IGDA: Not Hacked (Or Maybe it Was!)

(Just to be clear: I did not have anything to do with the emails from “concerned_members_of_the_IGDA.” It caught me by surprise, and while I think it was a good attempt at grassroots organization, they could have been somewhat clearer that they did not represent the IGDA itself, and they should have signed names to it.)

(UPDATE: Everyone I spoke to prior to writing this who received a message had a public IGDA profile. It’s come to light that some people who definitely have private profiles also received a message from concerned_members. Seems like there might be some PHP hacking involved after all. Consulting some friends in security…)

IGDA members received an anonymous message yesterday urging them to sign the petition to call a member vote on the removal of Tim Langdell from his Board position.

Joshua Caulfield sent out an email to the IGDA membership today saying the following:

Dear Members,

Recently an email went out that appeared to have originated from IGDA. The return address of this email appeared as: “Concerned_Members_of_the_IGDA@IGDA.org.”
That email address was spoofed and the communication was not an official IGDA communication. We are currently reviewing the methods by which it was sent to see if this was sent out by people ignorant of proper use of the IGDA website or if there were malicious actions involved. We are also reviewing the method by which your email addresses were obtained and whether that was done ethically or not. It is my hope that this was done by someone simply overzealous about their cause and not for destructive reasons.

Please be aware IGDA was not responsible for this email and does not have anything to do with the content or the links provided. You should read and use such links at your own risk.

We will investigate this issue and provide you with information on our findings as they are confirmed.

Thank you,

Joshua Caulfield
Executive Director
IGDA

It’s very clear from the email I received that it was not “spoofed.” The people who sent the message clearly used the IGDA’s web forms. The header of the email says it was mailed by ynilo.pair.com — well, pair.com happens to be the IGDA’s web host, so if it was sent via the IGDA’s PHP web form it would indeed be mailed by pair.com. Just to test it out, I sent the following message to a friend:

[image: igda1 (the test message as filled in on the IGDA profile contact form)]

My friend forwarded me the email he received. The header and footer are identical to the email from “concerned_members”:

From: I_am_totally_anonymous <bad_address@example.com>
Date: Wed, Aug 5, 2009 at 10:41 AM
Subject: Message via IGDA Profile: I_am_totally_anonymous
To: (my friend)

I_am_totally_anonymous sends you the below message via your IGDA Member Profile:

This is my anonymous message to you.

-Nobody

—————————————–

You can reply to I_am_totally_anonymous at bad_address@example.com.

Note: You can change your public profile access, privacy and email settings via your MyProfile page:
http://www.igda.org/membership/myprofile.php

International Game Developers Association

So there you have it. It is clear that this was a group of people who decided to split up the Member Directory listings (which are publicly available to any paying IGDA member) and went down the list and messaged everyone using the form system. Nobody obtained email addresses through dubious means. It’s like sending a message via Facebook messaging, only in the IGDA’s Member Directory there’s no setting to say “only let my friends message me.” You’re either public or hidden, and the default is public.

These messages were not sent in an unethical or illegal way. If anything, the messages are a consequence of the rather poor state of the current IGDA website (having seen the new site, I can say these issues will not come into play there; it is a lot more Facebook-like in terms of privacy).

I also want to say that I think it was a bad move for the “Concerned Members” to remain completely anonymous, but that’s neither here nor there. It wasn’t a hack, plain and simple.

6 Comments

  1. Tom Buscaglia Said,

    August 5, 2009 @ 8:27 am

    I have been contacted by several people whose email address was not public in their profile. So, the explanation of how this was done is highly suspect.

    “The road to hell is paved with good intentions.”

    Tom B

  2. FISH Said,

    August 5, 2009 @ 8:45 am

    still not addressing the real issue.

  3. Scott Said,

    August 5, 2009 @ 9:34 am

    My profile is private and I got an email.

    That Member Email Contact Form URL takes your IGDA Member ID. I suspect that if you can guess someone's ID you can send them an email, even if their profile is private.

  4. Dave Weinstein Said,

    August 5, 2009 @ 11:57 am

    According to posts by one of those involved on the IGDA forums, that was precisely how it was done.

    The mailer page takes the Member ID in the URL, and does not check to see if the Member has a public profile or not. Since the Member IDs are predictable, it seems those behind the mailing simply used the IGDA mail page, and no email addresses were disclosed.

    What I am interested in is whether the mailer adds @igda.org to the sender if no domain is specified. If it does, then the web page is responsible for the appearance that it came from the IGDA. If it does not, then the senders acted poorly in adding an @igda.org address. Either way, someone should have created a mail address, and they should have used a real email address as the sender.

    Whether or not the mailers acted properly in emailing all IGDA members (whether or not they had made their profiles public) is another matter for discussion.

    Oh, and apparently it worked. According to reports, the 10% threshold to force a special meeting was met.

  5. Brian Beuken Said,

    August 5, 2009 @ 12:08 pm

    What does Tom’s comment mean in this context?
    Is the IGDA going to hell?

  6. nbreslin Said,

    August 6, 2009 @ 8:03 am

    I explained what happened here:
    http://www.igda.org/Forums/showthread.php?s=f5169c1425cd025a25749239db734cc4&threadid=36585&postid=228770

    Third post down. It had nothing to do with hacking. The form was just displaying your name, regardless of your privacy settings. Your e-mail was never displayed.

    The form mail page, however, is currently down for construction (though it still shows your name if someone puts in your User ID).
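Putting the mechanism described in the post (the Member Directory contact form, public-or-hidden profiles with public as the default) and in comments 3, 4 and 6 (recipient chosen by a predictable member ID in the URL, privacy setting never consulted) into code, as an added example that is not the IGDA's PHP mailer and not code posted by the author or any commenter: a simulated profile-contact handler with the flaw, beside a hardened one. The member records, the IDs, the igda.org domain handling and the per-sender limit are all constructed for the example; in particular, whether the original mailer appended @igda.org to a bare sender name is only raised as a question in comment 4, so it is modelled here as an assumption, not as a fact about the site.

```python
"""Simulated member-to-member contact form, in the style of the
"Message via IGDA Profile" mailer discussed on this page.

Added illustration, not the IGDA's PHP code. Member records, IDs,
the site domain and the rate limit are constructed assumptions.
"""
import re
from collections import Counter

SITE_DOMAIN = "igda.org"  # assumed: the site's own mail domain

# Constructed directory with sequential, predictable member IDs.
# `public` mirrors the "public or hidden" profile setting in the post.
MEMBERS = {
    1001: {"name": "Alice", "email": "alice@example.com", "public": True},
    1002: {"name": "Bob",   "email": "bob@example.com",   "public": False},
    1003: {"name": "Carol", "email": "carol@example.com", "public": True},
    1004: {"name": "Dave",  "email": "dave@example.com",  "public": False},
}

HEADER_BREAK = re.compile(r"[\r\n]")
ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def vulnerable_send(member_id, sender_name, sender_address, body):
    """The behaviour the comments describe: the recipient is selected by
    member ID alone and the privacy flag is never consulted.  Appending
    the site domain to a bare sender name is an ASSUMPTION about the
    original mailer (comment 4 only asks whether it does this)."""
    member = MEMBERS.get(member_id)
    if member is None:
        return None
    if "@" not in sender_address:
        sender_address = f"{sender_address}@{SITE_DOMAIN}"
    return {
        "to": member["email"],
        "from": f"{sender_name} <{sender_address}>",
        "subject": f"Message via Profile: {sender_name}",
        "body": body,
    }


class HardenedMailer:
    """Same feature with the checks a reviewer would ask for."""

    def __init__(self, per_sender_limit=20):
        self.per_sender_limit = per_sender_limit  # assumed policy value
        self.sent = Counter()

    def reject_reason(self, member_id, sender_name, sender_address):
        """Return why a request is refused, or None if it may proceed."""
        member = MEMBERS.get(member_id)
        if member is None or not member["public"]:
            # Same answer for "no such ID" and "hidden profile", so an
            # ID walk cannot tell the two apart.
            return "recipient not reachable"
        for field in (sender_name, sender_address):
            if HEADER_BREAK.search(field):
                return "header injection attempt"
        if not ADDRESS.match(sender_address):
            return "sender address must be a complete address"
        if sender_address.lower().endswith("@" + SITE_DOMAIN):
            return "sender may not claim the site's own domain"
        if self.sent[sender_address] >= self.per_sender_limit:
            return "rate limit exceeded"
        return None

    def send(self, member_id, sender_name, sender_address, body):
        if self.reject_reason(member_id, sender_name, sender_address):
            return None
        self.sent[sender_address] += 1
        return {
            "to": MEMBERS[member_id]["email"],
            # From: stays the site's own no-reply address; the sender's
            # address goes in Reply-To only, so nothing looks official.
            "from": f"noreply@{SITE_DOMAIN}",
            "reply_to": f"{sender_name} <{sender_address}>",
            "subject": f"Message via Profile: {sender_name}",
            "body": body,
        }


def walk_ids(send, id_range, sender_name, sender_address, body):
    """A mass mailing against either handler: try every ID in a range
    and return the recipient addresses that were actually reached."""
    reached = []
    for member_id in id_range:
        msg = send(member_id, sender_name, sender_address, body)
        if msg is not None:
            reached.append(msg["to"])
    return reached


if __name__ == "__main__":
    blast = ("Concerned Members", "concerned", "Please sign the petition.")
    print("vulnerable:", walk_ids(vulnerable_send, range(1000, 1010), *blast))
    print("hardened:  ", walk_ids(HardenedMailer().send, range(1000, 1010),
                                  "Concerned Members", "cm@example.com",
                                  "Please sign the petition."))
```

Walking the ID range against `vulnerable_send` reaches every member, hidden or not, and a bare sender name comes out as an @igda.org address, which is exactly the appearance the update and comments 1 and 3 complain about. Against `HardenedMailer.send` the walk reaches only public profiles, hidden and nonexistent IDs get the same refusal, a newline in either sender field is rejected before it can add headers, and the per-sender counter caps how far one account can go down the list.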
