[liberationtech] (advice sought) Public safety and configuration of list
Michael insists that we post his reply to our decision to the list, so we do so below. We already responded to his message off list. Best, Yosem From: Michael Allan m...@zelea.com Date: Wed, Apr 24, 2013 at 11:40 PM Yosem, May I briefly speak in reply? I will not be joining the admin list, as it's only by accident that I became involved in this. Anyway, I'm sorry to have given you the wrong impression, but you make some errors in describing my actions and motivations, and I wish to correct them. Michael asked that the Program on Liberation Technology at Stanford University overrule the list vote over safety issues because he said the position created a potential legal liability for the university. I did not ask the university to overrule the vote, but only to act in the interests of public safety. If public safety is best served by upholding the vote, then that is O.K. by me. Nor was I concerned with the university's legal position. It was the university's own staff who invited me to off-list discussions, and the university's own staff who expressed a concern about legal implications, and then referred the matter to counsel. The only issue I consider worth discussing in this connection is the issue of public safety, especially the safety of innocent people who are not party to these discussions, not connected with the university, and not connected with the mailing list. The argument (which I seconded, but did not originate) is that the configuration of the list places these people in some danger. I felt that *their* concerns ought to have a voice before a decision was made. So this is what I attempted to do; though maybe I didn't do a good job of it. Michael, however, insists that there are safety issues. ... Well, I have never *insisted* on that. My crime was to ask whether or not the safety concerns that were raised are valid, and I directed this question to experts in particular. But apparently the university has already made a decision on the matter, so there's nothing further anyone can contribute. We can only hope that it's the right decision, and that we acted rightly in it ourselves. -- Michael Allan Toronto, +1 416-699-9528 http://zelea.com/ Yosem Companys said: Dear All, Michael asked that the Program on Liberation Technology at Stanford University overrule the list vote over safety issues because he said the position created a potential legal liability for the university. We informed Michael that we saw none and that the list subscribers had taken the perceived safety issue into consideration when voting; in fact, we included the links to the pros and cons that addressed the perceived safety concerns. Michael, however, insists that there are safety issues. We remained unconvinced. He asked that we discuss the issue internally at Stanford University. Our final decision is consistent with the view that Jeremy outlined below, which is common practice for mailing lists: Email users are responsible for their use of email, on a list or off, so they are responsible for knowing the settings and adapting their behaviors to them. The locus of action of the list is the user, the administrator just sets the terms. Moreover, we inform users of the risks associated with subscribing to public lists both when they sign up and in our list guidelines. We also clearly state that the list is configured to reply to all. As a result, the current option will remain as currently configured and voted upon by list subscribers -- that is, reply to all. As we have received numerous complaints over having administrative issues crowd out substantive discussion on the list, we are creating a separate liberationtech-admin list. As soon as that list is operational, we will let you know. In the meantime, out of respect to your fellow subscribers, we ask that you please refrain from further discussion about the issue here but encourage you to continue the discussion there, if interested. Best, Yosem One of your list moderators -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] (advice sought) Public safety and configuration of list
Brian and Elijah, Brian said: If Stanford University, who currently hosts the libtech mailng list decides to change the setup in contravention of democratic process of the list MEMBERS, then I would hope list members will move to one of many other options for hosting. ... Is it not worth considering that the constant rehashing of this discussion is in itself, something reminiscent of the behavior of bad actors attempting to derail effective organizing and discussion? Safety was hardly discussed in public; mostly only off list. Here's a short history of the public exchange between the subscribers and the university, thus far: Subs. When replying to messages sent via the list, I sometimes forget to hit Reply to List. Instead I hit Reply to Sender. When I realize my mistake, I must re-send my reply to the list. What a nuisance! How can we remedy this? Uni. It's possible to alter the sender's Reply-To headers, making it *appear* as though the sender had requested replies to be sent to the list. Then it no longer matters which button you press; your reply is directed to the list regardless. Subs. Yes, let's do that! Uni. But in our particular list, this may present a safety hazard to the public. Also it requires inserting false information into the mail that technically verges on fraud. Subs. (silence) Uni. Did you hear what I said? Subs. How dare