Wikipedia talk:Arbitration Committee: Difference between revisions

Use this page to discuss information on the page (and subpages) attached to this one. This includes limited discussion of the Arbitration Committee itself, as a body. Some things belong on other pages: requesting arbitration: WP:A/R discussing finalised decisions of the committee: WT:ACN discussing pending decisions: find the proceedings page at Template:Casenav discussing the process of arbitration: WT:A/R

Shortcuts WT:AC WT:ARBCOM

Final reminder: Arbitration policy update and ratification

The current written arbitration policy dates from 2004 and much has evolved since then. The policy has been extensively reviewed over the last two years, with a series of wide-ranging community consultations, to bring the written document up to date. The proposed update is posted and is undergoing community ratification, which is due to close on 13 June 2011. All editors are cordially invited to participate in the ratification process.  Roger Davies ^talk 06:02, 9 June 2011 (UTC)

Discuss this

Who is responsible?

I would like to know which member of ArbCom, past or present, is responsible for this leak.[1] Malleus Fatuorum 14:59, 23 June 2011 (UTC)

Oh dear. This is not going to end well, and I fear you--rather than the responsible parties--are going to end up pilloried. → ROUX ₪ 15:13, 23 June 2011 (UTC)

I'm quite used to that, but there's something amiss here that needs sorting out. What else has been/is being leaked? Malleus Fatuorum 15:15, 23 June 2011 (UTC)

Without engaging in hyperbole, this is really very bad. personally I'd bypass the usual ArbCom nonsense and go straight to WMF. Moonriddengirl might be a good way to get someone to take notice. → ROUX ₪ 15:23, 23 June 2011 (UTC)

meta:Ombudsman commission seems to be the appropriate Wikimedia body for outside review of this matter. –xeno^talk 15:29, 23 June 2011 (UTC)

The Ombudsman Commission investigates violations of the Foundation privacy policy, which does not appear to have occurred. This is a matter of a breach of trust by a community member, but not a matter for the Foundation. Dominic·t 16:47, 23 June 2011 (UTC)

Would a contributor's non-public(?) email address not be considered personally-identifying information? –xeno^talk 17:03, 23 June 2011 (UTC)

Can't be any past arbitrators (for the initial leak anyway); the only people on the list these days are current Arbs and Jimbo. NW (Talk) 15:28, 23 June 2011 (UTC)

• The committee is aware of the situation and looking into it. –xeno^talk 15:29, 23 June 2011 (UTC)

Malleus, please accept my most profound apology for this unforgivable breach of your expectation of privacy. It is vanishingly unlikely that this leak comes from someone else than a sitting arbitrator, and I want to assure you that I will do everything in my power to identify the slime who did this and crucify them. — Coren ^(talk) 16:34, 23 June 2011 (UTC)

In this particular instance there was nothing particularly private, just a chat with Iridescent (who I don't at all blame for this) about a few options that are now impractical. It does though raise the very serious question of what else has been leaked. Malleus Fatuorum 16:49, 23 June 2011 (UTC)

Nevertheless, you were given an assurance of confidentiality and, through lack of care or dishonesty, it has been breached. I agree with you that the possibility of further leaks that we are unaware of is worrisome, and makes it all the more important that the leak is found and plugged. — Coren ^(talk) 17:09, 23 June 2011 (UTC)

It clearly needs to be sorted out, and quickly. I must admit to being rather puzzled at this discussion being leaked though, as I'm sure there must be much juicier stuff on the mailing list that's far more interesting. Malleus Fatuorum 17:15, 23 June 2011 (UTC)

I do hope this isn't swept under the rug, either. This is a serious breach of confidentiality and I (and I'm sure others) would very much like to know who the leak is. Please don't just do whatever it is you arbs do behind closed doors. Please make a public statement about this once it is known who did such a thing. Tex (talk) 17:18, 23 June 2011 (UTC)

I agree with Tex, this is a very serious matter and as Tex said a lot of people would very much like to know who leaked and I, along with others, want a public statement as to what happened once it is figured out. This is a very serious issue and indeed it is worrisome that possibly other things have leaked out. This is truly disconcerting, as this defeats the entire purpose of Arb Com and emailing, to keep things that are private private, had he wanted it public he wouldn't have been emailing it. As Malleus said there are much more interesting things that could be talked about and that is partially what has me worried, if this is what we have found then there is probably other stuff that is more interesting or important out there as well. I hope that this is all resolved quickly and we can be assured that this is all that is out there.  Adwiii  Talk  17:42, 23 June 2011 (UTC)

The same person has leaked some emails I recently sent to the ArbCom, and emails from some of the Arbs discussing it between themselves. I think it's important that an announcement be made about this somewhere prominently, so that people know not to send anything confidential to the ArbCom until it's sorted out. SlimVirgin ^{TALK|CONTRIBS} 18:41, 23 June 2011 (UTC)

I've temporarily removed the word "private" from the emphatic bright yellow box on the page, since such status can't currently be guaranteed. I agree an announcement somewhere else (although I'm not sure where) might also be a good idea. --Demiurge1000 (talk) 18:47, 23 June 2011 (UTC)

The resulting statement instructs individuals to send all material (private or otherwise) for our attention to the list. –xeno^talk 18:51, 23 June 2011 (UTC)

Well, it says "any", not "all", but yes it could have been construed that way. So how should it be worded? How about "Material intended for the Committee's attention can be sent to..." ? The alternatives are emphatically suggesting a level of privacy that likely does not currently exist, or removing mention of the email address altogether until the problem is resolved. Or is there a better way? --Demiurge1000 (talk) 18:59, 23 June 2011 (UTC)

I'd suggest full and clear honesty. Something like Notice: Communication with ArbCom has been confirmed to be compromised. Confidentiality can not be guaranteed at the current time.--Cube lurker (talk) 19:08, 23 June 2011 (UTC)

I think the first sentence of that is perhaps overly dramatic. The second, in small, would be adequate though. --Demiurge1000 (talk) 19:15, 23 June 2011 (UTC)

I think this is serious enough that I'd be more concerned about failure to fully inform someone who intended to transmit confidential information. My understanding is that someone with access is willing to release information maliciously. There's a definite right to know issue that goes beyond a fine print note that could be missed or not treated seriously.--Cube lurker (talk) 19:22, 23 June 2011 (UTC)

(ec) No one will notice it there. It should be posted somewhere prominently. It would be best if the ArbCom would do that asap. SlimVirgin ^{TALK|CONTRIBS} 19:23, 23 June 2011 (UTC)

This aspect of the discussion has been superseded by Coren's note below as far as I'm concerned. --Demiurge1000 (talk) 19:26, 23 June 2011 (UTC)

brief status update

At this time, the source of the leak seems to have been identified and closed. We are not yet able to determine what other emails may have been stolen, but I am confident that future email will not be so exposed. The committee will give a detailed statement regarding the incident once we have finished cleaning things up and investigating the matter in detail (within the next 24h). — Coren ^(talk) 19:24, 23 June 2011 (UTC)

Confirming what Coren has said above. For the record, this incident has been discussed with the WMF as well. Risker (talk) 19:32, 23 June 2011 (UTC)

Given the ongoing leaks at Wikipedia Review, how confident are you that this matter is now sorted? Malleus Fatuorum 22:24, 23 June 2011 (UTC)

Interestingly, the material posted so far has been surprisingly mild, and far more gossipy than scandalous. I'm a little hesitant to start writing WP:BEANS cases, but I think either the person who has the emails doesn't know what would be (relatively) explosive, or doesn't have much (I'm excluding there being nothing scandalous, based on knowing the personalities of certain people :-) ...) -- Seth Finkelstein (talk) 22:48, 23 June 2011 (UTC)

We are quite certain that we have identified the source of the leak, and that the account involved no longer has access to any private mailing lists or the arbitration wiki. We are still assessing what information was accessed while the account was compromised. As a precaution, other members of the committee are changing passwords and reassessing their personal security precautions including hardware/software checks. Risker (talk) 22:51, 23 June 2011 (UTC)

Should we assume that when the announcement about this is posted, it’s going to include the identity of whichever arbitrator leaked the e-mails? If it’s now been determined who was responsible for the leak, I think the community has a right to know that. --Captain Occam (talk) 00:44, 24 June 2011 (UTC)

Risker seems to imply that the arbitrator in question had their account and/or email and/or other login information compromised by a third party. NW (Talk) 00:50, 24 June 2011 (UTC)

Coren indicated that Iridescent's account had been compromised, but some of the leaked material dates from before his time on the ArbCom. I hope the Committee will be completely transparent about what happened here. SlimVirgin ^{TALK|CONTRIBS} 00:59, 24 June 2011 (UTC)

Part of the problem is that most passwords, including that to the email archive, were sent by email (hence the importance of having all accounts pointing at a new email account as swiftly as possible). Of course, access to the archive and wikis was immediately removed to prevent further access, but that will have had no effect on what data was already stolen.

