Forum security risk. URGENT!
Heater.
Posts: 21,230
I recently got confused over private messaging and that "activity" feature of this forum. What I thought was a private message ended up plastered into a public "activity" area.
Turns out I am not alone in this confusion. Many other people have made the same mistake.
Looking at my activity area now I see many messages that were obviously intended to be private. How do I know that? They say so like this:
"I don't think it would be in the best interest of Parallax for me to ask this question publicly, so I'm asking it privately."
There are messages there between forum members discussing me. Obviously those messages were not intended for my eyes.
This is a grave privacy concern. The "activity" area is not just brain dead. It's dangerous.
Please remove it as soon as possible.
Comments
The activity feature acts like a common whiteboard. I wouldn't call it a security risk. In fact it's fairly helpful in catching a high % of spammers too before they get to the main forum pages.
That said, I don't disagree that the MESSAGE button which appears in every user's profile for sending PMs could be a bit more obvious (or at least explained). So your feedback noted!
Without it, the blogs would not get posted there, and would be easier to find on the main forum page.
As Moderators, we would not see the newly signed up members, which we can catch deliberate spammers, so it's a catch 22.
I sent an email to Bumb to see if we can delete the Activity area. I'm not sure they can do that.
Sorry to be so boring as to be unworthy of stalking after 15 seconds. On the other hand you have spent more than 15 seconds writing that statement. I will leave it to others to figure out what that means.
@VonSzarvas,
Given the number of messages I see that are obviously intended to be private but published publicly I would call it a "privacy risk". There are no two ways about what is happening here.
So, yes, something more obvious to distinguish "public white board" from "private message" is obviously required.
But, but, isn't the forum itself supposed to be a public white board? This "activity" thing is totally redundant. As well as dangerous.
Of course, you don't have to be the sender of the message to have your privacy violated, you can be an unexpected recipient... tarred with the contents of something that was unsolicited.
After that, one simply begins to distrust privacy in general on the Forums. Is that the objective or an undesired side-effect?
Parallax took prompt action to fix this problem... by writing a Tutorial on how to write private messages. Kind of a band-aid approach.
Both Jim and I are in agreement that some benefit could be had from looking at the activity feature again, and that has been fed back to Parallax. Let's wait and see what the input is from Parallax before we burn the candle from all 3 sides.
One of the mods will update on this thread in a few days.
Thanks all.
Edit: strike tongue-in-cheek quip; misunderstanding avoidance.
No suggestion of conspiracy here. I'm sure everyone involved means well. I certainly don't mean to imply otherwise.
Just bringing to attention misfeatures of the forum software. Features that may not be working as people expected.
I am waiting to hear to see if the "Activity" portion can only be available to Admins or Mods. Monday at the earliest.
And if anyone is concerned, Moderators cannot see PMs, only the stuff in "Activity", as can any member logged in.
But I'm going to let all of you Mods figure it out on your own before deciding what I'll do with it.
In other words, the HTML pages between the two are overly integrated. I have no idea what inspired that, but get rid of it.
It also might help to make it a bit more clear about how to remove a message from the Activity page. As it is, there is a tiny icon that one has to discover. I do realize that the fonts are trying to provide service for pad phones, netbooks, notebooks and desktops -- but trying to discover that tiny icon was difficult. How about a more concise box with 'delete'?
-Tor
Ray
Edit: at the very least, change "message" to "send private message". This can be done right now while a more appropriate solution is devised.
That's what I want. Good show there.
I agree with those thinking something should be done about this.
For sure nobody is using it seriously. Why would they?
Point is to stop them using it accidentally thinking that what they are writing is private.
From what I can tell, nobody used the feature as intended.
As intended, it's just a PA type thing, good for a quick shoutout, etc...
We just don't do that in this community. So, it's a no brainer. Ditch it.
I don't get it.
If I want to discuss something I start a thread here and see what happens.
If I want to write my own serious content I use a blog site or whatever or set up my own.
Hopefully Parallax will go forward to get it removed.
(I'm just a Mod and cannot change the software, only suggestions from what you guys want. I'm on your side).
Thanks, Ray... I feared that I might be the only one having had difficulty with locating the Delete.
HINT -- Look for the tiny bold X. In my case, I think the display actually offers up only the left hand side of the X .... and that is why I didn't catch on for a while.
Why only half? Perhaps, something is odd about the relationship between the selected Font and the HTML layout giving enough space for whole characters.
One simply was to have a discussion off the beaten path. Sometimes quieter.