Ed Brayton Admits Running Insecure Software
August 10, 2012
On his blog, Freethoughtblog’s founder Ed Brayton admits:
I was hoping to not have to do this for another day or two, but the cat is out of the bag, so to speak….
On August 2, a close friend informed me that a mutual acquaintance of ours had been forwarded messages from that private mailing list by Thunderfoot. A few hours later, I received an email from a longtime commenter on the site telling me that “your email distribution list is not secure. Take the time to verify that only the people who are supposed to be on the list are actually members, as messages have been leaked.” Prompted by those messages, I went into the admin panel of our mailing list software, did some checking and discovered that Thunderfoot had somehow managed to get back on the mailing list after he was removed from it on July 1, when the decision was made to close his blog and remove him from the network. I double checked to make sure that he had been removed from the list at that time and he was (I have email confirmation from the system at the time). I then had our site tech do some digging into the database and he discovered that Thunderfoot had used a security loophole… to regain admission to the list only a few minutes after he was removed from it on July 1 and had been receiving all of the email traffic between everyone else from that moment forward, without our knowledge.
In other words, Mr. Brayton let a security hole go unnoticed and unpatched for over a month (from July 1 until at least August 2), during which, by his own account, a person who had been deliberately removed from the Secret FTB Cabal Mailing List was able to add himself back within minutes and read every message sent to it.
Is this the kind of lackadaisical attitude towards the Internet that we should condone from self-styled leaders of the skeptical community?
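The advice the commenter gave Mr. Brayton, to verify that only the intended people are members, is the kind of check that should run on a schedule rather than after a leak. The script below is an added illustration, not code from this post, from Freethoughtblogs or from the Mailman project: it reconciles a list's current roster against an approved roster and scans a subscription log for addresses that were removed and later re-added. Mailman 2 does keep a subscribe log and can print a roster with its list_members command, but the log line format used here is an assumption modelled on it, and every address and log line is constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed log format (modelled on Mailman 2's logs/subscribe, not copied from it):
#   "Mon DD HH:MM:SS YYYY (pid) listname: new addr, via <how>"
#   "Mon DD HH:MM:SS YYYY (pid) listname: deleted addr; via <how>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) (?P<list>\S+): "
    r"(?P<action>new|deleted) (?P<addr>\S+?)[,;] via (?P<via>.*)$"
)

# Constructed sample data: fictitious addresses, nothing taken from the real list.
SAMPLE_LOG = [
    "Jul 01 14:02:11 2012 (4021) cabal: deleted removed.member@example.com; via admin",
    "Jul 01 14:09:48 2012 (4077) cabal: new removed.member@example.com, via web confirmation",
    "Jul 15 09:30:00 2012 (5120) cabal: new newhire@example.com, via admin approval",
]
CURRENT_ROSTER = [
    "ed@example.com", "pz@example.com", "newhire@example.com", "removed.member@example.com",
]
APPROVED_ROSTER = ["ed@example.com", "pz@example.com", "newhire@example.com"]


@dataclass
class SubEvent:
    when: datetime
    listname: str
    action: str   # "new" or "deleted"
    addr: str
    via: str      # how the change was made, as recorded in the log


def parse_subscribe_log(lines):
    """Parse log lines into SubEvent records, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(SubEvent(
            datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
            m["list"], m["action"], m["addr"].lower(), m["via"],
        ))
    return sorted(events, key=lambda e: e.when)


def find_resubscriptions(events):
    """Return {addr: (removed_at, readded_at, via)} for every address that was
    deleted and subsequently re-added. This is exactly the pattern that went
    unnoticed for a month in the post above."""
    removed = {}
    found = {}
    for e in events:
        if e.action == "deleted":
            removed[e.addr] = e.when
        elif e.action == "new" and e.addr in removed:
            found[e.addr] = (removed[e.addr], e.when, e.via)
            del removed[e.addr]
    return found


def audit_roster(current, approved):
    """Compare the live roster with the approved one.
    Returns (unexpected_members, missing_members), both sorted."""
    cur = {a.lower() for a in current}
    app = {a.lower() for a in approved}
    return sorted(cur - app), sorted(app - cur)


if __name__ == "__main__":
    for addr, (gone, back, via) in find_resubscriptions(parse_subscribe_log(SAMPLE_LOG)).items():
        print(f"RE-ADDED: {addr} removed {gone}, back {back} ({via})")
    unexpected, missing = audit_roster(CURRENT_ROSTER, APPROVED_ROSTER)
    print("not approved but subscribed:", unexpected)
    print("approved but not subscribed:", missing)
```

On a real installation the roster would come from the list_members command and the log from the server's subscribe log; the comparison against an approved roster is the part that would have caught this within a day rather than a month, because a removed address reappearing on the list is flagged regardless of which loophole was used to get it there.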
This Just In!
Lousy Canuck has attempted some damage control on the security breach, noting that it wasn’t open to just anyone; it was open only to the select few people whom an administrator of the server trusted enough to grant access, or had been told by Messrs. Myers or Brayton to grant access. In other words, this breach was caused by the combined incompetence of the Mailman administrators and the FTB leaders, not just the administrators. Thanks to SkepDirt reader stakkalee for bringing this to light!