Regarding PMs, Clarity screws up.

Discussion in 'Administrative' started by Clarity, Dec 15, 2004.

  1. Clarity

    Clarity Will Bryant Staff Member

    Earlier today, I installed (temporarily) a piece of software called phpmyadmin. This is something of a web interface to mysql, which is the database software that stores every single little bit of data on this site.

    After installing it, I went about trying to get some information that might help me put an end to a prolonged attempt by some outsider to access the machine that BP resides on. As I am no mysql wiz, and had never used phpmyadmin, this involved the usual amount of bungling, stumbling, swearing and near-death experiences. Another part of this found me regarding someone's entry in the database, not really understanding what I was looking at, before I realized that parts of the entry were this person's Private Messages.

    Our privacy policy states that in the unfortunate event that we are forced to view PMs (by law, by threat to the ability of the site to stay online, and other equally extreme circumstances), that we (like all sites everywhere basically) have the capacity to do so. It also makes clear that it's the last thing in the world I (as I'm the only one who could) want to do.

    In fact, I'm so averse to this, that when I realized what I was looking at in the phpmyadmin entry, it felt a bit like my stomach twisted in place. I PM'd the user in question, made him aware of my gaffe and what I had seen (I believe it to be of little consequence, there was nothing sensitive in the PM seen, but that's for him to place a personal value on). I then followed that up later with an apology and better explanation of what had led to it. Part of that explanation indicated that I felt it important to say something about the mistake on the open forums, which is why I'm here now. For the record, at the time of this posting, that user hasn't responded, and this may be a far less noteworthy incident for him than it is to me. But I'm the drama queen this time and this is my show. So we continue.

    The whole point of saying this is to remind people that 'Private' Messages are private when compared to posts in the forums, but not as private as, say, an encrypted email, or whispered conversation in a closet with your imaginary friend. I have made the process to read a user's PM ridiculously complicated, even though the person who might try would have to be logged in as me. In fact, they'd have to be on my account, *and* would have to get through two layers of logins on the machine itself, just to get to the program that can accomplish this, and it's a program that has no documentation. I guess my point is, if your PMs are *ever* read, it's going to have to have been a very deliberate act, and it is ONLY going to be if there's a clear cut and tangible reason to do so. You've physically threatened someone, you're arranging, plotting or discussing a significant crime, and someone has ratted you out, or because there's some sort of legal obligation for me to release information. The point is, the only way your PMs are going to be read is if you've done something where you should probably be expecting it anyway. Unless of course, like in this case, I simply display a stunning degree of technical ineptitude. Stumbled across something I didn't mean to see while trying to fix something in the database, and end up making a rambling "Oh jeez am I an idiot" announcement like this in the forums.

    Understand that this announcement is being made because of the personal degree of importance I put on your expectations of privacy. Hopefully this will make my position on the issue clear, and also serve to remind people that if there's something so sensitive that it would be a disaster if someone else saw it, I recommend email. In over 2 years, I've been forced to check one PM on two different accounts. In both instances, there were claims of real threats of physical violence. And in both instances this proved to be true. In the same 2 years there's been a single instance of what we'll call the "Clarity and mySQL go together like two things that don't go together at all, even a little bit" rule. That was today, and I'm left feeling unhappy about it. I suppose I could argue that one "woops" that resulted in a "so what" PM being seen during a legitimate effort to protect the site from a disastrous attack is something that could be easily shrugged off, but that just doesn't really cut it for me.

    Hence the, "hey look, I fucked up" message here.

    Mea culpa.

    I've since removed phpmyadmin. It, like mySQL, Unix and PHP, is an evil and dangerous magic. I can't say I clicked on a single thing inside it, without rushing over to another window with the site loaded up to see if I destroyed the whole forum.

    If you have any concerns about PMs or privacy, I recommend checking out the privacy policy. If you still have questions, I'm available for those and ridicule.
  2. tibor75

    tibor75 Banned

    In English next time.
  3. Clarity

    Clarity Will Bryant Staff Member

    Clarity see a PM, sort of, in part, he think, while working directly with the database. Clarity make mistake. Clarity regrets. Clarity fears mySQL.
  4. tibor75

    tibor75 Banned

    tibor now understands.
  5. Clarity

    Clarity Will Bryant Staff Member

    Joking aside, the issue is a serious enough matter to me personally, that I felt the need to expose my mistake. It was entirely accidental, but that might not have made someone feel better had I stumbled across some user expressing forbidden hairy man-love for another. Not that there's anything wrong with that.

    The integrity of the site is something I take seriously, particularly as it pertains to the privacy of the users. I don't think many, or perhaps any, would/will really fault me for stumbling upon a fragment of a PM in the course of my going about the tasks related to keeping this place running -- but I feel like if I'm not open about when 'security' dips, then we create an opportunity for dips to turn into depressions, depressions into dives, and dives into Grassy. Or some other site, I just picked Grassy as a change of pace.

    The truth of the matter is this was a non-event. I recognize that even though the whole thing sort of bugged me. But not saying something about it out in the open felt a bit like saying I think it's okay, even as an accident. I don't, so you get to try and sludge through the admission looking for some semblance of a point. There is one, it's just probably better stated in my follow-up cromag summary.

    This was also an opportunity to point people to the privacy policy, and remind folks that when PM doesn't meet your needs, email is marginally more secure. At least if someone reads those, it's bound to be strangers you've never met or talked to before. Is that comforting? I should stop now.
  6. bucknut11

    bucknut11 Defense still wins Championships

    Wow. I didn't even realize we had that much privacy, even in the PM's. I learn something new about this site every day!
  7. BrutusBobcat

    BrutusBobcat Icon and Entertainer

    It really wouldn't take much programming to make the PM text field encrypted in the SQL database. I presume that the password field already is. If accidentally seeing our requests to the VG for boobie pics causes you that much stress, you might want to look into it. :wink:

    Just a thought. :)
  8. Clarity

    Clarity Will Bryant Staff Member

    Yes, passwords are. It wasn't *that* much stress. It sounds here like it was, but I was pretty exhausted by the time I wrote this and wasn't thinking clearly. Hence the sloppy gush of explanation.

    I would like to look into encrypting the PM field. But there needs to be a way to decrypt should I be required by law (I only mention this seemingly unlikely possibility because there's a current suggestion that this is possible in the near future) to look at a particular user.

    If you (or anyone else) have a good idea how to handle this, I'm interested in suggestions.

    What I saw wasn't so much important as talking about it here.
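
An added example, not part of the thread and not the forum software's own code, of the idea raised in the two posts above: the PM body is stored encrypted so that browsing the table shows only ciphertext, while a deliberate, logged decrypt remains possible. It assumes PHP 7.2+ with the sodium extension; the function names, the `pm.body` column, the key location and the choice of XChaCha20-Poly1305 are all assumptions made for illustration.

```php
<?php
// Assumption: the key lives outside MySQL (a file or environment variable the
// web application can read), so a database browser only ever sees ciphertext.
// It is generated here only so that the example runs on its own.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();

// Encrypt a PM body for storage. Sender and recipient ids are bound in as
// associated data, so a ciphertext copied onto another row will not decrypt.
function encrypt_pm(string $body, int $fromId, int $toId, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $body, "pm:$fromId:$toId", $nonce, $key
    );
    return base64_encode($nonce . $ct);   // value for the hypothetical pm.body column
}

// Decrypt a stored value; null means the data or its row binding was altered.
function decrypt_pm(string $stored, int $fromId, int $toId, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) <= $n) {
        return null;
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), "pm:$fromId:$toId", substr($raw, 0, $n), $key
    );
    return $pt === false ? null : $pt;
}

// Deliberate administrative read: refuses to run without a stated reason and
// records who, which PM and why (the array stands in for an append-only log).
function disclose_pm(string $stored, int $fromId, int $toId, string $key,
                     string $admin, string $reason, array &$auditLog): ?string
{
    if (trim($reason) === '') {
        throw new InvalidArgumentException('a reason is required');
    }
    $auditLog[] = [gmdate('c'), $admin, "pm:$fromId:$toId", $reason];
    return decrypt_pm($stored, $fromId, $toId, $key);
}

// Constructed sample data.
$audit = [];
$row = encrypt_pm('see you at the game on Saturday', 17, 42, $key);
var_dump($row);                             // what a database browser would display
var_dump(decrypt_pm($row, 17, 42, $key));   // normal read by the application
var_dump(decrypt_pm($row, 17, 99, $key));   // read attempted against another recipient's row
var_dump(disclose_pm($row, 17, 42, $key, 'admin', 'legal request (placeholder)', $audit));
```

Unlike the password field, which only needs a one-way hash, the PM body has to be recoverable, so the protection rests entirely on keeping the key out of the database and away from the tools used to browse it.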
  9. methomps

    methomps an imbecility, a stupidity without name

    Ok, that's it. Tibor, our kinky PM-relationship has to end. I can't risk us being exposed (well, exposed as being exposed to each other).

    It has been fun, you sending me naughty pictures of you with your boyfriend and me super-imposing my face over your boyfriend's face, but I'm afraid we've reached the end of the very un-straight line.

    Please, send me no more PMs of what you want to do to me. Well, at least send them less regularly.

    We can still be friends.

