Can Moderators and Administrators read PM's?

Discussion in 'Et Cetera, Et Cetera' started by Drifterwood, Jul 12, 2007.

  1. Drifterwood

    Gold Member

    Joined:
    Jun 14, 2007
    Messages:
    15,724
    Likes Received:
    386
    Location:
    Fingringhoe (GB)
  2. B_big dirigible

    B_big dirigible New Member

    Joined:
    Dec 27, 2005
    Messages:
    2,739
    Likes Received:
    0
    You expect them to admit it?
     
  3. Drifterwood

    Gold Member

    Joined:
    Jun 14, 2007
    Messages:
    15,724
    Likes Received:
    386
    Location:
    Fingringhoe (GB)
    Silence will be all too clear.
     
  4. Pecker

    Pecker Retired Moderator
    Gold Member

    Joined:
    Mar 5, 2002
    Messages:
    83,922
    Likes Received:
    34
    Only those sent to us individually just as any other member. We have no access to others' PMs. That is why they are called private.
     
  5. snoozan

    Gold Member

    Joined:
    Sep 23, 2006
    Messages:
    3,568
    Likes Received:
    4
    From moderating and administering a forum much like this one (though it didn't use the same software, but the are all similar), PMs couldn't be read by moderators and couldn't easily be read by administrators. I'm sure Rob_E could read the PMs if he so chose, though it would mean getting into the master database. I think this forum is run on vbulletin.

    This is what I read on the vbulletin forum (quote is from a Vbulletin rep):

    "This ability to read your members' PMs is not built into vB. However since you presumbly have access to the database you could conceivably access these directly in the database. That's not something I recommend however."

    There is, apparently, a hack you can install so that the admin can read PMs. I guess Rob_E would have to have that hack installed to read them. I would think this is something that should be addressed in the ToS, personally. I'd like to know if my PMs are being read, and if so, would use the PM function less and use other methods to communicate with members.

    from here:

    admin reading others "pm's" - vBulletin Community Forum
     
  6. Drifterwood

    Gold Member

    Joined:
    Jun 14, 2007
    Messages:
    15,724
    Likes Received:
    386
    Location:
    Fingringhoe (GB)
    Can you see who is PM'ing whom?
     
  7. B_big dirigible

    B_big dirigible New Member

    Joined:
    Dec 27, 2005
    Messages:
    2,739
    Likes Received:
    0
    I have never run a vBulletin forum. In the forum software with which I am familiar, no one can access PMs directly except the member with the account password. The password is not accessible even at administrator level. The passwords are stored in hashed form in the database itself. The site administrator (which may or may not be the forum administrator) has access to the database, but can only read the hashed versions of passwords. However, the hashed password can be edited (that is, changed) directly in the database. The password itself - not its hashed version - can also be changed at forum administrator level. So the site or forum administrator can change the password, then log in as the member and read PMs (or delete them, send new PMs, etc). However the old password is lost in this process, so the real member will know that something's up the next time he tries to log in.

    There is another possibility. The site administrator could dig into the database and copy the hashed form of the password. He could then change it to a new password, and log in to fiddle with the PMs. When done, he could then paste the old hashed password back into the database. This would probably restore the original password to the account, so that the member wouldn't notice when logging back in. I haven't tried this myself, though, so don't know if it would actually work.

    On my own forum, it is occasionally useful to be able to work directly with hashed passwords. The standard password test is 098f6bcd4621d373cade4e832627b4f6 in its hashed form.
     
  8. Freddie53

    Gold Member

    Joined:
    Nov 19, 2004
    Messages:
    7,285
    Likes Received:
    60
    Gender:
    Male
    Location:
    The South, USA
    Thanks for the technical information. Neither the coordinators nor the moderators can read private messages here. Rob E is pretty busy. I don't know what functions he can and can't do.

    I do know that members can forward private message to whomever they wish. We have seen private messages appear here on the public board. Fairly easy just a cut and paste procedure.

    And some members have sent copies of private messages that they have received to a moderator (s). That is the only way that moderators have received information from private messages.

    Private messages are just like e-mails. They can be forwarded by the owner to someone else. So the question is, "Can you trust the person that you are sending the private message to?" If you can, send that private message. If you can't and want it to remain private don't send it.
     
  9. Drifterwood

    Gold Member

    Joined:
    Jun 14, 2007
    Messages:
    15,724
    Likes Received:
    386
    Location:
    Fingringhoe (GB)
    Freddie? Pex?
     
  10. dong20

    Gold Member

    Joined:
    Feb 17, 2006
    Messages:
    6,130
    Likes Received:
    5
    Location:
    The grey country
    Nor have I, but yes, if a password as stored is changed it will lockout it's user.

