texascavers Digest 16 Dec 2009 14:14:37 -0000 Issue 921
Topics (messages 13024 through 13027):
Re: Can TSA be trusted with email addresses?
13024 by: Butch Fralia
13025 by: Rod Goke
Re: Officer's powers
13026 by: Mark.Alman.l-3com.com
Re: Subscribers to digital publications
13027 by: Mark.Alman.l-3com.com
Administrivia:
To subscribe to the digest, e-mail:
<[email protected]>
To unsubscribe from the digest, e-mail:
<[email protected]>
To post to the list, e-mail:
<[email protected]>
----------------------------------------------------------------------
--- Begin Message ---
While it's possible that a malware program could harvest e-mail addresses for
TSA members it's not very likely. It would have to be a specially written
program that new how the display page is structured. It would also have to be
installed on the computer of a person with member access. Else it would have
to be a pretty good hacker to hack the web server itself for access.
There are programs that search the web looking for unprotected e-mail
addresses. Those e-mail addresses are sold to advertisers and spammers. These
are called spiders. We have spiders search the TSA website almost daily
looking for e-mail addresses. You can see it in the statistical analysis
programs available with the website. They cannot get into the member area.
There isn't a function set up to download all the online registered members. I
have software that could do that but requires root access to the website that
I'm the only one who has (there's a backup person with the root access
information but not the software. The webhosting employees could dump the
information and they should do so often to back up the website. I have to
identify the IP address of my computer in the website control software to allow
access to the membership list.
The members list as seen in the member area is in an online database. That
database has its own password. The queries that access the data run on the
server and aren't seen off the server except by a TSA webmaster. The list uses
dynamic code to produce the member list you see. All that code executes on the
server and can't be seen by the outside world by right clicking in the browser
window and selecting view source.
Viewing the page requires a member be logged in to the website. It would be
theoretically possible to intercept the information exchanged by your computer
and the web-server but you'd have to be intercepted from somewhere on the
internet backbone, at your ISP, or the web-server. I don't think there's that
much interest in doing that with TSA data. There are 100 verified registered
users and 95 of those are showing on the member list. There's an option you
can select when you register or you can update to display your information on
the user list. There are apparently five people who have clicked No - don't
display me. If you don't want your information see outside the database,
select no for the question display me on the member list.
The e-mail addresses that are displayed are spoofed with a spoofing technique
that allows them to be read and displayed correctly by your browser and e-mail
program. To the knowledge of people who study such things, no one has changed
the spider software to include checking for this spoofing. It must work
because my e-mail address is publicly viewable on a number of websites but I
get a pretty low level of SPAM. For that matter, there are so many
unprotected/unspoofed e-mail addresses to swamp most databases so why bother?
I don't know if this puts anyone's mind at ease but it's the way it works.
Happy Holidays,
Butch Fralia
-----Original Message-----
From: Rod Goke [mailto:[email protected]]
Sent: Tuesday, December 15, 2009 8:49 PM
To: Charles Goldsmith; Rod Goke
Cc: TexasCavers
Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
Charles,
I agree with your technical comments about the many ways that malware can be
used to harvest email addresses and other data and that there is no way to
protect an email address 100% while using it for its normal purpose. That
doesn't imply, however, that there is no point in trying reduce risk. Listening
to a computer professional say "Your email addresses aren't safe anywhere, so
why bother trying to protect them?" is like listening to restaurant cook say
"You're not safe from germs anywhere, so why bother washing hands or dishes?"
Like many email users, I've been using 2 email addresses for a number of years.
I've used both of them frequently, but one I've tried to keep away from
potential spam risks wherever practical and the other I've given out more
freely. Of the two, the more protected one remained spam free much longer
(about the first 2 years), and even after it began receiving spam, the quantity
of spam received on the more protected address has remained conspicuously less
than that received on the less protected address. This difference has remained
noticeable even though I have used the more protected address frequently on
Texascavers and for communication with numerous individuals.
Someone with a much more carefully guarded email address still should be able
to use it very safely in limited ways on caving related Internet services, as
long as the people running those services practice reasonable privacy policies.
For example, someone can subscribe to Texascavers without exposing his email
address to everyone on the list as long as he only uses the subscription to
receive messages from Texascavers, without ever posting to it (assuming, of
course, that you don't change your policy and start allowing users to download
the Texascavers address list).
Similarly, TSA could serve its online users much more safely if it simply
separated the email address list used for online registration from that
published in a "members manual". With this convention, a member could be
assured that the email address he uses for online registration will be used
only for that purpose and for "official" email sent to him by TSA and that this
address would NOT automatically appear on any list made available to the
general membership. For his listing in a "members manual" style list, each
member could specify separately what, if any, email address he wants published.
This would allow each user to choose whether to publish the same email address,
a different (less protected) address, or none at all.
Rod
-----Original Message-----
>From: Charles Goldsmith <[email protected]>
>Sent: Dec 15, 2009 4:09 PM
>To: Rod Goke <[email protected]>
>Cc: TexasCavers <[email protected]>
>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>
>Rod, that wasn't a personal attack, if you took it as such, you need
>to re-read my message and think about how it was meant.
>
>The TSA having this list is no different than the NSS keeping a list
>of its members, and sending that list out in book format, plain and
>simple.
>
>Harvesting emails from a mailing list is very very simple, I have the
>complete list as owner of the list, but even another list, I can
>harvest with a simple script that would only take me a few minutes to
>write.
>
>It was a tongue in cheek comment about writing down email addresses by
>hand. Scammers/Spammers/Phishers don't do anything manually.
>
>Modern email applications cache email addresses that it sees, Malware
>can and does use these lists to send out spam. We've seen it recently
>on the mailing list.
