
Re: Question about non-board-member posts to the list



Nice to see traffic on the list again. ;-)

I agree with Pascal. This was an on-topic post and was additionally helpful in discovering an item that can be improved in the MITRE process going forward.

Kent Landfield
Director, Standards and Technology Policy
Intel Corporation
+1.817.637.8026 | kent.b.landfield@intel.com

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of pmeunier <pmeunier@cerias.purdue.edu>
Date: Friday, September 4, 2015 at 10:56 AM
To: "Christey, Steven M." <coley@mitre.org>, "Boyle, Stephen V." <sboyle@mitre.org>, jericho <jericho@attrition.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: Question about non-board-member posts to the list

Tom's message was on topic and helpful.  If needed I would have repeated the suggestion to the list
or endorsed it, so in that sense it is not dissonant either with board members' viewpoints.  I
believe it's fine to leave it.  What matters is to make the process or mechanisms more robust for
the future.  Essentially, a weakness was discovered in MITRE's internal processes and that should be
improved.  IMO the benign incident that led to this discovery does not merit correction.

Pascal

On 09/04/2015 11:27 AM, Christey, Steven M. wrote:
All,

Here is the technical sequence of events for how Tom Millar's message was archived.  I'd be very interested in knowing whether Board members believe the message should be removed from the archives.

1. As Steve Boyle already said, and just to re-emphasize, Tom has read-only access to the list.

2. Only Board members and certain MITRE personnel have the privileges to post to the list.

3. As already observed by Steve, Tom's message was directed toward both cve-id-change and the Board list.

4. Tom's message almost certainly was *not* delivered to the Board list due to his read-only privileges, which probably resulted in a bounce.  (If any Board member *did* receive such a message, please let us know.)

5. The message was (appropriately) delivered to cve-id-change because, as Steve already explained, we created it in order to receive input from everybody.

6. The account that is used to maintain the online Board archive is subscribed to both cve-editorial-board-list and cve-id-change.

7. Because cve-editorial-board-list was listed as a recipient, a program stored Tom's message in a Board-specific mail folder that is dedicated to public archival.

8. Typically, a manual verification step is performed to "clean up" stray messages that were actually rejected.  The manual review step did not happen in this case.

9. As a result, Tom's message was publicly archived.

For a previous example of the type of human error described in item 8, see https://cve.mitre.org/data/board/archives/2013-04/msg00003.html

- Steve



-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org On Behalf Of Boyle, Stephen V.
Sent: Wednesday, September 02, 2015 4:45 PM
To: jericho <jericho@attrition.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Cc: Boyle, Stephen V. <sboyle@mitre.org>
Subject: RE: Question about non-board-member posts to the list

Hi Brian,

> Would Steve or MITRE please make it clear what happened here?

Sure, I'd be happy to. (I figured I'm "a" Steve if not "the" Steve, so close enough.)

Tom Millar is subscribed to the Editorial Board List as are other people who are
not members of the Board. As you know, Tom, since he is part of the sponsoring
organization, is not allowed to be on the Editorial Board. However, it has been
longstanding practice for CVE to offer read-only access to the Editorial Board
list as a courtesy to certain people; in this case, to our sponsor. People who are
not Board members can see what goes by, but they do not have posting
privileges because they are not, well, Board members. That is another reason
why we maintain the separate, private Editorial Board-only email list --
cve-private-eboard-list.

> Given that Mr. Millar replied within an hour to that post on a Thursday
> night...

That's not at all unusual for Tom, or lots of us.

> ... when he would not have been included in the general distribution
> list, it is fair to say that he was BCC'd.

Except that Tom was included in the general distribution list, as described above.
Because Tom sees Board list messages that go by, he wouldn't need a BCC or
other out-of-band notification of our request -- he saw it at the same time as
other members of the Editorial Board list. So, Tom is on the list, was on the list,
and was not BCC'd or otherwise given a preview of the email.

> Further, that he was likely warned of the incoming post and encouraged to
> reply to it.

Except that Tom wasn't warned and he wasn't encouraged to reply. He read the
post, presumably on the Board list, and responded to cve-id-change (as we
requested) with his offer of help to publicize the change. More on this below.

> Given Steve's mail specifically asked
> repliers to "contact cve-id-change@mitre.org if you wish to participate",
> which is odd for an Editorial Board posting...

In the normal case, it would be odd to ask the Board to reply to another list.
However, in the case of the exceptional, singular event that was the change to
the CVE ID syntax, we asked people to respond to cve-id-change because we
were asking for lots of participation from others, not just the Board, and using
the cve-id-change list kept it all together. In addition, cve-id-change was an
open list so anyone could post, making it even more handy for replies from
non-Board members. The attendant Board message was a cut-and-paste of what we
were sending out. We simply previewed it to the Board members, thereby asking
them to reply to the same email address as everybody else.

> it is doubly odd that a random non-board member would be involved.

I hope I've sufficiently explained how that came about (above).

I understand your concerns, and I appreciate the fact that you raised them here,
where they could be addressed. I invite and encourage you to continue to ask
questions and look for answers, especially when things seem odd or otherwise
squirrelly.

I'll close by saying that I can't tell you anything more than what I know and what
I remember, but I can personally assure you that MITRE has not and does not
circumvent the Board, in any way, with any person or organization.

Best Regards,
Steve Boyle
CVE Project Leader

-----Original Message-----
Sent: Wednesday, September 02, 2015 1:35 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Question about non-board-member posts to the list
Importance: High


To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Request to include Board members in a press release about CVE
ID syntax change
From: "Christey, Steven M." <coley@mitre.org>
Date: Thu, 4 Sep 2014 19:12:43 +0000

Steve posted to the editorial board list, for members of the editorial
board and MITRE, asking about a press release.

There was a single reply to this post:


Subject: Re: Request to include Board members in a press release about
CVE ID syntax change
From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Date: Thu, 4 Sep 2014 20:18:36 +0000

Thomas Millar, from DHS, is not on the CVE editorial board per the
membership list (by name or org):


Given that Mr. Millar replied within an hour to that post on a Thursday
night, when he would not have been included in the general distribution
list, it is fair to say that he was BCC'd. Further, that he was likely
warned of the incoming post and encouraged to reply to it.

Would Steve or MITRE please make it clear what happened here? Why was Mr.
Millar brought into this mail before hand, BCC'd on a mail to the list,
and likely encouraged to reply? Given Steve's mail specifically asked
repliers to "contact cve-id-change@mitre.org if you wish to participate",
which is odd for an Editorial Board posting, it is doubly odd that a
random non-board member would be involved.

Thanks,

.b
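
The archival weakness Steve Christey lays out in items 6 to 8 above (the archiver keys its decision on the To/Cc headers, which the sender writes, and a manual clean-up pass is the only thing standing between a bounced message and the public archive) can be shown in code. The following is an added example, not MITRE's archiver and not anything from the thread; it constructs two sample messages and compares a weak policy ("the list address appears among the recipients") with a stricter one that keys on facts the sender does not control. It assumes that the list server stamps a List-Id header on mail it actually delivers and that the archiver knows the roster of authorised posters; both are assumptions for the example, not statements about lists.mitre.org.

```python
"""Added example: two archival policies for a list with read-only subscribers.

Hypothetical code, not MITRE's archiver. Assumptions (not stated on the page):
  * the archive account receives copies of mail for several lists;
  * the list server stamps a List-Id header only on mail it actually delivers;
  * the roster of authorised posters is available to the archiver.
Sample messages below are constructed for the example.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

BOARD_LIST = "cve-editorial-board-list@lists.mitre.org"
BOARD_LIST_ID = "cve-editorial-board-list.lists.mitre.org"  # assumed List-Id value

# Hypothetical authorised-poster roster (Board members and list owners).
AUTHORISED_POSTERS = frozenset({
    "coley@mitre.org",
    "sboyle@mitre.org",
    "jericho@attrition.org",
    "pmeunier@cerias.purdue.edu",
})


def _recipients(msg: Message) -> set:
    """All To/Cc addresses, lower-cased. These headers are sender-controlled."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def _sender(msg: Message) -> str:
    pairs = getaddresses(msg.get_all("From", []))
    return pairs[0][1].lower() if pairs else ""


def should_archive_weak(msg: Message) -> bool:
    """Weak policy: archive whenever the Board list is named as a recipient.

    A non-poster's message that the list server bounced still names the list
    in To/Cc, so it is filed as Board traffic unless a human removes it later.
    """
    return BOARD_LIST in _recipients(msg)


def should_archive_strict(msg: Message, posters=AUTHORISED_POSTERS) -> bool:
    """Strict policy: require evidence of delivery and an authorised sender.

    1. The copy must carry the list server's List-Id stamp for the Board list,
       i.e. it came through that list rather than merely being addressed to it.
    2. The From address must be on the authorised-poster roster.
    """
    delivered_via_board = f"<{BOARD_LIST_ID}>" in (msg.get("List-Id") or "")
    return delivered_via_board and _sender(msg) in posters


# Constructed sample: a read-only subscriber writes to both lists. The Board
# list bounces it, so the only copy the archive account sees is the one the
# open cve-id-change list delivered; it still names the Board list in To.
STRAY = message_from_string("""\
From: reader@example.org
To: cve-id-change@mitre.org, cve-editorial-board-list@lists.mitre.org
Subject: Re: Request to include Board members in a press release
List-Id: <cve-id-change.mitre.org>

Happy to help publicize the change.
""")

# Constructed sample: a post from an authorised poster, delivered by the Board list.
LEGIT = message_from_string("""\
From: coley@mitre.org
To: cve-editorial-board-list@lists.mitre.org
Subject: Request to include Board members in a press release
List-Id: <cve-editorial-board-list.lists.mitre.org>

Please contact cve-id-change@mitre.org if you wish to participate.
""")


def triage(messages):
    """Map each subject to (weak decision, strict decision) for comparison."""
    return {m["Subject"]: (should_archive_weak(m), should_archive_strict(m))
            for m in messages}


if __name__ == "__main__":
    for subject, (weak, strict) in triage([STRAY, LEGIT]).items():
        print(f"{subject[:48]:48} weak={weak!s:5} strict={strict!s:5}")
```

The weak policy files the stray copy (it is the bounced-but-archived case from item 9), while the strict policy declines it and still accepts the legitimate post. The general point is the same one the thread reaches about process: an authorisation decision should rest on the list server's own record of what it delivered, not on recipient headers the sender supplies.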



Page Last Updated or Reviewed: September 14, 2015