Popular Post Jordan aka FltAdmlWolf Posted August 1, 2021 Popular Post Posted August 1, 2021 Valued members of the StarBase 118 Community, We are sad to report that we've discovered what appears to be intentional tampering with our 2021 Awards nominations. We'd like to help you understand what we found, how it affected the outcome, and how we will ensure it doesn't happen again. BACKGROUND As you know, we use a form on our website to collect nominations. We use a WordPress plugin called "GravityForms" to build this form and manage the entries, and your nominations are stored in WordPress, in the GravityForms plugin database. When it's time to compile the nominations each year, we export the entries and transfer them via a CSV file into a Google spreadsheet. Our Awards Facilitator and their team then collate the nominations and separates them by type (General, Duty Post, etc.). In addition to storing entries in GravityForms, email notifications are generated from each nomination and sent to the original nominators for their records. An additional email record is sent to a private archive. We were alerted by a member that they were not on the list of people who were due to receive a nominator badge, despite receiving email confirmation of their nomination. We verified that the nomination had generated an email notification from the nomination form but was not present in our database of nominations in GravityForms. INVESTIGATION We then began an investigation to try and determine how we could be missing nominations in our database that had been properly entered into our form. Two staff members conducted a full audit of our backup archive of email notifications against what's in our database, and it became clear that a total of eight nominations were missing from our database and therefore not considered by the various committees that review and select award winners. These nominations were for two members, and half the missing nominations were for one member and one award. We also conducted an audit of our 2020 Awards nominations to see if we could find any missing ones there, and found none missing. As we investigated, we found that a former staff member who had left the group last year somehow had access to WordPress at the level required to delete GravityForms entries, despite having been removed from all staff-level access upon their departure – a fact that had been confirmed twice on separate occasions after that. We also found that this player had a secondary forum account from the one they had used as a staff member, and that this player had been logging in to our forums repeatedly around the time of the awards. And, perhaps most damningly, we found server access records that clearly linked the IP address used to log into that forum account to deleted entries in our WordPress Community News queue. Hoping someone would not be malicious enough to delete award nominations for a friend and former colleague in our community, we investigated other possibilities. But we could not establish a compelling, alternative theory on how these nominations disappeared. If the error had been technical, we would not expect to see only two people – from the same ship – affected: The nominations came from several people, who also had other nominations for other players, some for the same award or award category; The nominations were submitted on different days and different times, so where we originally suspected this could be due to overload at peak times of nomination submissions, this is not the case; Those whose nominations were missing received other nominations present in the lineup, both from the same nominators, and others. While we are fairly confident that the pattern of missing nominations, the login pattern on the forums coinciding with the awards release, and the relationship the former player in question had to those affected are pretty convincing evidence of guilt, we don't have an open-and-shut case. WordPress does not have native login tracking, and there are no logs to show records being deleted manually. As such, we are choosing not to reveal the identity of the player we believe may have been tampering with our site. There was extensive conversation amongst the Captain’s Council on this matter, and though some members considered the evidence that we have to be clear enough to name the player in question, we have decided to avoid doing so due to the fact that this evidence is circumstantial. WHAT HAPPENS NEXT The Captain's Council is mortified and upset to discover two members of our community were not properly considered for nominated awards this year due to the nefarious interference of a former member. We have made a personal apology to the two affected players, and we're making it again now in this public forum. Of course, our awards process is one of our most honored traditions in the group and we don't want anything to impact it now, or going forward. As such, we intend to make the following changes to our process immediately: We will increase the time between the closing of the nomination period and the beginning of the Awards Ceremony by one week. This will give us more time to audit the data we have and allow the Staff more time with the administration of awards, ensuring we're not adding stress where we can avoid it. We will change the access to WordPress in the coming weeks and, specifically, move the Awards Nomination Panel to its own WordPress subsite with access available to fewer people. We have already begun a process – and will continue to iterate on it – to strengthen our access control, safeguarding our community by removing members who have retired or taken long-term leave. The Captains Council also has a process of reviewing the awards post-ceremony each year – examining what went well and considering what needs improvement – and we'll be starting this sooner than we normally do, to ensure the most recent Awards Ceremony is fresher in our minds, for the sake of coming up with other recommendations on how to ensure the integrity of our process. Sincerely, Members of the Captains Council 7 9 1
Recommended Posts