>
>Your email address is not safe anywhere, you will just have to learn
>to face that fact in this modern age.
>
>Charles
>
>On Tue, Dec 15, 2009 at 2:23 PM, Rod Goke <[email protected]> wrote:
>> Charles,
>>
>> Your message below really misses the the point, and your personal attacks
>> are totally unwarranted. Of course, we all run some risk that our email
>> addresses will somehow get to spammers whenever we send them to anyone.
>> Whenever you or I or anyone else posts a message to Texascavers we
>> understand that our email addresses will be visible to others on the list,
>> and we choose to do that. Harvesting email addresses one at a time from
>> postings to this list as you suggested would be possible, of course, but it
>> would be a slow and inconvenient way to collect a large list for spam, and I
>> don't think either of us is seriously worried about that.
>>
>> The primary hazard is not that anyone in TSA or other caving organizations
>> will deliberately pass information to spammers, but rather that some people
>> downloading information with good intentions will inadvertently store it
>> where spyware or other malware on an infected computer can search the
>> downloaded files for email addresses, phone numbers, or other information
>> that writers of the malware wish to harvest. This is something that easily
>> can happen, and when it does, the person making information available to the
>> malware might be totally unaware of what is going on. When people download
>> individual email messages or other data items containing only a few email
>> addresses or other sensitive items, then only those few items are vulnerable
>> to harvesting by malware in any one incident. When people download an entire
>> mailing list, however, then just one incident on one inadvertently infected
>> computer can result in harvesting of the entire list. When many people
>> download the list to many different computers, the risk to everyone on the
>> list increases accordingly.
>>
>> So far as I know, the subscribers to Texascavers are not allowed to download
>> that entire email address list, and I trust that Texascavers will continue
>> to be managed in this responsible manner, especially since I haven't noticed
>> any demand to do otherwise. The discussions I've heard and read about the
>> TSA's online data resources, however, create much more uncertainty about how
>> they will be managed. This is why it is important to have serious
>> discussions of the issues beforehand to prevent problems, especially when
>> some of them could be prevented so easily with a few minor policy decisions.
>>
>> Rod
>>
>>
>> -----Original Message-----
>>>From: Charles Goldsmith <[email protected]>
>>>Sent: Dec 15, 2009 10:48 AM
>>>To: Rod Goke <[email protected]>
>>>Cc: Bill Bentley <[email protected]>, John Brooks <[email protected]>,
>>>Mark Alman <[email protected]>, TexasCavers <[email protected]>
>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>>
>>>Rod, your paranoia is unwarranted here, only by the fact that over 360
>>>people have your email address and each others. Anyone of them could
>>>harvest most of the emails after a bit of time by keeping track of who
>>>posted an email to this list.
>>>
>>>Do you completely trust every one of these 360 people? The odds that
>>>one of them would sell out is far greater than one of the "TSA"
>>>people, who are duly elected by some of these people.
>>>
>>>If the TC goes free, it won't be in the password protected section, it
>>>will be available on the front page.
>>>
>>>Blaming the TSA for something that has never happened is just bad
>>>press, and you should know better, as a member of the TSA.
>>>
>>>Charles
>>>
>>>On Tue, Dec 15, 2009 at 8:56 AM, Rod Goke <[email protected]> wrote:
>>>> For the record, I like TSA, too, which is why I've maintained my TSA
>>>> membership ever since moving to Texas about 25 years ago. I, too, think
>>>> that Mark has been doing a great job as editor, and I much appreciate the
>>>> dedicated work that he and other TSA volunteers have been doing. Nor do I
>>>> blame TSA for the small amount of spam that occasionally slips through the
>>>> filters into my email account. (How could I blame TSA for that when they
>>>> don't even have my email address? ;-) )
>>>>
>>>> I still am not confident, however, that TSA can be trusted to handle our
>>>> email addresses responsibly. Look at Jerry's observation that TSA already
>>>> has placed an online listing of its electronically registered members on
>>>> its password protected website. Then look at Gill's recent proposal to
>>>> make online access to the Texas Caver free for nonmembers. Neither of
>>>> these things necessarily involves an irresponsible release of TSA members'
>>>> email addresses when considered separately (although I still would rather
>>>> not have my email address on even a members-only password protected online
>>>> list). When both of these things are considered together, however, along
>>>> with all the other turmoil about TSA digital publication policies, it is
>>>> easy to imagine how people might provide their email addresses to TSA
>>>> assuming one seemingly responsible privacy policy, only to discover later
>>>> that TSA has changed its mind and has made the email address list more
>>>> widely accessible than people had expected when they provided their
>>>> addresses.
>>>>
>>>> I chose to "throw this stone into the hornets nest," because I wanted
>>>> people to actually start thinking about the issue, instead of just telling
>>>> us "don't worry, be happy." The problem would be easy to fix if TSA simply
>>>> would make a commitment to its members that no member's email address will
>>>> be included in any online list unless that member explicitly "opts in" for
>>>> inclusion in the list. TSA members need to be able to register for website
>>>> access without having their email addresses published in an online list.
>>>>
>>>> Rod
>>>>
>>>> -----Original Message-----
>>>>>From: Bill Bentley <[email protected]>
>>>>>Sent: Dec 14, 2009 11:17 AM
>>>>>To: John Brooks <[email protected]>
>>>>>Cc: TexasCavers <[email protected]>
>>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>>>>
>>>>>For the record Mark, I wasn't blaming nor condeming the TSA, I was just
>>>>>stating the fact that I get hundreds of thousands of spam emails.
>>>>>Mark, I like the TSA and I think I get my moneys worth from volunteers who
>>>>>are very much appreciated.