    It would depend on whether the database merely stores the data as it's entered or encrypts the data as it's entered in which case re-entering the encrypted version of test '098f6bcd4621d373cade4e832627b4f6' would cyrpt that, thus rendering it useless as a 'hack'. That's the way a 'proper' encryption system works, at least at this level.

    Many systems use a simple crypt key stored either in the database (or a config file) which is used to crypt and decypt data as it's entered and read respectively. If that's known then decrypting and re crytping a password (or any other encrypted data) is a snap and, logging aside undetectable by anyone.

    I assume it encrypts then stores the password as plain text then decrypts to authenticate, that's the easier, more normal path? To be honest I can't recall if MySql even supports true encrypted fields. I've not used it for ages, do you know if it does, save me a Google?

    I have no idea how this board is set up but I doubt it's especially sophisticated, the content simply doesn't warrant any signficant level of security, which paradoxically, means said content (a few PM's perhaps) are probably safe merely by not being worth any effort to obtain. I wouldn't worry.
     
  11. naughty

    Gold Member

    Joined:
    May 21, 2004
    Messages:
    12,837
    Likes Received:
    14
    Gender:
    Female
    Location:
    Workin' up a good pot of mad!

    Im just curious what brought all of this about? We are basically too busy trying to make sure underaged kids are not here and chasing trolls. By the way, who is Pex?
     
  12. D_alex8

    D_alex8 Member

    Joined:
    Dec 15, 2005
    Messages:
    8,602
    Likes Received:
    11
    Gender:
    Male
    Location:
    Germany
    I suspect he's a friend of Lecker. :rolleyes:
     
  13. naughty

    Gold Member

    Joined:
    May 21, 2004
    Messages:
    12,837
    Likes Received:
    14
    Gender:
    Female
    Location:
    Workin' up a good pot of mad!

    You just made me lose my soft drink.... LOL!
     
  14. snoozan

    Gold Member

    Joined:
    Sep 23, 2006
    Messages:
    3,568
    Likes Received:
    4
    i think you all have me on ignore. if not, read this:

    admin reading others "pm's" - vBulletin Community Forum

    the technical information with changing passwords is interesting, but there is a apparently hack that was written for admins to access PMs, though it's not built into the software originally. in essence, then, it's up to Rob_E whether he reads PMs or not.

    honestly, i'd venture to say he doesn't as it's common practice on internet fora that PMs are only read by the sender and the recipients.
     
  15. B_big dirigible

    B_big dirigible New Member

    Joined:
    Dec 27, 2005
    Messages:
    2,739
    Likes Received:
    0
    Oy, no idea. I can get into the MySQL database with phpMyAdmin and fiddle around inside any of the tables. I have been informed by someone who should know that pasting the hashed password in the right place will change the real password. I don't claim to be a whiz at either databases or encryption algorithms, so generally I keep my fingers out of there until there's an actual crisis.
     
  16. dong20

    Gold Member

    Joined:
    Feb 17, 2006
    Messages:
    6,130
    Likes Received:
    5
    Location:
    The grey country
    I used to get paid loads to be one, though I never felt especially whizzy, I like to think I could hold my own. But outside of performance tuning etc I adopted (and still do adopt) much the same strategy as you. As they say, if it ain't broke...:smile:
     
  17. B_big dirigible

    B_big dirigible New Member

    Joined:
    Dec 27, 2005
    Messages:
    2,739
    Likes Received:
    0
    Hmmm. Old thread. But if it was available then, it's probably available now.

    I just looked at the support forum for the software I use nowadays, phpBB 2, and apparently it has such a modification also. I have no intention of adding it to my forum, though. Possibly the PMs are readable directly in the database, without logging in as the user and fooling around with all that password stuff. If so, it's still limited to the site owner, as not even forum administrator level has direct access to the database.
     
  18. snoozan

    Gold Member

    Joined:
    Sep 23, 2006
    Messages:
    3,568
    Likes Received:
    4
    ok, this thread is from last week. it says essentially the same thing:

    Read Members Pm's - vBulletin Community Forum
     
  19. Freddie53

    Gold Member

    Joined:
    Nov 19, 2004
    Messages:
    7,285
    Likes Received:
    60
    Gender:
    Male
    Location:
    The South, USA
    LOL. If you knew me well, you would know that I wouldn't be able to tell who is sending pm's at a particular time. I do well with cut and paste. And I can do a few functions. But be the authority on the tech stuff here? Well, actually no.
     
  20. B_big dirigible

    B_big dirigible New Member

    Joined:
    Dec 27, 2005
    Messages:
    2,739
    Likes Received:
    0
    "Superadministrators", huh?

    Well, whatever vBulletin has available for snooping in the closets, it looks like moderators and administrators don't have it.
     
Draft saved Draft deleted