Dear NGSC EC, NPOC EC, NCSG and NPOC members, This is a strange email. One it didn't occur to me I was going to write and yet here we are. In short, effective immediately I'll cease to provide support to NPOC and NCSG beyond my natural attributions as both an organizational and individual member. This is the TLDR version. For those interested, the explanations are below to the best of my abilities. For handovers, see below. *The circumstances.* In my account of the situation I will avoid to name people directly. Although everyone pretty much knows who is who in these stories. *A) NPOC's channels' (and others) credentials (Vaultwarden)* As part of my efforts to provide NPOC with an IT infrastructure at par with current needs, one of the main tasks was to secure all credentials used by NPOC EC and establish an effective way to do handovers between leadership changes. A Vaultwarden instance was created and all credentials secured in it. NPOC had now a credentials vault that is fully self-hosted, with unique and complex passwords for all platforms as well as MFA enabled when available. It also had a proper credentials structure that allowed full handovers in under 10 minutes. Ever since Istanbul I tried several times to hand over these. The procedure needs to be performed ONCE yet in the correct sequence. Just last week I was stood up not once but twice for calls I had organized to do the handover. After the last attempt, I requested advise to how to proceed with this. It's been 4 days and I haven't heard back. This is on top of several attempts during Istanbul and some more after it (one did materialize, which is where an SMTP problem was detected). I have also invited, several times, the other reps involved in using this credentials to book me (I gave a personal booking link) to explain how to use Vaultwarden (plus all the other platforms described below) and how the structures and templates I created work... to no avail. No one has booked me to this date despite having made myself largely available. But time for attacks and defamation wasn't in short supply, as I saw recently. The important thing to me is that this is already going on to close to 2 months and the handover is not yet done. Yes, there were problems with the instance (SMTP was buggy and the solution, after looking into it for hours, was to update the instance version) and yet these could have been solved either in Istanbul or soon after should the people involved in the handover had taken any interest on this. I also understand that everyone has work outside of NPOC, that we are all volunteers, etc... The situation just reached an untenable point in which I am done to be blamed for this not being done already. If everyone is busy, so am I. Moreover, all the efforts done in consolidating and securing the credentials have gone to waste as NPOC EC members have unilaterally decided to reset some of the passwords. I cannot provide any reassurances as to the quality and safety of these new passwords so I won't be accepting any responsibility for anything happening to those accounts. *B) The NPOC seat on the NCSG EC.* A few months back, and to my surprise, I was offered to fill one of the seats for NPOC at the NCSG EC. I didn't feel particularly prepared yet I was assured my only attributions would be to review membership submissions. It turned out that this was not accurate, as I discovered later on. Personally, I took the request as an opportunity to speed up my understanding and increase my participation in ICANN. To be clear, I have nothing against the people who have recently been appointed for the NPOC seats @ NCSG EC. I have however reservations as to how all these processes are managed as I learned about the new positions only because of a semi-formal announcement on a mailing list. At the time of writing this email I have not yet being told by NPOC leadership this change of situation, which has implications in my schedule and the work I was undertaking for NCSG. I was kept in the dark as to why the person before me was removed and I was put in his stead. I have been kept in the dark as to the results of the current "elections"(?). If I was approached personally to help with the "vacancy", I would expect to be approached personally to be told "You are out" (which I am fine with!). All in all, I find this waltz to be unbecoming of proper leadership. This is not what I expect from the NPOC EC at large. *C) Leadership* Since I joined NPOC, all I have observed (and witnessed) are petty attitudes from certain members, certainly fueled by personal interests more than working for the community. I have attempted to follow the established ranks and support the elected reps because that's what we are suppose to do as elected chairs. This has obviously proven to be a sterile attempt. The frictions, veiled accusations, political games, power plays and other distasteful attitudes that I have witnessed are not the result of natural clashes between people with different opinions. They are unnecessary and only make active participation in NPOC a 5 stars challenge. We wonder why we don't have "fresh blood"? *D) IT infrastructure & services for NPOC* I have purchased platforms for NPOC (some with my own money), I had created the beginning of an IT infrastructure that would have allowed the constituency to have a respectable degree of security and functionality moving forward. I had designed a methodology (and started to document it) to help automate tasks and streamline operations (less effort) to produce information for our constituency members (which, in turn, I was hoping would spark new participation). This had been under a mix of personal initiative (that's on me) and requests from the NPOC EC. My efforts have been met with lack of interest (by the same people who green lighted the approach) and sheer veiled accusations of having some hidden agenda by some. There is no reason for me to attempt helping on this area moving forward, especially not having observed the support that was to be expected by members of the NPOC EC. The mentality on IT infrastructure is backwards and I don't have any interest on fighting it. *E) Other frustrations* During one of the NPOC EC meetings, I proposed to structure our reporting, to create templates for our participation in sessions. This was intended to enable a flow of information for proper Comms (SocMed, Publications, Readouts). It was also