Request a clarification on usage of non-church owned websites

[jdlessley]

This thread has narrowed to discussing child privacy issues and the law. While I agree there are complex threads to the issue of privacy and children, the thread has narrowed the discussion from the original issue of authorized and unauthorized web sites. I am quite interested in the overall issue originally posted by daddy-o. Since this narrowing of focus happened as a result of questioning the use of ymyw.org I am also curious about the ymyw.org site. I did a quick scan of the site without registering. I was then prompted to ask a few pointed questions using their 'contact us' link. I am hoping to get a response that will help clarify the structure, use, and availability of information at that site. This is what I sent throught that link.

Your web site has come up in a thread in LDS Technology Forums (lds.org) as being a site violating Church policy regarding authorized web sites.
What is it about your web site that you think does not violate this policy? How do you ensure someone registering as an "Advisor, Ward Admin, Stake Advisor, or Stake Admin" is who they say they are?
I am my stake's technology specialist and must advise my stake president on these matters. Before I can advise him I need to know the answers to these questions and others to ensure we will be following Church policy regarding authorized web sites.

I am hoping to get a better understanding of their site from their point of view. Maybe they have not considered the issues brought up in this thread. If there is interest I will share what I get from them.

[Mikerowaved]

Thanks for bringing us back on topic, JD. I think many of us are curious about the response you get.

I attempted to register on the site, but was told our unit was already registered, so I was told an email was sent to [they provided the first name only] and I must wait for approval. I'm attempting to contact several people in my unit with that name hoping to explain why I would like to take a look around on the "inside" of this website.

Mike

[lajackson]

I attempted to register on the site, but was told our unit was already registered,

And, aside from the other issues discussed, that is another problem. Did the person who is registered at the site have permission to represent the ward or stake? While it is not the site's responsibility to know, if there was a problem, would the site be willing to accommodate the authorized user?

Difficult questions, even for a site that seems to be providing a desired and worthwhile service.

[aebrown]

And, aside from the other issues discussed, that is another problem. Did the person who is registered at the site have permission to represent the ward or stake? While it is not the site's responsibility to know, if there was a problem, would the site be willing to accommodate the authorized user?

Difficult questions, even for a site that seems to be providing a desired and worthwhile service.

The questions seem to be rather easily answered. The site doesn't make any attempt to make sure that the people who register for the site have permission, but I don't see why it would need to. Here's the basic process:

• A person registers with the site using the unit number.
• That first person becomes the defacto administrator for the ward.
• Any subsequent users have to be authorized by that person, or by someone designated by that person as an administrator.
• So access is not granted by the site, but by another member of the ward who has administrator privileges.
• Since the ward members who would be using the site are known to each other, it's not really likely that a stranger could ask for authorization and have it granted.
• Any ward that is using the site can easily set policies for who is an administrator and who grants access.

I suppose if you are worried about risks, you could consider the scenario that a stranger is the first to register. But that would quickly be discovered as actual ward members start to register and receive communication from a stranger.

So the basic technique of passing authorization among ward members, with a very small number of administrators authorized by the bishop, seems safe enough to me. The set of users will be small and well known to the ward administrator(s).

[rmrichesjr]

...
I suppose if you are worried about risks, you could consider the scenario that a stranger is the first to register. But that would quickly be discovered as actual ward members start to register and receive communication from a stranger.
...

That scenario is the most obvious (to me, at least) risk. I don't know that site. How would ward members know it was a stranger who was communicating with them and not someone pretending to be the administrator assigned to that ward from the site? If by email address, the imposter could have an email address like Somewhereville1stWardAdmin@domain.tld where "domain.tld" is one of the many domains where anyone can register for a free email address.

[aebrown]

That scenario is the most obvious (to me, at least) risk. I don't know that site. How would ward members know it was a stranger who was communicating with them and not someone pretending to be the administrator assigned to that ward from the site? If by email address, the imposter could have an email address like Somewhereville1stWardAdmin@domain.tld where "domain.tld" is one of the many domains where anyone can register for a free email address.

Maybe I wasn't clear. The administrator is inown by name and e-mail address on the site. It is a member of the ward (except in this fantasy scenario). The list of users from the ward is available to any administrator for the ward. I don't see how someone could pretend to be a member of the ward, having a name of someone in the ward, with that someone having conversations in person with other members of the ward about the site. It just wouldn't happen.

If this site is to be implemented in the ward, there will be organization, and discussion, and assignments made. No one can sneak in unknown into the list of users. I mentioned the scenario for the sake of completeness and to show that there really is no risk there. If by chance some stranger registers first, as real ward members try to use the site, that stranger would not authorize them as administrators, but if he did, they would quickly figure out that it was an imposter during the council meetings where the site is discussed. In such a rare case (I don't see the motivation for a stranger being the first to register for a ward), I'm sure it can be worked out with the site owners to remove the stranger.

[russellhltn]

I think the real question in the "stranger" scenario, is could the impostor be discovered before damage was done? It's possible they could con someone into uploading information prior to the next meeting. If they got a list of names and contact info, that might have been all they wanted.