>>>>>
>>>>>Bill
>>>>>----- Original Message -----
>>>>>From: "John Brooks" <[email protected]>
>>>>>To: "Bill Bentley" <[email protected]>
>>>>>Cc: "Rod Goke" <[email protected]>; "TexasCavers"
>>>>><[email protected]>; "Rod Goke" <[email protected]>
>>>>>Sent: Monday, December 14, 2009 9:24 AM
>>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>>>>
>>>>>
>>>>>> The TSA has my e mail.....and I get....oh maybe one or two junk mail
>>>>>> messages per WEEK.
>>>>>> Paranoia runs deep concerning e mail spam. But unjustly condemning the
>>>>>> TSA
>>>>>> for something they are not doing or really at fault for......hardly seems
>>>>>> fair or reasonable.
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>> On Dec 14, 2009, at 6:37 AM, "Bill Bentley" <[email protected]> wrote:
>>>>>>
>>>>>> Rod,
>>>>>> My [email protected] email address gets a spam email message every 2 to 3
>>>>>> seconds... literally thousands per hour... all of it goes into a spam
>>>>>> folder and good spam sorting software on the email server helps me
>>>>>> figure
>>>>>> what is crap and what is not... End of the day I am deleting a lot of
>>>>>> spam... If someone were to go after the companies who are advertisng the
>>>>>> drugs, diplomas and sex services then it mifght help curb it. I feel that
>>>>>> a complete overhaul of how email works wouold be the answer, since you
>>>>>> can
>>>>>> currently send from and have the reply to address be different. A lot of
>>>>>> the spam I gets looks as if it is coming to me from me... but buried in
>>>>>> the header I find that it comes from Korea or China...
>>>>>>
>>>>>> Bill
>>>>>> ----- Original Message ----- From: "Rod Goke" <[email protected]>
>>>>>> To: "TexasCavers" <[email protected]>
>>>>>> Cc: "Rod Goke" <[email protected]>
>>>>>> Sent: Monday, December 14, 2009 2:04 AM
>>>>>> Subject: [Texascavers] Can TSA be trusted with email addresses?
>>>>>>
>>>>>>
>>>>>> All this talk about electronic vs. paper publication of the Texas Caver
>>>>>> reminds me of a related issue:
>>>>>>
>>>>>> Is it safe to give your email address to TSA?
>>>>>>
>>>>>> For years TSA has been asking for our email addresses on the membership
>>>>>> renewal forms, and I have been refusing to give them mine. During this
>>>>>> same period, however, I have been providing my email address (along with
>>>>>> mailing address and phone numbers) to the UT Grotto for publication in
>>>>>> their "UT Grotto Phone List". Why is it that I have felt that my email
>>>>>> address was sufficiently safe with the UT Grotto but not with TSA? The
>>>>>> answer is that the "UT Grotto Phone List" is published only in paper
>>>>>> form,
>>>>>> where email addresses and other personal information is not likely to be
>>>>>> harvested by spammers, telemarketers, search engines, etc.
>>>>>>
>>>>>> I don't have that kind of confidence in TSA, however, because for years,
>>>>>> I've heard various people within TSA advocating expanded use of digital
>>>>>> publication without adequately considering the negative consequences of
>>>>>> what they are advocating. Most disturbing has been the proposal I've
>>>>>> heard
>>>>>> from time to time that TSA publish its membership list information
>>>>>> electronically, perhaps by placing it on a web site. This might be cheap
>>>>>> and convenient for TSA to implement and for TSA members to use, but it
>>>>>> also could make our personal information much more vulnerable to
>>>>>> automated
>>>>>> harvesting by those who would use it in ways we never intended. Once our
>>>>>> email addresses, cell phone numbers, etc. have been harvested from a
>>>>>> digitally published list, there would be no cheap and convenient way to
>>>>>> undo the damage. How can we be confident that the continuing push towards
>>>>>> digital publication within TSA will not lead to ill considered digital
>>>>>> publication of email addresses
>>>>>> and other information vulnerable to automated harvesting?
>>>>>>
>>>>>> Rod
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> Visit our website: http://texascavers.com
>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>> For additional commands, e-mail: [email protected]
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> Visit our website: http://texascavers.com
>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>> For additional commands, e-mail: [email protected]
>>>>>>
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> Visit our website: http://texascavers.com
>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>> For additional commands, e-mail: [email protected]
>>>>>>
>>>>>
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>Visit our website: http://texascavers.com
>>>>>To unsubscribe, e-mail: [email protected]
>>>>>For additional commands, e-mail: [email protected]
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> Visit our website: http://texascavers.com
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
>>>>
>>>>
>>
>>
>
>---------------------------------------------------------------------
>Visit our website: http://texascavers.com
>To unsubscribe, e-mail: [email protected]
>For additional commands, e-mail: [email protected]
>
---------------------------------------------------------------------
Visit our website: http://texascavers.com
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
--- End Message ---
--- Begin Message ---
Thanks, Butch, for the detailed and informative explanation. It's reassuring to
know that someone has given that much attention to security issues in the
current implementation. From a security standpoint, it is particularity
reassuring to know you are satisfied that the spiders can't get into the member
area and that users can't download the complete list to their local machines,
where it potentially could be attacked by local malware. I was primarily
concern about the potential vulnerability of TSA data to the various types of
malware that are so common now, and it appears that you have that under
control. I'm less concerned about anyone putting much effort into a specialized
attack aimed specifically at TSA, because we aren't that tempting a target.
The fact that members can't download the complete list is good for security,
but it might become a limitation that members will want to overcome if TSA
decides to switch entirely to electronic publication and wants to publish a
"members manual" that members can download and print. Do you think there is
some sufficiently secure way to download and print a document without it being
vulnerable to data harvesting by malware on an infected local machine? There
probably is no immediate need for this, but I'd be interested in your thoughts,
since it might become a future issue.