intended to produce some transparency about what is being done and followed by NPOC. To my disappointment, the idea was received with a mix of disinterest and sheer, blunt opposition. I was taken aback by how adamantly some EC members were unhappy with something that should be a net positive for the whole constituency. My reading is that certain members are not OK with being accountable to the work that is expected/declared to be done. In general, NPOC is lacking direction and spends way too much time and energy handling infighting and otherwise petty attitudes. We have little resources and we waste them on feuds. Much needs to change if NPOC expects to have a role in ICANN. *Handover Tasks* *- Vaultwarden* Info@ remains the Owner. I have removed my personal account as Admin. The NPOC EC is Admin. I will send the Owner credentials to the NPOC EC Chair via separate channels. From that point on, having removed myself from the Admins, I will not perform administration tasks on the instance. The Vaultwarden instance will remain available for as long as the current VPS host keeps it alive. @NPOC EC: A) If NPOC EC wants to make use of it, do proceed. B) If decision is made to not use this instance, I'll appreciate being told and I'll destroy it (saving some organization credits in the process). In the scenario where NPOC EC decides to not use the Vault, two dumps will be performed: - Full dump of credentials >> NPOC EC Chair - Partial dump of credentials for SocMed >> NPOC Outreach Chair The dumps will be communicated via separate channels to ensure basic security. Note that all MFA settings will have to be disabled in all applicable accounts. Whomever handles these accounts later should reactivate MFA as they take over them. 30 natural days should be sufficient to let me know. *- VBout* This SocMed scheduled was donated long ago to NPOC and has been used by me when I was Comms Chair. @NPOC EC: A) Should NPOC EC wish to use the platform, the necessary credentials are in the Vault. Plenty of documentation to learn to use the platform is available. B) Should NPOC EC decide to not use the platform, please let me know and I'll delete the sub-account. 30 natural days should be sufficient to let me know. *- ElkQR* This QR generator platform was acquired for NPOC. The Admin account is under Info@. Should NPOC EC wish to use the platform, the necessary credentials are in the Vault. It's paid for (it's an LTD) and I will not seek refund. *- Cloudflare* This platform was adopted to manage NPOC's DNS needs under approval of NPOC EC. The Admin account is under Info@. Whomever will take care of handling the DNS can be given the corresponding permissions by whomever will be managing IT for NPOC. *- Canva* This platform was configured to have a templated collaterals for SocMed and other comms. I managed to obtain the NGO license by using my US 501(c)(3) so that NPOC could have all the tools available. The platform is accessible through Info@ @NPOC EC: A) Should the NPOC EC decide to use the platform, they will find all the templates I created for the posts. B) Should NPOC EC decide to not use it, let me know and I'll unlink the account. 30 natural days should be sufficient for this. *- Sleekplan* This platform was intended to create a participation environment for NPOC members to vote and express their opinions on priorities for NPOC moving forward. The platform is registered under Info@. I managed to get it for the constituency for free. *- Google Account (NPOC.ICANN@Gmail.com - G Drive, Forms, etc.)* As NPOC needed some basic storage and a generic Gmail account to access/offer services, a Gmail account was created (and fought with Google - long story). The secondary/recovery email is Info@. Credentials are on the Vault. The GDrive has an initial folder structure with all the materials I managed to collect in while being NPOC Comms Chair. *- NCSG CRM* I have proceeded to Delete my account and from this point onward I have no access to the NCSG CRM. [image: image.png] @Andrea Glandon <andrea.glandon@icann.org> I am not sure if there's anything else that needs to be done. Please proceed, if ever. Thx! *- ICANN NPOC Pages* There are a number of NPOC pages @ Community that I should be removed from having Edit permissions. @Andrea Glandon <andrea.glandon@icann.org> could you look into this? Thx. Note to NPOC EC: This is why having a structured credentials access is crucial. But I am giving up on explaining this. *- NPOC Info@ email/list* I still receive the emails sent to this address. @Andrea Glandon <andrea.glandon@icann.org> could you please remove me from it? Thx. *- NPOC Github* This was indented to build a backend for NPOC, in terms of task management and documentation. This account is linked to Info@ You can do with it what you will. *- Other minor platforms* Credentials can be found on the Vault. NPOC EC is free to do as it wishes with them. *- NCSG Operating Procedures* @Rafik Dammak <rafik.dammak@gmail.com> It is my understanding that I have no part to play in this since I am not part of the NCSG EC anymore. The document remains available, nothing changes on that end. Feel free to disregard the comments I left on it. *- IT for NCSG* I owe a gap analysis to the NCSG EC. @Rafik Dammak <rafik.dammak@gmail.com> : Do let me know if you still want this or not. Please note while I'll do the analysis, I won't be helping with implementation at this stage as I do not wish to repeat the same mistakes as with NPOC. I believe this is all. I will not entertain comments or replies to this email except those related to decisions yet to be made (and that are quite explicit in the text). Regards, Jean F. Queralt Founder & CEO - The IO Foundation <https://TheIOFoundation.org> Book a meeting <https://TIOF.Click/BookJFQ> (30 minutes) -- **DISCLAIMER** *The content of this message, which may contain personal or sensitive data, is confidential. If you have received it by mistake, please inform the sender by replying to the email and then permanently delete the message, including any attachments. It is forbidden to copy, forward or in any way reveal the content of this message to anyone. The integrity and security of this email cannot be guaranteed over the Internet and, therefore, the sender will not be held liable for any damage caused by the message.*
Dear all, Following up on pending tasks/handovers as 30 days have passed. Please find my comments inline below.
