
[rpd] Privacy breach of nomcom2015's Mailing List

Owen DeLong owen at delong.com
Sun Jun 7 16:02:41 UTC 2015


> On Jun 6, 2015, at 12:40 , Noah <noah at neo.co.tz> wrote:
> 
> On Sat, Jun 6, 2015 at 10:17 PM, Sunday Folayan <sunday.folayan at afrinic.net> wrote:
> On 06/06/2015 20:12, Noah wrote:
> > On Sat, Jun 6, 2015 at 9:22 PM, Sunday Folayan <sunday.folayan at afrinic.net> wrote:
> >
> >> Dear Noah,
> >>
> >>
> > Hi Sunday,
> >
> >
> >> The issue was discussed and resolved on the floor of the AGMM, after the
> >> CEO briefed members that it was a configuration error, which left the
> >> supposed private list open to anyone to subscribe.
> >>
> > Unfortunately, I missed the AGMM, however, if the issue was a configuration
> > error, then why wasn't it reported as such in your original email
> > considering the message was "*A breach of nomcom2015 and confirmed reports
> > of  dumps of archives circulating in the community"*.
> 
> My Email acted on the brief from the CEO. Further information was then
> provided by the CEO at the AGMM.
> 
> 
> All right then. IMHO, next time, let the message being sent to the community be "clear" that is after gathering credible evidence rather than you the BoardChair sending a different message and then the CEO coming out with another version completely different.

Noah, you are, IMHO, making an unreasonable request here.

The CEO provided the chair with information about a breach of privacy. The Chair chose to share the information with the community detailing what was known at the time, namely what was disclosed and what the next steps (an investigation by staff) would be.

Later in the AGMM, the CEO provided additional details as a result of the investigation conducted by staff and the matter was settled with the consent of all present in the AGMM.

Because the information about the breach was timely and could have potential impact on the election, I think it was correct for the chair to give preliminary information to the community. The investigation could easily have taken much longer than it did had the breach been more widespread or had the mechanism been more complicated to determine. At the time the chair disclosed the information to the community, this was not yet known and there was no way to know until the investigation was well underway.

> 
> Am sure you will appreciate that there is a difference between [1] and [2] below.....
> 
> [1] "There is a confirmed report that this hole was indeed exploited, and a
> dump of the archive is now circulating in the community. This is an
> unacceptable conduct that must be condemned."
> 
> [2] "the CEO briefed members that it was a configuration error, which left the
> supposed private list open to anyone to subscribe."

There really isn’t.

The misconfiguration was the hole which was indeed exploited. The dump of the archive was known to be circulating in the community, though the extent of circulation was not known. All of that [1] is true and remains true.

The further information in [2] does indicate that the breach was achieved by exploitation of a configuration error in the mailing list software, but it does not contradict anything in [1].

Why do you see this as a problem?

I would much rather that the board tells us what is going on in a timely manner, even if they don’t have all the details. This reduces the potential for innuendo, rumor, and chaos in the community and should increase trust in the board.

Owen