Separating the email address list used for online registration from that
published in a "members manual" (as described in my previous message) is still
something I think would be worthwhile, especially if TSA decides to publish a
downloadable and printable "members manual."
Rod
-----Original Message-----
>From: Butch Fralia <[email protected]>
>Sent: Dec 16, 2009 12:19 AM
>To: 'Rod Goke' <[email protected]>, 'Charles Goldsmith' <[email protected]>
>Cc: 'TexasCavers' <[email protected]>
>Subject: RE: [Texascavers] Can TSA be trusted with email addresses?
>
>While it's possible that a malware program could harvest e-mail addresses for
>TSA members it's not very likely. It would have to be a specially written
>program that new how the display page is structured. It would also have to be
>installed on the computer of a person with member access. Else it would have
>to be a pretty good hacker to hack the web server itself for access.
>
>There are programs that search the web looking for unprotected e-mail
>addresses. Those e-mail addresses are sold to advertisers and spammers.
>These are called spiders. We have spiders search the TSA website almost daily
>looking for e-mail addresses. You can see it in the statistical analysis
>programs available with the website. They cannot get into the member area.
>
>There isn't a function set up to download all the online registered members.
>I have software that could do that but requires root access to the website
>that I'm the only one who has (there's a backup person with the root access
>information but not the software. The webhosting employees could dump the
>information and they should do so often to back up the website. I have to
>identify the IP address of my computer in the website control software to
>allow access to the membership list.
>
>The members list as seen in the member area is in an online database. That
>database has its own password. The queries that access the data run on the
>server and aren't seen off the server except by a TSA webmaster. The list
>uses dynamic code to produce the member list you see. All that code executes
>on the server and can't be seen by the outside world by right clicking in the
>browser window and selecting view source.
>
>Viewing the page requires a member be logged in to the website. It would be
>theoretically possible to intercept the information exchanged by your computer
>and the web-server but you'd have to be intercepted from somewhere on the
>internet backbone, at your ISP, or the web-server. I don't think there's that
>much interest in doing that with TSA data. There are 100 verified registered
>users and 95 of those are showing on the member list. There's an option you
>can select when you register or you can update to display your information on
>the user list. There are apparently five people who have clicked No - don't
>display me. If you don't want your information see outside the database,
>select no for the question display me on the member list.
>
>The e-mail addresses that are displayed are spoofed with a spoofing technique
>that allows them to be read and displayed correctly by your browser and e-mail
>program. To the knowledge of people who study such things, no one has changed
>the spider software to include checking for this spoofing. It must work
>because my e-mail address is publicly viewable on a number of websites but I
>get a pretty low level of SPAM. For that matter, there are so many
>unprotected/unspoofed e-mail addresses to swamp most databases so why bother?
>
>I don't know if this puts anyone's mind at ease but it's the way it works.
>
>Happy Holidays,
>
>Butch Fralia
>
>
>
>
>-----Original Message-----
>From: Rod Goke [mailto:[email protected]]
>Sent: Tuesday, December 15, 2009 8:49 PM
>To: Charles Goldsmith; Rod Goke
>Cc: TexasCavers
>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>
>Charles,
>
>I agree with your technical comments about the many ways that malware can be
>used to harvest email addresses and other data and that there is no way to
>protect an email address 100% while using it for its normal purpose. That
>doesn't imply, however, that there is no point in trying reduce risk.
>Listening to a computer professional say "Your email addresses aren't safe
>anywhere, so why bother trying to protect them?" is like listening to
>restaurant cook say "You're not safe from germs anywhere, so why bother
>washing hands or dishes?"
>
>Like many email users, I've been using 2 email addresses for a number of
>years. I've used both of them frequently, but one I've tried to keep away from
>potential spam risks wherever practical and the other I've given out more
>freely. Of the two, the more protected one remained spam free much longer
>(about the first 2 years), and even after it began receiving spam, the
>quantity of spam received on the more protected address has remained
>conspicuously less than that received on the less protected address. This
>difference has remained noticeable even though I have used the more protected
>address frequently on Texascavers and for communication with numerous
>individuals.
>
>Someone with a much more carefully guarded email address still should be able
>to use it very safely in limited ways on caving related Internet services, as
>long as the people running those services practice reasonable privacy
>policies. For example, someone can subscribe to Texascavers without exposing
>his email address to everyone on the list as long as he only uses the
>subscription to receive messages from Texascavers, without ever posting to it
>(assuming, of course, that you don't change your policy and start allowing
>users to download the Texascavers address list).
>
>Similarly, TSA could serve its online users much more safely if it simply
>separated the email address list used for online registration from that
>published in a "members manual". With this convention, a member could be
>assured that the email address he uses for online registration will be used
>only for that purpose and for "official" email sent to him by TSA and that
>this address would NOT automatically appear on any list made available to the
>general membership. For his listing in a "members manual" style list, each
>member could specify separately what, if any, email address he wants
>published. This would allow each user to choose whether to publish the same
>email address, a different (less protected) address, or none at all.
>
>Rod
>
>-----Original Message-----
>>From: Charles Goldsmith <[email protected]>
>>Sent: Dec 15, 2009 4:09 PM
>>To: Rod Goke <[email protected]>
>>Cc: TexasCavers <[email protected]>
>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>
>>Rod, that wasn't a personal attack, if you took it as such, you need
>>to re-read my message and think about how it was meant.
>>
>>The TSA having this list is no different than the NSS keeping a list
>>of its members, and sending that list out in book format, plain and
>>simple.
>>
>>Harvesting emails from a mailing list is very very simple, I have the
>>complete list as owner of the list, but even another list, I can
>>harvest with a simple script that would only take me a few minutes to
>>write.
