While it's possible that a malware program could harvest e-mail addresses for TSA members it's not very likely. It would have to be a specially written program that new how the display page is structured. It would also have to be installed on the computer of a person with member access. Else it would have to be a pretty good hacker to hack the web server itself for access.
There are programs that search the web looking for unprotected e-mail addresses. Those e-mail addresses are sold to advertisers and spammers. These are called spiders. We have spiders search the TSA website almost daily looking for e-mail addresses. You can see it in the statistical analysis programs available with the website. They cannot get into the member area. There isn't a function set up to download all the online registered members. I have software that could do that but requires root access to the website that I'm the only one who has (there's a backup person with the root access information but not the software. The webhosting employees could dump the information and they should do so often to back up the website. I have to identify the IP address of my computer in the website control software to allow access to the membership list. The members list as seen in the member area is in an online database. That database has its own password. The queries that access the data run on the server and aren't seen off the server except by a TSA webmaster. The list uses dynamic code to produce the member list you see. All that code executes on the server and can't be seen by the outside world by right clicking in the browser window and selecting view source. Viewing the page requires a member be logged in to the website. It would be theoretically possible to intercept the information exchanged by your computer and the web-server but you'd have to be intercepted from somewhere on the internet backbone, at your ISP, or the web-server. I don't think there's that much interest in doing that with TSA data. There are 100 verified registered users and 95 of those are showing on the member list. There's an option you can select when you register or you can update to display your information on the user list. There are apparently five people who have clicked No - don't display me. If you don't want your information see outside the database, select no for the question display me on the member list. The e-mail addresses that are displayed are spoofed with a spoofing technique that allows them to be read and displayed correctly by your browser and e-mail program. To the knowledge of people who study such things, no one has changed the spider software to include checking for this spoofing. It must work because my e-mail address is publicly viewable on a number of websites but I get a pretty low level of SPAM. For that matter, there are so many unprotected/unspoofed e-mail addresses to swamp most databases so why bother? I don't know if this puts anyone's mind at ease but it's the way it works. Happy Holidays, Butch Fralia -----Original Message----- From: Rod Goke [mailto:rod.g...@earthlink.net] Sent: Tuesday, December 15, 2009 8:49 PM To: Charles Goldsmith; Rod Goke Cc: TexasCavers Subject: Re: [Texascavers] Can TSA be trusted with email addresses? Charles, I agree with your technical comments about the many ways that malware can be used to harvest email addresses and other data and that there is no way to protect an email address 100% while using it for its normal purpose. That doesn't imply, however, that there is no point in trying reduce risk. Listening to a computer professional say "Your email addresses aren't safe anywhere, so why bother trying to protect them?" is like listening to restaurant cook say "You're not safe from germs anywhere, so why bother washing hands or dishes?" Like many email users, I've been using 2 email addresses for a number of years. I've used both of them frequently, but one I've tried to keep away from potential spam risks wherever practical and the other I've given out more freely. Of the two, the more protected one remained spam free much longer (about the first 2 years), and even after it began receiving spam, the quantity of spam received on the more protected address has remained conspicuously less than that received on the less protected address. This difference has remained noticeable even though I have used the more protected address frequently on Texascavers and for communication with numerous individuals. Someone with a much more carefully guarded email address still should be able to use it very safely in limited ways on caving related Internet services, as long as the people running those services practice reasonable privacy policies. For example, someone can subscribe to Texascavers without exposing his email address to everyone on the