In other words, it's not really possible to establish with certainty what, or how much, has been taken before the accesses were changed; our focus will be on securing things for the future so that this does not happen again. I'm going to recommend a number of procedural changes to diminish the probability of such incidents happening in the future, as well as push very hard for strong security precautions to access confidential data (for instance, two-factor authentication to access privileged wikis or archives seem important to me). — Coren ^(talk) 01:07, 24 June 2011 (UTC)

I had a conversation with the Foundation about this around a year ago, maybe longer. Anyone gaining access to the wiki or the archives needs that access only for the briefest of periods. They download the material, and that's that. Once this immediate situation is sorted out, I think a serious discussion needs to take place about the amount of information the Committee is retaining about people. Realistically you can't guarantee its safety, and the larger the mailing list, the less of a guarantee there can be. SlimVirgin ^{TALK|CONTRIBS} 01:12, 24 June 2011 (UTC)

Yes, I'll spearhead that necessary work to reform myself. — Coren ^(talk) 01:14, 24 June 2011 (UTC)

Mike Godwin posted to one of the mailing lists recently that enlightened organizations are retaining very little data about individuals, so that if a legal issue arises, there's little to hand over. And the same principle would apply to security, that if there's a leak, there's not much that can be released. But it seems the ArbCom and functionaries take the opposite approach, retaining large archives, setting up an ArbCom wiki, and I believe a checkuser wiki. A great deal of it is unpleasant gossip about people, and some of it is material that ought to remain private. So I really question the ethics of this approach, because I think it's very unfair to editors to keep so much material for so long, and to be constantly giving new people access to it, even though the subjects of the information may not have seen it themselves. SlimVirgin ^{TALK|CONTRIBS} 01:31, 24 June 2011 (UTC)

Coren, is what you’re saying that it was possible to use Iridescent’s account to access information from before Iridescent became an arbitrator, because their e-mail account contained the password to the archive of past mailing list discussions? And it’s certain that there wasn’t any leak other than whoever broke into Iridescent’s account? --Captain Occam (talk) 01:16, 24 June 2011 (UTC)

That is what every the evidence we have indicates, yes. I'm not going to say that it's certain that there are no other possible leaks, but it's certainly improbable. I'm probably the only arbitrator who controls every part of his email infrastructure, so I can tell you as a fact that no access has been made to my own email, but the other arbitrators have taken measures to ensure that their passwords are secure to make as sure as we can that no other leak is possible. — Coren ^(talk) 01:22, 24 June 2011 (UTC)

(ec) That was the issue I raised with the Foundation, that new members automatically gain access to the full archives, including material they have no need to read. Some kind of purging ought to be taking place each year, so that these secret files about individuals aren't being retained, just waiting for someone to steal them.

Also, the leaker leaked Coren's email saying it was Iridescent's account. Presumably Coren sent that email after that account's access had been removed, so that's somewhat worrying. SlimVirgin ^{TALK|CONTRIBS} 01:23, 24 June 2011 (UTC)

(←) No, it was not, though it is almost certainly the last email that account received from the list: Risker needed a bit of delay to get to a secure computer to remove the accesses. — Coren ^(talk) 01:28, 24 June 2011 (UTC)

I saw some emails that were not addressed to arbcom. For example at least one email was from SV addressed to Cirt. How this got stolen and/or leaked?

I believe, if wikipedia review has some self respect left, it should remove these stolen emails and ban the user who posted them for good.--Mbz1 (talk) 02:41, 24 June 2011 (UTC)

My guess (provisional, and subject to revision based on new information) is that we're seeing information that was in a personal mail archive. As opposed to there being a Wikipedia Wikileaks cache of the entire arbcom list available. Umm, regarding banning the user who posted them - since it was a new special account, that wouldn't do a lot good even if they were so inclined (horse, barn, door). -- Seth Finkelstein (talk) 03:03, 24 June 2011 (UTC)

• Just following up on what Coren has said, that was the last email on the mailing list before the account in question was fully disabled from all private mailing lists and from the arbwiki. The point about archive security is entirely valid, and it is a concern that is shared by the Arbitration Committee. We have been having discussions with the WMF specifically about alternative methods of managing archives for various private lists, some processes are already in motion, and we were continuing to examine options for the arbcom-L list. We'll be accelerating those discussions now. However, at least some of it is a moot point because it appears these are from the arbitrator's own email logs and thus even tighter security on arbcom-L or arbwiki would not have changed the outcome. The committee members are now evaluating their own personal security situations, examining methods of storing emails, changing passwords and adding two-step authentications, to reduce the risk of a further recurrence. I know the saying about the barn door (I edit-conflicted with Seth saying the same thing), but I just wanted to point out that we've been working on this in the background for a while, and unfortunately this occurred before we'd managed to hammer out the details for this specific mailing list. Risker (talk) 03:07, 24 June 2011 (UTC)

• For everybody who uses GMAIL there is a line below the list of your messages:

Last account activity: 1 hour ago at this IP (xx.xxx.xxx.xxx). Details (I redacted my IP address here)

• "Details" is a clickable button. If you are to click it, you will see, if any IP other than your own accessed your account. It is a very useful tool that I used to locate a dirty hacker that hacked my email.--Mbz1 (talk) 03:26, 24 June 2011 (UTC)

Am I right in recalling that this isn't the first time something like this has happened? Didn't someone once do a complete public dump of the ArbCom archives, or something like that? If this incident is any more than a complete one-off, then I suggest we stop giving out the impression to anyone that they can communicate privately via the ArbCom mailing list; if people have anything confidential they need to bring to an arbitrator's attention, they should be advised to write to a single arbitrator whom they trust (ideally the Foundation would employ someone to deal with such matters), and information would be shared further strictly on a need-to-know basis.--Kotniski (talk) 10:14, 24 June 2011 (UTC)

• Some editors indeed chose the method of contacting a single arbitrator, who then forward it to every individual arbitrator when a decision needs to be reached. In this case, it would not have made any difference if the correspondence was emailed via the list or bypassing it (via every individual arbitrator email). - Mailer Diablo 11:09, 24 June 2011 (UTC)

  But my point was that it doesn't need to go to every individual arbitrator. It depends on the situation, I suppose, but I would have thought in most cases it would be enough for at most two or three of them to see it (and others to be told only what the public is told). --Kotniski (talk) 11:28, 24 June 2011 (UTC)

  The position here is that individual arbitrators have no special authority so any actual decisions need to be made the committee as a whole. What would help considerably though would be if people brought fewer things to the committee as many of the matters raised privately could be easily be handled publicly.  Roger Davies ^talk 11:54, 24 June 2011 (UTC)

  Or if the committee learnt to delegate (which would have other advantages quite apart from limiting the circulation of private information). BTW, am I right in recalling that there have been leaks of this nature in the past, or is it my imagination (or untrue gossip)?--Kotniski (talk) 12:01, 24 June 2011 (UTC)

  Yes, see this thread about a leak of the ArbCom mailing list archives in 2009. Graham87 05:07, 25 June 2011 (UTC)

From the threads on WR, it sure doesn't appear to be Iridescent who was hacked to me. Why would Iridescent have the whole SlimVirgin/Cirt/Shell thread, especially since Shell made it clear she was not sharing it with the whole of arbcom? I think your mailing list is leaking like a sieve and something needs to be done, pronto. Tex (talk) 14:07, 24 June 2011 (UTC)

The entire SV/Cirt/Shell thread was forwarded to the arbcom-l mailing list at a later date (following a call for Shell's recusal in the related arbitration case).

As indicated above, it is believed that the immediate cause of the breach has been identified and prevented from further access. We are exploring options to avoid a similar recurrence. –xeno^talk 14:20, 24 June 2011 (UTC)

So what was the cause of the breach? Malleus Fatuorum 14:59, 24 June 2011 (UTC)

It is believed the cause was a breach of security (i.e. someone targeting an arbitrator's PC and/or email account). We intend to post a detailed statement in the near future. –xeno^talk 15:23, 24 June 2011 (UTC)

• As I pointed out to Sue Gardner in this message, there was an incident where a single Arb was contacted regarding an editor who was engaging in pro-paedophilia advocacy. That Arb did not act on the information and nothing was done until Arbcom in full were notified. I am concerned by the suggestion that editors should contact only a single Arbitrator as an effort to reduce the risk of these types of leaks. That course of action has been demonstrated to have other problems. (Gardner did not reply to my message and email, or my follow-up, incidentally.) Delicious carbuncle (talk) 00:28, 25 June 2011 (UTC)

Break - security

What's the status regarding functionaries-en? Is there anything to indicate that material from that list was also compromised? /ƒETCHCOMMS/ 18:34, 24 June 2011 (UTC)

It's likely that some or many email from that list were also in the compromised mail account. Whether the criminal who broke into it cared enough for those email (who are, in the end, much less superficially "interesting" than arbcom-l's) to download them before access was cut, we cannot say. I note that none seem to have been leaked, though that obviously shouldn't be taken as any sort of guarantee. — Coren ^(talk) 19:20, 24 June 2011 (UTC)

As an uninvolved (I hope!) observer, I'd hate for the ArbCom to throw out the baby with the bathwater, losing important communication systems and institutional memory. Perhaps the archive can be set with a daily limit and a notice could go to the email list every time the it's accessed. Whatever the right solution is, I hope the WMF takes this issue seriously enough to devote sufficient coding resources to provide security for the largest Wikimedia project.   Will Beback  talk  19:50, 24 June 2011 (UTC)

There are systematic problems to fix for which, indeed, there may be technological help available. Much of this would require a bit of coding and support from the foundation (I would, for instance, strongly suggest some sort of two-factor authentication before private data can be accessed, and a running log of such accesses).

By happenstance IT security is my specialty, so I've already spoken at length about stronger security mechanisms; but I'm going to work directly with the foundation to help put those mechanisms in place in the short term. If nothing else, this incident will have served to highlight the importance of doing so. — Coren ^(talk) 19:56, 24 June 2011 (UTC)

Re Xeno's recent email to me, which hasn't yet been leaked onto WR, I hope that you will not fall into the trap of security by obscurity, or avoid disclosing what actually happened here by deploying the silly beans argument. I am not at all happy about the situation this leak has put me in. Malleus Fatuorum 20:03, 24 June 2011 (UTC)

I actually know security, Malleus; you'll not find me arguing for security theater. Little of what happened could have been avoided the way things are currently set up; we've plugged the immediate hole, but unless we start taking security more seriously such things are going to happen again. Like I've said, I've already approached the Foundation to start working on a review and rebuild of the way we handle private data from the ground up.

I take what happened to you (and the other victims) very seriously, and I don't intend to let the matter rest until I can confidently say that another incident like this will not happen again. — Coren ^(talk) 20:15, 24 June 2011 (UTC)

• There are two separate issues here: the first is the personal IT security of individuals with access to non-public mailing lists, which we believe is what is at issue in this current event. We all know people who have taken all kinds of precautions and still wound up with hidden software in their computer; and this will always remain the most likely vector of attack.

