Incidents of Threats Against Staff from DNS Query Visibility at PyCon APAC 2023
Incidents of Threats Against Staff from DNS Query Visibility at PyCon APAC 2023
pyconjapan Regarding your remarks on NOC content at PyCon APAC 2023: PyCon JP Association This is Takanori Suzuki, President of the PyCon JP Association. NOC (Network Operations Center) at PyCon APAC 2023 hosted by our corporation....
As one of the adults who failed to stop the youth at PyConAPAC, I apologize.
https://pbs.twimg.com/media/F9nx9wHawAANbIx?format=png&name=900x900#.png
https://pbs.twimg.com/media/F9p7ZEzaUAAbhzl?format=png&name=small#.png https://pbs.twimg.com/media/F9p7ZPVaUAA2Pio?format=png&name=900x900#.png
pana_pana_kuma It is a mistake to put the blame on me and say that one company did nothing. They have taken care of me and more.
The root of this tweet is.
"I'm tired of it."
That's it.
ymotongpoo I wonder if there is a summary of "why you think it's a problem" somewhere about the PyCon APAC DNS query word cloud. In my TL, I only see opinions like "it's a problem because it seems like a problem". ymotongpoo To refine the question already, I would like to know "Does this really violate the secrecy of communication? If so, I would like to know what part of the dashboard disclosure is in violation and in what way. ymotongpoo I know some people seem to have misunderstood the PyCon DNS query, but I would like to understand what is an ethical issue and what is a legal issue, respectively. I am trying to understand what is an ethical issue and what is a legal issue, and I want to learn so that I can apply it when another similar issue arises. I'm not trying to be supportive or against it. I have received both tangible and intangible comments from various people, including PyCon JP staff, that my raising the issue was an act of vandalism against the technical community. In addition, I am rescinding the issue because it has become too much for one individual to handle, including those who said they would no longer be staff members, references to my past labor disputes unrelated to this issue, and slander in replies, DMs, etc. I am sorry for the trouble I have caused. I am very sorry to all those who were inconvenienced. (All related tweets, including this one, will be deleted in due course.)
mipsparc First: Post by PyCon APAC 2023 attendee 2-3 pieces: Posts by PyCon APAC 2023 Steering Core Members
I was particularly troubled by the fact that this core member keeps digging up tweets from my past that have nothing to do with this case.
https://pbs.twimg.com/media/F9vOEtgaEAAyXF6?format=jpg&name=medium#.png https://pbs.twimg.com/media/F9vOI85bMAACTtS?format=jpg&name=small#.png https://pbs.twimg.com/media/F9vOLySaYAAkCH7?format=jpg&name=900x900#.png
EzoeRyou PyCon, isn't the whole community over now? kazuho Is there any evidence that PyCon, or the PyCon community in general, has moved toward tone policing rather than taking criticism? I'm guessing there isn't. >EzoeRyou: PyCon, is the whole community finished now? twitter.com/mipsparc/statu...
jacopen Here's the abandoned account that is making threats to PyCon It's not on the front page because it's search-banned.
I've filed a report against X, but we'll see what happens.
As a technical community management, I can only feel threatened by people like this, so please report them to the appropriate authorities.
https://pbs.twimg.com/media/F9rRYuoboAAaMG5?format=png&name=large#.png https://pbs.twimg.com/media/F9rSN6jbIAAm7B6?format=png&name=900x900#.png
jacopen I'm not a party to this, so the only thing I can do is report it to X, but it's terrible that these accounts are out there, so I'll do what I can. jacopen I discuss the same thing at events I'm involved in. Immediate response is important for this kind of thing, but the local management is not easily aware of the flames. They are too occupied with the local partition.
I think it's important to have an escalation flow in case of emergency and a decision-making process.
>ymrl: I keep thinking about how difficult it would be to make a decision when someone points out that some kind of presentation is legally out of bounds when you are on the technical event management side. I'm sure that the evaluation will change depending on what can be done during the event period, which can be a few hours or a few days at the most.
hikalium Please help everyone understand that when there is a problem, it is the system that should be improved, not the individuals involved. I hope everyone understands that when there is a problem, the system should be improved and not the individuals involved should be blamed. integrated1453 I've noticed a lot of people who don't understand that the basic premise is that running a community or event is mostly a volunteer, self-help effort. It bothered me that there are many people who are not affected by the event, but are beating up on it as much as they want from the outside. If people start threatening to "take responsibility" or "apologize" when it's not their job, I don't think I'd want to run things either.
