprising individual, but as far as 'just going in and looking at the stuff', it is very unlikely to happen. Passwords are encrypted.

 

As Mac Man said above, we can go and mess with posts and profiles, etc., but not see PM's, etc. without doing some hacking.

 

It's not almost 100%, it is 100%. At least with UBB threads-based forums; the code's not written that way

 

Ditto.

 

I am the admin on the CBCA Forum and I have no way of accessing a user's PMs. The passwords are encrypted going in, so I have no way of determining someone's password. I can only reset them.


Head admin has access to all files thus he should be able to get anything he wants and see what he wants including passwords which are maintained inside files on the server.

 

Even on secure sites such as banks that is only security between the end user and the server. Head admins still can see everything.

 

Not all systems have full access to things such as passwords. Most of our software has 1-way encryption of passwords so that even we can't read them (thumbs u

 

Even md5 which is a form of hash string can be broken by brute force techniques if that is being used to secure your database for the information that needs to be secured.

 

We add 32 random characters to our passwords so that they won't match the lists of md5 cracked passwords. One user's password of "1234" is different than another's.


You can set the option to no in your preferences. Here's mine. Arch should include this info in the FAQ page.

 

 

100394.jpg

 

Try pushing Arch on the 'not allowed to give you a strike' thing, see if it works :popcorn:


Have to understand that it's not the user interface that I am talking for the boards. I am talking the database itself which in some cases admins give permissions to their moderators to go in but is usually limited. But the admin has the root password and username thus can see everything since it is majority of the time plain text.

 

Only sometimes through the board interface can moderators with the right permissions see passwords and emails. And a good admin would have the passwords never viewable through that interface and hidden by asterisks. However that password list is contained in the database and again if you have root access you can go view it.

 

This is why I say a head admin can see everything and then any one under him is whatever controls he has put in place.

 

I also always never let my mods be able to do backups due to what I explained earlier along with only head admins should have the root password and username for the database.

 

But you can't sit here and say 100% PMs can't be read since that is not true because you can.

 

And even after what I have typed you still don't believe me go do an internet search on the subject can admins read pms and how can they!

 

I have personal experience in this due to I have even written tutorials for setting up forums and security for the SQL servers on the phpBB forums and that was back in 2003 so I have been doing it for a while.

 

 

Yes, but the question is not 'CAN' they view the PM's/passwords, the question is 'DO' they view them. My answer is: not without difficulty. Not only is it not likely that the Admin (whoever that is) doesn't do it, but it is even less likely that moderators do (and I believe the question was asked of moderators, not admins). Any admin worth his salt is not going to let moderators read PMs.

 

Obviously anything can be hacked or done through the back-end database (which is why I stated 'almost 100% of the time' in my answer), but as a default any forum software I've ever used, you can't do these two things. I obviously have no inside info to the CGC forums, but I'm kind of doubting that CGC has hacked their forum database or added a custom mod to be able to see this private information.


Have to understand that it's not the user interface that I am talking for the boards. I am talking the database itself which in some cases admins give permissions to their moderators to go in but is usually limited. But the admin has the root password and username thus can see everything since it is majority of the time plain text.

 

Only sometimes through the board interface can moderators with the right permissions see passwords and emails. And a good admin would have the passwords never viewable through that interface and hidden by asterisks. However that password list is contained in the database and again if you have root access you can go view it.

 

This is why I say a head admin can see everything and then any one under him is whatever controls he has put in place.

 

I also always never let my mods be able to do backups due to what I explained earlier along with only head admins should have the root password and username for the database.

 

But you can't sit here and say 100% PMs can't be read since that is not true because you can.

 

And even after what I have typed you still don't believe me go do an internet search on the subject can admins read pms and how can they!

 

I have personal experience in this due to I have even written tutorials for setting up forums and security for the SQL servers on the phpBB forums and that was back in 2003 so I have been doing it for a while.

 

 

Yes, but the question is not 'CAN' they view the PM's/passwords, the question is 'DO' they view them. My answer is: not without difficulty. Not only is it not likely that the Admin (whoever that is) doesn't do it, but it is even less likely that moderators do (and I believe the question was asked of moderators, not admins). Any admin worth his salt is not going to let moderators read PMs.

 

Obviously anything can be hacked or done through the back-end database (which is why I stated 'almost 100% of the time' in my answer), but as a default any forum software I've ever used, you can't do these two things. I obviously have no inside info to the CGC forums, but I'm kind of doubting that CGC has hacked their forum database or added a custom mod to be able to see this private information.

 

Yes moderators are limited but admins are not and it is not as hard as you think for the main admin to go view your PMs. Admins don't need your password to view anything on that server related to you. They just go to the server, log in as an admin, then log in to the SQL server as root and then they can view all data related to the forum as clear text. You can even do this remotely as long as you have a database reader on the computer you are viewing it from.

 

I will admit passwords do take a bit more work but it is doable.

 

Also you would be surprised the rights admins give moderators on larger sites.


 

Yes moderators are limited but admins are not and it is not as hard as you think for the main admin to go view your PMs. Admins don't need your password to view anything on that server related to you. They just go to the server, log in as an admin, then log in to the SQL server as root and then they can view all data related to the forum as clear text. You can even do this remotely as long as you have a database reader on the computer you are viewing it from.

 

I will admit passwords do take a bit more work but it is doable.

 

Also you would be surprised the rights admins give moderators on larger sites.

 

Again, it's not 'CAN they?', it's 'DO they?'. I never said they didn't have the means to do it with some work, just that it's pretty unsavory to run that kind of operation and no board I've ever been associated with has done it (and that's quite a few going back to the old BBS days).

 

"In before the lock", btw.


Head admin has access to all files thus he should be able to get anything he wants and see what he wants including passwords which are maintained inside files on the server.

 

Even on secure sites such as banks that is only security between the end user and the server. Head admins still can see everything.

 

Not all systems have full access to things such as passwords. Most of our software has 1-way encryption of passwords so that even we can't read them (thumbs u

 

Even md5 which is a form of hash string can be broken by brute force techniques if that is being used to secure your database for the information that needs to be secured.

 

We add 32 random characters to our passwords so that they won't match the lists of md5 cracked passwords. One user's password of "1234" is different than another's.

 

MD5 really isn't that secure. It is one way and only encrypts and doesn't decode and is sending plaintext passwords. Brute force dictionary attack or a rainbow table could most likely get you in. And even then we are talking about user to server communication for that authentication. The password tables are still available for the admins in a file in the database where an admin has free range.

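The salting and MD5 points argued in the posts above, as an added example that is not code from any poster or from any forum software: it compares an unsalted MD5 digest, a digest with 32 random characters of per-user salt, and a salted slow hash. The function names, the three-word list and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

WORDLIST = ["1234", "password", "letmein"]  # constructed sample of common passwords

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

# Precomputed digest -> password table, i.e. the "lists of md5 cracked passwords".
PRECOMPUTED = {md5_hex(p): p for p in WORDLIST}

def salted_md5(password: str, salt: Optional[str] = None) -> Tuple[str, str]:
    """Per-user salt of 32 random characters, as the post describes."""
    salt = salt or secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
    return salt, md5_hex(salt + password)

def table_lookup(digest: str) -> Optional[str]:
    """What a precomputed list can recover from a stored digest."""
    return PRECOMPUTED.get(digest)

def guess_with_salt(salt: str, digest: str) -> Optional[str]:
    """The salt sits in the same database row as the digest, so a weak
    password still falls to per-row guessing when the hash is as fast as MD5."""
    for candidate in WORDLIST:
        if md5_hex(salt + candidate) == digest:
            return candidate
    return None

def slow_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed setting."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = slow_hash(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison

if __name__ == "__main__":
    print("unsalted digest found in table:", table_lookup(md5_hex("1234")))
    (s1, h1), (s2, h2) = salted_md5("1234"), salted_md5("1234")
    print("same password, different stored rows:", h1 != h2)
    print("salted digest found in table:", table_lookup(h1))
    print("weak password guessed from row:", guess_with_salt(s1, h1))
```

The salt defeats the precomputed list but not guessing against a weak password; the slow hash raises the cost of each guess, which is why it is preferred over a single MD5 pass for stored passwords.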

 

Yes moderators are limited but admins are not and it is not as hard as you think for the main admin to go view your PMs. Admins don't need your password to view anything on that server related to you. They just go to the server, log in as an admin, then log in to the SQL server as root and then they can view all data related to the forum as clear text. You can even do this remotely as long as you have a database reader on the computer you are viewing it from.

 

I will admit passwords do take a bit more work but it is doable.

 

Also you would be surprised the rights admins give moderators on larger sites.

 

Again, it's not 'CAN they?', it's 'DO they?'. I never said they didn't have the means to do it with some work, just that it's pretty unsavory to run that kind of operation and no board I've ever been associated with has done it (and that's quite a few going back to the old BBS days).

 

"In before the lock", btw.

 

Of course it's unsavory to do but look in the world we live in lol

 

People do do it.

 

Many a Black Hat operations out there.

 

 


Again, it's not 'CAN they?', it's 'DO they?'. I never said they didn't have the means to do it with some work, just that it's pretty unsavory to run that kind of operation and no board I've ever been associated with has done it (and that's quite a few going back to the old BBS days).

 

I agree. The stuff Whisp is describing may be technically possible, but it's all Greek to me. As a non-IT guy admin, I use the functionality provided on the Administrative Control Panel. There is no feature on the control panel which allows accessing users' PMs.


  • Administrator
Arch has made it clear on several occasions that he needs to have permission (and the password) to a user's account if he is going to see unwanted/hostile PMs sent to someone.

 

Either he's covering well, or he really doesn't have access.

 

Not true. Admins have the ability to review PMs by users. Moderators have to be expressly granted that permission, and, pretty much, they are not granted that permission.

 

Technically, I don't need anything from a board member to review PMs. In practice it is my rule to not review PMs unless asked to. Be aware that if ANOTHER member asks me to review their PMs, it will include (obviously) PMs that were sent to them and thus your "sent" PMs could be reviewed in that context.

 

 


  • Administrator
Thanks for the input; I suppose I was referring more specifically to financial forums, where private information can be very sensitive, and mods are obviously in a position of power to access privileged information not meant for them. Just wondering if there are any safeguards built into the forum generating software itself; I suppose it would be naive to think so. But wanted to see if others knew for certain.

 

Any truly sensitive information sent via email should be done only on secure email in an encrypted fashion. Your average email user has no idea how to do that, though.


  • Administrator

 

Passwords in UBB are encrypted. Encryption can be broken, but it's pretty unlikely and certainly not something we do. There is no guarantee that any particular message board software does or does not encrypt passwords.

 

Generally it is a good idea to have unique passwords for everything. If that is too much hassle for you, you should at least create a few tiers of passwords from "who cares" easy ones to highly secure ones.

 

Important financial sites that you use should have their own unique password that is highly unguessable and that you don't use for anything else.


Arch has made it clear on several occasions that he needs to have permission (and the password) to a user's account if he is going to see unwanted/hostile PMs sent to someone.

 

Either he's covering well, or he really doesn't have access.

 

Not true. Admins have the ability to review PMs by users. Moderators have to be expressly granted that permission, and, pretty much, they are not granted that permission.

 

Technically, I don't need anything from a board member to review PMs. In practice it is my rule to not review PMs unless asked to. Be aware that if ANOTHER member asks me to review their PMs, it will include (obviously) PMs that were sent to them and thus your "sent" PMs could be reviewed in that context.

 

 

So if you can review them, why have you asked for people's passwords to log into their accounts to check potential offending PMs...?

 

:shrug:


Passwords in UBB are encrypted. Encryption can be broken, but it's pretty unlikely and certainly not something we do. There is no guarantee that any particular message board software does or does not encrypt passwords.

 

Generally it is a good idea to have unique passwords for everything. If that is too much hassle for you, you should at least create a few tiers of passwords from "who cares" easy ones to highly secure ones.

 

Important financial sites that you use should have their own unique password that is highly unguessable and that you don't use for anything else.

 

So, I shouldn't use "bankpassword" then...?

 

hm

 

 


Thanks for the input; I suppose I was referring more specifically to financial forums, where private information can be very sensitive, and mods are obviously in a position of power to access privileged information not meant for them. Just wondering if there are any safeguards built into the forum generating software itself; I suppose it would be naive to think so. But wanted to see if others knew for certain.

 

Any truly sensitive information sent via email should be done only on secure email in an encrypted fashion. Your average email user has no idea how to do that, though.

 

No doubt even when getting SSL certificates is pretty easy.
