Revision as of 19:28, 28 June 2011 editJayen466 (talk | contribs)Autopatrolled, Extended confirmed users, Page movers, Mass message senders, Pending changes reviewers, Rollbackers56,622 edits →Conformity to generally accepted standards for the security of private information: re to SirFozzie← Previous edit | Revision as of 21:47, 28 June 2011 edit undoChase me ladies, I'm the Cavalry (talk | contribs)Autopatrolled, Extended confirmed users, Pending changes reviewers, Rollbackers31,859 edits →I'm not a big fan of ARBCOM, but...: nbNext edit → | ||
Line 437: | Line 437: | ||
::Yah. ArbCom's members as individuals may be among the victims here, but it is ArbCom (as an institution) that is largely to blame.--] (]) 10:59, 28 June 2011 (UTC) | ::Yah. ArbCom's members as individuals may be among the victims here, but it is ArbCom (as an institution) that is largely to blame.--] (]) 10:59, 28 June 2011 (UTC) | ||
:::Especially since we're back to the very real possibility that one of the members is not the victim but the perpetrator.--] (]) 12:30, 28 June 2011 (UTC) | :::Especially since we're back to the very real possibility that one of the members is not the victim but the perpetrator.--] (]) 12:30, 28 June 2011 (UTC) | ||
::::Let's not jump to conclusions about individuals - I don't think it's helpful to throw blame around when the investigations aren't over. ] (]) 21:47, 28 June 2011 (UTC) | |||
== Conformity to generally accepted standards for the security of private information == | == Conformity to generally accepted standards for the security of private information == |
Revision as of 21:47, 28 June 2011
Use this page to discuss information on the page (and subpages) attached to this one. This includes limited discussion of the Arbitration Committee itself, as a body. Some things belong on other pages:
| Shortcuts |
This Arbitration Committee has been mentioned by a media organization:
|
Misplaced Pages Arbitration |
---|
Open proceedings |
Active sanctions |
Arbitration Committee |
Audit
|
Track related changes |
Final reminder: Arbitration policy update and ratification
The current written arbitration policy dates from 2004 and much has evolved since then. The policy has been extensively reviewed over the last two years, with a series of wide-ranging community consultations, to bring the written document up to date. The proposed update is posted and is undergoing community ratification, which is due to close on 13 June 2011. All editors are cordially invited to participate in the ratification process. Roger Davies 06:02, 9 June 2011 (UTC)
Who is responsible?
I would like to know which member of ArbCom, past or present, is responsible for this leak. Malleus Fatuorum 14:59, 23 June 2011 (UTC)
- Maybe nobody is responsible and it is result of succesful hacking attack (or maybe sb decided to use "12345" as password)? Bulwersator (talk) 10:36, 28 June 2011 (UTC)
- Oh dear. This is not going to end well, and I fear you--rather than the responsible parties--are going to end up pilloried. → ROUX ₪ 15:13, 23 June 2011 (UTC)
- I'm quite used to that, but there's something amiss here that needs sorting out. What else has been/is being leaked? Malleus Fatuorum 15:15, 23 June 2011 (UTC)
- Without engaging in hyperbole, this is really very bad. personally I'd bypass the usual ArbCom nonsense and go straight to WMF. Moonriddengirl might be a good way to get someone to take notice. → ROUX ₪ 15:23, 23 June 2011 (UTC)
- meta:Ombudsman commission seems to be the appropriate Wikimedia body for outside review of this matter. –xeno 15:29, 23 June 2011 (UTC)
- The Ombudsman Commission investigates violations of the Foundation privacy policy, which does not appear to have occurred. This is a matter of a breach of trust by a community member, but not a matter for the Foundation. Dominic·t 16:47, 23 June 2011 (UTC)
- Would a contributor's non-public(?) email address not be considered personally-identifying information? –xeno 17:03, 23 June 2011 (UTC)
- The Ombudsman Commission investigates violations of the Foundation privacy policy, which does not appear to have occurred. This is a matter of a breach of trust by a community member, but not a matter for the Foundation. Dominic·t 16:47, 23 June 2011 (UTC)
- meta:Ombudsman commission seems to be the appropriate Wikimedia body for outside review of this matter. –xeno 15:29, 23 June 2011 (UTC)
- Without engaging in hyperbole, this is really very bad. personally I'd bypass the usual ArbCom nonsense and go straight to WMF. Moonriddengirl might be a good way to get someone to take notice. → ROUX ₪ 15:23, 23 June 2011 (UTC)
- I'm quite used to that, but there's something amiss here that needs sorting out. What else has been/is being leaked? Malleus Fatuorum 15:15, 23 June 2011 (UTC)
- Can't be any past arbitrators (for the initial leak anyway); the only people on the list these days are current Arbs and Jimbo. NW (Talk) 15:28, 23 June 2011 (UTC)
- The committee is aware of the situation and looking into it. –xeno 15:29, 23 June 2011 (UTC)
Malleus, please accept my most profound apology for this unforgivable breach of your expectation of privacy. It is vanishingly unlikely that this leak comes from someone else than a sitting arbitrator, and I want to assure you that I will do everything in my power to identify the slime who did this and crucify them. — Coren 16:34, 23 June 2011 (UTC)
- In this particular instance there was nothing particularly private, just a chat with Iridescent (who I don't at all blame for this) about a few options that are now impractical. It does though raise the very serious question of what else has been leaked. Malleus Fatuorum 16:49, 23 June 2011 (UTC)
- Nevertheless, you were given an assurance of confidentiality and, through lack of care or dishonesty, it has been breached. I agree with you that the possibility of further leaks that we are unaware of is worrisome, and makes it all the more important that the leak is found and plugged. — Coren 17:09, 23 June 2011 (UTC)
- It clearly needs to be sorted out, and quickly. I must admit to being rather puzzled at this discussion being leaked though, as I'm sure there must be much juicier stuff on the mailing list that's far more interesting. Malleus Fatuorum 17:15, 23 June 2011 (UTC)
- Nevertheless, you were given an assurance of confidentiality and, through lack of care or dishonesty, it has been breached. I agree with you that the possibility of further leaks that we are unaware of is worrisome, and makes it all the more important that the leak is found and plugged. — Coren 17:09, 23 June 2011 (UTC)
I do hope this isn't swept under the rug, either. This is a serious breach of confidentiality and I (and I'm sure others) would very much like to know who the leak is. Please don't just do whatever it is you arbs do behind closed doors. Please make a public statement about this once it is known who did such a thing. Tex (talk) 17:18, 23 June 2011 (UTC)
- I agree with Tex, this is a very serious matter and as Tex said a lot of people would very much like to know who leaked and I, along with others, want a public statement as to what happened once it is figured out. This is a very serious issue and indeed it is worrisome that possibly other things have leaked out. This is truly disconcerting, as this defeats the entire purpose of Arb Com and emailing, to keep things that are private private, had he wanted it public he wouldn't have been emailing it. As Malleus said there are much more interesting things that could be talked about and that is partially what has me worried, if this is what we have found then there is probably other stuff that is more interesting or important out there as well. I hope that this is all resolved quickly and we can be assured that this is all that is out there. Adwiii Talk 17:42, 23 June 2011 (UTC)
- The same person has leaked some emails I recently sent to the ArbCom, and emails from some of the Arbs discussing it between themselves. I think it's important that an announcement be made about this somewhere prominently, so that people know not to send anything confidential to the ArbCom until it's sorted out. SlimVirgin 18:41, 23 June 2011 (UTC)
- I've temporarily removed the word "private" from the emphatic bright yellow box on the page, since such status can't currently be guaranteed. I agree an announcement somewhere else (although I'm not sure where) might also be a good idea. --Demiurge1000 (talk) 18:47, 23 June 2011 (UTC)
- The resulting statement instructs individuals to send all material (private or otherwise) for our attention to the list. –xeno 18:51, 23 June 2011 (UTC)
- Well, it says "any", not "all", but yes it could have been construed that way. So how should it be worded? How about "Material intended for the Committee's attention can be sent to..." ? The alternatives are emphatically suggesting a level of privacy that likely does not currently exist, or removing mention of the email address altogether until the problem is resolved. Or is there a better way? --Demiurge1000 (talk) 18:59, 23 June 2011 (UTC)
- The resulting statement instructs individuals to send all material (private or otherwise) for our attention to the list. –xeno 18:51, 23 June 2011 (UTC)
- I've temporarily removed the word "private" from the emphatic bright yellow box on the page, since such status can't currently be guaranteed. I agree an announcement somewhere else (although I'm not sure where) might also be a good idea. --Demiurge1000 (talk) 18:47, 23 June 2011 (UTC)
- The same person has leaked some emails I recently sent to the ArbCom, and emails from some of the Arbs discussing it between themselves. I think it's important that an announcement be made about this somewhere prominently, so that people know not to send anything confidential to the ArbCom until it's sorted out. SlimVirgin 18:41, 23 June 2011 (UTC)
I'd suggest full and clear honesty. Something like Notice: Communication with ArbCom has been confirmed to be compromised. Confidentiality can not be guaranteed at the current time.--Cube lurker (talk) 19:08, 23 June 2011 (UTC)
- I think the first sentence of that is perhaps overly dramatic. The second, in small, would be adequate though. --Demiurge1000 (talk) 19:15, 23 June 2011 (UTC)
- I think this is serious enough that I'd be more concerned about failure to fully inform someone who intended to transmit confidential information. My understanding is that someone with access is willing to release information maliciously. There's a definite right to know issue that goes beyond a fine print note that could be missed or not treated seriously.--Cube lurker (talk) 19:22, 23 June 2011 (UTC)
- (ec) No one will notice it there. It should be posted somewhere prominently. It would be best if the ArbCom would do that asap. SlimVirgin 19:23, 23 June 2011 (UTC)
- This aspect of the discussion has been superseded by Coren's note below as far as I'm concerned. --Demiurge1000 (talk) 19:26, 23 June 2011 (UTC)
- (ec) No one will notice it there. It should be posted somewhere prominently. It would be best if the ArbCom would do that asap. SlimVirgin 19:23, 23 June 2011 (UTC)
brief status update
At this time, the source of the leak seems to have been identified and closed. We are not yet able to determine what other emails may have been stolen, but I am confident that future email will not be so exposed. The committee will give a detailed statement regarding the incident once we have finished cleaning things up and investigating the matter in detail (within the next 24h). — Coren 19:24, 23 June 2011 (UTC)
- Confirming what Coren has said above. For the record, this incident has been discussed with the WMF as well. Risker (talk) 19:32, 23 June 2011 (UTC)
- Given the ongoing leaks at Misplaced Pages Review, how confident are you that this matter is now sorted? Malleus Fatuorum 22:24, 23 June 2011 (UTC)
- Interestingly, the material posted so far has been surprisingly mild, and far more gossipy than scandalous. I'm a little hesitant to start writing WP:BEANS cases, but I think either the person who has the emails doesn't know what would be (relatively) explosive, or doesn't have much (I'm excluding there being nothing scandalous, based on knowing the personalities of certain people :-) ...) -- Seth Finkelstein (talk) 22:48, 23 June 2011 (UTC)
- We are quite certain that we have identified the source of the leak, and that the account involved no longer has access to any private mailing lists or the arbitration wiki. We are still assessing what information was accessed while the account was compromised. As a precaution, other members of the committee are changing passwords and reassessing their personal security precautions including hardware/software checks. Risker (talk) 22:51, 23 June 2011 (UTC)
- Should we assume that when the announcement about this is posted, it’s going to include the identity of whichever arbitrator leaked the e-mails? If it’s now been determined who was responsible for the leak, I think the community has a right to know that. --Captain Occam (talk) 00:44, 24 June 2011 (UTC)
- Risker seems to imply that the arbitrator in question had their account and/or email and/or other login information compromised by a third party. NW (Talk) 00:50, 24 June 2011 (UTC)
- Coren indicated that Iridescent's account had been compromised, but some of the leaked material dates from before his time on the ArbCom. I hope the Committee will be completely transparent about what happened here. SlimVirgin 00:59, 24 June 2011 (UTC)
Part of the problem is that most passwords, including that to the email archive, were sent by email (hence the importance of having all accounts pointing at a new email account as swiftly as possible). Of course, access to the archive and wikis was immediately removed to prevent further access, but that will have had no effect on what data was already stolen.
In other words, it's not really possible to establish with certainty what, or how much, has been taken before the accesses were changed; our focus will be on securing things for the future so that this does not happen again. I'm going to recommend a number of procedural changes to diminish the probability of such incidents happening in the future, as well as push very hard for strong security precautions to access confidential data (for instance, two-factor authentication to access privileged wikis or archives seem important to me). — Coren 01:07, 24 June 2011 (UTC)
- I had a conversation with the Foundation about this around a year ago, maybe longer. Anyone gaining access to the wiki or the archives needs that access only for the briefest of periods. They download the material, and that's that. Once this immediate situation is sorted out, I think a serious discussion needs to take place about the amount of information the Committee is retaining about people. Realistically you can't guarantee its safety, and the larger the mailing list, the less of a guarantee there can be. SlimVirgin 01:12, 24 June 2011 (UTC)
- Yes, I'll spearhead that necessary work to reform myself. — Coren 01:14, 24 June 2011 (UTC)
- Mike Godwin posted to one of the mailing lists recently that enlightened organizations are retaining very little data about individuals, so that if a legal issue arises, there's little to hand over. And the same principle would apply to security, that if there's a leak, there's not much that can be released. But it seems the ArbCom and functionaries take the opposite approach, retaining large archives, setting up an ArbCom wiki, and I believe a checkuser wiki. A great deal of it is unpleasant gossip about people, and some of it is material that ought to remain private. So I really question the ethics of this approach, because I think it's very unfair to editors to keep so much material for so long, and to be constantly giving new people access to it, even though the subjects of the information may not have seen it themselves. SlimVirgin 01:31, 24 June 2011 (UTC)
- Coren, is what you’re saying that it was possible to use Iridescent’s account to access information from before Iridescent became an arbitrator, because their e-mail account contained the password to the archive of past mailing list discussions? And it’s certain that there wasn’t any leak other than whoever broke into Iridescent’s account? --Captain Occam (talk) 01:16, 24 June 2011 (UTC)
- That is what every the evidence we have indicates, yes. I'm not going to say that it's certain that there are no other possible leaks, but it's certainly improbable. I'm probably the only arbitrator who controls every part of his email infrastructure, so I can tell you as a fact that no access has been made to my own email, but the other arbitrators have taken measures to ensure that their passwords are secure to make as sure as we can that no other leak is possible. — Coren 01:22, 24 June 2011 (UTC)
(ec) That was the issue I raised with the Foundation, that new members automatically gain access to the full archives, including material they have no need to read. Some kind of purging ought to be taking place each year, so that these secret files about individuals aren't being retained, just waiting for someone to steal them.
- Also, the leaker leaked Coren's email saying it was Iridescent's account. Presumably Coren sent that email after that account's access had been removed, so that's somewhat worrying. SlimVirgin 01:23, 24 June 2011 (UTC)
(←) No, it was not, though it is almost certainly the last email that account received from the list: Risker needed a bit of delay to get to a secure computer to remove the accesses. — Coren 01:28, 24 June 2011 (UTC)
- I saw some emails that were not addressed to arbcom. For example at least one email was from SV addressed to Cirt. How this got stolen and/or leaked?