list as long as he only uses the subscription to receive messages from Texascavers, without ever posting to it (assuming, of course, that you don't change your policy and start allowing users to download the Texascavers address list). Similarly, TSA could serve its online users much more safely if it simply separated the email address list used for online registration from that published in a "members manual". With this convention, a member could be assured that the email address he uses for online registration will be used only for that purpose and for "official" email sent to him by TSA and that this address would NOT automatically appear on any list made available to the general membership. For his listing in a "members manual" style list, each member could specify separately what, if any, email address he wants published. This would allow each user to choose whether to publish the same email address, a different (less protected) address, or none at all. Rod -----Original Message----- >From: Charles Goldsmith <wo...@justfamily.org> >Sent: Dec 15, 2009 4:09 PM >To: Rod Goke <rod.g...@ieee.org> >Cc: TexasCavers <texascavers@texascavers.com> >Subject: Re: [Texascavers] Can TSA be trusted with email addresses? > >Rod, that wasn't a personal attack, if you took it as such, you need >to re-read my message and think about how it was meant. > >The TSA having this list is no different than the NSS keeping a list >of its members, and sending that list out in book format, plain and >simple. > >Harvesting emails from a mailing list is very very simple, I have the >complete list as owner of the list, but even another list, I can >harvest with a simple script that would only take me a few minutes to >write. > >It was a tongue in cheek comment about writing down email addresses by >hand. Scammers/Spammers/Phishers don't do anything manually. > >Modern email applications cache email addresses that it sees, Malware >can and does use these lists to send out spam. We've seen it recently >on the mailing list. > >Your email address is not safe anywhere, you will just have to learn >to face that fact in this modern age. > >Charles > >On Tue, Dec 15, 2009 at 2:23 PM, Rod Goke <rod.g...@earthlink.net> wrote: >> Charles, >> >> Your message below really misses the the point, and your personal attacks >> are totally unwarranted. Of course, we all run some risk that our email >> addresses will somehow get to spammers whenever we send them to anyone. >> Whenever you or I or anyone else posts a message to Texascavers we >> understand that our email addresses will be visible to others on the list, >> and we choose to do that. Harvesting email addresses one at a time from >> postings to this list as you suggested would be possible, of course, but it >> would be a slow and inconvenient way to collect a large list for spam, and I >> don't think either of us is seriously worried about that. >> >> The primary hazard is not that anyone in TSA or other caving organizations >> will deliberately pass information to spammers, but rather that some people >> downloading information with good intentions will inadvertently store it >> where spyware or other malware on an infected computer can search the >> downloaded files for email addresses, phone numbers, or other information >> that writers of the malware wish to harvest. This is something that easily >> can happen, and when it does, the person making information available to the >> malware might be totally unaware of what is going on. When people download >> individual email messages or other data items containing only a few email >> addresses or other sensitive items, then only those few items are vulnerable >> to harvesting by malware in any one incident. When people download an entire >> mailing list, however, then just one incident on one inadvertently infected >> computer can result in harvesting of the entire list. When many people >> download the list to many different computers, the risk to everyone on the >> list increases accordingly. >> >> So far as I know, the subscribers to Texascavers are not allowed to download >> that entire email address list, and I trust that Texascavers will continue >> to be managed in this responsible manner, especially since I haven't noticed >> any demand to do otherwise. The discussions I've heard and read about the >> TSA's online data resources, however, create much more uncertainty about how >> they will be managed. This is why it is important to have serious >> discussions of the issues beforehand to prevent problems, especially when >> some of them could be prevented so easily with a few minor policy decisions. >> >> Rod >> >> >> -----Original Message----- >>>From: Charles Goldsmith <wo...@justfamily.org> >>>Sent: Dec 15, 2009 10:48 AM >>>To: Rod Goke <rod.g...