Wikipedia talk:Arbitration Committee: Difference between revisions

From Wikipedia, the free encyclopedia
Lovetinkle (talk | contribs)
→‎Is this really a disaster?: Ok it is a bit of a disaster.
Line 192: Line 192:
:I remain hopeful, however, that the individual or individuals in possession of the archives will maintain their focus on the Committee itself, and will refrain from gratuitously exposing the personal information of the many innocent people who've written to us over the years. [[User:Kirill Lokshin|Kirill]]&nbsp;<sup>[[User talk:Kirill Lokshin|[talk]]]&nbsp;[[User:Kirill Lokshin/Professionalism|[prof]]]</sup> 12:12, 25 June 2011 (UTC)
:I remain hopeful, however, that the individual or individuals in possession of the archives will maintain their focus on the Committee itself, and will refrain from gratuitously exposing the personal information of the many innocent people who've written to us over the years. [[User:Kirill Lokshin|Kirill]]&nbsp;<sup>[[User talk:Kirill Lokshin|[talk]]]&nbsp;[[User:Kirill Lokshin/Professionalism|[prof]]]</sup> 12:12, 25 June 2011 (UTC)
::So why was this information never purged? Wasn't it absolutely inevitable that at one time or another it would be stolen and/or leaked? Why were people encouraged to write to ArbCom as if in confidence, when it was known that the probability of the information's remaining confidential would tend to zero over time?--[[User:Kotniski|Kotniski]] ([[User talk:Kotniski|talk]]) 13:32, 25 June 2011 (UTC)
::So why was this information never purged? Wasn't it absolutely inevitable that at one time or another it would be stolen and/or leaked? Why were people encouraged to write to ArbCom as if in confidence, when it was known that the probability of the information's remaining confidential would tend to zero over time?--[[User:Kotniski|Kotniski]] ([[User talk:Kotniski|talk]]) 13:32, 25 June 2011 (UTC)

::::It's not possible to purge as it's not part of the Mailman functionality: you can either have archives or not. Profoundly unsatisfactory but there you are. &nbsp;[[User:Roger Davies|<span style="color:maroon; font-variant:small-caps">'''Roger Davies'''</span>]] <sup>[[User talk:Roger Davies|'''talk''']]</sup> 13:42, 25 June 2011 (UTC)
:::It's not possible to purge as it's not part of the Mailman functionality: you can either have archives or not. Profoundly unsatisfactory but there you are. &nbsp;[[User:Roger Davies|<span style="color:maroon; font-variant:small-caps">'''Roger Davies'''</span>]] <sup>[[User talk:Roger Davies|'''talk''']]</sup> 13:42, 25 June 2011 (UTC)

:::(edit conflict) There are several problems with purging the archives; some of these have been alluded to above, but to recap:
:::* The software used for operating the mailing lists does not allow either selective archiving or modification of the archives after the fact; either the entire archive is retained, in its original form, or no archiving is done at all.
:::* Numerous proposals have been made to disable archiving entirely, but have never achieved consensus; this is primarily because some level of records retention is necessary to process appeals (particularly repeat appeals), clarifications, and similar matters where examining the content of previous discussions is necessary. It has been suggested that the personal archives maintained by individual arbitrators could serve this institutional memory purpose without the need for a central archive; but there were concerns that (a) no single arbitrator or former arbitrator has archives covering the Committee's entire history, that (b) personal archives could potentially be tampered with in subtle ways, and there would be no "master" copy to compare against, and that (c) this would unduly rely on former arbitrators, many of whom might be inactive or unwilling to share archives.
:::* An alternative option that was considered was the selective retention of particular discussions in some shared space (e.g. on the arbitration wiki) and the deletion of the original archive. This is something that is currently being done with CheckUser records, but would be prohibitively time-consuming for ''arbcom-l'' due to the immense volume of the archives; and there have been security concerns with the arbitration wiki as well.
:::As far as inevitability is concerned, ''arbcom-l'' is not inherently any less secure than any other mailing list used by/for Wikimedia business. A determined attacker can eventually find a way to compromise a system of this sort—we'd need to disconnect it from the internet to truly make it secure—but the same is true of any online system. The only real way to ensure that private correspondence could never be leaked would be to prohibit the use of private correspondence in the first place; otherwise, ''any'' system open to remote access is potentially open to compromise. [[User:Kirill Lokshin|Kirill]]&nbsp;<sup>[[User talk:Kirill Lokshin|[talk]]]&nbsp;[[User:Kirill Lokshin/Professionalism|[prof]]]</sup> 13:57, 25 June 2011 (UTC)

:::People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. [[User:Lovetinkle|Miss E. Lovetinkle]] ([[User talk:Lovetinkle|talk]]) 13:38, 25 June 2011 (UTC)
:::People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. [[User:Lovetinkle|Miss E. Lovetinkle]] ([[User talk:Lovetinkle|talk]]) 13:38, 25 June 2011 (UTC)
::::No it's not a requirement of ours but you'd be astonished what some people think is pertinant to tell us. &nbsp;[[User:Roger Davies|<span style="color:maroon; font-variant:small-caps">'''Roger Davies'''</span>]] <sup>[[User talk:Roger Davies|'''talk''']]</sup> 13:42, 25 June 2011 (UTC)
::::No it's not a requirement of ours but you'd be astonished what some people think is pertinant to tell us. &nbsp;[[User:Roger Davies|<span style="color:maroon; font-variant:small-caps">'''Roger Davies'''</span>]] <sup>[[User talk:Roger Davies|'''talk''']]</sup> 13:42, 25 June 2011 (UTC)

Revision as of 13:57, 25 June 2011

Final reminder: Arbitration policy update and ratification

The current written arbitration policy dates from 2004 and much has evolved since then. The policy has been extensively reviewed over the last two years, with a series of wide-ranging community consultations, to bring the written document up to date. The proposed update is posted and is undergoing community ratification, which is due to close on 13 June 2011. All editors are cordially invited to participate in the ratification process.  Roger Davies talk 06:02, 9 June 2011 (UTC)[reply]

Discuss this

Who is responsible?

