[members-discuss] [rpd] Privacy breach of nomcom2015's Mailing List
Owen DeLong
owen at delong.com
Sun Jun 7 21:24:46 UTC 2015
> On Jun 7, 2015, at 13:07 , Boubakar Barry <boubakarbarry at gmail.com> wrote:
>
> Well, it will be difficult for a serving AfriNIC staff to challenge this at this point of time.
>
> Let's wait for the investigation report to be shared with the community. I however don't support the expressed idea to wait for the AGMM minutes.
>
> While the investigation results can be incorporated in the AGMM minutes, I don't see why we should wait until the minutes are made available to know about the investigation results. Our Tunis experience regarding the release of resolutions of a Board meeting held 7 months ago advocates for the disconnection of the two.
Boubakar,
Alan Barrett presented the results of the investigation at the AGMM. I’m not sure what investigation report you are waiting for other than the one that was delivered at the meeting.
Everything was disclosed. Nobody was made a scapegoat and nothing was covered up.
Sum total as best I can recall… I’m sure someone will correct me if I got anything wrong:
1. A mistake was made at creation time of the mailing list which flagged it as a publicly accessible list open to subscription by anyone.
2. Nobody noticed this error until the person in question went searching for publicly available information on the nom-comm and found the list on the public mailing list page on the AfriNIC web site.
3. The person in question subscribed to the list.
4. He downloaded the list archives.
5. He realized two things:
   1. That these were the private emails of the nominating committee and should not be public.
   2. That there were contents in those emails that caused him some concerns about the propriety of the actions by the nominating committee.

   A. In response to 1, he contacted Daniel from the AfriNIC staff who immediately corrected the misconfiguration.
   B. In response to 2, he provided the information to two members of the board who he knew and trusted.

   He honestly had no way to know that the emails were private until he started reading them. He did not set out to breach the security of AfriNIC or with any mal-intent.
   Action A was right and proper, and I believe we have consensus about that.
   Action B is being applauded by some and reviled by others. IMHO, it was poor judgment, but understandable.
6. Daniel corrected the configuration thus preventing further disclosures.
7. The logs show that only two unauthorized subscribers were admitted to the list. This was announced in the results of the investigation.
   1 was known to be the original person in question above
   The other is now known to be someone whom he asked to confirm the vulnerability (which is fairly standard practice in identifying a security problem).

Thus, no actual harm was done. Nobody had any ill intent. There is no conspiracy, no tampering with the election, no interference with the nominating committee. In short, nothing worthy of the amount of brouhaha that has been hitherto presented on this topic.
I will note that I did not have a dog in the fight for the election. My only concern was a free and fair election by the members. I was made aware of this situation by the original person in question shortly after he informed Daniel and I was given an opportunity to download the information and/or review it. I expressed my thoughts that doing so was not right and discouraged the person in question from any further disclosure of the information. Advice which was followed.
Owen
>
> Boubakar
>
>
> On Sun, Jun 7, 2015 at 7:55 PM, Kofi ANSA AKUFO <kofi.ansa at gmail.com> wrote:
> Well well well . . . it was just a matter of time.
>
> So this has happened again ... exploiting mal-configured systems in Afrinic. It is time to call for a thorough independent security assessment of these systems.
>
> The last time this happened leading staff in Afrinic concealed this and went witch hunting and shamefully sacrificed an ex-employee as a cover up.
>
> I challenge any well meaning staff of Afrinic to come to refute this.
>
> K.
>
>
>
> On 7 June 2015 at 22:32, Omo Oaiya <omo at wacren.net> wrote:
>
>
> On 6/7/15 Owen DeLong wrote:
> >
> > I would much rather that the board tells us what is going on in a
> > timely manner, even if they don’t have all the details. This reduces
> > the potential for innuendo, rumor, and chaos in the community and
> > should increase trust in the board.
>
> +1.
>
> > I do not entirely agree with the actions of the community member in
> > question as I agree that disclosure to select board members was
> > inappropriate, but the intent was honorable and not mischievous. The
> > absolute worst that can be legitimately said of the person in
> > question is that he exercised poor judgment.
>
>
> Very poor judgement at best.
>
> Brings Adiel's admonition to the board to show good judgment to mind.
> We look forward with expectation to the outcome of their next meeting.
>
> -Omo
>
>
> _______________________________________________
> rpd mailing list
> rpd at afrinic.net <mailto:rpd at afrinic.net>
> https://lists.afrinic.net/mailman/listinfo.cgi/rpd <https://lists.afrinic.net/mailman/listinfo.cgi/rpd>
>