from Diary 2023-10-31 Incidents of Threats Against Staff from DNS Query Visibility at PyCon APAC 2023
pyconjapan Regarding your remarks on NOC content at PyCon APAC 2023: PyCon JP Association This is Takanori Suzuki, President of the PyCon JP Association.
NOC (Network Operations Center) at PyCon APAC 2023 hosted by our corporation… [PyCon JP Blog: Your remarks on NOC content at PyCon APAC 2023 https://pyconjp.blogspot.com/2023/10/pyconapac2023-noc-content.html?utm_source=dlvr.it&utm_medium=twitter]
pana_pana_kuma DNS Query Publication
As one of the adults who failed to stop the youth at PyConAPAC, I apologize.
pana_pana_kuma I didn’t word it right, so I will add it.
pana_pana_kuma It is a mistake to put the blame on me and say that one company did nothing. They have taken care of me and more.
The root of this tweet is. “I’m tired of it.” That’s it.
ymotongpoo I wonder if there is a summary of “why you think it’s a problem” somewhere about the PyCon APAC DNS query word cloud. In my TL, I only see opinions like “it’s a problem because it seems like a problem”.
ymotongpoo To refine the question already, I would like to know “Does this really violate the secrecy of communication? If so, I would like to know what part of the dashboard disclosure is in violation and in what way.
ymotongpoo I know some people seem to have misunderstood the PyCon DNS query, but I would like to understand what is an ethical issue and what is a legal issue, respectively. I am trying to understand what is an ethical issue and what is a legal issue, and I want to learn so that I can apply it when another similar issue arises. I’m not trying to be supportive or against it.
mipsparc Regarding an issue I raised at PyCon APAC 2023 regarding a publicized DNS inquiry by a free WiFi user. Apology
I have received both tangible and intangible comments from various people, including PyCon JP staff, that my raising the issue was an act of vandalism against the technical community. In addition, I am rescinding the issue because it has become too much for one individual to handle, including those who said they would no longer be staff members, references to my past labor disputes unrelated to this issue, and slander in replies, DMs, etc. I am sorry for the trouble I have caused. I am very sorry to all those who were inconvenienced. (All related tweets, including this one, will be deleted in due course.)
mipsparc First: Post by PyCon APAC 2023 attendee 2-3 pieces: Posts by PyCon APAC 2023 Steering Core Members I was particularly troubled by the fact that this core member keeps digging up tweets from my past that have nothing to do with this case.
-
EzoeRyou PyCon, isn’t the whole community over now?
-
kazuho Is there any evidence that PyCon, or the PyCon community in general, has moved toward tone policing rather than taking criticism? I’m guessing there isn’t.
-
EzoeRyou: PyCon, is the whole community finished now? twitter.com/mipsparc/statu…
-
You’re so easy to say, you’re destroying the community! and the whole community is finished! I think it’s also an attitude of creating virtual enemies and refusing to have a dialogue.
-
jacopen Here’s the abandoned account that is making threats to PyCon
https://twitter.com/junpou_law
It’s not on the front page because it’s search-banned. I’ve filed a report against X, but we’ll see what happens.
As a technical community management, I can only feel threatened by people like this, so please report them to the appropriate authorities.
jacopen I’m not a party to this, so the only thing I can do is report it to X, but it’s terrible that these accounts are out there, so I’ll do what I can.
jacopen I discuss the same thing at events I’m involved in. Immediate response is important for this kind of thing, but the local management is not easily aware of the flames. They are too occupied with the local partition. I think it’s important to have an escalation flow in case of emergency and a decision-making process.
ymrl: I keep thinking about how difficult it would be to make a decision when someone points out that some kind of presentation is legally out of bounds when you are on the technical event management side. I’m sure that the evaluation will change depending on what can be done during the event period, which can be a few hours or a few days at the most.
hikalium Please help everyone understand that when there is a problem, it is the system that should be improved, not the individuals involved. I hope everyone understands that when there is a problem, the system should be improved and not the individuals involved should be blamed.
integrated1453 I’ve noticed a lot of people who don’t understand that the basic premise is that running a community or event is mostly a volunteer, self-help effort. It bothered me that there are many people who are not affected by the event, but are beating up on it as much as they want from the outside.
If people start threatening to “take responsibility” or “apologize” when it’s not their job, I don’t think I’d want to run things either.
integrated1453 I’m not saying that we don’t have responsibility when we announce the event, rent the place, gather sponsors, and attract customers, but I would like to thank the people who volunteer to support us. I would like to express my gratitude and cooperation to the people who volunteer to support us.
