Shoutbox

Privacy Issue - regarding @msgplus.net emails! - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: General (/forumdisplay.php?fid=11)
+---- Forum: General Chit Chat (/forumdisplay.php?fid=14)
+----- Thread: Privacy Issue - regarding @msgplus.net emails! (/showthread.php?tid=29766)

Privacy Issue - regarding @msgplus.net emails! by EvilSeph on 08-10-2004 at 10:59 PM

Where has our privacy wandered off to?

Well well well, I've just learnt something that really ticks me off. My privacy has been violated. I know I get what I paid for but this is COMPLETELY ridiculous. I for one am disappointed in the lack of care taken to secure my @msgplus.net account password. I wouldn't mind if it were forum staff or people I know and trust that moderate the accounts but lettings someone, whom I DON'T TRUST moderate the accounts isn't what I call respecting my privacy. Now that may not be as bad as it seems but combine that with plain text password storage...and there goes my privacy completely. Now what if I used the same password everywhere? "universally" so to speak? There's a possiblity all those accounts could be lost, thankfully all those accounts I have each have a different password. But this isn't really about me it's about everyone. Everyone and everyone's privacy. Now I understand if you've used the same password for everything and I wouldn't call you foolish for doing so..because I'd do the same too as I really trusted the services this community has to offer, but not anymore.. Any trust I have for the services this community provides have been reduced to little to nothing now. I'm not happy about XxRebelSeanxX having access to my plain-text-stored passwords and I don't think other people are happy too. I have nothing against RebelSean, I just don't trust him. For things he's done in the past and for other reasons too. If only you had asked the users for their opinion on who should be allowed to moderate our accounts..then this wouldn't have happened... The fact that RebelSean, someone I really DO NOT TRUST has full access to my password (which, I must emphasise is STORED IN PLAIN TEXT) isn't the only thing that pissed me off, as you've probably already guessed. Why, oh why, are our passwords being stored in plain text in the first place? Why, oh why, are people whom you don't even know being given access to your possessions without your permission? Don't answer that, there's no excuse for recklessness or laziness.

*takes a deep breath*

I don't know why RebelSean has access to moderate our accounts, MY ACCOUNT especially, and I don't know why he was chosen instead of a forum staff member whom we all probably trust..but I hope this get's rectified immediately even if I probably won't be using any services this community offers until I'm well aware of how secure it is and how well thought over the data storage scheme is. I may sound demanding, but hey, I'm pissed off. You just took away my privacy, one of the things that's truly mine. One of the things I thought was safe when I signed up for a(n) @msgplus.net email. Please reconsider your password storage solutions and please, please, PLEASE don't go giving out access to random people that you trust, but we don't. I don't care if your opinion counts the most, we're the ones using the service and sorry if I sound harsh but, if I can't place my trust in your hands, and expect that my voice will be heard and my opinions considered then I don't think I want to utilise the services you offer. That's how it goes, you've given someone I don't trust access to my password (which I once again stress is NOT encrypted) and as a result you've thrown my trust out the window as if it was nothing.

*tries to calm down*

Well, if people like RebelSean can get access, _so easily_, to my passwords then who knows who else can go about doing so too? All I have to end in saying is that you've successfully lost my trust. From now on I'll think it over really hard when you guys offer services to us. Free or not, this is utter bullshit. This is COMPLETELY unacceptable.

-EvilSeph


johnny: removed ALL CAPS from title.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by SonicBoom on 08-10-2004 at 11:03 PM

quote:
RE: Emails @msgplus.net available again!
In reference to a number of concerns regarding the "help" activating accounts, I have gone back to activating them myself.

Just to address one of the concerns, plaintext passwords are not available on existing accounts, only new signup requests.  If you would like however, you may change your password by submitting a request to rbewley@eq-sys.com, and your password will be changed per request.

I apologize for any confusion and hope that everyone finds this solution suitable.

Thank you,
SonicBoom


RE: PRIVACY ISSUE regarding @msgplus.net emails! by Dane on 08-10-2004 at 11:05 PM

I completely agree with you EvilSeph.  XxRebelSeanxX is the worst candidate ever to get this option.  There are people that have been at these forums far longer and are far more trusted to do this job.

