Amandine Jambert (cryptie), CNIL, FSFE Financial data breach

posted by Roy Schestowitz on Apr 02, 2024

[Article 1.5 years old]

Reprinted with permission from the Free Software Fellowship.

We already wrote about Amandine "Cryptie" Jambert who is working for the French privacy regulator, CNIL while using a pseudonym to participate in the FSFE.

We mentioned that FSFE covered up the financial data privacy breach.

We want to publish more evidence and show why this is happening.

FSFE financial statements show they have lots of money. Their budget is €600,000 per year.

Looking at their employee list, they don't employee anybody with real technical competence. The one technical staff member is a social science graduate who is re-training as a "hopeful" developer. All the money goes to the imposters and female interns.

They use volunteers and students to do the sysadmin work. The FSFE jobs page is currently looking for a student sysadmin to work on the minimum wage.

Working time and compensation: The desired working time would be 10 hours per week but can be discussed. You will start working in our Berlin office to get a feeling for the organisation and the faces behind it, but at a later stage, home office is possible. The salary is based on the currently applicable minimum wage in Germany but can be higher depending on your experience. A mandatory requirement is that you are enrolled as a student at a university in Germany.

As a student, the sysadmin won't be available for about 6 weeks each semester while undertaking exams.

Volunteers also discovered FSFE using teenagers, children, child labour - see the YH4F and Outreachy Grooming scandals

Here we publish the full email about the privacy breach.

In this leak, Matthias Kirschner claims that nobody has taken copies of the financial data so there was no obligation to make any warning to the donors.

In fact, many volunteers, former employees, students, interns and maybe even children have copies of data about the FSFE donors. It was 15 year olds in Belfast who hacked the British phone company Talk-Talk. FSFE would be a walk in the park for those kids. We are publishing a copy of the FSFE Berlin mailing list membership to prove that copies exist outside the FSFE and therefore Matthias Kirschner is a liar.

We will remove the list when Matthias Kirschner removes all the defamation from the FSFE web sites, all other free software projects and search results.

Subject: [GA] Report about privacy problem with financial data
Date: Thu, 15 Mar 2018 14:26:10 +0100
From: Matthias Kirschner <mk@fsfe.org>
To: FSFE General Assembly <ga@lists.fsfe.org>, FSFE system hackers <system-hackers@lists.fsfe.org>


The archives of finance@lists.fsfe.org, and thereby all the information
including full names, amount, credit card and bank details, were public
from 18 December 2017 until 13 March 2018. It is now fixed and nobody
outside the FSFE should have had access to them. Please help to check
if the archives of your list should be public or not (see below).


On 13 March Reinhard noticed, that finance@lists.fsfe.org has a public
archive, he informed me, I directly changed the archive to private and
changed the admin password for the list which is currently only
available to Heiki and myself. 
Due to a communication mistake neither Jan and Vincent nor I myself
checked finance@lists.fsfe.org when checking the list settings after we
were informed about the problems with staff@lists.fsfe.org (which Jonas
created on 1 November). I myself forgot to remember that finance@ was
also a mailing list, after Jonas migrated the former finance@ alias to a
mailman list on 18 December 2017, and Jan and Vincent used the external
mailing list listing, instead of the internal list. So we missed the
list when checking other mailing lists after the former incident.


As the mailing list had public archives everybody knowing the URL would
have had access to information like full name, amount of money for the
donation, and the last 4 digits of the credit card number, for bank
transfers the whole info BIC + IBAN numbers, contract discussions about
the legal workshop, info messages from corporate donors (e.g. Google's
Benevity), invoices, internal discussion by our finance team, etc.


I first wanted to inform you about the problem and discuss how to
communicate the privacy problem to the effected parties, but Heiki
suggested to first check all IP logs to see if they archives were
accessed by third parties. Thanks to Albert's work, we can now say that
the archives were only accessed this week, and that the IP addresses
belonged either to Heiki, Reinhard, or the Berlin office (in comparison
with staff@ the mailing list was not advertised on our list server and
we were able to confirm.)


Jan, Vincent, and myself did some other checks, and when we wondered if
the list should be public asked the people involved if it is ok that
their list archive is public. 
# How you can help


One wish how you can help: if you are part of a mailing list which was
not mentioned before, please do one quick check if the archives are
publicly available, and if that should be the case. Else either change
it yourself, or inform system-hackers@lists.fsfe.org about it. In
general if you setup a list with sensitive information, please check how
people can subscribe, if the list should be advertised on our list
server, if there should be an archive, and make sure that the archive is
not public. 
Best Regards,
Matthias


-- 
Matthias Kirschner - President - Free Software Foundation Europe
Schönhauser Allee 6/7, 10119 Berlin, Germany | t +49-30-27595290
Registered at Amtsgericht Hamburg, VR 17030  |   (fsfe.org/join)
Contact (fsfe.org/about/kirschner)  -  Weblog (k7r.eu/blog.html)
_______________________________________________
GA mailing list
GA@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/ga

FSFE internal forms were captured by search engines

If you try to access the pages today they are demanding a password. It looks like somebody disabled the authentication and left them unprotected long enough for the search engines to take snapshots.

