Notes on Security

This page is meant to address some of the concerns of CWT members regarding security and privacy of the Chicago Woodturners website. The issues are broad enough that every aspect can't be adequately dealt with here. So links are provided to a bulletin board where specific questions can be answered. Discussions there will lead to updates to this document.

Threats to Privacy

The most serious threat to members' privacy is through email harvesting. These attacks are usually in one of three forms: computers that are programmed to troll for personal information; "phishing" attacks, in which people are induced to unwittingly disclose information about themselves or others to the wrong people; and cases where the service provider decides to disclose user information to third parties.

Other threats include hackers who try to harvest personal information (as in trying to guess valid username and password combinations or subscribing to a list to gain information about members), physical access (one of our members downloads the membership roster onto a laptop which gets stolen or lost), snooping (accessing information over an unencrypted wireless connection or a network node), or simply reading email headers (your email address is on every piece of email you receive, is unencrypted, and travels through a non-secure network).

A number of steps have been put in place to protect members' privacy. The first step is in protecting the information as it's stored on the server. Names and email addresses for both the mailing list and the bulletin board are stored in a database. The database is protected by a username (not Admin, Administrator, etc.) and a non-trivial password. This is similar to the security measures now in place on Yahoo Groups.

As in all password-protected systems, the protection is only as good as the least secure password. If a dedicated hacker can guess a valid name and password combination, they have access to the group.
So while administrators must do all they can to protect members' privacy, in a sense security is everybody's business. Please choose appropriate passwords! The best passwords are eight or more characters long, do not include words found in a dictionary, and combine numbers, letters, and punctuation marks.

If a hacker broke an administrator's username and password, they would have access to everybody's email addresses. If they broke a user's name and password, the steps we have taken to limit the information that users have about each other would limit the utility of the hack (see below). However, they would have access to the content of users' posts.

Bulletin Board Security

The bulletin board has four classes of members: Anonymous, Registered Users, CWT Members, and Administrators/Moderators.

Anonymous users have the least rights, but remain anonymous. They can post to a few forums, can read some forums, and can vote on some topics without revealing much about themselves (certainly not their email address). They cannot see many of the forums, and can't access the member list. I have made a forum on CWT security available to anonymous users so that we can discuss areas of concern before people register. If you want to see what anonymous users can see, just go to the bulletin board and look around. Your "rights" are usually posted in the lower right portion of the screen: whether you can post a topic, reply, etc. Please keep in mind that there's other stuff that is simply not shown to anonymous viewers.

Registered Users have more rights. To become a registered user, you have to fill out a short form that includes a visual match of numbers and letters shown graphically. This keeps automated systems (machines) from signing up. Machines are really bad at this. It also requires a valid email address, another security measure.

As you sign up, there is a Preferences section near the bottom of the form. The first option is whether you want to always display your email address.
If you say "Yes" then anonymous users can see your email address on any messages or replies that you post in a forum that they have access to. If you say "Yes" then registered users can see your email address on your posts in forums that they have access to, and on the member list. If you say "No" (the default answer) then your email address will not be shown to anyone except administrators. Your email will not be visible on messages that you post. Your name will appear on the member list, but only registered users have access to it, and your email address doesn't appear there either.

Since these increased privileges come with being a registered user, there is no "preview" of what you can see once you register. I can tell you that if you try it and then decide you want out, I can remove you from the database.

The third class of members is "CWT Members". Actually we can have any number of these user groups. To become a member of the CWT Members discussion group, you have to be a registered user. Then click on Usergroups (near the top of the bulletin board) and click View Information about the CWT Members group. Then click "Join". This group requires the administrator to validate members. Although your application to the group is immediate, you won't have access until the administrator checks your name and email address against the membership roster. CWT Members have more access than registered users: there are more forums visible and accessible.

Administrators/moderators have access to all information that people have provided.

I set up the bulletin board with some access to the general public, more to people willing to sign up through the registration process (remember we took measures to weed out machine applications), and the most access to actual members of the Chicago Woodturners. We have talked about a private area for members for some time; the forums "CWT Business" and "Demonstration Notes" are private areas.
This is not the only way the board can be set up. It can be totally private or totally public. We need to discuss these options and how we want to proceed. There are benefits to the club in allowing public access to some forums. And we have all benefited from other people and groups posting information on the Web.

That is an overview of security on the Bulletin Board. We went over what information the board provides about you and how that information is stored. We should discuss what information you provide in the content of your posts. Assuming we decide to proceed with some level of public access, people will post messages in areas where they are viewable by more than the membership of the CWT. A message that says "Call me at 847-123-1234 or email me at somename@somehost.com" makes that phone number and email address public. The same message placed on a private area of the bulletin board will remain private as long as members' passwords are not compromised.

Since we're already using Yahoo Groups, I thought it would be helpful to note some differences between this Bulletin Board and Yahoo. Yahoo says in its privacy statement that it shares information with its partners (though not personalized information), includes tracking technology in the HTML emails it sends to members of its groups, and tracks online behavior using the same technology. Yahoo actually provides a lot of information about its privacy policy, on the tracking technology it uses and visibility of users' email when using Yahoo Groups. From a Yahoo critic, "Yahoo changes their policies" covers some of Yahoo's changes in security and privacy policy. I believe Yahoo is showing itself to be a responsible host, keeping in mind that its goal is commercial. Some of our members have read this information in detail and have declined to sign up with Yahoo Groups. That is a valid position to take.
Others have felt that Yahoo provides a good balance between privacy and utility and have signed up, also a valid position (and the majority position).

The Bulletin Board does not have a profit motive behind it, and so is naturally more in line with the interests of its members. It is under our control to a much higher degree. For example, if you choose not to disclose your email address, it is completely hidden, where Yahoo Groups displays most of your email address to other group members. Through the measures mentioned, as well as the changes made to the program, we are protecting our members' privacy.

Mailing List Security

The Mailing List is an application that allows one of a small number of people (right now just Paul and me) to send email to a large group of people. It allows users to sign up for any number of "newsletters". Currently there are two, "Announcements from Paul Shotola" and "Newsletter Announcement". If we find other instances where this type of messaging would be helpful, we can add more lists.

It is a double-opt-in system. If you go to the subscription page, you are asked for your email address and which newsletters you want to receive. The mailing list then sends an email to that address with a link to a web page on it. If you follow that link and click on a button, then you are subscribed and will receive those announcements. If you don't, you won't. You can select any combination of announcements to subscribe to, including none.

You can unsubscribe, which will keep you in the database with a note to not re-subscribe you. This is done as a security measure, to keep someone from maliciously signing you up over and over for messages you don't want to get (they would have to know your email address first). You can also ask me to remove you from the database, which I will do.

When an announcement is posted, it is sent to each member of the list one after another. In this way, all the members of a list are invisible to each other. If you sign up for Announcements from Paul Shotola, you will get his announcements but won't be able to tell if I am (or anyone else is) on the list. The membership of a list is visible to the administrators (now just Paul and me). It is securely stored in a database as noted at the beginning of this page. Only administrators are able to send the announcements.

As it is currently set up, anyone at all can be on the list. Since the membership of the list is not shared with any member, this is not a security issue. If the contents of an announcement include private information, then it would be a security issue.
For example, if I send an email that contains email addresses, phone numbers, etc., that information may be delivered to people outside the CWT membership. If instead the message doesn't contain private information, or points to a private part of the web site containing the private information, only CWT members would have access. Anyone else on the list would know it's there, but couldn't get to it.

We can periodically review the list of names on the list to make sure we're all friends. That said, someone would have to have a lot of time on their hands to sign up for these announcements hoping that some day Paul or I would put private information into an announcement. If we decide that we want to vet names before allowing them on the list, we can do that. I can eliminate the ability of people to sign themselves up for a list, and handle additions to the list as the administrator.

Conclusion

I hope this has provided an overview (albeit long) of the security on these two applications. There may still be specific questions you have regarding privacy and security on the CWT website. To post questions, comments, etc., you can do so anonymously at the forum on CWT security. I look forward to hearing from you!

--Chuck
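
The double opt-in, the do-not-resubscribe note, and the one-recipient-per-message sending described under Mailing List Security, sketched as an added example; this is not the CWT site's own code. The class and method names, the in-memory storage, and the HMAC-signed confirmation token are assumptions, since the page does not say how the confirmation link is built; the addresses used to exercise it are constructed.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # signing key for confirmation links (assumption)


class MailingList:
    """In-memory stand-in for the subscriber database (hypothetical)."""

    def __init__(self):
        self.status = {}  # email -> "pending" | "subscribed" | "unsubscribed"
        self.lists = {}   # email -> set of newsletter names

    def _token(self, email):
        mac = hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()
        return f"{email}:{mac}"

    def request(self, email, newsletters):
        """Opt-in 1: form submitted. Returns the token to email, or None."""
        email = email.strip().lower()
        # An unsubscribed address keeps its do-not-resubscribe note, so a
        # third party cannot sign it up again; a confirmed one is left alone.
        if self.status.get(email) in ("subscribed", "unsubscribed"):
            return None
        self.status[email] = "pending"
        self.lists[email] = set(newsletters)
        return self._token(email)

    def confirm(self, token):
        """Opt-in 2: link followed. Only a pending address can be confirmed."""
        email, _, mac = token.rpartition(":")
        expected = self._token(email).rpartition(":")[2]
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        if self.status.get(email) != "pending":
            return False  # also rejects an old link replayed after unsubscribe
        self.status[email] = "subscribed"
        return True

    def unsubscribe(self, email):
        email = email.strip().lower()
        if email in self.status:
            self.status[email] = "unsubscribed"  # record kept as the note
            self.lists[email] = set()

    def send(self, newsletter, body):
        """One message per recipient, so no member sees another's address."""
        return [{"to": e, "body": body} for e, s in sorted(self.status.items())
                if s == "subscribed" and newsletter in self.lists[e]]
```

Removing someone from the database entirely, as the page offers on request, would delete the record and with it the do-not-resubscribe note.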

Chicago Woodturners 2006
A Chapter of the American Association of Woodturners
Last Updated May 15, 2006