>>
>>It was a tongue in cheek comment about writing down email addresses by
>>hand. Scammers/Spammers/Phishers don't do anything manually.
>>
>>Modern email applications cache email addresses that it sees, Malware
>>can and does use these lists to send out spam. We've seen it recently
>>on the mailing list.
>>
>>Your email address is not safe anywhere, you will just have to learn
>>to face that fact in this modern age.
>>
>>Charles
>>
>>On Tue, Dec 15, 2009 at 2:23 PM, Rod Goke <[email protected]> wrote:
>>> Charles,
>>>
>>> Your message below really misses the the point, and your personal attacks
>>> are totally unwarranted. Of course, we all run some risk that our email
>>> addresses will somehow get to spammers whenever we send them to anyone.
>>> Whenever you or I or anyone else posts a message to Texascavers we
>>> understand that our email addresses will be visible to others on the list,
>>> and we choose to do that. Harvesting email addresses one at a time from
>>> postings to this list as you suggested would be possible, of course, but it
>>> would be a slow and inconvenient way to collect a large list for spam, and
>>> I don't think either of us is seriously worried about that.
>>>
>>> The primary hazard is not that anyone in TSA or other caving organizations
>>> will deliberately pass information to spammers, but rather that some people
>>> downloading information with good intentions will inadvertently store it
>>> where spyware or other malware on an infected computer can search the
>>> downloaded files for email addresses, phone numbers, or other information
>>> that writers of the malware wish to harvest. This is something that easily
>>> can happen, and when it does, the person making information available to
>>> the malware might be totally unaware of what is going on. When people
>>> download individual email messages or other data items containing only a
>>> few email addresses or other sensitive items, then only those few items are
>>> vulnerable to harvesting by malware in any one incident. When people
>>> download an entire mailing list, however, then just one incident on one
>>> inadvertently infected computer can result in harvesting of the entire
>>> list. When many people download the list to many different computers, the
>>> risk to everyone on the list increases accordingly.
>>>
>>> So far as I know, the subscribers to Texascavers are not allowed to
>>> download that entire email address list, and I trust that Texascavers will
>>> continue to be managed in this responsible manner, especially since I
>>> haven't noticed any demand to do otherwise. The discussions I've heard and
>>> read about the TSA's online data resources, however, create much more
>>> uncertainty about how they will be managed. This is why it is important to
>>> have serious discussions of the issues beforehand to prevent problems,
>>> especially when some of them could be prevented so easily with a few minor
>>> policy decisions.
>>>
>>> Rod
>>>
>>>
>>> -----Original Message-----
>>>>From: Charles Goldsmith <[email protected]>
>>>>Sent: Dec 15, 2009 10:48 AM
>>>>To: Rod Goke <[email protected]>
>>>>Cc: Bill Bentley <[email protected]>, John Brooks <[email protected]>,
>>>>Mark Alman <[email protected]>, TexasCavers
>>>><[email protected]>
>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>>>
>>>>Rod, your paranoia is unwarranted here, only by the fact that over 360
>>>>people have your email address and each others. Anyone of them could
>>>>harvest most of the emails after a bit of time by keeping track of who
>>>>posted an email to this list.
>>>>
>>>>Do you completely trust every one of these 360 people? The odds that
>>>>one of them would sell out is far greater than one of the "TSA"
>>>>people, who are duly elected by some of these people.
>>>>
>>>>If the TC goes free, it won't be in the password protected section, it
>>>>will be available on the front page.
>>>>
>>>>Blaming the TSA for something that has never happened is just bad
>>>>press, and you should know better, as a member of the TSA.
>>>>
>>>>Charles
>>>>
>>>>On Tue, Dec 15, 2009 at 8:56 AM, Rod Goke <[email protected]> wrote:
>>>>> For the record, I like TSA, too, which is why I've maintained my TSA
>>>>> membership ever since moving to Texas about 25 years ago. I, too, think
>>>>> that Mark has been doing a great job as editor, and I much appreciate the
>>>>> dedicated work that he and other TSA volunteers have been doing. Nor do I
>>>>> blame TSA for the small amount of spam that occasionally slips through
>>>>> the filters into my email account. (How could I blame TSA for that when
>>>>> they don't even have my email address? ;-) )
>>>>>
>>>>> I still am not confident, however, that TSA can be trusted to handle our
>>>>> email addresses responsibly. Look at Jerry's observation that TSA already
>>>>> has placed an online listing of its electronically registered members on
>>>>> its password protected website. Then look at Gill's recent proposal to
>>>>> make online access to the Texas Caver free for nonmembers. Neither of
>>>>> these things necessarily involves an irresponsible release of TSA
>>>>> members' email addresses when considered separately (although I still
>>>>> would rather not have my email address on even a members-only password
>>>>> protected online list). When both of these things are considered
>>>>> together, however, along with all the other turmoil about TSA digital
>>>>> publication policies, it is easy to imagine how people might provide
>>>>> their email addresses to TSA assuming one seemingly responsible privacy
>>>>> policy, only to discover later that TSA has changed its mind and has made
>>>>> the email address list more widely accessible than people had expected
>>>>> when they provided their addresses.
>>>>>
>>>>> I chose to "throw this stone into the hornets nest," because I wanted
>>>>> people to actually start thinking about the issue, instead of just
>>>>> telling us "don't worry, be happy." The problem would be easy to fix if
>>>>> TSA simply would make a commitment to its members that no member's email
>>>>> address will be included in any online list unless that member explicitly
>>>>> "opts in" for inclusion in the list. TSA members need to be able to
>>>>> register for website access without having their email addresses
>>>>> published in an online list.