- I believe, if wikipedia review has some self respect left, it should remove these stolen emails and ban the user who posted them for good.--Mbz1 (talk) 02:41, 24 June 2011 (UTC)
- My guess (provisional, and subject to revision based on new information) is that we're seeing information that was in a personal mail archive. As opposed to there being a Misplaced Pages Wikileaks cache of the entire arbcom list available. Umm, regarding banning the user who posted them - since it was a new special account, that wouldn't do a lot good even if they were so inclined (horse, barn, door). -- Seth Finkelstein (talk) 03:03, 24 June 2011 (UTC)
- Just following up on what Coren has said, that was the last email on the mailing list before the account in question was fully disabled from all private mailing lists and from the arbwiki. The point about archive security is entirely valid, and it is a concern that is shared by the Arbitration Committee. We have been having discussions with the WMF specifically about alternative methods of managing archives for various private lists, some processes are already in motion, and we were continuing to examine options for the arbcom-L list. We'll be accelerating those discussions now. However, at least some of it is a moot point because it appears these are from the arbitrator's own email logs and thus even tighter security on arbcom-L or arbwiki would not have changed the outcome. The committee members are now evaluating their own personal security situations, examining methods of storing emails, changing passwords and adding two-step authentications, to reduce the risk of a further recurrence. I know the saying about the barn door (I edit-conflicted with Seth saying the same thing), but I just wanted to point out that we've been working on this in the background for a while, and unfortunately this occurred before we'd managed to hammer out the details for this specific mailing list. Risker (talk) 03:07, 24 June 2011 (UTC)
- For everybody who uses GMAIL there is a line below the list of your messages:
Last account activity: 1 hour ago at this IP (xx.xxx.xxx.xxx). Details (I redacted my IP address here)
- "Details" is a clickable button. If you are to click it, you will see, if any IP other than your own accessed your account. It is a very useful tool that I used to locate a dirty hacker that hacked my email.--Mbz1 (talk) 03:26, 24 June 2011 (UTC)
Am I right in recalling that this isn't the first time something like this has happened? Didn't someone once do a complete public dump of the ArbCom archives, or something like that? If this incident is any more than a complete one-off, then I suggest we stop giving out the impression to anyone that they can communicate privately via the ArbCom mailing list; if people have anything confidential they need to bring to an arbitrator's attention, they should be advised to write to a single arbitrator whom they trust (ideally the Foundation would employ someone to deal with such matters), and information would be shared further strictly on a need-to-know basis.--Kotniski (talk) 10:14, 24 June 2011 (UTC)
- Some editors indeed chose the method of contacting a single arbitrator, who then forward it to every individual arbitrator when a decision needs to be reached. In this case, it would not have made any difference if the correspondence was emailed via the list or bypassing it (via every individual arbitrator email). - Mailer Diablo 11:09, 24 June 2011 (UTC)
- But my point was that it doesn't need to go to every individual arbitrator. It depends on the situation, I suppose, but I would have thought in most cases it would be enough for at most two or three of them to see it (and others to be told only what the public is told). --Kotniski (talk) 11:28, 24 June 2011 (UTC)
- The position here is that individual arbitrators have no special authority so any actual decisions need to be made the committee as a whole. What would help considerably though would be if people brought fewer things to the committee as many of the matters raised privately could be easily be handled publicly. Roger Davies 11:54, 24 June 2011 (UTC)
- Or if the committee learnt to delegate (which would have other advantages quite apart from limiting the circulation of private information). BTW, am I right in recalling that there have been leaks of this nature in the past, or is it my imagination (or untrue gossip)?--Kotniski (talk) 12:01, 24 June 2011 (UTC)
- Yes, see this thread about a leak of the ArbCom mailing list archives in 2009. Graham87 05:07, 25 June 2011 (UTC)
- Or if the committee learnt to delegate (which would have other advantages quite apart from limiting the circulation of private information). BTW, am I right in recalling that there have been leaks of this nature in the past, or is it my imagination (or untrue gossip)?--Kotniski (talk) 12:01, 24 June 2011 (UTC)
- The position here is that individual arbitrators have no special authority so any actual decisions need to be made the committee as a whole. What would help considerably though would be if people brought fewer things to the committee as many of the matters raised privately could be easily be handled publicly. Roger Davies 11:54, 24 June 2011 (UTC)
- But my point was that it doesn't need to go to every individual arbitrator. It depends on the situation, I suppose, but I would have thought in most cases it would be enough for at most two or three of them to see it (and others to be told only what the public is told). --Kotniski (talk) 11:28, 24 June 2011 (UTC)
From the threads on WR, it sure doesn't appear to be Iridescent who was hacked to me. Why would Iridescent have the whole SlimVirgin/Cirt/Shell thread, especially since Shell made it clear she was not sharing it with the whole of arbcom? I think your mailing list is leaking like a sieve and something needs to be done, pronto. Tex (talk) 14:07, 24 June 2011 (UTC)
- The entire SV/Cirt/Shell thread was forwarded to the arbcom-l mailing list at a later date (following a call for Shell's recusal in the related arbitration case).
- As indicated above, it is believed that the immediate cause of the breach has been identified and prevented from further access. We are exploring options to avoid a similar recurrence. –xeno 14:20, 24 June 2011 (UTC)
- So what was the cause of the breach? Malleus Fatuorum 14:59, 24 June 2011 (UTC)
- It is believed the cause was a breach of security (i.e. someone targeting an arbitrator's PC and/or email account). We intend to post a detailed statement in the near future. –xeno 15:23, 24 June 2011 (UTC)
- So what was the cause of the breach? Malleus Fatuorum 14:59, 24 June 2011 (UTC)
- As I pointed out to Sue Gardner in this message, there was an incident where a single Arb was contacted regarding an editor who was engaging in pro-paedophilia advocacy. That Arb did not act on the information and nothing was done until Arbcom in full were notified. I am concerned by the suggestion that editors should contact only a single Arbitrator as an effort to reduce the risk of these types of leaks. That course of action has been demonstrated to have other problems. (Gardner did not reply to my message and email, or my follow-up, incidentally.) Delicious carbuncle (talk) 00:28, 25 June 2011 (UTC)
Break - security
What's the status regarding functionaries-en? Is there anything to indicate that material from that list was also compromised? /ƒETCHCOMMS/ 18:34, 24 June 2011 (UTC)
- It's likely that some or many email from that list were also in the compromised mail account. Whether the criminal who broke into it cared enough for those email (who are, in the end, much less superficially "interesting" than arbcom-l's) to download them before access was cut, we cannot say. I note that none seem to have been leaked, though that obviously shouldn't be taken as any sort of guarantee. — Coren 19:20, 24 June 2011 (UTC)
- As an uninvolved (I hope!) observer, I'd hate for the ArbCom to throw out the baby with the bathwater, losing important communication systems and institutional memory. Perhaps the archive can be set with a daily limit and a notice could go to the email list every time the it's accessed. Whatever the right solution is, I hope the WMF takes this issue seriously enough to devote sufficient coding resources to provide security for the largest Wikimedia project. Will Beback talk 19:50, 24 June 2011 (UTC)
- There are systematic problems to fix for which, indeed, there may be technological help available. Much of this would require a bit of coding and support from the foundation (I would, for instance, strongly suggest some sort of two-factor authentication before private data can be accessed, and a running log of such accesses).
By happenstance IT security is my specialty, so I've already spoken at length about stronger security mechanisms; but I'm going to work directly with the foundation to help put those mechanisms in place in the short term. If nothing else, this incident will have served to highlight the importance of doing so. — Coren 19:56, 24 June 2011 (UTC)
- Re Xeno's recent email to me, which hasn't yet been leaked onto WR, I hope that you will not fall into the trap of security by obscurity, or avoid disclosing what actually happened here by deploying the silly beans argument. I am not at all happy about the situation this leak has put me in. Malleus Fatuorum 20:03, 24 June 2011 (UTC)
- I actually know security, Malleus; you'll not find me arguing for security theater. Little of what happened could have been avoided the way things are currently set up; we've plugged the immediate hole, but unless we start taking security more seriously such things are going to happen again. Like I've said, I've already approached the Foundation to start working on a review and rebuild of the way we handle private data from the ground up.
I take what happened to you (and the other victims) very seriously, and I don't intend to let the matter rest until I can confidently say that another incident like this will not happen again. — Coren 20:15, 24 June 2011 (UTC)
- I actually know security, Malleus; you'll not find me arguing for security theater. Little of what happened could have been avoided the way things are currently set up; we've plugged the immediate hole, but unless we start taking security more seriously such things are going to happen again. Like I've said, I've already approached the Foundation to start working on a review and rebuild of the way we handle private data from the ground up.
- Re Xeno's recent email to me, which hasn't yet been leaked onto WR, I hope that you will not fall into the trap of security by obscurity, or avoid disclosing what actually happened here by deploying the silly beans argument. I am not at all happy about the situation this leak has put me in. Malleus Fatuorum 20:03, 24 June 2011 (UTC)
- There are systematic problems to fix for which, indeed, there may be technological help available. Much of this would require a bit of coding and support from the foundation (I would, for instance, strongly suggest some sort of two-factor authentication before private data can be accessed, and a running log of such accesses).
- As an uninvolved (I hope!) observer, I'd hate for the ArbCom to throw out the baby with the bathwater, losing important communication systems and institutional memory. Perhaps the archive can be set with a daily limit and a notice could go to the email list every time the it's accessed. Whatever the right solution is, I hope the WMF takes this issue seriously enough to devote sufficient coding resources to provide security for the largest Wikimedia project. Will Beback talk 19:50, 24 June 2011 (UTC)
- There are two separate issues here: the first is the personal IT security of individuals with access to non-public mailing lists, which we believe is what is at issue in this current event. We all know people who have taken all kinds of precautions and still wound up with hidden software in their computer; and this will always remain the most likely vector of attack.
The second issue is the management of archiving of private mailing lists, and we have been working with WMF on this issue for some months now. Changes are already in progress for some private mailing lists which are affiliated in whole or in part with Arbcom. The biggest challenge is the Mailman software that is currently used by WMF: it is extremely inflexible when it comes to archiving. One either has archiving turned on or off, but there is no ability to set auto-destroy or to manually remove posts from the archives. Therefore, the only way to keep current archives that are in very active use is to also keep the archives that were created at the inception of the list. We have made what we believe is a strong case for WMF to consider other mailing list software specifically for private mailing lists (Mailman's archiving function is just fine for the public lists).
We have also endorsed the principle of requiring two-step log-in for WMF-related private wikis, and I've been advised that the developers/sysadmins are currently looking at how this can be done, with a goal toward implementation. Risker (talk) 21:02, 24 June 2011 (UTC)
- And how long will that take, given the glacial pace of Wikimedia development? Malleus Fatuorum 21:13, 24 June 2011 (UTC)
- Fair question, Malleus. My understanding is that this has been established as a high priority by Erik Moeller, to whom the entire developer/sysadmin structure currently reports, with significant support from the other department heads, so I'm guessing it's moved fairly close to the top of the heap. I've been given to believe that it's not a particularly difficult fix, but I'm poorly acquainted with anything that technical so can't give you an honest assessment. My sense is we're talking days to weeks rather than the usual many weeks to months. Risker (talk) 21:25, 24 June 2011 (UTC)
- So presumably the only safe thing to do in the interim is to assume that the ArbCom mailing list is not confidential? Malleus Fatuorum 21:32, 24 June 2011 (UTC)
- Well, it's as confidential as emailing any mailing list to which a group of individuals are subscribed. From the feedback I am seeing from my fellow arbitrators, the majority of us have now taken additional precautions to secure the email addresses to which we subscribe to the list, and have changed passwords on all applicable accounts; however, there remains the reality that anyone can be hacked by someone determined to do so, just as any of us could have our wallets stolen no matter how many precautions we take, or our houses could be broken into regardless of all the fancy security systems we subscribe to. We can mitigate the risk, but it will never completely disappear. Risker (talk) 22:00, 24 June 2011 (UTC)
- So presumably the only safe thing to do in the interim is to assume that the ArbCom mailing list is not confidential? Malleus Fatuorum 21:32, 24 June 2011 (UTC)
- Fair question, Malleus. My understanding is that this has been established as a high priority by Erik Moeller, to whom the entire developer/sysadmin structure currently reports, with significant support from the other department heads, so I'm guessing it's moved fairly close to the top of the heap. I've been given to believe that it's not a particularly difficult fix, but I'm poorly acquainted with anything that technical so can't give you an honest assessment. My sense is we're talking days to weeks rather than the usual many weeks to months. Risker (talk) 21:25, 24 June 2011 (UTC)
- And how long will that take, given the glacial pace of Wikimedia development? Malleus Fatuorum 21:13, 24 June 2011 (UTC)
So as I said, the only safe thing to do is to assume that the ArbCom mailing list is not secure, and can never be secure. Malleus Fatuorum 22:06, 24 June 2011 (UTC)
- that should be pretty much assumed to be case with any system attached to the web yes.©Geni 23:09, 24 June 2011 (UTC)
- So why the claim that it was secure, and why should anyone believe that it's now secure? Malleus Fatuorum 23:42, 24 June 2011 (UTC)
- I don't follow such things closely; where was the claim made? The reality is there is no such thing as absolute security for anything held outside your own head (even there there there is active research to get at stuff). So really it boils down to degrees of security. Historically arbcom have mostly relied on most arbcom members not leaking stuff (kelly martin is the exception) and the list not being interesting enough for more than standard security measures to be needed.©Geni 23:55, 24 June 2011 (UTC)
- So why the claim that it was secure, and why should anyone believe that it's now secure? Malleus Fatuorum 23:42, 24 June 2011 (UTC)
On a related note, I urge everyone who views this thread to check LulzSec's leak of 62,000 email-password combinations and ensure that if your email address has been listed, immediately stop using the associated password. (But this is a little late, perhaps, as the list was released last week and has surely been plundered several times.) /ƒETCHCOMMS/ 21:16, 24 June 2011 (UTC)
The story so far
Yesterday, around 15h UTC, we were made aware by Malleus Fatuorum that an email exchange between him and Iridescent, which was forwarded to the Arbitration Committee had been leaked to an external website. The contents of the leaked email thread, which included comments that were restricted to the Arbitration Committee list itself, demonstrated that the leak necessarily came from someone who had access to (at least part of) the email archives or email box of a currently sitting arbitrator (or Jimmy Wales).
An investigation of the technical aspects of the leak have shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran, indicating that the person responsible for the leak was in control of that mail account. Given that it seemed highly improbable that Iridescent himself would have had the wherewithal to use a proxy computer in a foreign jurisdiction yet use a mail account directly associated with him, the scenario that the leak was a wilful act from Iridescent was not credible.
At that time, I emailed the list and arbitrator Risker directly (who is one of the arbitrators in technical control of the mailing lists and the secure wikis) that Iridescent's mail account was compromised, and that it should be immediately removed from all private lists and wikis. This was done shortly, thus ensuring that whoever was in control of Iridescent's email account would get no further access.
Simultaneously, we entered in contact with Iridescent through a different email account and verified that he was the correct person with private information that could not be found in any email archive. Once contact was established, Iridescent immediately changed all his passwords and all the email addresses associated with wiki accounts he has access to. At this time, Iridescent is still evaluating his personal computing security and has not yet been returned any access to private information.
Every arbitrator has since taken steps to reevaluate their own computer security by, among other things, changing their passwords or other credentials where appropriate, or turning on additional security features such as two-factor authentication where possible. While this offers no guarantees that all our accounts are secure, it greatly reduces the probability that more accounts are under external control.
Unfortunately, Iridescent's password to the Arbcom email archive was sent to him via the email address that was compromised, and it seems that the attacker used it to access it to leak at least one email thread from it. At this point, we must presume that all of Iridescent's email to and from that email address as well as an unknown fraction of the archive of the mailing list have been stolen by the attacker. Likewise, it is not possible to assess whether only Iridescent's Yahoo account has been compromised, or whether much or all of his computing resources were.
In the name of the Arbitration Committee, I offer our most profound apologies to everyone whose privacy has been breached by this criminal act. While our investigation is ongoing, and we hope to gather enough information to evaluate more precisely the extent of the intrusion, our focus will be on making the necessary systemic changes to prevent such an attack from succeeding in the future.