  The second issue is the management of archiving of private mailing lists, and we have been working with WMF on this issue for some months now. Changes are already in progress for some private mailing lists which are affiliated in whole or in part with Arbcom. The biggest challenge is the Mailman software that is currently used by WMF: it is extremely inflexible when it comes to archiving. One either has archiving turned on or off, but there is no ability to set auto-destroy or to manually remove posts from the archives. Therefore, the only way to keep current archives that are in very active use is to also keep the archives that were created at the inception of the list. We have made what we believe is a strong case for WMF to consider other mailing list software specifically for private mailing lists (Mailman's archiving function is just fine for the public lists).

  We have also endorsed the principle of requiring two-step log-in for WMF-related private wikis, and I've been advised that the developers/sysadmins are currently looking at how this can be done, with a goal toward implementation. Risker (talk) 21:02, 24 June 2011 (UTC)

  • And how long will that take, given the glacial pace of Wikimedia development? Malleus Fatuorum 21:13, 24 June 2011 (UTC)
    • Fair question, Malleus. My understanding is that this has been established as a high priority by Erik Moeller, to whom the entire developer/sysadmin structure currently reports, with significant support from the other department heads, so I'm guessing it's moved fairly close to the top of the heap. I've been given to believe that it's not a particularly difficult fix, but I'm poorly acquainted with anything that technical so can't give you an honest assessment. My sense is we're talking days to weeks rather than the usual many weeks to months. Risker (talk) 21:25, 24 June 2011 (UTC)
      • So presumably the only safe thing to do in the interim is to assume that the ArbCom mailing list is not confidential? Malleus Fatuorum 21:32, 24 June 2011 (UTC)
        • Well, it's as confidential as emailing any mailing list to which a group of individuals are subscribed. From the feedback I am seeing from my fellow arbitrators, the majority of us have now taken additional precautions to secure the email addresses to which we subscribe to the list, and have changed passwords on all applicable accounts; however, there remains the reality that anyone can be hacked by someone determined to do so, just as any of us could have our wallets stolen no matter how many precautions we take, or our houses could be broken into regardless of all the fancy security systems we subscribe to. We can mitigate the risk, but it will never completely disappear. Risker (talk) 22:00, 24 June 2011 (UTC)

So as I said, the only safe thing to do is to assume that the ArbCom mailing list is not secure, and can never be secure. Malleus Fatuorum 22:06, 24 June 2011 (UTC)

• that should be pretty much assumed to be case with any system attached to the web yes.©Geni 23:09, 24 June 2011 (UTC)
  • So why the claim that it was secure, and why should anyone believe that it's now secure? Malleus Fatuorum 23:42, 24 June 2011 (UTC)
    • I don't follow such things closely; where was the claim made? The reality is there is no such thing as absolute security for anything held outside your own head (even there there there is active research to get at stuff). So really it boils down to degrees of security. Historically arbcom have mostly relied on most arbcom members not leaking stuff (kelly martin is the exception) and the list not being interesting enough for more than standard security measures to be needed.©Geni 23:55, 24 June 2011 (UTC)

On a related note, I urge everyone who views this thread to check LulzSec's leak of 62,000 email-password combinations and ensure that if your email address has been listed, immediately stop using the associated password. (But this is a little late, perhaps, as the list was released last week and has surely been plundered several times.) /ƒETCHCOMMS/ 21:16, 24 June 2011 (UTC)

The story so far

Yesterday, around 15h UTC, we were made aware by Malleus Fatuorum that an email exchange between him and Iridescent, which was forwarded to the Arbitration Committee had been leaked to an external website. The contents of the leaked email thread, which included comments that were restricted to the Arbitration Committee list itself, demonstrated that the leak necessarily came from someone who had access to (at least part of) the email archives or email box of a currently sitting arbitrator (or Jimmy Wales).

An investigation of the technical aspects of the leak have shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran, indicating that the person responsible for the leak was in control of that mail account. Given that it seemed highly improbable that Iridescent himself would have had the wherewithal to use a proxy computer in a foreign jurisdiction yet use a mail account directly associated with him, the scenario that the leak was a wilful act from Iridescent was not credible.

At that time, I emailed the list and arbitrator Risker directly (who is one of the arbitrators in technical control of the mailing lists and the secure wikis) that Iridescent's mail account was compromised, and that it should be immediately removed from all private lists and wikis. This was done shortly, thus ensuring that whoever was in control of Iridescent's email account would get no further access.

Simultaneously, we entered in contact with Iridescent through a different email account and verified that he was the correct person with private information that could not be found in any email archive. Once contact was established, Iridescent immediately changed all his passwords and all the email addresses associated with wiki accounts he has access to. At this time, Iridescent is still evaluating his personal computing security and has not yet been returned any access to private information.

Every arbitrator has since taken steps to reevaluate their own computer security by, among other things, changing their passwords or other credentials where appropriate, or turning on additional security features such as two-factor authentication where possible. While this offers no guarantees that all our accounts are secure, it greatly reduces the probability that more accounts are under external control.

Unfortunately, Iridescent's password to the Arbcom email archive was sent to him via the email address that was compromised, and it seems that the attacker used it to access it to leak at least one email thread from it. At this point, we must presume that all of Iridescent's email to and from that email address as well as an unknown fraction of the archive of the mailing list have been stolen by the attacker. Likewise, it is not possible to assess whether only Iridescent's Yahoo account has been compromised, or whether much or all of his computing resources were.

In the name of the Arbitration Committee, I offer our most profound apologies to everyone whose privacy has been breached by this criminal act. While our investigation is ongoing, and we hope to gather enough information to evaluate more precisely the extent of the intrusion, our focus will be on making the necessary systemic changes to prevent such an attack from succeeding in the future.

— Coren ^(talk) 21:08, 24 June 2011 (UTC)

That account is not strictly accurate, as I have never to my knowledge emailed the Arbitration Committee. What was made public was a series of emails I exchanged with Iridescent, which he apparently forwarded on to the committee. Malleus Fatuorum 21:16, 24 June 2011 (UTC)

I've tweaked it accordingly. I don't think it makes much difference in substance, though. — Coren ^(talk) 21:57, 24 June 2011 (UTC)

It may not, but it more accurately represents what happened. I did not, and have never, emailed anything to the Arbitration Committee. Malleus Fatuorum 22:02, 24 June 2011 (UTC)

Malleus

Coren's account above is correct to the best of my knowledge. I endorse the posts that have been made by Coren, Risker, and others. I will add only that upon learning of what had occurred, I immediately ruled out the possibility that Iridescent had intentionally leaked the material based on everything I know about him, even before I learned of the technical evidence demonstrating an external hack. Newyorkbrad (talk) 22:58, 24 June 2011 (UTC)

An external hack of what? This still needs some explanation. Malleus Fatuorum 23:46, 24 June 2011 (UTC)

An arbitrator's email account was compromised by an unknown third party. This third party then used the additional information gathered after gaining access to the email account, (the emails to that Arbitrator with the passwords to the archives, which would be necessary for the performance of their duties) to gather additional information. We're still trying to figure out how and by whom, but this incident has of course prompted all of us to review our own security and try to determine not only how this happened, and by whom, but how to prevent it from happening again. SirFozzie (talk) 23:52, 24 June 2011 (UTC)

And how was that done? No more beans bollocks please, just a little bit of honesty. Malleus Fatuorum 23:59, 24 June 2011 (UTC)

Malleus, how the hell could we know? Maybe the thief guessed Iridescent's password. Perhaps he has a keylogger on a computer that Iridescent has used, or he has compromised a router between him and Yahoo. Perhaps he is a Yahoo employee with enough access or a backdoor to compromise the accounts of arbitrary users. We almost certainly will never know how the account was compromised unless the miscreant steps forward and confesses. — Coren ^(talk) 01:13, 25 June 2011 (UTC)

Maybe the thief guessed Iridescent's password to what? And how do you explain the initial focus on me? Malleus Fatuorum 01:24, 25 June 2011 (UTC)

If I might mildly interject, I think this is an excellent question. As Captain Occam says somewhere below, it is often possible to figure out how an account was hacked and someone needs to do that figuring. At the least, simple questions like "was Iridescent's password guessable", do other arbcom members have secure passwords (minimum 10 characters with mixed uppercase, lowercase, digits, etc.) should be asked and answered. (I'm collapsing the gratuitous part of the discussion below.)--rgpk (comment) 14:03, 25 June 2011 (UTC)

Extended content

:A)Malleus: I'm sorry to be abrupt, but either you are missing bits of reading comprehension, OR you are deliberately being obtuse, but if you look up THREE LINES in a reply to one of your PREVIOUS questions, you would get the answer to "Password to what", and B) We're not the people who posted the information.. Only the person who is posting these emails can answer that question. We're not mind readers. (If we were, we'd conduct all Committee business via Telepathy, and there'd be no archives for them to raid). SirFozzie (talk) 02:06, 25 June 2011 (UTC) You're not being abrupt Fozzie, you're being a fucking wanker. Malleus Fatuorum 02:21, 25 June 2011 (UTC) Well that was called for. Or not. Shell babelfish 02:24, 25 June 2011 (UTC) So block me for telling the truth. I know how unpopular the truth is here. Malleus Fatuorum 02:45, 25 June 2011 (UTC) If you can't tell the difference between calling people names and the truth, why don't you go block yourself? Shell babelfish 03:11, 25 June 2011 (UTC) Are you really as dumb as you appear to be? Malleus Fatuorum 03:22, 25 June 2011 (UTC) Quite possibly, but opinions vary. How about you? Shell babelfish 03:32, 25 June 2011 (UTC) Why don't you undertake the most basic of investigations, which will tell you that I can't block anyone. Do you always pontificate from a position of ignorance? Malleus Fatuorum 04:27, 25 June 2011 (UTC) Shell, the last thing that's needed now from you is this kind of snark. SlimVirgin TALK|CONTRIBS 07:52, 25 June 2011 (UTC)

