Hi everybody,

The Kirschner email is very long.  That is for one reason: to avoid
answering the important questions.

How long was our data accessible (years, months)?

How many times was our data accessed during that time?

How many different users accessed the data?

Why doesn't his email mention the financial[1] data vulnerability?

Why didn't he disclose the financial data vulnerability in March 2018
and simply depart on paternity leave, hoping other people would tidy up
the mailing list security?

Which law was violated?  Germans have laws for so many things yet he
doesn't give an example of which law is relevant in this case.  The
email below doesn't reference any specific part of the German legal
code.  It looks like he just uses the word "legal" over and over again
for intimidation, like an abusive partner who is always saying "divorce"
to scare their spouse.

As people have to log in to download the data, he knows the name of
every user who downloaded the data.  Why didn't he provide a list of
every user who downloaded the data, why does he only give the name of
one person, why did he hide all the other names from you and focus his
tirade on your elected Fellowship representative?

Is he trying to fool you to focus on a scapegoat when you should focus
your attention on Kirschner himself?

How come I can spot all these holes in his argument within 15 minutes of
reading his abusive email, despite having no legal training?

How much FSFE money was spent on lawyers to write the intimidating email
below?

If any law was broken, legal counsel would have told him already.
Eleven days have passed since unavoidable measures were taken to warn
the community about Kirschner's censorship regime.  The email below is
just more evidence of bully tactics in FSFEland.

I'm not the least bit scared of this pathetic behavior.

The fact is that this data was willfully disclosed to hundreds of people
by FSFE through lists.fsfe.org.  The long intimidating email from
Kirschner proves one thing: this is not a community, it is a
dictatorship.  Kirschner indulges himself in hurting and blaming
volunteers, yet despite the fact he is on a salary, he accepts no
responsibility for multiple incidents involving mailing lists.

As elected Fellowship representative, it was my responsibility to give
people the truth about this organization.  Kirschner sabotaged my
communications with the community throughout 2018.  Letting you know
about that sabotage was not a crime, it was one of the core
responsibilities of the role.  Even after resigning, I still have a
responsibility to let you know that my communications were subject to
censorship, coercion and other forms of sabotage.

If you saw Kirschner kicking a volunteer at a free software event, what
would you do to stop him?  How is his email any better than that?

