Mise à jour de la base de données, veuillez patienter...

On Wednesday, October 25th, we received an email letting us know that an old Drupal database backup file was publicly accessible on defectivebydesign.org, a site operated by the Free Software Foundation. This backup file contained contact information and other details that should not have been public, submitted from 2007-2012.

Within minutes of receiving the report, we removed the file and started auditing defectivebydesign.org and the rest of our sites. The file did not contain any passwords or password hashes, financial information, mailing addresses, or information about users who interacted with the site without ever logging in.

On Friday, October 27th, once we were reasonably confident we understood the scope of the problem and had fixed the most urgent issues, we sent a notification email to every address that was in the database backup file. We explained what had happened, took responsibility, and apologized.

If you did not receive such an email, then your address was not in the exposed file.

The file included (from both real and spambot users' profiles):

• ~28,000 email addresses;
• contact names;
• some IP addresses associated with comments on posts;
• ~120 phone numbers;
• some information users shared about whether they participated in a particular campaign action (like a call-in), and
• timestamps of users submitting data.

While some of this information was intended by users to be public, some of it definitely was not.

I and the rest of the FSF staff are deeply sorry for this mistake. We know how important privacy is to our supporters; we fight on your behalf every day against restrictive and invasive technologies that threaten it. We also don't believe in covering up our mistakes, so we wanted to let everyone affected know as soon as possible, and then share our mistake and what we learned from it here, publicly.

Even though we are a small team, under pressure to move fast against extremely large forces, this kind of mistake is absolutely unacceptable. We have made many improvements in our security practices since 2012, and in light of this failure will be taking a deeper look at what else we need to do.

I'd also like to share some of the technical details about what happened, because in just a few minutes of searching, we found others who are making the same mistake we did.

A backup of defectivebydesign.org's Drupal database was made with the backup-migrate module in 2012, likely to assist migration of the site to a new host. We failed to delete or move that file.

In 2014, or some time before then, the directory name of our Drupal installation was manually changed as part of an upgrade. However we didn't update the part of our Apache configuration that enabled .htaccess files for specific directories. Drupal's .htaccess file normally hides files by disallowing directory indexes. The site appeared to work normally despite the disabled .htaccess file because our main Apache configuration contained functionality normally performed by that file. We also mistakenly didn't have another .htaccess file to fully disable access to the backup. As a result, the backup file was left exposed.

The documentation for backup_migrate has a "VERY IMPORTANT SECURITY NOTE" indicating that "Backup and Migrate attempts to protect backup files using a .htaccess file," which we failed to mind.

We currently don't use this module, and instead backup the site as part of our global backup procedures. We are reviewing and improving several other policies and procedures to both avoid making similar mistakes again, and to detect them should they be made. This includes, for example, deleting personal data from sites where we no longer use it or need it, and accelerating our progress toward full coverage by our centralized server configuration management system.

Thank you all for your support and trust. Our technical team can also use more hands on some of their work to help expedite improvements; if you have expertise in systems administration and are interested in volunteering some time to help, please let us know at sysadmin@gnu.org.

(as of October 24, 2017):

• autoconf-archive-2017.09.28
• bash-4.4.12
• dejagnu-1.6.1
• gawk-4.2.0
• gcc-5.5.0
• gnuhealth-3.2.5
• gnutls-3.6.1
• guile-cv-0.1.7
• kawa-3.0
• libextractor-1.6
• linux-libre-4.13.9-gnu
• mailutils-3.3
• parallel-20171022
• screen-4.6.2
• taler-0.4.0
• units-2.15
• zile-2.4.14

For announcements of most new GNU releases, subscribe to the info-gnu mailing list: https://lists.gnu.org/mailman/listinfo/info-gnu.

To download: nearly all GNU software is available from https://ftp.gnu.org/gnu/, or preferably one of its mirrors from https://www.gnu.org/prep/ftp.html. You can use the URL https://ftpmirror.gnu.org/ to be automatically redirected to a (hopefully) nearby and up-to-date mirror.

