Can Moderators Read Private Messages?

I have a question for you sir. Who is able to read PM's sent from one forum member to another other besides the recipient?

The PM system is quite similar to any email system, they are stored as plain text in the database on my server. There's no ability in a "out of the box" installation of phpBB or on this installation at Nepacrossroads for anyone else to access to PM's unless they are the recipient but setting up such a modification is a trivial matter. Since I have direct access to the server there is no way to prevent this access by myself, I could just read them by directly accessing the database if I wanted. All this can be done without your knowledge. This is the case with any type of communication like this, your hosting provider if you have a website or your ISP could just as easily do the same thing with email. Having said that I don't read the private communications between members and you'll just have to take my word on that.

One thing to note is if you send a message to two recipients when that sets a chain of events where any replies sent from that message will be sent to the other two people. e.g if you send a private message to Member A and Member B and Member B pressses reply both your name and Member A's name will appear in the TO: field. It can be manually removed.

There's no way I can prevent myself not being ale to have this ability and truthfully I'd like to make it so I can't. This topic came up before and I did suggest such a modification on phpbb.combut it's not a trivial matter to set such a system up. To absolutely remove the ability for me read such communications you would need to use public/private key encryption like they have for email.

In a nutshell public/private key encryption works because the only one that has access to the key that can decrypt a message is the recipient. If you wanted to send and encrypted message to someone you would obtain their public key which can be used to encrypt a message. You cannot decrypt it with the public key. You need the private key to do that. For this to work on the forum presents a few problems. Firstly these keys, specifically the private key would need to be obtained from a third party or created on their local machine because only the recipient can ever have access to it or the security completely breaks down.

The recipient would then be able to upload their public key to here which will give all forum members the ability to encrypt messages being sent to them. This is another spot it will break down because the recipient needs to take the steps before encrypted messages could be sent to them. Lastly I would need to provide a way for the web page on the recipients local machine that will access their local key.

As I said it's not an easy thing to do. If you want to protect your messages here you can still do it through other means such as sending password protected zip files which I'll note are pretty easy to break or some other form of third party encryption.

If we can't trust a MAYOR, who can we trust.

interesting question. My feeling is that if your ability is the only "chink in the armor" of protection than certainly your word is more than sufficient for me. Wouldnt that question be answered in the forum rules?

We didn't really mean that stuff we said about you, Richard.

Poconoeagle wrote:interesting question. My feeling is that if your ability is the only "chink in the armor" of protection than certainly your word is more than sufficient for me.

I wouldn't go so far as to say it's chink proof at least 100%. If someone was able to hack the phpbb script they could possibly gain access or if they hacked the server they would have access to all that information. The same goes for hosting company and ultimately the people at the datacenter where the server is physically located. Unless I had my own machine physically locked up in a room at a datacenter it's still accessible to others. The only thing that is *nearly* 100% safe (since nothing is 100% safe ) is your password because it uses a one way encryption. The password itself is the key to decrypt it so it couldn't be used by me or anyone else to try and gain access to other forums or sites you might have used the same password.

While on the topic you should never use passwords on sites like this that you may use for important stuff like banking sites. Although the passwrod storage method here is quite secure that is not the case on many applications. Personally I use Keepass to store all my passwords in one encrypted file locally.

Anyone interested in the topic of public key encryption? It permits sending e-mails that can only be read by the intended recipient. It also allows encryption of files on your computer. If a significant number are interested I'll start a new thread.

I thought everyone knew that there is zero privacy on the internet. I don't care what you do, someone, somewhere, somehow, can figure it out if need be. If you need absolute privacy, go see that person live and in person. (and then scan each other for wires)

Well Freddy the public/private key method is quite secure, even government agencies like the NSA are going to have issues breaking messages like that in any quantity if they can at all because of the tremendous processing power needed. It's certainly possible back doors exist in some commercial applications they could utilize but they or the companies certainly aren't going to tell you that. There are open source applications available though that won't have a backdoor because the source code can be examined.

