[members-discuss] [rpd] Privacy breach of nomcom2015's Mailing List
Sander Steffann
sander at steffann.nl
Mon Jun 8 13:23:47 UTC 2015
Hi Omo,
> I vote for the latter too but I am uncomfortable with the way you seem
> to be holding brief for the fellows concerned. You are interpreting and
> providing context as if you were party to this. I am sure the concerned
> folks can speak for themselves.
It was me who found the configuration error. I just haven't been reading email for a few days. Owen gave a very good description of what happened, which I copy here:
> 1. A mistake was made at creation time of the mailing list which flagged it as a publicly accessible list open to subscription by anyone.
> 2. Nobody noticed this error until the person in question went searching for publicly available information on the nom-comm and found the list on the public mailing list page on the AfriNIC web site.
> 3. The person in question subscribed to the list.
> 4. He downloaded the list archives.
> 5. He realized two things:
>    1. That these were the private emails of the nominating committee and should not be public.
>    2. That there were contents in those emails that caused him some concerns about the propriety of the actions by the nominating committee.
>
>    A. In response to 1, he contacted Daniel from the AfriNIC staff who immediately corrected the misconfiguration.
>    B. In response to 2, he provided the information to two members of the board who he knew and trusted.
>
>    He honestly had no way to know that the emails were private until he started reading them. He did not set out to breach the security of AfriNIC or with any mal-intent.
>
>    Action A was right and proper, and I believe we have consensus about that.
>    Action B is being applauded by some and reviled by others. IMHO, it was poor judgment, but understandable.
> 6. Daniel corrected the configuration thus preventing further disclosures.
> 7. The logs show that only two unauthorized subscribers were admitted to the list. This was announced in the results of the investigation.
>    One was known to be the original person in question above.
>    The other is now known to be someone whom he asked to confirm the vulnerability (which is fairly standard practice in identifying a security problem).
The above explanation is 100% correct. As to why I downloaded the archives before reading the content: the pipermail archive web interface is horrible and I prefer to read email in a proper email client. The information was labelled as public information, so there was no reason I should expect the contents to be private before reading it. To be precise, the text is: "Below is a listing of all the public mailing lists on lists.afrinic.net." When I was looking for public information about the elections it made perfect sense to look at the public information from nomcom. That the 'public' information turned out not to be public is regrettable.
When this came up during the AGMM, I publicly stated exactly what happened. I don't like to hide and play games. What Owen described above is what happened and that is all there is to it. My apologies for any unrest I caused. With hindsight I should have handled things differently, and I thank Owen for his advice at the time.
Cheers,
Sander