I would like to know which member of ArbCom, past or present, is responsible for this leak.[1] Malleus Fatuorum 14:59, 23 June 2011 (UTC)[reply]

Oh dear. This is not going to end well, and I fear you--rather than the responsible parties--are going to end up pilloried. → ROUX  15:13, 23 June 2011 (UTC)[reply]
I'm quite used to that, but there's something amiss here that needs sorting out. What else has been/is being leaked? Malleus Fatuorum 15:15, 23 June 2011 (UTC)[reply]
Without engaging in hyperbole, this is really very bad. Personally I'd bypass the usual ArbCom nonsense and go straight to WMF. Moonriddengirl might be a good way to get someone to take notice. → ROUX  15:23, 23 June 2011 (UTC)[reply]
meta:Ombudsman commission seems to be the appropriate Wikimedia body for outside review of this matter. –xenotalk 15:29, 23 June 2011 (UTC)[reply]
The Ombudsman Commission investigates violations of the Foundation privacy policy, which does not appear to have occurred. This is a matter of a breach of trust by a community member, but not a matter for the Foundation. Dominic·t 16:47, 23 June 2011 (UTC)[reply]
Would a contributor's non-public(?) email address not be considered personally-identifying information? –xenotalk 17:03, 23 June 2011 (UTC)[reply]
Can't be any past arbitrators (for the initial leak anyway); the only people on the list these days are current Arbs and Jimbo. NW (Talk) 15:28, 23 June 2011 (UTC)[reply]

Malleus, please accept my most profound apology for this unforgivable breach of your expectation of privacy. It is vanishingly unlikely that this leak comes from someone other than a sitting arbitrator, and I want to assure you that I will do everything in my power to identify the slime who did this and crucify them. — Coren (talk) 16:34, 23 June 2011 (UTC)[reply]

In this particular instance there was nothing particularly private, just a chat with Iridescent (who I don't at all blame for this) about a few options that are now impractical. It does though raise the very serious question of what else has been leaked. Malleus Fatuorum 16:49, 23 June 2011 (UTC)[reply]
Nevertheless, you were given an assurance of confidentiality and, through lack of care or dishonesty, it has been breached. I agree with you that the possibility of further leaks that we are unaware of is worrisome, and makes it all the more important that the leak is found and plugged. — Coren (talk) 17:09, 23 June 2011 (UTC)[reply]
It clearly needs to be sorted out, and quickly. I must admit to being rather puzzled at this discussion being leaked though, as I'm sure there must be much juicier stuff on the mailing list that's far more interesting. Malleus Fatuorum 17:15, 23 June 2011 (UTC)[reply]

I do hope this isn't swept under the rug, either. This is a serious breach of confidentiality and I (and I'm sure others) would very much like to know who the leak is. Please don't just do whatever it is you arbs do behind closed doors. Please make a public statement about this once it is known who did such a thing. Tex (talk) 17:18, 23 June 2011 (UTC)[reply]

I agree with Tex, this is a very serious matter and as Tex said a lot of people would very much like to know who leaked and I, along with others, want a public statement as to what happened once it is figured out. This is a very serious issue and indeed it is worrisome that possibly other things have leaked out. This is truly disconcerting, as this defeats the entire purpose of Arb Com and emailing, to keep things that are private private, had he wanted it public he wouldn't have been emailing it. As Malleus said there are much more interesting things that could be talked about and that is partially what has me worried, if this is what we have found then there is probably other stuff that is more interesting or important out there as well. I hope that this is all resolved quickly and we can be assured that this is all that is out there.  Adwiii  Talk  17:42, 23 June 2011 (UTC)[reply]
The same person has leaked some emails I recently sent to the ArbCom, and emails from some of the Arbs discussing it between themselves. I think it's important that an announcement be made about this somewhere prominently, so that people know not to send anything confidential to the ArbCom until it's sorted out. SlimVirgin TALK|CONTRIBS 18:41, 23 June 2011 (UTC)[reply]
I've temporarily removed the word "private" from the emphatic bright yellow box on the page, since such status can't currently be guaranteed. I agree an announcement somewhere else (although I'm not sure where) might also be a good idea. --Demiurge1000 (talk) 18:47, 23 June 2011 (UTC)[reply]
The resulting statement instructs individuals to send all material (private or otherwise) for our attention to the list. –xenotalk 18:51, 23 June 2011 (UTC)[reply]
Well, it says "any", not "all", but yes it could have been construed that way. So how should it be worded? How about "Material intended for the Committee's attention can be sent to..." ? The alternatives are emphatically suggesting a level of privacy that likely does not currently exist, or removing mention of the email address altogether until the problem is resolved. Or is there a better way? --Demiurge1000 (talk) 18:59, 23 June 2011 (UTC)[reply]
I'd suggest full and clear honesty. Something like Notice: Communication with ArbCom has been confirmed to be compromised. Confidentiality can not be guaranteed at the current time.--Cube lurker (talk) 19:08, 23 June 2011 (UTC)[reply]
I think the first sentence of that is perhaps overly dramatic. The second, in small, would be adequate though. --Demiurge1000 (talk) 19:15, 23 June 2011 (UTC)[reply]
I think this is serious enough that I'd be more concerned about failure to fully inform someone who intended to transmit confidential information. My understanding is that someone with access is willing to release information maliciously. There's a definite right to know issue that goes beyond a fine print note that could be missed or not treated seriously.--Cube lurker (talk) 19:22, 23 June 2011 (UTC)[reply]
(ec) No one will notice it there. It should be posted somewhere prominently. It would be best if the ArbCom would do that asap. SlimVirgin TALK|CONTRIBS 19:23, 23 June 2011 (UTC)[reply]
This aspect of the discussion has been superseded by Coren's note below as far as I'm concerned. --Demiurge1000 (talk) 19:26, 23 June 2011 (UTC)[reply]