>>>>>
>>>>> Rod
>>>>>
>>>>> -----Original Message-----
>>>>>>From: Bill Bentley <[email protected]>
>>>>>>Sent: Dec 14, 2009 11:17 AM
>>>>>>To: John Brooks <[email protected]>
>>>>>>Cc: TexasCavers <[email protected]>
>>>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>>>>>
>>>>>>For the record Mark, I wasn't blaming nor condeming the TSA, I was just
>>>>>>stating the fact that I get hundreds of thousands of spam emails.
>>>>>>Mark, I like the TSA and I think I get my moneys worth from volunteers who
>>>>>>are very much appreciated.
>>>>>>
>>>>>>Bill
>>>>>>----- Original Message -----
>>>>>>From: "John Brooks" <[email protected]>
>>>>>>To: "Bill Bentley" <[email protected]>
>>>>>>Cc: "Rod Goke" <[email protected]>; "TexasCavers"
>>>>>><[email protected]>; "Rod Goke" <[email protected]>
>>>>>>Sent: Monday, December 14, 2009 9:24 AM
>>>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses?
>>>>>>
>>>>>>
>>>>>>> The TSA has my e mail.....and I get....oh maybe one or two junk mail
>>>>>>> messages per WEEK.
>>>>>>> Paranoia runs deep concerning e mail spam. But unjustly condemning the
>>>>>>> TSA
>>>>>>> for something they are not doing or really at fault for......hardly
>>>>>>> seems
>>>>>>> fair or reasonable.
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>> On Dec 14, 2009, at 6:37 AM, "Bill Bentley" <[email protected]> wrote:
>>>>>>>
>>>>>>> Rod,
>>>>>>> My [email protected] email address gets a spam email message every 2 to 3
>>>>>>> seconds... literally thousands per hour... all of it goes into a spam
>>>>>>> folder and good spam sorting software on the email server helps me
>>>>>>> figure
>>>>>>> what is crap and what is not... End of the day I am deleting a lot of
>>>>>>> spam... If someone were to go after the companies who are advertisng the
>>>>>>> drugs, diplomas and sex services then it mifght help curb it. I feel
>>>>>>> that
>>>>>>> a complete overhaul of how email works wouold be the answer, since you
>>>>>>> can
>>>>>>> currently send from and have the reply to address be different. A lot of
>>>>>>> the spam I gets looks as if it is coming to me from me... but buried in
>>>>>>> the header I find that it comes from Korea or China...
>>>>>>>
>>>>>>> Bill
>>>>>>> ----- Original Message ----- From: "Rod Goke" <[email protected]>
>>>>>>> To: "TexasCavers" <[email protected]>
>>>>>>> Cc: "Rod Goke" <[email protected]>
>>>>>>> Sent: Monday, December 14, 2009 2:04 AM
>>>>>>> Subject: [Texascavers] Can TSA be trusted with email addresses?
>>>>>>>
>>>>>>>
>>>>>>> All this talk about electronic vs. paper publication of the Texas Caver
>>>>>>> reminds me of a related issue:
>>>>>>>
>>>>>>> Is it safe to give your email address to TSA?
>>>>>>>
>>>>>>> For years TSA has been asking for our email addresses on the membership
>>>>>>> renewal forms, and I have been refusing to give them mine. During this
>>>>>>> same period, however, I have been providing my email address (along with
>>>>>>> mailing address and phone numbers) to the UT Grotto for publication in
>>>>>>> their "UT Grotto Phone List". Why is it that I have felt that my email
>>>>>>> address was sufficiently safe with the UT Grotto but not with TSA? The
>>>>>>> answer is that the "UT Grotto Phone List" is published only in paper
>>>>>>> form,
>>>>>>> where email addresses and other personal information is not likely to be
>>>>>>> harvested by spammers, telemarketers, search engines, etc.
>>>>>>>
>>>>>>> I don't have that kind of confidence in TSA, however, because for years,
>>>>>>> I've heard various people within TSA advocating expanded use of digital
>>>>>>> publication without adequately considering the negative consequences of
>>>>>>> what they are advocating. Most disturbing has been the proposal I've
>>>>>>> heard
>>>>>>> from time to time that TSA publish its membership list information
>>>>>>> electronically, perhaps by placing it on a web site. This might be cheap
>>>>>>> and convenient for TSA to implement and for TSA members to use, but it
>>>>>>> also could make our personal information much more vulnerable to
>>>>>>> automated
>>>>>>> harvesting by those who would use it in ways we never intended. Once our
>>>>>>> email addresses, cell phone numbers, etc. have been harvested from a
>>>>>>> digitally published list, there would be no cheap and convenient way to
>>>>>>> undo the damage. How can we be confident that the continuing push
>>>>>>> towards
>>>>>>> digital publication within TSA will not lead to ill considered digital
>>>>>>> publication of email addresses
>>>>>>> and other information vulnerable to automated harvesting?
>>>>>>>
>>>>>>> Rod
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> Visit our website: http://texascavers.com
>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>> For additional commands, e-mail: [email protected]
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> Visit our website: http://texascavers.com
>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>> For additional commands, e-mail: [email protected]
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> Visit our website: http://texascavers.com
>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>> For additional commands, e-mail: [email protected]
>>>>>>>
>>>>>>
>>>>>>
>>>>>>---------------------------------------------------------------------
>>>>>>Visit our website: http://texascavers.com
>>>>>>To unsubscribe, e-mail: [email protected]
>>>>>>For additional commands, e-mail: [email protected]
>>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> Visit our website: http://texascavers.com
>>>>> To unsubscribe, e-mail: [email protected]
>>>>> For additional commands, e-mail: [email protected]
>>>>>
>>>>>
>>>
>>>
>>
>>---------------------------------------------------------------------
>>Visit our website: http://texascavers.com
>>To unsubscribe, e-mail: [email protected]
>>For additional commands, e-mail: [email protected]
>>
>
>
>---------------------------------------------------------------------
>Visit our website: http://texascavers.com
>To unsubscribe, e-mail: [email protected]
>For additional commands, e-mail: [email protected]
>
--- End Message ---
--- Begin Message ---
Actually, Butch, I have received quite a few requests and have sent them a PDF
file of the newsletter for them to peruse.
