[members-discuss] [rpd] Privacy breach of nomcom2015's Mailing List
badru.ntege at nftconsult.com
Mon Jun 8 14:36:29 UTC 2015
Again, hot air to think the community is blind.
You know there was no public direct email for you to click.
Using your knowledge, and maybe alongside a former staff member with knowledge, you managed to get to the link. We all know it was not publicly available.
An apology would be easier and better, especially given the fact that you are employed by a sister RIR. It makes me wonder what their take is on your actions, especially the fact that they probably funded your trip.
Sent from my Mobile
> On 8 Jun 2015, at 16:33, Sander Steffann <sander at steffann.nl> wrote:
> Hi Omo,
>> I vote for the latter too but I am uncomfortable with the way you seem
>> to be holding brief for the fellows concerned. You are interpreting and
>> providing context as if you were party to this. I am sure the concerned
>> folks can speak for themselves.
> It was me who found the configuration error. I just haven't been reading email for a few days. Owen gave a very good description of what happened, which I copy here:
>> 1. A mistake was made at creation time of the mailing list which flagged it as a publicly accessible list open to subscription by anyone.
>> 2. Nobody noticed this error until the person in question went searching for publicly available information on the nom-comm and found the list on the public mailing list page on the AfriNIC web site.
>> 3. The person in question subscribed to the list.
>> 4. He downloaded the list archives.
>> 5. He realized two things:
>> 1. That these were the private emails of the nominating committee and should not be public.
>> 2. That there were contents in those emails that caused him some concerns about the propriety of the actions by the nominating committee.
>> A. In response to 1, he contacted Daniel from the AfriNIC staff who immediately corrected the misconfiguration.
>> B. In response to 2, he provided the information to two members of the board who he knew and trusted.
>> He honestly had no way to know that the emails were private until he started reading them. He did not set out to breach the security of AfriNIC or with any mal-intent.
>> Action A was right and proper, and I believe we have consensus about that.
>> Action B is being applauded by some and reviled by others. IMHO, it was poor judgment, but understandable.
>> 6. Daniel corrected the configuration thus preventing further disclosures.
>> 7. The logs show that only two unauthorized subscribers were admitted to the list. This was announced in the results of the investigation.
>> 1 was known to be the original person in question above
>> The other is now known to be someone whom he asked to confirm the vulnerability (which is fairly standard practice in identifying a security problem).
> The above explanation is 100% correct. As to why I downloaded the archives before reading the content: the pipermail archive web interface is horrible and I prefer to read email in a proper email client. The information was labelled as public information, so there was no reason I should expect the contents to be private before reading it. To be precise, the text is: "Below is a listing of all the public mailing lists on lists.afrinic.net.". When I was looking for public information about the elections it made perfect sense to look at the public information from nomcom. That the 'public' information turned out not to be public is regrettable.
> When this came up during the AGMM I have publicly stated exactly what happened. I don't like to hide and play games. What Owen described above is what happened and that is all there is to it. My apologies for any unrest I caused. With hindsight I should have handled things differently and I thank Owen for his advice at the time.
> rpd mailing list
> rpd at afrinic.net
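The configuration error described in step 1 of Owen's account (a private committee list created with public settings) is the kind of thing a list administrator can audit mechanically. The following is an added example, not code from the thread, from AfriNIC or from the Mailman project. It assumes Mailman 2 (the thread mentions pipermail, Mailman's archiver) and the `name = value` dump format written by Mailman 2's `bin/config_list -o`; both sample dumps below are constructed, and the "fixed" values are an assumption about what the correction looked like, since the thread only says the misconfiguration was corrected.

```python
"""
Audit a Mailman 2 list configuration dump for the three settings that
turn a private committee list into a public one: the list being
advertised on the public listinfo page, self-service subscription, and
a world-readable pipermail archive.

Added example (not from the original thread). Assumes Mailman 2 and the
`bin/config_list -o` format: one Python assignment per line, '#' comments.
"""
import ast
import re
from typing import Dict, List

# Constructed sample: a dump matching the misconfiguration the thread
# describes (listed publicly, anyone can subscribe, archive public).
LEAKY_DUMP = """\
# -*- python -*-
# constructed sample, not a real AfriNIC list
real_name = 'nomcom2015'
advertised = 1
subscribe_policy = 1
archive = 1
archive_private = 0
private_roster = 1
"""

# Constructed sample of the same list after correction (assumed values:
# the thread does not say which settings were changed).
FIXED_DUMP = """\
real_name = 'nomcom2015'
advertised = 0
subscribe_policy = 3
archive = 1
archive_private = 1
private_roster = 2
"""

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")


def parse_config_dump(text: str) -> Dict[str, object]:
    """Parse `name = value` lines into a dict; values are Python literals."""
    cfg: Dict[str, object] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue  # multi-line values and other noise are ignored here
        name, raw = m.groups()
        try:
            cfg[name] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            cfg[name] = raw
    return cfg


def audit_private_list(cfg: Dict[str, object]) -> List[str]:
    """Return findings for settings that expose a list meant to be private.

    Defaults used when a key is absent are Mailman 2's shipped defaults
    (advertised on, confirm-only subscription, public archive).
    """
    findings: List[str] = []
    if cfg.get("advertised", 1) == 1:
        findings.append("advertised=1: list appears on the public listinfo page")
    # subscribe_policy: 0 = open, 1 = confirm, 2 = approval, 3 = confirm+approval.
    # 0 and 1 let anyone subscribe without a moderator ever seeing the request.
    if cfg.get("subscribe_policy", 1) in (0, 1):
        findings.append(
            "subscribe_policy=%s: self-service subscription, no admin approval"
            % cfg.get("subscribe_policy", 1)
        )
    if cfg.get("archive", 1) == 1 and cfg.get("archive_private", 0) == 0:
        findings.append("archive_private=0: pipermail archive readable by anyone")
    return findings


def audit_dump(text: str) -> List[str]:
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit_private_list(parse_config_dump(text))


if __name__ == "__main__":
    for label, dump in (("leaky", LEAKY_DUMP), ("fixed", FIXED_DUMP)):
        print(label, audit_dump(dump) or "no findings")
```

Run the audit over every list on a host (for example by feeding each `config_list -o` output into `audit_dump`) rather than over one suspect list: the thread's point is that nobody noticed the setting until an outsider did, and a periodic sweep of all lists is what catches that class of mistake before it becomes a disclosure.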