As someone who’s had online accounts belonging to me broken into in the past (not at Wikipedia; this happened before I joined) I don’t agree with the statement that it’s not possible to determine how Iridescent’s account was broken into unless the culprit reveals it. Other members of ArbCom probably won’t be able to determine this, but I don’t think it’s unreasonable to expect Iridescent to. It’s often possible for a person who’s been hacked to determine what method was used against them, and I’ve done this myself. Once a person has determined when they were first hacked (which in this case Iridescent could determine from her e-mail IP login history), they can next determine what vulnerabilities they were exposed to at around that time. I think that determining how a break-in was accomplished is an important part of preventing the problem from recurring in the future, because without an understanding of how it was done, you can never be certain that you’ve removed the vulnerability that made it possible. --Captain Occam (talk) 09:10, 25 June 2011 (UTC)

That's true, but may not be particularly helpful in this case. Everything we've seen so far suggests that this was a targeted compromise (in other words, that the attacker set out specifically to gain access the Committee's correspondence) rather than an opportunistic one; if that's the case, then it's quite possible that the underlying security breach took place days or weeks before the material was released, and that the attacker has had ample time to compromise any audit trails. Kirill ^{[talk] [prof]} 11:22, 25 June 2011 (UTC)

Even if the e-mails weren’t released until weeks after Iridescent’s account was broken into, isn’t it likely that Iridescent’s e-mail account would have been logged into by an unfamiliar IP address whenever the breach first took place? If the attacker didn’t even log into Iridescent’s e-mail account until a long time after obtaining the password, there would have been a possibility of Iridescent changing their password before the attacker could download any material from the mail archive. --Captain Occam (talk) 15:44, 25 June 2011 (UTC)

• See spear phishing. That's the most likely explanation. ArbCom should not hold forth their ability to keep correspondence confidential, nor should archives be kept past their immediate need. ArbCom does not have the benefit of a professional IT staff, and they are sufficiently numerous that there will always be at least one member to can be successfully victimized by social engineering. It would be regrettably if many years worth of confidential information were to suddenly surface on the open Internet. Hopefully ArbCom has been purging their archives regularly. Jehochman ^Talk 20:04, 26 June 2011 (UTC)

• Apparently not. SlimVirgin ^{TALK|CONTRIBS} 20:27, 26 June 2011 (UTC)

PGP

• Would the severity of this incident and the importance of confidentiality merit arbitrators adopting PGP for their email communications? --causa sui (talk) 23:43, 24 June 2011 (UTC)
  • I can't speak for the other arbs, but I think all options need to be considered. Of course, that means any further archives (which to some, is rather necessary for us to do our jobs, especially when we do clarifications or amendments of past decisions) would be useless. I'm not going to rule anything in or out, however.. we're taking a Soup to nuts review of our current situation, both personally, as a committee, and working with the WMF. SirFozzie (talk) 23:52, 24 June 2011 (UTC)
    • Has anyone actually used PGP for day-to-day conversations? I have, and found it to be pretty cumbersome. A simpler solution would be to move ALL conversations to a secured Wiki, and just turn on email notifications of changes. Jclemens (talk) 06:12, 25 June 2011 (UTC)
  • We're still assessing the situation, but preliminary findings appear to look very bleak. Encryption might well become the future way of securing email communications along with other long-term security measures, which the arbitrators will be discussing once the dust settles. - Mailer Diablo 23:57, 24 June 2011 (UTC)
    • Why do you say "preliminary findings appear to look very bleak"? Nothing of much consequence (no offense meant) has been leaked. Do you KNOW that the Arbcom email archive was downloaded? -- Seth Finkelstein (talk) 00:05, 25 June 2011 (UTC)
      • Know? Not as of yet. Is there inklings from what HAS been posted? Yes. SirFozzie (talk) 00:13, 25 June 2011 (UTC)
        • I'd say the opposite. The thread that pre-dated Iridescent being on the committee has been explained as having been forwarded later. I suppose the thing to do is to ask Iridescent if he was in the habit of keeping everything archived, or just saved a few threads once in a while. -- Seth Finkelstein (talk) 00:23, 25 June 2011 (UTC)

• Good to know that you're on top of it. I brought up PGP because aside from giving a second layer of security -- PGP-encrypted email is left encrypted in the inbox, requiring a hacker to guess an extremely strong password before he could read any archived mail -- it would have an important additional benefit: PGP would allow arbitrators to send identity-validated communications to prevent a more intelligent and destructive hacker from impersonating an arbitrator. That hasn't yet happened, but it should be on our minds as a very real and very, very dangerous disaster scenario. I'm sure you'll reach out to anyone you think can help you implement the security measures you choose. Good luck. Regards, --causa sui (talk) 23:59, 24 June 2011 (UTC)

• Non-repudiation is among the least important of the security aspects of messages. Impersonating an arb gets one very little, and of that "very little", almost none could not be quickly reversed when the mischief was discovered. The bigger issue is the account compromise itself, which could lead to... WP:BEANS. Jclemens (talk) 06:24, 25 June 2011 (UTC)

• Well then, whichever security concern you think is most important, I'll say PGP is an elegant solution to it and leave it at that. :-) --causa sui (talk) 16:52, 25 June 2011 (UTC)

Re: Malleus

Malleus's comment is actually quite significant. It adds weight to the theory that this material comes from Iridescent's email account, not the Arbcom web archive. While this cannot be established definitively, there has been no evidence that the crack will create Wikileaks - Wikipedia Edition. And there's so many people who would like to have their names ego-searched over the Arbcom archive that if the entire archive was available, I strongly suspect much more would be posted. If we get WikipediaLeaks, I'll be wrong, but again, I would say that at this time, the breach appears highly contained. -- Seth Finkelstein (talk) 23:55, 24 June 2011 (UTC)

• At this point, we are unable to guarantee that. - Mailer Diablo 00:22, 25 June 2011 (UTC)

• Seth, the password to the archives was emailed to Iridescent, so whoever had access to the account had access to the archives, unless we know that Iridescent did not keep a copy of the password in that account. Two things: (1) I seem to recall from the last leak that the ArbCom agreed to stop emailing passwords, though I may be misremembering, and I can't now find those threads. (2) Are the developers able to see which IP addresses have accessed the archives recently, using which password? SlimVirgin ^{TALK|CONTRIBS} 07:57, 25 June 2011 (UTC)

• As the leaker gained access to the archives, we have to assume that he downloaded them. Can the Committee tell us how far back the compromised archives go so we can judge the extent of the damage? SlimVirgin ^{TALK|CONTRIBS} 07:52, 25 June 2011 (UTC)
  • Mailman stores its archives as a single bundle; anyone who gains access to any part of the archive gains access to all of it. In the case of arbcom-l, this would include material going back to when the list was started (in 2004?); the archives have never been purged, although there have been repeated discussions about doing so. Kirill ^{[talk] [prof]} 11:16, 25 June 2011 (UTC)
    • Earlier, the kind of material posted suggested to me that the poster did not have much. Even if there was a message with an archive password, I wondered if that message had been found before the archive password was changed. As more material has been posted, I'm reconsidering my original skeptical view. I may have been too restrictive in thinking about what someone would likely do if they had a full dump. Ironically, I've still yet to see something that really puts ArbCom in a scandalous light (it may yet happen, but hasn't so far). -- Seth Finkelstein (talk) 19:15, 25 June 2011 (UTC)

Looking around WR (not pleasant), there are now multiple threads posting what appear to be hacked e-mails. All of these threads are started by someone calling him/herself Maliceaforethought. I would guess that's the screen name of the hacker. Does that name ring any bells? --Tryptofish (talk) 14:31, 25 June 2011 (UTC)

Other than the obvious one, you mean? I'm not aware of any obvious connections to anyone we know, although it's not that difficult to conceal that sort of thing.

At this point, it's not really certain whether the user in question is the attacker himself—the material may have been handed off, à la Wikileaks—or even whether this is the work of a single attacker or of a group. Kirill ^{[talk] [prof]} 14:38, 25 June 2011 (UTC)

Is this really a disaster?

Sure, it's embarrassing for the arbitrators and discomforting for those who have been in communication with them on this list, but in a whole of project sense, just how much damage can be done? Miss E. Lovetinkle (talk) 11:45, 25 June 2011 (UTC)

Our internal deliberations are not the main concern, in my opinion; as you suggest, their being published is more a cause for embarrassment than a real threat to the project. The larger issue is the various material (including evidence, complaints, requests for assistance, and so forth) submitted by other editors; in many cases, this correspondence includes personal information (real names, addresses, telephone numbers, ages) whose release could have negative consequences for editors and non-editors with no relation to the Committee.

I remain hopeful, however, that the individual or individuals in possession of the archives will maintain their focus on the Committee itself, and will refrain from gratuitously exposing the personal information of the many innocent people who've written to us over the years. Kirill ^{[talk] [prof]} 12:12, 25 June 2011 (UTC)

So why was this information never purged? Wasn't it absolutely inevitable that at one time or another it would be stolen and/or leaked? Why were people encouraged to write to ArbCom as if in confidence, when it was known that the probability of the information's remaining confidential would tend to zero over time?--Kotniski (talk) 13:32, 25 June 2011 (UTC)

It's not possible to purge as it's not part of the Mailman functionality: you can either have archives or not. Profoundly unsatisfactory but there you are.  Roger Davies ^talk 13:42, 25 June 2011 (UTC)

(edit conflict) There are several problems with purging the archives; some of these have been alluded to above, but to recap:

• The software used for operating the mailing lists does not allow either selective archiving or modification of the archives after the fact; either the entire archive is retained, in its original form, or no archiving is done at all.
• Numerous proposals have been made to disable archiving entirely, but have never achieved consensus; this is primarily because some level of records retention is necessary to process appeals (particularly repeat appeals), clarifications, and similar matters where examining the content of previous discussions is necessary. It has been suggested that the personal archives maintained by individual arbitrators could serve this institutional memory purpose without the need for a central archive; but there were concerns that (a) no single arbitrator or former arbitrator has archives covering the Committee's entire history, that (b) personal archives could potentially be tampered with in subtle ways, and there would be no "master" copy to compare against, and that (c) this would unduly rely on former arbitrators, many of whom might be inactive or unwilling to share archives.
• An alternative option that was considered was the selective retention of particular discussions in some shared space (e.g. on the arbitration wiki) and the deletion of the original archive. This is something that is currently being done with CheckUser records, but would be prohibitively time-consuming for arbcom-l due to the immense volume of the archives; and there have been security concerns with the arbitration wiki as well.

