Neon CRM Vulnerability Allows Modification of Member Numbers

TL;DR: Earlier this summer the SCA configured their Neon CRM membership portal to show registered users their member number. I discovered a vulnerability in Neon One’s software that allowed technically savvy users to abuse that capability to change their member number to any value they desired.

After this was reported, the link to the vulnerable screen was removed, but the screen still exists and the vulnerability in the underlying Neon CRM software appears to remain unpatched.

In February the SCA completed the migration of its membership data from an aging legacy system (“Members Only”) to a new platform hosted by Neon One. Their Neon CRM service now appears to function as the system of record for the Society’s member records, including modern names, addresses, and payment information, as well as SCA-specific data such as Society name, kingdom, and member number.


When Was the Society President Hired?

The senior-most officer in the Society for Creative Anachronism is the President, to whom nearly all other officers report. (The only exceptions are the Society’s Executive Assistant, and for some reason, the Manager of Information Technology.) As described the last time the position was opened for new candidates, the President is the Society’s executive representative to the outside world, and coordinates much of the Society’s internal operations.

The position of President was held by Isabeau della Farfalla from around April 2013 until around April 2016, when she was replaced by John the Bearkiller. Although there isn’t much documentation on how these appointments work, my understanding is that this was expected to be a three-year term (as it had been in the past), accompanied by a small stipend.

It appears that at some point in 2019 this arrangement was revised, and the position was reclassified as a salaried employee with no scheduled expiration date. I haven’t been able to find any discussion of this change in the Board Minutes or other public records of the Society’s governance.

This topic was brought up during the Board’s “Meet and Greet” session at Pennsic, and director Bricca di Ghelere indicated that she would provide an update on matters of internal staffing during the next quarterly Board meeting.

Is Data Disclosed by the SCA’s Digital Membership Card Vendor?

On June 23, the SCA announced the upcoming availability of “digital membership cards,” an electronic representation of the SCA’s traditional paper membership cards, delivered in formats compatible with smartphone apps such as Apple Wallet and Google Wallet.

On June 26, SCA members received email messages sent on behalf of the SCA, containing instructions on how to download their personal digital membership card. The email was sent by Cuseum.com, a vendor providing this service on behalf of Neon CRM, the service that the SCA uses for its membership data.

In the last day or so, a number of SCA members have expressed concern that the Cuseum.com privacy policy allows the vendor to sell (“share”) user data, which could mean that information about SCA members is being passed to advertisers.


SCA To End Emailing of Credit Card Numbers

The SCA will soon stop asking local event organizers to pay for venue insurance certificates by sending their personal credit card number to the corporate office via email, as it had been doing for the last two decades.

Instead, event organizers will be asked to process those credit card payments on the new membership portal operated by NeonOne, as hinted when the new higher costs for certificates were announced in April.

This change will be well received by Internet security enthusiasts among the membership, who have complained for many years about the practice of sending credit card numbers by email.


Lawsuit Watch: Parker v. the SCA

A recent mention on social media led me to discover an active lawsuit against the SCA currently being litigated out in An Tir: Parker v. Society for Creative Anachronism Inc.

As I understand it, the case was brought by Ha’kon Thorgeirsson and Alizand Thorgeirsson, a couple with a long history in the Society, who became embroiled in a seemingly endless web of disputes with other local participants. These disputes seem to have included a mix of disagreements about how to run local Society affairs, random interpersonal drama, and the kinds of things that Americans refer to as “culture war” issues: the lead plaintiff’s social media posts include allegations of Democrats rigging the 2020 election and claims that anti-Covid measures are motivated by a sinister desire for pervasive social control, while some of their antagonists complained about comments that were perceived as racist.


Are Releases Needed to Re-share Social Media?

Someone asked an interesting question over on the Known World Discord server this evening, and after I wrote up my answer I thought I should also post it here (lightly edited) in case it was of use to anyone else:

Is sharing posts from individuals […] acceptable by SCA social media rules for official accounts, or is a written release required?


Procedures for Reporting IT Vulnerabilities

The SCA does not have an established procedure for reporting or addressing technology security vulnerabilities.

In correspondence with the Society IT Manager, they suggested sending vulnerability notifications by email, either to them, or to the relevant kingdom officers, or both.


Update: SCA Disclaims Copyright to Heraldic Officers’ Work

Earlier this year I learned that the SCA has long relied on an unwritten interpretation of copyright law that does not seem to be well supported.

I’ve encouraged Society leadership to reconsider this approach, motivated in part by the fact that this would have implications for my work on the Book of Traceable Heraldic Art, but it’s been difficult to make much headway and now a month has passed since my last email without any reply.

While I am not a lawyer, I am profoundly skeptical that the Society’s interpretation holds any water, and so I have decided to move forward without giving it any credence, as laid out in the letter below.

[Update:] I’m very happy to report that the Society Seneschal has responded, stating that they are not claiming copyright to the armorial depictions produced by heraldic and scribal officers.

It remains unclear to me on what grounds they claim copyright for some creative works created by volunteers but renounce it for others — however, as a first step in the right direction, I am pleased by this declaration.


Accessing SCA Member Information

For reasons discussed here previously, I was curious as to how complex it might be to programmatically access member data from the SCA’s new member portal.

It turns out the switch from MembersOnly to NeonOne has made this dramatically easier, and we can access member data in just a few lines of Python without scripting Chrome or hand-crafting any RPC calls.


From the Archives: Annexation of the Southern Marches

When the Middle Kingdom was created in 1969, the borders between kingdoms do not seem to have been precisely drawn, but it appears that all of the seaboard states continued to be part of the East.

I’m not sure exactly what folks at the time had in mind, but I think it was something like this:

The borders of the East remained this way through 1972, by which time branches had been founded in Florida and Georgia.