integrated1453 I'm not saying that we don't have responsibility when we announce the event, rent the place, gather sponsors, and attract customers, but I would like to thank the people who volunteer to support us. I would like to express my gratitude and cooperation to the people who volunteer to support us. Despite failures, I continue to support the free and tolerant community atmosphere that I believe will lead to the growth of engineers and the competitiveness of the industry.
shibu_jp explicitly written about privacy issues, what constitutes personal information, and where to draw the line on issues for each event. There is no content, not everyone knows the relevant issues, and it is important to teach each other to deepen understanding. attitude is harmful to the industry. nishio "Will the digital democracy of the future be the participatory utopia it promises to be? Or will it remain forever a place filled with boring images and smear campaigns? No one knows the answer to that question yet." --- digital-democracy PomericanCoffee at the PyCon site "for research and display purposes only. It said. (I didn't see any disclaimer at the venue? (I didn't see any disclaimers at the venue...)
(I just wanted to take down the SSID/PW, so it only shows part of the picture)
https://pbs.twimg.com/media/F9uPGhSbwAAWIe8?format=jpg&name=900x900#.png
PomericanCoffee "What kind of disclaimers (precautions) were written at PyCon? "Did it really say that?
I just wanted to get the facts right, if I could.
The student who did it should be careful next time, and that's the end of it,
The management is an idiot, and that's okay,
I think the biggest problem is that I could observe many people saying "DNS queries are public information, so they don't fall under the category of confidentiality of communication and can be exposed to the Internet without permission.
dat27103 I think it's terrible when people say things like "it's not immediately harmful, so tolerate it" or "don't post it on social media because it will cause trouble" in response to suspected violations of "confidentiality of communications" rather than what PyCon has done. I think it's terrible that there are people who say, "It's not immediately harmful, so tolerate it" or "Don't post it on social networking sites because it'll cause trouble. https://pbs.twimg.com/media/F9kaqonbkAASZl_?format=png&name=small#.png https://pbs.twimg.com/media/F9kbIOpasAAjiba?format=png&name=small#.png
dat27103 If the intention is to minimize the extent of damage, it is completely counterproductive, so you shouldn't say things like "It's not immediately harmful, so tolerate it" or "Don't post it on social networking sites because it will cause a lot of trouble. If the intention is to minimize the scope of damage, it is completely counterproductive, so you should stop saying things like that. -Some young guy built a system to display DNS queries for the venue Wi-Fi because it looked interesting and made it available onsite and on the internet.
-BlackHat's honeypot Wi-Fi without the participants' permission? and accusations of social networking bitterness
-Don't post it on a social networking site and complain to management first.
-I told the management.
-Waters of trust
↓
otsune And this is the part that looks like this from a third party's perspective - Lie and say equipment failure and stop for now
-The event management apologized to the participants, saying that they were indeed right that it was unethical.
-I'm not sure if it's legal, but it looks like a gray area that's closer to black.
-Does the management see the accuser as an airhead and a nuisance?
piro_or I saw an exchange at PyCon about the accusations of ethically problematic matters for engineers, "You should have told the management privately in advance instead of making a first-hand announcement, I saw the exchange of "first-hand announcement is very damaging to the community" and "no, we told them in advance and they didn't listen, so we announced it". I feel that there seems to be no solution that everyone can agree on when we balance things like public interest, our own self-preservation, and the protection of those involved.
It is true that the initial report looked like a "first-hand accusation" from an outsider's point of view, and I can understand why you would want to say that you don't want thoughtless people who see such cases to imitate them because they will create a trend of "well, a first-hand accusation is fine".
I feel that it would be less likely to do so if you added a few words "I told the management in advance, but they ignored me, so I'm going public". I think it would be an excusable thing to say that the initial public announcement is not recommended, although thoughtless people would still short-circuit and imitate the situation.
But it is also self-preservation for the accuser. I don't know the specific background of this case, but as a general rule when something similar happens, if the accusation originated from a leak from inside the management, it may be a betrayal to the well-meaning leaker to add a word "I told the management when I heard about it beforehand. It may be a betrayal to the well-meaning leaker.
Perhaps it was necessary to base accusations only on information already in the public domain in order to prevent the "traitor hunt" of "who leaked inside information?
If the problem had been resolved internally, it would not have occurred and would not have come to light. Once the problem occurred, someone had to take the blame, and the person who has to take the blame the most is the adult on the management side who is "in charge.