you question our democratically reached decision! Did *you* not hear what *we* said? This is perhaps a little unfair. If a proper discussion had been held beforehand, then nobody could have *reasonably* agreed to alter the Reply-To headers without *first* refuting the public safety concerns. But this was not done; instead there was a vote. One subscriber even called for the vote as a means to end the discussion. And now, when the university is required to decide the matter, *again* public discussion is to be curtailed? That is fine, but remember that reasonable arguments of public safety and wilful mis-information are still standing. They have hardly been addressed yet, let alone refuted. (Again, pending that decision, I recommend that the configuration be returned to its default setting. The default is strongly recommended by the providers and its safety is unquestioned.) Elijah Wright said: Please don't reply-all on private mail (what this appears to be - interim mails did not go to Air-L), and then include lists in the CC line. ... it's unethical ... Apologies for cross-posting, but the mail I quoted was not private: https://mailman.stanford.edu/pipermail/liberationtech/2013-April/008257.html Mike Brian Conley said: +1 to both of Joe's comments. Michael, I'm not sure what world you live in, but in the world I live in, anyone who has information worth considering and is to be respected as a security adviser would NEVER follow the actions you've suggested. This is a strawman. The world is a dangerous place, and people get hurt. At least give them the agency to decide how best to protect themselves. Quite frankly I think there is a lot of hand-wringing going on, and it really wastes a lot of people's time. If Stanford University, who currently hosts the libtech mailng list decides to change the setup in contravention of democratic process of the list MEMBERS, then I would hope list members will move to one of many other options for hosting. I fully understand that Stanford University may now feel they have some sort of legal obligation, due, no doubt, in part to less than transparent actions by a few individuals, robbing the members of the list of agency. Its the University's legal decision, no doubt, but perhaps someone from the EFF can kindly call them and let them know this is a straw man. Is it not worth considering that the constant rehashing of this discussion is in itself, something reminiscent of the behavior of bad actors attempting to derail effective organizing and discussion? regards all. On Tue, Apr 23, 2013 at 5:43 PM, Joseph Lorenzo Hall j...@cdt.org wrote: (reply-to-list-only) On Apr 23, 2013, at 16:39, Michael Allan m...@zelea.com wrote: Maybe there's a misunderstanding here. The list subscribers are not responsible for the safe administration of the list. The university alone is responsible. It could never pass that responsibility on to the subscribers, even if it wanted to. There's definitely a misunderstanding. I see mailing lists as fundamentally normative negotiations with a foundation of acceptable use, whether administered by Stanford or some other entity. Changing the entity that hosts a mailman list is one of the most frictionless changes which a community can agree to online. So, ultimately it's the list that requires persuasion (in my opinion). --Joe -- Brian Conley Director, Small World News
Re: [liberationtech] (advice sought) Public safety and configuration of list
3 lines summary of what follows: There is NO way that the list admin can prevent list members from putting in danger other people who ask for help to the list, so stop worrying too much about this and don't mess anymore with the headers. On Mon, Apr 22, 2013 23:45:47 PM -0400, Michael Allan wrote: Experts on the list advise and inform on matters such as encrypting communications, protecting infrastructure from cyber attack, and protecting onself from personal danger. in ~2 years I've been a subscriber here, I don't remember anything that would be in the personal vulnerable situation category, that is the starting point for all the concerns that follow. Anyway: the software adds a Reply-To header pointing to L, which is the address of the list itself. The message is then passed on to the subscribers. The meaning of the added Reply-To header is, Q asks that you reply to her at L. [3] Note that this is false information; Q does not ask that. Partly not correct (Q implicitly asked, or accepted that, the moment he or she subscribed to a MAILING LIST, that as everybody knows are places for public discussion. Especially when they have public archives), partly irrelevant: a) at least HALF of the fault in the scenario that you keep torturing yourself with is not on P. It is on Subscriber Q dumb enough to reply with helpful information about a PERSONAL VULNERABLE SITUATION [only] to the list, instead of being mature/sensible/smart enough to: 1) answer to list ONLY in the vaguest possible terms (I'll get back to you on that) if at all 2) send any advice that may help but provocate reply with sensitive data in a completely SEPARATE message, that the list doesn't see at all 3) eventually, post to the list for future reference a summary of general advice for cases like that, purged of personal data if a tired and distracted person asks for advice to a not stressed person, and the second person replies OK, let's talk this over just on the edge of a cliff, is the distracted person the only one to blame if she falls off the cliff? In other words, the