What's New:
To receive these updates and announcements by email, manage your subscription, or review the mailing list archive, go to the NCSE List User Form.
A Summary of the Recent NCSE Mailing List Incident and Apology
What Happened
NCSE maintains an electronic mailing list that sends out, averaged over the year, 3 announcements each month. No one else is authorized to send messages to the list. Anyone who responds to a notice sends a message just to NCSE. Approximately four weeks ago the list was moved from a system hosted by Colorado State University to a private system hosted by Intermedia.net because CSU will be closing that service soon.
NCSE posted two notices on this new system, on July 9 and July 16. The system worked correctly for both of these messages. However, on Thursday afternoon (July 17) a subscriber posted an announcement to the list without the approval of the list moderator. It appears that something happened to the system's configuration that allowed this posting to be distributed. At this time, it does not appear that anyone "hacked" into our system; rather, it appears that our configuration was changed by accident, as a result of bad interface design, or because of a system bug. Procedure and policy changes have been made to prevent this from happening again.
This unauthorized posting went unnoticed by NCSE staff on Thursday evening. On Friday morning at approximately 6:00 am EDT, somebody responded to the first posting with a one-line message: "more spam I fear." A little while later, someone else responded with a short message informing people how to unsubscribe from the list. Shortly after that, a third person responded with a more cutting comment. The e-mail replies then escalated quickly.
How We Responded
Nearly all the senior NCSE staff were in Colorado at the meeting of the Council of Environmental Deans and Directors. At approximately 10:10 am, an NCSE intern noticed the problem and contacted the NCSE CTO by e-mail and phone. He responded at about 10:20 am and within 10 minutes had closed down the posting problem by fixing the configuration. However, the 68 messages that had been posted prior to this time were still working their way through the Internet. Most people received the postings within minutes or a few hours, but some were still getting messages (sent out before the problem was fixed) as late as Saturday.
The following apology was sent to the list at 1:45 PM EDT:
Apology:
The National Council for Science and the Environment (NCSE) deeply regrets that unauthorized email messages have been distributed through the NCSE mailing list. We sincerely apologize for this and have taken action to remedy the problem.
Please report any future problems to: News@NCSEonline.org
Peter Saundry, Executive Director
What Next?
In addition to the immediate corrective actions, NCSE is implementing a set of procedural and policy changes to prevent future problems and to improve service for subscribers. These include monitoring of the list by additional NCSE staff, an automatic alert of all successful postings by cell phone, and improved subscriber management forms. The forms for managing accounts were the default Mailman system forms, and it appears that part of the problem was the result of confusion on the part of subscribers who had difficulty leaving the list. The CTO will also begin to rigorously enforce subscription policies to ensure both that all addresses added to the list are valid, current addresses and that the owners of those accounts do indeed wish to be on the list.
July 21, 2003