The meeting was called to order at about 20:45 by elliot.

EC members attending: elliot, amu, hartmans, kretch, gisele, yandros, cat, nygren
EC members absent: nathanw
Others present: kcr, zacheiss, belmonte, klmitch, mycroft, seph, jered, zoz, dkk, jdaniel

hartmans: We've waited long enough for someone to come forward, and while it would be nice if someone came forward, I think we should move ahead now. We should talk to the people who were around and see if we can find anything.
elliot: Preventative measures might also be helpful.
[Technical discussion about whether it probably was or wasn't a security versus trust issue.]
cat: I'd like to see us talk about what we're going to do. We don't have res. to conduct an investigation; we should say that we're more than happy to help any investigation, and we should figure out what we're going to do in relevant cases. If we offer a concrete lesser and worse alternative, people may be motivated to come forward now. Also, we should prob. have different cases for member/nonmember
hartmans: If they sent the mail, I can't think of any justification for them still being members.
cat: If they don't come forward, a member should be dismem'd; a prospective should be asked to leave.
gisele: what should happen if it's a nonmember with a member's help.
hartmans: Depends on how much the member knew (duped the member versus active collusion)
hartmans: take a step back: Charles has implied that he's not sure that this was a big deal and.. asks Charles to elaborate.
mycroft: I don't think that there's been sufficient evidence that it was actually malicious.
hartmans: anything in particular that we should consider regarding this issue.
mycroft: [not now]
nygren: I'd like to see some way that others can be very clear that there is a required level of trust (privacy, serious security breach) and that violating it is grounds for dismem/asking to leave.
elliot: I've considered maybe we should have people sign something when we give them the root password.
gisele: I'd like to see not just a statement that it was bad, that it is the respon. of people in the office to enhance and keep this trust.
kretch: such as? [not sure]
kcr: we should consider if this is a symptom of a larger problem or an isolated case. solving a larger problem may be more work than is warranted.
elliot: we need to make sure that IS believes that we're taking this seriously...
[yandros talks about the perils of second-guessing IS]
kcr: [IS people who care are mostly SIPB too]
nygren: one thing that bothers me is that even `low level' permissions can have a huge influence; people shouldn't have to worry about trusting the office for even these bits.
elliot: there are technical changes that we could make...
[Discussion of whether or not that's a good idea.]
kretch: the technical helpers could change the `mood' of the situation, and that could be bad.
cat: signing things won't really help.. we have an image as a `hacking' group, and we should work on that. I'm going to work on an Ethics statement for the sipb...
[Discussion about resp. of people in office to `deal' with other people doing `bad' things in the office.]
[Agreement that the ethics statement is a good idea.]

Action Item 1: We should produce an ethics statement. cat will get this started; everyone should give input.

belmonte: we want to be careful that we don't seem to be `outlawing' normally accepted things.
kcr: in general, harmless messing should be something that is possibly reciprocal, and that could be useful for the delineation of things that are ok and that aren't.
hartmans: 1) ethics statement 2) sipb should talk to the people involved 3) we should talk to ops and let them know that we're going to cooperate with them
gisele: we should make this clear to all the sipb that we do take this seriously.
[yandros blathers more about details of malicious versus bad hack.]
belmonte: given that the person hasn't come forward, they probably aren't going to. Given that, maybe we should make arrangements with an ombud-like that they could come forward to the third party. given what they looked at, is it possible to figure out who from the examined people were logged in at the time.
[Discussion about technical feas. of that.]
mhpower: general q: is it valuable to continue allowing things that are similar that are `ok'; i.e. should we outlaw close, non-malicious hacks.
cat: considered that for the Ethics statement
gisele: make sure people think hard about whether or not a joke is really a joke.
mycroft: I would be disturbed (never use athena services again) if I found out that jis used kerberos logs to divulge personal information for anything less than a court order.
[Technical discussion about other uses that happen, rarely.]
cat: again, more focus! What do we want to do the current situation: (e.g. we give the person another week, and if they don't come forward, we dismember/punt them) are we the right group to do that
elliot: I think we can certainly make threats. We could recommend such.

Action Item 2: After giving another week for the guilty party to come forward to the EC, Ops, or the sipb as a whole: the EC will recommend to the Board that the person(s) found responsible for the misuse of Garry's bits and the breach of trust of the SIPB be dismembered if they are a member, and asked to leave the SIPB regardless of member status. If the person does come forward, the EC will make every effort to understand the situation and consider consequences appropriate to the situation.

