Amandine Jambert (cryptie), CNIL, FSFE Financial data breach
[Article 1.5 years old]
Reprinted with permission from the Free Software Fellowship.
We already wrote about Amandine "Cryptie" Jambert who is working for the French privacy regulator, CNIL while using a pseudonym to participate in the FSFE.
We mentioned that FSFE covered up the financial data privacy breach.
We want to publish more evidence and show why this is happening.
FSFE financial statements show they have lots of money. Their budget is €600,000 per year.
Looking at their employee list, they don't employee anybody with real technical competence. The one technical staff member is a social science graduate who is re-training as a "hopeful" developer. All the money goes to the imposters and female interns.
They use volunteers and students to do the sysadmin work. The FSFE jobs page is currently looking for a student sysadmin to work on the minimum wage.
Working time and compensation: The desired working time would be 10 hours per week but can be discussed. You will start working in our Berlin office to get a feeling for the organisation and the faces behind it, but at a later stage, home office is possible. The salary is based on the currently applicable minimum wage in Germany but can be higher depending on your experience. A mandatory requirement is that you are enrolled as a student at a university in Germany.
As a student, the sysadmin won't be available for about 6 weeks each semester while undertaking exams.
Here we publish the full email about the privacy breach.
In this leak, Matthias Kirschner claims that nobody has taken copies of the financial data so there was no obligation to make any warning to the donors.
In fact, many volunteers, former employees, students, interns and maybe even children have copies of data about the FSFE donors. It was 15 year olds in Belfast who hacked the British phone company Talk-Talk. FSFE would be a walk in the park for those kids. We are publishing a copy of the FSFE Berlin mailing list membership to prove that copies exist outside the FSFE and therefore Matthias Kirschner is a liar.
We will remove the list when Matthias Kirschner removes all the defamation from the FSFE web sites, all other free software projects and search results.
Subject: [GA] Report about privacy problem with financial data Date: Thu, 15 Mar 2018 14:26:10 +0100 From: Matthias Kirschner <mk@fsfe.org> To: FSFE General Assembly <ga@lists.fsfe.org>, FSFE system hackers <system-hackers@lists.fsfe.org>
The archives of finance@lists.fsfe.org, and thereby all the information including full names, amount, credit card and bank details, were public from 18 December 2017 until 13 March 2018. It is now fixed and nobody outside the FSFE should have had access to them. Please help to check if the archives of your list should be public or not (see below).
On 13 March Reinhard noticed, that finance@lists.fsfe.org has a public archive, he informed me, I directly changed the archive to private and changed the admin password for the list which is currently only available to Heiki and myself. Due to a communication mistake neither Jan and Vincent nor I myself checked finance@lists.fsfe.org when checking the list settings after we were informed about the problems with staff@lists.fsfe.org (which Jonas created on 1 November). I myself forgot to remember that finance@ was also a mailing list, after Jonas migrated the former finance@ alias to a mailman list on 18 December 2017, and Jan and Vincent used the external mailing list listing, instead of the internal list. So we missed the list when checking other mailing lists after the former incident.
As the mailing list had public archives everybody knowing the URL would have had access to information like full name, amount of money for the donation, and the last 4 digits of the credit card number, for bank transfers the whole info BIC + IBAN numbers, contract discussions about the legal workshop, info messages from corporate donors (e.g. Google's Benevity), invoices, internal discussion by our finance team, etc.
I first wanted to inform you about the problem and discuss how to communicate the privacy problem to the effected parties, but Heiki suggested to first check all IP logs to see if they archives were accessed by third parties. Thanks to Albert's work, we can now say that the archives were only accessed this week, and that the IP addresses belonged either to Heiki, Reinhard, or the Berlin office (in comparison with staff@ the mailing list was not advertised on our list server and we were able to confirm.)
Jan, Vincent, and myself did some other checks, and when we wondered if the list should be public asked the people involved if it is ok that their list archive is public. # How you can help
One wish how you can help: if you are part of a mailing list which was not mentioned before, please do one quick check if the archives are publicly available, and if that should be the case. Else either change it yourself, or inform system-hackers@lists.fsfe.org about it. In general if you setup a list with sensitive information, please check how people can subscribe, if the list should be advertised on our list server, if there should be an archive, and make sure that the archive is not public. Best Regards, Matthias
-- Matthias Kirschner - President - Free Software Foundation Europe Schönhauser Allee 6/7, 10119 Berlin, Germany | t +49-30-27595290 Registered at Amtsgericht Hamburg, VR 17030 | (fsfe.org/join) Contact (fsfe.org/about/kirschner) - Weblog (k7r.eu/blog.html) _______________________________________________ GA mailing list GA@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/ga
FSFE internal forms were captured by search engines
If you try to access the pages today they are demanding a password. It looks like somebody disabled the authentication and left them unprotected long enough for the search engines to take snapshots.
