Access to PMs

JohnR

Since the red board is all in a tizzy over the alleged reading of Private Messages by admins, how about if we settle the matter over here, so we all know where we stand.

Can Pilots of America admins read our PMs?
 
I think it would be silly to assume that PM's aren't available to admins with the proper authority, but as a member of the MC I don't have the ability - or desire - to read anyone else's PM's.
 
It's not silly at all to assume that. Chuck has already said on the red board it's not an inherent function of vBulletin, and the phpBB forum I administer doesn't allow it either. Modifications are always possible, of course.
 
I'm not entirely sure why one would think that they have any right to privacy on their private messages on a private forum based on the internet. Everything I do on the internet I do fully expecting that someone else is and will read it.

If I do not want someone to read my actions I will encrypt them.

The internet by design is more or less a public network and your data can be read by more parties than you want to think about.
 
I'm not talking about privacy, I'm talking about real-world actions. Anyone can steal mail out of your mailbox, steam open the letter, and read it, but that doesn't mean they have a right to do it, and doesn't mean it's done very often. Your snail mail is just about as "private" as electronic communication in that regard. Likewise, anything on the internet can be hacked by some 17 year old kid. That doesn't make it right either.

The issue is, do POA forum admins have the ability to read PMs? I'm 99% sure they do NOT have any such ability.

The question really can only be answered by POA, with the knowledge of their specific software capabilities and limitations.

To me, privacy is sort of like right of way to a driver or pilot. Right of way is never something one has, it is something one is required to yield in certain circumstances. Likewise, no one has a "right" to privacy, but there are circumstances when we ought to "yield" the privacy of others.
 
Look at post 26 on the AOPA board. Chuck has seemed to have answered your question.

Hope that helps.
 
The issue is, do POA forum admins have the ability to read PMs? I'm 99% sure they do NOT have any such ability.

I can only tell you that as an admin I do not have that ability, or if I do I'm not aware of how to do it. I have always assumed that Chuck probably has the ability, but it's not something we've discussed as a management group.
 
I'm not familiar with the VBulletin database structure. But I doubt it's really a technical problem to access private messages. Probably as simple as: SELECT * FROM privatemessages WHERE userid = '1' ;

I really doubt that any of the management council here makes it a habit to read private messages. At the same time--In the event of a major conflict--it wouldn't surprise me if they did. Do you honestly think if worst came to worse they wouldn't look at it? If it's possible--then keep in mind that it's possible. And..It is possible.
 
I would expect if owners have any associated liability with regard to "P"M's they have access. The fact that they own the site also means they have every right to see what is going on!

Having said that, I highly doubt they would have any interest in 99% of "P"Ms and no reason to go look. (talk about boring) Give them reason however....

I think the "P" in PM needs to be changed in the interest of disclosure. How about "Directed Messages".
 
Assume they can. I'd bet that they aren't encrypted and therefore readable if they wished. I'd bet that they could even get your password too if they wanted!
 
There's no need to assume anything. I'm asking so we know for sure. I know that phpBB forum software (used for gazillions of forums out there) has no function for admins to read PMs. If the forum owner wishes, he can perform a modification to do so, but that's purely voluntary on the forum owner's part.

Chuck said vBulletin (POA's software, which is based in some way on php) also has no inherent way to do that, which I believe to be correct. Whether POA has the mod to read PMs was not addressed.

That liability issue is non-existent. The way to resolve offensive PMs is for the recipient to forward the offending PM to an admin. Admins shouldn't have to go trolling through people's inboxes for any reason.
 
My first thoughts were that somebody is just "P"MSing.

Then I thought, who in their right mind would post something in a PM that would draw the attention of the moderators, but then I remembered the 50 or so flames I got for telling the rule breakers to knock off the crap. Or how easy it would have been to copy and paste them into an e-mail to Claire, but I thought she has enough problems trying to read all the crap and place her filter on it.

IMHO the AOPA forums have turned the corner on ugly, and day by day, post by post it is becoming useless as an aviation forum. When you consider how many AOPA members have been turned off by the few who choose to break the rules, and how much aviation experience has gone with them you'll understand why I get upset about the issue.

Until such time as the AOPA staff sees fit to roll some heads over this issue they will not gain the respect of the members who continually ignore the admin and the rules.
 
I'd bet that they could even get your password too if they wanted!
Perhaps if he modified the way VBulletin handles passwords. But generally most software does not actually store your password--they store a hash of your password. This is why you always have to "reset" your password.
 
Chuck said vBulletin (POA's software, which is based in some way on php) also has no inherent way to do that, which I believe to be correct. Whether POA has the mod to read PMs was not addressed.

That liability issue is non-existent. The way to resolve offensive PMs is for the recipient to forward the offending PM to an admin. Admins shouldn't have to go trolling through people's inboxes for any reason.

It wouldn't take a mod to view the PM's. It would just take someone with a slight knowledge of SQL. Chuck is very capable of viewing PM's from the database via SQL.

Like I said. I doubt the admins do it. But if the **** does hit the fan--don't expect your PMs to be completely private.
 
As I said at AOPA, the function is not *inherent* to vBulletin.

As Jesse said, it only takes a decent knowledge of sql to do it.

So yes, I am technically capable of reading a user's PMs, but I do not do so, on principle, unless there is a situation which really and truly justifies it.

The only type of situation where I or the MC would approve the investigation of PMs would be one in which some kind of harassment, threat, or other inappropriate use has been reported to us.
 
FWIW, I am no longer a moderator at AOPA, but I did NOT have access to member's pms. Not sure about Admins, but I assume they don't either.

While reading that post over there...I gotta laugh at EVERYONE that claimed that email is private. Y'all really (REALLY) don't know what you're talking about when it comes to that. I bet you'd be hard pressed to even find an ISP claim ANY sort of privacy exists with your email.
 
Oh, we all know that online privacy is an oxymoron, but what people have a problem with is if admins actually do go into our mailboxes in a casual fashion without our knowledge. That's an abuse of power and socially unacceptable. Nothing to do with "rights", only with privileges, trust, and getting along in a social environment. It's rude to eavesdrop on the next table in a restaurant, and it's rude to read other people's PMs without their consent.
 
As an admin here, I have neither the desire, the time, nor the interest to even think about hacking the SQL database. vBulletin does not have the capability to access PMs directly - you have to get to that through the underlying database. And my SQL is very, very rusty, meaning that I suppose I could technically figure out how to do it, but it would take far more time than I have.

I am 100% in alignment with Chuck's statement above.

Having said that, I would also reiterate the statements of others that you should never assume that anything on the internet is private, unless encrypted (and even then.....). Remember that PoA is hosted on a third-party (virtual) server.....
 
Basically, the rule is that if you want to say something that you wouldn't want to be discovered via a subpoena, as a result of a disciplinary meeting, or just because you suddenly become famous and everyone is looking for dirt on you, don't put it down electronically! Count on it being found in the most ignominious manner possible and appearing on the front page of your home-town newspaper.
 
Online privacy exists insofar as real life privacy exists. There are areas where one would consider things to be private, such as emails and private messages, or your phone calls and letters. That doesn't mean that certain people can't intercept your emails and private messages or phone calls and letters. Some can accomplish it legally, some can accomplish it illegally.

I would ask how a policy of viewing users' private messages meshes with AOPA's Privacy Policy:

http://www.aopa.org/privacy_policy.html

Beyond that, I generally assume that any information I give can be viewed by the administrators of whatever website/server I'm on whenever they feel like it.
 
Well, not to make this an AOPA-centric thread, but Claire over there denies looking at or deleting anyone's PMs. Go figger.

Online privacy, or any other type of privacy, works about as well as this device:

theconeofsilence.jpg
 
Perhaps if he modified the way VBulletin handles passwords. But generally most software does not actually store your password--they store a hash of your password. This is why you always have to "reset" your password.

I stand corrected. There is another aviation related board I was on recently that did NOT encrypt your password.
 
There are exceptions. But generally, if an application isn't hashing your password, it probably has some other major design flaws and screams of an inexperienced developer that puts little thought towards security.

Here is a decent article about password hashing: http://phpsec.org/articles/2005/password-hashing.html
 
Agreed. It's one thing we look for as part of our own PCI compliance. Passwords in any sort of open text is a no-no.

But seriously, assume they can read your email, PMs, etc. I'm not going to feel violated if 'they' do. It's not my server, application or site. :)
 
Just to clarify encryption vs hashing...

Hashing doesn't do anything with the actual data, just makes calculations and produces a result. Encryption still has the original data, and with the appropriate key, you can extract that data.

For example:

If you did a ROT13 "encryption" on the password "greeborules", you'd get:
"terrobehyrf"

Now if you took that "terrobehyrf" and put it through the ROT13 again, you'd get the original "greeborules". The data is still preserved.

If you, instead, create a simple hash of the password, you won't get any discernible data.

For instance, let's make a cheesy little hash function. First let's apply values to each letter of the alphabet. a = 1, b = 2, etc.

greeborules would then become

7 18 5 5 2 15 18 21 12 5 19

Now add all of those numbers together and you get 127.

There is no direct algorithm to take 127 and get "greeborules"; HOWEVER, there is a SLIGHT drawback to hashing. Since hashes don't care about the original data, only the result of the algorithm, there can be multiple ways to get the same hash result. These are called "collisions" and while programmers strive to make every hash result unique, there is almost always bound to be a collision or two. In the above example, any user's password which happened to equal "127" would be just as authentic as "greeborules" and could be used to login. With the advanced hashes in use today, the odds are quite against you finding a collision, but the possibility still exists.

The biggest concern with hashes today are the folks with no time on their hands that create "rainbow tables", where they punch in every imaginable possible set of data (the entire rainbow) into the hash algorithm and record both the input and result. By posting these tables online, should you happen to have a password listed (or one of those freaky collisions), a hacker could "decipher" your password from the hash in the database.

I hope this didn't go too technical and perhaps gives a better insight to the realm of passwording...

If a website's "forgot my password" link sends you your password in an email, it's not really a good sign. 1) They apparently store your password in some format, or use encryption which means they can access your password whenever (or someone else if they get ahold of the key), and 2) they just sent your password in plaintext over the internet. Bad juju.

Perhaps some others can shed further light on the topic, as I don't know too much about MD5/SHA1, but for now I'm going to bed. :D
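
The ROT13 and letter-sum examples from the post above, written out as a runnable sketch (an added example, not part of the original post). It goes one step beyond the post by showing a salted, iterated hash, which is what makes precomputed rainbow tables useless; the function names, the 16-byte salt and the PBKDF2 iteration count are assumptions chosen for the demo.

```python
import codecs
import hashlib
import hmac
import os

def rot13(text):
    """Reversible 'encryption': applying it twice returns the input."""
    return codecs.encode(text, "rot13")

def letter_sum(password):
    """The post's toy hash: a=1, b=2, ... z=26, all added together."""
    return sum(ord(c) - ord("a") + 1 for c in password.lower() if "a" <= c <= "z")

def collide(target):
    """Build a different string with the same letter sum (a collision)."""
    full, rest = divmod(target, 26)
    return "z" * full + (chr(ord("a") + rest - 1) if rest else "")

ITERATIONS = 100_000  # assumed work factor for this demo, not a recommendation

def store_password(password, salt=None):
    """Return (salt, key). Only these two values go in the database."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_password(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)

if __name__ == "__main__":
    pw = "greeborules"  # sample password taken from the post
    print("rot13:", rot13(pw), "->", rot13(rot13(pw)))
    print("letter sum:", letter_sum(pw))
    other = collide(letter_sum(pw))
    print("collision:", other, "also sums to", letter_sum(other))

    # Same password, two random salts: the stored values differ, so one
    # precomputed table cannot cover both rows.
    salt_a, key_a = store_password(pw)
    salt_b, key_b = store_password(pw)
    print("stored values differ:", key_a != key_b)
    print("correct password verifies:", verify_password(pw, salt_a, key_a))
    print("toy collision verifies:", verify_password(other, salt_a, key_a))
```
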
 
Just to clarify encryption vs hashing...

I thought I heard what you said, but I think it went by so far over my head, it went by unnoticed.


But in the end, Claire has stated she doesn't read PMs unless she is asked to do so.

I think this dead horse has been beaten enough.
 
William, that's a great explanation and it made sense to me, which is really saying something. :D

Personally, I'm just not that concerned with anything I do over the internet (besides banking), that it's worth getting paranoid over security. I treat it as if we were all standing around face to face and rarely even use PMs. Nothing to hide, here.
 
William, that's a great explanation and it made sense to me, which is really saying something. :D
Same here.

Personally, I'm just not that concerned with anything I do over the internet (besides banking), that it's worth getting paranoid over security.
I'm not even paranoid about the banking part. The worst banking screwup I ever had came from a paper check deposited at a physical branch.

I will say, however, that I don't use my company e-mail address for anything except company business.
 