Before I start this post, and the real content I am going to list everything you'll need to play along at home.
Hardware:
An old PC (1Ghz CPU, 1GB RAM, 2TB RAID 0 Hard Drive) - it is a dinosaur but any computer will do.
Software:
XAMPP (PHP, Apache, phpMyAdmin) - available here.
SMF Forum - available here.
PHPBB3 Forum - available here.
Windows XP (although any Operating System will do; such as OSX, Linux)
Firefox 10 (although any web browser will do; Chromium (not Chrome) being a better option.
Install Procedure:
Install XAMPP.
Use phpMyAdmin to create two databases (smf & bb3 were used).
Install SMF.
Install phpBB3.
That is pretty much it. There is a little more to the installation but that gives you the order. What you now have is a pair of locally hosted forums. Which for test purposes is fine. If you was doing this on a web host forget the XAMPP; and secure everything better than the standard install.
Note: Click images for clearer details - such as dates, names, descriptions, etc.
Now, the reason for this post. I was involved in a discussion last night and the topic came up of a certain admin of a forum changing things. Some involved in the discussion suggested that if anything was changed then the post would show an "edited by" statement.
I explained as the admin you can do it without it showing; which some did not believe. So this post shows how to change things without it showing. Which also shows why nothing on a forum can be taken to be true.
Firstly, in SMF, I created a post predicting various things which I knew would happen:
Nothing groundbreaking there; as all events were known when the post was created.
I then went in to phpMyAdmin
This is the database running behind SMF. The table in the database is smf_messages (although called messages it is posts; and private messages is called smf_personal_messages). In the above screen shot you will see a field called poster_time; this is the time the post was created.
Most wont realise that 1329487838 is what is commonly called a 'unix timestamp' and actually means Friday, February 17, 2012 2:10 PM.
So to amaze the world all you need to do is actually change the poster_time field to an earlier date; I chose Friday, December 31, 1999 11:59 PM.
Now we have something pretty amazing looking. Anyone stumbling across the forum will think that in 1999 I predicted the 4 events with pinpoint accuracy; even though I didn't.
I then went through the procedure with phpBB3 doing the same thing.
Note the only differences are the table is phpbb_posts and the field is post_time. I changed it this time to Saturday, July 7, 2007 7:07 AM.
Only 2 years (almost) before the first prediction; but still anyone stumbling on it would think it pretty cool that it was predicted so accurately.
And that is the point. Just because it is on a forum doesn't make it factual.
Unfortunately it doesn't stop there. In the discussion from the previous night private messages were mentioned. And once again I was the bearer of bad news and said if you don't trust the admin then don't use private messages.
Here, briefly, is why.
The message was composed like any other private message. But when the admin logs into phpMyAdmin they see everything; and can change everything also.
The admin sees the message, sender, recipient(s), subject, and time sent. And yes, you guessed it, the admin of the forum can change all of those without anyone knowing; except maybe the original sender if they pay enough attention. But then how does the original sender prove it was changed; surely they didn't bother to screen grab the message composition.
And the same thing can happen in SMF.
If you are going to try it out for yourself the online timestamp converter comes in handy; and can be found here.
Note: All of the above was completed in an insecure test environment; but can be completed just as easily on a live database/forum setup.