[aebrown]

I think the real question in the "stranger" scenario, is could the impostor be discovered before damage was done? It's possible they could con someone into uploading information prior to the next meeting. If they got a list of names and contact info, that might have been all they wanted.

So you're saying that all the following could happen:

1. A stranger registers with the ymyw.org site, supplying a valid unit number. But if they even know about the site, how will they know the unit number? Why would they have any reason to assume that that unit would ever use the site?
2. A member of the ward (let's call her "Molly") at some later date is authorized by the bishop to register with ymyw.org as an administrator. Alternatively, Molly is not authorized, but is just checking out the site.
3. Molly attempts to register, but is told something along the lines of "John is your ward's administrator, but you can request that John activates your account."
4. Molly thinks nothing of that being odd, even though she is supposedly the first person to register, and she doesn't know who John is. Why would Molly not worry about this? Why would she register with a mysterious ward administrator?
5. "John" authorizes Molly to join. I suppose if all the completely improbable preceding events have happened, we're assuming John would do this.
6. Molly does not ask to be an administrator, or she asks to be an administrator but doesn't have the curiosity to see who John is. In the most likely scenario, she went to the site expecting to be an administrator, but she gives up on this without a second thought?
7. Molly uploads contact information. But if she wasn't authorized to use the site by the bishop, why is she uploading contact information? If she is that careless, she could just as easily be posting the information on some totally public site. In that case, it makes no sense to criticize ymyw.org, which at least is password protected. If she was authorized, then why was she so foolish as to upload information when there was a surprising turn of events where an unknown person was the ward administrator but no one was expected to be registered before Molly?

Frankly, I see this as improbability multiplied by improbability. I find it hard to get past step 1. But in any case, if a ward is being at all serious about this, they will do it deliberately, and assign people to be the administrators and advisers. Any of my objections in steps 4, 6, and 7 would stop any abuse, but you think that all 4 improbabilities would happen?

When evaluating threat models, it's good to be creative and consider all the posibilities, but I don't understand how this particular threat is at all credible.

[rmrichesjr]

So you're saying that all the following could happen:

1. A stranger registers with the ymyw.org site, supplying a valid unit number. But if they even know about the site, how will they know the unit number? Why would they have any reason to assume that that unit would ever use the site?
2. A member of the ward (let's call her "Molly") at some later date is authorized by the bishop to register with ymyw.org as an administrator. Alternatively, Molly is not authorized, but is just checking out the site.
3. Molly attempts to register, but is told something along the lines of "John is your ward's administrator, but you can request that John activates your account."
4. Molly thinks nothing of that being odd, even though she is supposedly the first person to register, and she doesn't know who John is. Why would Molly not worry about this? Why would she register with a mysterious ward administrator?
5. "John" authorizes Molly to join. I suppose if all the completely improbable preceding events have happened, we're assuming John would do this.
6. Molly does not ask to be an administrator, or she asks to be an administrator but doesn't have the curiosity to see who John is. In the most likely scenario, she went to the site expecting to be an administrator, but she gives up on this without a second thought?
7. Molly uploads contact information. But if she wasn't authorized to use the site by the bishop, why is she uploading contact information? If she is that careless, she could just as easily be posting the information on some totally public site. In that case, it makes no sense to criticize ymyw.org, which at least is password protected. If she was authorized, then why was she so foolish as to upload information when there was a surprising turn of events where an unknown person was the ward administrator but no one was expected to be registered before Molly?

Frankly, I see this as improbability multiplied by improbability. I find it hard to get past step 1. But in any case, if a ward is being at all serious about this, they will do it deliberately, and assign people to be the administrators and advisers. Any of my objections in steps 4, 6, and 7 would stop any abuse, but you think that all 4 improbabilities would happen?

When evaluating threat models, it's good to be creative and consider all the posibilities, but I don't understand how this particular threat is at all credible.

Step 1 is easy to get past. Let's say John is anti-LDS and wants to cause trouble by getting a list of youth names and contact info. Let's say he has several unit numbers from his cohorts. Let's say he has heard a rumor that a unit for which he has the unit number is going to register on the site soon. That's the threat I'm considering.

For steps 4, 6, and 7, I'm thinking John could try to pass himself off to Molly as being an official representative of the site assigned to help that ward get registered. I understand there are people skilled at social engineering who can call up a business, pretend to be "IT Support" and convince people to divulge their passwords. Is there anything in the headers/footers sent with messages between site users that would prevent John, skilled at social engineering, from getting valuable information from a hypothetical naive/gullible Molly?

[russellhltn]

As for Step 1, ymyw.org tells you how. Look on the left side of the link. What they're telling you to do is to search for the LUWS page and pick it out of the URL. Note that you need not log into a ward to find it's Unit Number.

The rest is just social engineering. Perhaps registering with a name like "President". And when contacted the first thing "President" says is to go ahead and upload the information. I think it's quite likely that anyone stumbling across the site will register and explore first, and report in a meeting later. A clever social engineer can con the user into uploading before that first meeting.

While the possibility for success may not be high, a predator only has to get lucky once to get a list. He may do all the units within his area and hope that one will fall for it.