Despite failures, I continue to support the free and tolerant community atmosphere that I believe will lead to the growth of engineers and the competitiveness of the industry.
shibu_jp explicitly written about privacy issues, what constitutes personal information, and where to draw the line on issues for each event. There is no content, not everyone knows the relevant issues, and it is important to teach each other to deepen understanding. attitude is harmful to the industry.
nishio “Will the digital democracy of the future be the participatory utopia it promises to be? Or will it remain forever a place filled with boring images and smear campaigns? No one knows the answer to that question yet.” --- digital-democracy - digital democracy
PomericanCoffee at the PyCon site “for research and display purposes only. It said. (I didn’t see any disclaimer at the venue? (I didn’t see any disclaimers at the venue…) (I just wanted to take down the SSID/PW, so it only shows part of the picture)
PomericanCoffee “What kind of disclaimers (precautions) were written at PyCon? “Did it really say that? I just wanted to get the facts right, if I could.
Fushihara PyCon, The student who did it should be careful next time, and that’s the end of it, The management is an idiot, and that’s okay, I think the biggest problem is that I could observe many people saying “DNS queries are public information, so they don’t fall under the category of confidentiality of communication and can be exposed to the Internet without permission.
dat27103 I think it’s terrible when people say things like “it’s not immediately harmful, so tolerate it” or “don’t post it on social media because it will cause trouble” in response to suspected violations of “confidentiality of communications” rather than what PyCon has done. I think it’s terrible that there are people who say, “It’s not immediately harmful, so tolerate it” or “Don’t post it on social networking sites because it’ll cause trouble.
dat27103 If the intention is to minimize the extent of damage, it is completely counterproductive, so you shouldn’t say things like “It’s not immediately harmful, so tolerate it” or “Don’t post it on social networking sites because it will cause a lot of trouble. If the intention is to minimize the scope of damage, it is completely counterproductive, so you should stop saying things like that.
otsune PyCon. Third-party.
- Some young guy built a system to display DNS queries for the venue Wi-Fi because it looked interesting and made it available onsite and on the internet.
- BlackHat’s honeypot Wi-Fi without the participants’ permission? and accusations of social networking bitterness
- Don’t post it on a social networking site and complain to management first.
- I told the management.
- Waters of trust
otsune And this is the part that looks like this from a third party’s perspective
- Lie and say equipment failure and stop for now
- The event management apologized to the participants, saying that they were indeed right that it was unethical.
- I’m not sure if it’s legal, but it looks like a gray area that’s closer to black.
- Does the management see the accuser as an airhead and a nuisance?
piro_or I saw an exchange at PyCon about the accusations of ethically problematic matters for engineers, “You should have told the management privately in advance instead of making a first-hand announcement, I saw the exchange of “first-hand announcement is very damaging to the community” and “no, we told them in advance and they didn’t listen, so we announced it”. I feel that there seems to be no solution that everyone can agree on when we balance things like public interest, our own self-preservation, and the protection of those involved.
It is true that the initial report looked like a “first-hand accusation” from an outsider’s point of view, and I can understand why you would want to say that you don’t want thoughtless people who see such cases to imitate them because they will create a trend of “well, a first-hand accusation is fine”. I feel that it would be less likely to do so if you added a few words “I told the management in advance, but they ignored me, so I’m going public”. I think it would be an excusable thing to say that the initial public announcement is not recommended, although thoughtless people would still short-circuit and imitate the situation.
But it is also self-preservation for the accuser. I don’t know the specific background of this case, but as a general rule when something similar happens, if the accusation originated from a leak from inside the management, it may be a betrayal to the well-meaning leaker to add a word “I told the management when I heard about it beforehand. It may be a betrayal to the well-meaning leaker. Perhaps it was necessary to base accusations only on information already in the public domain in order to prevent the “traitor hunt” of “who leaked inside information?
If the problem had been resolved internally, it would not have occurred and would not have come to light. Once the problem occurred, someone had to take the blame, and the person who has to take the blame the most is the adult on the management side who is “in charge. I understand the sentiment of the discourse that seeks to diminish that responsibility, but there is a sense of “this is not the time to talk about it”.
piro_or If the accuser had told the management after the incident occurred and received a response, both the accuser and the management would have been happy, but the interests of the “event participants” would have continued to be damaged. However, the interests of the “event participants” may have continued to be damaged, and it is possible that the public disclosure of the incident would have been necessary if the interests of the participants were considered important. In fact, the display in question seems to have been stopped immediately after the incident was made public.