— Coren 21:08, 24 June 2011 (UTC)
- That account is not strictly accurate, as I have never to my knowledge emailed the Arbitration Committee. What was made public was a series of emails I exchanged with Iridescent, which he apparently forwarded on to the committee. Malleus Fatuorum 21:16, 24 June 2011 (UTC)
- I've tweaked it accordingly. I don't think it makes much difference in substance, though. — Coren 21:57, 24 June 2011 (UTC)
- It may not, but it more accurately represents what happened. I did not, and have never, emailed anything to the Arbitration Committee. Malleus Fatuorum 22:02, 24 June 2011 (UTC)
- I've tweaked it accordingly. I don't think it makes much difference in substance, though. — Coren 21:57, 24 June 2011 (UTC)
Malleus
Coren's account above is correct to the best of my knowledge. I endorse the posts that have been made by Coren, Risker, and others. I will add only that upon learning of what had occurred, I immediately ruled out the possibility that Iridescent had intentionally leaked the material based on everything I know about him, even before I learned of the technical evidence demonstrating an external hack. Newyorkbrad (talk) 22:58, 24 June 2011 (UTC)
- An external hack of what? This still needs some explanation. Malleus Fatuorum 23:46, 24 June 2011 (UTC)
- An arbitrator's email account was compromised by an unknown third party. This third party then used the additional information gathered after gaining access to the email account, (the emails to that Arbitrator with the passwords to the archives, which would be necessary for the performance of their duties) to gather additional information. We're still trying to figure out how and by whom, but this incident has of course prompted all of us to review our own security and try to determine not only how this happened, and by whom, but how to prevent it from happening again. SirFozzie (talk) 23:52, 24 June 2011 (UTC)
- And how was that done? No more beans bollocks please, just a little bit of honesty. Malleus Fatuorum 23:59, 24 June 2011 (UTC)
- Malleus, how the hell could we know? Maybe the thief guessed Iridescent's password. Perhaps he has a keylogger on a computer that Iridescent has used, or he has compromised a router between him and Yahoo. Perhaps he is a Yahoo employee with enough access or a backdoor to compromise the accounts of arbitrary users. We almost certainly will never know how the account was compromised unless the miscreant steps forward and confesses. — Coren 01:13, 25 June 2011 (UTC)
- Maybe the thief guessed Iridescent's password to what? And how do you explain the initial focus on me? Malleus Fatuorum 01:24, 25 June 2011 (UTC)
- Malleus, how the hell could we know? Maybe the thief guessed Iridescent's password. Perhaps he has a keylogger on a computer that Iridescent has used, or he has compromised a router between him and Yahoo. Perhaps he is a Yahoo employee with enough access or a backdoor to compromise the accounts of arbitrary users. We almost certainly will never know how the account was compromised unless the miscreant steps forward and confesses. — Coren 01:13, 25 June 2011 (UTC)
- And how was that done? No more beans bollocks please, just a little bit of honesty. Malleus Fatuorum 23:59, 24 June 2011 (UTC)
- An arbitrator's email account was compromised by an unknown third party. This third party then used the additional information gathered after gaining access to the email account, (the emails to that Arbitrator with the passwords to the archives, which would be necessary for the performance of their duties) to gather additional information. We're still trying to figure out how and by whom, but this incident has of course prompted all of us to review our own security and try to determine not only how this happened, and by whom, but how to prevent it from happening again. SirFozzie (talk) 23:52, 24 June 2011 (UTC)
If I might mildly interject, I think this is an excellent question. As Captain Occam says somewhere below, it is often possible to figure out how an account was hacked and someone needs to do that figuring. At the least, simple questions like "was Iridescent's password guessable", do other arbcom members have secure passwords (minimum 10 characters with mixed uppercase, lowercase, digits, etc.) should be asked and answered. (I'm collapsing the gratuitous part of the discussion below.)--rgpk (comment) 14:03, 25 June 2011 (UTC)
Extended content |
---|
:A)Malleus: I'm sorry to be abrupt, but either you are missing bits of reading comprehension, OR you are deliberately being obtuse, but if you look up THREE LINES in a reply to one of your PREVIOUS questions, you would get the answer to "Password to what", and B) We're not the people who posted the information.. Only the person who is posting these emails can answer that question. We're not mind readers. (If we were, we'd conduct all Committee business via Telepathy, and there'd be no archives for them to raid). SirFozzie (talk) 02:06, 25 June 2011 (UTC)
Are you really as dumb as you appear to be? Malleus Fatuorum 03:22, 25 June 2011 (UTC)
|
- As someone who’s had online accounts belonging to me broken into in the past (not at Misplaced Pages; this happened before I joined) I don’t agree with the statement that it’s not possible to determine how Iridescent’s account was broken into unless the culprit reveals it. Other members of ArbCom probably won’t be able to determine this, but I don’t think it’s unreasonable to expect Iridescent to. It’s often possible for a person who’s been hacked to determine what method was used against them, and I’ve done this myself. Once a person has determined when they were first hacked (which in this case Iridescent could determine from her e-mail IP login history), they can next determine what vulnerabilities they were exposed to at around that time. I think that determining how a break-in was accomplished is an important part of preventing the problem from recurring in the future, because without an understanding of how it was done, you can never be certain that you’ve removed the vulnerability that made it possible. --Captain Occam (talk) 09:10, 25 June 2011 (UTC)
- That's true, but may not be particularly helpful in this case. Everything we've seen so far suggests that this was a targeted compromise (in other words, that the attacker set out specifically to gain access the Committee's correspondence) rather than an opportunistic one; if that's the case, then it's quite possible that the underlying security breach took place days or weeks before the material was released, and that the attacker has had ample time to compromise any audit trails. Kirill 11:22, 25 June 2011 (UTC)
- As someone who’s had online accounts belonging to me broken into in the past (not at Misplaced Pages; this happened before I joined) I don’t agree with the statement that it’s not possible to determine how Iridescent’s account was broken into unless the culprit reveals it. Other members of ArbCom probably won’t be able to determine this, but I don’t think it’s unreasonable to expect Iridescent to. It’s often possible for a person who’s been hacked to determine what method was used against them, and I’ve done this myself. Once a person has determined when they were first hacked (which in this case Iridescent could determine from her e-mail IP login history), they can next determine what vulnerabilities they were exposed to at around that time. I think that determining how a break-in was accomplished is an important part of preventing the problem from recurring in the future, because without an understanding of how it was done, you can never be certain that you’ve removed the vulnerability that made it possible. --Captain Occam (talk) 09:10, 25 June 2011 (UTC)
Even if the e-mails weren’t released until weeks after Iridescent’s account was broken into, isn’t it likely that Iridescent’s e-mail account would have been logged into by an unfamiliar IP address whenever the breach first took place? If the attacker didn’t even log into Iridescent’s e-mail account until a long time after obtaining the password, there would have been a possibility of Iridescent changing their password before the attacker could download any material from the mail archive. --Captain Occam (talk) 15:44, 25 June 2011 (UTC)
- See spear phishing. That's the most likely explanation. ArbCom should not hold forth their ability to keep correspondence confidential, nor should archives be kept past their immediate need. ArbCom does not have the benefit of a professional IT staff, and they are sufficiently numerous that there will always be at least one member to can be successfully victimized by social engineering. It would be regrettably if many years worth of confidential information were to suddenly surface on the open Internet. Hopefully ArbCom has been purging their archives regularly. Jehochman 20:04, 26 June 2011 (UTC)
- Apparently not. SlimVirgin 20:27, 26 June 2011 (UTC)
PGP
- Would the severity of this incident and the importance of confidentiality merit arbitrators adopting PGP for their email communications? --causa sui (talk) 23:43, 24 June 2011 (UTC)
- I can't speak for the other arbs, but I think all options need to be considered. Of course, that means any further archives (which to some, is rather necessary for us to do our jobs, especially when we do clarifications or amendments of past decisions) would be useless. I'm not going to rule anything in or out, however.. we're taking a Soup to nuts review of our current situation, both personally, as a committee, and working with the WMF. SirFozzie (talk) 23:52, 24 June 2011 (UTC)
- Has anyone actually used PGP for day-to-day conversations? I have, and found it to be pretty cumbersome. A simpler solution would be to move ALL conversations to a secured Wiki, and just turn on email notifications of changes. Jclemens (talk) 06:12, 25 June 2011 (UTC)
- We're still assessing the situation, but preliminary findings appear to look very bleak. Encryption might well become the future way of securing email communications along with other long-term security measures, which the arbitrators will be discussing once the dust settles. - Mailer Diablo 23:57, 24 June 2011 (UTC)
- Why do you say "preliminary findings appear to look very bleak"? Nothing of much consequence (no offense meant) has been leaked. Do you KNOW that the Arbcom email archive was downloaded? -- Seth Finkelstein (talk) 00:05, 25 June 2011 (UTC)
- Know? Not as of yet. Is there inklings from what HAS been posted? Yes. SirFozzie (talk) 00:13, 25 June 2011 (UTC)
- I'd say the opposite. The thread that pre-dated Iridescent being on the committee has been explained as having been forwarded later. I suppose the thing to do is to ask Iridescent if he was in the habit of keeping everything archived, or just saved a few threads once in a while. -- Seth Finkelstein (talk) 00:23, 25 June 2011 (UTC)
- Know? Not as of yet. Is there inklings from what HAS been posted? Yes. SirFozzie (talk) 00:13, 25 June 2011 (UTC)
- Why do you say "preliminary findings appear to look very bleak"? Nothing of much consequence (no offense meant) has been leaked. Do you KNOW that the Arbcom email archive was downloaded? -- Seth Finkelstein (talk) 00:05, 25 June 2011 (UTC)
- I can't speak for the other arbs, but I think all options need to be considered. Of course, that means any further archives (which to some, is rather necessary for us to do our jobs, especially when we do clarifications or amendments of past decisions) would be useless. I'm not going to rule anything in or out, however.. we're taking a Soup to nuts review of our current situation, both personally, as a committee, and working with the WMF. SirFozzie (talk) 23:52, 24 June 2011 (UTC)
- Good to know that you're on top of it. I brought up PGP because aside from giving a second layer of security -- PGP-encrypted email is left encrypted in the inbox, requiring a hacker to guess an extremely strong password before he could read any archived mail -- it would have an important additional benefit: PGP would allow arbitrators to send identity-validated communications to prevent a more intelligent and destructive hacker from impersonating an arbitrator. That hasn't yet happened, but it should be on our minds as a very real and very, very dangerous disaster scenario. I'm sure you'll reach out to anyone you think can help you implement the security measures you choose. Good luck. Regards, --causa sui (talk) 23:59, 24 June 2011 (UTC)
- Non-repudiation is among the least important of the security aspects of messages. Impersonating an arb gets one very little, and of that "very little", almost none could not be quickly reversed when the mischief was discovered. The bigger issue is the account compromise itself, which could lead to... WP:BEANS. Jclemens (talk) 06:24, 25 June 2011 (UTC)
- Well then, whichever security concern you think is most important, I'll say PGP is an elegant solution to it and leave it at that. :-) --causa sui (talk) 16:52, 25 June 2011 (UTC)
Re: Malleus
Malleus's comment is actually quite significant. It adds weight to the theory that this material comes from Iridescent's email account, not the Arbcom web archive. While this cannot be established definitively, there has been no evidence that the crack will create Wikileaks - Misplaced Pages Edition. And there's so many people who would like to have their names ego-searched over the Arbcom archive that if the entire archive was available, I strongly suspect much more would be posted. If we get WikipediaLeaks, I'll be wrong, but again, I would say that at this time, the breach appears highly contained. -- Seth Finkelstein (talk) 23:55, 24 June 2011 (UTC)
- At this point, we are unable to guarantee that. - Mailer Diablo 00:22, 25 June 2011 (UTC)
- Seth, the password to the archives was emailed to Iridescent, so whoever had access to the account had access to the archives, unless we know that Iridescent did not keep a copy of the password in that account. Two things: (1) I seem to recall from the last leak that the ArbCom agreed to stop emailing passwords, though I may be misremembering, and I can't now find those threads. (2) Are the developers able to see which IP addresses have accessed the archives recently, using which password? SlimVirgin 07:57, 25 June 2011 (UTC)
- As the leaker gained access to the archives, we have to assume that he downloaded them. Can the Committee tell us how far back the compromised archives go so we can judge the extent of the damage? SlimVirgin 07:52, 25 June 2011 (UTC)
- Mailman stores its archives as a single bundle; anyone who gains access to any part of the archive gains access to all of it. In the case of arbcom-l, this would include material going back to when the list was started (in 2004?); the archives have never been purged, although there have been repeated discussions about doing so. Kirill 11:16, 25 June 2011 (UTC)
- Earlier, the kind of material posted suggested to me that the poster did not have much. Even if there was a message with an archive password, I wondered if that message had been found before the archive password was changed. As more material has been posted, I'm reconsidering my original skeptical view. I may have been too restrictive in thinking about what someone would likely do if they had a full dump. Ironically, I've still yet to see something that really puts ArbCom in a scandalous light (it may yet happen, but hasn't so far). -- Seth Finkelstein (talk) 19:15, 25 June 2011 (UTC)
- Mailman stores its archives as a single bundle; anyone who gains access to any part of the archive gains access to all of it. In the case of arbcom-l, this would include material going back to when the list was started (in 2004?); the archives have never been purged, although there have been repeated discussions about doing so. Kirill 11:16, 25 June 2011 (UTC)
Looking around WR (not pleasant), there are now multiple threads posting what appear to be hacked e-mails. All of these threads are started by someone calling him/herself Maliceaforethought. I would guess that's the screen name of the hacker. Does that name ring any bells? --Tryptofish (talk) 14:31, 25 June 2011 (UTC)
- Other than the obvious one, you mean? I'm not aware of any obvious connections to anyone we know, although it's not that difficult to conceal that sort of thing.
- At this point, it's not really certain whether the user in question is the attacker himself—the material may have been handed off, à la Wikileaks—or even whether this is the work of a single attacker or of a group. Kirill 14:38, 25 June 2011 (UTC)
Is this really a disaster?
Sure, it's embarrassing for the arbitrators and discomforting for those who have been in communication with them on this list, but in a whole of project sense, just how much damage can be done? Miss E. Lovetinkle (talk) 11:45, 25 June 2011 (UTC)
- Our internal deliberations are not the main concern, in my opinion; as you suggest, their being published is more a cause for embarrassment than a real threat to the project. The larger issue is the various material (including evidence, complaints, requests for assistance, and so forth) submitted by other editors; in many cases, this correspondence includes personal information (real names, addresses, telephone numbers, ages) whose release could have negative consequences for editors and non-editors with no relation to the Committee.
- I remain hopeful, however, that the individual or individuals in possession of the archives will maintain their focus on the Committee itself, and will refrain from gratuitously exposing the personal information of the many innocent people who've written to us over the years. Kirill 12:12, 25 June 2011 (UTC)
- So why was this information never purged? Wasn't it absolutely inevitable that at one time or another it would be stolen and/or leaked? Why were people encouraged to write to ArbCom as if in confidence, when it was known that the probability of the information's remaining confidential would tend to zero over time?--Kotniski (talk) 13:32, 25 June 2011 (UTC)
- It's not possible to purge as it's not part of the Mailman functionality: you can either have archives or not. Profoundly unsatisfactory but there you are. Roger Davies 13:42, 25 June 2011 (UTC)
- (edit conflict) There are several problems with purging the archives; some of these have been alluded to above, but to recap:
- The software used for operating the mailing lists does not allow either selective archiving or modification of the archives after the fact; either the entire archive is retained, in its original form, or no archiving is done at all.
- Numerous proposals have been made to disable archiving entirely, but have never achieved consensus; this is primarily because some level of records retention is necessary to process appeals (particularly repeat appeals), clarifications, and similar matters where examining the content of previous discussions is necessary. It has been suggested that the personal archives maintained by individual arbitrators could serve this institutional memory purpose without the need for a central archive; but there were concerns that (a) no single arbitrator or former arbitrator has archives covering the Committee's entire history, that (b) personal archives could potentially be tampered with in subtle ways, and there would be no "master" copy to compare against, and that (c) this would unduly rely on former arbitrators, many of whom might be inactive or unwilling to share archives.
- An alternative option that was considered was the selective retention of particular discussions in some shared space (e.g. on the arbitration wiki) and the deletion of the original archive. This is something that is currently being done with CheckUser records, but would be prohibitively time-consuming for arbcom-l due to the immense volume of the archives; and there have been security concerns with the arbitration wiki as well.