brief status update

At this time, the source of the leak seems to have been identified and closed. We are not yet able to determine what other emails may have been stolen, but I am confident that future email will not be so exposed. The committee will give a detailed statement regarding the incident once we have finished cleaning things up and investigating the matter in detail (within the next 24h). — Coren (talk) 19:24, 23 June 2011 (UTC)[reply]

Confirming what Coren has said above. For the record, this incident has been discussed with the WMF as well. Risker (talk) 19:32, 23 June 2011 (UTC)[reply]
Given the ongoing leaks at Wikipedia Review, how confident are you that this matter is now sorted? Malleus Fatuorum 22:24, 23 June 2011 (UTC)[reply]
Interestingly, the material posted so far has been surprisingly mild, and far more gossipy than scandalous. I'm a little hesitant to start writing WP:BEANS cases, but I think either the person who has the emails doesn't know what would be (relatively) explosive, or doesn't have much (I'm excluding there being nothing scandalous, based on knowing the personalities of certain people :-) ...) -- Seth Finkelstein (talk) 22:48, 23 June 2011 (UTC)[reply]
We are quite certain that we have identified the source of the leak, and that the account involved no longer has access to any private mailing lists or the arbitration wiki. We are still assessing what information was accessed while the account was compromised. As a precaution, other members of the committee are changing passwords and reassessing their personal security precautions including hardware/software checks. Risker (talk) 22:51, 23 June 2011 (UTC)[reply]
Should we assume that when the announcement about this is posted, it’s going to include the identity of whichever arbitrator leaked the e-mails? If it’s now been determined who was responsible for the leak, I think the community has a right to know that. --Captain Occam (talk) 00:44, 24 June 2011 (UTC)[reply]
Risker seems to imply that the arbitrator in question had their account and/or email and/or other login information compromised by a third party. NW (Talk) 00:50, 24 June 2011 (UTC)[reply]
Coren indicated that Iridescent's account had been compromised, but some of the leaked material dates from before his time on the ArbCom. I hope the Committee will be completely transparent about what happened here. SlimVirgin TALK|CONTRIBS 00:59, 24 June 2011 (UTC)[reply]
Part of the problem is that most passwords, including that to the email archive, were sent by email (hence the importance of having all accounts pointing at a new email account as swiftly as possible). Of course, access to the archive and wikis was immediately removed to prevent further access, but that will have had no effect on what data was already stolen.

In other words, it's not really possible to establish with certainty what, or how much, has been taken before the accesses were changed; our focus will be on securing things for the future so that this does not happen again. I'm going to recommend a number of procedural changes to diminish the probability of such incidents happening in the future, as well as push very hard for strong security precautions to access confidential data (for instance, two-factor authentication to access privileged wikis or archives seems important to me). — Coren (talk) 01:07, 24 June 2011 (UTC)[reply]

I had a conversation with the Foundation about this around a year ago, maybe longer. Anyone gaining access to the wiki or the archives needs that access only for the briefest of periods. They download the material, and that's that. Once this immediate situation is sorted out, I think a serious discussion needs to take place about the amount of information the Committee is retaining about people. Realistically you can't guarantee its safety, and the larger the mailing list, the less of a guarantee there can be. SlimVirgin TALK|CONTRIBS 01:12, 24 June 2011 (UTC)[reply]
Yes, I'll spearhead that necessary work to reform myself. — Coren (talk) 01:14, 24 June 2011 (UTC)[reply]
Mike Godwin posted to one of the mailing lists recently that enlightened organizations are retaining very little data about individuals, so that if a legal issue arises, there's little to hand over. And the same principle would apply to security, that if there's a leak, there's not much that can be released. But it seems the ArbCom and functionaries take the opposite approach, retaining large archives, setting up an ArbCom wiki, and I believe a checkuser wiki. A great deal of it is unpleasant gossip about people, and some of it is material that ought to remain private. So I really question the ethics of this approach, because I think it's very unfair to editors to keep so much material for so long, and to be constantly giving new people access to it, even though the subjects of the information may not have seen it themselves. SlimVirgin TALK|CONTRIBS 01:31, 24 June 2011 (UTC)[reply]
Coren, is what you’re saying that it was possible to use Iridescent’s account to access information from before Iridescent became an arbitrator, because their e-mail account contained the password to the archive of past mailing list discussions? And it’s certain that there wasn’t any leak other than whoever broke into Iridescent’s account? --Captain Occam (talk) 01:16, 24 June 2011 (UTC)[reply]
That is what all the evidence we have indicates, yes. I'm not going to say that it's certain that there are no other possible leaks, but it's certainly improbable. I'm probably the only arbitrator who controls every part of his email infrastructure, so I can tell you as a fact that no access has been made to my own email, but the other arbitrators have taken measures to ensure that their passwords are secure to make as sure as we can that no other leak is possible. — Coren (talk) 01:22, 24 June 2011 (UTC)[reply]
(ec) That was the issue I raised with the Foundation, that new members automatically gain access to the full archives, including material they have no need to read. Some kind of purging ought to be taking place each year, so that these secret files about individuals aren't being retained, just waiting for someone to steal them.
Also, the leaker leaked Coren's email saying it was Iridescent's account. Presumably Coren sent that email after that account's access had been removed, so that's somewhat worrying. SlimVirgin TALK|CONTRIBS 01:23, 24 June 2011 (UTC)[reply]