It saves the TSA stamps and printing costs and has resulted in some new
members, one being my son.
I haven't kept statistics as to its effectiveness, but, heck, it's cheap and it
has worked!
Mark
________________________________
From: Butch Fralia [mailto:[email protected]]
Sent: Tue 12/15/2009 10:50 PM
To: 'Charles Goldsmith'; 'Gill Edigar'
Cc: [email protected]
Subject: RE: [Texascavers] Officer's powers
On the home page: http://cavetexas.org/index.html of the TSA website
there's a note to prospective members who might like a copy to e-mail the
editor for such. I don't know if anyone has ever done this (asked for a
copy) but it's available from that note.
Butch Fralia
-----Original Message-----
From: Charles Goldsmith [mailto:[email protected]]
Sent: Tuesday, December 15, 2009 4:49 PM
To: Gill Edigar
Cc: [email protected]
Subject: Re: [Texascavers] Officer's powers
Well Said Gill
Charles
On Tue, Dec 15, 2009 at 3:59 PM, Gill Edigar <[email protected]> wrote:
> An observation--
> Officers are elected to run the day-to-day operations of companies,
> organizations, governments, and other such groups of people in lieu of
> having a council or committee mico-managing the trivial details. They are
> expected to make certain decisions on behalf of the organization without
> consulting the entire membership or executive council or board of
governors.
> For instance, they would be expected to go buy a roll of tape or box of
> staples if they were needed for the conduct of business. Likewise, if a
> special mailing were required for a safety alert or an election they could
> conceivably be expected to spend $100 on postage stamps to see the mailing
> got to the members--without asking anybody. That is their job. Along that
> same train of thought, I would suggest that if the Chairman and newsletter
> editor decided to send out free digital copies as advertising to
prospective
> new members of the various college clubs they would have it completely
> within their powers to do so--and be praised for their aggressiveness--and
> need to ask no one's permission. Indeed, there is a long and respected
> history of the TSA doing just that. No board action would be necessary--or
> even expected, for that matter. Especially if no expenditures were
> required.
> Now then, I'm not a TSA member so I would never presume to tell the TSA
how
> to conduct its business. I'm merely speaking as an independent Texas caver
> bystander and interested observer. So, I have been both TSA Chairman and
> TEXAS CAVER editor on more than one occasion over the years. I would
presume
> that most Texas cavers would suspect that I have a bit of experience with
> officer power and responsibilities and how they can get things
> constitutionally accomplished. Believe me, creativity can be a valuable
tool
> in the running of a volunteer organization. Both Davy Crockett and Sam
> Houston used to proclaim, "Be sure you're right and then go ahead." No
> officer will ever be chastised by the membership for handing out free
> advertising supporting the aims and goals of the organization and
> encouraging membership. It is the right thing to do. And no other current
> advertising brochure will fulfill that function better than a free digital
> copy of The TEXAS CAVER sent (or made available) to all non-TSA-member NSS
> cavers in Texas. So now, they can go ahead. No board action is required.
It
> is an officer responsibility. I'm looking forward to seeing old Sam and
Davy
> crack a smile over this one.
> --Ediger
>
>
---------------------------------------------------------------------
Visit our website: http://texascavers.com
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
Visit our website: http://texascavers.com
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
--- End Message ---
--- Begin Message ---
Excellent and very well thought out post, Gill.
I like most of your suggestions and you have provided a lot of food for
thought, prior to the Winter meeting (Sunday, 1/4/10 at the Conference Center
at CBSP at 9AM!).
Ellie and I were talking the other night while discussing the Spring
Convention. She suggested making all of the TEXAS CAVER newsletters over a year
old open to anyone (her idea), after they complete a Subscription form (your
idea and one in which I concur).
I think this would entice them to consider joining the TSA and the desire to
read the newer issues would clinch the deal.
I like this discussion and ways to improve the TSA and attract new members and
to get prior ones to re-join.
Let's just be sure to keep it civil, y'all.
'Tis the season, and all!
Mark
________________________________
From: [email protected] on behalf of Gill Edigar
Sent: Tue 12/15/2009 7:57 PM
To: [email protected]
Subject: [Texascavers] Subscribers to digital publications
On Tue, Dec 15, 2009 at 9:48 AM, Charles Goldsmith <[email protected]> wrote:
If the TC goes free, it won't be in the password protected section, it
will be available on the front page.
That would not be good. But it would not be not good because of the reason
being discussed here--spam, etc. There's another...
Now I'm gonna tell you what I'm gonna tell you then I'm gonna tell you why--two
paragraphs.
The process should be some variation of this:
Cavers can get 'invited to subscribe' to The TEXAS CAVER by any of several
means--from the TSA or Grotto Home Pages, at Grotto meetings, the TSA
convention, TCR, from fellow cavers, from handouts at projects such as CBSP,
Gov Canyon, Punkin & Deep, etc, or basically any way and place that cavers get
together.
Then, the caver will go to the link on the TSA web site and navigate to the
Subscribe to The TEXAS CAVER button.
Then, the caver will be asked for some vital information such as name,
address, etc, NSS number, Grotto affiliation (or independent), and maybe even
personal info such as family member names (which are mostly for photo
identification purposes, not for publication, etc), age, years caving, and a
brief caving bio, and the all important email address (which does not have to
be the caver's primary one). Most of this info will be voluntary. Basically all
that will be needed is a name and an email address and a password.