As far as inevitability is concerned, arbcom-l is not inherently any less secure than any other mailing list used by/for Wikimedia business. A determined attacker can eventually find a way to compromise a system of this sort—we'd need to disconnect it from the internet to truly make it secure—but the same is true of any online system. The only real way to ensure that private correspondence could never be leaked would be to prohibit the use of private correspondence in the first place; otherwise, any system open to remote access is potentially open to compromise. Kirill ^{[talk] [prof]} 13:57, 25 June 2011 (UTC)

But if you keep the information only for as long as it's needed, it's possible but unlikely that it will be leaked. If you keep it for ever, the only question is how much time will elapse before it inevitably is leaked. If the software you use doesn't allow you to discard old information, then you're using the wrong software. And if you know (from common sense and past experience) that the information people send to a given address is highly likely to be leaked, you should at the very least make sure people are aware of that fact before writing to that address. --Kotniski (talk) 14:31, 25 June 2011 (UTC)

Oh, we're well aware that Mailman is the wrong software; unfortunately, it's all that the WMF provides. We tried moving arbitration discussions to a non-WMF-hosted list at one point—thus the succession of "private" lists—but that was rather poorly received by the community, if you recall. Kirill ^{[talk] [prof]} 14:46, 25 June 2011 (UTC)

People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. Miss E. Lovetinkle (talk) 13:38, 25 June 2011 (UTC)

No it's not a requirement of ours but you'd be astonished what some people think is pertinant to tell us.  Roger Davies ^talk 13:42, 25 June 2011 (UTC)

Well given that I've just discovered where this stuff is being posted to, I think this might be a bit of a disaster. For you guys at any rate. Oh dear. There's some rancid stuff coming out. What the hell is the "functionaries" list? Apparently stuff from that is being released now. Miss E. Lovetinkle (talk) 13:46, 25 June 2011 (UTC)

• Is this a disaster? Looks like one to me. Off2riorob (talk) 13:36, 25 June 2011 (UTC)
  • Well, given that we're told that almost the same thing happened in the past and absolutely nothing was done to prevent a repetition, this episode would appear to have revealed ArbCom as an institution to be almost criminally incompetent. I'd say it's a good thing that more people are now aware of that fact. --Kotniski (talk) 14:24, 25 June 2011 (UTC)
    • The previous situation to which you refer was someone who had authorized access to the material releasing it in breach of trust. In this case, there was a breach of security - as could happen to any system connected to the Internet. –xeno^talk 14:29, 25 June 2011 (UTC)
      • So? The point remains that nothing was done to prevent or ameliorate a potential repetition, and people writing to the list were not warned that this was likely to happen. --Kotniski (talk) 14:34, 25 June 2011 (UTC)
        • As I recall that's not correct, Xeno. There have been leaks before from the ArbCom list or wiki to WR, and we were told at the time that someone had hacked into something. SlimVirgin ^{TALK|CONTRIBS} 15:25, 25 June 2011 (UTC)

You'll have to point me to that; they haven't been referenced yet in this discussion as far as I can tell. –xeno^talk 15:30, 25 June 2011 (UTC)

• You might be referring to the arbitration wiki vulnerabilities (e.g. being able to determine the presence of pages based on the error reported, etc.), which led to new security measures being implemented on that wiki. There were earlier leaks from arbcom-l (before the removal of former arbitrators from the list), but those were believed to be deliberate leaks rather than technical compromise. Kirill ^{[talk] [prof]} 15:33, 25 June 2011 (UTC)
  • I'm thinking in particular of email threads that were posted to WR about two particular editors. I don't want to name them here. My recollection of that is we were told the wiki had been hacked into, and there was talk then of changing the way passwords were generated or distributed. SlimVirgin ^{TALK|CONTRIBS} 15:36, 25 June 2011 (UTC)
    • I think we're talking about the same thing, then; but, as you mention, that was a compromise of the arbitration wiki, while the indication here is that the compromise is of an arbitrator's email account (and the subsequent use of materials found in that account to gain access to e.g. the mailing list archives). Kirill ^{[talk] [prof]} 15:41, 25 June 2011 (UTC)

• • • • As I noted above, arbcom-l is not inherently any more insecure than any other mailing list; it's simply that its contents are likely a higher-value target, and the leaks from it are more widely publicized. The same warning could just as legitimately be applied to any Wikimedia/Wikipedia list—or the private email of anyone involved in Wikipedia, for that matter. I'm assuming that people don't need a warning that "anything you post on the internet could potentially be exposed" when they go online? Kirill ^{[talk] [prof]} 14:43, 25 June 2011 (UTC)
        • You're just not getting it. I was assured by Iridescent that our correspondence would remain confidential, and it wasn't. The mailing list itself claimed to be confidential and it wasn't. But all I see here is empty bleating and no real explanation, and I've got no doubt that's the way it'll stay. What will it take to wake you guys up? Malleus Fatuorum 14:50, 25 June 2011 (UTC)

Quite. Until this all came out, the banner at the top of this page specifically invited people to send private material to this address. Despite you knowing that much material sent to the address had already been leaked, and that nothing had changed that would prevent the same thing happening again. The committee was effectively lying to the public in order to protect its own image.--Kotniski (talk) 14:56, 25 June 2011 (UTC)

• Presumably you're referring to our image of being a cabal and doing everything behind closed doors? Why in the world would we want to protect that, of all things? We'd much prefer it if we had a reputation for transparency.

  Having said that, our work does require us to handle some things in a non-public fashion—most of them incoming correspondence from people who would prefer that it not be published. The measures we took to safeguard our correspondence were those that were reasonable (i.e. did not pose an undue hardship on our work) and feasible (i.e. could be implemented given the very limited resources available—recall that the Committee has no funding with which to procure a more sophisticated security infrastructure). It is unfortunate that these measures were not sufficient to prevent a compromise; but that does not mean that they were not appropriate ones, given the applicable constraints. Kirill ^{[talk] [prof]} 15:16, 25 June 2011 (UTC)

  • You don't need funding to stop the continued distribution of old private e-mails to new recipients. You just need an ounce of common sense. I find it sick that arbitrators not only allowed this to happen, but are now pretending that they couldn't reasonably have done anything about it. This mailing list should never have been described as private, given the way it was managed. You guys had a serious duty to people; you failed in that duty - though I don't blame anyone personally, the excuses that have been presented are absolutely pathetic. (Not to mention the other issue, the apparent revelations about the way arbitrators have been discussing editors behind their backs.)--Kotniski (talk) 19:28, 26 June 2011 (UTC)

It's worth noting that in the European Union at least, data breaches of this kind can be and have been criminally prosecuted - not just the person responsible for the breach but the people or organisations who failed to secure the data in the first place. The arbitrators and the WMF need to be conscious that this is not just an embarrassment, this is potentially something for which they could face civil and criminal legal consequences as individuals and collectively. There needs to be a radical change to the way they handle private data. At the very least, the current archives need to be shut down and taken offline until there is a secure access system in place - and that needs to be signed off by outside specialists, not just Coren. Prioryman (talk) 14:40, 25 June 2011 (UTC)

• The focus on security misses an important point. A lot of this material shouldn't be posted and archived in the first place, because it's just Arbs gossiping about editors, barely related or entirely unrelated to arbitration. Yet every year more members are sent a password to access it, which is spreading the damage, even without the leaks. SlimVirgin ^{TALK|CONTRIBS} 15:31, 25 June 2011 (UTC)

• It's really quite shocking that it looks like Arbcom is using some kind of antique archives and sending the password out via e-mail. I swear, we have better security in place at the library where I work. Kirill's point about the lack of funding to set up better security is something that has to be resolved, immediately. A project of this size and importance demands it. --Diannaa (talk) 15:50, 25 June 2011 (UTC)
  • I suspect it's not so much a lack of funding, but an instutionalized lack of common sense - among arbitrators, among people at the WMF, and among us all, who tolerate a dispute-resolution and privacy-protection system that is obviously failing in so many different ways (partly because those two systems have been rolled into one).--Kotniski (talk) 19:34, 26 June 2011 (UTC)

• Obviously what happened was terrible and can't be defended. But I hope that this incident can spur a discussion of Arbcom's transparency. There was a lot of complaining from both sides in the Climate Change arbitration that Arbcom was excessively opaque, failed to give guidance to the parties, and that generally everything seemed to be happening behind closed doors, so to speak. Arbcom also needs to advise persons writing to it in the future, no matter what "security precautions" are put in place, that it cannot assure the confidentiality of emails to the arbitrators. ScottyBerg (talk) 16:21, 25 June 2011 (UTC)

Action plans

It seems there are an awful lot of leaks in the news this week ... I hope this is at the very least a wakeup call and I hope the ArbCom will keep the community updated on the status of any technical/security changes that will be occurring in the near future. /ƒETCHCOMMS/ 16:33, 25 June 2011 (UTC)

I can confirm that we are accelerating the action plans that we had in place to address the mailing list archives, as well as re-evaluating these plans based on the nature of this breach. –xeno^talk 16:45, 25 June 2011 (UTC)

So what was the nature of this breach? What exactly was hacked into? Iridescent's email account? Is that the claim? Malleus Fatuorum 17:14, 25 June 2011 (UTC)

Based on the information we have to date, yes, that appears to have been the case. Kirill ^{[talk] [prof]} 17:17, 25 June 2011 (UTC)

How confident are you that no other arbitrators' email accounts have been equally compromised? Malleus Fatuorum 17:20, 25 June 2011 (UTC)