No, it was not, though it is almost certainly the last email that account received from the list: Risker needed a bit of delay to get to a secure computer to remove the accesses. — Coren (talk) 01:28, 24 June 2011 (UTC)[reply]

I saw some emails that were not addressed to arbcom. For example at least one email was from SV addressed to Cirt. How did this get stolen and/or leaked?
I believe, if Wikipedia Review has some self respect left, it should remove these stolen emails and ban the user who posted them for good.--Mbz1 (talk) 02:41, 24 June 2011 (UTC)[reply]
My guess (provisional, and subject to revision based on new information) is that we're seeing information that was in a personal mail archive. As opposed to there being a Wikipedia Wikileaks cache of the entire arbcom list available. Umm, regarding banning the user who posted them - since it was a new special account, that wouldn't do a lot of good even if they were so inclined (horse, barn, door). -- Seth Finkelstein (talk) 03:03, 24 June 2011 (UTC)[reply]
  • Just following up on what Coren has said, that was the last email on the mailing list before the account in question was fully disabled from all private mailing lists and from the arbwiki. The point about archive security is entirely valid, and it is a concern that is shared by the Arbitration Committee. We have been having discussions with the WMF specifically about alternative methods of managing archives for various private lists, some processes are already in motion, and we were continuing to examine options for the arbcom-L list. We'll be accelerating those discussions now. However, at least some of it is a moot point because it appears these are from the arbitrator's own email logs and thus even tighter security on arbcom-L or arbwiki would not have changed the outcome. The committee members are now evaluating their own personal security situations, examining methods of storing emails, changing passwords and adding two-step authentications, to reduce the risk of a further recurrence. I know the saying about the barn door (I edit-conflicted with Seth saying the same thing), but I just wanted to point out that we've been working on this in the background for a while, and unfortunately this occurred before we'd managed to hammer out the details for this specific mailing list. Risker (talk) 03:07, 24 June 2011 (UTC)[reply]
  • For everybody who uses GMAIL there is a line below the list of your messages:
  • "Details" is a clickable button. If you are to click it, you will see, if any IP other than your own accessed your account. It is a very useful tool that I used to locate a dirty hacker that hacked my email.--Mbz1 (talk) 03:26, 24 June 2011 (UTC)[reply]

Am I right in recalling that this isn't the first time something like this has happened? Didn't someone once do a complete public dump of the ArbCom archives, or something like that? If this incident is any more than a complete one-off, then I suggest we stop giving out the impression to anyone that they can communicate privately via the ArbCom mailing list; if people have anything confidential they need to bring to an arbitrator's attention, they should be advised to write to a single arbitrator whom they trust (ideally the Foundation would employ someone to deal with such matters), and information would be shared further strictly on a need-to-know basis.--Kotniski (talk) 10:14, 24 June 2011 (UTC)[reply]

  • Some editors indeed chose the method of contacting a single arbitrator, who then forwards it to every individual arbitrator when a decision needs to be reached. In this case, it would not have made any difference if the correspondence was emailed via the list or bypassing it (via every individual arbitrator email). - Mailer Diablo 11:09, 24 June 2011 (UTC)[reply]
    But my point was that it doesn't need to go to every individual arbitrator. It depends on the situation, I suppose, but I would have thought in most cases it would be enough for at most two or three of them to see it (and others to be told only what the public is told). --Kotniski (talk) 11:28, 24 June 2011 (UTC)[reply]
    The position here is that individual arbitrators have no special authority so any actual decisions need to be made by the committee as a whole. What would help considerably though would be if people brought fewer things to the committee as many of the matters raised privately could easily be handled publicly.  Roger Davies talk 11:54, 24 June 2011 (UTC)[reply]
    Or if the committee learnt to delegate (which would have other advantages quite apart from limiting the circulation of private information). BTW, am I right in recalling that there have been leaks of this nature in the past, or is it my imagination (or untrue gossip)?--Kotniski (talk) 12:01, 24 June 2011 (UTC)[reply]
    Yes, see this thread about a leak of the ArbCom mailing list archives in 2009. Graham87 05:07, 25 June 2011 (UTC)[reply]

From the threads on WR, it sure doesn't appear to be Iridescent who was hacked to me. Why would Iridescent have the whole SlimVirgin/Cirt/Shell thread, especially since Shell made it clear she was not sharing it with the whole of arbcom? I think your mailing list is leaking like a sieve and something needs to be done, pronto. Tex (talk) 14:07, 24 June 2011 (UTC)[reply]

