Ed Brayton Admits Running Insecure Software

On his blog, Freethoughtblogs founder Ed Brayton admits:

I was hoping to not have to do this for another day or two, but the cat is out of the bag, so to speak….

On August 2, a close friend informed me that a mutual acquaintance of ours had been forwarded messages from that private mailing list by Thunderfoot. A few hours later, I received an email from a longtime commenter on the site telling me that “your email distribution list is not secure. Take the time to verify that only the people who are supposed to be on the list are actually members, as messages have been leaked.” Prompted by those messages, I went into the admin panel of our mailing list software, did some checking and discovered that Thunderfoot had somehow managed to get back on the mailing list after he was removed from it on July 1, when the decision was made to close his blog and remove him from the network. I double checked to make sure that he had been removed from the list at that time and he was (I have email confirmation from the system at the time). I then had our site tech do some digging into the database and he discovered that Thunderfoot had used a security loophole… to regain admission to the list only a few minutes after he was removed from it on July 1 and had been receiving all of the email traffic between everyone else from that moment forward, without our knowledge.

In other words, Mr. Brayton let a security hole go unnoticed and unpatched for over a month, while anyone who wanted to could add themselves to the Secret FTB Cabal Mailing List.

Is this the kind of lackadaisical attitude towards the Internet that we should condone from self-styled leaders of the skeptical community?

This Just In!

Lousy Canuck has attempted some damage control on the security breach, noting that it wasn’t open to just anyone: it was open only to the select few whom a server administrator trusted enough to grant access, or had been told by Messrs. Myers or Brayton to grant access. In other words, this breach was caused by the combined incompetence of the Mailman administrators and the FTB leaders, not the administrators alone. Thanks to SkepDirt reader stakkalee for bringing this to light!
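For readers who want to see the mechanism rather than the finger-pointing, here is a small Python model of the sequence Brayton describes: a member is invited, joins, is removed, and a few minutes later redeems the invitation he was originally sent and is back on the list. This is an example added to this post, not code from Freethoughtblogs or from Mailman; the list class, the address, the token format and the one-week invitation lifetime are all assumptions made for the illustration. It runs the same scenario twice, once with invitations that are never revoked (the loophole) and once with invitations that are single-use, expire, and are revoked whenever the address is removed, and it includes the membership audit the commenter’s warning email asked for.

```python
"""Toy model of a mailing-list invitation flow (constructed example).

Reproduces the breach described in the post: a removed member re-joins by
re-using the invitation token he was originally sent.  This is NOT Mailman's
code; the list class, the address, the token format and the one-week
lifetime are assumptions made for the illustration.
"""
import secrets

TOKEN_TTL = 7 * 24 * 3600  # assumed invitation lifetime: one week, in seconds


class MailingList:
    """Members plus outstanding invitation tokens.

    hardened=False: tokens are never revoked and may be redeemed repeatedly,
                    so a removed member still holds a working token.
    hardened=True:  tokens are single-use, expire after TOKEN_TTL, and every
                    token for an address is revoked when that address is
                    removed or invited again.
    """

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.members: set[str] = set()
        # token -> {"address": str, "issued": float, "used": bool}
        self.invites: dict[str, dict] = {}

    def invite(self, address: str, now: float) -> str:
        if self.hardened:
            self._revoke(address)  # at most one outstanding invitation per address
        token = secrets.token_urlsafe(24)
        self.invites[token] = {"address": address, "issued": now, "used": False}
        return token

    def redeem(self, token: str, now: float) -> bool:
        """Subscribe the token's owner.  Returns True if the subscription went through."""
        inv = self.invites.get(token)
        if inv is None:
            return False
        if self.hardened:
            if inv["used"] or now - inv["issued"] > TOKEN_TTL:
                return False
            inv["used"] = True
        self.members.add(inv["address"])
        return True

    def remove(self, address: str) -> None:
        """Unsubscribe an address; the hardened list also kills its invitations."""
        self.members.discard(address)
        if self.hardened:
            self._revoke(address)

    def _revoke(self, address: str) -> None:
        stale = [tok for tok, inv in self.invites.items() if inv["address"] == address]
        for tok in stale:
            del self.invites[tok]

    def audit(self, expected: set[str]) -> set[str]:
        """The check the warning email asked for: who is subscribed but should not be."""
        return self.members - expected


def rejoin_scenario(hardened: bool) -> bool:
    """Invite, join, remove, then replay the original invitation.

    Returns True if the removed address is back on the list afterwards.
    """
    ml = MailingList(hardened)
    t0 = 1_000_000.0                                  # arbitrary clock origin
    blogger = "removed-blogger@example.invalid"      # constructed address
    token = ml.invite(blogger, t0)
    ml.redeem(token, t0 + 60)                         # joins normally
    ml.remove(blogger)                                # removed from the list
    ml.redeem(token, t0 + 5 * 60)                     # "a few minutes after he was removed"
    return blogger in ml.members


def stragglers_after_rejoin(hardened: bool) -> set[str]:
    """Run the scenario and return whoever the audit flags as unexpected."""
    ml = MailingList(hardened)
    t0 = 1_000_000.0
    blogger = "removed-blogger@example.invalid"
    token = ml.invite(blogger, t0)
    ml.redeem(token, t0 + 60)
    ml.remove(blogger)
    ml.redeem(token, t0 + 5 * 60)
    return ml.audit(expected=set())                   # nobody should remain after removal


if __name__ == "__main__":
    print("loophole present:", rejoin_scenario(hardened=False))   # True
    print("hardened list   :", rejoin_scenario(hardened=True))    # False
    print("audit finds     :", stragglers_after_rejoin(hardened=False))
```

The difference between the two runs is entirely in `remove` and `redeem`: dropping an address from the member table without also voiding every credential that can re-create the membership is the loophole, and a membership audit against the list of people who are supposed to be there is how it gets noticed, a month late in this case.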


10 Responses to Ed Brayton Admits Running Insecure Software

  1. “In other words, Mr. Brayton let a security hole go unnoticed and unpatched for over a month, while anyone who wanted to could add themselves to the Secret FTB Cabal Mailing List.”

    This is incorrect. The security hole was simply that the original invitation to Thunderf00t continued to be usable, so it wasn’t that just anyone could join. It’s just that people who were deleted were able to re-join. Meaning, only former FtB bloggers could have exploited it and only Thunderf00t tried.

  2. stakkalee says:

    I’m seconding what Mr. Webb said – this was only exploitable by Thunderfoot himself, and by any other FTB blogger who still has their original welcome email. Jason Thibeault has the technical specifics.

    • skepdigger says:

      So it wasn’t merely buggy, it was intentionally misconfigured? That’s much worse! Thanks for pointing that out, and thanks for reading SkepDirt!

      • Hags says:

        Nice to see that after being corrected, rather than admitting you were wrong you attempt a redirect. Is this the kind of lackadaisical attitude towards the truth that we should condone from supposed members of the skeptical community?

      • What makes you think it was “intentionally misconfigured”? Sounds like you didn’t even bother to read the link stakkalee left…

      • stakkalee says:

        I’m sorry but that’s not correct. You stated that the FTB mail system was configured in such a way that anyone could get access to their private emails. I pointed out, with evidence, that you were wrong, and that the only person who could exploit this was TF himself. Do you retract your original incorrect point?

        Thank you for the welcome BTW. I’m always looking for smart, rational writers to add to my blogroll. Will you prove yourself to be smart and rational by reassessing the evidence and correcting your post?

        • skepdigger says:

          You must be new here too! Welcome! You might want to go back and read some of this reporter’s journal entries, and come to your own conclusions about the strict level of journalistic integrity to which SkepDirt adheres! Keep reading SkepDirt!

          • stakkalee says:

            As I said, I look forward to adding you to my blogroll. However, I still don’t see any correction to your original post. Your contention that Ed Brayton and FTB were running software that would allow anyone access to the backchannel list is incorrect; the security flaw that was exploited was only available to Thunderf00t himself. Does your failure to update the original post conform to SkepDirt’s strict level of journalistic integrity?