Anyone using JW Scheduler software?

[More4me2do]

There is in the assignments a button labeled 2022 and another 2023 make sure that each has the correct day selected. 

[PubServ]

On 7/27/2022 at 9:03 AM, Benjamin said:

Just curious if anyone has seen this message. It was brought to my attention, asking if we should be using JWS. My understanding is that our data is saved on your local computer. Any thoughts on how to respond? Thanks.

I wanted to make one comment on this highlighted topic/quoted block:

 

Assuming use of modern / accepted symmetric crypto cyphers (and specifically long key lengths), data thereby ‘obfuscated’ is actually no longer ‘Information’, it is, in fact, gibberish, unusable except in the case of offline brute force attacks, and with said long key lengths, there isn’t enough time and compute power to make that anywhere close to feasible.  Risk score = 1 (lowest)

 

And really - who would bother.  There are far easier, more productive, and even public means for identifying sensitive information, including white pages, property tax records, social engineering and the like. 
 

I’m more interested in the usability (reliability and stability are especially critical) of NWS - and just beginning to explore it. 
 

thanks for the dialog all. 
 

Yb,

Eric

[Floyd]

On 12/8/2022 at 8:50 PM, PubServ said:

I wanted to make one comment on this highlighted topic/quoted block:

 

Assuming use of modern / accepted symmetric crypto cyphers (and specifically long key lengths), data thereby ‘obfuscated’ is actually no longer ‘Information’, it is, in fact, gibberish, unusable except in the case of offline brute force attacks, and with said long key lengths, there isn’t enough time and compute power to make that anywhere close to feasible.  Risk score = 1 (lowest)

 

And really - who would bother.  There are far easier, more productive, and even public means for identifying sensitive information, including white pages, property tax records, social engineering and the like. 
 

I’m more interested in the usability (reliability and stability are especially critical) of NWS - and just beginning to explore it. 
 

thanks for the dialog all. 
 

Yb,

Eric

 

I am just going to stick with the facts. Believe me I understand everything you said and agree with you regarding the security.

• Somebody here claimed they made the obfuscated data readable within 30 minutes.
• The organization also does not make a distinction between readable data and obfuscated data when it speaks of storing data online.
• The obfuscated data is stored online on the sharing server for a time.

Everybody has to make a personal choice with that information. Much of the data is publicly available but who is one of Jehovah's Witnesses is not and that information will be especially valuable to the government at some point.

 

We went through something similar for a time when we had to use landline phones for private communication even though I knew that a digital cell phone was far more protected than any landline. Even I know how to tap a landline and record conversations but to do the same with a digital cell phone is nearly impossible. Yet we still had to use landlines until nearly all cell phones were digital.

 

At some point the organization will probably tell us we can store encrypted or obfuscated data online. I have stopped telling people what they should or shouldn't do in this matter since we are not masters over other people's faith. Everybody has to make their own decision.

[Mike]

TAKE MY MONEY!  We have used the scheduler for almost a year.  It is now time to renew the registration.  I have been trying for 4 days.  I have tried 3 differant computers, cleared my cache and cookies, reset my router, rebooted my system ... basically, everything I can think of.  Each time I input and click to PAY, I get the same message:  We are unable to complete your request at this time. Please try again.

 

Any ideas?

[Aja]

18 minutes ago, Mike said:

TAKE MY MONEY!  We have used the scheduler for almost a year.  It is now time to renew the registration.  I have been trying for 4 days.  I have tried 3 differant computers, cleared my cache and cookies, reset my router, rebooted my system ... basically, everything I can think of.  Each time I input and click to PAY, I get the same message:  We are unable to complete your request at this time. Please try again.

 

Any ideas?

A lot of times when I'm having issues, it's my ad blockers. Any chance you have any ad block or extensions in play?

[molnarj]

You can send an email to support@nwscheduler.com The response for this issue is mostly very fast.

[PubServ]

3 hours ago, Mike said:

TAKE MY MONEY!  We have used the scheduler for almost a year.  It is now time to renew the registration.  I have been trying for 4 days.  I have tried 3 differant computers, cleared my cache and cookies, reset my router, rebooted my system ... basically, everything I can think of.  Each time I input and click to PAY, I get the same message:  We are unable to complete your request at this time. Please try again.

 

Any ideas?

 

This is so often the outsourced merchant service, API token renewal, or similar integration issue.  Not something you/we should have to worry about, frankly.  
Software reliability engineering…🙂 

[PubServ]

3 hours ago, Aja said:

A lot of times when I'm having issues, it's my ad blockers. Any chance you have any ad block or extensions in play?

best way to test is to set all your extensions (except your password manager - which you should be using (like Dashlane, etc.)) to ‘disabled’ whenever you launch a new private / incognito session, and try it again. This will make it about as pristine/unobstructed a browsing experience as you can get. 
 

hope it helps. 