The caver will also be asked to furnish a password for accessing his or her
own personal subscription information.
Then, whenever a new CAVER is ready to mail (or some breaking TSA
caver-worthy news) the caver will be sent a message telling him or her to go
access his or her subscription account, and to download a free digital copy of
whatever is being offered--TEXAS CAVER or whatever. There could be some
restrictions as to which publications can be downloaded without being a TSA
member, such as a Members Manual, meeting minutes, etc.
Then, they can download it and print it out in any way they choose,
archiving the digital copy for posterity, and getting back to doing whatever
they were doing before--or maybe read The CAVER.
The mechanics of that process are not too hard to visualize--I hope. But there
are some questions, I'm sure. So here are a few 'whys' to dispel some of um.
Q. Why require a subscription?
A. Because what we really want is to know who is this subscriber is and
where they fit in the Texas caving scene. Basically we are trying to identify
all the cavers in Texas so we can keep in contact with them--ostensibly through
the auspices of The TEXAS CAVER--and influence them and they us. "We will give
you a free CAVER if you will be a part of our 'extended' TSA caving fraternity.
This is a bribe from us to know who you are and that you are one of us--even
though you may have been hiding for many years because you felt that the TSA
doesn't care about you--doesn't want you to be a part of their elite group
without you getting involved in their political intrigues" or any other reasons
you may have.
Q, How does this help the TSA?
A. The subscription gives the TSA a database for contacting outside cavers
(not just TSA members) about important issues such as cave conservation, caver
functions, projects, conventions, TCR and other events that cavers would be
interested in. It also restricts (somewhat) the distribution of errant issues
on the open market. That's not to say that I couldn't just print out 40 copies
via my download and hand them out at Walgreens. It also provides a larger
man-power base of both leaders and followers which will obviously contribute to
projects, training, participation, writing articles, and a general contribution
to more and better caving.
Q. How will my email address be protected?
A. The subscriber list will be maintained as a database, pretty much
entirely electronically. The database, or selected fields, at least, should be
available to subscribers as a caver service. Subscribers could elect to not
make their email address and certain other fields visible. Also, certain low
tech schemes such as embedding the letters 'TSA' into each email address to be
manually removed by the end user could offer some degree of security, but
probably not worth it.
Q. Will a Members Manual be published?
A. A hard copy Members Manual is a handy reference for cavers who travel
great distances to visit caves and caving events. But, as the Members Manual is
a TSA list, perhaps only TSA members could be allowed to download it. That
would provide incentive to join TSA. Properly loaded, a Members Manual could be
available for downloading just like The TEXAS CAVER. Again, subscribers can
elect to have their sensitive data available for viewing or printing.
Q. How do we keep just anybody from accessing and printing out a copy of The
CAVER or Member's Manual?
A. Well, basically we can't. I can print one for my brother-in-law and he
can leave it laying in the break room at work for anybody to see. Just like a
hard copy could be. But the subscription process will help and will at least
let us track who is subscribing--which should be valuable information, in it's
own right, for an organization dedicated to conservation and safety, at least.
Q. How will the hard copy subscribers be handled?
A. When subscribing to receive The TEXAS CAVER, a subscriber can elect from
any of 3 options: 1) To receive free digital TEXAS CAVER downloads (and other
selected publications and notices). 2) To receive both a digital notification
for downloading and a hard copy of any (again, selected) publications. 3) To
receive one or more hard copies from TSA via USPS at a proscribed rate to cover
production and mailing costs. A 4th option, which should probably come first,
would be to join the TSA as a dues paying member with voting and other
privileges, hopefully stated somewhere.
Q. Who will tend to the hard copy printing and mailing business?
A. Traditionally the editor had a major hand in that, often doing it
all--printing, collating, binding, labeling, sorting, mailing, paying, and
dealing with returns, address changes, etc. At time there were helpers for any
or most of those tasks. I suspect that with the lighter load, the editor can
easily handle it all. But the door will still be open for volunteers to pitch
in. Hard copy subscribers will probably see a bit better service since things
won't take so long to finish as they formerly did.
Q What else can we expect from the new contacts we will make.
A. Well, some of them will join the TSA. Many of them will contribute trip
reports and cave reports and articles and other submissions to The TEXAS CAVER
for your reading enjoyment, swelling its pages. They will become a part of our
inner caving community instead or remaining out of it. And they will contribute
to our overall enjoyment of caving, standing around campfires, and reading The
TEXAS CAVER.
Q. Would it be realistic to expect more issues of The CAVER?
A. Actually, it would be realistic to expect that the editor could publish
any time he'd accumulated enough information to make up an issue--not
necessarily on a fixed schedule. In fact, the raw information could be made
available as it is gathered and processed and cavers could watch the miracle of
publication progress before their very eyes. And possible inspire them to
submit some article themselves.
This is the first time I've actually enumerated these ideas so they may be
somewhat crudely developed, but the basic idea of what is possible should be
contained within this writing. The two most important things to be gained are
1) identifying and getting The TEXAS CAVER into the hands of non-TSA cavers and
2) getting them to participate in the TSA. Neither of those will happen if we
don't do something. There are, I'm sure, details which I've not considered. But
the underlying concept should make for a better, cheaper system for producing
and distributing The TEXAS CAVER and other TSA periodical-type publications. It
should contribute to a broadening of both a Texas caver base and TSA membership
and participation. It should satisfy those cavers who justifiably prefer a hard
copy CAVER supplied by the TSA. And it should result in the TSA having more
money and human resources to put toward the realization of its aims and
purposes. And, on the face of it, I can't identify even one reason to justify
not doing it, at least somehow, along the general pattern I have presented
here. There is just no down side.
In the interest of Texas caving,
I thank you for your time and consideration,
--Ediger
--- End Message ---