A number of GNU packages, as well as the GNU operating system as a whole, are looking for maintainers and other assistance: please see https://www.gnu.org/server/takeaction.html#unmaint if you'd like to help. The general page on how to help GNU is at https://www.gnu.org/help/help.html.

If you have a working or partly working program that you'd like to offer to the GNU Project as a GNU package, see https://www.gnu.org/help/evaluation.html.

As always, please feel free to write to us at maintainers@gnu.org with any GNUish questions or suggestions for future installments.

Richard Stallman's conversation with radio host Dr. Diane Hamilton will air on her show “Take the Lead” on November 3, 2017, at 10:00 EDT, on twelve AM/FM stations across the United States, including:

• Tampa, Florida: AM 1630, FM 92.1
• Las Vegas, Nevada: AM 1520, FM 107.1
• Macon, Georgia: AM 810, FM 87.9
• Lancaster, Pennsylvania: AM 1640, FM 102.1
• Boulder, Colorado: FM 100.7
• Milwaukee, Wisconsin: FM 104.1
• Pittsburgh, Pennsylvania: FM 107.3
• Long Beach, California: FM 101.5
• The Villages, Florida: FM 97.7
• Colorado Springs, Colorado: FM 87.9
• Jacksonville, Florida: FM 90.3

You can also listen to the interview online here.

Dr. Diane Hamilton's Leadership Radio Show features in-depth interviews with entrepreneurs, thought leaders, speakers, and other influential individuals, including Steve Forbes of Forbes Media and Craig Newmark of Craiglist.

My name is Florian Rival, I'm a software engineer working in Paris. I'm working on various projects, ranging from large scale Web apps to innovative mobile apps, and I'm also creating games in my spare time. GDevelop is a piece of game creator software allowing anyone to create games. The editor is built to be intuitive and used by beginners or advanced game makers. In particular, no programming skills are required: all the game logic can be made using a visual event system that is easy to learn and expressive enough to build any game you can imagine.

Why did you start GDevelop?

I've always been fond of software that allows people to create things without having to spend a lot of time learning advanced programming. When I was young, I used a game-making software similar to GDevelop, and this is what got me into programming later. Since then, I've always been eager to provide the same kind of software to allow anyone to create games. I'm also quite fond of video games, so making software to create video games is a natural fit for me!

How are people using it?

Most people are making their first step in game creation and programming using GDevelop, mostly to have fun and see how it works. A few people are able to create advanced games, and I'm quite proud when I discover a really enjoyable game made with GDevelop.

What features do you think really sets GDevelop apart from other game development systems?

It is feature-rich, which allows for a multitude of uses. The event system is a way to create the game rules and logic without having to learn how to use traditional programming language. It's easier to get started with events as you search in a list of all available actions and conditions that you can use, and apply them on the objects of your game. And it's still powerful enough to re-create the same things that you can do with programming -- so that no user of GDevelop is forced to switch to a programming language when the game is becoming a bit complex.

Why did you choose the GPLv3 as GDevelop's license?

I've spent a huge amount of time designing the editor, and I wanted to be sure that anybody improving and developing the editor will make their contribution available to anyone else with the same license.

How can users (technical or otherwise) help contribute to GDevelop?

First, developers can help in designing or improving the editor or the game engine (written in C++ and Javascript) on https://github.com/4ian/GD. I'm developing a new, improved editor, and any developer knowing a bit of JavaScript should be able to quickly set it up and contribute! The best way for other users is simply to download GDevelop and get involved in the community. In particular, we need a lot of tutorials to help beginners to get started and build advanced games! We already have some tutorials, but more are better.

What's the next big thing for GDevelop?

The editor is being re-written so that it's built on new Web technologies, enabling it to be fully cross-platform (GNU/Linux, macOS, Windows) and even used directly from a Web browser in the near future. It's a good way for me to think again about the whole interface and to simplify it. I'd like to build an ecosystem around GDevelop, this should help even more people to try game creation and see how easy it can be once you've learned a few concepts, and we have a road map.

*Enjoy this interview? Check out our previous entry in this series, featuring David Rosca of QupZilla.

The logo and screenshots are used with permission of Florian Rival.