I understand the sentiment of the discourse that seeks to diminish that responsibility, but there is a sense of "this is not the time to talk about it".
piro_or If the accuser had told the management after the incident occurred and received a response, both the accuser and the management would have been happy, but the interests of the "event participants" would have continued to be damaged. However, the interests of the "event participants" may have continued to be damaged, and it is possible that the public disclosure of the incident would have been necessary if the interests of the participants were considered important. In fact, the display in question seems to have been stopped immediately after the incident was made public.
piro_or I'm a small-towner whose own self-preservation is important to me, so if I encounter such a situation, I'll either (if I have one) ask the person who leaked it to me from the inside for permission before saying "Inside I would either write "I got some inside information" after getting the approval of the person who leaked it from the inside (placing the responsibility on the leaker), or I would keep quiet until I am safe (placing the damage on the participant), even if the participant's interests are being harmed. piro_or That being said, I feel that if I pasted a scrubbed image of the accusation as it is, I might be accused of something myself this time. If I were you, I would put a mosaic or something like that on the information that might be dangerous (even if the person who saw it could see the information by accessing the site by himself/herself) before publishing it. piro_or I'm talking about the same context as if you analyze a vulnerability in good faith (unless you were asked to do it), you're still guilty of unauthorized access, or something like that. piro_or There are many interpretations of the fact that the communication is not secret because it is not encrypted, certain individuals on the management side have been slandered and have announced their resignation, people who have made accusations have been slandered and have retracted their accusations, and even though we are talking about incidents of technical events, everyone is technically inappropriate. The person who made the accusation has been slandered and has retracted the accusation with a grudge, and even though we are talking about an incident of a technical event, everyone is technically inappropriate. nahadank But when you have people who can't even pay attention to both the organization and the management, that in itself is .... I'm not sure if that's a good thing. In many ways, it's a series of eh .... In many ways, it's a series of "". Organizations are made up of a combination of ill-considered people, aren't they? (I know many of the organizations I've been in have been made up of such people, but...)
piro_or I believe that the effort to create a system is how to achieve stable results with a group of "thoughtless and imperfect people" and how to make them behave robustly. I believe that this is the point of the system, and it is the point of ingenuity. otsune If it were a broad general discussion rather than an individual discussion of PyCon, I would say that "please point out to the management that they need to stop making a biased fuss on social networking sites" is still a reasonable opinion. From the perspective of the individual theory, it appears that there is no other way to deal with the situation than to "explain the situation by providing information on a larger scale than the accuser" because it appears to be merely an evasion or an attempt to shut down the accusation with the aim of a delegitimization effect.
>kaoriya: it looks like a sophomoric justification of the means.
I believe there was a better way to drop the matter, and I think the most important contribution is to identify the factors that prevented that from happening. If there is no better place to drop the matter, then there is no room for a community in the broad sense of the word. twitter.com/flurry/status/...
otsune Personally, I don't want to take the accuser's post as it is, and I can sort of read the intention on the part of the management to quietly admit the mistake and apologize somehow. I don't want to take the accuser's post at face value. I thought that the frequency of transmission was overwhelmingly too infrequent, and from a third party's point of view, it looked like they were running away from the situation.
Lychee_jam I thought the person muttering about the PyCon wifi thing had a sense of deja vu in his thumbnail, but he said he was fired after reporting it internally in the PR TIMES. I'm not sure if it's the same person or not. I wonder what happened to him after he tweeted it out.
Lychee_jam I googled it and found it still archived. https://pbs.twimg.com/card_img/1718573794682695680/Oyq9Zvru?format=png&name=medium#.png
mipsparc Since it was settled by mutual agreement, I can't have any say in it! nanashi51201738 I would interpret that not only the content of the communication but also the secrecy of its existence should be ensured. In other words, if you publish even just the address like DNS, you are out. There is no problem for a post office person to see the address of a letter within the scope of legitimate business conduct (illegality is prevented).
So, is it a legitimate business practice to publish DNS queries to the whole world?
I should say that it is out of the question when you violate a secret rather than when you disclose it.
lyuka_jp I don't think that a resolved name is a "communications secret" (even for the ITU), and the fact that a communication channel has been created is not the same as privacy. I don't think it's the same thing as privacy. hanai_y If you make it visible, they will beat you, so you will hide and gather information... w osabori_jp In terms of the Sotsu guidelines, "existence or non-existence of a communication" is a secret of communication: ...... Even if a public wireless LAN is a service that does not require notification, is it not subject to the protection of the secrecy of communications since it is a communication being handled by a telecommunications carrier?
(I was told that I did not need to notify Sotsu, whom I consulted when I installed Wi-Fi in my lodgings, but that I should keep my communications confidential)
https://pbs.twimg.com/media/F9r-mLMbkAAil3N?format=jpg&name=medium#.png
---