Hi there,
I've set up a local message area and set "Msg Kinds" to "Private". I
uderstand that by doing things this way, only the sender and addressee of a specific message can read it. Still, other users can use "Quickscan" to view who sent a specific message, who was the addressee for that message and what its subject was.

My assumption would be that if "Msg Kinds" is set to "Private", a user
would only be able to see his/her sent/received messages. It seems to work
that way if "Msg Kinds" is set to "Private" on a non-local, Echomail message area.

In other ways: is it possible to have a non-networked (local) but private message area similar to what "personal messages" are on other BBS systems?

Kind regards,
Niels


Greetings, Niels Haedecke

--- MBSE BBS v1.0.7.13 (GNU/Linux-ARM)
* Origin: Wintermute BBS (2:240/8002 2:240/1895 75:49/1895) (2:240/8002)

Hello Niels!

Wednesday December 11 2019 11:23, you wrote to All:

Hi there,
I've set up a local message area and set "Msg Kinds" to "Private". I uderstand that by doing things this way, only the sender and addressee
of a specific message can read it. Still, other users can use
"Quickscan" to view who sent a specific message, who was the addressee
for that message and what its subject was.

My assumption would be that if "Msg Kinds" is set to "Private", a user
would only be able to see his/her sent/received messages. It seems to
work that way if "Msg Kinds" is set to "Private" on a non-local,
Echomail message area.

In other ways: is it possible to have a non-networked (local) but
private message area similar to what "personal messages" are on other
BBS systems?

I thought that setting a echo to private no one see content other than the sender and
recipient.

Are you saying that is NOT the case and if so under what circumstances, i.e., dany user
logged into the system or a remote user via internet or QWK packets ?


One way of making sure would be trying out the settings for each area that raises the
security of it but I am not sure that is a gain or a hindrance.

The security of the Private flag should be dealing with it and if not sound like a bug and
will need looking into.

Tell me what the conditions are when it can be see by all others.
Note that the Sysop can always see echo message content unless the security is raised above
that of the sysop which is what happens on my system for military areas both UK and USA so I
can not see them when using tools like golded. Note that some of these echos are also
protected by encryption which fully locks down such security as there is no way I can read
them .

Echo security can be found via mbset 9.2. area number then Read = 16, Write = 17 and 18
sysop with 24, 25 both No and 27 as needed but poosibly same as 16 - 18.


Vincent

--- Mageia Linux v7.1 X64/Mbse v1.0.7.13/GoldED+/LNX 1.1.5-b20180707
* Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)

Vincent Coen wrote to Niels Haedecke:

Hello Niels!

I thought that setting a echo to private no one see content other than the

sender and
recipient.

Are you saying that is NOT the case and if so under what circumstances, i.e.,
dany user
logged into the system or a remote user via internet or QWK packets ?

Hi Vincent,
sorry for the very delayd reply. So here's what user "test" (who is a
non-sysop user) sees when he is querying the local, private echo:

# From To Subject

1 amiganer niels haedecke Hi

2 lodger amiganer Re: Hi


So as you can see, the user I'm logged in (test) can see that there are
private messages between amiganer and lodger. He can even see the subject of any private message. This should not be possible. When querying the local, private echo, user "test" should not see any messages listed he is neither sender nor recipient of.

However, when user "test" is then trying to read one of the two messages he
was shown, he gets:

"This is a private message; only the owner and addressee can view it."

So is this the expected behaviour and could this be fixed so you can't "spy"
on other conversation topics and participants by running the Quickscan
command.

Kind regards,
Niels

Greetings, Niels Haedecke

--- MBSE BBS v1.0.7.13 (GNU/Linux-ARM)
* Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)

Hello Niels!

Monday May 25 2020 13:44, you wrote to me:

Vincent Coen wrote to Niels Haedecke:

Hello Niels!

I thought that setting a echo to private no one see content other
than the

sender and
recipient.

Are you saying that is NOT the case and if so under what
circumstances, i.e., dany user logged into the system or a remote
user via internet or QWK packets ?

Hi Vincent,
sorry for the very delayd reply. So here's what user "test" (who is a non-sysop user) sees when he is querying the local, private echo:

# From To Subject

1 amiganer niels haedecke Hi

2 lodger amiganer Re: Hi

So as you can see, the user I'm logged in (test) can see that there
are private messages between amiganer and lodger. He can even see the subject of any private message. This should not be possible. When
querying the local, private echo, user "test" should not see any
messages listed he is neither sender nor recipient of.

However, when user "test" is then trying to read one of the two
messages he was shown, he gets:

"This is a private message; only the owner and addressee can view it."

So is this the expected behaviour and could this be fixed so you can't
"spy" on other conversation topics and participants by running the
Quickscan command.

