Any system can be hacked. Period. It's also possible to hack a system so that they can't trace it back to the source. I don't know about any current PHP exploits, but i'm sure there are some that worked in the past. In general, most exploits involve buffer overflow, but they could also involve embedded scripts in messages or posts. It'd be easier to do if the security is set up to be lax and they don't monitor the system for intrusion attempts. If someone can log is as root or administrator, they can do anything. Passwords should be picked so that they can't be found with a dictionary atttack. Also, the system should be set up to lock out any administrative account after a few unsuccessful attempts to log in with the wrong password. All of your PMs can be read by DB or anyone who gets the right username/password from them. I would never send out anything that's self-incriminating on the internet. If a court issues a subpeona or a search warrant, DB would be obligated to give them what the court ordered.

A few days ago the system was configured so that it was spitting out its SQL error messages in HTML to everyone. People make mistakes. A human error could expose everything here to anyone who wanted to look at it ... no hacking required. Have you ever left your house or car unlocked for a few minutes by mistake? Same thing.

If you want your PMs to be confidential, then encrypt them with PGP. Then the only person who can read them is the one you encrypt them to. But that person can disclose it to others. It's also only as good as the passphrase you choose, so don't write it on a Post-It and paste it on your monitor. PGP 8.02 is about as good as it gets for free encryption. You can download it directly from PGP. Find it with Google.

Trampy