@ieee.org> >>>Cc: Bill Bentley <ca...@caver.net>, John Brooks <jpbrook...@sbcglobal.net>, >>>Mark Alman <mark.al...@l-3com.com>, TexasCavers <texascavers@texascavers.com> >>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses? >>> >>>Rod, your paranoia is unwarranted here, only by the fact that over 360 >>>people have your email address and each others. Anyone of them could >>>harvest most of the emails after a bit of time by keeping track of who >>>posted an email to this list. >>> >>>Do you completely trust every one of these 360 people? The odds that >>>one of them would sell out is far greater than one of the "TSA" >>>people, who are duly elected by some of these people. >>> >>>If the TC goes free, it won't be in the password protected section, it >>>will be available on the front page. >>> >>>Blaming the TSA for something that has never happened is just bad >>>press, and you should know better, as a member of the TSA. >>> >>>Charles >>> >>>On Tue, Dec 15, 2009 at 8:56 AM, Rod Goke <rod.g...@earthlink.net> wrote: >>>> For the record, I like TSA, too, which is why I've maintained my TSA >>>> membership ever since moving to Texas about 25 years ago. I, too, think >>>> that Mark has been doing a great job as editor, and I much appreciate the >>>> dedicated work that he and other TSA volunteers have been doing. Nor do I >>>> blame TSA for the small amount of spam that occasionally slips through the >>>> filters into my email account. (How could I blame TSA for that when they >>>> don't even have my email address? ;-) ) >>>> >>>> I still am not confident, however, that TSA can be trusted to handle our >>>> email addresses responsibly. Look at Jerry's observation that TSA already >>>> has placed an online listing of its electronically registered members on >>>> its password protected website. Then look at Gill's recent proposal to >>>> make online access to the Texas Caver free for nonmembers. Neither of >>>> these things necessarily involves an irresponsible release of TSA members' >>>> email addresses when considered separately (although I still would rather >>>> not have my email address on even a members-only password protected online >>>> list). When both of these things are considered together, however, along >>>> with all the other turmoil about TSA digital publication policies, it is >>>> easy to imagine how people might provide their email addresses to TSA >>>> assuming one seemingly responsible privacy policy, only to discover later >>>> that TSA has changed its mind and has made the email address list more >>>> widely accessible than people had expected when they provided their >>>> addresses. >>>> >>>> I chose to "throw this stone into the hornets nest," because I wanted >>>> people to actually start thinking about the issue, instead of just telling >>>> us "don't worry, be happy." The problem would be easy to fix if TSA simply >>>> would make a commitment to its members that no member's email address will >>>> be included in any online list unless that member explicitly "opts in" for >>>> inclusion in the list. TSA members need to be able to register for website >>>> access without having their email addresses published in an online list. >>>> >>>> Rod >>>> >>>> -----Original Message----- >>>>>From: Bill Bentley <ca...@caver.net> >>>>>Sent: Dec 14, 2009 11:17 AM >>>>>To: John Brooks <jpbrook...@sbcglobal.net> >>>>>Cc: TexasCavers <texascavers@texascavers.com> >>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses? >>>>> >>>>>For the record Mark, I wasn't blaming nor condeming the TSA, I was just >>>>>stating the fact that I get hundreds of thousands of spam emails. >>>>>Mark, I like the TSA and I think I get my moneys worth from volunteers who >>>>>are very much appreciated. >>>>> >>>>>Bill >>>>>----- Original Message ----- >>>>>From: "John Brooks" <jpbrook...@sbcglobal.net> >>>>>To: "Bill Bentley" <ca...@caver.net> >>>>>Cc: "Rod Goke" <rod.g...@ieee.org>; "TexasCavers" >>>>><texascavers@texascavers.com>; "Rod Goke" <rod.g...@ieee.org> >>>>>Sent: Monday, December 14, 2009 9:24 AM >>>>>Subject: Re: [Texascavers] Can TSA be trusted with email addresses? >>>>> >>>>> >>>>>> The TSA has my e mail.....and I get....oh maybe one or two junk mail >>>>>> messages per WEEK. >>>>>> Paranoia runs deep concerning e mail spam. But unjustly condemning the >>>>>> TSA >>>>>> for something they are not doing or really at fault for......hardly seems >>>>>> fair or reasonable. >>>>>> >>>>>> Sent from my iPhone >>>>>> >>>>>> On Dec 14, 2009, at 6:37 AM, "Bill Bentley" <ca...@caver.net> wrote: >>>>>> >>>>>> Rod, >>>>>> My ca...