-----------------------------------------------------------------------------
gisele: we should say something about what we'll do if they do come forward.
amu: ..and we won't recommend anything worse than if they don't come forward.
kretch: IS, generally, is more interested in finding the person than punishment.
belmonte: ombudsmanp
elliot: an ombud can't convince me that it was a joke, because they don't know the situation well enough.
belmonte: is there any such person?
kretch: what does that gain? we know someone did it. if they don't come forward, the trust is not restored..
hartmans: if you are not willing to come forward and admit your mistakes, then I'm not sure I want you as a sipb mem/pros.
cat: I would want to know that if they weren't publicly revealed, then I would want someone I know and trust to talk to them and make sure that they understand what and why wrong.
gisele: there's a problem with the ombudsman is *obliged* to not share the information, and rebuilding the trust requires sharing of this information.
belmonte: I understand what you're saying.. pragmatically, a 3rd party might increase communication..
hartmans: if it comes to that, it's not worth the effort.
nygren: I've seen people debate the maliciousness of it, so there's enough discussion of that... given this discussion, I'm really bothered that the person didn't come forward. It's often very easy to forgive someone who comes forward, but it's very hard to deal with no one coming forward...
yandros: is the ombudsman going to generate a distinct state? [generally, no]
--------------------------------------------
seph: it seems to me as a malicious attack on Garry and others, and they're not going to come forward.
[discussion of coming forward]
yandros: they may have already decided it was a bad thing and dealt with this without it. doesn't the ombudsman deal with this situation?
kretch: leaving that option seems to make it too easy to just `get out of it' or kill the issue
elliot: I still can't trust someone not involved to understand the situation well enough to rebuild my trust..
belmonte: I think the false confession thing is a bit ridiculous..
[discussion indicates that this isn't as ridiculous as it might seem.]
gisele: should this person come forward and want to talk about it, then we could consider the ombud before that.
elliot: it seems like the `3rd person' issue isn't going to help, so maybe we should move on [Consensus.]
--------------------------------------------
sam, gisele, others: discussion of confidentiality of coming forward
--------------------------------------------
elliot: right now, we seem to be moving forward on 1) ethics statement 2) statement about the situation [above] anything else?
chad: is the week `right'? [yes]
kcr: other things that could be done: some talking to people could be done that I don't think anyone actually in ops wants to do.
elliot: do we want to conduct an investigation?
[discussion]
chad: should we say something like ``coming forward to the EC if you have info, and we'll to keep it confidentially''
cat: remember that we're very bad at being a court.
gisele: it's crucial for us to start gathering information and we should see what we can do.
dkk: avoiding the witchhunt feel.. [lost]
nygren: it's very easy for this to turn into a witchhunt; we should be aware that the witchhunt mentality is hard to avoid.

Action Item 3: The EC will solicit information from people. People should send mail or talk to a member of the EC about any information they have (even things as simple as "I was around in the office that evening, but didn't notice anything.") People may want to avoid sending mail to sipb-ec, if they don't want lots of non-EC people to get it.

Action Item 4: The SIPB will cooperate with Ops in dealing with this issue.

chad: can we close the meeting [unanimous]
--------------------------------------------
we unclose the meeting, and didn't say anything confidential.
chad was confused about the specificity of dealing with mycroft
elliot explained he was the last one in the office
We thought about reviewing the log information in the closed EC meeting, but decided not to.
------------------------------------------------------------------
elliot: Move that it is the sense of the EC that:

1) Ethics statement: We should produce an ethics statement. cat will get this started; everyone should give input.

2) Consequences: After giving another week for the guilty party to come forward to the EC, Ops, or the sipb as a whole: the EC will recommend to the Board that the person(s) found responsible for the misuse of Garry's bits and the breach of trust of the SIPB be dismembered if they are a member, and asked to leave the SIPB regardless of member status. If the person does come forward, the EC will make every effort to understand the situation and consider consequences appropriate to the situation.

3) Solicitation of information: The EC will solicit information from people. People should send mail or talk to a member of the EC about any information they have (even things as simple as "I was around in the office that evening, but didn't notice anything.") People may want to avoid sending mail to sipb-ec, if they don't want lots of non-EC people to get it.

4) Cooperation with Ops: The SIPB will cooperate with Ops in dealing with this issue.

Motion passes 8-0-0 with 1 absent.

The meeting was adjourned at 22:25.

Minutes taken and submitted by yandros.