piro_or I’m a small-towner whose own self-preservation is important to me, so if I encounter such a situation, I’ll either (if I have one) ask the person who leaked it to me from the inside for permission before saying “Inside I would either write “I got some inside information” after getting the approval of the person who leaked it from the inside (placing the responsibility on the leaker), or I would keep quiet until I am safe (placing the damage on the participant), even if the participant’s interests are being harmed.
piro_or That being said, I feel that if I pasted a scrubbed image of the accusation as it is, I might be accused of something myself this time. If I were you, I would put a mosaic or something like that on the information that might be dangerous (even if the person who saw it could see the information by accessing the site by himself/herself) before publishing it.
piro_or I’m talking about the same context as if you analyze a vulnerability in good faith (unless you were asked to do it), you’re still guilty of unauthorized access, or something like that.
piro_or There are many interpretations of the fact that the communication is not secret because it is not encrypted, certain individuals on the management side have been slandered and have announced their resignation, people who have made accusations have been slandered and have retracted their accusations, and even though we are talking about incidents of technical events, everyone is technically inappropriate. The person who made the accusation has been slandered and has retracted the accusation with a grudge, and even though we are talking about an incident of a technical event, everyone is technically inappropriate.
nahadank But when you have people who can’t even pay attention to both the organization and the management, that in itself is … I’m not sure if that’s a good thing. In many ways, it’s a series of eh … In many ways, it’s a series of "". Organizations are made up of a combination of ill-considered people, aren’t they? (I know many of the organizations I’ve been in have been made up of such people, but…)
piro_or I believe that the effort to create a system is how to achieve stable results with a group of “thoughtless and imperfect people” and how to make them behave robustly. I believe that this is the point of the system, and it is the point of ingenuity.
otsune If it were a broad general discussion rather than an individual discussion of PyCon, I would say that “please point out to the management that they need to stop making a biased fuss on social networking sites” is still a reasonable opinion. From the perspective of the individual theory, it appears that there is no other way to deal with the situation than to “explain the situation by providing information on a larger scale than the accuser” because it appears to be merely an evasion or an attempt to shut down the accusation with the aim of a delegitimization effect.
kaoriya: it looks like a sophomoric justification of the means.
I believe there was a better way to drop the matter, and I think the most important contribution is to identify the factors that prevented that from happening. If there is no better place to drop the matter, then there is no room for a community in the broad sense of the word. twitter.com/flurry/status/…
otsune Personally, I don’t want to take the accuser’s post as it is, and I can sort of read the intention on the part of the management to quietly admit the mistake and apologize somehow. I don’t want to take the accuser’s post at face value. I thought that the frequency of transmission was overwhelmingly too infrequent, and from a third party’s point of view, it looked like they were running away from the situation.
Lychee_jam I thought the person muttering about the PyCon wifi thing had a sense of deja vu in his thumbnail, but he said he was fired after reporting it internally in the PR TIMES. I’m not sure if it’s the same person or not. I wonder what happened to him after he tweeted it out.
Lychee_jam I googled it and found it still archived.
mipsparc Since it was settled by mutual agreement, I can’t have any say in it!
nanashi51201738 I would interpret that not only the content of the communication but also the secrecy of its existence should be ensured. In other words, if you publish even just the address like DNS, you are out. There is no problem for a post office person to see the address of a letter within the scope of legitimate business conduct (illegality is prevented).
So, is it a legitimate business practice to publish DNS queries to the whole world? I should say that it is out of the question when you violate a secret rather than when you disclose it.
lyuka_jp I don’t think that a resolved name is a “communications secret” (even for the ITU), and the fact that a communication channel has been created is not the same as privacy. I don’t think it’s the same thing as privacy. I guess it’s not important from the level of the information warfare world, where people shake hands with their right hand and hit each other with their left. https://twitter.com/mipsparc/status/1717839214770016559…
hanai_y If you make it visible, they will beat you, so you will hide and gather information… w
osabori_jp In terms of the Sotsu guidelines, “existence or non-existence of a communication” is a secret of communication: …
Even if a public wireless LAN is a service that does not require notification, is it not subject to the protection of the secrecy of communications since it is a communication being handled by a telecommunications carrier? (I was told that I did not need to notify Sotsu, whom I consulted when I installed Wi-Fi in my lodgings, but that I should keep my communications confidential)
This page is auto-translated from [/nishio/PyCon APAC 2023におけるDNSクエリ可視化からスタッフに対する脅迫が発生した事件](https://scrapbox.io/nishio/PyCon APAC 2023におけるDNSクエリ可視化からスタッフに対する脅迫が発生した事件) using DeepL. If something looks interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I’m very happy to spread my thoughts to non-Japanese readers.