@caver.net email address gets a spam email message every 2 to 3 >>>>>> seconds... literally thousands per hour... all of it goes into a spam >>>>>> folder and good spam sorting software on the email server helps me >>>>>> figure >>>>>> what is crap and what is not... End of the day I am deleting a lot of >>>>>> spam... If someone were to go after the companies who are advertisng the >>>>>> drugs, diplomas and sex services then it mifght help curb it. I feel that >>>>>> a complete overhaul of how email works wouold be the answer, since you >>>>>> can >>>>>> currently send from and have the reply to address be different. A lot of >>>>>> the spam I gets looks as if it is coming to me from me... but buried in >>>>>> the header I find that it comes from Korea or China... >>>>>> >>>>>> Bill >>>>>> ----- Original Message ----- From: "Rod Goke" <rod.g...@earthlink.net> >>>>>> To: "TexasCavers" <texascavers@texascavers.com> >>>>>> Cc: "Rod Goke" <rod.g...@ieee.org> >>>>>> Sent: Monday, December 14, 2009 2:04 AM >>>>>> Subject: [Texascavers] Can TSA be trusted with email addresses? >>>>>> >>>>>> >>>>>> All this talk about electronic vs. paper publication of the Texas Caver >>>>>> reminds me of a related issue: >>>>>> >>>>>> Is it safe to give your email address to TSA? >>>>>> >>>>>> For years TSA has been asking for our email addresses on the membership >>>>>> renewal forms, and I have been refusing to give them mine. During this >>>>>> same period, however, I have been providing my email address (along with >>>>>> mailing address and phone numbers) to the UT Grotto for publication in >>>>>> their "UT Grotto Phone List". Why is it that I have felt that my email >>>>>> address was sufficiently safe with the UT Grotto but not with TSA? The >>>>>> answer is that the "UT Grotto Phone List" is published only in paper >>>>>> form, >>>>>> where email addresses and other personal information is not likely to be >>>>>> harvested by spammers, telemarketers, search engines, etc. >>>>>> >>>>>> I don't have that kind of confidence in TSA, however, because for years, >>>>>> I've heard various people within TSA advocating expanded use of digital >>>>>> publication without adequately considering the negative consequences of >>>>>> what they are advocating. Most disturbing has been the proposal I've >>>>>> heard >>>>>> from time to time that TSA publish its membership list information >>>>>> electronically, perhaps by placing it on a web site. This might be cheap >>>>>> and convenient for TSA to implement and for TSA members to use, but it >>>>>> also could make our personal information much more vulnerable to >>>>>> automated >>>>>> harvesting by those who would use it in ways we never intended. Once our >>>>>> email addresses, cell phone numbers, etc. have been harvested from a >>>>>> digitally published list, there would be no cheap and convenient way to >>>>>> undo the damage. How can we be confident that the continuing push towards >>>>>> digital publication within TSA will not lead to ill considered digital >>>>>> publication of email addresses >>>>>> and other information vulnerable to automated harvesting? >>>>>> >>>>>> Rod >>>>>> >>>>>> >>>>>> --------------------------------------------------------------------- >>>>>> Visit our website: http://texascavers.com >>>>>> To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com >>>>>> For additional commands, e-mail: texascavers-h...@texascavers.com >>>>>> >>>>>> >>>>>> --------------------------------------------------------------------- >>>>>> Visit our website: http://texascavers.com >>>>>> To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com >>>>>> For additional commands, e-mail: texascavers-h...@texascavers.com >>>>>> >>>>>> >>>>>> >>>>>> --------------------------------------------------------------------- >>>>>> Visit our website: http://texascavers.com >>>>>> To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com >>>>>> For additional commands, e-mail: texascavers-h...@texascavers.com >>>>>> >>>>> >>>>> >>>>>--------------------------------------------------------------------- >>>>>Visit our website: http://texascavers.com >>>>>To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com >>>>>For additional commands, e-mail: texascavers-h...@texascavers.com >>>>> >>>> >>>> >>>> --------------------------------------------------------------------- >>>> Visit our website: http://texascavers.com >>>> To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com >>>> For additional commands, e-mail: texascavers-h...@texascavers.com >>>> >>>> >> >> > >--------------------------------------------------------------------- >Visit our website: http://texascavers.com >To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com >For additional commands, e-mail: texascavers-h...@texascavers.com > --------------------------------------------------------------------- Visit our website: http://texascavers.com To unsubscribe, e-mail: texascavers-unsubscr...@texascavers.com For additional commands, e-mail: texascavers-h...@texascavers.com