*Handover Tasks*
*- Vaultwarden*
After 30 days, no one has reached out to inform me of any decision on this matter. Pursuant to my initial email, I am to understand that the platform is no longer of interest to NPOC EC so I have proceeded to: - Remove all the 2FA/MFA settings in all accounts that had them - Create 1 full dump of credentials (Master Dump) that has been sent to the NPOC EC Chair - Create 1 partial dump of credentials (Outreach Dump - corresponding to outreach accounts) that has been sent to the NPOC Outreach Chair - Both files are password protected (Passwords have been sent to the corresponding persons separately) - Take down the Vaultwarden instance (as a result Vault.NPOC.org is no longer operational) - Remove the A record *Vault *from NPOC's DNS - Destroyed the Master Dump and the Outreach Dump from my storage I would emphatically advise the NPOC EC to: - Immediately update all passwords of all accounts - Store the credentials in a secured vault - Reactivate the 2FA/MFA settings in all possible accounts in the shortest of times - Establish a handover procedure that facilitates the passing of credentials to future NPOC EC members.
*- VBout*
After 30 days, no one has reached out to inform me of any decision on this matter. Pursuant to my initial email, I am to understand that the platform is no longer of interest to NPOC EC so I have proceeded to: - Remove the sub account I had assigned to NPOC *- ElkQR*
After 30 days, no one has reached out to inform me of any decision on this matter. Pursuant to my initial email, I am to understand that the platform is no longer of interest to NPOC EC so I have proceeded to: - Reclaim the account for my organization - Reclaim the Appsumo account under which it was acquired (as it has both the proof of purchase and my personal card details) - Remove the CNAME record *QR* from NPOC's DNS
*- Cloudflare*
Access to this platform is granted through the credentials on Master Dump. As part of the clean-up process, I have proceeded to: - Remove the CNAME record * BLOG* from NPOC's DNS - Remove the CNAME record *DOCS* from NPOC's DNS Note: These were CNAMEs created for services that were being implemented for NPOC Comms and are of no utility anymore. Note 2: Despite the fact that I don't have any passwords on my end anymore, PLEASE change Cloudflare's password immediately. Note 3: After the maintenance clean ups, I have no longer access to the Cloudflare account. *- Canva*
After 30 days, no one has reached out to inform me of any decision on this matter. Pursuant to my initial email, I am to understand that the platform is no longer of interest to NPOC EC so I have proceeded to: - Reclaim the account for my organization - Requested a full download of all the templates, which has been submitted with the Dumps - Removed all NPOC templates from the Canva instance Note: The rendered images, as well as the originals that were used to create them, can be found in the Media folder inside the Shared Drive of the NPOC.ICANN@Gmail.com account (of which NPOC EC has access to). *- Sleekplan*
After 30 days, no one has reached out to inform me of any decision on this matter. Pursuant to my initial email, I am to understand that the platform is no longer of interest to NPOC EC so I have proceeded to: - Reclaim the account for my organization
*- Google Account (NPOC.ICANN@Gmail.com - G Drive, Forms, etc.)*
After 30 days, no one has reached out to inform me of any decision on this matter. As a result, I have proceeded to: - Remove any access I had over this account The account can be accessed with the credentials in the Master Dump that has been shared with the NPOC EC. Note: This account was used to store quite an amount of information pertaining to Comms. I recommend accessing it and decide what you want to do with it.
*Info@NPOC.org*
I still receive the emails sent to this address. Whomever controls this list, please remove me. Thx. *- NPOC Github*
Access to this platform is granted through the credentials on Master Dump. Note: However, as per Github policy, 2FA cannot be disabled, see below. [image: image.png] I tried several ways and in the case of Github this is unavoidable. The way to proceed with this: - Log in using one of the Backup codes for the account (These can be found in the Master Dump) - Go to Account >> Settings >> Password and Authentication >> Two-factor authentication >> Two-factor methods >> Authenticator app >> Edit then proceed with creating a new 2FA linkage
*- Other minor platforms*
Access to these platforms is granted through the credentials on Outreach Dump and/or Master Dump. I believe that will be all in this regard. Regards, Jean F. Queralt Founder & CEO - The IO Foundation <https://theiofoundation.org/> Book a meeting <https://tiof.click/BookJFQ> (30 minutes) -- **DISCLAIMER** *The content of this message, which may contain personal or sensitive data, is confidential. If you have received it by mistake, please inform the sender by replying to the email and then permanently delete the message, including any attachments. It is forbidden to copy, forward or in any way reveal the content of this message to anyone. The integrity and security of this email cannot be guaranteed over the Internet and, therefore, the sender will not be held liable for any damage caused by the message.*
participants (1)
-
Jean F. Quéralt