This was a fast decision and the person given these powers wasnt looked into.  I agree with you, I will now be reconsidering what MsgPlus services I use if any new ones come out.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by EvilSeph on 08-10-2004 at 11:08 PM

Alright, however I still don't understand how and why anyone that doesn't already have access/had access to the old system could so easily get access to our accounts, with our passwords.

Sorry if I really sound rude, or unappreciative, I'm not doing it on purpose, this just makes me angry :s...


RE: PRIVACY ISSUE regarding @msgplus.net emails! by jren207 on 08-10-2004 at 11:10 PM

shouldn't the passwords be encrypted using MD5?? etc.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by SonicBoom on 08-10-2004 at 11:10 PM

To address another concern, passwords are not stored on the mailserver in plaintext.  I could not even extract them.  I also keep a mysql version as a backup (and in case we ever changed mailservers or the like) where passwords are stored in plaintext.  Nobody except myself has access to this.

[EDIT] Also, the moderation script does not access this database, and cannot pull plaintext passwords.

SonicBoom


RE: PRIVACY ISSUE regarding @msgplus.net emails! by Concord Dawn on 08-10-2004 at 11:12 PM

OK. I have a problem with this. I'm sure that he won't do anything stupid unless provoked, but that's hard not to do. He is known to be quick to anger. I don't like the idea that he has access to ALL PASSWORDS in plaintext. I request either a GROUP of people be instated or encryption to the passwords be used. I will definetly not be using an @msgplus.net account in the near future.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by RebelSean on 08-10-2004 at 11:14 PM

Sorry if I caused anyone any trouble. I never knew that anyone would have a problem with this. Tbh, even if I did know your password, it don't make a difference. SonicBoom trusted me in doing this, and I have done nothing wrong. Not sayin you hav accused me for doing wrong but I didn't. Now, I will not be helping SonicBoom with activating the accounts.The ony reason I have asked him for me to help out with this, is because he got so behind, so I thought that he could use some help. Now this said, I don't think it is a real problem as for I am not immature as for going out with anyones passwords and doing immature things with them, like Seany did on IRC. I am not that immature and I would never do that. I am not that rude and mean. As SonicBoom said the passwords are no longer stored in plaintext.

Sorry I caused you all trouble again.:),



Sean.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by EvilSeph on 08-10-2004 at 11:14 PM

Well SB, I apologise if I'm wrong, but I was informed otherwise..

^^

Edit: Well, that tells me they were, which I'm glad has changed. But I'm still going to be cautious.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by marissa on 08-10-2004 at 11:19 PM

quote:
Originally posted by XxRebelSeanxX
Sorry if I caused anyone any trouble. I never knew that anyone would have a problem with this. Tbh, even if I did know your password, it don't make a difference. SonicBoom trusted me in doing this, and I have done nothing wrong. Not sayin you hav accused me for doing wrong but I didn't. Now, I will not be helping SonicBoom with activating the accounts.The ony reason I have asked him for me to help out with this, is because he got so behind, so I thought that he could use some help. Now this said, I don't think it is a real problem as for I am not immature as for going out with anyones passwords and doing immature things with them, like Seany did on IRC. I am not that immature and I would never do that. I am not that rude and mean. As SonicBoom said the passwords are no longer stored in plaintext.

Sorry I caused you all trouble again.:),



Sean.



Sonicboom trusting you is a whole different story, the point of evilseph writing that was to say that more than half the people on these forums dont trust you, and probably dont trust a lot of people with things such as passwords, as evilseph said, they could use the same passowrd for everything. Say once on IRC, if someone kicks you, you could easily get pissed off and close the account, or do stupid things to it.  And um, if you're helping out, wanna tell me why my 2 week over due mail hasnt came?:D
RE: RE: PRIVACY ISSUE regarding @msgplus.net emails! by SonicBoom on 08-10-2004 at 11:21 PM

quote:
Originally posted by EvilSeph
Well SB, I apologise if I'm wrong, but I was informed otherwise..

^^

Edit: Well, that tells me they were, which I'm glad has changed. But I'm still going to be cautious.