- As far as inevitability is concerned, arbcom-l is not inherently any less secure than any other mailing list used by/for Wikimedia business. A determined attacker can eventually find a way to compromise a system of this sort—we'd need to disconnect it from the internet to truly make it secure—but the same is true of any online system. The only real way to ensure that private correspondence could never be leaked would be to prohibit the use of private correspondence in the first place; otherwise, any system open to remote access is potentially open to compromise. Kirill 13:57, 25 June 2011 (UTC)
- But if you keep the information only for as long as it's needed, it's possible but unlikely that it will be leaked. If you keep it for ever, the only question is how much time will elapse before it inevitably is leaked. If the software you use doesn't allow you to discard old information, then you're using the wrong software. And if you know (from common sense and past experience) that the information people send to a given address is highly likely to be leaked, you should at the very least make sure people are aware of that fact before writing to that address. --Kotniski (talk) 14:31, 25 June 2011 (UTC)
- Oh, we're well aware that Mailman is the wrong software; unfortunately, it's all that the WMF provides. We tried moving arbitration discussions to a non-WMF-hosted list at one point—thus the succession of "private" lists—but that was rather poorly received by the community, if you recall. Kirill 14:46, 25 June 2011 (UTC)
- But if you keep the information only for as long as it's needed, it's possible but unlikely that it will be leaked. If you keep it for ever, the only question is how much time will elapse before it inevitably is leaked. If the software you use doesn't allow you to discard old information, then you're using the wrong software. And if you know (from common sense and past experience) that the information people send to a given address is highly likely to be leaked, you should at the very least make sure people are aware of that fact before writing to that address. --Kotniski (talk) 14:31, 25 June 2011 (UTC)
- (edit conflict) There are several problems with purging the archives; some of these have been alluded to above, but to recap:
- People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. Miss E. Lovetinkle (talk) 13:38, 25 June 2011 (UTC)
- No it's not a requirement of ours but you'd be astonished what some people think is pertinant to tell us. Roger Davies 13:42, 25 June 2011 (UTC)
- Well given that I've just discovered where this stuff is being posted to, I think this might be a bit of a disaster. For you guys at any rate. Oh dear. There's some rancid stuff coming out. What the hell is the "functionaries" list? Apparently stuff from that is being released now. Miss E. Lovetinkle (talk) 13:46, 25 June 2011 (UTC)
- No it's not a requirement of ours but you'd be astonished what some people think is pertinant to tell us. Roger Davies 13:42, 25 June 2011 (UTC)
- People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. Miss E. Lovetinkle (talk) 13:38, 25 June 2011 (UTC)
- Is this a disaster? Looks like one to me. Off2riorob (talk) 13:36, 25 June 2011 (UTC)
- Well, given that we're told that almost the same thing happened in the past and absolutely nothing was done to prevent a repetition, this episode would appear to have revealed ArbCom as an institution to be almost criminally incompetent. I'd say it's a good thing that more people are now aware of that fact. --Kotniski (talk) 14:24, 25 June 2011 (UTC)
- The previous situation to which you refer was someone who had authorized access to the material releasing it in breach of trust. In this case, there was a breach of security - as could happen to any system connected to the Internet. –xeno 14:29, 25 June 2011 (UTC)
- So? The point remains that nothing was done to prevent or ameliorate a potential repetition, and people writing to the list were not warned that this was likely to happen. --Kotniski (talk) 14:34, 25 June 2011 (UTC)
- As I recall that's not correct, Xeno. There have been leaks before from the ArbCom list or wiki to WR, and we were told at the time that someone had hacked into something. SlimVirgin 15:25, 25 June 2011 (UTC)
- So? The point remains that nothing was done to prevent or ameliorate a potential repetition, and people writing to the list were not warned that this was likely to happen. --Kotniski (talk) 14:34, 25 June 2011 (UTC)
- The previous situation to which you refer was someone who had authorized access to the material releasing it in breach of trust. In this case, there was a breach of security - as could happen to any system connected to the Internet. –xeno 14:29, 25 June 2011 (UTC)
- Well, given that we're told that almost the same thing happened in the past and absolutely nothing was done to prevent a repetition, this episode would appear to have revealed ArbCom as an institution to be almost criminally incompetent. I'd say it's a good thing that more people are now aware of that fact. --Kotniski (talk) 14:24, 25 June 2011 (UTC)
You'll have to point me to that; they haven't been referenced yet in this discussion as far as I can tell. –xeno 15:30, 25 June 2011 (UTC)
- You might be referring to the arbitration wiki vulnerabilities (e.g. being able to determine the presence of pages based on the error reported, etc.), which led to new security measures being implemented on that wiki. There were earlier leaks from arbcom-l (before the removal of former arbitrators from the list), but those were believed to be deliberate leaks rather than technical compromise. Kirill 15:33, 25 June 2011 (UTC)
- I'm thinking in particular of email threads that were posted to WR about two particular editors. I don't want to name them here. My recollection of that is we were told the wiki had been hacked into, and there was talk then of changing the way passwords were generated or distributed. SlimVirgin 15:36, 25 June 2011 (UTC)
- I think we're talking about the same thing, then; but, as you mention, that was a compromise of the arbitration wiki, while the indication here is that the compromise is of an arbitrator's email account (and the subsequent use of materials found in that account to gain access to e.g. the mailing list archives). Kirill 15:41, 25 June 2011 (UTC)
- I'm thinking in particular of email threads that were posted to WR about two particular editors. I don't want to name them here. My recollection of that is we were told the wiki had been hacked into, and there was talk then of changing the way passwords were generated or distributed. SlimVirgin 15:36, 25 June 2011 (UTC)
- As I noted above, arbcom-l is not inherently any more insecure than any other mailing list; it's simply that its contents are likely a higher-value target, and the leaks from it are more widely publicized. The same warning could just as legitimately be applied to any Wikimedia/Wikipedia list—or the private email of anyone involved in Misplaced Pages, for that matter. I'm assuming that people don't need a warning that "anything you post on the internet could potentially be exposed" when they go online? Kirill 14:43, 25 June 2011 (UTC)
- You're just not getting it. I was assured by Iridescent that our correspondence would remain confidential, and it wasn't. The mailing list itself claimed to be confidential and it wasn't. But all I see here is empty bleating and no real explanation, and I've got no doubt that's the way it'll stay. What will it take to wake you guys up? Malleus Fatuorum 14:50, 25 June 2011 (UTC)
- As I noted above, arbcom-l is not inherently any more insecure than any other mailing list; it's simply that its contents are likely a higher-value target, and the leaks from it are more widely publicized. The same warning could just as legitimately be applied to any Wikimedia/Wikipedia list—or the private email of anyone involved in Misplaced Pages, for that matter. I'm assuming that people don't need a warning that "anything you post on the internet could potentially be exposed" when they go online? Kirill 14:43, 25 June 2011 (UTC)
Quite. Until this all came out, the banner at the top of this page specifically invited people to send private material to this address. Despite you knowing that much material sent to the address had already been leaked, and that nothing had changed that would prevent the same thing happening again. The committee was effectively lying to the public in order to protect its own image.--Kotniski (talk) 14:56, 25 June 2011 (UTC)
- Presumably you're referring to our image of being a cabal and doing everything behind closed doors? Why in the world would we want to protect that, of all things? We'd much prefer it if we had a reputation for transparency.
Having said that, our work does require us to handle some things in a non-public fashion—most of them incoming correspondence from people who would prefer that it not be published. The measures we took to safeguard our correspondence were those that were reasonable (i.e. did not pose an undue hardship on our work) and feasible (i.e. could be implemented given the very limited resources available—recall that the Committee has no funding with which to procure a more sophisticated security infrastructure). It is unfortunate that these measures were not sufficient to prevent a compromise; but that does not mean that they were not appropriate ones, given the applicable constraints. Kirill 15:16, 25 June 2011 (UTC)
- You don't need funding to stop the continued distribution of old private e-mails to new recipients. You just need an ounce of common sense. I find it sick that arbitrators not only allowed this to happen, but are now pretending that they couldn't reasonably have done anything about it. This mailing list should never have been described as private, given the way it was managed. You guys had a serious duty to people; you failed in that duty - though I don't blame anyone personally, the excuses that have been presented are absolutely pathetic. (Not to mention the other issue, the apparent revelations about the way arbitrators have been discussing editors behind their backs.)--Kotniski (talk) 19:28, 26 June 2011 (UTC)
It's worth noting that in the European Union at least, data breaches of this kind can be and have been criminally prosecuted - not just the person responsible for the breach but the people or organisations who failed to secure the data in the first place. The arbitrators and the WMF need to be conscious that this is not just an embarrassment, this is potentially something for which they could face civil and criminal legal consequences as individuals and collectively. There needs to be a radical change to the way they handle private data. At the very least, the current archives need to be shut down and taken offline until there is a secure access system in place - and that needs to be signed off by outside specialists, not just Coren. Prioryman (talk) 14:40, 25 June 2011 (UTC)
- The focus on security misses an important point. A lot of this material shouldn't be posted and archived in the first place, because it's just Arbs gossiping about editors, barely related or entirely unrelated to arbitration. Yet every year more members are sent a password to access it, which is spreading the damage, even without the leaks. SlimVirgin 15:31, 25 June 2011 (UTC)
- It's really quite shocking that it looks like Arbcom is using some kind of antique archives and sending the password out via e-mail. I swear, we have better security in place at the library where I work. Kirill's point about the lack of funding to set up better security is something that has to be resolved, immediately. A project of this size and importance demands it. --Diannaa (talk) 15:50, 25 June 2011 (UTC)
- I suspect it's not so much a lack of funding, but an instutionalized lack of common sense - among arbitrators, among people at the WMF, and among us all, who tolerate a dispute-resolution and privacy-protection system that is obviously failing in so many different ways (partly because those two systems have been rolled into one).--Kotniski (talk) 19:34, 26 June 2011 (UTC)
- It's really quite shocking that it looks like Arbcom is using some kind of antique archives and sending the password out via e-mail. I swear, we have better security in place at the library where I work. Kirill's point about the lack of funding to set up better security is something that has to be resolved, immediately. A project of this size and importance demands it. --Diannaa (talk) 15:50, 25 June 2011 (UTC)
- Obviously what happened was terrible and can't be defended. But I hope that this incident can spur a discussion of Arbcom's transparency. There was a lot of complaining from both sides in the Climate Change arbitration that Arbcom was excessively opaque, failed to give guidance to the parties, and that generally everything seemed to be happening behind closed doors, so to speak. Arbcom also needs to advise persons writing to it in the future, no matter what "security precautions" are put in place, that it cannot assure the confidentiality of emails to the arbitrators. ScottyBerg (talk) 16:21, 25 June 2011 (UTC)
Action plans
It seems there are an awful lot of leaks in the news this week ... I hope this is at the very least a wakeup call and I hope the ArbCom will keep the community updated on the status of any technical/security changes that will be occurring in the near future. /ƒETCHCOMMS/ 16:33, 25 June 2011 (UTC)
- I can confirm that we are accelerating the action plans that we had in place to address the mailing list archives, as well as re-evaluating these plans based on the nature of this breach. –xeno 16:45, 25 June 2011 (UTC)
- So what was the nature of this breach? What exactly was hacked into? Iridescent's email account? Is that the claim? Malleus Fatuorum 17:14, 25 June 2011 (UTC)
- Based on the information we have to date, yes, that appears to have been the case. Kirill 17:17, 25 June 2011 (UTC)
- How confident are you that no other arbitrators' email accounts have been equally compromised? Malleus Fatuorum 17:20, 25 June 2011 (UTC)
- It's difficult to prove a negative, obviously; but there has been no evidence that indicates any other compromise, and a number of arbitrators have implemented additional security measures (e.g. two-factor authentication) to reduce the risk of a similar compromise in the future. Kirill 17:23, 25 June 2011 (UTC)
- How confident are you that no other arbitrators' email accounts have been equally compromised? Malleus Fatuorum 17:20, 25 June 2011 (UTC)
- Based on the information we have to date, yes, that appears to have been the case. Kirill 17:17, 25 June 2011 (UTC)
- So what was the nature of this breach? What exactly was hacked into? Iridescent's email account? Is that the claim? Malleus Fatuorum 17:14, 25 June 2011 (UTC)
The point though is that if you're wrong then this is nothing more than an irrelevant side show. Why would Iridescent have been the only arbitrator to have been targetted? Malleus Fatuorum 17:26, 25 June 2011 (UTC)
- You are right that we can't rule anything out at this point - though as indicated by Coren above at #The story so far - the information that we do have available does suggest a breach of an arbitrator's email account that allowed the intruder or intruders to access nearly all of the arbitration-related mailman lists (and archives thereof). It is entirely possible that more than one arbitrator was targeted; all arbitrators have changed or will be changing all their Misplaced Pages-related passwords as a precaution and are taking further steps to secure their personal infrastructures. Moreover, any arbitrators who are inactive and have not confirmed that this has been done have been or will be removed from the mailing lists as a further precaution. –xeno 17:30, 25 June 2011 (UTC)
- Confirmed it how? From a compromised email account? Malleus Fatuorum 17:36, 25 June 2011 (UTC)
- We have been verifying that the right people are in control of their email accounts via offline methods (voice-to-voice, and so forth). –xeno 21:17, 25 June 2011 (UTC)
- (edit conflict) I have no idea. It's possible that Iridescent was deliberately targeted for some reason, whether related to his security profile or something totally different; or that multiple arbitrators were targeted and Iridescent was simply the first one compromised; or even that the evidence we found of Iridescent's account being compromised was deliberately planted to conceal a completely different attack vector. Unfortunately, it's somewhat speculative unless we (and by "we" I mean the people looking at the audit trail, not necessarily the Committee) can find additional evidence to point in one direction or the other. Kirill 17:33, 25 June 2011 (UTC)
- Malleus: One of the first things we did when we found out about the leaks is in general for all of us to look at our own security.. several of us use a service which maintains a log of IP addresses used to access those accounts (which is set to alert us should any unusual IP address access our accounts). The first thing I did, and I know that at least several other Arbs have done is to immediately change ALL our passwords (even for stuff not Wiki-related).. just in case. As Kirill says, however, it's hard to prove a negative. SirFozzie (talk) 17:41, 25 June 2011 (UTC)
- (edit conflict) I have no idea. It's possible that Iridescent was deliberately targeted for some reason, whether related to his security profile or something totally different; or that multiple arbitrators were targeted and Iridescent was simply the first one compromised; or even that the evidence we found of Iridescent's account being compromised was deliberately planted to conceal a completely different attack vector. Unfortunately, it's somewhat speculative unless we (and by "we" I mean the people looking at the audit trail, not necessarily the Committee) can find additional evidence to point in one direction or the other. Kirill 17:33, 25 June 2011 (UTC)
- We have been verifying that the right people are in control of their email accounts via offline methods (voice-to-voice, and so forth). –xeno 21:17, 25 June 2011 (UTC)
- Confirmed it how? From a compromised email account? Malleus Fatuorum 17:36, 25 June 2011 (UTC)
This is probably just stating the obvious, but if the way the attacker gained access to Iridescent's (or anyone else's) e-mail account was by installing a keylogger on a computer they regularly use, changing all of their passwords isn't going to be enough to stop the problem. When my online accounts were broken into using this method years ago, the person attacking me was able to use the keylogger to re-record my password every time I changed it. --Captain Occam (talk) 19:27, 25 June 2011 (UTC)
- Well, that too.. but I run Spybot S&D every few days already, so it was just a matter of bumping up the check here :/ SirFozzie (talk) 21:24, 25 June 2011 (UTC)
- There are ways of hiding these programs so that virus scanners can’t detect them, using things like rootkits and hidden user accounts. (Which is what happened to me.) It all depends on how skilled and determined the attacker is. I wish I could give more specific advice about how to detect them in those cases, but it depends on the operating system and the method of attack that was used.
- This is one of the reasons why I think it’s important for Iridescent to figure out how their e-mail account was broken into. When an attacker knows what they’re doing, these sorts of routine security measures like changing passwords and running virus scanners aren’t very effective, because they’re not all that difficult for a sophisticated attacker to anticipate and thwart. The only way to make sure a vulnerability has been closed is to determine exactly how the attacker got in, and make sure you’ve changed whatever it is that made it possible. --Captain Occam (talk) 23:05, 25 June 2011 (UTC)
The most obvious "action plan" would be for all Arbitrators and functionaries to be given @wikipedia.org mail accounts that are to be used only for "company business", and to configure those accounts carefully. OTOH, having read a good bit of the "leaks", perhaps a better solution might be to always talk in public, since everything I've seen seems to be about some people trying to manipulate other people, which isn't really such a great thing for the ideals that most people in this community seem to ascribe to. --SB_Johnny | 19:20, 25 June 2011 (UTC)
- I've been reading too, and it's clear that a significant amount of the material clearly could not ever have been discussed in public (I already knew about some of it, but that's not quite the same thing.) I do take your point that private musings about public disputes can, and probably should, be reduced, but there is still a place for private discussion. And in addition, it's extremely hard to know where to draw the line; or to enforce such a line. Every time an arb says privately on the arb list "hey, you know that's just like that other guy SomeName who acted just like this two years ago", another arb has to say "you can't say that here" ? It's tricky. --Demiurge1000 (talk) 21:18, 25 June 2011 (UTC)
- Very little of what's appeared so far is of genuine concern wrt privacy. It's not really even the case that the arbs themselves look all that bad, for the most part. It's more the outsiders who are mailing the list with material that seems to be aimed at making rather petty political gains that are being embarrassed here, and quite frankly I think that the committee would do better by themselves and by the project at large if they would strongly discourage that (and better yet, not spend time discussing it).