[PubServ]

On 12/10/2022 at 4:27 AM, Floyd said:

I am just going to stick with the facts. Believe me I understand everything you said and agree with you regarding the security.

• Somebody here claimed they made the obfuscated data readable within 30 minutes.
• The organization also does not make a distinction between readable data and obfuscated data when it speaks of storing data online.
• The obfuscated data is stored online on the sharing server for a time

One additional comment:

the decryption of the file could be possible by a person if:

 - they had the file locally

 - had authorized access to the data (a login - I’m not yet spun up on the data at-rest/in-use methods employed on the local computer)

 - and if they performed session key intercept on the system - which could log out to a file keys generated in memory on the fly (it’s been possible on Linux for years, also it’s been commercialized by Nubeva - founded by former Aruba Networks founders)

 

But once the file is encrypted, again, given adequate key lengths, and pushed to the sharing server, it should not be decryptable by another party (assuming again, no MITM / proxy intercept method).  This latter is harder to do successfully now, with TLS 1.3, perfect forward secrecy (PFS), and pinned certificates.

(Not posturing here… just sharing - I just had to write a white paper on this so it’s pretty fresh…🙂). 
 

 

[Kennykuva]

I’m just beginning to use it as an administrator for our cong. Wondering if it is able to integrate LM school assignments with S-89 form … 

[Floyd]

11 hours ago, PubServ said:

One additional comment:

the decryption of the file could be possible by a person if:

 - they had the file locally

 - had authorized access to the data (a login - I’m not yet spun up on the data at-rest/in-use methods employed on the local computer)

 - and if they performed session key intercept on the system - which could log out to a file keys generated in memory on the fly (it’s been possible on Linux for years, also it’s been commercialized by Nubeva - founded by former Aruba Networks founders)

 

But once the file is encrypted, again, given adequate key lengths, and pushed to the sharing server, it should not be decryptable by another party (assuming again, no MITM / proxy intercept method).  This latter is harder to do successfully now, with TLS 1.3, perfect forward secrecy (PFS), and pinned certificates.

(Not posturing here… just sharing - I just had to write a white paper on this so it’s pretty fresh…🙂). 
 

 

 

Again I agree with you except the organization makes no distinction between encrypted and unencrypted data when it talks about storing data in the cloud. Its a moot point. That is the only reason I am not using it yet.

 

If I encrypt my publisher files and then stored them on Google Drive would that be ok? Not according to our current instructions. I think it should be ok but I am waiting on Jehovah to tell me it is.

 

 

[Kennykuva]

Every cong. member’s name/address/phone number are already listed in my phone’s “Contacts”. I’m sure this info is not encrypted. This is stored in a cloud is it not?

[Floyd]

27 minutes ago, Kennykuva said:

Every cong. member’s name/address/phone number are already listed in my phone’s “Contacts”. I’m sure this info is not encrypted. This is stored in a cloud is it not?

 

But that is not all of the publisher information stored in JW Scheduler. We are not talking about just contact information.

[molnarj]

9 hours ago, Kennykuva said:

I’m just beginning to use it as an administrator for our cong. Wondering if it is able to integrate LM school assignments with S-89 form … 

Yes. Go to the Printing Tab and choose Save, Print and Email Reports. Then choose Life and Ministry Meeting. Assignment Slips. Choose your Template and the Period. Then choose Save, Email or Print.

[More4me2do]

4 hours ago, Floyd said:

If I encrypt my publisher files and then stored them on Google Drive would that be ok? Not according to our current instructions. I think it should be ok but I am waiting on Jehovah to tell me it is.

 

Please tell me the letter reference in any letters that show the current instructions have changed from the letter to BofE December 17, 2012 which said this:

"We have received reports that some are using online storage services for congregation documents. We have researched this matter and would like to provide the following guidelines so that these services can be used appropriately and securely.

In general, there is no objection to the use of such a service. However, if your body of elders chooses to do so, you should select the appropriate service for your needs and establish and maintain a suitable security protocol for those using the service."

 

Dropbox, Google Drive, and OneDrive were listed as acceptable.

 

Edited December 14, 2022 by More4me2do

[Floyd]

6 hours ago, More4me2do said:

 

Please tell me the letter reference in any letters that show the current instructions have changed from the letter to BofE December 17, 2012 which said this:

 

 

 

sfl 22:23

[More4me2do]

3 hours ago, Floyd said:

 

sfl 22:23

 

Que??