The entire SV/Cirt/Shell thread was forwarded to the arbcom-l mailing list at a later date (following a call for Shell's recusal in the related arbitration case).
As indicated above, it is believed that the immediate cause of the breach has been identified and prevented from further access. We are exploring options to avoid a similar recurrence. –xenotalk 14:20, 24 June 2011 (UTC)[reply]
So what was the cause of the breach? Malleus Fatuorum 14:59, 24 June 2011 (UTC)[reply]
It is believed the cause was a breach of security (i.e. someone targeting an arbitrator's PC and/or email account). We intend to post a detailed statement in the near future. –xenotalk 15:23, 24 June 2011 (UTC)[reply]
  • As I pointed out to Sue Gardner in this message, there was an incident where a single Arb was contacted regarding an editor who was engaging in pro-paedophilia advocacy. That Arb did not act on the information and nothing was done until Arbcom in full were notified. I am concerned by the suggestion that editors should contact only a single Arbitrator as an effort to reduce the risk of these types of leaks. That course of action has been demonstrated to have other problems. (Gardner did not reply to my message and email, or my follow-up, incidentally.) Delicious carbuncle (talk) 00:28, 25 June 2011 (UTC)[reply]

Break - security

What's the status regarding functionaries-en? Is there anything to indicate that material from that list was also compromised? /ƒETCHCOMMS/ 18:34, 24 June 2011 (UTC)[reply]

It's likely that some or many emails from that list were also in the compromised mail account. Whether the criminal who broke into it cared enough for those emails (which are, in the end, much less superficially "interesting" than arbcom-l's) to download them before access was cut, we cannot say. I note that none seem to have been leaked, though that obviously shouldn't be taken as any sort of guarantee. — Coren (talk) 19:20, 24 June 2011 (UTC)[reply]
As an uninvolved (I hope!) observer, I'd hate for the ArbCom to throw out the baby with the bathwater, losing important communication systems and institutional memory. Perhaps the archive can be set with a daily limit and a notice could go to the email list every time it's accessed. Whatever the right solution is, I hope the WMF takes this issue seriously enough to devote sufficient coding resources to provide security for the largest Wikimedia project.   Will Beback  talk  19:50, 24 June 2011 (UTC)[reply]
There are systematic problems to fix for which, indeed, there may be technological help available. Much of this would require a bit of coding and support from the foundation (I would, for instance, strongly suggest some sort of two-factor authentication before private data can be accessed, and a running log of such accesses).

By happenstance IT security is my specialty, so I've already spoken at length about stronger security mechanisms; but I'm going to work directly with the foundation to help put those mechanisms in place in the short term. If nothing else, this incident will have served to highlight the importance of doing so. — Coren (talk) 19:56, 24 June 2011 (UTC)[reply]

Re Xeno's recent email to me, which hasn't yet been leaked onto WR, I hope that you will not fall into the trap of security by obscurity, or avoid disclosing what actually happened here by deploying the silly beans argument. I am not at all happy about the situation this leak has put me in. Malleus Fatuorum 20:03, 24 June 2011 (UTC)[reply]
I actually know security, Malleus; you'll not find me arguing for security theater. Little of what happened could have been avoided the way things are currently set up; we've plugged the immediate hole, but unless we start taking security more seriously such things are going to happen again. Like I've said, I've already approached the Foundation to start working on a review and rebuild of the way we handle private data from the ground up.

I take what happened to you (and the other victims) very seriously, and I don't intend to let the matter rest until I can confidently say that another incident like this will not happen again. — Coren (talk) 20:15, 24 June 2011 (UTC)[reply]

  • There are two separate issues here: the first is the personal IT security of individuals with access to non-public mailing lists, which we believe is what is at issue in this current event. We all know people who have taken all kinds of precautions and still wound up with hidden software in their computer; and this will always remain the most likely vector of attack.

    The second issue is the management of archiving of private mailing lists, and we have been working with WMF on this issue for some months now. Changes are already in progress for some private mailing lists which are affiliated in whole or in part with Arbcom. The biggest challenge is the Mailman software that is currently used by WMF: it is extremely inflexible when it comes to archiving. One either has archiving turned on or off, but there is no ability to set auto-destroy or to manually remove posts from the archives. Therefore, the only way to keep current archives that are in very active use is to also keep the archives that were created at the inception of the list. We have made what we believe is a strong case for WMF to consider other mailing list software specifically for private mailing lists (Mailman's archiving function is just fine for the public lists).

    We have also endorsed the principle of requiring two-step log-in for WMF-related private wikis, and I've been advised that the developers/sysadmins are currently looking at how this can be done, with a goal toward implementation. Risker (talk) 21:02, 24 June 2011 (UTC)[reply]

