Revision as of 21:02, 24 June 2011 by Risker (→Break - security: some comments about security) | Revision as of 21:08, 24 June 2011 by Coren (→Break - security: A more detailed response)
* There are two separate issues here: the first is the personal IT security of individuals with access to non-public mailing lists, which we believe is what is at issue in this current event. We all know people who have taken all kinds of precautions and still wound up with hidden software in their computer; and this will always remain the most likely vector of attack.
The second issue is the management of archiving of private mailing lists, and we have been working with WMF on this issue for some months now. Changes are already in progress for some private mailing lists which are affiliated in whole or in part with Arbcom. The biggest challenge is the Mailman software that is currently used by WMF: it is extremely inflexible when it comes to archiving. One either has archiving turned on or off, but there is no ability to set auto-destroy or to manually remove posts from the archives. Therefore, the only way to keep current archives that are in very active use is to also keep the archives that were created at the inception of the list. We have made what we believe is a strong case for WMF to consider other mailing list software specifically for private mailing lists (Mailman's archiving function is just fine for the public lists).
We have also endorsed the principle of requiring two-step log-in for WMF-related private wikis, and I've been advised that the developers/sysadmins are currently looking at how this can be done, with a goal toward implementation. Risker (talk) 21:02, 24 June 2011 (UTC)
The story so far
Yesterday, around 15h UTC, we were made aware by Malleus Fatuorum that an email exchange between him and the Arbitration Committee had been leaked to an external website. The contents of the leaked email thread, which included comments that were restricted to the Arbitration Committee list itself, demonstrated that the leak necessarily came from someone who had access to (at least part of) the email archives or email box of a currently sitting arbitrator (or Jimmy Wales).
An investigation of the technical aspects of the leak has shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran, indicating that the person responsible for the leak was in control of that mail account. Given that it seemed highly improbable that Iridescent himself would have had the wherewithal to use a proxy computer in a foreign jurisdiction yet use a mail account directly associated with him, the scenario that the leak was a wilful act from Iridescent was not credible.
At that time, I emailed the list and arbitrator Risker directly (who is one of the arbitrators in technical control of the mailing lists and the secure wikis) that Iridescent's mail account was compromised, and that it should be immediately removed from all private lists and wikis. This was done shortly, thus ensuring that whoever was in control of Iridescent's email account would get no further access.
Simultaneously, we entered in contact with Iridescent through a different email account and verified that he was the correct person with private information that could not be found in any email archive. Once contact was established, Iridescent immediately changed all his passwords and all the email addresses associated with wiki accounts he has access to. At this time, Iridescent is still evaluating his personal computing security and has not yet been returned any access to private information.
Every arbitrator has since taken steps to reevaluate their own computer security by, among other things, changing their passwords or other credentials where appropriate, or turning on additional security features such as two-factor authentication where possible. While this offers no guarantees that all our accounts are secure, it greatly reduces the probability that more accounts are under external control.
Unfortunately, Iridescent's password to the Arbcom email archive was sent to him via the email address that was compromised, and it seems that the attacker used it to access it to leak at least one email thread from it. At this point, we must presume that all of Iridescent's email to and from that email address as well as an unknown fraction of the archive of the mailing list have been stolen by the attacker. Likewise, it is not possible to assess whether only Iridescent's Yahoo account has been compromised, or whether much or all of his computing resources were.
In the name of the Arbitration Committee, I offer our most profound apologies to everyone whose privacy has been breached by this criminal act. While our investigation is ongoing, and we hope to gather enough information to evaluate more precisely the extent of the intrusion, our focus will be on making the necessary systemic changes to prevent such an attack from succeeding in the future.
— Coren 21:08, 24 June 2011 (UTC)
Revision as of 21:08, 24 June 2011
Use this page to discuss information on the page (and subpages) attached to this one. This includes limited discussion of the Arbitration Committee itself, as a body. Some things belong on other pages:
Re-organisation of Wikipedia:Arbitration/Requests/Enforcement
As a matter of experience, the Arbitration Enforcement (AE) noticeboard is unwieldy. In the current system of organisation, all requests are under one main header, with the most recent ones going to the bottom. The result is that an administrator, upon opening AE to attend to pending requests, is faced with a lengthy array of threads. I propose that we do something to improve the organisation of the noticeboard, although I have no single preference as to what new structure we implement. My suggestion is that we create sub-sections for the topic areas that are most commonly related to enforcement requests, with the option to add or remove sub-sections as dictated by demand, and with a final sub-section for other requests. The resulting structure would be:
= Requests for enforcement =
== Open requests ==
=== Arab-Israel conflict ===
=== Armenia-Azerbaijan ===
=== Digwuren ===
=== Pseudoscience ===
=== Other topics ===
== Closed requests ==
The sub-sections of Open requests are alphabetised (except for Other topics, which is placed last), so as to not give precedence to any one topic area. The topic areas which I have given their own section are ones that come to mind when I think of the cases which are most commonly cited at AE, but there may be others, and in any case this is merely an example. Also, I am unsure if I need the Committee's approval for this change, because AE was initially a community process—and, although it was moved by an arbitrator to the ArbCom space, I think it still is. But I thought I'd propose this here, because, although my primary motivation is to ask for input from everybody, I am also keen to know how the arbitrators would feel about these changes. AGK 21:39, 24 May 2011 (UTC)
- Thank you for giving this issue consideration, AGK. I think the most useful feedback would be from other administrators who currently participate in arbitration enforcement, as well as perhaps others who may be considering it. If this works for all of you, then it is likely to be a good step. One very minor point: Pseudoscience. :-) Risker (talk) 06:19, 25 May 2011 (UTC)
- My bad; fixed :). AGK 08:33, 25 May 2011 (UTC)
- As Risker said, this is mostly a question of what works best for the admins involved in enforcement; while the Committee retains jurisdiction over the enforcement process in principle, I don't see any problem with having the people who actually participate determining how to structure it.
- Personally, I think your idea is a good one. The only suggestion I would make is to use topic areas, rather than actual case names, for the section headings; "Eastern Europe" is much more obvious than "Digwuren", for example. Kirill 10:25, 25 May 2011 (UTC)
- Yeah, topic areas as opposed to case names would be better. As an aside, naming of cases has improved in recent years, and it is normally only older cases that do not have descriptive titles. AGK 20:04, 29 May 2011 (UTC)
- Kirill: As a purely constitutional point, arbitration enforcement is a community process, because it is operated entirely by administrators who do not sit on the Committee. It was moved into the Committee's namespace some time ago, from a subpage of AN, but without community agreement. AGK 14:28, 7 June 2011 (UTC)
- I disagree. The fact that arbitration enforcement is performed by the administrator corps, rather than the Committee itself, is immaterial; the administrators are implementing the Committee's decisions, pursuant to the enforcement provisions set by the Committee, and thus the enforcement process as a whole is necessarily under the Committee's jurisdiction.
- Or, to be slightly more pedantic: administrators are able to perform certain actions (e.g. blocking editors) on their own discretion, pursuant to the relevant community policies; thus, for example, the activity of AN/I. Thus, any administrator may in principle sanction an editor who violated an arbitration decision independently of the decision per se, by arguing that the editor's action was sanctionable in and of itself. However, for an administrator to legitimately claim that his actions constitute "enforcement of an arbitration decision", those actions must be carried out in accordance with the provisions for enforcement contained in said decision—else they are merely independent actions which happen to sanction the same offense. In other words, any administrator who explicitly claims to be acting pursuant to the Committee's instructions is by definition granting the Committee jurisdiction over his actions by doing so. Kirill 00:03, 8 June 2011 (UTC)
- I don't know about this. There are quite a lot of areas under discretionary sanctions; I'm not sure if I fancy seeing 12 headers up on WP:AE all the time, not even counting subheaders. Perhaps if we had people include the case in the section title like so: ==User (9/11 attacks)==, and started archiving closed discussions more quickly, we could streamline the process a bit more and achieve a similar result. NW (Talk) 11:22, 25 May 2011 (UTC)
- I don't see what problem this is solving. Admins who often comment at AE probably go there at least once a day. They are unlikely to be confused by the set of threads currently open. I tend to check the history before opening the page to see if there are any new comments on the set of things I am following. Adding headers to the page could be adding one more task for the people trying to submit complaints. EdJohnston (talk) 16:37, 25 May 2011 (UTC)
- Ed: I am as active at AE as most, but I regularly get frustrated and confused by the mass of threads. The page is simply so massive, even when closed threads are collapsed and even with the relatively prompt archiving set-up in place. My personal feeling is that we must impose some further structure if this page is to continue to function, although as I said before this is only one idea and I don't mind particularly what that structure is.
NW: That suggestion might actually work. I wonder if we could additionally create two sub-headers, for Open requests and Closed requests, to further separate the settled threads (before they are archived) from the stuff that actually needs attention. I should also say that I anticipated that we would limit the depth of the table of contents, so that only the main headers were visible, and so that the number of headers didn't become unwieldy. Sorry I didn't make that clear. AGK 20:04, 29 May 2011 (UTC)
- The problem with limiting the headers using {{TOC limit}} is that if you use {{TOC limit|2}}, you don't have enough headers. If you use {{TOC limit|3}}, you have all the subject areas but it isn't easy to see from a glance if there is anything in the section you want to see, so you have to go down and read it all anyway. If we use {{TOC limit|4}}, that would work I guess, but I think that's too many headers. I liked the idea of "opened" and "closed" sections though. NW (Talk) 20:22, 29 May 2011 (UTC)
Arbitration policy update and ratification
The current written arbitration policy dates from 2004 and much has evolved since then. It has been extensively reviewed over the last two years, with a series of wide-ranging community consultations. A proposed update has now been posted and is awaiting community ratification. All editors are cordially invited to participate in the ratification process, which is now open. Roger Davies 23:36, 1 June 2011 (UTC)
Final reminder: Arbitration policy update and ratification
The current written arbitration policy dates from 2004 and much has evolved since then. The policy has been extensively reviewed over the last two years, with a series of wide-ranging community consultations, to bring the written document up to date. The proposed update is posted and is undergoing community ratification, which is due to close on 13 June 2011. All editors are cordially invited to participate in the ratification process. Roger Davies 06:02, 9 June 2011 (UTC)
Who is responsible?
I would like to know which member of ArbCom, past or present, is responsible for this leak. Malleus Fatuorum 14:59, 23 June 2011 (UTC)
- Oh dear. This is not going to end well, and I fear you--rather than the responsible parties--are going to end up pilloried. → ROUX ₪ 15:13, 23 June 2011 (UTC)
- I'm quite used to that, but there's something amiss here that needs sorting out. What else has been/is being leaked? Malleus Fatuorum 15:15, 23 June 2011 (UTC)
- Without engaging in hyperbole, this is really very bad. Personally I'd bypass the usual ArbCom nonsense and go straight to WMF. Moonriddengirl might be a good way to get someone to take notice. → ROUX ₪ 15:23, 23 June 2011 (UTC)
- meta:Ombudsman commission seems to be the appropriate Wikimedia body for outside review of this matter. –xeno 15:29, 23 June 2011 (UTC)
- The Ombudsman Commission investigates violations of the Foundation privacy policy, which does not appear to have occurred. This is a matter of a breach of trust by a community member, but not a matter for the Foundation. Dominic·t 16:47, 23 June 2011 (UTC)
- Would a contributor's non-public(?) email address not be considered personally-identifying information? –xeno 17:03, 23 June 2011 (UTC)
- Can't be any past arbitrators (for the initial leak anyway); the only people on the list these days are current Arbs and Jimbo. NW (Talk) 15:28, 23 June 2011 (UTC)
- The committee is aware of the situation and looking into it. –xeno 15:29, 23 June 2011 (UTC)
Malleus, please accept my most profound apology for this unforgivable breach of your expectation of privacy. It is vanishingly unlikely that this leak comes from someone else than a sitting arbitrator, and I want to assure you that I will do everything in my power to identify the slime who did this and crucify them. — Coren 16:34, 23 June 2011 (UTC)
- In this particular instance there was nothing particularly private, just a chat with Iridescent (who I don't at all blame for this) about a few options that are now impractical. It does though raise the very serious question of what else has been leaked. Malleus Fatuorum 16:49, 23 June 2011 (UTC)
- Nevertheless, you were given an assurance of confidentiality and, through lack of care or dishonesty, it has been breached. I agree with you that the possibility of further leaks that we are unaware of is worrisome, and makes it all the more important that the leak is found and plugged. — Coren 17:09, 23 June 2011 (UTC)
- It clearly needs to be sorted out, and quickly. I must admit to being rather puzzled at this discussion being leaked though, as I'm sure there must be much juicier stuff on the mailing list that's far more interesting. Malleus Fatuorum 17:15, 23 June 2011 (UTC)
I do hope this isn't swept under the rug, either. This is a serious breach of confidentiality and I (and I'm sure others) would very much like to know who the leak is. Please don't just do whatever it is you arbs do behind closed doors. Please make a public statement about this once it is known who did such a thing. Tex (talk) 17:18, 23 June 2011 (UTC)
- I agree with Tex, this is a very serious matter and as Tex said a lot of people would very much like to know who leaked and I, along with others, want a public statement as to what happened once it is figured out. This is a very serious issue and indeed it is worrisome that possibly other things have leaked out. This is truly disconcerting, as this defeats the entire purpose of Arb Com and emailing, to keep things that are private private, had he wanted it public he wouldn't have been emailing it. As Malleus said there are much more interesting things that could be talked about and that is partially what has me worried, if this is what we have found then there is probably other stuff that is more interesting or important out there as well. I hope that this is all resolved quickly and we can be assured that this is all that is out there. Adwiii Talk 17:42, 23 June 2011 (UTC)
- The same person has leaked some emails I recently sent to the ArbCom, and emails from some of the Arbs discussing it between themselves. I think it's important that an announcement be made about this somewhere prominently, so that people know not to send anything confidential to the ArbCom until it's sorted out. SlimVirgin 18:41, 23 June 2011 (UTC)
- I've temporarily removed the word "private" from the emphatic bright yellow box on the page, since such status can't currently be guaranteed. I agree an announcement somewhere else (although I'm not sure where) might also be a good idea. --Demiurge1000 (talk) 18:47, 23 June 2011 (UTC)
- The resulting statement instructs individuals to send all material (private or otherwise) for our attention to the list. –xeno 18:51, 23 June 2011 (UTC)
- Well, it says "any", not "all", but yes it could have been construed that way. So how should it be worded? How about "Material intended for the Committee's attention can be sent to..." ? The alternatives are emphatically suggesting a level of privacy that likely does not currently exist, or removing mention of the email address altogether until the problem is resolved. Or is there a better way? --Demiurge1000 (talk) 18:59, 23 June 2011 (UTC)
- I'd suggest full and clear honesty. Something like Notice: Communication with ArbCom has been confirmed to be compromised. Confidentiality can not be guaranteed at the current time.--Cube lurker (talk) 19:08, 23 June 2011 (UTC)
- I think the first sentence of that is perhaps overly dramatic. The second, in small, would be adequate though. --Demiurge1000 (talk) 19:15, 23 June 2011 (UTC)
- I think this is serious enough that I'd be more concerned about failure to fully inform someone who intended to transmit confidential information. My understanding is that someone with access is willing to release information maliciously. There's a definite right to know issue that goes beyond a fine print note that could be missed or not treated seriously.--Cube lurker (talk) 19:22, 23 June 2011 (UTC)
- (ec) No one will notice it there. It should be posted somewhere prominently. It would be best if the ArbCom would do that asap. SlimVirgin 19:23, 23 June 2011 (UTC)
- This aspect of the discussion has been superseded by Coren's note below as far as I'm concerned. --Demiurge1000 (talk) 19:26, 23 June 2011 (UTC)
brief status update
At this time, the source of the leak seems to have been identified and closed. We are not yet able to determine what other emails may have been stolen, but I am confident that future email will not be so exposed. The committee will give a detailed statement regarding the incident once we have finished cleaning things up and investigating the matter in detail (within the next 24h). — Coren 19:24, 23 June 2011 (UTC)
- Confirming what Coren has said above. For the record, this incident has been discussed with the WMF as well. Risker (talk) 19:32, 23 June 2011 (UTC)
- Given the ongoing leaks at Wikipedia Review, how confident are you that this matter is now sorted? Malleus Fatuorum 22:24, 23 June 2011 (UTC)
- Interestingly, the material posted so far has been surprisingly mild, and far more gossipy than scandalous. I'm a little hesitant to start writing WP:BEANS cases, but I think either the person who has the emails doesn't know what would be (relatively) explosive, or doesn't have much (I'm excluding there being nothing scandalous, based on knowing the personalities of certain people :-) ...) -- Seth Finkelstein (talk) 22:48, 23 June 2011 (UTC)
- We are quite certain that we have identified the source of the leak, and that the account involved no longer has access to any private mailing lists or the arbitration wiki. We are still assessing what information was accessed while the account was compromised. As a precaution, other members of the committee are changing passwords and reassessing their personal security precautions including hardware/software checks. Risker (talk) 22:51, 23 June 2011 (UTC)
- Should we assume that when the announcement about this is posted, it’s going to include the identity of whichever arbitrator leaked the e-mails? If it’s now been determined who was responsible for the leak, I think the community has a right to know that. --Captain Occam (talk) 00:44, 24 June 2011 (UTC)
- Risker seems to imply that the arbitrator in question had their account and/or email and/or other login information compromised by a third party. NW (Talk) 00:50, 24 June 2011 (UTC)
- Coren indicated that Iridescent's account had been compromised, but some of the leaked material dates from before his time on the ArbCom. I hope the Committee will be completely transparent about what happened here. SlimVirgin 00:59, 24 June 2011 (UTC)
- Part of the problem is that most passwords, including that to the email archive, were sent by email (hence the importance of having all accounts pointing at a new email account as swiftly as possible). Of course, access to the archive and wikis was immediately removed to prevent further access, but that will have had no effect on what data was already stolen.
In other words, it's not really possible to establish with certainty what, or how much, has been taken before the accesses were changed; our focus will be on securing things for the future so that this does not happen again. I'm going to recommend a number of procedural changes to diminish the probability of such incidents happening in the future, as well as push very hard for strong security precautions to access confidential data (for instance, two-factor authentication to access privileged wikis or archives seems important to me). — Coren 01:07, 24 June 2011 (UTC)
- I had a conversation with the Foundation about this around a year ago, maybe longer. Anyone gaining access to the wiki or the archives needs that access only for the briefest of periods. They download the material, and that's that. Once this immediate situation is sorted out, I think a serious discussion needs to take place about the amount of information the Committee is retaining about people. Realistically you can't guarantee its safety, and the larger the mailing list, the less of a guarantee there can be. SlimVirgin 01:12, 24 June 2011 (UTC)
- Yes, I'll spearhead that necessary work to reform myself. — Coren 01:14, 24 June 2011 (UTC)
- Mike Godwin posted to one of the mailing lists recently that enlightened organizations are retaining very little data about individuals, so that if a legal issue arises, there's little to hand over. And the same principle would apply to security, that if there's a leak, there's not much that can be released. But it seems the ArbCom and functionaries take the opposite approach, retaining large archives, setting up an ArbCom wiki, and I believe a checkuser wiki. A great deal of it is unpleasant gossip about people, and some of it is material that ought to remain private. So I really question the ethics of this approach, because I think it's very unfair to editors to keep so much material for so long, and to be constantly giving new people access to it, even though the subjects of the information may not have seen it themselves. SlimVirgin 01:31, 24 June 2011 (UTC)
- Coren, is what you’re saying that it was possible to use Iridescent’s account to access information from before Iridescent became an arbitrator, because their e-mail account contained the password to the archive of past mailing list discussions? And it’s certain that there wasn’t any leak other than whoever broke into Iridescent’s account? --Captain Occam (talk) 01:16, 24 June 2011 (UTC)
- That is what all the evidence we have indicates, yes. I'm not going to say that it's certain that there are no other possible leaks, but it's certainly improbable. I'm probably the only arbitrator who controls every part of his email infrastructure, so I can tell you as a fact that no access has been made to my own email, but the other arbitrators have taken measures to ensure that their passwords are secure to make as sure as we can that no other leak is possible. — Coren 01:22, 24 June 2011 (UTC)
- (ec) That was the issue I raised with the Foundation, that new members automatically gain access to the full archives, including material they have no need to read. Some kind of purging ought to be taking place each year, so that these secret files about individuals aren't being retained, just waiting for someone to steal them.
- Also, the leaker leaked Coren's email saying it was Iridescent's account. Presumably Coren sent that email after that account's access had been removed, so that's somewhat worrying. SlimVirgin 01:23, 24 June 2011 (UTC)
(←) No, it was not, though it is almost certainly the last email that account received from the list: Risker needed a bit of delay to get to a secure computer to remove the accesses. — Coren 01:28, 24 June 2011 (UTC)
- I saw some emails that were not addressed to arbcom. For example at least one email was from SV addressed to Cirt. How did this get stolen and/or leaked?
- I believe, if Wikipedia Review has some self-respect left, it should remove these stolen emails and ban the user who posted them for good.--Mbz1 (talk) 02:41, 24 June 2011 (UTC)
- My guess (provisional, and subject to revision based on new information) is that we're seeing information that was in a personal mail archive. As opposed to there being a Wikipedia Wikileaks cache of the entire arbcom list available. Umm, regarding banning the user who posted them - since it was a new special account, that wouldn't do a lot of good even if they were so inclined (horse, barn, door). -- Seth Finkelstein (talk) 03:03, 24 June 2011 (UTC)
- Just following up on what Coren has said, that was the last email on the mailing list before the account in question was fully disabled from all private mailing lists and from the arbwiki. The point about archive security is entirely valid, and it is a concern that is shared by the Arbitration Committee. We have been having discussions with the WMF specifically about alternative methods of managing archives for various private lists, some processes are already in motion, and we were continuing to examine options for the arbcom-L list. We'll be accelerating those discussions now. However, at least some of it is a moot point because it appears these are from the arbitrator's own email logs and thus even tighter security on arbcom-L or arbwiki would not have changed the outcome. The committee members are now evaluating their own personal security situations, examining methods of storing emails, changing passwords and adding two-step authentications, to reduce the risk of a further recurrence. I know the saying about the barn door (I edit-conflicted with Seth saying the same thing), but I just wanted to point out that we've been working on this in the background for a while, and unfortunately this occurred before we'd managed to hammer out the details for this specific mailing list. Risker (talk) 03:07, 24 June 2011 (UTC)
- For everybody who uses GMAIL there is a line below the list of your messages:
Last account activity: 1 hour ago at this IP (xx.xxx.xxx.xxx). Details (I redacted my IP address here)
- "Details" is a clickable button. If you click it, you will see whether any IP other than your own accessed your account. It is a very useful tool that I used to locate a dirty hacker that hacked my email.--Mbz1 (talk) 03:26, 24 June 2011 (UTC)
Am I right in recalling that this isn't the first time something like this has happened? Didn't someone once do a complete public dump of the ArbCom archives, or something like that? If this incident is any more than a complete one-off, then I suggest we stop giving out the impression to anyone that they can communicate privately via the ArbCom mailing list; if people have anything confidential they need to bring to an arbitrator's attention, they should be advised to write to a single arbitrator whom they trust (ideally the Foundation would employ someone to deal with such matters), and information would be shared further strictly on a need-to-know basis.--Kotniski (talk) 10:14, 24 June 2011 (UTC)
- Some editors indeed chose the method of contacting a single arbitrator, who then forwards it to every individual arbitrator when a decision needs to be reached. In this case, it would not have made any difference if the correspondence was emailed via the list or bypassing it (via every individual arbitrator email). - Mailer Diablo 11:09, 24 June 2011 (UTC)
- But my point was that it doesn't need to go to every individual arbitrator. It depends on the situation, I suppose, but I would have thought in most cases it would be enough for at most two or three of them to see it (and others to be told only what the public is told). --Kotniski (talk) 11:28, 24 June 2011 (UTC)
- The position here is that individual arbitrators have no special authority so any actual decisions need to be made by the committee as a whole. What would help considerably though would be if people brought fewer things to the committee as many of the matters raised privately could easily be handled publicly. Roger Davies 11:54, 24 June 2011 (UTC)
- Or if the committee learnt to delegate (which would have other advantages quite apart from limiting the circulation of private information). BTW, am I right in recalling that there have been leaks of this nature in the past, or is it my imagination (or untrue gossip)?--Kotniski (talk) 12:01, 24 June 2011 (UTC)
From the threads on WR, it sure doesn't appear to be Iridescent who was hacked to me. Why would Iridescent have the whole SlimVirgin/Cirt/Shell thread, especially since Shell made it clear she was not sharing it with the whole of arbcom? I think your mailing list is leaking like a sieve and something needs to be done, pronto. Tex (talk) 14:07, 24 June 2011 (UTC)
- The entire SV/Cirt/Shell thread was forwarded to the arbcom-l mailing list at a later date (following a call for Shell's recusal in the related arbitration case).
- As indicated above, it is believed that the immediate cause of the breach has been identified and prevented from further access. We are exploring options to avoid a similar recurrence. –xeno 14:20, 24 June 2011 (UTC)
- So what was the cause of the breach? Malleus Fatuorum 14:59, 24 June 2011 (UTC)
- It is believed the cause was a breach of security (i.e. someone targeting an arbitrator's PC and/or email account). We intend to post a detailed statement in the near future. –xeno 15:23, 24 June 2011 (UTC)
Break - security
What's the status regarding functionaries-en? Is there anything to indicate that material from that list was also compromised? /ƒETCHCOMMS/ 18:34, 24 June 2011 (UTC)
- It's likely that some or many emails from that list were also in the compromised mail account. Whether the criminal who broke into it cared enough for those emails (which are, in the end, much less superficially "interesting" than arbcom-l's) to download them before access was cut, we cannot say. I note that none seem to have been leaked, though that obviously shouldn't be taken as any sort of guarantee. — Coren 19:20, 24 June 2011 (UTC)
- As an uninvolved (I hope!) observer, I'd hate for the ArbCom to throw out the baby with the bathwater, losing important communication systems and institutional memory. Perhaps the archive can be set with a daily limit and a notice could go to the email list every time it's accessed. Whatever the right solution is, I hope the WMF takes this issue seriously enough to devote sufficient coding resources to provide security for the largest Wikimedia project. Will Beback talk 19:50, 24 June 2011 (UTC)
- There are systematic problems to fix for which, indeed, there may be technological help available. Much of this would require a bit of coding and support from the foundation (I would, for instance, strongly suggest some sort of two-factor authentication before private data can be accessed, and a running log of such accesses).
By happenstance IT security is my specialty, so I've already spoken at length about stronger security mechanisms; but I'm going to work directly with the foundation to help put those mechanisms in place in the short term. If nothing else, this incident will have served to highlight the importance of doing so. — Coren 19:56, 24 June 2011 (UTC)
- Re Xeno's recent email to me, which hasn't yet been leaked onto WR, I hope that you will not fall into the trap of security by obscurity, or avoid disclosing what actually happened here by deploying the silly beans argument. I am not at all happy about the situation this leak has put me in. Malleus Fatuorum 20:03, 24 June 2011 (UTC)
- I actually know security, Malleus; you'll not find me arguing for security theater. Little of what happened could have been avoided the way things are currently set up; we've plugged the immediate hole, but unless we start taking security more seriously such things are going to happen again. Like I've said, I've already approached the Foundation to start working on a review and rebuild of the way we handle private data from the ground up.
I take what happened to you (and the other victims) very seriously, and I don't intend to let the matter rest until I can confidently say that another incident like this will not happen again. — Coren 20:15, 24 June 2011 (UTC)
- There are two separate issues here: the first is the personal IT security of individuals with access to non-public mailing lists, which we believe is what is at issue in this current event. We all know people who have taken all kinds of precautions and still wound up with hidden software in their computer; and this will always remain the most likely vector of attack.
The second issue is the management of archiving of private mailing lists, and we have been working with WMF on this issue for some months now. Changes are already in progress for some private mailing lists which are affiliated in whole or in part with Arbcom. The biggest challenge is the Mailman software that is currently used by WMF: it is extremely inflexible when it comes to archiving. One either has archiving turned on or off, but there is no ability to set auto-destroy or to manually remove posts from the archives. Therefore, the only way to keep current archives that are in very active use is to also keep the archives that were created at the inception of the list. We have made what we believe is a strong case for WMF to consider other mailing list software specifically for private mailing lists (Mailman's archiving function is just fine for the public lists).
We have also endorsed the principle of requiring two-step log-in for WMF-related private wikis, and I've been advised that the developers/sysadmins are currently looking at how this can be done, with a goal toward implementation. Risker (talk) 21:02, 24 June 2011 (UTC)
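An added illustration, not code from Mailman, the WMF or anyone in this discussion: the age-based pruning that the comment above says the archive lacks, written against a generic mbox file with Python's standard-library `mailbox` module. The archive being available as an mbox file, the 365-day window and the sample messages are assumptions constructed for the example.

```python
import mailbox
from datetime import datetime, timedelta, timezone
from email.message import Message
from email.utils import format_datetime, parsedate_to_datetime


def purge_mbox(path, max_age_days, now=None):
    """Remove messages older than max_age_days from an mbox archive.

    Returns counts of kept, removed and undated messages. Undated messages
    are kept and counted so they can be reviewed rather than silently lost.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    counts = {"kept": 0, "removed": 0, "undated": 0}
    box = mailbox.mbox(path, create=False)
    box.lock()  # stop other writers from appending while the file is rewritten
    try:
        for key in list(box.keys()):
            try:
                sent = parsedate_to_datetime(box[key]["Date"])
            except (TypeError, ValueError):
                counts["undated"] += 1  # missing or unparseable Date header
                continue
            if sent.tzinfo is None:  # a "-0000" zone parses as naive; treat as UTC
                sent = sent.replace(tzinfo=timezone.utc)
            if sent < cutoff:
                box.remove(key)
                counts["removed"] += 1
            else:
                counts["kept"] += 1
        box.flush()  # rewrites the file without the removed messages
    finally:
        box.unlock()
        box.close()
    return counts


def build_sample(path, now):
    """Write a constructed three-message archive for the demonstration."""
    box = mailbox.mbox(path)
    for subject, age_days in (("old case", 400), ("recent case", 10), ("no date", None)):
        msg = Message()
        msg["From"] = "member@example.org"  # constructed address
        msg["Subject"] = subject
        if age_days is not None:
            msg["Date"] = format_datetime(now - timedelta(days=age_days))
        msg.set_payload("constructed body\n")
        box.add(msg)
    box.close()
```

Pruning the stored file only limits what a later compromise of the archive can expose; copies already delivered to subscribers' mailboxes are unaffected.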
The story so far
Yesterday, around 15h UTC, we were made aware by Malleus Fatuorum that an email exchange between him and the Arbitration Committee had been leaked to an external website. The contents of the leaked email thread, which included comments that were restricted to the Arbitration Committee list itself, demonstrated that the leak necessarily came from someone who had access to (at least part of) the email archives or email box of a currently sitting arbitrator (or Jimmy Wales).
An investigation of the technical aspects of the leak has shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran, indicating that the person responsible for the leak was in control of that mail account. Given that it seemed highly improbable that Iridescent himself would have had the wherewithal to use a proxy computer in a foreign jurisdiction yet use a mail account directly associated with him, the scenario that the leak was a wilful act from Iridescent was not credible.
At that time, I emailed the list and arbitrator Risker directly (who is one of the arbitrators in technical control of the mailing lists and the secure wikis) that Iridescent's mail account was compromised, and that it should be immediately removed from all private lists and wikis. This was done shortly, thus ensuring that whoever was in control of Iridescent's email account would get no further access.
Simultaneously, we entered into contact with Iridescent through a different email account and verified that he was the correct person with private information that could not be found in any email archive. Once contact was established, Iridescent immediately changed all his passwords and all the email addresses associated with wiki accounts he has access to. At this time, Iridescent is still evaluating his personal computing security and has not yet been returned any access to private information.
Every arbitrator has since taken steps to reevaluate their own computer security by, among other things, changing their passwords or other credentials where appropriate, or turning on additional security features such as two-factor authentication where possible. While this offers no guarantees that all our accounts are secure, it greatly reduces the probability that more accounts are under external control.
Unfortunately, Iridescent's password to the Arbcom email archive was sent to him via the email address that was compromised, and it seems that the attacker used it to access it to leak at least one email thread from it. At this point, we must presume that all of Iridescent's email to and from that email address as well as an unknown fraction of the archive of the mailing list have been stolen by the attacker. Likewise, it is not possible to assess whether only Iridescent's Yahoo account has been compromised, or whether much or all of his computing resources were.
In the name of the Arbitration Committee, I offer our most profound apologies to everyone whose privacy has been breached by this criminal act. While our investigation is ongoing, and we hope to gather enough information to evaluate more precisely the extent of the intrusion, our focus will be on making the necessary systemic changes to prevent such an attack from succeeding in the future.
— Coren 21:08, 24 June 2011 (UTC)