For example, to make an internal order for business cards using the name Adolf Hitler, you can try to use this form.

Membership list for the Berlin FSFE mailing list

You can use this page to join the list or browse the archives.

0xf10e@fsfe.org
99735@gmx.de
ahmruoff@gmail.com
ajh92@fsfe.org
albert@fsfe.org
alex01at@gmail.com
alex.graichen.ag@gmail.com
alex.sander@fsfe.org
anwalt@rechtsanwalt-stehmann.de
archive@mail-archive.com
arvid@fsfe.org
axel.b.kaiser@fsfe.org
axelmetzger@gmx.de
behrens_lars@gmx.de
benedikt.geissler@mailbox.org
benjamin.wand@web.de
benny@benny.de
bernhard@fsfe.org
bernhard@weitzhofer.org
bettgens@wesel-net.de
bh@intevation.de
birgit.huesken@fsfe.org
blanky0230@gmail.com
blipp@fsfe.org
brucker@spamfence.net
buenger@mytum.de
bussec@fsfe.org
c11f49af@posteo.de
cal@zls.de
carl-daniel.hailfinger@bsi.bund.de
carsten.knoll@posteo.de
cb@christian-bertram.de
cc@cmesh.de
chorse@gnu.org
chris.schabesberger@mailbox.org
christian.bleich.b@outlook.com
christian.imhorst@fsfe.org
christian@leber.de
christian@maxen.de
christian.naehle@posteo.de
christop@physik.tu-berlin.de
comzeradd@fsfe.org
cornelius@fsfe.org
cpoell@web.de
cw@fsfe.org
cybercow@triangulum.uberspace.de
dan.scharon@fsfe.org
denefi@fsfe.org
dennis.kawurek@hotmail.de
derik@fsfe.org
dg-lists@restfarbe.de
dhaen@gmx.de
dnt@gmx.com
dosbart@fsfe.org
dr-faustus@gmx.de
dschreiber@gmx.de
dzemisch@emailaholics.org
eal@fsfe.org
ebner@rosinak.at
edu-ml@unormal.org
egnun@fsfe.org
eht16@fsfe.org
erack@fsfe.org
erik@erlenweg.de
etjen.delilovic@gmail.com
e-user@fsfe.org
ff@chello.at
filla-news@online.de
fixtux@t-online.de
flo@4freax.net
floriansnow@fsfe.org
flx@fsfe.org
fphome@live.de
frank.becker@posteo.de
frank@frank.uvena.de
frank.koormann@intevation.de
frank.zimmermann.berlin@freenet.de
freebsd-listen@fabiankeil.de
fseidl@f9s.eu
fsfe@alteholz.de
fsfe@datentopf.org
fsfe@david-huecking.de
fsfe_dl@yahoo.de
fsfe@mo-online.org
fsferesignations@tuta.io
fsfe@rince.de
fsfe@sebdu.de
fsfeurope-german@lists.infodrom.org
fullstack@gmx.de
fw@deneb.enyo.de
ggiedke@fsfe.org
gian-maria.daffre@giammi.org
gnu-fsfe-de@m.gmane.org
gregor6464hp@posteo.de
greve@fsfe.org
gs@gstange.de
guido@fsfe.org
g.w.kugler@posteo.de
haagch@frickel.club
hannes.mayr@digitalcourage.de
he.ne@gmx.net
henning@jacobs1.de
hjensen@mailbox.org
hweidner-lists@gmx.net
idrost@htwm.de
ilu@fsfe.org
irie@wakeupandlive.de
irmhild.rogalla@institut-pi.de
jaeger@jbb-berlin.de
ja@fsfe.org
jan@dittberner.info
jan@intevation.de
jannis@pinterjann.is
jansson@gmx.net
janwey@fsfe.org
j.avdg@fsfe.org
jens@koch-der-gaertner.de
jj@pr-profi.com
jj.sarton@t-online.de
jlk@fsfe.org
jochen@herr-schmitt.de
joerg.berkel@phbern.ch
johannes@hubertz.de
joris.baum@runbox.com
jotbe@fsfe.org
julian.rueth@gmail.com
jurzik@guug.de
jzarl@fsfe.org
kar.dre.2017@gmail.com
karsten.reincke@telekom.de
kdambiec@fsfe.org
kelvan@ist-total.org
kloschi@subsignal.org
kontakt@do-foss.de
kontakt@freiesoftwareog.org
laabs@dasr.de
leize@leize.de
lemming@henning-thielemann.de
