please don't just tell me I'm an idiot
June 30, 2005 11:28 AM
Lack of Privacy Filter: I just discovered an unapproved stranger has been "eavesdropping" on a private yahoogroups list. What. The. Fuck?
I started a private, closed-membership yahoogroups list after a friend and colleague's email provider spamcopped my gmail address. We used the list for private conversation, and kept the work stuff confined to the work addresses we both used that weren't affected by spamcop. Even though I'm probably an idiot for assuming the list was really private, we had the kind of private conversations no one really wants anyone else to read.
I went to the stupid yahoogroups website today to check on some other group I moderate and saw that instead of this private group being listed as having 2 members, it said 3. And that the group setting had been changed from closed to open. And that the setting about posts not being archived online had been changed to posts being able to be read online. And that this random person had joined almost two months ago and I never got so much as a notification about it.
So someone's been reading over our shoulders for over two months now. In addition to being fucking creepy, I'm concerned about the sensitive personal information my friend and I discussed -- especially for my friend, as she's kind of high-profile, and some of the private stuff we were discussing is real 100% dirt that could fuck up her professional life.
What can I do about this? Aside from deleting the person's membership, is there any action I can take? With yahoogroups or otherwise? On the one hand, if this person wanted to do something with the information he gleaned from our discussion (making stuff public, blackmail, etc.), I imagine he probably would have done it already. But still... how did all that stuff get changed? As the group "owner," why wasn't I notified about it?
*shrug* If someone was able to log into the account as you, the owner, they probably could do the changes without an alert being issued.
How crackable was your password? Have you ever written it down? Would someone in (living or visiting) your house or office be able to look up or figure out the password? Has it been sent to an email account that's got a crackable password? Was the yahoo password ever cited in an email that got transmitted through an unencrypted channel? Did you ever use work machines to log into the yahoo account? (Employers routinely monitor traffic passing through their network...)
There's a lot of theoretically possible ways for it to happen. If it were me, I'd:
1) Stop all comm via the group immediately, of course.
2) Ask yahoo to immediately purge the group and its archives (not sure whether they'd actually do that, but it'd be nice to get rid of the archives before raising the person's suspicions).*
3) Harden the passwords of your respective yahoo and mail accounts.
4) Contact the person and politely ask them how they got interested in the group, joined, etc. The worst damage has been done, so really what's the harm in making a direct inquiry? Maybe you'll be fortunate enough to learn that things aren't as bad as you fear.
* If yahoo won't destroy all traces of the group, you can at least delete the archived messages. A group member can go into the archive and delete their own messages one by one. Assuming that feature hasn't been changed since I had to delete a message a few years ago. Of course, the person could still have copies of whatever he/she already received...
posted by nakedcodemonkey at 12:08 PM on June 30, 2005
Yikes. A good maxim: never put anything online you wouldn't want to see in tomorrow's paper next to your name.
A friend of mine is the chair of an academic department at a state university. Upon learning that all his email was subject to Freedom of Information Act requests from journalists (many state employees, especially academics, do not know this and should) he alerted his colleagues that they should not send him anything they wouldn't want made public. In a flash, his life was simplified and his email volume dropped by half.
So I have to ask, *what were you thinking* in archiving stuff that could ruin your friend's career on a Yahoo group?
posted by realcountrymusic at 12:33 PM on June 30, 2005
If you are feeling particularly evil, remember that the fact that you now know what they are doing is a powerful tool. Especially if the third party doesn't realize that you have found out about their hack...
You could use this as a misinformation channel. Carry on in the group as if nothing had ever happened, but contact the other member off-line and warn them. Then proceed to spread lies and scandalous gossip. Make sure that it is believable, but false and disprovable if required. If the third party then acts on this information, you can prove it was false.
Alternatively, contact the other members off-line, warn them and then send a message that says "This was a great creative writing exercise, but I think I'm done! All of this stuff we made up will look great in this saucy novel that I'm writing!"