Regards,

Daniel


1. https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000088.html

On 13/05/2019 17:35, Joe Awni wrote:
> Forwarded this here in case my inquiry is blocked on the FSFE list. 
> 
> ---------- Forwarded message ---------
> From: Joe Awni <[email protected]>
> Date: Mon, May 13, 2019 at 11:34 AM
> Subject: Re: Further facts about data breach
> To: [email protected]
> 
> 
> Mr. Kirschner,
> 
> I believe we are all interested to hear more details about this in an
> open forum where fellows can post questions.
> 
> Would you agree to discuss the circumstances of the events of May 2nd in
> a live-streamed video chat with myself on YouTube?
> 
> -Joe Awni
> 
> On Mon, May 13, 2019 at 11:11 AM Matthias Kirschner <[email protected]> wrote:
> 
>     Dear all,
> 
>     The FSFE values your privacy and deeply regrets the incident that
>     occurred on 2 May 2019 that resulted in the unauthorized use of your
>     information, and the ensuing events that transpired. We apologise for
>     the delay in our response, but we wished to conduct an investigation to
>     accurately determine how and what exactly happened. Resulting from our
>     investigation, here are summaries of what took place as we understand
>     it.
> 
>     **TL;DR: In brief, your email addresses were used by a third party to
>     create another mailing list, unaffiliated with and without the consent
>     and prior knowledge of the FSFE, on the web infrastructure of another
>     company. Shortly afterwards, the third party then ran automation scripts
>     to unsubscribe all members of the FSFE's list, which resulted in you
>     receiving emails requesting your confirmation to unsubscribe from the
>     FSFE's lists. The FSFE has informed the relevant Federal authorities in
>     Germany of this breach, and we are in contact with legal counsel to
>     explore our options to ensure that our communities are protected.**
> 
>     To get into greater detail, the FSFE operates a number of mailing lists
>     using the subdomain "lists.fsfe.org", as you are aware. Among these
>     lists are [email protected] (the "FSFE Discussion List") and
>     [email protected]. Both these lists shall hereinafter be referred
>     to collectively as the "FSFE Lists".
> 
>     On or before 2 May 2019, Daniel Pocock and/or Ready Technology (UK)
>     Limited obtained approximately 800 email addresses from the FSFE Lists,
>     either from the FSFE website or through other means, without the consent
>     of the FSFE or of the individual subscribers of the FSFE Lists. It is
>     our understanding that Pocock and/or Ready Technology (UK) Limited was
>     able to obtain these email addresses because they were subscribed to the
>     mailing list and therefore had access to view the register. Up until 2
>     May 2019, subscribers of the FSFE Lists were able to view a register of
>     the emails subscribed to these mailing lists, on the FSFE website. These
>     registers are password protected, and therefore not available for the
>     general public at large to access. We have since set the register of
>     subscriber emails on our mailing lists to be only viewable by the list
>     administrators.
> 
>     Pocock and/or Ready Technology (UK) Limited then set up a mailing list
>     called [email protected] (the "Unaffiliated List"), using
>     the email addresses obtained from the FSFE Lists with neither the
>     consent nor knowledge of the FSFE or of the individual subscribers of
>     the FSFE Lists. The Unaffiliated List is not affiliated with the FSFE in
>     any way.
> 
>     Pocock then sent an unsolicited mass email on 2 May 2019 to the
>     Unaffiliated List under the subject line “[Discussion] censorship in
>     FSFE, Debian, Mozilla and other communities”
>     (https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000000.html).
>     It included the statement "If you wish to unsubscribe, please visit
>     here", which linked to the management interface for the FSFE Discussion
>     List. The statement was vague enough to mislead a number of people into
>     thinking that clicking on such link would allow them to unsubscribe from
>     the Unaffiliated List. This email did not contain any information on how
>     to unsubscribe from the Unaffiliated List.
> 
>     Information on how to unsubscribe from the Unaffiliated List was
>     provided in a later email sent by Pocock on the same day, under the
>     subject line “[Discussion] unsubscribing and transparency”
>     (https://lists.fsfellowship.eu/pipermail/discussion/2019-May/000016.html),
>     together with the unsubscribe information for the FSFE Discussion List.
>     Further, the email contained the statement: "if you have technical
>     problems unsubscribing, please ask on IRC or simply email system-hackers
>     at lists.fsfe.org and we'll work it out behind the scenes as
>     professionals." This statement misrepresented Pocock and/or Ready
>     Technology (UK) Limited to be an official representative(s) of the FSFE.
> 
>     Mailing list software commonly injects so-called list management headers
>     into e-mails sent through the list. Among other things, these headers
>     can provide a way to unsubscribe from the mailing list. The e-mails sent
>     on 2 May 2019 contained the relevant list management headers, but the
>     unsubscribe interface indicated in the headers was not functioning for
>     all subscribers correctly.
> 
>     Additionally, unsubscribe requests for all members of the FSFE
>     Discussion List were automatically generated on two separate occasions:
>     on 2 May 2019 and 5 May 2019 (one of them proven to be from Pocock),
>     regardless of whether or not they had requested to be unsubscribed from
>     the FSFE Discussion List. This resulted in members receiving emails
>     requesting them to confirm their unsubscribe request from the FSFE
>     Discussion List.
> 
>     We have gathered enough evidence to be confident that these are the
>     events that transpired, and also to identify the parties involved in the
>     breach. Accordingly, we have banned all relevant email addresses from
>     the FSFE web infrastructure. We have also reached out to Pocock last
>     week informing him of our understanding of these events and the
>     consequences, in order to give him an opportunity to comment on or
>     clarify any of the points made above. As of the sending of this email,
>     we have not received word from him.
> 
>     The FSFE has been in contact with legal counsel to understand our
>     options and the steps that we will take to ensure the protection of our
>     communities and its data. We have reached out specifically to the
>     relevant German Data Protection Authorities to inform them of the data
>     breach, and to receive any advice that they may provide on this matter.
> 
>     We ask you for your patience and understanding, and once again, we
>     apologise for any problems that the events of the past weeks may have
>     caused you. We will keep you updated as the situation develops, and want
>     to assure you that the FSFE remains dedicated to our mission to promote
>     and further the development of Free Software.
> 
>     Best Regards,
>     Matthias
> 
>     -- 
>     Matthias Kirschner - President - Free Software Foundation Europe
>     Schönhauser Allee 6/7, 10119 Berlin, Germany | t +49-30-27595290
>     Registered at Amtsgericht Hamburg, VR 17030  | (fsfe.org/support)
>     Contact (fsfe.org/about/kirschner)       Weblog k7r.eu/blog.html
>     _______________________________________________
>     Discussion mailing list
>     [email protected]
>     https://lists.fsfe.org/mailman/listinfo/discussion
> 
>     This mailing list is covered by the FSFE's Code of Conduct. All
>     participants are kindly asked to be excellent to each other:
>     https://fsfe.org/about/codeofconduct
> 
> 
> _______________________________________________
> Discussion mailing list
> [email protected]
> https://lists.fsfellowship.eu/mailman/listinfo/discussion
> 