For example, to make an internal order for business cards using the name Adolf Hitler, you can try to use this form.
Membership list for the Berlin FSFE mailing list
You can use this page to join the list or browse the archives.
0xf10e@fsfe.org 99735@gmx.de ahmruoff@gmail.com ajh92@fsfe.org albert@fsfe.org alex01at@gmail.com alex.graichen.ag@gmail.com alex.sander@fsfe.org anwalt@rechtsanwalt-stehmann.de archive@mail-archive.com arvid@fsfe.org axel.b.kaiser@fsfe.org axelmetzger@gmx.de behrens_lars@gmx.de benedikt.geissler@mailbox.org benjamin.wand@web.de benny@benny.de bernhard@fsfe.org bernhard@weitzhofer.org bettgens@wesel-net.de bh@intevation.de birgit.huesken@fsfe.org blanky0230@gmail.com blipp@fsfe.org brucker@spamfence.net buenger@mytum.de bussec@fsfe.org c11f49af@posteo.de cal@zls.de carl-daniel.hailfinger@bsi.bund.de carsten.knoll@posteo.de cb@christian-bertram.de cc@cmesh.de chorse@gnu.org chris.schabesberger@mailbox.org christian.bleich.b@outlook.com christian.imhorst@fsfe.org christian@leber.de christian@maxen.de christian.naehle@posteo.de christop@physik.tu-berlin.de comzeradd@fsfe.org cornelius@fsfe.org cpoell@web.de cw@fsfe.org cybercow@triangulum.uberspace.de dan.scharon@fsfe.org denefi@fsfe.org dennis.kawurek@hotmail.de derik@fsfe.org dg-lists@restfarbe.de dhaen@gmx.de dnt@gmx.com dosbart@fsfe.org dr-faustus@gmx.de dschreiber@gmx.de dzemisch@emailaholics.org eal@fsfe.org ebner@rosinak.at edu-ml@unormal.org egnun@fsfe.org eht16@fsfe.org erack@fsfe.org erik@erlenweg.de etjen.delilovic@gmail.com e-user@fsfe.org ff@chello.at filla-news@online.de fixtux@t-online.de flo@4freax.net floriansnow@fsfe.org flx@fsfe.org fphome@live.de frank.becker@posteo.de frank@frank.uvena.de frank.koormann@intevation.de frank.zimmermann.berlin@freenet.de freebsd-listen@fabiankeil.de fseidl@f9s.eu fsfe@alteholz.de fsfe@datentopf.org fsfe@david-huecking.de fsfe_dl@yahoo.de fsfe@mo-online.org fsferesignations@tuta.io fsfe@rince.de fsfe@sebdu.de fsfeurope-german@lists.infodrom.org fullstack@gmx.de fw@deneb.enyo.de ggiedke@fsfe.org gian-maria.daffre@giammi.org gnu-fsfe-de@m.gmane.org gregor6464hp@posteo.de greve@fsfe.org gs@gstange.de guido@fsfe.org g.w.kugler@posteo.de haagch@frickel.club hannes.mayr@digitalcourage.de he.ne@gmx.net henning@jacobs1.de hjensen@mailbox.org hweidner-lists@gmx.net idrost@htwm.de ilu@fsfe.org irie@wakeupandlive.de irmhild.rogalla@institut-pi.de jaeger@jbb-berlin.de ja@fsfe.org jan@dittberner.info jan@intevation.de jannis@pinterjann.is jansson@gmx.net janwey@fsfe.org j.avdg@fsfe.org jens@koch-der-gaertner.de jj@pr-profi.com jj.sarton@t-online.de jlk@fsfe.org jochen@herr-schmitt.de joerg.berkel@phbern.ch johannes@hubertz.de joris.baum@runbox.com jotbe@fsfe.org julian.rueth@gmail.com jurzik@guug.de jzarl@fsfe.org kar.dre.2017@gmail.com karsten.reincke@telekom.de kdambiec@fsfe.org kelvan@ist-total.org kloschi@subsignal.org kontakt@do-foss.de kontakt@freiesoftwareog.org laabs@dasr.de leize@leize.de lemming@henning-thielemann.de