    • And how long will that take, given the glacial pace of Wikimedia development? Malleus Fatuorum 21:13, 24 June 2011 (UTC)[reply]
      • Fair question, Malleus. My understanding is that this has been established as a high priority by Erik Moeller, to whom the entire developer/sysadmin structure currently reports, with significant support from the other department heads, so I'm guessing it's moved fairly close to the top of the heap. I've been given to believe that it's not a particularly difficult fix, but I'm poorly acquainted with anything that technical so can't give you an honest assessment. My sense is we're talking days to weeks rather than the usual many weeks to months. Risker (talk) 21:25, 24 June 2011 (UTC)[reply]
        • So presumably the only safe thing to do in the interim is to assume that the ArbCom mailing list is not confidential? Malleus Fatuorum 21:32, 24 June 2011 (UTC)[reply]
          • Well, it's as confidential as emailing any mailing list to which a group of individuals are subscribed. From the feedback I am seeing from my fellow arbitrators, the majority of us have now taken additional precautions to secure the email addresses to which we subscribe to the list, and have changed passwords on all applicable accounts; however, there remains the reality that anyone can be hacked by someone determined to do so, just as any of us could have our wallets stolen no matter how many precautions we take, or our houses could be broken into regardless of all the fancy security systems we subscribe to. We can mitigate the risk, but it will never completely disappear. Risker (talk) 22:00, 24 June 2011 (UTC)[reply]
            • So as I said, the only safe thing to do is to assume that the ArbCom mailing list is not secure, and can never be secure. Malleus Fatuorum 22:06, 24 June 2011 (UTC)[reply]
              • That should be pretty much assumed to be the case with any system attached to the web, yes.©Geni 23:09, 24 June 2011 (UTC)[reply]
                • So why the claim that it was secure, and why should anyone believe that it's now secure? Malleus Fatuorum 23:42, 24 June 2011 (UTC)[reply]
                  • I don't follow such things closely; where was the claim made? The reality is there is no such thing as absolute security for anything held outside your own head (even there, there is active research to get at stuff). So really it boils down to degrees of security. Historically arbcom have mostly relied on most arbcom members not leaking stuff (Kelly Martin is the exception) and the list not being interesting enough for more than standard security measures to be needed.©Geni 23:55, 24 June 2011 (UTC)[reply]

On a related note, I urge everyone who views this thread to check LulzSec's leak of 62,000 email-password combinations and ensure that, if your email address has been listed, you immediately stop using the associated password. (But this is a little late, perhaps, as the list was released last week and has surely been plundered several times.) /ƒETCHCOMMS/ 21:16, 24 June 2011 (UTC)[reply]

The story so far

Yesterday, around 15h UTC, we were made aware by Malleus Fatuorum that an email exchange between him and Iridescent, which was forwarded to the Arbitration Committee, had been leaked to an external website. The contents of the leaked email thread, which included comments that were restricted to the Arbitration Committee list itself, demonstrated that the leak necessarily came from someone who had access to (at least part of) the email archives or email box of a currently sitting arbitrator (or Jimmy Wales).

An investigation of the technical aspects of the leak has shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran, indicating that the person responsible for the leak was in control of that mail account. Given that it seemed highly improbable that Iridescent himself would have had the wherewithal to use a proxy computer in a foreign jurisdiction yet use a mail account directly associated with him, the scenario that the leak was a wilful act from Iridescent was not credible.

At that time, I emailed the list and arbitrator Risker directly (who is one of the arbitrators in technical control of the mailing lists and the secure wikis) that Iridescent's mail account was compromised, and that it should be immediately removed from all private lists and wikis. This was done shortly, thus ensuring that whoever was in control of Iridescent's email account would get no further access.

Simultaneously, we entered into contact with Iridescent through a different email account and verified that he was the correct person with private information that could not be found in any email archive. Once contact was established, Iridescent immediately changed all his passwords and all the email addresses associated with wiki accounts he has access to. At this time, Iridescent is still evaluating his personal computing security and has not yet been returned any access to private information.

Every arbitrator has since taken steps to reevaluate their own computer security by, among other things, changing their passwords or other credentials where appropriate, or turning on additional security features such as two-factor authentication where possible. While this offers no guarantees that all our accounts are secure, it greatly reduces the probability that more accounts are under external control.

Unfortunately, Iridescent's password to the Arbcom email archive was sent to him via the email address that was compromised, and it seems that the attacker used it to access it to leak at least one email thread from it. At this point, we must presume that all of Iridescent's email to and from that email address as well as an unknown fraction of the archive of the mailing list have been stolen by the attacker. Likewise, it is not possible to assess whether only Iridescent's Yahoo account has been compromised, or whether much or all of his computing resources were.

In the name of the Arbitration Committee, I offer our most profound apologies to everyone whose privacy has been breached by this criminal act. While our investigation is ongoing, and we hope to gather enough information to evaluate more precisely the extent of the intrusion, our focus will be on making the necessary systemic changes to prevent such an attack from succeeding in the future.

— Coren (talk) 21:08, 24 June 2011 (UTC)[reply]

That account is not strictly accurate, as I have never to my knowledge emailed the Arbitration Committee. What was made public was a series of emails I exchanged with Iridescent, which he apparently forwarded on to the committee. Malleus Fatuorum 21:16, 24 June 2011 (UTC)[reply]
I've tweaked it accordingly. I don't think it makes much difference in substance, though. — Coren (talk) 21:57, 24 June 2011 (UTC)[reply]
It may not, but it more accurately represents what happened. I did not, and have never, emailed anything to the Arbitration Committee. Malleus Fatuorum 22:02, 24 June 2011 (UTC)[reply]

Coren's account above is correct to the best of my knowledge. I endorse the posts that have been made by Coren, Risker, and others. I will add only that upon learning of what had occurred, I immediately ruled out the possibility that Iridescent had intentionally leaked the material based on everything I know about him, even before I learned of the technical evidence demonstrating an external hack. Newyorkbrad (talk) 22:58, 24 June 2011 (UTC)[reply]