- I don't see any reason to doubt that the arbitrators are in any way not acting in good faith and out of high ideals, but it's pretty clear that there's some unhealthy groupthink, and that groupthink is likely encouraged when non-arbitrators throw dirty laundry at them. --SB_Johnny | 11:32, 26 June 2011 (UTC)
- "Very little of what's appeared so far is of genuine concern wrt privacy." What? I haven't even bothered reading more than a small fraction of the material that's appeared so far, and even offhand I can think of three separate instances of serious breaches of privacy that would be of great concern to the three people concerned. (I am not talking of things like people's private email addresses being exposed, although such people do still have every right to be annoyed.) So yes, some of what's appeared is very much of genuine concern wrt privacy.
- And then of course there's all the material that hasn't appeared so far, but is assumed to be in the hands of the hacker. --Demiurge1000 (talk) 14:41, 26 June 2011 (UTC)
- "The hacker" has been fairly selective in his leaking, and has made an open and straightforward effort to comply with The Review's privacy policy, which is aimed narrowly at preventing harm, rather than enabling bad behavior (which WP's policy does, if inadvertently). "The hacker" is doing things you don't like, but he's been more or less ethical about it so far. More will be coming out, of course. Give credit where credit is due, and look for the opportunity to learn from this. --SB_Johnny | 23:39, 26 June 2011 (UTC)
- SG followup
First, I smell socks having fun on this page. Second, could an arb in contact with Iri please ascertain if he e-mailed me from yahoo on June 10? The answer to that question might point to the intruder. Thirdly, best wishes to Iri and Malleus, who has every right to be bugged as heck. Finally, I raised a very long time ago the issue that new arbs should not have access to archived info before their term, particularly in very sensitive cases. Because the entry bar to ArbCom was lowered by the RFC two years ago, and because new arbs can access old cases, I no longer write to ArbCom. SandyGeorgia (Talk) 23:46, 25 June 2011 (UTC)
More Material
- Moved them
Just to let you know, WR moved all of the threads related to this into a subforum under bureaucracy. That's something at least, since they won't be Google-indexed now. Silverseren 01:27, 26 June 2011 (UTC)
- That subforum looks like it's indexed . –xeno 13:05, 27 June 2011 (UTC)
Seeing the latest post of Malice is the stuff relating to Jossi from 2009.... This clearly goes further than simply Iri's or Chase Me accounts being compromised. This suggests Malice either had full access to everything and got a dump of it all or still has access to it all. The Resident Anthropologist (talk)•(contribs) 16:49, 26 June 2011 (UTC)
- Yes, it appears the mail archives were compromised, which date back to July 2005. We're still not sure if Chase Me's account was hijacked - the blocking was done as a preventative measure, and we're trying to get in touch with him. PhilKnight (talk) 17:07, 26 June 2011 (UTC)
- what about Panyd and has anyone tried her? The Resident Anthropologist (talk)•(contribs) 17:28, 26 June 2011 (UTC)
- It appears from the section below that Chase me has been in contact with someone from ArbCom. RxS (talk) 19:53, 26 June 2011 (UTC)
- what about Panyd and has anyone tried her? The Resident Anthropologist (talk)•(contribs) 17:28, 26 June 2011 (UTC)
- It also appears that money changed hands at some point, regardless of where the data originated. Don't know what it means...RxS (talk) 02:20, 27 June 2011 (UTC)
Chase me ladies, I'm the Cavalry de-adminned
This issue is now addressed and permissions returned to Chase me ladies, I'm the Cavalry |
---|
The following discussion has been closed. Please do not modify it. |
From what I've gathered, Iridescent is being blamed for this arbcom-l leak. It looks like Chase me ladies, I'm the Cavalry has had his on-wiki rights removed, though (and there doesn't seem to be any mention of him on this page). What's the story there? --MZMcBride (talk) 21:08, 25 June 2011 (UTC)
How does MZM know the emails came from Iri's account? Cool Hand Luke 23:13, 25 June 2011 (UTC)
So my point is, if MZM cannot prove the location of the breach, is it not prudent to cut all unspoken-for logins from the source of, say, the CU logs? I mean, MZM is currently discussing how such logs could be most gainfully published, but I am sure he can imagine the perspective of people who would be horrified by it. Yes? Cool Hand Luke 01:56, 26 June 2011 (UTC)
|
Privacy
In the RH__u case, many asked that all correspondence be made available.
WR's malicious publication of stolen correspondence shows the imprudence and callousness of that demand, which could have led to a death or serious injury.
Let us hope that WR remove the stolen correspondence ASAP, probably to reduce their liability.
Some commentators may wish to retract some of their statements and criticisms of ArbCom during the RH_u case. Sincerely, Kiefer.Wolfowitz 23:29, 25 June 2011 (UTC)
- I've been following this whole thing, and I think this would be as good a place as any to add my two cents. In the year or so that I've been active in this community, I've heard a lot of moaning about how ArbCom is an incompetent mess. Regardless of the merits of the decisions of individual cases, and even the process by which this batch of information was acquired, I think that the one thing that stands out to me is the sheer amount of crap (that refers to both quantity and quality) that must be decided behind the scenes. Obviously, I won't mention any specific cases/leaks, but certain situations just make me wonder how else they could have been resolved without...well... Anyway, I'm sure the Committee will take a lot of flak for certain things but, I guess that if you haven't been there, you don't know what it's like. Just something to remember -- Nolelover 00:09, 26 June 2011 (UTC)
- ArbCom was correct in that decision, and I have no serious complaints about any decision I've reviewed. Emphatically, Kiefer.Wolfowitz 00:13, 26 June 2011 (UTC)
- Thank you both for your kind words. It means a lot to us right now. Jclemens (talk) 00:24, 26 June 2011 (UTC)
- Agreed. Thanks. SirFozzie (talk) 00:57, 26 June 2011 (UTC)
- Thank you both for your kind words. It means a lot to us right now. Jclemens (talk) 00:24, 26 June 2011 (UTC)
- ArbCom was correct in that decision, and I have no serious complaints about any decision I've reviewed. Emphatically, Kiefer.Wolfowitz 00:13, 26 June 2011 (UTC)
- 1) To be fair, at the time, those who "asked that all correspondence be made available" could have no idea of what was going on behind the scenes.
- 2) Agreed, ArbCom does come out ahead here. Politically, I'd say it's got a major "sympathy backlash" benefit.
- 3) Life's complicated. Sometimes "National Security" really is about national security. Sometimes it's about covering up corruption. How do you tell beforehand?
- -- Seth Finkelstein (talk) 01:43, 26 June 2011 (UTC)
- Dear Seth,
- A number of alarming statements were publicized on Misplaced Pages and cited (perhaps too much) during the discussion, as others noted at the time. These statements were denied by those mis-characterizing solidarity as paternalism (or mistaking the "hands-on imperative" for the categorical imperative ...). This episode needs to be remembered in future discussions of vulnerable persons, especially minors.
- Nobody has claimed "national security" or denied life's complexity. Nobody has even alleged that this ArbCom has conducted "cover ups", so the relevance of your third point escapes me. Kiefer.Wolfowitz 02:03, 26 June 2011 (UTC)
- Sigh. I used the cliche "National Security" as a way of making the intended point distanced from current emotional issues. The idea is that when a person in power says "We are keeping this information confidential because of (national security, privacy, delicate personal matters, etc.), sometimes that is the truth, but sometimes it is an excuse. HOW CAN YOU TELL? A liar is always going to say that he or she is telling the truth and has someone's best interests at heart. So it doesn't help much to have an instance where people were shown to be telling the truth. The question is what one does when faced with a story. One can't always believe power, as then cover-ups will go uninvestigated. -- Seth Finkelstein (talk) 02:18, 26 June 2011 (UTC)
- I'm old enough to remember Oliver North's surprise that the emails he thought he'd deleted weren't really gone after all. We're all old enough to remember Wikileaks. Emails aren't secure. Even diaries can be subpoenaed. Whatever we write, even our most personal thoughts, can turn up in public. The point being that no one should write an email, especially one that goes to a mailing list, which includes anything they'd be embarrassed to see made public. I suggest that ArbCom members should avoid using disparaging nicknames or making comments, even in "private" conversations. That said, in the little I've seen of the leaked documents the ArbCom seems to maintain their professionalism even when discussing problem users. Will Beback talk 04:49, 26 June 2011 (UTC)
- My company basically says the same thing about e-mails. Even so, if someone has betrayed the trust of arbcom here and/or hacked into it, a few snippy comments are a small problem by comparison. ←Baseball Bugs carrots→ 05:05, 26 June 2011 (UTC)
- Sigh. I used the cliche "National Security" as a way of making the intended point distanced from current emotional issues. The idea is that when a person in power says "We are keeping this information confidential because of (national security, privacy, delicate personal matters, etc.), sometimes that is the truth, but sometimes it is an excuse. HOW CAN YOU TELL? A liar is always going to say that he or she is telling the truth and has someone's best interests at heart. So it doesn't help much to have an instance where people were shown to be telling the truth. The question is what one does when faced with a story. One can't always believe power, as then cover-ups will go uninvestigated. -- Seth Finkelstein (talk) 02:18, 26 June 2011 (UTC)
Notification of this compromise to personal information
I think the discussions here are sufficient to conclude that the information that has been publicly leaked is genuine. There seem to be suggestions that still more information could have been accessed before the leak was plugged, so there may be more disclosures yet to come. Given that ArbCom receives private and personal information from editors and others, and may be privy to private information related to Misplaced Pages (alternate accounts, real names, email addresses, etc), it seems that it is incumbent on ArbCom and/or the WMF to alert editors that their personal information may be or may already have been revealed. I don't mean this in a legal sense, although I am not certain that the privacy laws of some countries would not come into play in this instance. The have been several high-profile data breaches recently and one of the lessons that should have been learned from those incidents is that it is important to alert users quickly to allow them to take whatever steps are necessary to protect their privacy and security.
Now that the barn door is locked and the horses bolted, it may be wise to let some people know that those unsightly horses that they thought were safely hidden away may be popping up in public places soon. At the very least, I would have hoped that there would have been a site-wide announcement by now. It should be fairly easy to send out a message to every account that has emailed ArbCom to let them know that those emails may soon become public. Legal issues aside, I think the WMF has a responsibility to minimize the damage that this leak may cause others. Delicious carbuncle (talk) 15:35, 26 June 2011 (UTC)
- Click the "Reply to all" option in the Email sever? The Resident Anthropologist (talk)•(contribs) 17:34, 26 June 2011 (UTC)
- I have absolutely no doubt that information leaked so far is genuine. Malleus Fatuorum 22:09, 26 June 2011 (UTC)
- A site-wide message might be overkill and mistargeted (in particular, affected people may not be editing now, or ignore an unspecific message). But I would agree that it would be prudent (if understandably painful) to notify people who have emailed to the list, that their emails may become public due to a data-breach. Though this sort of thing should be run by staff counsel for the particulars of the message, so a short delay for legal review would be understandable. -- Seth Finkelstein (talk) 23:58, 26 June 2011 (UTC)
- I haven't done a side-by-side comparison, but I'm not aware of any discrepancies. A message for the ArbCom noticeboard has been drafted and is awaiting approval. PhilKnight (talk) 00:00, 27 June 2011 (UTC)
- That is a good start, PhilKnight, but what steps are being taken to directly notify editors (most of whom are unlikely to be watching that noticeboard) and individuals outside of Misplaced Pages who may have contacted ArbCom? Delicious carbuncle (talk) 11:53, 27 June 2011 (UTC)
- I haven't done a side-by-side comparison, but I'm not aware of any discrepancies. A message for the ArbCom noticeboard has been drafted and is awaiting approval. PhilKnight (talk) 00:00, 27 June 2011 (UTC)
- Indeed, my personal impression is that of what's been published, any editing that has been done has been to remove "the boring bits". The majority of Arbcom-L traffic is substantially more mundane than what's been posted, being routine "can the last two of you vote?" or "I agree with that wording" or "Someone besides me want to respond?" sorts of things. I've not read everything posted, but I haven't seen myself misquoted yet. Jclemens (talk) 02:29, 27 June 2011 (UTC)
- The only thing I've noticed is a few missing headers which make it unclear who is saying what. –xeno 02:35, 27 June 2011 (UTC)
- Indeed, my personal impression is that of what's been published, any editing that has been done has been to remove "the boring bits". The majority of Arbcom-L traffic is substantially more mundane than what's been posted, being routine "can the last two of you vote?" or "I agree with that wording" or "Someone besides me want to respond?" sorts of things. I've not read everything posted, but I haven't seen myself misquoted yet. Jclemens (talk) 02:29, 27 June 2011 (UTC)
Legal action
If/once the intruder is identified, could the WMF be pursuing legal action against the responsible party or parties? Or is this not a possibility at all? I'm not familiar with the relevant U.S. and state laws, but would the WMF even be an involved party in this, and is Geoff Brigham going to make any statement about this soon? /ƒETCHCOMMS/ 01:18, 27 June 2011 (UTC)
- Fetchcomms brings up an important point. I may have missed it, but if the WMF General Counsel, Geoff Brigham, has not yet commented regarding this illegal action, then he should be asked to make a statement to inform the community regarding the WMF legal position regarding this matter. I also feel that ArbCom deserves praise and support during this stressful period. Jusdafax 01:56, 27 June 2011 (UTC)
- WMF has made Geoff aware of the situation, and we've been told there's going to be a big meeting on Monday on how to proceed. Jclemens (talk) 02:25, 27 June 2011 (UTC)
- I can confirm that Geoff is aware. Beyond that, I don't know much. Philippe Beaudette, Wikimedia Foundation (talk) 03:48, 27 June 2011 (UTC)
- ArbCom deserves praise and support?! Amazing. They've failed in one of their two fundamental duties, despite having the benefit of one lot of hindsight; and they don't even seem to understand what they've done wrong (or even that they have done anything wrong). These guys doubtless mean well, but they were way out of their depth here, and the complete lack of contrition displayed here by some of the most long-standing arbs is (or would be, if it wasn't what we've come to expect) really astounding.--Kotniski (talk) 06:36, 27 June 2011 (UTC)
- Anyone can be hacked these days, my friend, even the US Government and the biggest corporations in the world... Considering none of the ArbCom members make a dime off their stressful, time-consuming work, my statement stands. I don't know you, nor your history, but I find it doubtful you are a past member of ArbCom. Do you think it possible, on reflection, that moderation and the key WP concept of Agf might be the path of wisdom? To put it perhaps a bit more harshly, your comment is less than helpful, at best. Jusdafax 07:21, 27 June 2011 (UTC)
- As I say, they mean well - I'm not disputing their good faith. But it's not the fact they were hacked that I'm complaining about - it's the fact that they knew (or should have known) they were going to get hacked, and still carried on (and let others carry on) as if they weren't.--Kotniski (talk) 07:27, 27 June 2011 (UTC)
- First of all, I'm very pleased that counsel is now involved. Second, what Jusdafax said. I agree entirely, and would add to it. My heart goes out, deeply, to those members of our community whose privacy has been violated. To those members whose privacy was not violated, but who are nonetheless taking shots at the Committee, please let me point out that there is a good supply of digital white space in this talk, where you may choose to post your user name, followed by your real life name, e-mail address, phone number, street address, and perhaps some additional information about your medical records, employment, and family members. If that doesn't ring your bell, then perhaps you will observe that the news is full of other organizations that have also been hacked in recent days, many of them no slouches with respect to security, and furthermore that every single one of our Arbitrators is an unpaid volunteer doing a rather thankless job. I've read some of the stuff that was leaked. There have been cases that I followed on-Wiki where I have wondered whether the Arbs recognized various things for the garbage that it was. I now know that they did. Good for you! In my personal opinion, the current members of the Committee actually come across very well in what I saw, although some past members and some non-members come across rather badly. In time, we are going to learn some things about how to make the Committee work better (pity that this happened just after the completion of the policy revision). But for now, the Committee deserves the community's understanding and support. --Tryptofish (talk) 13:58, 27 June 2011 (UTC)
- I don't understand why you start by sympathizing (rightly) with those whose privacy has been violated, but somehow end by saying how much we should be supporting those whose collective complacency and incompetence (see multiple threads on this page) largely brought about that violation. --Kotniski (talk) 16:57, 27 June 2011 (UTC)
- I promise you that I've read all those threads. With respect, if you still conclude "incompetence", then I have to agree with you that you do not understand. --Tryptofish (talk) 23:13, 27 June 2011 (UTC)
- If your job description includes handling private information, then you're incompetent if you continue to invite people to send such information to an address which (from past experience and common sense) is known to have critical unresolved security issues. And it's not so much a criticism of the individuals (though one might have hoped that lightbulbs might have sparked in at least some of their heads), but of the system, which places important professional tasks in the hands of clueless amateurs.--Kotniski (talk) 10:53, 28 June 2011 (UTC)
- Kotniski, your admirable frankness has unfortunately turned into personal attacks against ArbCom, whom we all elected. What good does your name calling these volunteers do? Kiefer.Wolfowitz 11:05, 28 June 2011 (UTC)
- Haven't you noticed - I haven't name-called anyone, and deliberately so. I have made no personal attacks, just an "institutional attack" if you like, against a Misplaced Pages institution that has seriously fouled up and deserves (for all our sakes, including its members') to be recognized clearly as having done so.--Kotniski (talk) 11:15, 28 June 2011 (UTC)
- Kotniski, your admirable frankness has unfortunately turned into personal attacks against ArbCom, whom we all elected. What good does your name calling these volunteers do? Kiefer.Wolfowitz 11:05, 28 June 2011 (UTC)
- If your job description includes handling private information, then you're incompetent if you continue to invite people to send such information to an address which (from past experience and common sense) is known to have critical unresolved security issues. And it's not so much a criticism of the individuals (though one might have hoped that lightbulbs might have sparked in at least some of their heads), but of the system, which places important professional tasks in the hands of clueless amateurs.--Kotniski (talk) 10:53, 28 June 2011 (UTC)
- I promise you that I've read all those threads. With respect, if you still conclude "incompetence", then I have to agree with you that you do not understand. --Tryptofish (talk) 23:13, 27 June 2011 (UTC)
- I don't understand why you start by sympathizing (rightly) with those whose privacy has been violated, but somehow end by saying how much we should be supporting those whose collective complacency and incompetence (see multiple threads on this page) largely brought about that violation. --Kotniski (talk) 16:57, 27 June 2011 (UTC)
- First of all, I'm very pleased that counsel is now involved. Second, what Jusdafax said. I agree entirely, and would add to it. My heart goes out, deeply, to those members of our community whose privacy has been violated. To those members whose privacy was not violated, but who are nonetheless taking shots at the Committee, please let me point out that there is a good supply of digital white space in this talk, where you may choose to post your user name, followed by your real life name, e-mail address, phone number, street address, and perhaps some additional information about your medical records, employment, and family members. If that doesn't ring your bell, then perhaps you will observe that the news is full of other organizations that have also been hacked in recent days, many of them no slouches with respect to security, and furthermore that every single one of our Arbitrators is an unpaid volunteer doing a rather thankless job. I've read some of the stuff that was leaked. There have been cases that I followed on-Wiki where I have wondered whether the Arbs recognized various things for the garbage that it was. I now know that they did. Good for you! In my personal opinion, the current members of the Committee actually come across very well in what I saw, although some past members and some non-members come across rather badly. In time, we are going to learn some things about how to make the Committee work better (pity that this happened just after the completion of the policy revision). But for now, the Committee deserves the community's understanding and support. --Tryptofish (talk) 13:58, 27 June 2011 (UTC)
- As I say, they mean well - I'm not disputing their good faith. But it's not the fact they were hacked that I'm complaining about - it's the fact that they knew (or should have known) they were going to get hacked, and still carried on (and let others carry on) as if they weren't.--Kotniski (talk) 07:27, 27 June 2011 (UTC)
- Anyone can be hacked these days, my friend, even the US Government and the biggest corporations in the world... Considering none of the ArbCom members make a dime off their stressful, time-consuming work, my statement stands. I don't know you, nor your history, but I find it doubtful you are a past member of ArbCom. Do you think it possible, on reflection, that moderation and the key WP concept of Agf might be the path of wisdom? To put it perhaps a bit more harshly, your comment is less than helpful, at best. Jusdafax 07:21, 27 June 2011 (UTC)
- WMF has made Geoff aware of the situation, and we've been told there's going to be a big meeting on Monday on how to proceed. Jclemens (talk) 02:25, 27 June 2011 (UTC)
DMCA for emails?
