Daily "Check In" Thread For Us

[yankees60]

Yes, only the people who actually run the site would be able to read private messages, not run-of-the-mill moderators or even admins.

So you are this forum's administrator. Who are the people who actually run this site?

[Smith1776]

I'm guessing Craig R.?

[yankees60]

I'm guessing Craig R.?

That is what AI confirms: "Gyroscopic Investing is privately owned and operated by CraigR (Craig Rowland)."

If is true that Craig can see anyone's private messages. then how can they be called "private".

I thought it would be like when I call representatives for something .. they tell me I cannot see your password. But apparently it is not?

[yankees60]

From the below it seems like access various from forum to forum even using the same software?


In phpBB forums, private messages (PMs) are primarily accessible only to the sender and recipient. These messages function like private emails between users and are stored securely within individual user accounts.
​

Access Permissions
Standard members cannot view others' PMs unless explicitly granted permission by the account owner, such as through forwarding options if enabled by admins. Forum administrators and super moderators typically have elevated access to manage or review PMs for moderation purposes, such as investigating spam or abuse, depending on the forum's configuration and extensions installed.

Admin Controls
Admins can configure global PM settings—like enabling attachments, BBCode, or mass messaging—but do not automatically gain read access to all PM content without deliberate actions like database queries or custom mods. Some forums explicitly state that even tech admins cannot access PMs without owner-level privileges.

[dualstow]

Yes, only the people who actually run the site would be able to read private messages, not run-of-the-mill moderators or even admins.

So you are this forum's administrator. Who are the people who actually run this site?

The Zionist Conspirac- oh, sorry, wrong forum.
Probably Craig.

[Smith1776]

I have always assumed that either Xan or Craig would be able to see our search queries too.

[Xan]

When Craig stepped back from the forum, he did so completely. In fact he had originally planned for it to disappear. He hasn't had anything to do with the forum, other than being a member, for many years.

The forum is hosted on a Linode rented by me. I administer the (virtual) server. I have access to the database, and so in theory I know everything that the software itself knows. If it can show you a private message, then I could go in and see that message. They are called private messages because they aren't published for all the world to see like most messages on a web forum are.

For emergencies, in case something happens to me, Dualstow has access to the Linode account, and in theory he also could see the entire database. (Thanks Dualstow!)

As I said earlier, a message is only truly secret from middlemen (which the forum is) if it is end-to-end encrypted. If the forum were only storing the encrypted version of a message, and you personally held the decryption key, then neither the forum nor I would have access to the plain text.

Passwords are different: in order to validate your password, the forum doesn't need to know what your password is. Systems shouldn't ever store passwords, they should store hashes of passwords. For example, "12345" run through the MD5 hashing algorithm (just for example) is "827ccb0eea8a706c4c34a16891f84e7b". We would store "827ccb0eea8a706c4c34a16891f84e7b", and only passwords which hash into that string are validated. (There are other details but these are the basics.)

So again, I know what the forum knows: I know that your password hashes to a particular long string of gibberish, but I don't know what your password actually is. And even if some third party knew the long string of gibberish, that wouldn't give them access to your account. This is why customer service reps don't know what your password is. If at any time a customer service rep DOES know your password, or you get it emailed to you, etc, then you know your password is being stored in clear text, and that is a massive problem.

However, I should point out that every time you enter your password into the login prompt, you are giving it in clear text to the server. (It's encrypted in transit, so it isn't given to any middlemen, but it is given to the server.) So in theory, I could intercept your passwords at that point and nefariously record them.

[Xan]

In terms of private messages, this isn't different from your email provider. Unless you are hosting your own email, then your provider has access to all your email. If it's stored on their server, they have access to it, and if it so much as passes through their server on its way to you, they could record it.

If you encrypt your email end-to-end, where only you have the decryption key, then they're only storing gibberish they can't understand.

In this case, I am the "email" provider for private messages.

