[Air-L] (advice sought) Public safety and configuration of list
Sky Croeser
scroeser at gmail.com
Mon Apr 22 22:31:19 PDT 2013
I'm glad to see this being addressed, particularly in light of the use of
targeted viruses sent specifically to activist mailing lists (which is, of
course, a slightly different issue). In the past this mostly seems to be
around Chinese/Tibetan issues, but it's probably useful to start thinking
about mailing list security more broadly.
On 23 April 2013 06:45, Michael Allan <mike at zelea.com> wrote:
> To the experts in Liberationtech, Air-L and Mailman lists,
> (cc General Counsel of Stanford University)
>
> Stanford University has configured the Liberationtech mailing list in
> a manner that is potentially unsafe. University staff are aware of
> the problem and are evaluating the situation, but have yet to take
> action. I'm a subscriber to the list, and I ask your advice.
>
>
> SITUATION
>
> The Liberationtech mailing list is run by Stanford University in
> connection with its Program on Liberation Technology. That program
> investigates the use of IT "to defend human rights, improve
> governance, empower the poor, promote economic development, and
> pursue a variety of other social goods." [1] Experts on the list
> advise and inform on matters such as encrypting communications,
> protecting infrastructure from cyber attack, and protecting oneself
> from personal danger. Often those seeking help are in vulnerable
> situations. They include aid workers, reporters and activists who
> live and work in environments where human rights are not well
> respected, or where the government is too weak to protect people
> from organized criminals, rival militias, and so forth.
>
> The list software is GNU Mailman. The administration interface
> includes the following configuration items: [2]
>
> (a) Should any existing Reply-To: header found in the original
> message be stripped? If so, this will be done regardless of
> whether an explict Reply-To: header is added by Mailman or
> not.
>
> X No
> - Yes
>
> (b) Where are replies to list messages directed? Poster is
> *strongly* recommended for most mailing lists.
>
> X Poster
> - This list
> - Explicit address (c) _________
>
> Shown above is the default, recommended setting of (1 No, 2 Poster).
> It leaves the sender's Reply-To headers (if any) unaltered during
> mail transfer. Instead of this, the Liberationtech mailing list is
> configured as follows:
>
> (b) Where are replies to list messages directed? Poster is
> *strongly* recommended for most mailing lists.
>
> - Poster
> X This list
> - Explicit address (c) _________
>
> With this setting, whenever a subscriber Q sends a message to the
> list, the software adds a Reply-To header pointing to L, which is
> the address of the list itself. The message is then passed on to
> the subscribers. The meaning of the added Reply-To header is, "Q
> asks that you reply to her at L." [3]
>
> Note that this is false information; Q does not ask that.
>
>
> EXAMPLE OF DANGER
>
> Matt Mackall has suggested that, "here of all places", people might
> get hurt as a consequence of this configuration [4]. I agree.
> Here's a brief example of how people might get hurt:
>
> 1. Subscriber P is in a vulnerable situation. P is distracted by
> the situation and is not getting a lot of sleep.
>
> 2. P asks the mailing list for advice on the situation, because
> that's the purpose of the list.
>
> 3. Subscriber Q replies with helpful information.
>
> The mailing list adds a Reply-To header to Q's message that
> points to address L. Again, the mis-information is, "Q asks
> that you reply to her at L". [3]
>
> 4. P replies with private information, including (as Matt puts it)
> a "potentially life-endangering datum". Tired and distracted,
> P replies by hitting the standard Reply button. In the mail
> client, this means "reply to Q".
>
> The reply goes instead to L, which is the public mailing list.
>
> Oh my god! What have I done!
>
> 5. People get hurt.
>
> Isn't this a danger?
>
>
> POSSIBLE EXPLOIT THAT INCREASES THE DANGER
>
> Suppose that P is actually a police operative in an authoritarian
> state, or a criminal operative in a failed state. He only pretends
> to be a vulnerable activist (say). His real aim is to hurt the
> activists and other opponents; damage the university's reputation;
> close down the mailing list; make democracy look foolish [5]; and
> finally make some money in the bargain [6]. The likelihood of his
> success is roughly proportional to the amount of harm suffered by
> the activists and other innocent people.
>
> If such an exploit were even *perceived* to be feasible, then the
> mis-configuration of the mailing list would not only be exposing the
> public to a haphazard danger, but also providing the means and
> incentive to orchestrate and amplify that danger.
>
> Might not this exploit be perceived as feasible?
>
>
> INTERIM RECOMMENDATION
>
> While Stanford University is evaluating these safety concerns and
> has yet to make a decision, it should return the configuration to
> its default setting. The default setting is known to be safe.
>
> --
> Michael Allan
>
> Toronto, +1 416-699-9528
> http://zelea.com/
>
>
> NOTES
>
> [1] https://mailman.stanford.edu/mailman/listinfo/liberationtech
> http://liberationtechnology.stanford.edu/
>
> [2] The meaning of configuration variables (a,b,c) is defined here:
> http://www.gnu.org/software/mailman/mailman-admin/node11.html
>
> [3] 'The "Reply-To" field is added by the message originator and is
> intended to direct replies.' Section 4.4.3, RFC 822.
> http://www.ietf.org/rfc/rfc0822.txt
>
> Note that the mailing list is not the "message originator", and
> is not supposed to add a Reply-To header. It is mis-configured.
>
> [4] Matt Mackall originally pointed to the danger in this post:
>
> https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007762.html
>
> [5] The current configuration of the mailing list was approved by
> the subscribers in a vote.
>
> https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007973.html
>
> [6] America is a litigious society.
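
Added example, not part of either post and not Mailman code: a small Python model of the two "where are replies directed" settings quoted above, with a check a mail client or filter could run before a plain Reply is sent. The addresses, function names and the use of the List-Post header to identify the list's posting address are assumptions made for the illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

LIST_ADDR = "list@lists.example.org"  # constructed stand-in for L

def make_post(sender, body):
    """A subscriber's message as submitted to the list."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, LIST_ADDR, "Re: advice"
    msg.set_content(body)
    return msg

def deliver_via_list(msg, reply_goes_to="poster"):
    """Hypothetical model of the list's header handling (not Mailman code)."""
    out = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    out["List-Post"] = f"<mailto:{LIST_ADDR}>"
    if reply_goes_to == "list":
        # Existing Reply-To is not stripped (setting a = No); L is added.
        kept = [str(h) for h in out.get_all("Reply-To", [])]
        del out["Reply-To"]
        out["Reply-To"] = ", ".join([LIST_ADDR] + kept)
    return out

def reply_targets(msg):
    """Where a plain Reply goes: Reply-To if present, otherwise From."""
    headers = msg.get_all("Reply-To") or msg.get_all("From", [])
    return [a.lower() for _, a in getaddresses([str(h) for h in headers])]

def list_post_address(msg):
    """Posting address advertised in List-Post, or None."""
    m = re.search(r"<mailto:([^>?]+)", str(msg.get("List-Post", "")))
    return m.group(1).lower() if m else None

def check_private_reply(msg):
    """Return (targets, warn); warn means Reply would post to the list."""
    targets = reply_targets(msg)
    return targets, list_post_address(msg) in targets

if __name__ == "__main__":
    q = make_post("Q <q@example.net>", "Helpful information.")
    for setting in ("poster", "list"):
        print(setting, check_private_reply(deliver_via_list(q, setting)))
```
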