It's difficult to prove a negative, obviously; but there has been no evidence that indicates any other compromise, and a number of arbitrators have implemented additional security measures (e.g. two-factor authentication) to reduce the risk of a similar compromise in the future. Kirill ^{[talk] [prof]} 17:23, 25 June 2011 (UTC)

The point though is that if you're wrong then this is nothing more than an irrelevant side show. Why would Iridescent have been the only arbitrator to have been targetted? Malleus Fatuorum 17:26, 25 June 2011 (UTC)

You are right that we can't rule anything out at this point - though as indicated by Coren above at #The story so far - the information that we do have available does suggest a breach of an arbitrator's email account that allowed the intruder or intruders to access nearly all of the arbitration-related mailman lists (and archives thereof). It is entirely possible that more than one arbitrator was targeted; all arbitrators have changed or will be changing all their Wikipedia-related passwords as a precaution and are taking further steps to secure their personal infrastructures. Moreover, any arbitrators who are inactive and have not confirmed that this has been done have been or will be removed from the mailing lists as a further precaution. –xeno^talk 17:30, 25 June 2011 (UTC)

Confirmed it how? From a compromised email account? Malleus Fatuorum 17:36, 25 June 2011 (UTC)

We have been verifying that the right people are in control of their email accounts via offline methods (voice-to-voice, and so forth). –xeno^talk 21:17, 25 June 2011 (UTC)

(edit conflict) I have no idea. It's possible that Iridescent was deliberately targeted for some reason, whether related to his security profile or something totally different; or that multiple arbitrators were targeted and Iridescent was simply the first one compromised; or even that the evidence we found of Iridescent's account being compromised was deliberately planted to conceal a completely different attack vector. Unfortunately, it's somewhat speculative unless we (and by "we" I mean the people looking at the audit trail, not necessarily the Committee) can find additional evidence to point in one direction or the other. Kirill ^{[talk] [prof]} 17:33, 25 June 2011 (UTC)

Malleus: One of the first things we did when we found out about the leaks is in general for all of us to look at our own security.. several of us use a service which maintains a log of IP addresses used to access those accounts (which is set to alert us should any unusual IP address access our accounts). The first thing I did, and I know that at least several other Arbs have done is to immediately change ALL our passwords (even for stuff not Wiki-related).. just in case. As Kirill says, however, it's hard to prove a negative. SirFozzie (talk) 17:41, 25 June 2011 (UTC)

This is probably just stating the obvious, but if the way the attacker gained access to Iridescent's (or anyone else's) e-mail account was by installing a keylogger on a computer they regularly use, changing all of their passwords isn't going to be enough to stop the problem. When my online accounts were broken into using this method years ago, the person attacking me was able to use the keylogger to re-record my password every time I changed it. --Captain Occam (talk) 19:27, 25 June 2011 (UTC)

Well, that too.. but I run Spybot S&D every few days already, so it was just a matter of bumping up the check here :/ SirFozzie (talk) 21:24, 25 June 2011 (UTC)

There are ways of hiding these programs so that virus scanners can’t detect them, using things like rootkits and hidden user accounts. (Which is what happened to me.) It all depends on how skilled and determined the attacker is. I wish I could give more specific advice about how to detect them in those cases, but it depends on the operating system and the method of attack that was used.

This is one of the reasons why I think it’s important for Iridescent to figure out how their e-mail account was broken into. When an attacker knows what they’re doing, these sorts of routine security measures like changing passwords and running virus scanners aren’t very effective, because they’re not all that difficult for a sophisticated attacker to anticipate and thwart. The only way to make sure a vulnerability has been closed is to determine exactly how the attacker got in, and make sure you’ve changed whatever it is that made it possible. --Captain Occam (talk) 23:05, 25 June 2011 (UTC)

The most obvious "action plan" would be for all Arbitrators and functionaries to be given @wikipedia.org mail accounts that are to be used only for "company business", and to configure those accounts carefully. OTOH, having read a good bit of the "leaks", perhaps a better solution might be to always talk in public, since everything I've seen seems to be about some people trying to manipulate other people, which isn't really such a great thing for the ideals that most people in this community seem to ascribe to. --SB_Johnny | ^talk 19:20, 25 June 2011 (UTC)

I've been reading too, and it's clear that a significant amount of the material clearly could not ever have been discussed in public (I already knew about some of it, but that's not quite the same thing.) I do take your point that private musings about public disputes can, and probably should, be reduced, but there is still a place for private discussion. And in addition, it's extremely hard to know where to draw the line; or to enforce such a line. Every time an arb says privately on the arb list "hey, you know that's just like that other guy SomeName who acted just like this two years ago", another arb has to say "you can't say that here" ? It's tricky. --Demiurge1000 (talk) 21:18, 25 June 2011 (UTC)

Very little of what's appeared so far is of genuine concern wrt privacy. It's not really even the case that the arbs themselves look all that bad, for the most part. It's more the outsiders who are mailing the list with material that seems to be aimed at making rather petty political gains that are being embarrassed here, and quite frankly I think that the committee would do better by themselves and by the project at large if they would strongly discourage that (and better yet, not spend time discussing it).

I don't see any reason to doubt that the arbitrators are in any way not acting in good faith and out of high ideals, but it's pretty clear that there's some unhealthy groupthink, and that groupthink is likely encouraged when non-arbitrators throw dirty laundry at them. --SB_Johnny | ^talk 11:32, 26 June 2011 (UTC)

"Very little of what's appeared so far is of genuine concern wrt privacy." What? I haven't even bothered reading more than a small fraction of the material that's appeared so far, and even offhand I can think of three separate instances of serious breaches of privacy that would be of great concern to the three people concerned. (I am not talking of things like people's private email addresses being exposed, although such people do still have every right to be annoyed.) So yes, some of what's appeared is very much of genuine concern wrt privacy.

And then of course there's all the material that hasn't appeared so far, but is assumed to be in the hands of the hacker. --Demiurge1000 (talk) 14:41, 26 June 2011 (UTC)

"The hacker" has been fairly selective in his leaking, and has made an open and straightforward effort to comply with The Review's privacy policy, which is aimed narrowly at preventing harm, rather than enabling bad behavior (which WP's policy does, if inadvertently). "The hacker" is doing things you don't like, but he's been more or less ethical about it so far. More will be coming out, of course. Give credit where credit is due, and look for the opportunity to learn from this. --SB_Johnny | ^talk 23:39, 26 June 2011 (UTC)

SG followup

First, I smell socks having fun on this page. Second, could an arb in contact with Iri please ascertain if he e-mailed me from yahoo on June 10? The answer to that question might point to the intruder. Thirdly, best wishes to Iri and Malleus, who has every right to be bugged as heck. Finally, I raised a very long time ago the issue that new arbs should not have access to archived info before their term, particularly in very sensitive cases. Because the entry bar to ArbCom was lowered by the RFC two years ago, and because new arbs can access old cases, I no longer write to ArbCom. SandyGeorgia (Talk) 23:46, 25 June 2011 (UTC)

Moved them

Just to let you know, WR moved all of the threads related to this into a subforum under bureaucracy. That's something at least, since they won't be Google-indexed now. Silverseren^C 01:27, 26 June 2011 (UTC)

More Material

Seeing the latest post of Malice is the stuff relating to Jossi from 2009.... This clearly goes further than simply Iri's or Chase Me accounts being compromised. This suggests Malice either had full access to everything and got a dump of it all or still has access to it all. The Resident Anthropologist (talk)•(contribs) 16:49, 26 June 2011 (UTC)

Yes, it appears the mail archives were compromised, which date back to July 2005. We're still not sure if Chase Me's account was hijacked - the blocking was done as a preventative measure, and we're trying to get in touch with him. PhilKnight (talk) 17:07, 26 June 2011 (UTC)

what about Panyd and has anyone tried her? The Resident Anthropologist (talk)•(contribs) 17:28, 26 June 2011 (UTC)

It appears from the section below that Chase me has been in contact with someone from ArbCom. RxS (talk) 19:53, 26 June 2011 (UTC)

It also appears that money changed hands at some point, regardless of where the data originated. Don't know what it means...RxS (talk) 02:20, 27 June 2011 (UTC)