[Xan]

Oh I should also point out that in theory, Linode has access to all this too! And even more in theory and less likely, the people who run the datacenter.

[Smith1776]

Xan: the best forum steward on the internet!

[Xan]

Xan: the best forum steward on the internet!

I'm glad you think so! I fear I've disappointed many of you on this private message thing, though. There isn't much that I could do to improve the situation, I don't think.

[yankees60]

Xan!

Many thanks for all the detailed information. Quite helpful.

For many years I've been well aware of the vulnerabilities of email. However, for those who can illegally get at my emails ... they have certain motivations. They are not seeking to retaliate against me for something I have done regarding them but, instead, are trying to steal something from me. Of course, not what I want to happen but a separate issues from what is being discussed here.

So, in contrast assume you'd taken some action here in the forum against me. Then I engage in a private message with Dualstow regarding that action. Until now I had been assuming that you would not have access to this discussion. Now I know that you do.

You were only being used as an example given that you are this forum's administrator. The example does not apply to you as you are an exemplary moderator. Taking an extreme light-handed approach, only taking actions when necessary. You treat us all like fellow adults.

I contrast that another forum where there are many (unclear) rules to be followed, the moderation is heavy handed, no discussion as you (as administrator) and I just engaged in is allowed or tolerated, warnings and bans are handed out in an arbitrary fashion. The administrators are the parents, and all the participants are its children. For that type of forum I'm not going to want to discuss anything in any private message regarding forum administration as I don't want to provide to the administrators any opportunity to have access to my private thoughts, intended only to be shared with one other person.

This has been both highly enlightening and useful to me. Thanks again, Xan! And, thanks for keeping us going for many years after Craig wanted to end this forum. Should I now henceforth address you as Saint Xan??!!!

[Xan]

Thanks for the kind words. Not everyone would agree with you. When I started, I had visions of me being the technical administrator and others handling any kind of user issues. Unfortunately that's not how it played out: the buck ends up stopping with me, and I don't really like that, but it's been a long time since we had significant issues here which is nice.

[yankees60]

Thanks for the kind words. Not everyone would agree with you. When I started, I had visions of me being the technical administrator and others handling any kind of user issues. Unfortunately that's not how it played out: the buck ends up stopping with me, and I don't really like that, but it's been a long time since we had significant issues here which is nice.

I am the coach of two adult coed softball teams. Of course, I always think that what I'm doing is correct and try to explain to all. But they don't always agree with me. Imagine that!

So, I'm well aware of what comes from taking on positions of responsibility.

You may make decisions here that I don't agree with, but the difference is that you have responsivity here while I do not.

People love to exert authority while assuming no responsibility. Those who do assume responsibility do have the right to exert authority.

Of course, one should strive to gather as much information as reasonably possible prior to exerting that authority.

[Jack Jones]

Xan: the best forum steward on the internet!

I'm glad you think so! I fear I've disappointed many of you on this private message thing, though. There isn't much that I could do to improve the situation, I don't think.

Not me. The current setup is how I expected it to work. Thanks for running the forum.

[Mountaineer]

Xan: the best forum steward on the internet!

I'm glad you think so! I fear I've disappointed many of you on this private message thing, though. There isn't much that I could do to improve the situation, I don't think.

Not me. The current setup is how I expected it to work. Thanks for running the forum.

Yes, thanks Xan for performing what can be a thankless task. I too appreciate your work.

[dualstow]

Xan is awesome.
I’m just an occasional spam squasher.
I should say a belated thank you l82start for letting me join when another person was needed.

[dualstow]

{ Meta-Whatsapp lawsuit }

I pretty much always assumed that they could, regardless of whatever they said in public.

On the other hand:

WhatsApp Lawsuit Draws Skepticism From Cryptographers, Privacy Lawyers
A proposed class action accusing Meta of accessing WhatsApp messages is drawing early skepticism from experts, claiming it lacks evidence.
By Jason Nelson
https://decrypt.co/356119/whatsapp-laws ... cy-lawyers