An external hack of what? This still needs some explanation. Malleus Fatuorum 23:46, 24 June 2011 (UTC)[reply]
An arbitrator's email account was compromised by an unknown third party. This third party then used the additional information gathered after gaining access to the email account (the emails to that Arbitrator with the passwords to the archives, which would be necessary for the performance of their duties) to gather additional information. We're still trying to figure out how and by whom, but this incident has of course prompted all of us to review our own security and try to determine not only how this happened, and by whom, but how to prevent it from happening again. SirFozzie (talk) 23:52, 24 June 2011 (UTC)[reply]
And how was that done? No more beans bollocks please, just a little bit of honesty. Malleus Fatuorum 23:59, 24 June 2011 (UTC)[reply]
Malleus, how the hell could we know? Maybe the thief guessed Iridescent's password. Perhaps he has a keylogger on a computer that Iridescent has used, or he has compromised a router between him and Yahoo. Perhaps he is a Yahoo employee with enough access or a backdoor to compromise the accounts of arbitrary users. We almost certainly will never know how the account was compromised unless the miscreant steps forward and confesses. — Coren (talk) 01:13, 25 June 2011 (UTC)[reply]
Maybe the thief guessed Iridescent's password to what? And how do you explain the initial focus on me? Malleus Fatuorum 01:24, 25 June 2011 (UTC)[reply]
A) Malleus: I'm sorry to be abrupt, but either you are missing bits of reading comprehension, OR you are deliberately being obtuse, but if you look up THREE LINES in a reply to one of your PREVIOUS questions, you would get the answer to "Password to what", and B) We're not the people who posted the information. Only the person who is posting these emails can answer that question. We're not mind readers. (If we were, we'd conduct all Committee business via Telepathy, and there'd be no archives for them to raid). SirFozzie (talk) 02:06, 25 June 2011 (UTC)[reply]
You're not being abrupt Fozzie, you're being a fucking wanker. Malleus Fatuorum 02:21, 25 June 2011 (UTC)[reply]
Well that was called for. Or not. Shell babelfish 02:24, 25 June 2011 (UTC)[reply]
So block me for telling the truth. I know how unpopular the truth is here. Malleus Fatuorum 02:45, 25 June 2011 (UTC)[reply]
If you can't tell the difference between calling people names and the truth, why don't you go block yourself? Shell babelfish 03:11, 25 June 2011 (UTC)[reply]
Are you really as dumb as you appear to be? Malleus Fatuorum 03:22, 25 June 2011 (UTC)[reply]
Quite possibly, but opinions vary. How about you? Shell babelfish 03:32, 25 June 2011 (UTC)[reply]
Why don't you undertake the most basic of investigations, which will tell you that I can't block anyone. Do you always pontificate from a position of ignorance? Malleus Fatuorum 04:27, 25 June 2011 (UTC)[reply]
Shell, the last thing that's needed now from you is this kind of snark. SlimVirgin TALK|CONTRIBS 07:52, 25 June 2011 (UTC)[reply]
As someone who’s had online accounts belonging to me broken into in the past (not at Wikipedia; this happened before I joined) I don’t agree with the statement that it’s not possible to determine how Iridescent’s account was broken into unless the culprit reveals it. Other members of ArbCom probably won’t be able to determine this, but I don’t think it’s unreasonable to expect Iridescent to. It’s often possible for a person who’s been hacked to determine what method was used against them, and I’ve done this myself. Once a person has determined when they were first hacked (which in this case Iridescent could determine from her e-mail IP login history), they can next determine what vulnerabilities they were exposed to at around that time. I think that determining how a break-in was accomplished is an important part of preventing the problem from recurring in the future, because without an understanding of how it was done, you can never be certain that you’ve removed the vulnerability that made it possible. --Captain Occam (talk) 09:10, 25 June 2011 (UTC)[reply]
That's true, but may not be particularly helpful in this case. Everything we've seen so far suggests that this was a targeted compromise (in other words, that the attacker set out specifically to gain access to the Committee's correspondence) rather than an opportunistic one; if that's the case, then it's quite possible that the underlying security breach took place days or weeks before the material was released, and that the attacker has had ample time to compromise any audit trails. Kirill [talk] [prof] 11:22, 25 June 2011 (UTC)[reply]
  • Would the severity of this incident and the importance of confidentiality merit arbitrators adopting PGP for their email communications? --causa sui (talk) 23:43, 24 June 2011 (UTC)[reply]
    • I can't speak for the other arbs, but I think all options need to be considered. Of course, that means any further archives (which to some, is rather necessary for us to do our jobs, especially when we do clarifications or amendments of past decisions) would be useless. I'm not going to rule anything in or out, however. We're taking a soup-to-nuts review of our current situation, both personally, as a committee, and working with the WMF. SirFozzie (talk) 23:52, 24 June 2011 (UTC)[reply]
      • Has anyone actually used PGP for day-to-day conversations? I have, and found it to be pretty cumbersome. A simpler solution would be to move ALL conversations to a secured Wiki, and just turn on email notifications of changes. Jclemens (talk) 06:12, 25 June 2011 (UTC)[reply]
    • We're still assessing the situation, but preliminary findings appear to look very bleak. Encryption might well become the future way of securing email communications along with other long-term security measures, which the arbitrators will be discussing once the dust settles. - Mailer Diablo 23:57, 24 June 2011 (UTC)[reply]
  • Good to know that you're on top of it. I brought up PGP because aside from giving a second layer of security -- PGP-encrypted email is left encrypted in the inbox, requiring a hacker to guess an extremely strong password before he could read any archived mail -- it would have an important additional benefit: PGP would allow arbitrators to send identity-validated communications to prevent a more intelligent and destructive hacker from impersonating an arbitrator. That hasn't yet happened, but it should be on our minds as a very real and very, very dangerous disaster scenario. I'm sure you'll reach out to anyone you think can help you implement the security measures you choose. Good luck. Regards, --causa sui (talk) 23:59, 24 June 2011 (UTC)[reply]
    Non-repudiation is among the least important of the security aspects of messages. Impersonating an arb gets one very little, and of that "very little", almost none could not be quickly reversed when the mischief was discovered. The bigger issue is the account compromise itself, which could lead to... WP:BEANS. Jclemens (talk) 06:24, 25 June 2011 (UTC)[reply]