(not that I've ever done anything like this, I'm just sayin'. And even if you think I have you can't prove anything)
posted by baggers at 12:37 PM on June 30, 2005
Response by poster: Thanks, nakedcodemonkey. Realcountrymusic, that's the thing -- the group was set up to NOT be archived, and to have membership closed, and to be private. Those settings were changed without my consent, and neither of us realized it because we weren't accessing the group via the web.
posted by youarejustalittleant at 12:39 PM on June 30, 2005
Do you know who the lurker is? Do you have at least an email address for them?
posted by LarryC at 12:45 PM on June 30, 2005
Response by poster: Baggers, that is excellent... LarryC, I have an email address, though that's not turning up anything.
posted by youarejustalittleant at 12:47 PM on June 30, 2005
Disinformation sounds brilliant. If you can pass the whole thing off as an elaborate fiction, that could be one hell of a clever solution.
Discussing false, scandalous claims, though...that sounds like an invitation to worse trouble. It's a public space, whether you intended it to be or not. You know at least one member of the public is already watching, and you can't close the group to more members of the public without tipping your hand. IANAL, but that sounds like you'd be opening yourself up to a libel complaint or other bad consequences. Careful.
posted by nakedcodemonkey at 1:27 PM on June 30, 2005
Have you checked the Management logs for your group? Those often provide more detail, such as exactly when those settings were changed, and by whom.
You didn't specifically mention checking the Management settings (located at http://groups.yahoo.com/group/yourgroup/manage), so that may ease your mind a little bit, if the mystery person joined two months ago, but settings were only changed last week, for example.
posted by wells at 1:32 PM on June 30, 2005
You describe your friend as "kind of high-profile," and you claim to have the lurker's email address. Depending on what "high-profile" means, consider hiring a private investigator to determine the lurker's identity. It's amazing what folks can do with computers.
posted by cribcage at 1:36 PM on June 30, 2005
I would delete the archived posts and do nothing. The lurker might be some random asshole who does not realize the sensitivity of the material. Any contact could just tip them. I would not even delete the lurker from the group.
Alternatively, you could email them and ask what is up. "Hey you, why are you on my Yahoo Group?" Or use a different email account and send them some kind of message to phish for their identity. "I am trying to find an old friend from high school, are you the xx who went to high school with me?" (Actually, that is not very good, does anyone have a better idea?)
Baggers' idea is brilliant, but I would not do anything that would increase the lurker's interest in the site. Maybe just a last simple exchange or two to mimic a conversation tapering off.
Geez this is creepy. Good luck with it.
posted by LarryC at 1:39 PM on June 30, 2005
Not to fan the flames of paranoia too much, but this whole discussion has taken place in a very public space. How did they hack your group? nakedcodemonkey asks some relevant questions about how this could have happened. Is it someone who knows you/your online habits? I get the impulse for a sting but what are the risks of that?
If this is as dangerous to your friend as you say I second cribcage on the PI.
posted by pointilist at 1:59 PM on June 30, 2005
Response by poster: The email address is unfamiliar, and I doubt it's someone I know. I have deleted the posts and deleted the group.
posted by youarejustalittleant at 2:18 PM on June 30, 2005
Get a third (i.e., fourth) person to join, using another vaguely famous or recognizable name, to muddy the waters. Slowly add such people to subtly make it seem like people are acting out. I agree that too coarse a disinformation effort will raise a lot of suspicions and have the opposite effect to that desired.
and post an update when you figure it out
posted by Rumple at 4:06 PM on June 30, 2005
It also may just be that the group's management settings were reset by accident during a server update, and that this other person joined before you'd figured out that the group was no longer private. It happens sometimes. I don't necessarily think you should assume that someone is spying on you-- it could simply be that someone joined what was, at the time, a public group.
posted by yellowcandy at 5:11 PM on June 30, 2005
I maintain a private Yahoo group similar to what the poster described, except I use mine for off-site file storage (i.e. one member, no discussions). Yahoo has upgraded its software a few times in the past several years, I believe, but my group has never been reverted to open membership.
Every so often someone stumbles upon the group and tries to join. I click a link, and they get a polite rejection notice. No problem.
posted by cribcage at 5:47 PM on June 30, 2005
I would say your best bet is to use more secure means of communication than, ahem, Yahoooooooooooooh!
posted by angry modem at 7:52 PM on June 30, 2005
A yahoogroup I was in had its settings changed by yahoo for no apparent reason and without notice (private archives to public). It does happen, although apparently not very often. So it is possible, as yellowcandy says, that the person joined a public group, and had no ill intentions.
posted by clarissajoy at 10:36 AM on July 1, 2005
This thread is closed to new comments.
posted by shino-boy at 11:45 AM on June 30, 2005