lgradl@posteo.net
linux@7mhz.de
liste3@gmx.de
listen@leena.de
lists@apfelkraut.org
lists@bitkeks.eu
lists@koffeinfrei.org
lists-mm@netcologne.de
lists@realcyber.de
lists@sumpfralle.de
lorenz@vulgrim.de
lorenz.wenner@posteo.de
luc.saffre@gmx.net
mail@florianhaas.net
mailinglist@doczkal.de
mail@michael-weimann.eu
mail@rolandgreim.de
mail@zimmer428.net
majestyx@fsfe.org
mararm@fsfe.org
marcoschlicht@onlinehome.de
maria.w@fsfe.org
mark.gerber.1976@gmail.com
martin@gerwinski.de
martone@fsfe.org
marvin.cohrs@hotmail.de
marvin.kohl@posteo.de
mason.edwards.20@outlook.com
mat@fsfe.org
matthias.kabel@tyche.de
matthias@vorlons.info
maurice@prtrc.net
max.mehl@fsfe.org
mbauer@mailbox.org
mf@fsfe.org
mfritsche@reauktion.de
mgross@junetz.de
michael.wehram@wolfsburg.de
micha@stoecker.me
michele.martone@ipp.mpg.de
mkellner@innnet.de
mk@fsfe.org
ml@mareichelt.com
ml@schoenitzer.de
m.mittler@gmx.net
modlinger@erneuerbare-freiheit.de
moritz@headstrong.de
m_szczawinski@poczta.fm
neal@walfield.org
news@gernot-schulz.com
newsletter@danielklier.com
news@schiermeier-it.de
nick.blackberg@nurfuerspam.de
nidi@fsfe.org
nowakewitz@yahoo.de
ntj@allesjetzt.net
oj@null.at
oliver.horn@gmx.net
olli@sopos.org
ooo@altsys.de
pascalwittmann@gmx.net
paul@fsfe.org
p.beier@t-online.de
peter.hormanns@jalin.de
peter.muehlbauer@gmx.net
pfarrch@gmail.com
phil@hoefer-elze.de
philipp.n@fsfe.org
philipp.schneider@mailbox.org
post@lespocky.de
prawn@fsfe.org
proedie@fsfe.org
radoje.stojisic@posteo.de
r.brusa@gmx.ch
reedts@fsfe.org
reg+fsfe@disroot.org
reinhard@fsfe.org
riepernet@fsfe.org
rmacek@fsfe.org
roland.hummel@student.hu-berlin.de
roland@mxchange.org
ronny-fs@vlugnet.org
sascha@girrulat.de
schiessle@fsfe.org
schult@reneschult.de
schulz@fsfe.org
schwirz.linux-ag@freenet.de
sebastian@dorni.net
sebastian.fedrau@gmail.com
sebastian@feltel.de
sebastian@lubo-net.de
sebsch@geblubber.org
selva@posteo.de
shin@posteo.jp
silvan.heintze@gmx.de
simon.parrer@gmail.com
singer.felix@t-online.de
softmetz@fsfe.org
spam.an.joker@googlemail.com
spikespiegel@gmx.net
stefan.boehringer@posteo.de
stefan@debxwoody.de
stefan.frech@gmx.de
stefan.nagy@posteo.net
stefano.cavallari@posteo.de
steffenfritz@fsfe.org
suhrj@fsfe.org
sus2006@bluewin.ch
su@su2.info
sw@fsfe.org
tblu@autistici.org
tb@makesyoualwaysgorgeous.org
tes@fsfe.org
thb@documentfoundation.org
thomasb-fsfe-de@dawnlink.net
thomas@koch.ro
thomas@leske.biz
thomas@schwinge.name
tiestes@gmx.de
tilljaeger@web.de
till.schaefer@do-foss.de
tks@fsfe.org
tobiasd@mailbox.org
tobias_huttner@mailbox.org
tobias.rothfelder@tum.de
tobias.schrank@fsfe.org
tom@voodoo-arts.net
t.schilde@firetech-online.de
tsctob@web.de
u.volmer@u-v.de
vanitasvitae@riseup.net
vassilis@raccoonia.com
v@njh.eu
volker@ixolution.de
volker@netkladde.de
vschlecht@fsfe.org
vv01f@fsfe.org
weo@weo1.de
wg@fsfe.org
wharms@bfs.de
wicker@posteo.de
wilde@intevation.de
willi.uebelherr@gmx.de
woro@wolfgangromey.de
wromey@fsfe.org
yqxoqjno@umail.furryterror.org
zwiebel444@yahoo.de