lgradl@posteo.net linux@7mhz.de liste3@gmx.de listen@leena.de lists@apfelkraut.org lists@bitkeks.eu lists@koffeinfrei.org lists-mm@netcologne.de lists@realcyber.de lists@sumpfralle.de lorenz@vulgrim.de lorenz.wenner@posteo.de luc.saffre@gmx.net mail@florianhaas.net mailinglist@doczkal.de mail@michael-weimann.eu mail@rolandgreim.de mail@zimmer428.net majestyx@fsfe.org mararm@fsfe.org marcoschlicht@onlinehome.de maria.w@fsfe.org mark.gerber.1976@gmail.com martin@gerwinski.de martone@fsfe.org marvin.cohrs@hotmail.de marvin.kohl@posteo.de mason.edwards.20@outlook.com mat@fsfe.org matthias.kabel@tyche.de matthias@vorlons.info maurice@prtrc.net max.mehl@fsfe.org mbauer@mailbox.org mf@fsfe.org mfritsche@reauktion.de mgross@junetz.de michael.wehram@wolfsburg.de micha@stoecker.me michele.martone@ipp.mpg.de mkellner@innnet.de mk@fsfe.org ml@mareichelt.com ml@schoenitzer.de m.mittler@gmx.net modlinger@erneuerbare-freiheit.de moritz@headstrong.de m_szczawinski@poczta.fm neal@walfield.org news@gernot-schulz.com newsletter@danielklier.com news@schiermeier-it.de nick.blackberg@nurfuerspam.de nidi@fsfe.org nowakewitz@yahoo.de ntj@allesjetzt.net oj@null.at oliver.horn@gmx.net olli@sopos.org ooo@altsys.de pascalwittmann@gmx.net paul@fsfe.org p.beier@t-online.de peter.hormanns@jalin.de peter.muehlbauer@gmx.net pfarrch@gmail.com phil@hoefer-elze.de philipp.n@fsfe.org philipp.schneider@mailbox.org post@lespocky.de prawn@fsfe.org proedie@fsfe.org radoje.stojisic@posteo.de r.brusa@gmx.ch reedts@fsfe.org reg+fsfe@disroot.org reinhard@fsfe.org riepernet@fsfe.org rmacek@fsfe.org roland.hummel@student.hu-berlin.de roland@mxchange.org ronny-fs@vlugnet.org sascha@girrulat.de schiessle@fsfe.org schult@reneschult.de schulz@fsfe.org schwirz.linux-ag@freenet.de sebastian@dorni.net sebastian.fedrau@gmail.com sebastian@feltel.de sebastian@lubo-net.de sebsch@geblubber.org selva@posteo.de shin@posteo.jp silvan.heintze@gmx.de simon.parrer@gmail.com singer.felix@t-online.de softmetz@fsfe.org spam.an.joker@googlemail.com spikespiegel@gmx.net stefan.boehringer@posteo.de stefan@debxwoody.de stefan.frech@gmx.de stefan.nagy@posteo.net stefano.cavallari@posteo.de steffenfritz@fsfe.org suhrj@fsfe.org sus2006@bluewin.ch su@su2.info sw@fsfe.org tblu@autistici.org tb@makesyoualwaysgorgeous.org tes@fsfe.org thb@documentfoundation.org thomasb-fsfe-de@dawnlink.net thomas@koch.ro thomas@leske.biz thomas@schwinge.name tiestes@gmx.de tilljaeger@web.de till.schaefer@do-foss.de tks@fsfe.org tobiasd@mailbox.org tobias_huttner@mailbox.org tobias.rothfelder@tum.de tobias.schrank@fsfe.org tom@voodoo-arts.net t.schilde@firetech-online.de tsctob@web.de u.volmer@u-v.de vanitasvitae@riseup.net vassilis@raccoonia.com v@njh.eu volker@ixolution.de volker@netkladde.de vschlecht@fsfe.org vv01f@fsfe.org weo@weo1.de wg@fsfe.org wharms@bfs.de wicker@posteo.de wilde@intevation.de willi.uebelherr@gmx.de woro@wolfgangromey.de wromey@fsfe.org yqxoqjno@umail.furryterror.org zwiebel444@yahoo.de