At bare minimum I'd like a PM interface that will automatically encrypt my users' PMs.
Security is extremely important to me, dual pass logins or similar ideas would be welcomed.
Willing to pay, not made of money but don't expect it done for free.
smf 2.02
permissions admin controlled
interested in speaking with someone who could make me a custom security mod.
For what purpose, exactly?
Other than the intended recipients, the only person who could access PMs is if they had direct database access - and however it's encrypted, they could unencrypt it again.
Unless you've given someone admin permission that you shouldn't have been...
Arantor has a good point. Whoever is able to see others' PMs now will be able to in the future regardless if they are encrypted. Remember they have to be decrypted for the intended recipient to read it.
there is an outdated plugin from vbulletin that did just this, a weak encryption in the database should it ever be compromised yet both users or anyone for that matter were able to pm one another.
Not looking for military grade encryption or anything,
It doesn't matter.
If your database is compromised, so too is the code and whatever method used to encrypt will be broken too.
i prefer taking any extra security methods possible, your attitude is akin to the engine is already knocking no point in topping off the oil.
there are numerous cases including simply me wanting to assure my members i can't read their pm's..
Quote: i prefer taking any extra security methods possible, your attitude is akin to the engine is already knocking no point in topping off the oil.
*shrug* I tell the same to the people who pay me good money too. Yup, that's right, I'm sufficiently confident in this approach that I turn down people paying me money to indulge in a fallacy.
Quote: there are numerous cases including simply me wanting to assure my members i can't read their pm's..
There's three problems with that logic.
1. You're the site admin. If they don't trust you as it is, nothing you can do can fix that.
2. Whatever method is used, by definition it means you will still theoretically be able to read PMs, because it still has to be decrypted to be able to be read.
3. People do actually report PMs with inappropriate content, so by definition you must be able to read PMs anyway.
This might help -- though I have to agree with Arantor it isn't of much use: http://custom.simplemachines.org/mods/index.php?mod=2426
That's not even encryption. ;) But every single argument still applies.
Quote from: Arantor on October 23, 2012, 11:50:38 PM
That's not even encryption. ;) But every single argument still applies.
Very true, but it seems like the OP is just looking for it to not be plain text in the DB and base_64 will accomplish that just as effectively as the strongest level of encryption would.
there really isn't any logic in your statements.
Sheesh people do trust me as I'm constantly looking for ways to protect them. Niche boards like mine have taken their users for thousands just recently, I am going from VB where I had such a program. Now maybe I had access to the data but surely I could not read it. That's like passing someone a note in farsi warning them of their death and saying i warned you.
Excuse me for trying to calm down a community that's been ravaged by bad admins, how dare I try to protect anyone's sanity.
Now if all you want to do is piss and moan I do not believe I requested pissing and moaning now did I?
Quote from: Colin on October 23, 2012, 11:54:02 PM
Quote from: Arantor on October 23, 2012, 11:50:38 PM
That's not even encryption. ;) But every single argument still applies.
Very true, but it seems like the OP is just looking for it to not be plain text in the DB and base_64 will accomplish that just as effectively as the strongest level of encryption would.
Yes anything not plain text would be acceptable, anything stronger of course better.
http://www.vbulletin.org/forum/showthread.php?t=140064
Is what i used, w/o ever a problem.
like i said im not looking for military grade nor do i expect it
Quote: Yes anything not plain text would be acceptable, anything stronger of course better.
hxxp:www.vbulletin.org/forum/showthread.php?t=140064 [nonactive]
Is what i used, w/o ever a problem.
like i said im not looking for military grade nor do i expect it
Did you get a chance to try this? http://custom.simplemachines.org/mods/index.php?mod=2426
Quote from: Colin on October 23, 2012, 11:48:01 PM
This might help -- though I have to agree with Arantor it isn't of much use: http://custom.simplemachines.org/mods/index.php?mod=2426
I thank you greatly, i still would like to discuss a security type suite with any programmers.
not exactly what i was looking for but definitely better than plain text,
thanks again
Couldn't we just use the other mod and modify it to use a different source of encryption? What encryption are you looking for?
tbh it doesn't even need to be encryption as yes i know if the database is hacked any type of weak encryption is gonna be hammered as well.
of course I'd like the stronger the better but will gladly take just so i can't read, a system admin skimming that type of thing.
I tell people to use payments that secure themselves, etc but it seems it never fails some use green dots and similar.
I simply want to make it as hard as possible to read,
I tried the other plugin. says it wont work with current version.
on a side note im loving sm coming from vb
thank you again for your time :)
The other modification will do just what you described. The value will not be plain text in the database; thus if an admin is glancing over it they won't be able to interpret it (unless they decode it of course). How can I install a mod that doesn't work for my SMF version? (http://wiki.simplemachines.org/smf/How_can_I_install_a_mod_that_doesn't_work_in_my_SMF_version)
It might install if you emulate SMF 2.0 RC2.
ty colin and live627
believe i got it working. i really appreciate the friendly/fast support.
Great. Glad we could help. Let us know if anything else comes up.
Wouldn't it be best that you as the owner have complete access to all material, beside their password?
TY for the temp solution, i guess that was 1 feature my members really loved.
so my question is is there any way to port that vb plugin to smf perhaps? use an encryption possibly optional where users must share keys, or would there be any possibility of a pgp type solution?
im trying to secure and make my members happy.
ty
or another option is there a method to encrypt the entire smf database? say being unencrypted on the fly via admin keys?
Not without completely rewriting it.
Why are you so intent on implementing something that only gives the *illusion* of security, rather than actual security? If it is encrypted it can be unencrypted, and there's no reason why you as the administrator can't do that to your users' data.
Look at it this way, if you told me that you'd encrypted the data but that you couldn't decrypt it yourself, I'd wonder whether it was you lying about it, or you being too incompetent to do it. You won't like that reality, but that's how it is.
my members want it #1
#2 i could not unencrypt it
#3 lets not make any software as all software has flaws
#4 how about writing something constructive?
1. *shrug*
2. That's only because you don't have the knowledge, not because you physically couldn't. There's also no reason to assume that you won't learn that in the process of working on a forum.
3. All software has flaws. It is the job of the programmers of software (like I do as my day job) to minimise the flaws by good design. Something that gives the impression of security isn't secure, it just looks secure.
4. I have been constructive. Constructive criticism, that is. I'm trying to prevent you from 1) lying to your members about what you think you would be doing and 2) burning cash (because no-one's going to be doing this for free) on something that is broken by design.
But hey, you want to spunk cash on something that is fundamentally pointless, go right ahead.
I offered payment #1
#2 i brought up several methods including allowing users to choose to encrypt with both needing to know the key.
i guess if that's flawed every form of encryption is. please stop trolling my thread
What encryption type are you looking for?
I am honestly open to ideas, the stronger the better of course.
if it could however be something like the vb plugin where it was automatic for simplicity that would be great.
Again i know this isnt gonna be military grade unless its made very hard to use 'unless you know a way :p
Quote from: grimeg on October 24, 2012, 04:32:35 PM
TY for the temp solution, i guess that was 1 feature my members really loved.
so my question is is there any way to port that vb plugin to smf perhaps? use an encryption possibly optional where users must share keys, or would there be any possibility of a pgp type solution?
another option is there a method to encrypt the entire smf database? say being unencrypted on the fly via admin keys?
In order of security both (VB/SMF) mods use base64 decrypt/encrypt options, MySQL itself uses AES encryption SMF uses SHA-1, SHA-2 i believe there is SHA-3 coming ASAP ..
Algorithms are breakable just need to understand how it works, ...
what Arantor said is so true ... in my opinion its more a server security setup host side or at your home don't know your situation how you use it...
if ya need a more secure algorithm you have to dig into it, all algorithms are breakable but its harder to get somewhere...
this are just my 2 cents ;)
Quote: In order of security both (VB/SMF) mods use base64 decrypt/encrypt options, MySQL itself uses AES encryption SMF uses SHA-1, SHA-2 i believe there is SHA-3 coming ASAP ..
base64 is not encryption.
SHA anything is not an encryption cipher, it is a hashing algorithm. Hashing anything makes it not retrievable, which is why you use it for passwords - because you can't recover the original password out of it.
Quote: Algorithms are breakable just need to understand how it works, ...
Not exactly. The details of all of the above algorithms are all published.
Quote: if ya need a more secure algorithm you have to dig into it, all algorithms are breakable but its harder to get somewhere...
Except that by definition the details must be preserved to make it readable again (which lets out SHA anything). If you keep the details, you can decrypt it with minimal effort. It is no more secure than not encrypting it at all.
Quote: i guess if that's flawed every form of encryption is. please stop trolling my thread
The only thing that's flawed is your understanding of what you're asking for.
*shrug* What I will tell you is that any of the capable-enough programmers around here will tell you the same thing I have - like several people already have. Good luck.
I agree with ya, just what i want to tell was as the VB mod use Base64 also the SMF one use Base64 so both are pointless as an PM crypto...
it maybe looks secure but aint that way...
See, here's my main objection. If the point is to prevent the OP from accessing PMs, all he has to do is *not go into phpMyAdmin, or if he does, then not go into the main PM table*. It's that simple.
or just shutdown the PM system by the permission :P
My point was i wanted an actual system and all you have done is ****** on my thread. for the last time PLEASE stop trolling!
it shouldnt matter if i want animated bunny rabbits to jump on the screen. im asking for a feature and willing to pay for it.
And if you wanted something that's comparable to vB's system, one was pointed out to you, complete with a breakdown of why it's pointless. You said yourself you wanted what vB has, there you go, right there, already made.
Actually i did not and they do not appear to be the same again STOP TROLLING!
Pointing out the truth is not trolling. Explaining why something is so doesn't make it trolling. But since you want me to leave, fine. Just bear in mind that no-one around here with any real coding skill (or a sense of ethics) will listen.
Just a thought for you, would it have made a difference if I had an SMF team member badge? Because I am ex-SMF team, and no, I wasn't kicked out, I resigned.
might wanna rethink that truth, running text from sm plugin through base-64 decoder decodes it.
running it through vb version does not decode it. hmmm doesn't seem the same to me.
but i guess real world examples or the other countless encryption products i have used hell and the military uses dont exist either.
just delete the thread as you obviously have no wish to actually help me.
and btw you kinda lost all cred to me when you said the vb and smf are identical yet 1 encrypts and 1 doesnt
Please tell me, with links, where I said it was the same. I said they were comparable, in that neither is encryption, they are encoding processes (assuming you mean the one that uses 4 XOR processes, which merely scrambles bits but is completely reversible with little effort, especially since you don't even have to encode a key into it). The fact you can't tell the difference between encryption and encoding is another matter entirely. If you want to lay that claim, check out The Burglar's post where he says that.
I'm not a moderator, I don't have the power to delete a thread. The thing is, the next time this thread comes along, someone else will either point to this one and/or make all the same observations that I have.
EDIT: Reported this to the moderators, maybe one of them will do something about it. I also invited them to issue me with a warning for trolling if they agree (and the team has demonstrated that they're willing to issue me with a warning if appropriate)
i can show you where you said you would leave, yet have you?
I think there is a fundamental, conceptual issue that is fueling the disagreement.
The level of encryption is irrelevant to the level of security it will provide in this scenario simply because it has to be decryptable. No matter how complex the encryption is, the method to decrypt it into plain text would still be just as readily available to the person who has the necessary access.
Don't get me wrong, I understand that you want to hide the PM contents from people going through the database, but fussing with different encryption types won't provide any different result. With that said, if you still wish to not use base_64, then I would suggest having a modification made to the already existing PM mod.
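Added example, not part of the thread and not code from either mod: a side-by-side of the three things the posts above distinguish (base64 encoding, keyless XOR scrambling, SHA hashing) plus encryption with a key the server holds. The XOR constants, the sample PM and the HMAC-based keystream are assumptions made for illustration; the keystream is a stand-in for a real cipher, not a recommendation.

```python
import base64, hashlib, hmac, os

PM = "meet at the usual place, 9pm"        # constructed sample PM body
XOR_PASSES = (0x5A, 0x3C, 0xA7, 0x19)      # hypothetical constants, as if fixed in mod source

def b64_store(text: str) -> str:
    """Encoding: hides plain text from a casual glance, nothing more."""
    return base64.b64encode(text.encode()).decode()

def b64_read(stored: str) -> str:
    return base64.b64decode(stored).decode()   # no secret required

def xor_scramble(data: bytes) -> bytes:
    """Keyless scrambling: four XOR passes; running it again undoes it."""
    for k in XOR_PASSES:
        data = bytes(b ^ k for b in data)
    return data

def sha_store(text: str) -> str:
    """Hashing: fixed-size digest with no inverse, so unusable for PM bodies."""
    return hashlib.sha256(text.encode()).hexdigest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: an illustrative stand-in for a real cipher
    # (no integrity protection; not for production use).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def keyed_store(key: bytes, text: str) -> bytes:
    nonce, data = os.urandom(12), text.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def keyed_read(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:12], blob[12:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode(errors="replace")

def admin_view(db_row: bytes, server_key: bytes) -> str:
    """Whoever holds the row and the server-side key reads the PM."""
    return keyed_read(server_key, db_row)

if __name__ == "__main__":
    key = os.urandom(32)                       # would live in server config
    print(b64_read(b64_store(PM)))
    print(xor_scramble(xor_scramble(PM.encode())).decode())
    print(sha_store(PM))
    print(admin_view(keyed_store(key, PM), key))
```

Only the keyed variant resists someone who has the database dump alone; once the key sits on the same server, `admin_view` succeeds for anyone with that access.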
Quote from: grimeg on October 23, 2012, 11:38:47 PM
including simply me wanting to assure my members i can't read their pm's.
If I was a member of your forum and you told me that you couldn't read my PMs, if you wanted to, I'd leave, straight away, coz I'd know you were lying.
What I did, was this:
http://www.tlakoc.org.uk/index.php?topic=10.msg71#msg71
i have always made my members very aware of how viewable their data is to an admin. i dont see why wishing to give them some extra comfort is such a bad thing :/
i have even demonstrated how easily it is to take over their account, etc.
Quote from: grimeg on October 26, 2012, 01:41:44 PM
i dont see why wishing to give them some extra comfort is such a bad thing :/
It's not a bad thing. But, if anybody wants to share something secret, there are ways to do that.
Using the PM facility on a forum ain't one of 'em. Anyone who believes otherwise is, quite simply, off their trolley.
Also, look at it from a legal perspective. Site admins are responsible for the content on their site (Even PM stuff). So, logically, they should have access to EVERYTHING on it. Going to extremes, what if members of Al Qaeda were using your forum to pass messages? If the Feds found out about it, YOU would be the one whose door they came a'knockin' on.
In that respect, a notice, such as the one that I put, on my forum, should, perhaps, be reworded to say that they WILL be read, if suspicions were raised. Not, to make them totally unreadable (Which is impossible, anyway).