Chase me ladies, I'm the Cavalry de-adminned

This issue is now addressed and permissions returned to Chase me ladies, I'm the Cavalry
The following discussion has been closed. Please do not modify it.
From what I've gathered, Iridescent is being blamed for this arbcom-l leak. It looks like Chase me ladies, I'm the Cavalry has had his on-wiki rights removed, though (and there doesn't seem to be any mention of him on this page). What's the story there? --MZMcBride (talk) 21:08, 25 June 2011 (UTC) Iridescent has not been blamed for this at all; the information we have is that there was a theft of information from his email account which in turn led to the archives being accessed. As we've pointed out several times, this can happen to even the most diligent of internet users, and Wikipedia has long recognized this; it just happens that this compromise was more dramatic than most. Once Iridescent is able to demonstrate that he's in control of his accounts, standard processes take effect. The account of Chase me ladies, I'm the Cavalry had all permissions removed because of unexpected editing activity at a time when he was not responding to contacts through other means, and has been done as a routine precautionary measure. Risker (talk) 21:20, 25 June 2011 (UTC) Does that include OTRS and the various mailing lists, as well as the checkuser, oversight and admin tools? Carcharoth (talk) 21:24, 25 June 2011 (UTC) Yes. –xenotalk 21:40, 25 June 2011 (UTC) Thank-you. I hope you hear from Chase me soon. May I ask if the already-being-discussed action plan you mentioned above (now being pushed forward), includes actually taking action when an arbitrator is inactive for weeks or months on end? I know from experience that it can be hard to push that sort of thing through, but arbs do need to keep their colleagues updated with what is going on, and for action to be taken when that doesn't happen. Carcharoth (talk) 21:48, 25 June 2011 (UTC) Ah, sorry. I wasn't really assigning much ... whatever to the blame. It would've been better to say "found responsible for," I suppose. That's what I intended, at least. Thanks for the clarification regarding Chase me. To answer Carcharoth: it appears that Iridescent's on-wiki accounts have not had any rights removed recently. --MZMcBride (talk) 21:38, 25 June 2011 (UTC) That's probably because it was possible to contact Iridescent through other means. The question I really wanted an answer to was whether it is possible to set up alerts for when a long-term inactive editor starts editing again. I noticed a couple of such editors editing again recently, but only by chance. Carcharoth (talk) 21:43, 25 June 2011 (UTC) Carcharoth, this was brought up during a discussion on WP:VPPRO which has continued in an RFC here. --Tothwolf (talk) 00:26, 26 June 2011 (UTC) No, I think you were assigning blame, MZMcBride, and I suspect many other people are as well. It's human nature to try to assign blame to someone that is known and identifiable even when the genuine cause of trouble is someone unknown, working for reasons that aren't immediately apparent. I've even had people suggest that this was a plot by the people running Wikipedia Review to attract readers since their forum was no longer a must-read, but I don't believe that to be true. Risker (talk) 22:01, 25 June 2011 (UTC) Well, it's perfectly possible to assign blame for a set of actions, even if those actions were accidental or even involuntary. The criminal justice system in most places has no difficulty doing so, at least. It appears that Iridescent is, in the strictest sense, to blame here. I've long respected her as an editor and continue to, but that doesn't shift the burden of responsibility, I don't think. Perhaps the blame wheel should be set to "Arbitration Committee" for a short period? --MZMcBride (talk) 22:08, 25 June 2011 (UTC) Oh my. This is truly sad. You truly must have your pound of flesh, and are taking it out of the easy target. The person to blame is the person who stole the information. I understand you're in communication with that person, MZM. Perhaps you should insist that they own up to their criminal behaviour and turn themselves in to the appropriate authorities. Risker (talk) 22:21, 25 June 2011 (UTC) Que? MZM knows who the attacker was? Georgewilliamherbert (talk) 22:41, 25 June 2011 (UTC) Y'all are being ridiculous. It is perfectly obvious that MZMcBride simply meant that the leak came from Iridescent's account, and that his use of the word "blame" had nothing to do with any intent. Risker, I'm not sure why you're getting so defensive about it, but you're out of line here with the lack of AGF'ing. (Addendum: especially if you know that MZMcBride is in contact with the leaker, and you know that the leaker is someone who is not Iridescent, then by the transitive property you ought to know what he meant. So I'm really not sure where Risker's coming from with all this.) ⇒SWATJester Son of the Defender 22:52, 25 June 2011 (UTC) I think her nose is out of joint because MZM was discussing how to build a database to dump all the checkuser-l files and CU results with the person who is posting all the material on WR. I for one don't blame her, myself.. SirFozzie (talk) 22:49, 25 June 2011 (UTC) Yes, to clarify: a Wikipedia Review user named MaliceAforethought has been leaking the arbcom-l archives. I responded to some of his posts. In general, I imagine most of the Arbitration Committee is pretty pissed (in the "angry" sense!) and annoyed at the moment. This was a huge (if not inevitable) leak. --MZMcBride (talk) 22:56, 25 June 2011 (UTC) (edit conflict) I was about to say that Chase me has been inactive since 28 February 2011, but I now see that the account began editing again yesterday. You could try asking on the user's talk page, but maybe wait and see whether more information emerges here first. From that log, the rights removal was at 19:22, 25 June 2011. The first edit after the months of inactivity was 08:47, 24 June 2011. Incidentally, is there an easy way to see when an inactive editor returns and starts editing again? It would be very useful in situations like this when someone has been inactive for a long period. Kudos to whoever noticed the return and took these precautionary measures. Carcharoth (talk) 21:23, 25 June 2011 (UTC) For administrators, you could watch the daily updates to WP:LOA/I. –xenotalk 23:03, 25 June 2011 (UTC) How does MZM know the emails came from Iri's account? Cool Hand Luke 23:13, 25 June 2011 (UTC) Good question - over to you MZM. Casliber (talk · contribs) 23:17, 25 June 2011 (UTC) Because I was the one to hack iri's account. Dun dun dun. --MZMcBride (talk) 23:38, 25 June 2011 (UTC) Given the circumstances, that is a possibly blockable comment MZM...but I am nonimpartial so wouldn't act upon it. Let's try again shall we? Casliber (talk · contribs) 23:46, 25 June 2011 (UTC) I think MZM is simply going off what was written above at #The story so far. –xenotalk 23:48, 25 June 2011 (UTC) Off with his head! Killiondude (talk) 23:50, 25 June 2011 (UTC) Oh dear. I'd hate to see my block log marred. Heaven help me. --MZMcBride (talk) 23:52, 25 June 2011 (UTC) Pray harder!!! Theo10011 (talk) 00:56, 26 June 2011 (UTC) So my point is, if MZM cannot prove the location of the breach, is it not prudent to cut all unspoken-for logins from the source of, say, the CU logs? I mean, MZM is currently discussing how such logs could be most gainfully published, but I am sure he can imagine the perspective of people who would be horrified by it. Yes? Cool Hand Luke 01:56, 26 June 2011 (UTC) Honestly; MZMcBride you are acting like a child right now; Risker you're not being a help now either. --Addihockey10 e-mail 19:35, 26 June 2011 (UTC) Note: Chase me ladies, I'm the Cavalry has now checked in and his identity has been verified. We're working now to get his global lock lifted. Risker (talk) 19:10, 26 June 2011 (UTC)

Privacy

In the RH__u case, many asked that all correspondence be made available.

WR's malicious publication of stolen correspondence shows the imprudence and callousness of that demand, which could have led to a death or serious injury.

Let us hope that WR remove the stolen correspondence ASAP, probably to reduce their liability.

Some commentators may wish to retract some of their statements and criticisms of ArbCom during the RH_u case. Sincerely,  Kiefer.Wolfowitz 23:29, 25 June 2011 (UTC)

I've been following this whole thing, and I think this would be as good a place as any to add my two cents. In the year or so that I've been active in this community, I've heard a lot of moaning about how ArbCom is an incompetent mess. Regardless of the merits of the decisions of individual cases, and even the process by which this batch of information was acquired, I think that the one thing that stands out to me is the sheer amount of crap (that refers to both quantity and quality) that must be decided behind the scenes. Obviously, I won't mention any specific cases/leaks, but certain situations just make me wonder how else they could have been resolved without...well... Anyway, I'm sure the Committee will take a lot of flak for certain things but, I guess that if you haven't been there, you don't know what it's like. Just something to remember -- Nolelover ^{Talk·Contribs} 00:09, 26 June 2011 (UTC)

ArbCom was correct in that decision, and I have no serious complaints about any decision I've reviewed. Emphatically,  Kiefer.Wolfowitz 00:13, 26 June 2011 (UTC)

Thank you both for your kind words. It means a lot to us right now. Jclemens (talk) 00:24, 26 June 2011 (UTC)

Agreed. Thanks. SirFozzie (talk) 00:57, 26 June 2011 (UTC)

1) To be fair, at the time, those who "asked that all correspondence be made available" could have no idea of what was going on behind the scenes.

2) Agreed, ArbCom does come out ahead here. Politically, I'd say it's got a major "sympathy backlash" benefit.

3) Life's complicated. Sometimes "National Security" really is about national security. Sometimes it's about covering up corruption. How do you tell beforehand?

-- Seth Finkelstein (talk) 01:43, 26 June 2011 (UTC)

Dear Seth,

A number of alarming statements were publicized on Wikipedia and cited (perhaps too much) during the discussion, as others noted at the time. These statements were denied by those mis-characterizing solidarity as paternalism (or mistaking the "hands-on imperative" for the categorical imperative ...). This episode needs to be remembered in future discussions of vulnerable persons, especially minors.

Nobody has claimed "national security" or denied life's complexity. Nobody has even alleged that this ArbCom has conducted "cover ups", so the relevance of your third point escapes me.  Kiefer.Wolfowitz 02:03, 26 June 2011 (UTC)

Sigh. I used the cliche "National Security" as a way of making the intended point distanced from current emotional issues. The idea is that when a person in power says "We are keeping this information confidential because of (national security, privacy, delicate personal matters, etc.), sometimes that is the truth, but sometimes it is an excuse. HOW CAN YOU TELL? A liar is always going to say that he or she is telling the truth and has someone's best interests at heart. So it doesn't help much to have an instance where people were shown to be telling the truth. The question is what one does when faced with a story. One can't always believe power, as then cover-ups will go uninvestigated. -- Seth Finkelstein (talk) 02:18, 26 June 2011 (UTC)

I replied at User_talk:Seth_Finkelstein#Economics_of_truth.  Kiefer.Wolfowitz 05:58, 26 June 2011 (UTC)

I'm old enough to remember Oliver North's surprise that the emails he thought he'd deleted weren't really gone after all. We're all old enough to remember Wikileaks. Emails aren't secure. Even diaries can be subpoenaed. Whatever we write, even our most personal thoughts, can turn up in public. The point being that no one should write an email, especially one that goes to a mailing list, which includes anything they'd be embarrassed to see made public. I suggest that ArbCom members should avoid using disparaging nicknames or making comments, even in "private" conversations. That said, in the little I've seen of the leaked documents the ArbCom seems to maintain their professionalism even when discussing problem users.   Will Beback  talk  04:49, 26 June 2011 (UTC)

My company basically says the same thing about e-mails. Even so, if someone has betrayed the trust of arbcom here and/or hacked into it, a few snippy comments are a small problem by comparison. ←Baseball Bugs ^{What's up, Doc?} carrots→ 05:05, 26 June 2011 (UTC)

Notification of this compromise to personal information

I think the discussions here are sufficient to conclude that the information that has been publicly leaked is genuine. There seem to be suggestions that still more information could have been accessed before the leak was plugged, so there may be more disclosures yet to come. Given that ArbCom receives private and personal information from editors and others, and may be privy to private information related to Wikipedia (alternate accounts, real names, email addresses, etc), it seems that it is incumbent on ArbCom and/or the WMF to alert editors that their personal information may be or may already have been revealed. I don't mean this in a legal sense, although I am not certain that the privacy laws of some countries would not come into play in this instance. The have been several high-profile data breaches recently and one of the lessons that should have been learned from those incidents is that it is important to alert users quickly to allow them to take whatever steps are necessary to protect their privacy and security.