only problem and fault in your scenario is not point 4 (P replies with private info) but point 3 (Q replies with helpful info, but in a totally braindead way, when he or she should really know better) b) many people, like me, set their mail clients to recognize lists and automatically send replies to list messages ONLY to the list. Regardless of how much the admin played with the headers. c) oh, and of course there still are the people who routinely and blindly reply to all to whatever they get in their inbox POSSIBLE EXPLOIT THAT INCREASES THE DANGER hmm... Might not this exploit be perceived as feasible? yes. Just don't expect to solve it with mailing list management. If, instead, the only goal is to give Stanford and the list admin wants a legal basis to not be sued, that's OK. While Stanford University is evaluating these safety concerns and has yet to make a decision, it should return the configuration to its default setting. The default setting is known to be safe. The default setting is known to provide very little of the specific safety you want, for the reasons I explained. If replying to messages from this list can put other people in danger, this is something that ALL list members must individually commit to avoid, whenever they answer. Oh, and maybe Q people so DUMB to not check whether they are replying on or off list when somebody's LIFE may be in danger shouldn't subscribe in the first place, should they now? So, personally I (re)vote for keeping reply-to to the list, but do as you wish because I'll keep MY email client to Reply-to List anyway (which proves my point), because it's infinitely more convenient than having different behavior from all the other tens of mailing lists I am subscribed to. Marco F. http://mfioretti.com -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] (advice sought) Public safety and configuration of list
I would suggest if you don't accept the decision of the list members to keep reply-to-list, you should not subscribe. It seems silly to raise it again and attempt to appeal to higher authorities that have much better things on which to spend their time than mediate disputes about mailing list policy. (I initiated the recent policy discussion of the mailing list configuration and accept the results, despite not agreeing with the decision (not on safety grounds).) best, Joe On 4/22/13 11:45 PM, Michael Allan wrote: To the experts in Liberationtech, Air-L and Mailman lists, (cc General Counsel of Stanford University) Stanford University has configured the Liberationtech mailing list in a manner that is potentially unsafe. University staff are aware of the problem and are evalutating the situation, but have yet to take action. I'm a subscriber to the list, and I ask your advice. SITUATION The Liberationtech mailing list is run by Stanford University in connection with its Program on Liberation Technology. That program investigates the use of IT to defend human rights, improve governance, empower the poor, promote economic development, and pursue a variety of other social goods. [1] Experts on the list advise and inform on matters such as encrypting communications, protecting infrastructure from cyber attack, and protecting onself from personal danger. Often those seeking help are in vulnerable situations. They include aid workers, reporters and activists who live and work in environments where human rights are not well respected, or where the government is too weak to protect people from organized criminals, rival militias, and so forth. The list software is GNU Mailman. The administration interface includes the following configuration items: [2] (a) Should any existing Reply-To: header found in the original message be stripped? If so, this will be done regardless of whether an explict Reply-To: header is added by Mailman or not. X No - Yes (b) Where are replies to list messages directed? Poster is *strongly* recommended for most mailing lists. X Poster - This list - Explicit address (c) _ Shown above is the default, recommended setting of (1 No, 2 Poster). It leaves the sender's Reply-To headers (if any) unaltered during mail transfer. Instead of this, the Liberationtech mailing list is configured as follows: (b) Where are replies to list messages directed? Poster is *strongly* recommended for most mailing lists. - Poster X This list - Explicit address (c) _ With this setting, whenever a subscriber Q sends a message to the list, the software adds a Reply-To header pointing to L, which is the address of the list itself. The message is then passed on to the subscribers. The meaning of the added Reply-To header is, Q asks that you reply to her at L. [3] Note that this is false information; Q does not ask that. EXAMPLE OF DANGER Matt Mackall has suggested that, here of all places, people might get hurt as a consequence of this configuration [4]. I agree. Here's a brief example of how people might get hurt: 1. Subscriber P is in a vulnerable situation. P is distacted by the situation and is not getting a lot of sleep. 