Freddy wrote:I thought everyone knew that there is zero privacy on the internet. I don't care what you do, someone, somewhere, somehow, can figure it out if need be. If you need absolute privacy, go see that person live and in person. (and then scan each other for wires)

Yes Freddy , I think it is sometimes better to govern oneself using the zero privacy thought . Putting a 1 or 0 in front of something isn't my idea of deleting or eraseing something.

Poconoeagle wrote: Putting a 1 or 0 in front of something isn't my idea of deleting or eraseing something.

There's tools for overwriting data if that is your concern which will make it "gone", when you delete something it still exists until it gets overwritten. These tools overwrite the data multiple times, I believe the standard is 7 which is DOD standard.

Full disk wiping:
http://www.dban.org/
This would be the one you want when you're going to dispose of a drive.

Partial wiping:
http://www.jetico.com/download.htm
Bcwipe will do single files or unused space on your drive.

Of course that's not going to help if you don't have access to the drive.

Richard S. wrote:There's tools for overwriting data if that is your concern which will make it "gone", when you delete something it still exists until it gets overwritten. These tools overwrite the data multiple times, I believe the standard is 7 which is DOD standard.
.

When I was in the Air Force, we had to run the 3420 tape reels thru a "Degauser". A large electromagnet mounted under a slowly rotating table. I swear I could see the molecules vibrating in the tape, when it was in use. Horrendous sound too! BUT, when it was done, you were garrunteed the tape was empty. All the '1's and '0's were shaken' right out of it

To be honest, never really gave it much thought. My feeling is that pretty much anything on the net is up for grabs should
someone be so inclined to get it. Of the bazillion posts, emails, sites, etc, I would think some one would have to want it
pretty bad to find it. That and have the know how and equipment. Now if some one wants to make an effort to read messages
commenting on coal and equipment, let them have at it.

I do my banking on line.... They make things secure enough so that's fairly safe. I was just making the point that if you're doing something really really secret (Like a surprise birthday party), you should know the secret might slip out in cyberspace.

Back in 1996 I had a tour of a computer place in Florida. The brother of my AHS buddy builds secure computers for the government. He took us into the test room and showed us how anyone with the right equipment can see every keystroke you make on your keyboard from up to 750 feet away. Back then he was buying Gateway computers and rebuilding them so they gave off no signals. I don't know if he still owns that business.... he scurries from one million dollar idea to another. Last I knew he had invented a way to find cancer cells by computer.

Freddy wrote: with the right equipment can see every keystroke you make on your keyboard from up to 750 feet away.

Keyloggers are quite common, sometimes they are installed for example by parents wanting to spy on their kids but you can pick them up elsewhere. In your example you gave as bank this is one place the "chink in the armor" would be. If you somehow managed to get something like this installed the keystrokes you make are recorded and sent sent to the hacker. Computer security is only good as the weakest link, hackers don't come through the front door on a server or your machine. They find their way in through vulnerable spots.

Edit: I'll elaborate a little more, when you communicate over a HTTPS connection like a bank uses all that means is the communication between your computer and the server is secure because the data is encrypted prior to being sent so if it's intercepted in transit it can't be read by a third party. What happens before like a keylogger on your own computer for example and after such as the server storing the data insecurely is another matter. HTTPS doesn't mean the server is necessarily secure, it just means the communication is.

HTTPS is actually one thing on my to do list for logins, control panel, PM's and private forums.

Richard S. wrote:

Freddy wrote: with the right equipment can see every keystroke you make on your keyboard from up to 750 feet away.

Keyloggers are quite common.

I don't think Freddy was referring to keyloggers.

Keyboards are electronic devices and they emit electronic radiation that can be picked up with the right electronic easedropping equipment. Every keystoke can be read remotely without ever touching the computer. Installation of software is not necessary. Use of HTTPS does nothing against this form of easedropping because HTTPS doesn't encrypt until the electronic pulse from the keyboard reaches the computer.