Now that the barn door is locked and the horses bolted, it may be wise to let some people know that those unsightly horses that they thought were safely hidden away may be popping up in public places soon. At the very least, I would have hoped that there would have been a site-wide announcement by now. It should be fairly easy to send out a message to every account that has emailed ArbCom to let them know that those emails may soon become public. Legal issues aside, I think the WMF has a responsibility to minimize the damage that this leak may cause others. Delicious carbuncle (talk) 15:35, 26 June 2011 (UTC)

Click the "Reply to all" option in the Email sever? The Resident Anthropologist (talk)•(contribs) 17:34, 26 June 2011 (UTC)

I have absolutely no doubt that information leaked so far is genuine. Malleus Fatuorum 22:09, 26 June 2011 (UTC)

A site-wide message might be overkill and mistargeted (in particular, affected people may not be editing now, or ignore an unspecific message). But I would agree that it would be prudent (if understandably painful) to notify people who have emailed to the list, that their emails may become public due to a data-breach. Though this sort of thing should be run by staff counsel for the particulars of the message, so a short delay for legal review would be understandable. -- Seth Finkelstein (talk) 23:58, 26 June 2011 (UTC)

I haven't done a side-by-side comparison, but I'm not aware of any discrepancies. A message for the ArbCom noticeboard has been drafted and is awaiting approval. PhilKnight (talk) 00:00, 27 June 2011 (UTC)

Indeed, my personal impression is that of what's been published, any editing that has been done has been to remove "the boring bits". The majority of Arbcom-L traffic is substantially more mundane than what's been posted, being routine "can the last two of you vote?" or "I agree with that wording" or "Someone besides me want to respond?" sorts of things. I've not read everything posted, but I haven't seen myself misquoted yet. Jclemens (talk) 02:29, 27 June 2011 (UTC)

The only thing I've noticed is a few missing headers which make it unclear who is saying what. –xeno^talk 02:35, 27 June 2011 (UTC)

Legal action

If/once the intruder is identified, could the WMF be pursuing legal action against the responsible party or parties? Or is this not a possibility at all? I'm not familiar with the relevant U.S. and state laws, but would the WMF even be an involved party in this, and is Geoff Brigham going to make any statement about this soon? /ƒETCHCOMMS/ 01:18, 27 June 2011 (UTC)

Fetchcomms brings up an important point. I may have missed it, but if the WMF General Counsel, Geoff Brigham, has not yet commented regarding this illegal action, then he should be asked to make a statement to inform the community regarding the WMF legal position regarding this matter. I also feel that ArbCom deserves praise and support during this stressful period. Jusdafax 01:56, 27 June 2011 (UTC)

WMF has made Geoff aware of the situation, and we've been told there's going to be a big meeting on Monday on how to proceed. Jclemens (talk) 02:25, 27 June 2011 (UTC)

I can confirm that Geoff is aware. Beyond that, I don't know much. Philippe Beaudette, Wikimedia Foundation (talk) 03:48, 27 June 2011 (UTC)

ArbCom deserves praise and support?! Amazing. They've failed in one of their two fundamental duties, despite having the benefit of one lot of hindsight; and they don't even seem to understand what they've done wrong (or even that they have done anything wrong). These guys doubtless mean well, but they were way out of their depth here, and the complete lack of contrition displayed here by some of the most long-standing arbs is (or would be, if it wasn't what we've come to expect) really astounding.--Kotniski (talk) 06:36, 27 June 2011 (UTC)

Anyone can be hacked these days, my friend, even the US Government and the biggest corporations in the world... Considering none of the ArbCom members make a dime off their stressful, time-consuming work, my statement stands. I don't know you, nor your history, but I find it doubtful you are a past member of ArbCom. Do you think it possible, on reflection, that moderation and the key WP concept of Agf might be the path of wisdom? To put it perhaps a bit more harshly, you comment is less than helpful, at best. Jusdafax 07:21, 27 June 2011 (UTC)

DMCA for emails?

Could one of you arbitrators issue a DMCA notice to Wikipedia Review? Nyttend (talk) 01:20, 27 June 2011 (UTC)

Does the Committee own the copyright? Or do the individuals who corresponded own copyright to the individual emails? In the first case, how did the committee acquire the copyright? In the second, wouldn't the individual senders be required to initiated the DMCA take downs? And then who gave the committee permission to archive the emails, and if the emails were licensed under terms open enough for the committee to archive and redistribute the emails, are you sure that Wikipedia review can't post them too? In the future, if an email is forwarded to the committee and the original sender DMCA's the committee, would the committee be willing to remove the email from the archives, would they even have the technical capability? Would DMCAing the emails attracted broader media attention? Would it do any good? The whole DMCA thing seems like an enormous can of worms that perhaps should go unopened. Monty₈₄₅ 01:34, 27 June 2011 (UTC)

I'm sure WMF is looking at all their options in this case. The Resident Anthropologist (talk)•(contribs) 01:37, 27 June 2011 (UTC)

• Attention all WR folks: About a million years ago, I Opposed one RfA based largely on the fact that the nominee was a WR regular. Many WR folks (some well-known and respected here) chimed in and said how valuable WR is. I was taken aback at the rush to defend WR. HERE IS YOUR CHANCE TO BE MATURE AND RESPONSIBLE. JUST DON'T LET ANYONE PUBLISH PRIVATE MATERIAL. delete immediately. Ban user who posts. That is the only adult thing to do, and the only ethical thing. All else is shameless, in the truest sense of the word. 'Nuff said.  – Ling.Nut 01:41, 27 June 2011 (UTC)

• That's just bollocks Ling.Nut. Malleus Fatuorum 01:53, 27 June 2011 (UTC)

Breaking my rule for not using humor on Wikipedia discussions: Oh, please, please, send a DMCA notice to Wikipedia Review. This whole dull, dreary, tawdry, mostly downright boring event, desperate needs some fireworks and popcorn. I can think of little that would liven it up better than the prospect of some good old fashioned CENSORSHIP flames, where everyone can smugly rant STREISAND EFFECT !!!. The media narrative desperately needs to be changed, from "Evil cracker breaks into confidential archives, yielding only painful personal material and showing people trying to handle very difficult issues with laudable sensitivity", to "Wikipedia administrators try to cover-up embarrassing revelations, using legal threats, but they will be defeated by the forces of freedom on the Internet - wiki-wikileaks forever!". Yes, yes, critics everywhere will thank you for this, do it now, bloggers are standing by. -- Seth Finkelstein (talk) 02:08, 27 June 2011 (UTC)

^ ResidentAntropologist 03:00, 27 June 2011 (UTC)

• [2]  – Ling.Nut 03:23, 27 June 2011 (UTC)

←Baseball Bugs ^{What's up, Doc?} carrots→ 03:43, 27 June 2011 (UTC)

 Dislike Eagles 24/7 (C) 05:59, 27 June 2011 (UTC)

Conformity to generally accepted standards for the security of private information

While it's literally true that no system is perfectly secure and anything connected to the internet could be hacked, such excuses miss the point entirely. No responsible financial institution or merchant would invite customers to submit non-public personal information such as credit card, bank account, or social security numbers via ordinary email or any other insecure form of online transmission. Secure websites utilizing Transport Layer Security or equivalent strong cryptography are a generally accepted means of handling information which requires privacy. Yet until recently, arbcom invited editors unfamiliar with proper security practices to send "any private material intended for the Committee's attention" to the arbcom mailing list. Compounding the problem, the "private material" thereby solicited was redistributed via insecure, unencrypted email, as were passwords giving access to arbcom's entire email archive since 2004. This was in no way necessary, since a secure messaging facility could have been added to the mediawiki interface, much as banks which allow online account access normally provide a secure mail feature for encrypted transmission of customer service requests. Distribution of such messages could have been confined to the secure arbcom wiki, to which access would be provided only using arbitrators' primary account passwords, eliminating the man-in-the-middle attack on password distribution. Suggestions that editors sufficiently naive to trust arbcom to provide a generally accepted level of information security deserve whatever fate befalls them are misplaced. The community should expect arbitrators to act in a responsible manner worthy of the trust reposed in them. 71.131.18.216 (talk) 06:17, 27 June 2011 (UTC)

While your suggestions are interesting and reflect some knowledge of information security theory and practice, there is absolutely no indication that transport security was at issue here. Likewise, I'm not sure how retrieving a stored password from a mailbox constitutes a MITM attack. Indeed, if the issue wasn't with stored email, in mailbox or archived format, then the leak has been going on for quite some time indeed. Jclemens (talk) 06:39, 27 June 2011 (UTC)

We obviously don't know exactly how this particular security breach occurred. What's certain is that the attacker could have retrieved Iridescent's password when arbcom emailed it to him in plaintext format, then waited until now to publish the stolen material to throw investigators off the trail. The other salient possibility is that Iridescent's computer was one of all too many improperly secured Windows installations, making it easy to hack and install a keylogger. Financial institutions that handle private information don't make this mistake either. Even with hackers highly motivated by the prospect of stealing thousands of credit card numbers, such breaches are relatively rare, since banks normally have professional IT staff to secure their servers. Since the WMF also employs such personnel, it would be advisable to have them instruct arbitrators, checkusers, etc, in the correct way to secure their computers. Hacking a system with a clean operating system installation, an effective firewall, and good anti-virus software is probably sufficiently difficult to be beyond the capabilities of "MaliceAforethought". While using security tokens to augment the password protection provided on the arbcom wiki almost certainly would have prevented this problem, much more could have and can still be done without requiring two-factor authentication. Security of private information online has been a studied problem in e-commerce for over a decade. It's time for arbcom to utilize some of the solutions developed, instead of relying on plaintext content and password distribution to arbitrators' computers which the WMF has made no effort to secure. 71.131.18.216 (talk) 07:26, 27 June 2011 (UTC)