Draft Licensing Agreement for SCA Software Developers

TL;DR: If you write or manage software for the SCA, I’d love to get your feedback on this proposed license agreement intended to document the Society’s ability to continue using and maintaining the software even if you someday become unavailable.

Given the high proportion of technical professionals in the Society’s ranks, it is no surprise that the SCA has a long history of informal software development: folks developing small custom applications to facilitate some part of their office’s or local group’s operations. However, this process has by and large been uncoordinated, and policy for it has been slow to coalesce.

One recurrent issue in this area has been the lack of clear licensing practices. In a few cases, copyright has explicitly been transferred to the Society, but in the majority of cases the issue has not been considered, leaving the copyright in the hands of the original developer. In most cases, there is no written license agreement, which is usually fine while the original developer remains involved in local activities, but can become problematic if they move away or drop out of Society activities, as nobody knows for sure if the group has the right to continue using the software, to make changes to it, or to share it with other branches of the SCA.

From the Archives: The “SCA Gazette” Proposal of 2015–2017

In April 2015, the Society’s Publications Office undertook a survey, variously referred to as the “Evolution of SCA Communications” or “Newsletter & Communications Survey,” which asked participants about the channels they used to obtain information about SCA activities.

Survey announcement sent to kingdom chroniclers

At the next quarterly meeting of the Board of Directors, the Publications Office submitted a flurry of proposed policies and actions based on the survey results.

Branch Pollings Have Been Stymied by Member Data Problems

TL;DR: Democratic governance requires logistical competence, but for more than half a year garbled address data and other issues with membership records have complicated the branch pollings that are supposed to be part of routine Society operations. 

As previously discussed here, the SCA recently migrated its membership database from the Members Only platform it had used since 2012 over to a service offered by Neon One.

This transition took quite a bit longer than anticipated. (It had been announced by the Society’s President at the July 2022 Board meeting, with an anticipated launch date in October. At the October 2022 Board meeting the anticipated launch date was pushed back to November; data import issues were mentioned as contributing to the delay. On January 1 it was announced that the old membership portal would be taken offline on January 3 for “several days” to launch the new system, but the site did not launch as scheduled. At the January 2023 Board meeting three weeks later, the delay was attributed to bad weather. The eventual launch of the membership portal was announced on February 8.)

Unfortunately, the data migration appears to have introduced errors in the membership records that have been difficult to correct. Some people found that their address had been reset to a location where they had lived years ago; others found that their zip or post codes were wrong; and some had their membership numbers changed. Folks with family memberships had their own set of problems; in some cases, membership numbers were swapped between two relatives, and in one case a person who requested a new membership card instead received one addressed to a recently deceased relative.

Neon CRM Vulnerability Allows Modification of Member Numbers

TL;DR: Earlier this summer the SCA configured their Neon CRM membership portal to show registered users their member number. I discovered a vulnerability in Neon One’s software that allowed technically-savvy users to use that capability to change their member number to any value they desired.

After this was reported, the link to the vulnerable screen was removed, but the screen still exists and the vulnerability in the underlying Neon CRM software appears to remain unpatched.

In February the SCA completed the migration of its membership data from an aging legacy system (“Members Only”) to a new platform hosted by Neon One. Their Neon CRM service now appears to function as the system of record for the Society’s member records, including modern names, addresses, and payment information, as well as SCA-specific data such as Society name, kingdom, and member number.

SCA To End Emailing of Credit Card Numbers

The SCA will soon stop asking local event organizers to pay for venue insurance certificates by sending their personal credit card number to the corporate office via email, as it had been doing for the last two decades.

Instead, event organizers will be asked to process those credit card payments on the new membership portal operated by NeonOne, as hinted when the new higher costs for certificates were announced in April.

This change will be well received by Internet security enthusiasts among the membership, who have complained for many years about the practice of sending credit card numbers by email.

Procedures for Reporting IT Vulnerabilities

The SCA does not have an established procedure for reporting or addressing technology security vulnerabilities.

In correspondence with the Society IT Manager, they suggested sending vulnerability notifications by email, either to them, or to the relevant kingdom officers, or both.

Accessing SCA Member Information

For reasons discussed here previously, I was curious as to how complex it might be to programmatically access member data from the SCA’s new member portal.

It turns out the switch from MembersOnly to NeonOne has made this dramatically easier, and we can access member data in just a few lines of Python without scripting Chrome or hand-crafting any RPC calls.

Letter: Reconsideration of Sanction of Brian De Moray

I have sent the following letter regarding the sanction of Brian De Moray to the Society Seneschal, the Board Comments address, and the Ombudsman for IT, with copies to the Society IT Manager, Society Webminister, East Kingdom Webminister, and Brian De Moray himself. As always, I included my modern name and member number. Receipt was acknowledged less than two minutes later; I suspect they’re having a busy weekend over there. I will update if further action is taken.

To the Society’s Seneschal and Board of Directors, greetings from the East.

I write to you today to ask you to reconsider the January 2020 sanction of Brian De Moray, as the information available in the public record suggests that this decision may have been made in error.

The Sanction of Brian De Moray

TL;DR: Brian De Moray is a Master of Defense and of the Pelican in Atlantia, who was sanctioned by the Society in January 2020 for an innocuous 113-word Facebook post commenting on software development work he was doing as a volunteer for the kingdom.

As far as I can tell from the information available to me, this sanction appears to have been an error, made in haste by a Board that misinterpreted some technical jargon they didn’t understand, and should be reversed.

I first became aware of this case when it was mentioned in the context of the Wistric Saga, being discussed by Aeron Harper in the second part of his “Tale of Six Sanctions” essay. Aeron’s article was focused on the procedures and policies of the sanctions process, and understandably glossed over some of the technical details, but as a software developer, my curiosity was piqued.

At the time, I was disappointed to learn that Brian was reluctant to discuss the details for fear of additional sanction, but ten days later he published additional information, including technical details of his work, after the Chairman of the Board of Directors assured him that he would not be sanctioned a second time for the same offense.

Why Does IT Report Directly to the Board?

I’ve submitted this question to the “Topical Town Hall Request” form, but it’s obscure enough that I’m not terribly optimistic about seeing it addressed in upcoming meetings:

According to the October 19, 2019 organization chart available from sca.org, the Society Webminister is the only officer with kingdom/local counterparts who does not report through the Society President — instead they report to the Manager of Information Technology, who reports directly to the Board. 

Why is this reporting structure different than every other role in the organization?
