Re: better understanding potential security issues

Inbox
x

Chad Vanderlinden chadvanderlinden@yahoo.com

3:42 AM (12 hours ago)


to Nextdoor, chad, sonja
Gordon, It appears that you don't believe me, and you must be aware that you are in extreme breach of trust with me. Forcing me to conduct this test to create fake accounts on ND, which I have only observed, is pointless. I told you all that I know openly and freely.

Have you considered the chilling effect this will have on future security reports once folks know how ND treats people when they want more information? You are treating me like a captive tied to a chair! It is abominable that someone working for a social movement possesses this tool in his repertoire.

Please show me where in ND's TOS or other covenant that I have entered, that Leads in good standing can be drafted into service by staff, to perform security testing of your website, whereupon their Lead status may be returned at your pleasure? Results of which will *go* to your 'security team' instead of being a process involving them alone? I do not think this policy exists. You have taken my Lead status, and the status of my dear neighbor Sonja Hunter from us without warning, with the admission that it is for reasons other than breach of TOS.

I'm fresh off the battlefield with our HOA and still possess the means to contact most of my neighbors independently of your venue. That's how I *invited* hundreds of people, you realize. I won't place any bets on luring everyone over to yet another alternate social forum, but you shouldn't place any bets on being able to contain this incident and control the flow of information. Your company is widely mentioned in open forums online. I think the topics of security, privacy and treatment of whistleblowers might be of interest to some of them.

I propose you restore our Lead status and let us go back to our busy roles in the community we are proud to have built and stand behind. Your demonstration is over. We see everything you wished us to see. Your warning is clear to us. Now this is over.

Chad Vanderlinden
DawsonAustin Lead (129 invites sent, 27 invites accepted)

Sonja Hunter
DawsonAustin Lead (resident 20 years)

--------------------------------------------------------------------------------------------

On 6/24/2014 1:10 AM, Gordon Strause wrote:
Sorry for the surprise Chad. But I confess I was just as taken aback
by the idea that you somehow on a live video stream where you watched
someone from a foreign country join a Nextdoor website?! That is
perhaps the strangest thing I have ever heard in 20 years of working
on online communities! Who was doing this demonstration? Why? Why were
you a part of it? Why did you not contact Nextdoor about it or ask the
person putting on the demonstration to do so? None of it makes any
sense at all. It's crazy!

Meanwhile, I continue to believe that it's not possible to join a
Nextdoor website simply using the steps you describe below. I have
tested our join flow literally hundreds of times (our team is
responsible for QA of that flow), and there is a verification step
that you're somehow eliding.

So my belief is that something else was going on that you are either
unaware of or that you are intentionally failing to disclose. If I'm
wrong, however, I definitely want to know it. It will be something
that our security team would want to look into immediately.

So it would be a huge help to us if you could provide us with this
information. You absolutely have permission to do this test, as long
as it happens in your neighborhood. In fact, it's going to be
necessary for you to conduct this test to regain your Lead status
because we need to get to the bottom of what is happening (or not
happening) here. If it's possible to join in the way you describe,
it's vital that we know about it. On the other hand, if it's not
possible to join given the steps that you have outlined, then that is
something that is important for you to know.

That said, since I don't want to get in the way of your BBQ, I'll go
ahead and reactivate your account. But until we resolve these other
issues, your Lead status is on hold. We can work through the other
stuff later.

Finally, I'll contact Sonja and apologize for the fact that she was
caught up in this because she shares an address with you. Best,

- Gordon
Nextdoor

--------------------------------------------------------------------------------------------

On Mon, Jun 23, 2014 at 8:01 PM, Chad Vanderlinden
<chadvanderlinden@yahoo.com> wrote:
Gordon,

I would make more sense if you had contacted me about this in advance. Sonja
and I are both very troubled by being suspended without warning. She and I
are duplex neighbors, and as she is like a mother to me, I provide her with
free Internet, Google Voice phone over PBX gateway and, as you have grep'd
from your access logs, email aliases. Hers is not a fake account. She and I
both had the impression that you've punished her only for her association
with me. Without benefit of advance notice, this feels like a demonstration
or warning. It's going to have a chilling effect on my enthusiasm, no matter
what the explanation is.

While this continues, my neighborhood suffers from outside malice, internal
apathy, and I do not know where I will turn for another Lead if I lose
Sonja. I've already lost Kam for negligible reasons. I doubt that my being a
Lead has prevented anyone else from bringing vitality to our neighborhood,
but my absence leaves little doubt to me about it's downfall. I think you
agree we have some crazy, malevolent characters in our neighborhood.

Not sure what needs to be said about Garrett. Everything I wished to express
was cc:d to you so you could decide internally if it merited discipline. I
did not presume either of you would be thrilled with me, so that is no
question. I've dealt with much harsher emails working at Illuminati Online,
Onramp Access, Samsung Wireless, Whole Foods HQ and Railroad Commission of
Texas. I see no reason to write to him again.

I anticipated you have some points to make about posting in the Leads Forum.
You may have noticed a change in my tone of voice recently. I have shifted
into full CSR mode and intend to remain complimentary or neutral whenever
possible. My concern for NextDoor, which bears on the health of my
neighborhood, is sincere. This is a lot of work for me, and I have acquired
a responsibility in the eyes of my flesh-and-blood neighbors.

I am categorically uneasy doing anything which represents a breach of the
website's TOS, even with your blessing. It is for that reason I have not
attempted an innocent test of my own. Someone who is not involved with ND
(AFAIK) performed the demonstration, and I was in the right place at the
right time to observe it. It seems unusual to me that you've reached out to
a non-employee to perform a security breach of your website. Even more
unusual that you're almost obligating me to cooperate. I have shared
everything I know about it. I suggest that you perform your own test by
creating a membership for a random non-member of your own neighborhood. You
can then see what it looks like from both ends. Wouldn't you want your
security team to do this? If you don't have one, I recommend contracting
Northrop Grumman.

1) Find an established name and address in public records who has not yet
joined NextDoor.

2) Apply for membership using the information from 1), and supply a free
webmail address for confirmation.

3) Login and see your welcome message. I can't think of anything to
elaborate on besides that.

Please restore my accounts tonight. I'm in the middle of a potentially
time-sensitive conversation about organizing a neighborhood BBQ this
weekend.

-Chad

--------------------------------------------------------------------------------------------

On 6/23/2014 8:47 PM, Gordon Strause wrote:

Chad,

It's been a crazy last week and a half, and I haven't had time to
engage in the Forum the way I would like to. Hopefully that will
change this week. And I definitely want to discuss with you both your
recent activity in the Forum and your interactions with Garrett.

But first I want to better understand the security concerns you have
been raising, which you have been alluding to but not actually
explaining (while I appreciate your caution in the Forum, I confess
that I don't understand why you haven't explained it in an email to
Support).

So why don't you demonstrate the issue in your neighborhood. I have
temporarily suspended your account. Go ahead and exploit the security
hold you have been referring to rejoin using your name or the name of
a neighbor but some variation of your email address. Then let me know
who it is. I will then delete that account and reactivate yours.

That will help me raise the issue with the Product Team. Thanks!

- Gordon
Nextdoor