I would suggest if you don't accept the decision of the list members to keep reply-to-list, you should not subscribe. It seems silly to raise it again and attempt to appeal to higher authorities that have much better things on which to spend their time than mediate disputes about mailing list policy. (I initiated the recent policy discussion of the mailing list configuration and accept the results, despite not agreeing with the decision (not on safety grounds).)
best, Joe

On 4/22/13 11:45 PM, Michael Allan wrote:
> To the experts in Liberationtech, Air-L and Mailman lists,
> (cc General Counsel of Stanford University)
>
> Stanford University has configured the Liberationtech mailing list in
> a manner that is potentially unsafe. University staff are aware of
> the problem and are evaluating the situation, but have yet to take
> action. I'm a subscriber to the list, and I ask your advice.
>
>
> SITUATION
>
> The Liberationtech mailing list is run by Stanford University in
> connection with its Program on Liberation Technology. That program
> investigates the use of IT "to defend human rights, improve
> governance, empower the poor, promote economic development, and
> pursue a variety of other social goods." [1] Experts on the list
> advise and inform on matters such as encrypting communications,
> protecting infrastructure from cyber attack, and protecting oneself
> from personal danger. Often those seeking help are in vulnerable
> situations. They include aid workers, reporters and activists who
> live and work in environments where human rights are not well
> respected, or where the government is too weak to protect people
> from organized criminals, rival militias, and so forth.
>
> The list software is GNU Mailman. The administration interface
> includes the following configuration items: [2]
>
>   (a) Should any existing Reply-To: header found in the original
>       message be stripped? If so, this will be done regardless of
>       whether an explict Reply-To: header is added by Mailman or
>       not.
>
>         X No
>         - Yes
>
>   (b) Where are replies to list messages directed? Poster is
>       *strongly* recommended for most mailing lists.
>
>         X Poster
>         - This list
>         - Explicit address (c) _________
>
> Shown above is the default, recommended setting of (1 No, 2 Poster).
> It leaves the sender's Reply-To headers (if any) unaltered during
> mail transfer. Instead of this, the Liberationtech mailing list is
> configured as follows:
>
>   (b) Where are replies to list messages directed? Poster is
>       *strongly* recommended for most mailing lists.
>
>         - Poster
>         X This list
>         - Explicit address (c) _________
>
> With this setting, whenever a subscriber Q sends a message to the
> list, the software adds a Reply-To header pointing to L, which is
> the address of the list itself. The message is then passed on to
> the subscribers. The meaning of the added Reply-To header is, "Q
> asks that you reply to her at L." [3]
>
> Note that this is false information; Q does not ask that.
>
>
> EXAMPLE OF DANGER
>
> Matt Mackall has suggested that, "here of all places", people might
> get hurt as a consequence of this configuration [4]. I agree.
> Here's a brief example of how people might get hurt:
>
>   1. Subscriber P is in a vulnerable situation. P is distracted by
>      the situation and is not getting a lot of sleep.
>
>   2. P asks the mailing list for advice on the situation, because
>      that's the purpose of the list.
>
>   3. Subscriber Q replies with helpful information.
>
>      The mailing list adds a Reply-To header to Q's message that
>      points to address L. Again, the mis-information is, "Q asks
>      that you reply to her at L". [3]
>
>   4. P replies with private information, including (as Matt puts it)
>      a "potentially life-endangering datum". Tired and distracted,
>      P replies by hitting the standard Reply button. In the mail
>      client, this means "reply to Q".
>
>      The reply goes instead to L, which is the public mailing list.
>
>      Oh my god! What have I done!
>
>   5. People get hurt.
>
> Isn't this a danger?
>
>
> POSSIBLE EXPLOIT THAT INCREASES THE DANGER
>
> Suppose that P is actually a police operative in an authoritarian
> state, or a criminal operative in a failed state. He only pretends
> to be a vulnerable activist (say). His real aim is to hurt the
> activists and other opponents; damage the university's reputation;
> close down the mailing list; make democracy look foolish [5]; and
> finally make some money in the bargain [6]. The likelihood of his
> success is roughly proportional to the amount of harm suffered by
> the activists and other innocent people.
>
> If such an exploit were even *perceived* to be feasible, then the
> mis-configuration of the mailing list would not only be exposing the
> public to a haphazard danger, but also providing the means and
> incentive to orchestrate and amplify that danger.
>
> Might not this exploit be perceived as feasible?
>
>
> INTERIM RECOMMENDATION
>
> While Stanford University is evaluating these safety concerns and
> has yet to make a decision, it should return the configuration to
> its default setting. The default setting is known to be safe.
>

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
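
The header behaviour discussed in the quoted message can be checked on the receiving side. The following is an added example, not part of the thread or of Mailman: it works out where a plain Reply would go and flags the case where that destination is the list itself. The addresses are constructed placeholders, and it assumes the delivered message carries an RFC 2369 List-Post header.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: Q's message as delivered by a list set to "This list".
MUNGED = """\
From: Q <q@example.org>
To: list@lists.example.edu
Reply-To: list@lists.example.edu
List-Post: <mailto:list@lists.example.edu>
Subject: Re: advice

helpful information
"""

# Constructed sample: the same message under "Poster" (no Reply-To added).
DEFAULT = MUNGED.replace("Reply-To: list@lists.example.edu\n", "")


def addrs(msg, header):
    """Lower-cased addresses found in every occurrence of a header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}


def reply_targets(msg):
    """Where a plain Reply goes: Reply-To if present, otherwise From."""
    return addrs(msg, "Reply-To") or addrs(msg, "From")


def list_post_addrs(msg):
    """Posting addresses from List-Post, e.g. '<mailto:list@example.org>'."""
    found = set()
    for value in msg.get_all("List-Post", []):
        for part in value.split(","):
            part = part.strip().strip("<>")
            if part.lower().startswith("mailto:"):
                found.add(part[len("mailto:"):].split("?")[0].lower())
    return found


def reply_goes_to_list(msg):
    """True when a plain Reply would be sent to the list's posting address."""
    return bool(reply_targets(msg) & list_post_addrs(msg))


if __name__ == "__main__":
    for name, raw in (("This list", MUNGED), ("Poster", DEFAULT)):
        m = message_from_string(raw)
        print(name, sorted(reply_targets(m)), reply_goes_to_list(m))
```

A mail client or filter could use such a check to show a confirmation before a reply is sent to the whole list.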