Malleus's comment is actually quite significant. It adds weight to the theory that this material comes from Iridescent's email account, not the Arbcom web archive. While this cannot be established definitively, there has been no evidence that the crack will create Wikileaks - Wikipedia Edition. And there's so many people who would like to have their names ego-searched over the Arbcom archive that if the entire archive was available, I strongly suspect much more would be posted. If we get WikipediaLeaks, I'll be wrong, but again, I would say that at this time, the breach appears highly contained. -- Seth Finkelstein (talk) 23:55, 24 June 2011 (UTC) [reply]

  • Seth, the password to the archives was emailed to Iridescent, so whoever had access to the account had access to the archives, unless we know that Iridescent did not keep a copy of the password in that account. Two things: (1) I seem to recall from the last leak that the ArbCom agreed to stop emailing passwords, though I may be misremembering, and I can't now find those threads. (2) Are the developers able to see which IP addresses have accessed the archives recently, using which password? SlimVirgin TALK|CONTRIBS 07:57, 25 June 2011 (UTC)[reply]
  • As the leaker gained access to the archives, we have to assume that he downloaded them. Can the Committee tell us how far back the compromised archives go so we can judge the extent of the damage? SlimVirgin TALK|CONTRIBS 07:52, 25 June 2011 (UTC)[reply]
    • Mailman stores its archives as a single bundle; anyone who gains access to any part of the archive gains access to all of it. In the case of arbcom-l, this would include material going back to when the list was started (in 2004?); the archives have never been purged, although there have been repeated discussions about doing so. Kirill [talk] [prof] 11:16, 25 June 2011 (UTC)[reply]

Is this really a disaster?

Sure, it's embarrassing for the arbitrators and discomforting for those who have been in communication with them on this list, but in a whole of project sense, just how much damage can be done? Miss E. Lovetinkle (talk) 11:45, 25 June 2011 (UTC)[reply]

Our internal deliberations are not the main concern, in my opinion; as you suggest, their being published is more a cause for embarrassment than a real threat to the project. The larger issue is the various material (including evidence, complaints, requests for assistance, and so forth) submitted by other editors; in many cases, this correspondence includes personal information (real names, addresses, telephone numbers, ages) whose release could have negative consequences for editors and non-editors with no relation to the Committee.
I remain hopeful, however, that the individual or individuals in possession of the archives will maintain their focus on the Committee itself, and will refrain from gratuitously exposing the personal information of the many innocent people who've written to us over the years. Kirill [talk] [prof] 12:12, 25 June 2011 (UTC)[reply]
So why was this information never purged? Wasn't it absolutely inevitable that at one time or another it would be stolen and/or leaked? Why were people encouraged to write to ArbCom as if in confidence, when it was known that the probability of the information's remaining confidential would tend to zero over time?--Kotniski (talk) 13:32, 25 June 2011 (UTC)[reply]
It's not possible to purge as it's not part of the Mailman functionality: you can either have archives or not. Profoundly unsatisfactory but there you are.  Roger Davies talk 13:42, 25 June 2011 (UTC)[reply]
(edit conflict) There are several problems with purging the archives; some of these have been alluded to above, but to recap:
  • The software used for operating the mailing lists does not allow either selective archiving or modification of the archives after the fact; either the entire archive is retained, in its original form, or no archiving is done at all.
  • Numerous proposals have been made to disable archiving entirely, but have never achieved consensus; this is primarily because some level of records retention is necessary to process appeals (particularly repeat appeals), clarifications, and similar matters where examining the content of previous discussions is necessary. It has been suggested that the personal archives maintained by individual arbitrators could serve this institutional memory purpose without the need for a central archive; but there were concerns that (a) no single arbitrator or former arbitrator has archives covering the Committee's entire history, that (b) personal archives could potentially be tampered with in subtle ways, and there would be no "master" copy to compare against, and that (c) this would unduly rely on former arbitrators, many of whom might be inactive or unwilling to share archives.
  • An alternative option that was considered was the selective retention of particular discussions in some shared space (e.g. on the arbitration wiki) and the deletion of the original archive. This is something that is currently being done with CheckUser records, but would be prohibitively time-consuming for arbcom-l due to the immense volume of the archives; and there have been security concerns with the arbitration wiki as well.
As far as inevitability is concerned, arbcom-l is not inherently any less secure than any other mailing list used by/for Wikimedia business. A determined attacker can eventually find a way to compromise a system of this sort—we'd need to disconnect it from the internet to truly make it secure—but the same is true of any online system. The only real way to ensure that private correspondence could never be leaked would be to prohibit the use of private correspondence in the first place; otherwise, any system open to remote access is potentially open to compromise. Kirill [talk] [prof] 13:57, 25 June 2011 (UTC)[reply]
People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. Miss E. Lovetinkle (talk) 13:38, 25 June 2011 (UTC)[reply]
No it's not a requirement of ours but you'd be astonished what some people think is pertinent to tell us.  Roger Davies talk 13:42, 25 June 2011 (UTC)[reply]
Well given that I've just discovered where this stuff is being posted to, I think this might be a bit of a disaster. For you guys at any rate. Oh dear. There's some rancid stuff coming out. What the hell is the "functionaries" list? Apparently stuff from that is being released now. Miss E. Lovetinkle (talk) 13:46, 25 June 2011 (UTC)[reply]