Let me clarify further.  Passwords are not stored on the mailserver in plaintext, they are encrypted using md5, and Sean never even had access to the md5 hashes.  Through the GUI I gave him, it is only possible to change a password.

Regarding the signup script, new accounts displayed password before activation; existing ones were not and are not accessible.  There were only a small number of accounts activated by Sean.  Regardless, if you would like to change your password, you are free to do so.
RE: PRIVACY ISSUE regarding @msgplus.net emails! by RebelSean on 08-10-2004 at 11:22 PM

quote:
Originally posted by marissa
Say once on IRC, if someone kicks you, you could easily get pissed off and close the account,


No I would not. As I said before I am not that freakin immature to do those childish things. Tbh, I dont even go on irc that much b/c they discconect my computer wene I get on there , and nothing has been done about them doing that. No im not sayign thats your problem, im saying that as a fact...'


quote:
Originally posted by marissa
And um, if you're helping out, wanna tell me why my 2 week over due mail hasnt came?


I am no longer helping SonicBoom out due to this problem.:)
RE: PRIVACY ISSUE regarding @msgplus.net emails! by marissa on 08-10-2004 at 11:23 PM

No, that just happened a few minutes ago...I'd really like to know why i didnt get an activate email when you were helping.


RE: PRIVACY ISSUE regarding @msgplus.net emails! by RebelSean on 08-10-2004 at 11:26 PM

Tbh Marissa, I haven't seen your request during the 3 days I was activating accounts.So you have to talk to SonicBoom about that.:)


RE: PRIVACY ISSUE regarding @msgplus.net emails! by jren207 on 08-10-2004 at 11:28 PM

has mine been activated if you know?? thnx :S


RE: PRIVACY ISSUE regarding @msgplus.net emails! by RebelSean on 08-10-2004 at 11:30 PM

I think I activated your a bit ago. Go see! :)


RE: PRIVACY ISSUE regarding @msgplus.net emails! by EvilSeph on 08-10-2004 at 11:32 PM

Great SB, I'm glad you've rectified the problems I've outlined. I don't mean to start some kind of flame-fest, this is just a notice and I mean no disrespect, but you should ask the users if they're comfortable with people having, access, however little, to their passwords. That's just my opinion, thanks for providing the service to us, I really do appreciate it. I'm just angry because of the problems outlined in my first post..but they seem to be fixed so, let's get on with life :p.


RE: Privacy Issue - regarding @msgplus.net emails! by SonicBoom on 08-10-2004 at 11:36 PM

Alright, here's a policy privacy I propose to address this, please let me know if it works for everybody and we can get this resolved.

http://www.eq-dev.com/msgplus/agreement.html


RE: Privacy Issue - regarding @msgplus.net emails! by Johnny_Mac on 08-10-2004 at 11:36 PM

I see why some people may be concerned, but in all honesty, some responsibility is down to us. We signed up to it, did anyone ask about the encryption etc before hand? Did anyone care? its just an example of how users have to be vigilent at all times.

Hmm... theres nothing more to say. :^) :P


RE: Privacy Issue - regarding @msgplus.net emails! by EvilSeph on 08-10-2004 at 11:47 PM

I didn't even think to ask :\, I thought it would be naturally done. Either way, you're right, it is partly our fault too.

Perfect I think, but either way, this has opened up my eyes, I'm now going to investiage services before using them.

Specially after the youvegotpost incident, damn those admins on there were real asses (or was it one admin?). Anyway, thanks again SB.

Once again, no disrespect intended, nor do I aim to offend anyone.

-EvilSeph


RE: RE: Privacy Issue - regarding @msgplus.net emails! by SonicBoom on 08-10-2004 at 11:56 PM

quote:
Originally posted by EvilSeph

Once again, no disrespect intended, nor do I aim to offend anyone.

-EvilSeph


No offense taken, let me know if there's anything else I can do :)

SonicBoom
RE: Privacy Issue - regarding @msgplus.net emails! by Sunshine on 08-11-2004 at 01:04 PM

SonicBoom, how about the possibility for ppl to change their password emselves..as possible with hotmail etc etc.??? That way ppl can change their password regurarly if they feel its needed without too much hassle an third parties beeing involved ;)