2. P asks the mailing list for advice on the situation, because that's the purpose of the list. 3. Subscriber Q replies with helpful information. The mailing list adds a Reply-To header to Q's message that points to address L. Again, the mis-information is, Q asks that you reply to her at L. [3] 4. P replies with private information, including (as Matt puts it) a potentially life-endangering datum. Tired and distracted, P replies by hitting the standard Reply button. In the mail client, this means reply to Q. The reply goes instead to L, which is the public mailing list. Oh my god! What have I done! 5. People get hurt. Isn't this a danger? POSSIBLE EXPLOIT THAT INCREASES THE DANGER Suppose that P is actually a police operative in an authoritarian state, or a criminal operative in a failed state. He only pretends to be a vulnerable activist (say). His real aim is to hurt the activists and other opponents; damage the university's reputation; close down the mailing list; make democracy look foolish [5]; and finally make some money in the bargain [6]. The likelihood of his success is roughly proportional to the amount of harm suffered by the activists and other innocent people. If such an exploit were even *perceived* to be feasible, then the mis-configuration of the mailing list would not only be exposing the public to a
[liberationtech] (advice sought) Public safety and configuration of list
To the experts in Liberationtech, Air-L and Mailman lists, (cc General Counsel of Stanford University) Stanford University has configured the Liberationtech mailing list in a manner that is potentially unsafe. University staff are aware of the problem and are evalutating the situation, but have yet to take action. I'm a subscriber to the list, and I ask your advice. SITUATION The Liberationtech mailing list is run by Stanford University in connection with its Program on Liberation Technology. That program investigates the use of IT to defend human rights, improve governance, empower the poor, promote economic development, and pursue a variety of other social goods. [1] Experts on the list advise and inform on matters such as encrypting communications, protecting infrastructure from cyber attack, and protecting onself from personal danger. Often those seeking help are in vulnerable situations. They include aid workers, reporters and activists who live and work in environments where human rights are not well respected, or where the government is too weak to protect people from organized criminals, rival militias, and so forth. The list software is GNU Mailman. The administration interface includes the following configuration items: [2] (a) Should any existing Reply-To: header found in the original message be stripped? If so, this will be done regardless of whether an explict Reply-To: header is added by Mailman or not. X No - Yes (b) Where are replies to list messages directed? Poster is *strongly* recommended for most mailing lists. X Poster - This list - Explicit address (c) _ Shown above is the default, recommended setting of (1 No, 2 Poster). It leaves the sender's Reply-To headers (if any) unaltered during mail transfer. Instead of this, the Liberationtech mailing list is configured as follows: (b) Where are replies to list messages directed? Poster is *strongly* recommended for most mailing lists. - Poster X This list - Explicit address (c) _ With this setting, whenever a subscriber Q sends a message to the list, the software adds a Reply-To header pointing to L, which is the address of the list itself. The message is then passed on to the subscribers. The meaning of the added Reply-To header is, Q asks that you reply to her at L. [3] Note that this is false information; Q does not ask that. EXAMPLE OF DANGER Matt Mackall has suggested that, here of all places, people might get hurt as a consequence of this configuration [4]. I agree. Here's a brief example of how people might get hurt: 1. Subscriber P is in a vulnerable situation. P is distacted by the situation and is not getting a lot of sleep. 2. P asks the mailing list for advice on the situation, because that's the purpose of the list. 3. Subscriber Q replies with helpful information. The mailing list adds a Reply-To header to Q's message that points to address L. Again, the mis-information is, Q asks that you reply to her at L. [3] 4. P replies with private information, including (as Matt puts it) a potentially life-endangering datum. Tired and distracted, P replies by hitting the standard Reply button. In the mail client, this means reply to Q. The reply goes instead to L, which is the public mailing list. Oh my god! What have I done! 5. People get hurt. Isn't this a danger? POSSIBLE EXPLOIT THAT INCREASES THE DANGER Suppose that P is actually a police operative in an authoritarian state, or a criminal operative in a failed state. He only pretends to be a vulnerable activist (say). His real aim is to hurt the activists and other opponents; damage the university's reputation; close down the mailing list; make democracy look foolish [5]; and finally make some money in the bargain [6]. The likelihood of his success is roughly proportional to the amount of harm suffered by the activists and other innocent people. If such an exploit were even *perceived* to be feasible, then the mis-configuration of the mailing list would not only be exposing the public to a haphazard danger, but also providing the means and incentive to orchestrate and amplify that danger. Might not this exploit be perceived as feasible? INTERIM RECOMMENDATION While Stanford University is evaluating these safety concerns and has yet to make a decision, it should return the configuration to its default setting. The default setting is known to be safe. -- Michael Allan Toronto, +1 416-699-9528 http://zelea.com/ NOTES [1] https://mailman.stanford.edu/mailman/listinfo/liberationtech http://liberationtechnology.stanford.edu/ [2] The meaning of configuration variables (a,b,c) is defined