Could one of you arbitrators issue a DMCA notice to Misplaced Pages Review? Nyttend (talk) 01:20, 27 June 2011 (UTC)
- Does the Committee own the copyright? Or do the individuals who corresponded own copyright to the individual emails? In the first case, how did the committee acquire the copyright? In the second, wouldn't the individual senders be required to initiated the DMCA take downs? And then who gave the committee permission to archive the emails, and if the emails were licensed under terms open enough for the committee to archive and redistribute the emails, are you sure that Misplaced Pages review can't post them too? In the future, if an email is forwarded to the committee and the original sender DMCA's the committee, would the committee be willing to remove the email from the archives, would they even have the technical capability? Would DMCAing the emails attracted broader media attention? Would it do any good? The whole DMCA thing seems like an enormous can of worms that perhaps should go unopened. Monty845 01:34, 27 June 2011 (UTC)
- I'm sure WMF is looking at all their options in this case. The Resident Anthropologist (talk)•(contribs) 01:37, 27 June 2011 (UTC)
- Attention all WR folks: About a million years ago, I Opposed one RfA based largely on the fact that the nominee was a WR regular. Many WR folks (some well-known and respected here) chimed in and said how valuable WR is. I was taken aback at the rush to defend WR. HERE IS YOUR CHANCE TO BE MATURE AND RESPONSIBLE. JUST DON'T LET ANYONE PUBLISH PRIVATE MATERIAL. delete immediately. Ban user who posts. That is the only adult thing to do, and the only ethical thing. All else is shameless, in the truest sense of the word. 'Nuff said. – Ling.Nut 01:41, 27 June 2011 (UTC)
- That's just bollocks Ling.Nut. Malleus Fatuorum 01:53, 27 June 2011 (UTC)
- I agree with MF, let's not over-react.--SPhilbrickT 15:15, 27 June 2011 (UTC)
- Clarifying: I thought you calling for a ban (from Misplaced Pages) of anyone who posts (at WR). I now see you were talking more narrowly about the single person who was posting the ArbCom communications. Sorry, my intention was to avoid an over-reaction, and I may have inadvertently contributed to one.--SPhilbrickT 11:57, 28 June 2011 (UTC)
- I'm sure WMF is looking at all their options in this case. The Resident Anthropologist (talk)•(contribs) 01:37, 27 June 2011 (UTC)
Breaking my rule for not using humor on Misplaced Pages discussions: Oh, please, please, send a DMCA notice to Misplaced Pages Review. This whole dull, dreary, tawdry, mostly downright boring event, desperate needs some fireworks and popcorn. I can think of little that would liven it up better than the prospect of some good old fashioned CENSORSHIP flames, where everyone can smugly rant STREISAND EFFECT !!!. The media narrative desperately needs to be changed, from "Evil cracker breaks into confidential archives, yielding only painful personal material and showing people trying to handle very difficult issues with laudable sensitivity", to "Misplaced Pages administrators try to cover-up embarrassing revelations, using legal threats, but they will be defeated by the forces of freedom on the Internet - wiki-wikileaks forever!". Yes, yes, critics everywhere will thank you for this, do it now, bloggers are standing by. -- Seth Finkelstein (talk) 02:08, 27 June 2011 (UTC)
- ^ ResidentAntropologist 03:00, 27 June 2011 (UTC)
- To comment on the legal merits: the WMF doesn't hold the copyrights to the emails, and the Arbitration Committee isn't a legal entity, so a DMCA request would be incumbent on the individuals involved. The emails definitely are not licensed for usage such as posting at WR. However I do not think that such a takedown action would be likely to be effective or expedient. Der Wohltemperierte Fuchs 20:09, 27 June 2011 (UTC)
- Seth is correct here (Not often that I'm going to say that). As of right now, this is getting no coverage or attention. If anyone tries to remove the material it is going to get a lot more. Just the way the internet works. JoshuaZ (talk) 01:12, 28 June 2011 (UTC)
- Since I don't frequent any Misplaced Pages-related websites except for ones operated by the WMF, I saw the firestorm that's erupted here and misinterpreted it as an indication that this was already all over the Internet. Anyway, of course Arbcom doesn't hold copyrights; that's why I said "one of you arbitrators". Nyttend (talk) 11:40, 28 June 2011 (UTC)
Enquiries are continuing
At time of writing, we have not established the source of the data theft though our investigations are continuing. There is no reason to suppose that either Iridescent or Chase Me were responsible. In the meantime, the committee is looking at various options. Roger Davies 14:05, 27 June 2011 (UTC)
- Thank you all. Bearian (talk) 17:23, 27 June 2011 (UTC)
- Just to make this crystal clear, there is no credible evidence at all to suggest that Iridescent or Chase were responsible, either directly or indirectly. Roger Davies 17:40, 27 June 2011 (UTC)
- So, Coren's statement "An investigation of the technical aspects of the leak have shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran" turned out to be a misinterpretation or data falsification? Amalthea 17:43, 27 June 2011 (UTC)
- Correct. Roger Davies 17:46, 27 June 2011 (UTC)
- More accurately, further review of the information that made it appear that the email came from Iri's email account showed that the headers were forged. SirFozzie (talk) 19:40, 27 June 2011 (UTC)
- Which raises the question of why it was Iridescent's email that was was forged instead of, say, yours, and why the first revelations were a rather dull email exchange I had with Iridescent. There are definitely more questions than answers here. Malleus Fatuorum 01:25, 28 June 2011 (UTC)
- Malleus: I can sincerely say I wish I knew. We're still working towards getting all the information we can here. SirFozzie (talk) 01:41, 28 June 2011 (UTC)
- Which raises the question of why it was Iridescent's email that was was forged instead of, say, yours, and why the first revelations were a rather dull email exchange I had with Iridescent. There are definitely more questions than answers here. Malleus Fatuorum 01:25, 28 June 2011 (UTC)
- More accurately, further review of the information that made it appear that the email came from Iri's email account showed that the headers were forged. SirFozzie (talk) 19:40, 27 June 2011 (UTC)
- Correct. Roger Davies 17:46, 27 June 2011 (UTC)
- Are you saying there's no indication at all where the leak came from, and that therefore it may not have been plugged? SlimVirgin 17:45, 28 June 2011 (UTC)
I'm not a big fan of ARBCOM, but...
It's fairly well known that I have deep seated concerns with ARBCOM as a general idea, and in particular issues with a number of the individual arbitrators and their actions. I'm also not totally against Misplaced Pages Review if it stuck to the goal of critical and hard analysis of Misplaced Pages (which it does occasionally - and heck we even manage to be an encyclopedia occasionally too.) Nevertheless the posting of prviate conversation, no matter that in certain cases it's rather low-brow stuff, is not a good idea. The posting of email addresses even less so. The posting of conversations involving real life threats (I understand now redacted) just bloody stupid. This is a tough time for a lot of people who give up a lot of hours to help Misplaced Pages for free, and for your resilience in this unfortunate episode I tip my hat. Pedro : Chat 20:02, 27 June 2011 (UTC)
- Well said, Pedro. Kiefer.Wolfowitz 20:32, 27 June 2011 (UTC)
- I think the threat posting nailed the sympathy backlash. ArbCom is coming out of this way ahead. -- Seth Finkelstein (talk) 22:02, 27 June 2011 (UTC)
- Meh. I have similar feelings about that you do whoever released the info. And piling on arbcom wouldn't be productive at the moment, but I'm having trouble seeing anything worth giving them a two thumbs up attaboy.--Cube lurker (talk) 22:21, 27 June 2011 (UTC)
- Yah. ArbCom's members as individuals may be among the victims here, but it is ArbCom (as an institution) that is largely to blame.--Kotniski (talk) 10:59, 28 June 2011 (UTC)
- Especially since we're back to the very real possibility that one of the members is not the victim but the perpetrator.--Cube lurker (talk) 12:30, 28 June 2011 (UTC)
- Let's not jump to conclusions about individuals - I don't think it's helpful to throw blame around when the investigations aren't over. The Cavalry (Message me) 21:47, 28 June 2011 (UTC)
- Especially since we're back to the very real possibility that one of the members is not the victim but the perpetrator.--Cube lurker (talk) 12:30, 28 June 2011 (UTC)
- Yah. ArbCom's members as individuals may be among the victims here, but it is ArbCom (as an institution) that is largely to blame.--Kotniski (talk) 10:59, 28 June 2011 (UTC)
Conformity to generally accepted standards for the security of private information
While it's literally true that no system is perfectly secure and anything connected to the internet could be hacked, such excuses miss the point entirely. No responsible financial institution or merchant would invite customers to submit non-public personal information :such as credit card, bank account, or social security numbers via ordinary email or any other insecure form of online transmission. Secure websites utilizing Transport Layer Security or equivalent strong cryptography are a generally accepted means of handling information which requires privacy. Yet until recently, arbcom invited editors unfamiliar with proper security practices to send "any private material intended for the Committee's attention" to the arbcom mailing list. Compounding the problem, the "private material" thereby solicited was redistributed via insecure, unencrypted email, as were passwords giving access to arbcom's entire email archive since 2004. This was in no way necessary, since a secure messaging facility could have been added to the mediawiki interface, much as banks which allow online account access normally provide a secure mail feature for encrypted transmission of customer service requests. Distribution of such messages could have been confined to the secure arbcom wiki, to which access would be provided only using arbitrators' primary account passwords, eliminating the man-in-the-middle attack on password distribution. Suggestions that editors sufficiently naive to trust arbcom to provide a generally accepted level of information security deserve whatever fate befalls them are misplaced. The community should expect arbitrators to act in a responsible manner worthy of the trust reposed in them. 71.131.18.216 (talk) 06:17, 27 June 2011 (UTC)
- While your suggestions are interesting and reflect some knowledge of information security theory and practice, there is absolutely no indication that transport security was at issue here. Likewise, I'm not sure how retrieving a stored password from a mailbox constitutes a MITM attack. Indeed, if the issue wasn't with stored email, in mailbox or archived format, then the leak has been going on for quite some time indeed. Jclemens (talk) 06:39, 27 June 2011 (UTC)
- We obviously don't know exactly how this particular security breach occurred. What's certain is that the attacker could have retrieved Iridescent's password when arbcom emailed it to him in plaintext format, then waited until now to publish the stolen material to throw investigators off the trail. The other salient possibility is that Iridescent's computer was one of all too many improperly secured Windows installations, making it easy to hack and install a keylogger. Financial institutions that handle private information don't make this mistake either. Even with hackers highly motivated by the prospect of stealing thousands of credit card numbers, such breaches are relatively rare, since banks normally have professional IT staff to secure their servers. Since the WMF also employs such personnel, it would be advisable to have them instruct arbitrators, checkusers, etc, in the correct way to secure their computers. Hacking a system with a clean operating system installation, an effective firewall, and good anti-virus software is probably sufficiently difficult to be beyond the capabilities of "MaliceAforethought". While using security tokens to augment the password protection provided on the arbcom wiki almost certainly would have prevented this problem, much more could have and can still be done without requiring two-factor authentication. Security of private information online has been a studied problem in e-commerce for over a decade. It's time for arbcom to utilize some of the solutions developed, instead of relying on plaintext content and password distribution to arbitrators' computers which the WMF has made no effort to secure. 71.131.18.216 (talk) 07:26, 27 June 2011 (UTC)
- The WMF already has an infrastructure it uses for privacy-sensitive interactions with the public, namely, WP:OTRS. It ought to be, at least, a bit more secure and professionally managed than a mailing list archive or individual e-mail accounts, and could be used as a stopgap measure for all sensitive internal ArbCom work.
The Committee should also reduce its apparently great reliance on private communication and use the onwiki case pages for case coordination, which is the purpose of these pages, unless there are genuine privacy concerns. More transparency could reduce the appearance of cabalism, and thus perhaps some of the incentive to break into other people's computers and to steal and publish the actually sensitive information. (Of course, ArbCom's perceived deficiencies are absolutely no excuse for the criminal acts that appear to have been committed here; these should be reported to law enforcement authorities, and the perpetrators brought to justice.)
