[Air-L] (advice sought) Public safety and configuration of list
Michael Allan
mike at zelea.com
Mon Apr 22 20:45:47 PDT 2013
To the experts in Liberationtech, Air-L and Mailman lists,
(cc General Counsel of Stanford University)
Stanford University has configured the Liberationtech mailing list in
a manner that is potentially unsafe. University staff are aware of
the problem and are evaluating the situation, but have yet to take
action. I'm a subscriber to the list, and I ask your advice.
SITUATION
The Liberationtech mailing list is run by Stanford University in
connection with its Program on Liberation Technology. That program
investigates the use of IT "to defend human rights, improve
governance, empower the poor, promote economic development, and
pursue a variety of other social goods." [1] Experts on the list
advise and inform on matters such as encrypting communications,
protecting infrastructure from cyber attack, and protecting oneself
from personal danger. Often those seeking help are in vulnerable
situations. They include aid workers, reporters and activists who
live and work in environments where human rights are not well
respected, or where the government is too weak to protect people
from organized criminals, rival militias, and so forth.
The list software is GNU Mailman. The administration interface
includes the following configuration items: [2]
(a) Should any existing Reply-To: header found in the original
message be stripped? If so, this will be done regardless of
whether an explicit Reply-To: header is added by Mailman or
not.
X No
- Yes
(b) Where are replies to list messages directed? Poster is
*strongly* recommended for most mailing lists.
X Poster
- This list
- Explicit address (c) _________
Shown above is the default, recommended setting of (1 No, 2 Poster).
It leaves the sender's Reply-To headers (if any) unaltered during
mail transfer. Instead of this, the Liberationtech mailing list is
configured as follows:
(b) Where are replies to list messages directed? Poster is
*strongly* recommended for most mailing lists.
- Poster
X This list
- Explicit address (c) _________
With this setting, whenever a subscriber Q sends a message to the
list, the software adds a Reply-To header pointing to L, which is
the address of the list itself. The message is then passed on to
the subscribers. The meaning of the added Reply-To header is, "Q
asks that you reply to her at L." [3]
Note that this is false information; Q does not ask that.
EXAMPLE OF DANGER
Matt Mackall has suggested that, "here of all places", people might
get hurt as a consequence of this configuration [4]. I agree.
Here's a brief example of how people might get hurt:
1. Subscriber P is in a vulnerable situation. P is distracted by
the situation and is not getting a lot of sleep.
2. P asks the mailing list for advice on the situation, because
that's the purpose of the list.
3. Subscriber Q replies with helpful information.
The mailing list adds a Reply-To header to Q's message that
points to address L. Again, the mis-information is, "Q asks
that you reply to her at L". [3]
4. P replies with private information, including (as Matt puts it)
a "potentially life-endangering datum". Tired and distracted,
P replies by hitting the standard Reply button. In the mail
client, this means "reply to Q".
The reply goes instead to L, which is the public mailing list.
Oh my god! What have I done!
5. People get hurt.
Isn't this a danger?
POSSIBLE EXPLOIT THAT INCREASES THE DANGER
Suppose that P is actually a police operative in an authoritarian
state, or a criminal operative in a failed state. He only pretends
to be a vulnerable activist (say). His real aim is to hurt the
activists and other opponents; damage the university's reputation;
close down the mailing list; make democracy look foolish [5]; and
finally make some money in the bargain [6]. The likelihood of his
success is roughly proportional to the amount of harm suffered by
the activists and other innocent people.
If such an exploit were even *perceived* to be feasible, then the
mis-configuration of the mailing list would not only be exposing the
public to a haphazard danger, but also providing the means and
incentive to orchestrate and amplify that danger.
Might not this exploit be perceived as feasible?
INTERIM RECOMMENDATION
While Stanford University is evaluating these safety concerns and
has yet to make a decision, it should return the configuration to
its default setting. The default setting is known to be safe.
--
Michael Allan
Toronto, +1 416-699-9528
http://zelea.com/
NOTES
[1] https://mailman.stanford.edu/mailman/listinfo/liberationtech
http://liberationtechnology.stanford.edu/
[2] The meaning of configuration variables (a,b,c) is defined here:
http://www.gnu.org/software/mailman/mailman-admin/node11.html
[3] 'The "Reply-To" field is added by the message originator and is
intended to direct replies.' Section 4.4.3, RFC 822.
http://www.ietf.org/rfc/rfc0822.txt
Note that the mailing list is not the "message originator", and
is not supposed to add a Reply-To header. It is mis-configured.
[4] Matt Mackall originally pointed to the danger in this post:
https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007762.html
[5] The current configuration of the mailing list was approved by
the subscribers in a vote.
https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007973.html
[6] America is a litigious society.
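The header-level check a mail client (or a subscriber's filter) could apply before sending a reply, as an added example that is not part of the post above or of GNU Mailman: it flags a message whose Reply-To has been pointed at the list's own posting address and returns the poster's From address as the private reply target instead. The sample message and all addresses are constructed placeholders.

```python
"""Detect a list-injected Reply-To header before a reply is sent.

Added example; not from the original post or from GNU Mailman.
The sample message and addresses below are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: subscriber Q posts to list L, and the list
# (configured as "This list" for item (b)) adds Reply-To: L.
SAMPLE_MUNGED = """\
From: Q <q@example.org>
To: list-l@example.edu
Reply-To: list-l@example.edu
List-Id: Example list <list-l.example.edu>
List-Post: <mailto:list-l@example.edu>
Subject: Re: advice needed

Here is what I would do ...
"""


def list_post_address(msg):
    """Return the list's posting address from List-Post, or None."""
    lp = msg.get("List-Post", "")
    start = lp.find("mailto:")
    if start < 0:
        return None
    return lp[start + len("mailto:"):].strip("<>").split("?")[0].lower()


def reply_to_is_munged(msg):
    """True when Reply-To points at the list rather than the poster."""
    post_addr = list_post_address(msg)
    reply_addrs = {a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))}
    return bool(post_addr) and post_addr in reply_addrs


def safe_reply_target(msg):
    """Address a private reply should use: a sender-set Reply-To is
    honoured, a list-injected one is ignored in favour of From."""
    if reply_to_is_munged(msg):
        return parseaddr(msg.get("From", ""))[1].lower()
    return parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1].lower()


def check(raw):
    """Parse a raw message; return (munged?, private reply address)."""
    msg = message_from_string(raw)
    return reply_to_is_munged(msg), safe_reply_target(msg)
```

A mail client that ran `check` on the message before opening the reply window could warn the user that the standard Reply button would go to the list, which is the failure mode described in step 4 above.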