Grex > Coop12 > #123: Proposal to modify selection of corporate officers

jp2
response 27 of 118:
Aug 28 14:23 UTC 2002
This response has been erased.

bhelliom
response 28 of 118:
Aug 28 15:53 UTC 2002
How is this data stored, and how far back does it go? Is it destroyed
after a specific period of time?

other
response 29 of 118:
Aug 28 18:16 UTC 2002
RE the cc# storage: My reference to that is based on vague recollections
of past conversations about splitting up the job of the treasurer. As I
said earlier, you would have to consult aruba for specifics and current
data. In either case, the data are stored offline only, which greatly
minimizes the security concern.
Marcus makes some valid points, but has apparently not read (or else not
remembered) the full context of the discussion and assumes intent behind
the discussion which is in this case not applicable. It is not a tactic,
but merely an error.
All this aside, the anonymity requested by certain donors alone justifies
the consolidation of tasks in the one position.

cross
response 30 of 118:
Aug 28 21:55 UTC 2002
Regarding #29; I don't really want to enter into this specific debate,
but Marcus appears to make that error a lot. After a while, it stops
looking like an error, and more like a tactic.
I'm off to hum now.

carson
response 31 of 118:
Aug 28 23:08 UTC 2002
(it's hard to follow Jamie when he insists on leaping from one position
to another. that's not to say that any of those positions are necessarily
incorrect; that's an exercise best left to the individual. however, I
would encourage Jamie, once he's exhausted his imagination, to re-present
his favorite one at length for the rest of the class. I suspect he'd then
find more support than some might expect.)

jp2
response 32 of 118:
Aug 28 23:15 UTC 2002
This response has been erased.

mdw
response 33 of 118:
Aug 29 05:21 UTC 2002
"My opponent"? My, my. I'm not the one claiming that grex has tons of
well aged credit card information and yet I'm being accused of making up
facts to suit my fancy.

bhelliom
response 34 of 118:
Aug 29 13:18 UTC 2002
Why don't all try to get along, children? This is neither court nor an
interrogation room, and we are not trying to find anyone guilty. I do
not appreciate the air of suspicion that is being created in this
item. It completely detracts from the discussion and makes everyone
less inclined to listen and discuss this situation like adults. For the
sake of clarity, can we keep this on task as much as possible? There
are issues under discussion here that have absolutely nothing to do
with the original topic. Please create another item for these side
arguments that do not directly pertain to this issue.

jp2
response 35 of 118:
Aug 29 13:47 UTC 2002
This response has been erased.

bhelliom
response 36 of 118:
Aug 29 19:59 UTC 2002
Oh dear.

polytarp
response 37 of 118:
Aug 30 01:02 UTC 2002
fag.

carson
response 38 of 118:
Aug 30 23:27 UTC 2002
(having re-read this item, I find myself agreeing with the sentiments
expressed in resp:1. further, I'm not compelled to believe that the
change proposed in resp:0 is necessary, nor am I compelled to believe
that such a change would necessarily be beneficial.)
(although it's merely a side issue, I should point out that, while
well-intentioned, other's description of what membership information
is handled by the treasurer doesn't jibe with my recollection.
perhaps aruba [or danr or flem] could clarify what's actually handled
and what's retained?)

polytarp
response 39 of 118:
Aug 31 00:32 UTC 2002
fag.

aruba
response 40 of 118:
Sep 2 23:02 UTC 2002
I have been out of town, so am only now able to respond to this item.
First of all, I don't have a strong opinion about Jamie's idea. It would
be fine with me if the board were allowed to appoint a non-board member as
an officer.
But I do agree with Colleen that it's good for the jobs to change hands
periodically. In the case of treasurer, the problem is finding someone
willing to put in the time to do a good job at it. (Colleen is mistaken,
BTW about how often the job must currently turn over; board members are
allowed up to 2 consecutive 2-year terms, so one person may be treasurer
for 4 consecutive years. Both danr and I have done that. But in the 5th
year, we were forced to turn it over to someone else.)
I found Eric's description of "anonymous members" confusing; we've never
had anyone we called that during my time as treasurer. What he means, I
think, is this: while we publish the logins of our members, we do not
publish their real names if they request that we not do so. This has no
effect on whether they can vote or not, so I'm not sure what Eric was
referring to there.
We also require ID from each member, which is always kept confidential.
That means a bank name/account number from a personal check, or a
photocopy of a driver's license, or something like that. It's stored on
my computer, which is not a server and is not permanently attached to the
net. As far as I know there's no way anyone could steal that information
without physical access to my machine, but I am not a security expert, and
I would welcome a discussion by those who are on how to make sure no one
has a chance to see that info.
During the first part of 2000, while flem was treasurer, we had a system
set up to process credit cards. We received the credit card numbers via a
secure server, and the board agreed that a CC# should count as someone's
ID, just like a driver's license would. This made it a lot easier for
people to become members via credit cards; they didn't need to send us a
separate ID.
So Greg recorded credit card numbers for ID purposes. He saved
approximately 32 credit card numbers. Of those 32 people, one is still a
member and another was until recently (and may be again soon); the rest
are no longer members.
It's always been my standard practice to save ID information even after
someone is no longer a member, because that makes it easier for them to
become a member again. (I.e., they can just send money, and not bother to
re-send ID.) So I still have the credit card numbers that Greg saved.
Now frankly, I've always been a little uncomfortable having those numbers
on my computer, but if they are our only way to identify members, then I
figure it's necessary. I would certainly be willing, though, to delete
them for people who are no longer members, if most people think I should.
Since the fall of 2000, we have only received credit card money via
Paypal, which does not pass CC#s on to us. That's why people who become
members via Paypal have to send separate ID. This is kind of a pain for
them, and I'm sure it probably discourages some people from becoming
members. But I believe there's still a consensus that we need to have ID
from our members.

cross
response 41 of 118:
Sep 2 23:17 UTC 2002
Mark, you should permanently delete any and all credit card and personal
bank account information that's on your personal computer. Perhaps keep
hardcopy of the bank account stuff, but don't keep it online; even if your
computer isn't a `server' and it's only temporarily connected to the
Internet, it's likely that it's vulnerable to some form of attack and it's
likely it's probed for those vulnerabilities during the times it is
connected to the Internet. The credit card stuff should be summarily
deleted and wiped and not backed up, even on hardcopy; grex has no right
to that information after the users in question have ceased being members.

aruba
response 42 of 118:
Sep 2 23:55 UTC 2002
Well, I don't buy that - there was no "time limit" on the information when
it was given to us; I could as easily say that you have no right to
remember my login if I don't want you to write to me any more. But I
can't revoke your right to your memory.
That said, I would certainly respect a request from anyone to delete
his/her personal information from my computer if we no longer needed it
for ID purposes. No one has ever requested that.
Let me say again that we still have one member whose only ID is a credit
card number, so I can't delete that one. But the more I think about it,
there really isn't any reason to save the numbers from people who are long
gone, so I'll go ahead and delete them now. OK, I did it. I deleted all
the numbers except the one who is currently a member and the one who may
be reinstated soon.

jp2
response 43 of 118:
Sep 3 01:16 UTC 2002
This response has been erased.

gull
response 44 of 118:
Sep 3 02:15 UTC 2002
Why do you need the number, if the person's identity has already been
proven? Keeping it around seems like an unnecessary risk.

mdw
response 45 of 118:
Sep 3 02:22 UTC 2002
I see nothing inaccurate regarding memfaq.html#whoseesmyid . The reason
we keep the credit card number has nothing whatsoever to do with money;
it is in fact completely useless to us for that purpose.
I think we need to be very careful not to make Mark's job any harder
than it needs to be. We're already asking him to go to quite a bit of
trouble on grex's behalf; and he's not getting paid for any of this.
The treasurer's job is perhaps *the* most important job on grex; without
it being done, and done well, this system *will* fold. Mark has done an
excellent job for grex, and frankly he deserves a *lot* more praise,
appreciation, and credit, than any of us have shown him. People who
critique Mark are really displaying a marked ignorance of what he has
done for grex, and how indebted grex really is for his work.
Having said that, onto the "computers is dangerous" thread. There are
things we've asked Mark to do to keep things safer. We ask for instance
that he keep nothing "of value" on grex -- that means grex is never the
authoritative source of membership information, and no credit card
numbers here. We expect he keeps decent backups at home since hardware
failure is always a possibility. I'm not sure we need to be asking for
anything beyond that. Sure, it would be "nice" if he kept all
membership data on a totally secure dedicated machine always kept
offline in a vault and guarded by armed dogs 24 hours a day with orders
to shoot to kill. But I don't think we can realistically expect that of
him. The best we can hope is that he'll use "appropriate" technology to
keep accurate track of the information we ask, and unfortunately, for
better or worse, today that's highly unlikely to mean anything but
MicroSoft, regardless of what any of us computer geeks might think.
In the general scheme of things, I don't think that's necessarily all
that risky. Sure there are things that can reach in via a dialup
connection, infect a machine, and make it divulge all sorts of
embarrassing supposedly "private" information. But reality is not a
Hollywood movie. Most of those things that can "reach in" are things
like viruses and worms. These things are usually "blind" in the sense
that they don't really know how to sift through random data on a user's
machine; if they were looking to steal data from the machine, it would
likely be passwords or financial information Mark would have given his
computer to pay bills online or some such. But most of these things are
bent on either replicating themselves, or stealing access on the
machine. Too, Mark has been involved with computers long enough that he
has every reason to understand about viruses and worms, and take
appropriate measures against them. So I don't really see him getting
infected with Klez and sending copies of random files off his hard disk
along with the virus to random strangers. Like it or not, people who
are out to harvest credit card numbers really are after *much* bigger
fish than grex; grex is simply not worth their while.
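On the question raised in #44 and #45 (why the number itself must be kept once a member's identity has been verified), here is an added example; it is not part of this thread and not Grex's own code. It shows one way to re-match a returning member who presents the same card again without the card number ever being written to disk: the treasurer keeps an HMAC-SHA256 token of the number under a secret key, plus the last four digits. The class and function names, the 32-byte key, the assumption that the key is stored apart from the records, the last-four convention, and the test card number are all constructed for the example.

```python
"""Added example (not from the Grex thread or Grex's own code): keep a keyed
hash of a card number instead of the number, so a returning member can still
be matched by presenting the same card, while nothing on disk is a usable PAN.
Names, the 32-byte key handling and the last-four convention are assumptions."""
import hashlib
import hmac
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; rejects typos before anything is hashed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; accept only a plausible, Luhn-valid PAN."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    if not luhn_ok(digits):
        raise ValueError("Luhn check failed")
    return digits


def pan_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized PAN under a secret key.

    A plain (unkeyed) hash would not do: the PAN space is small enough that
    whoever holds the hashes could enumerate it. Without the key the token
    is useless to a thief, so the key must never sit beside the records."""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class MemberIdRegistry:
    """What the treasurer would keep per login: a token and the last four
    digits (a common display convention, assumed here), never the PAN."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes")
        self._key = key
        self._records = {}   # login -> {"token": ..., "last4": ...}

    def enroll(self, login: str, pan: str) -> None:
        digits = normalize_pan(pan)
        self._records[login] = {
            "token": pan_token(digits, self._key),
            "last4": digits[-4:],
        }

    def matches(self, login: str, pan: str) -> bool:
        """Re-verify a returning member who presents a card number again."""
        rec = self._records.get(login)
        if rec is None:
            return False
        try:
            candidate = pan_token(pan, self._key)
        except ValueError:
            return False
        return hmac.compare_digest(rec["token"], candidate)

    def forget(self, login: str) -> None:
        """Drop a record entirely (e.g. a member who has left)."""
        self._records.pop(login, None)

    def stored_fields(self, login: str) -> dict:
        """Everything that would be written to disk for this login."""
        return dict(self._records[login])


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # keep this apart from the records
    reg = MemberIdRegistry(key)
    reg.enroll("alice", "4111 1111 1111 1111")    # constructed test PAN
    print(reg.stored_fields("alice"))
    print(reg.matches("alice", "4111111111111111"))   # True
    print(reg.matches("alice", "4111111111111112"))   # False (fails Luhn)
```

The point of the keyed construction is that a stolen copy of the records alone recovers nothing, which is what an offline-but-occasionally-connected machine cannot otherwise guarantee. That only holds while the key stays off the same disk and out of the same backups as the records; if both leak together, the token can be brute-forced over the card-number space and the scheme is no better than storing the number.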

jp2
response 46 of 118:
Sep 3 02:45 UTC 2002
This response has been erased.

other
response 47 of 118:
Sep 3 03:05 UTC 2002
re "it now says that that information is, at least occasionally, on the
Internet": It does not say that at all, and the extent of the illogic of
that admittedly broad leap is puzzling at best.

gull
response 48 of 118:
Sep 3 12:48 UTC 2002
It's not intentionally posted. It *is* on a machine that's sometimes
exposed on the Internet. You may think that's a minor risk, but have
you looked at the number of security patches that have come out for
Internet Explorer and Outlook Express in the last year? Have you
installed every single one?
I won't even keep my *own* credit card numbers on my computer, much less
other people's. You may think it can't happen to you; that's what I
thought until a machine I was running got hacked.

other
response 49 of 118:
Sep 3 13:39 UTC 2002
Hmm. That's a good point, which I sometimes forget because I personally
do not use MS OS or browser software except very occasionally.

cross
response 50 of 118:
Sep 3 14:32 UTC 2002
Okay, here's a rhetorical question: What would you think of a store that
kept a copy of your credit card information indefinitely? Marcus, who
often champions security way beyond what's necessary for grex, makes the
dangerous and misinformed statement that Mark's machine isn't necessarily
a target. Specifically, I agree with him; being caught up in a broad
sweep (which happens all the time, incidentally) is another matter.
Lastly, what reason does grex have for storing people's credit information
electronically? Actually, at all? Is it necessary to retain copies of
ID's after they've been verified as being valid?

jp2
response 51 of 118:
Sep 3 14:42 UTC 2002
This response has been erased.