Finally, users should be more proactively informed that in a semi-anonymous unpaid volunteer environment on an international Internet-based project, the risk of something like this happening is ultimately rather high no matter what technical and organizational measures are taken, and so that if they have genuinely important and private information to communicate relating to Misplaced Pages content, they may want to contact the WMF rather than ArbCom. And the WMF may need to take more responsibility to triage and if necessary address such requests by their own staff in a secure IT environment rather than relying on the OTRS and ArbCom volunteers. At the end of the day, the responsibility to protect sensitive project data lies with the Foundation; they cannot rely on a rather large group of unpaid volunteers to develop and reliably use a state-of-the-art secure communications system. Sandstein 09:39, 27 June 2011 (UTC)
- Good points, some which I've also made in the past to the effect that discussions which don't need to be private should be public. That said, most discussions of editors should be done in private. Check Robert's Rules of Order. When a committee discusses personnel it's often appropriate to do so in "executive session": in private and confidentially. Obviously, city councils can't go on the record as saying Joe Smith is a lazy city clerk and we need to fire him. They go into executive sessions, speak candidly in private, and then announce their decision publicly. In California the Brown Act is a sunshine ordinance requiring public meetings on many topics once held in private. It's had a huge impact in local governance.
- Perhaps what's needed is a noticeboard where only ArbCom members can participate, but in public. Otherwise the confidential mailing list is the only place for deliberations free from interruptions by non-members. Will Beback talk 10:17, 27 June 2011 (UTC)
- I dunno, non-members are just as likely to have valid points to make as members are. It's this "us and them" approach ("we're better than the rest of you and have little interest in listening to what you have to say") that seems to be one of the fundamental problems with ArbCom. And discussions of editors, if they happen at all, ought to be done in public - otherwise (and we all know from real life what happens when a group of people start discussing someone who's not there) the person is not able to defend themselves aginst dodgy allegations, which then gradually come to be perceived as truth. --Kotniski (talk) 11:08, 27 June 2011 (UTC)
- I think we have to start insisting that anyone discussed by ArbCom in private must be included in the discussion, with exceptions made only for situations where there would be real-life danger to someone. SlimVirgin 17:27, 27 June 2011 (UTC)
- This would seem like an ideal time for very serious consideration of Sandstein's comment about OTRS. While the leaked ArbCom material is concerning and will likely have some damaging effects on a few individuals, it is (for the most part) confined to Misplaced Pages's internal politics and Misplaced Pages editors. Imagine the fallout if emails to OTRS from someone well-known to the public were leaked, say Rick Santorum or Paris Hilton? Delicious carbuncle (talk) 12:08, 27 June 2011 (UTC)
- FWIW, the celebrities who write in person tend to be minor people, not anyone big enough to have a PR firm or staffers. I think there's no better education in BLP than reading the pleas from relatively minor people whose Misplaced Pages articles are mostly made up of the one big mistake they've made in their lives, but I digress. Yes, OTRS is a better place for actual private information. No, there's no indication this event involved OTRS data in any way. Jclemens (talk) 14:09, 27 June 2011 (UTC)
- I dunno, non-members are just as likely to have valid points to make as members are. It's this "us and them" approach ("we're better than the rest of you and have little interest in listening to what you have to say") that seems to be one of the fundamental problems with ArbCom. And discussions of editors, if they happen at all, ought to be done in public - otherwise (and we all know from real life what happens when a group of people start discussing someone who's not there) the person is not able to defend themselves aginst dodgy allegations, which then gradually come to be perceived as truth. --Kotniski (talk) 11:08, 27 June 2011 (UTC)
- The WMF already has an infrastructure it uses for privacy-sensitive interactions with the public, namely, WP:OTRS. It ought to be, at least, a bit more secure and professionally managed than a mailing list archive or individual e-mail accounts, and could be used as a stopgap measure for all sensitive internal ArbCom work.
- We obviously don't know exactly how this particular security breach occurred. What's certain is that the attacker could have retrieved Iridescent's password when arbcom emailed it to him in plaintext format, then waited until now to publish the stolen material to throw investigators off the trail. The other salient possibility is that Iridescent's computer was one of all too many improperly secured Windows installations, making it easy to hack and install a keylogger. Financial institutions that handle private information don't make this mistake either. Even with hackers highly motivated by the prospect of stealing thousands of credit card numbers, such breaches are relatively rare, since banks normally have professional IT staff to secure their servers. Since the WMF also employs such personnel, it would be advisable to have them instruct arbitrators, checkusers, etc, in the correct way to secure their computers. Hacking a system with a clean operating system installation, an effective firewall, and good anti-virus software is probably sufficiently difficult to be beyond the capabilities of "MaliceAforethought". While using security tokens to augment the password protection provided on the arbcom wiki almost certainly would have prevented this problem, much more could have and can still be done without requiring two-factor authentication. Security of private information online has been a studied problem in e-commerce for over a decade. It's time for arbcom to utilize some of the solutions developed, instead of relying on plaintext content and password distribution to arbitrators' computers which the WMF has made no effort to secure. 71.131.18.216 (talk) 07:26, 27 June 2011 (UTC)
- But inevitably one day it will involve that data, if archives are retained. SlimVirgin 17:22, 27 June 2011 (UTC)
- Slim such data retention is an unfortunate necessity in running an operation like this. Could the Data have been better secured? Yes.. but that does not no mean retaining the data itself is invalid act. The Resident Anthropologist (talk)•(contribs) 21:46, 27 June 2011 (UTC)
- But inevitably one day it will involve that data, if archives are retained. SlimVirgin 17:22, 27 June 2011 (UTC)
- The long-term retention of sensitive data—especially in a way that gives large numbers of people access to it—is legally, ethically and technically difficult. It's just impossible to do it with a mass of volunteers, none of them properly identified. And even if they were identified, what would it tell us? Knowing that someone is called John Smith and lives in Bristol tells us nothing about whether he's sensible and can be trusted.
- Misplaced Pages has always believed it could start from scratch, reinvent the wheel, but there are areas of expertise we ought to learn from, and once you start to educate yourself, you see that what we're doing is unsustainable. We can't continue to keep files on people, whether they're editors, or readers who complain to us—files that every year are accessed by more and more Arbs, functionaries and OTRS volunteers—and believe we have no legal and moral obligations toward the people the files discuss. SlimVirgin 22:12, 27 June 2011 (UTC)
- There are two ways we can do it, hold everything or hold very little. Ultimately I think the benefits of retaining the data outweighs the risks of security. So far the leaked emails have more or less shown that such data retention is extremely useful in assessing new evidence. The Resident Anthropologist (talk)•(contribs) 22:27, 27 June 2011 (UTC)
- Surely the reverse - the fact of the leak has shown that data retention is extremely harmful - unless, I suppose, access to it were to be restricted to a limited group of very well-trusted and security-aware people.--Kotniski (talk) 11:11, 28 June 2011 (UTC)
- I'm not comfortable with storing gossip either, especially where those gossiped about have no way of knowing what is said about them. That gossip should go, and not be kept. What is legitimate to keep is any important decisions, and the basis on which they were made, and other important facts that may become relevant later on. And in my view, we should implement a kind of FOIA, giving editors the right to view what is stored about them. That's a common principle in modern society, and it was instituted for good reasons. --JN466 15:56, 28 June 2011 (UTC)
- Unfortunately the current software is an "all or nothing" kind of thing - either there are archives, or there aren't. We have asked for a different system at various times in the past and obviously have re-iterated our request given the current situation. –xeno 16:05, 28 June 2011 (UTC)
- I really find these attempts to blame the software extremely unconvincing. Surely even if you're forced to use inadequate software, you can work round the problem somehow (like restarting a new list at least once a year, and restricting access to the old ones to very few people).--Kotniski (talk) 18:16, 28 June 2011 (UTC)
- So it is good point to finf free software with basic configuration possibility. Or use not-free if it is impossible Bulwersator (talk) 16:40, 28 June 2011 (UTC)
- Could you not store summaries of the stuff that is important and fact-based, and delete the dross? And these summaries should be accessible to the users concerned. --JN466 16:48, 28 June 2011 (UTC)
- Unfortunately the current software is an "all or nothing" kind of thing - either there are archives, or there aren't. We have asked for a different system at various times in the past and obviously have re-iterated our request given the current situation. –xeno 16:05, 28 June 2011 (UTC)
- There are two ways we can do it, hold everything or hold very little. Ultimately I think the benefits of retaining the data outweighs the risks of security. So far the leaked emails have more or less shown that such data retention is extremely useful in assessing new evidence. The Resident Anthropologist (talk)•(contribs) 22:27, 27 June 2011 (UTC)
- Misplaced Pages has always believed it could start from scratch, reinvent the wheel, but there are areas of expertise we ought to learn from, and once you start to educate yourself, you see that what we're doing is unsustainable. We can't continue to keep files on people, whether they're editors, or readers who complain to us—files that every year are accessed by more and more Arbs, functionaries and OTRS volunteers—and believe we have no legal and moral obligations toward the people the files discuss. SlimVirgin 22:12, 27 June 2011 (UTC)
- That would be fairly easy to do—produce a summary of the discussion that contains only the agreed facts—or allegations along with evidence—and a rebuttal from the person concerned. And only those summaries are forwarded to a separate archive, with archiving for the main mailing list switched off.
- There should definitely be no more discussions among Arbs without the subjects being cc-ed, with exceptions for serious real-life issues, such as evidence of mental-health problems or a justified fear of real-life stalking. The bottom line is that we have to start applying the BLP principles to internal discussions too. SlimVirgin 17:01, 28 June 2011 (UTC)
(unindent) I can say with a good amount of confidence,firmly, no, that is not going to happen SV. We will discuss things amongst ourselves as necessary for our job, no more, no less. SirFozzie (talk) 17:27, 28 June 2011 (UTC)
- That has not been happening, though. A great deal of the discussion seems to be about non-issues, issues invented by ArbCom. Obsessing about who's a sockpuppet (why is ArbCom dealing with SPI issues?), discussing whether to unblock very troublesome editors (when these are issues for the community). Editors being insulted gratuitiously. In the mean, requests for arbitration are turned down, or dealt with so slowly it's like watching paint dry. In short, it feels as though the ArbCom mailing list is just another venue like IRC circa 2006, or WR, where people are attacked so the in-group can bond socially.
It can't continue if the Committee wants the community to have confidence in it, or respect for it. And I hope the Foundation won't allow it to continue, because it has ethical and legal implications that can't keep on being ignored. SlimVirgin 17:40, 28 June 2011 (UTC)
- Agreed - and I would even go further - quite apart from the information concerns that have been raised, ArbCom would actually do its basic job of arbitrating better if the arbs didn't talk to each other about substance in private. We want to know on what basis each arb reached their decision, and we expect them to do so independently with their own intellect, not via groupthink. (Yes, I know what real-life juries do, but they're not really comparable.)--Kotniski (talk) 18:06, 28 June 2011 (UTC)
- That still leaves the possibility of not archiving the list traffic, but creating a database of the relevant facts, allegations, and evidence, and making that open to the people concerned. --JN466 19:28, 28 June 2011 (UTC)
- Good points from Sandstein and Will regarding transparency. --JN466 16:04, 28 June 2011 (UTC)
Private records of checkuser material
One of the things that has concerned me about the leaked material is the number of times those participating have been asking around to see if anyone has saved old checkuser data, and the fact that such data are being held by individuals (presumably on their own machines) and not centrally on a machine controlled by the Foundation. Two points - is such private retention compatible with the Foundation's existing privacy policy, and if any retention is to be allowed it would surely be more efficient and helpful in the cases where Arbs want to access it for it to be held in one place rather than scattered around. DuncanHill (talk) 15:23, 27 June 2011 (UTC)
- http://checkuser.wikimedia.org/ now exists (it's a relatively recent creation). My general view is that this type of data aggregation and retention violates both the spirit and letter of the Wikimedia privacy policy. --MZMcBride (talk) 17:00, 27 June 2011 (UTC)
- Mike Godwin posted recently to the Foundation mailing list: "Typically, a service that values user privacy highly minimizes the amount of private information it keeps about users, so that even if compelled to comply with a lawful government order to disclose identifying information, the service may not have much to disclose."
- I'm afraid that what we're seeing here is that the Foundation has not valued user privacy, or indeed its users' safety or reputations. Whether it's CU archives, or ArbCom archives containing gossip, they should be destroyed after a short time. I know that several editors have requested the latter. As things stand, more and more people are downloading these things every year with authorization, never mind without. SlimVirgin 17:20, 27 June 2011 (UTC)
- The problem with wholesale deletion of archived material is the loss of context when it comes to long-term problems, or problems which have resurfaced. A wiser move would be to archive material (private wikis and mail lists) to a machine entirely under WMF control, with one of the public-facing WMF employees having sole access--someone like Bastique perhaps. This ensures that information can still be re-released (in a private sense) to arbs and CUs on a need to know basis, without the potential damage of wholesale leaks. → ROUX ₪ 17:54, 27 June 2011 (UTC)
- I personally think the value of archives is overrated. They are usually only useful for verification purposes (ie to see whether a text claiming to unredacted is actually a true copy of the original). Others mileage might vary. Roger Davies 18:01, 27 June 2011 (UTC)
- Arbs say they download them, so they must see them of value. SlimVirgin 18:03, 27 June 2011 (UTC)
- Sure: some do, some don't. I personally don't. Roger Davies 18:11, 27 June 2011 (UTC)
- Arbs say they download them, so they must see them of value. SlimVirgin 18:03, 27 June 2011 (UTC)
- I personally think the value of archives is overrated. They are usually only useful for verification purposes (ie to see whether a text claiming to unredacted is actually a true copy of the original). Others mileage might vary. Roger Davies 18:01, 27 June 2011 (UTC)
- But then you still have a situation where the Foundation is releasing gossip, and in some cases actionable material, to the ArbCom, without the knowledge of the person concerned, who has no right to defend himself, and doesn't even know what the charges are. SlimVirgin 17:58, 27 June 2011 (UTC)
- Where incidentally do you draw the various lines between gossip, vennting, fair comment, speculation and reasonable inference? Roger Davies 18:11, 27 June 2011 (UTC)
- I don't know where I'd draw the line. But I think the Arbs shouldn't be engaged in any of it without the knowledge of the person they're discussing. We've seen material along the lines of "X is toxic, "X is a blackmailer," "Don't trust X," "X's editing is worthless." As I recall, none of the comments were connected to arbitration, and none of the people were told they were being discussed. That means the ArbCom list has become like IRC at its worst, or some of the other private lists people have objected to over the years (including one I was involved in, so I'm not being holier-than-thou here, because I know how easy it is for this to happen—though I didn't keep archives).
- Where incidentally do you draw the various lines between gossip, vennting, fair comment, speculation and reasonable inference? Roger Davies 18:11, 27 June 2011 (UTC)
- The problem with wholesale deletion of archived material is the loss of context when it comes to long-term problems, or problems which have resurfaced. A wiser move would be to archive material (private wikis and mail lists) to a machine entirely under WMF control, with one of the public-facing WMF employees having sole access--someone like Bastique perhaps. This ensures that information can still be re-released (in a private sense) to arbs and CUs on a need to know basis, without the potential damage of wholesale leaks. → ROUX ₪ 17:54, 27 June 2011 (UTC)
- I'm afraid that what we're seeing here is that the Foundation has not valued user privacy, or indeed its users' safety or reputations. Whether it's CU archives, or ArbCom archives containing gossip, they should be destroyed after a short time. I know that several editors have requested the latter. As things stand, more and more people are downloading these things every year with authorization, never mind without. SlimVirgin 17:20, 27 June 2011 (UTC)
- When you keep archives, it means people who were not included on those emails can access and download this stuff years after the fact, and may end up drawing quite false conclusions from it. And that encourages new Arbs to continue to treat those people poorly, and in general develop an Us and Them mentality (We Who Have Access to the Insults versus The Insulted).
- The point is that the ArbCom is elected by the people it's discussing, and it therefore has to force itself to rise above this kind of thing, and be fair to all, including people individual members may personally dislike. SlimVirgin 18:30, 27 June 2011 (UTC)
- Sure, people shouldn't really be making those kinds of remarks but, that said, the unfortunate truth is that some people are toxic and some people's edits are worthless and similar remarks are made publicly, for example, on WP:AN/I, about recently indeffed users (with no right of reply) frequently. Roger Davies 18:41, 27 June 2011 (UTC)
- That's a worrying response, Roger, because it suggests you think the tone of the mailing list is okay. It really isn't okay, not least because you're spending huge amount of time on issues other than arbitration, micromanaging sockpuppet investigations, and almost creating problems by discussing them.