Can you confirm that user test cannot see the content of these messages .

Clearly from your testing it looks like the content SHOULD be private but the msgs lists are not.

I must admit I am in two minds on this, but leaning that this behaviour is correct.

It is the content that must be private.

The information provided by seeing a list of from, to, subject is not confidentaal.

In my system areas that are secure cannot be seen by any one who does not have the required level let alone any form of content.

These are areas for the military seperated by country ie., USA and UK.

They are set so even I cannot look at some of them but there is encryption turned on so unless you have the key you cannot see them any way.

This is done on purpose to protect to a very high level all content now matter who you are and that includes police, security forces etc as allowing them such
access would in itself be a breach of the official security act sections 1 & 2 (for the UK) and similar for the USA. The system also supports the mititary of other countries but using similar encryption all using 128 byte keys and in some cases larger.

I guess you are not worried to this level ?

Vincent

--- Mageia Linux v7.1 X64/Mbse v1.0.7.13/GoldED+/LNX 1.1.5-b20180707
* Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)

Hello Vincent,

Clearly from your testing it looks like the content SHOULD be private
but the msgs lists are not.

Yes, it should be. The details of the messages from, to and subject should also be private and not displayed to anyone aside from the sender or recipient.

I must admit I am in two minds on this, but leaning that this
behaviour is correct.

Why display to details of a private message to others?

It is the content that must be private.

The information provided by seeing a list of from, to, subject is not confidentaal.

This looks like a bug that went unnoticed.

Probably not hard to fix if anyone is caring for MBSE.

Ttyl :-),
Al

--- GoldED+/LNX
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)

Hello Alan!

25 May 20 11:02, you wrote to Vincent Coen:

Clearly from your testing it looks like the content SHOULD be
private but the msgs lists are not.

Yes, it should be. The details of the messages from, to and subject
should also be private and not displayed to anyone aside from the
sender or recipient.

Why display to details of a private message to others?

This looks like a bug that went unnoticed.

Agreed.

Probably not hard to fix if anyone is caring for MBSE.

I'll look into it.

Andrew

--- GoldED+/LNX 1.1.5-b20180707
* Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)

Hello Niels!

25 May 20 13:44, you wrote to Vincent Coen:

So as you can see, the user I'm logged in (test) can see that there
are private messages between amiganer and lodger. He can even see the subject of any private message. This should not be possible. When
querying the local, private echo, user "test" should not see any
messages listed he is neither sender nor recipient of.

However, when user "test" is then trying to read one of the two
messages he was shown, he gets:

"This is a private message; only the owner and addressee can view it."

So is this the expected behaviour and could this be fixed so you can't "spy" on other conversation topics and participants by running the Quickscan command.

This bug has been fixed in v1.0.7.16, which was just committed to the SourceForge Mercurial and Git repositories.

Thanks for letting me know about the issue.

Andrew

--- GoldED+/LNX 1.1.5-b20180707
* Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)

Hi Andrew,
thank you for fixing this issue (and the one regarding the user handle in From/To fields) so quick! I've already updated my Wintermute BBS to 1.0.7.17

Working perfect so far!

Kind regards,
Niels

Andrew Leary wrote to Niels Haedecke:

Hello Niels!

25 May 20 13:44, you wrote to Vincent Coen:

So as you can see, the user I'm logged in (test) can see that there are private messages between amiganer and lodger. He can even see the subject of any private message. This should not be possible. When querying the local, private echo, user "test" should not see any messages listed he is neither sender nor recipient of.

However, when user "test" is then trying to read one of the two messages he was shown, he gets:

"This is a private message; only the owner and addressee can view

it."

So is this the expected behaviour and could this be fixed so you

can't

"spy" on other conversation topics and participants by running the Quickscan command.

This bug has been fixed in v1.0.7.16, which was just committed to the SourceForge Mercurial and Git repositories.

Thanks for letting me know about the issue.

Andrew

--- GoldED+/LNX 1.1.5-b20180707
* Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)

Greetings, Niels Haedecke

--- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
* Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)

Hello Niels!

01 Jun 20 18:10, you wrote to me:

thank you for fixing this issue (and the one regarding the user handle
in From/To fields) so quick! I've already updated my Wintermute BBS to 1.0.7.17

Please continue to report any issues you find; if we aren't aware of them they won't get fixed.

Working perfect so far!

Glad to hear it!

Andrew

--- GoldED+/LNX 1.1.5-b20180707
* Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)

* Originally in mbse
* Crossposted in netmail

01 Jun 20 21:17, Andrew Leary wrote to Niels Haedecke:

Glad to hear it!

Sorry to write you here, but I've sent a couple of netmails to you during the last few weeks... Did you get them? I didn't get any respond.

'Tommi

---
* Origin: rbb.fidonet.fi (2:221/1)