Topic: Ballotbin.com Security Breaches - Disclosure to the General Membership

Due to security breaches discovered in a previous vote, a link to the Voting Booth will NO LONGER be supplied. I would like to reassure everyone that the security breaches were addressed and handled appropriately, and fortunately they did not cause any damage nor did they skew any results. Please read the following report for more information.



What happened: some e-mails that did not belong to Phoenix Members were registered in an ongoing vote, but those e-mails did not register any votes. So no damage was done and no results of the vote were skewed.

How it was handled: When the breaches were discovered, the e-mails were removed from the ongoing vote before the users could skew the results of the vote and the vote was changed to invitation-only to prevent any non-Phoenix members from registering in that vote.

How we are preventing these security breaches: As a safety measure, I asked Euan to set up an automatically updated list of users that have been active (those who have posted within the last 2 weeks) to ensure these security breaches cannot happen again. This grants us immunity to these kinds of security breaches and also eliminates the possibility of idle user accounts (people who have joined but have never posted) from getting invited to vote in an election for a community they are inactive in.



As a result, only members who have posted within the last 2 weeks will be invited via e-mail to vote in the current election and in all future votes until such time that we have a more secure system for voting. I can manually enter any person who has been inactive and would like to be registered as a voter - please contact me via e-mail, Phoenix message, or even Facebook to arrange to be added to the voter registry.



I am sorry for any inconvenience this might cause anyone. It is my desire to break away from Ballotbin.com and to create our own Voting Booth so that in the future, for one, we might never need worry about these security breaches ever again.

Robert Longtin
Elections and Voting Coordinator


Re: Ballotbin.com Security Breaches - Disclosure to the General Membership

Thanks Robert. What measures are in place for those who are new to the community (say, people creating dummy accounts just to "stuff the ballot box")?

Is there consideration of creating a minimum membership period before participating in the vote?


Re: Ballotbin.com Security Breaches - Disclosure to the General Membership

Jason Andersen wrote:

Thanks Robert. What measures are in place for those who are new to the community (say, people creating dummy accounts just to "stuff the ballot box")?

Is there consideration of creating a minimum membership period before participating in the vote?

RLongtin wrote:

How we are preventing these security breaches: As a safety measure, I asked Euan to set up an automatically updated list of users that have been active (those who have posted within the last 2 weeks) to ensure these security breaches cannot happen again. This grants us immunity to these kinds of security breaches and also eliminates the possibility of idle user accounts (people who have joined but have never posted) from getting invited to vote in an election for a community they are inactive in.

In addition to the above, I am personally looking at every account that gets past this safety net to ensure the users are indeed newcomers and not "dummy accounts". The types of posts being made, the timing of the posts, checking IP addresses for uniqueness, and also investigating e-mail addresses to find out how recently the e-mail account was set up are all things that are being considered for accounts that are being looked at.

So far I haven't noticed anything suspicious, so no worries! I'm hoping things stay that way until the end of the elections. The intent here is to ensure that the community benefits from its own true opinion, free of fraud and corruption. Eventually we will be breaking away from this system to one which has a stronger sense of security, and when that day arrives we can all rest a bit easier.

Robert Longtin
Elections and Voting Coordinator


Re: Ballotbin.com Security Breaches - Disclosure to the General Membership

Sounds good. Thanks for your hard work and dedication, Robert!


Re: Ballotbin.com Security Breaches - Disclosure to the General Membership

No problem! As it stands, after 1 week of voting no other accounts have started posting so literally everyone that has been invited has checked out, and no new accounts (real or otherwise) have appeared on the list of people to add so there has been no need for much checking yet.

Robert Longtin
Elections and Voting Coordinator


Re: Ballotbin.com Security Breaches - Disclosure to the General Membership

Jason Andersen wrote:

Thanks Robert. What measures are in place for those who are new to the community (say, people creating dummy accounts just to "stuff the ballot box")?

Is there consideration of creating a minimum membership period before participating in the vote?

RLongtin wrote:

In addition to the above, I am personally looking at every account that gets past this safety net to ensure the users are indeed newcomers and not "dummy accounts". The types of posts being made, the timing of the posts, checking IP addresses for uniqueness, and also investigating e-mail addresses to find out how recently the e-mail account was set up are all things that are being considered for accounts that are being looked at.

That scuppers my plan to register a bunch of fraudulent accounts and vote for myself relentlessly! Alas, I'll have to rely on honest means to win this one... foiled again, Moriarty! ;-)

Joking aside, excellent work Robert.

Ash