- Calling someone "toxic" is meaningless, so that kind of casual insult is something friends can exchange, but for it to happen on a formal Foundation mailing list is obviously dodgy. You wouldn't like it if you were the one being so described without your knowledge. But for those comments to be collected for six years in archives, so that every new ArbCom member is able to download them, is really unacceptable. Please put yourself in the shoes of the people being so discussed. SlimVirgin 18:52, 27 June 2011 (UTC)
- It no more suggests that I think the tone of every post is okay than I think that the tone of yours is. For instance, you've just taken it upon yourself to say that I've wasted huge amounts of time micromanaging sockpuppet investigations and creating problems by discussing them. Roger Davies 19:07, 27 June 2011 (UTC)
- Ideally, Arbs who disagree with the tone ought to speaking up when they see discussions deteriorating. You can see a few Arbs try to do it, but for the most part they don't. And that's entirely understandable, because they don't want to fall out with people, or they don't read every post, or they prefer to lurk, or they decide that continuing to post—even to ask that a discussion stop—will only prolong it. That's why the list has become problematic, as all private lists of this kind do. And that's why they should not be archived, because at least without archives the damage is contained to the people the emails were actually sent to. SlimVirgin 19:14, 27 June 2011 (UTC)
- Oh, that happens often enough, don't you worry. I realise that you're not able to form an accurate view of things because of the partial view you have. However, you are rather assuming that (i) arbs blindly swallow what other arb say (they don't) and (ii) the archives are read assiduously. It may be apocryphal but I think the thing most new arbs do is check the archives so see what has been said about them (a "Washington read", I think it's called). The search facility on the archives is so appalling and the usual content so tedious, that few if any spend much time there. I agree entirely with pruning and with a short fall off the radar. Roger Davies 19:22, 27 June 2011 (UTC)
- I'm sure that Roger is right (cf the true story of the public figure who receives a free book without covering note, turned to the index, turned to the first mention of their own name, and found a marginal note from the author explaining the gift beginning 'knew you'd look here first'). Certainly when I discovered my unexpected electoral popularity in December 2007, the one thing that more than any other persuaded me not to withdraw was that it might be interesting to read the archives. (When actually appointed I discovered I no longer did, but that may be another story for another day). However what is slowly dawning on WR is that there are very few complete surprises in the material; what few there are, were kept confidential for good reason; and that the Arbs in private are in fact generally conscientious and try to be fair. It's a bit like a Misplaced Pages version of the Palin emails. If there were any absolute shockers, you can bet that they would be screaming about them at WR whereas in fact they're complaining that it's dull and 'tl; dr'. And I absolutely agree with everything the current arbitrators say that they do need to discuss things in private. Sam Blacketer (talk) 22:14, 27 June 2011 (UTC)
- In the case of actionable material, that already happens, doesn't it? And really, if it's actionable, then the person in question is pretty much guaranteed to know what they've done wrong. So that's not really a concern. I guess what I'm envisioning is something along the lines of how CU data is released to the community: a specific question must be asked, and the CU responds with yes or no, and contextual information (e.g. other socks found), without releasing underlying private data. So in my hypothetical scenario, an arb would have to (publicly, unless there are serious privacy ramifications) ask the Foundation for historical material relating to User X in a specific context. So... let's say there's an Arbcom case involving User X who has been misbehaving. Arbs could then ask the Foundation if there is archived material related to the scope of the case. Anything outside of the scope would remain in the archive and unseen. → ROUX ₪ 18:06, 27 June 2011 (UTC)
- I didn't understand your point about actionable material. What I meant to say is that, if the ArbCom mailing list contains arguable defamation—and it seems it does—that material ought not to be retained in archives. Damaging material in general ought not to be archived, even if it doesn't rise to the level of defamation. Ideally it ought not to be emailed between Arbs in the first place, but it certainly shouldn't be archived.
- You couldn't have a situation where the Foundation was releasing personally damaging and possibly false material to individual Arbs at their request from archives the Foundation controlled.
- As for CU material, yes I see what you mean there. But that goes back to Mike Godwin's point: the more the Foundation retains, the more it may have to hand over to the courts one day. SlimVirgin 18:18, 27 June 2011 (UTC)
- Sorry, by 'actionable' I had thought you meant actionable by ArbCom, not actionable in a court of law. AFAIK, defamation only occurs when such information is made public; retaining it to a small group that is decidedly nonpublic doesn't rise to that level. WMF legal counsel would be able to define better, of course. Roger's point above about the continuum from gossip to reasonable inference is a useful one, too. I guess what I'm suggesting is that private arblist/arbwiki information should be retained for institutional memory purposes, but access to it should be very narrowly circumscribed. I think that approach would satisfy privacy concerns without a baby/bathwater problem. → ROUX ₪ 18:37, 27 June 2011 (UTC)
- As for CU material, yes I see what you mean there. But that goes back to Mike Godwin's point: the more the Foundation retains, the more it may have to hand over to the courts one day. SlimVirgin 18:18, 27 June 2011 (UTC)
- Material need not have been made public; it need only have been communicated to a third party. As I said above, allowing narrow access to problematic material is still allowing access. We should not be retaining archives that contain this stuff, and preferably Arbs should be very wary of distributing it in the first place. SlimVirgin 18:45, 27 June 2011 (UTC)
- Are we talking US law here? It's pretty well impossible to obtain a judgement for libel in the US, so I can't see a legal issue for user x calling user y a ....whatever. Interestingly, in the UK, it has to be published, and it is the publisher, not the person making the statement, who is liable. So if this were the UK, WR could be sued for publishing libels (assuming any of the material actually constitutes libel). Elen of the Roads (talk) 19:10, 27 June 2011 (UTC)
- Material need not have been made public; it need only have been communicated to a third party. As I said above, allowing narrow access to problematic material is still allowing access. We should not be retaining archives that contain this stuff, and preferably Arbs should be very wary of distributing it in the first place. SlimVirgin 18:45, 27 June 2011 (UTC)
- None of that is quite right, Elen. You need only pass the material to a third party, or fail to take reasonable care. But this isn't the place to discuss legal ins and outs. The point is that by retaining archives you are publishing the material to more and more people every year. As I've been trying to argue for a couple of years, unauthorized access isn't the only problem here. Editors are being blackened, whether fairly or otherwise, in emails being read by people the emails were not sent to, and this is being done without the knowledge of the person being discussed. You can surely see why that's deeply problematic, ethically never mind legally, and in terms of community relations. SlimVirgin 19:24, 27 June 2011 (UTC)
- Personal retention of non-public data is not addressed by the privacy policy, and it would likely be impossible to regulate. Hosting such data on Foundation servers would open them up to subpoena, but would not make them much less likely to be downloaded by those with access.
The CheckUser wiki is actually an attempt to move us in the right direction in terms of compliance with the privacy policy. Currently (but changing within a matter of days), the CheckUser mailing list retains an archive, which actually means the data posted to it was accessible by CheckUsers long after it had expired through normal CheckUser means. Going forward, checkuser-l will not be archived, or its archives will expire within the same time frame as CheckUser data. The wiki is intended to host the data from investigations that actually needs to be retained for the future due to persistent abuse. The only CheckUser data it retains is related to persistent vandals, spammers, and a select few banned users, and even those will be removed when no longer relevant. This does not in any way run afoul of the privacy policy, and is in line with Mike Godwin's point.
There is certainly room for discussion of improving how sensitive data is handled in the other mailing list archives, or in the CheckUser log itself, but most of the suggestions on this page so far fail to take into account that ArbCom actually has a function that it needs to perform, and that it is a body which requires both sensitive data and confidential discussions amongst its members to properly carry that out. Dominic·t 18:52, 27 June 2011 (UTC)
The issue I have is how this relates to transparency, because it explains a lot. Depending on how widespread this saving of old CU information is, it explains why so many open on-wiki cases are not conducted in these situations. If an investigation had been opened, it would have had to be revealed that the accounts were being CUed against information that should have long been considered stale and deleted and this, in turn, would have revealed that Arbcom members and other people have been saving old CU info. Because this is obviously not something the community knows about and would be a large shock, instead in such cases, the accounts either say that the User was banned because of CU data, but without an actual investigation page being present or the user is banned with a statement saying that you should refer any questions to Arbcom.
Essentially, this means that the lack of transparency has been compounded with an active cover-up of the fact that old CU information has been being saved and utilized in a secret manner. While I may or may not believe that this old info should be allowed for use in certain instances, the main issue I have is specifically this lack of transparency and the active cover-up actions taken so that the truth of it didn't get out. Silverseren 21:21, 27 June 2011 (UTC)
- If the complaint is that it was somehow a secret that all checks are logged and that we refer to this log to find expired CheckUser data, or that we also refer to mailing list archives or fellow CheckUsers for such data, then that is simply false. This has never been a secret, nor was there any active cover-up. It is commonly remarked upon where CheckUser investigations occur, namely sockpuppet investigations. As several people have noted here, this is not a revelation. If anything, the complaints are largely about the fact that it has been a known vulnerability for so long. I think you are simply confusing this state of affairs with the fact that CheckUser investigations may take place outside of the context of a case, or even an on-wiki request; that is an entirely different issue, and has no bearing on the use of expired CheckUser data. Dominic·t 21:41, 27 June 2011 (UTC)
- It is common knowledge that expired checkuser data is kept and stored by individual users and used in subsequent investigations without a case being opened for them? Is this written somewhere on the Checkuser page? I must have missed it. Maybe it's on the investigations page. Nope, can't find it there either. Silverseren 21:59, 27 June 2011 (UTC)
- I do not believe the fact that some specific point is not explained on those pages means there is a cover-up. As I noted, it commonly remarked upon. You have also somewhat misrepresented my words; the main source of expired CheckUser data is in fact the CheckUser log itself, not just data on people's hard drives. Dominic·t 22:10, 27 June 2011 (UTC)
- But my original remark was about the data kept on people's hard drives, as that is what is mentioned in the revealed Arbcom discussions. Saying that they should "ask around to see if anyone has a copy of the data" seems to imply that it is not in a centralized log, since anyone who has access should be able to look there, but data that has been saved specifically by various Checkusers and functionaries. Silverseren 22:20, 27 June 2011 (UTC)
- I do not believe the fact that some specific point is not explained on those pages means there is a cover-up. As I noted, it commonly remarked upon. You have also somewhat misrepresented my words; the main source of expired CheckUser data is in fact the CheckUser log itself, not just data on people's hard drives. Dominic·t 22:10, 27 June 2011 (UTC)
- It is common knowledge that expired checkuser data is kept and stored by individual users and used in subsequent investigations without a case being opened for them? Is this written somewhere on the Checkuser page? I must have missed it. Maybe it's on the investigations page. Nope, can't find it there either. Silverseren 21:59, 27 June 2011 (UTC)
- If someone with checkuser privileges is retaining on their personal machine data acquired from the use of those privileges, I believe that is a gross breach of trust and suggests that they should not retain those privileges. If Arbs are fishing around for such data (as they clearly have been) it really beats any of the previous ethical failures of the committee hands down. Just because you can do something does not mean you should, or even ought, to do it. You really need to have a moral compass and an ability to restrain yourself if you are going to have the sort of privacy invading tools that checkusers and Arbs have. DuncanHill (talk) 02:17, 28 June 2011 (UTC)
- I think that's a very important point, and hopefully someone somewhere is working on a proper Misplaced Pages data protection policy. What information is being stored, where, for how long, and for what purpose? Malleus Fatuorum 02:50, 28 June 2011 (UTC)
redact emails when you forward
If an Arb receives a confidential EMail and forwards it to the rest of arbcom may I suggest redacting that which you don't need to forward? I gather in this case that the Arb who first received the email was the one whose account was compromised, so it wouldn't have helped this time. But adopting a general principle of pruning superfluous info is one way of minimising risk (and avoiding clutter). An editors request would need to be discussed with arbcom, but does their Email need to be shared? ϢereSpielChequers 19:32, 27 June 2011 (UTC)
- The problem with redacting is it can be tricky to redact the right amount. Not everyone will agree on what information is relevant, and where it is being done in secret, there is a risk that important information may be redacted without anyone being in a position to point it out. Essentially your asking one arbitor to censor what the rest of the committee is going to see, with no oversight. It doesn't sound like a good idea to me. Monty845 19:42, 27 June 2011 (UTC)
- It requires judgment, but at a minimum I'd expect an email address to be redacted unless there was very good reason or it was clearly known. If there has been a whole thread of discussion ending with a request to forward an appeal or whatever to the rest of the committee I'd expect the appeal to be forwarded, not necessarily the rest. ϢereSpielChequers 20:14, 27 June 2011 (UTC)
Positive revelations
I thought Risker came over as a real straight shooter in the emails with a priority on doing the right thing, vice how it would look. TCO (talk) 03:34, 28 June 2011 (UTC)
Update from WMF
An update on WMF’s view of this incident: We were notified about the disclosure of ArbCom information shortly after the disclosure appeared. We have conducted a preliminary review and have detected no unauthorized activity on our servers. We have nonetheless taken precautionary security measures and will continue to investigate the situation as appropriate. Philippe Beaudette, Wikimedia Foundation (talk) 09:22, 28 June 2011 (UTC)
- If it’s determined that there was no unauthorized access to the mailing list archives on WMF’s servers, that will mean that Iridescent can’t have been the only arbitrator who was hacked, correct? Some of the leaked e-mails are from before Iridescent became an arbitrator, so the only way they could have been obtained using Iridescent’s account is if an attacker broke into the archives using Iridescent’s password. If there was no unauthorized access to the archives, then it wouldn’t have been possible to obtain messages from before the beginning of the year using only Iridescent’s account. --Captain Occam (talk) 09:56, 28 June 2011 (UTC)
- Not necessarily. Access to the archives by an arbitrator's account wouldn't be flagged as "unauthorized" on a technical level, since the security mechanisms would have no way of knowing whether said account was under the control of someone other than the real arbitrator. Furthermore, if an arbitrator had a personal copy of the archive, and it was their system (rather than just their email account) that was compromised, that copy of the archive could be distributed without leaving any traces on the WMF servers. Kirill 10:18, 28 June 2011 (UTC)
- Moreover, there's absolutely no evidence Iridescent's account was hacked. Roger Davies 10:24, 28 June 2011 (UTC)
- Kirill: I was assuming that the mail archive kept a log of the IP addresses that have logged into accounts there, and that Philippe’s comment meant that no arbitrators’ accounts had been accessed by IPs other than those normally associated with the accounts’ owners. I could be misinterpreting him, though, and I also see your other point.
- Roger: Thanks for pointing out that there doesn’t seem to be evidence of Iridescent having been hacked; I’d missed that.
- Is ArbCom considering the possibility that one of its members deliberately chose to leak these e-mails? I know it’s a much more palatable idea that someone’s account or system was compromised, but if there’s no evidence of that having happened, the alternative should be considered also. Based on this thread, deliberate leaking of mailing list contents from a (former) arbitrator appears to be something that’s happened before. --Captain Occam (talk) 11:04, 28 June 2011 (UTC)
- Yes, of course the committee considered that. If you read Coren's earliest statements about it, you see that it was our original assumption. In my view, it has not been eliminated as a possibility. We just don't know. Cool Hand Luke 12:19, 28 June 2011 (UTC)
- Hmm. I was going to say that the odd selection of material leaked argued against an insider trying to do damage. But then I realized that one could turn that around, and say the odd selection of material leaked argued for an insider, but not trying to do damage. That is, the people who have come off the worst from this have essentially been those who are troublesome cases for ArbCom. It does sort of look like what one would get if a frustrated prosecutor or police officer started leaking private documents about annoying court cases. That's just a speculation. But it's an intriguing thought. -- Seth Finkelstein (talk) 12:52, 28 June 2011 (UTC)
Communication
I suggest to inform other ACs to avoid similar thing - I did this for plwiki Bulwersator (talk) 10:22, 28 June 2011 (UTC)
- i agree. de.wp: the german arbcom doesn't need an extra note, because it is not authorized to store comparable databases anyway. de.wp-arbcom-members are not entitled to hold privacy policy-related flags on a local basis, regards --Jan eissfeldt (talk) 16:17, 28 June 2011 (UTC)