[jwhess]

41 minutes ago, More4me2do said:

 

Que??

See PM

 

Edit: I can't message you, it says your inbox is full.  The reference is to Elder instructions that say it is OK to put files online (certain specific instructions not dealing with normal congregation items.

Edited December 15, 2022 by jwhess

[More4me2do]

9 minutes ago, jwhess said:

See PM

 

Edit: I can't message you, it says your inbox is full.  The reference is to Elder instructions that say it is OK to put files online (certain specific instructions not dealing with normal congregation items.

 

Thanks I deleted 10 messages of the 27 that I had in the inbox, should be good now.

[More4me2do]

There seems to be a 250 message limit on the inbox and I only have used 5% could it be that your sent items box is full

[jwhess]

could be, I will check.

[Floyd]

20 hours ago, jwhess said:

See PM

 

Edit: I can't message you, it says your inbox is full.  The reference is to Elder instructions that say it is OK to put files online (certain specific instructions not dealing with normal congregation items.

 

Basically anything you can put on the information board can be stored online. "Sensitive" information should not be stored online.

[JKalliola]

-

Edited December 24, 2022 by JKalliola
There was a new group for problems etc.

[howudodat]

On 12/14/2022 at 7:45 AM, More4me2do said:

 

Please tell me the letter reference in any letters that show the current instructions have changed from the letter to BofE December 17, 2012 which said this:

"We have received reports that some are using online storage services for congregation documents. We have researched this matter and would like to provide the following guidelines so that these services can be used appropriately and securely.

In general, there is no objection to the use of such a service. However, if your body of elders chooses to do so, you should select the appropriate service for your needs and establish and maintain a suitable security protocol for those using the service."

 

Dropbox, Google Drive, and OneDrive were listed as acceptable.

 

 

This question comes up from time to time on this forum. There are a lot of opinions.  It's a question that is on a similar level to will we have electricity or eat meat in the new system.  

Here are some things to consider:

• Data protection laws have changed significantly over the past years, especially in Europe.
• There are only 3 letters from 2012 still on jw.org.  Dec 17th is not one of them.  That might be a hint that newer instructions are out there
• Just because your phone has some information doesn't mean it has everything (baptism dates, birth dates, children's names, emergency contacts, etc)
• Just because you have contacts on your phone doesn't mean you have to store them in the cloud, none of the contacts on my phone live on google's or apple's spyware farms
• Google, et al, make money from harvesting information.  If they can't harvest your data, they go broke.  Given the fact that they are not broke, serious thought should be given to what they are able to harvest
• Any encryption can be broken
• No security is perfect

So really the only thing to consider is:

• Sensitive information should not be stored online. 
• Publisher information is sensitive. 
• Our role as elders is not to decide whether or not we will follow directions, but how to implement them.  That gives us a little room to consider:
  • 95% of the information in JWS is not sensitive.  Once the data is obfuscated who cares if 
    • id:1 has clm:5 on date:2022-01-01
    • Of course after that it's encrypted.
    • But even if it isn't obfuscated and encrypted, who cares if Peter has TGW on 2022-01-01 
  • What about the other 5% publisher sensitive info???
• The question for the body to consider is once the data is obfuscated and encrypted is it still considered sensitive.  That I wont personally comment on.

  

JWS has never given a decent example of how their obfuscation works.  It would be much more helpful if they explained how their publisher information obfuscation works.  It would also be helpful to know if they store all the publisher information on their sharing servers, or only deltas. 

• For example an initial sync of publisher sensitive information could happen through some secure means, then once that happens, no personally identifiable information would ever be stored on their servers. 

 

I have asked them for this information and their response...well...I better bite my tongue here.

 

 

 

 

[jwhess]

Our organization is quite capable of informing us of situations they feel violate their standards or endanger the publishers under their care.  We can remember the counsel not to do electronic public witnessing carts.  Some of us remember the counsel to stop converting Watchtower publication files to Isilo pdb files and so on.  If there is a problem. concern or danger, they will be quick to point it out.  After months (years) of comment, no such counsel was given.

 

EDIT:  after 3 years of letter writing and phone witnessing, how many of us have become adept a searching out personal data on anyone in our territory?  I can find your name, address, phone umber, age. relatives names, whether you bought your home and how much it cost, legal records, convictions and sequence of your moves for 10 years. The list goes on.  For an additional fee I can get your drivers license, insurance data and so on.  Why would my baptism date require more concern that where I live and how much money I make?  Lighten up folks.

Edited December 26, 2022 by jwhess