Re: [Wikimedia-l] Fwd: [Publicpolicy] Update on FISA 702 reauthorization

2018-01-21 Thread Craig Franklin
I think, as Geni says, that even that isn't going to provide any effective
barrier.  If the NSA or other US Government spooks want to get into the
servers, they will, regardless of what hardware it's running on, what
software it uses, or what jurisdiction it is located in.  Anything that the
Foundation does to "protect" itself is just going to be security theatre.
Anyone doing anything that the current or future American administrations
might object to should keep that in mind.  I assume that every place I go
on the Internet is already compromised and act accordingly.

Cheers,
Craig

On 21 January 2018 at 19:13, Yaroslav Blanter wrote:

> What about moving to another country? Still not an option?
>
> Cheers
> Yaroslav
>
> On Sun, Jan 21, 2018 at 8:38 AM, Lodewijk wrote:
>
> > 1) still don't see the relevance. If better technology is needed, it's
> > needed - that should be independent of any lobbying preferences. It looks
> > like you're just pushing tangents again.
> >
> > 2) You do realize that the FTC and the FEC are very different
> > organizations? But again, it seems you just used this statement as an
> > opportunity to push a tangent.
> >
> > Please don't do that.
> >
> > Thanks,
> > Lodewijk
> >
> > On Sat, Jan 20, 2018 at 2:43 PM, James Salsman wrote:
> >
> > > > 1) I don't quite see how your question about servers and switches
> > > > relates to Stephen's statement. Could you explain for us mere mortals
> > > > how you link the two?
> > >
> > > The NSA surveillance which was reauthorized by Congress can not depend
> > > on eavesdropping alone with new HTTPS cyphers. It needs compromised
> > > hardware to work, such as has been included in Dell servers since the
> > > Foundation started purchasing them, and the design of which was
> > > overseen by the Foundation's CTO, who worked then at Intel. This
> > > provides us with the know-how, a teachable moment, and an excellent
> > > opportunity to specify and acquire replacement open source hardware
> > > which doesn't have the DEITYBOUNCE / System Management Mode OOB / iAMT
> > > and related backdoors.
> > >
> > > https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
> > >
> > > > 2) I somehow missed the commitment by the WMF to research "FEC
> > > > requirements of organized advocates for US political candidates" or
> > > > anything that suggests that the WMF may advocate for specific political
> > > > candidates (which seems a change of course that would be hard to sweep
> > > > under the rug). Could you quote?
> > >
> > > https://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Conflict_of_interest=prev=815460492#Note_from_Wikimedia_Legal
> > >
> > > https://en.wikipedia.org/wiki/User_talk:Slaporte_(WMF)#Research_topic_request
> > >
> > > ___
> > > Wikimedia-l mailing list, guidelines at:
> > > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
> > > https://meta.wikimedia.org/wiki/Wikimedia-l
> > > New messages to: Wikimedia-l@lists.wikimedia.org
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > >


Re: [Wikimedia-l] Fwd: [Publicpolicy] Update on FISA 702 reauthorization

2018-01-21 Thread geni
On 21 January 2018 at 12:56, James Salsman wrote:
> Do you think merely avoiding the most mass-produced and arguably
> widest backdoor is a step in the right direction?

Security through obscurity against state level actors? That is not
going to work. And yes I know you seem to think that exploits are
deliberate back-doors but that position requires an alarming degree of
faith in the competence of the average programmer.


> That they need not risk losing their prized exploit capabilities
> because they can't use them against open source hardware
> makes us safer or less safe than if they could use them but
> we spent less money?

Open source hardware is going to have exploits. From the POV of a
state level actor burning those exploits is cheap since pretty much no
one uses open source hardware. Thus the risk associated with
compromising someone using open source hardware is pretty low. For
someone using something more mainstream the risk is rather higher.
-- 
geni



Re: [Wikimedia-l] Fwd: [Publicpolicy] Update on FISA 702 reauthorization

2018-01-21 Thread James Salsman
> the WMF doesn't have the resources to prevent a
> state level actor from gaining access to its servers.

Do you think merely avoiding the most mass-produced and arguably
widest backdoor is a step in the right direction?

> Switching to little used, little supported and more expensive
> hardware simply weakens the WMF position even further
> since attackers no longer have to factor in the risk of burning
> a valuable exploit.

That they need not risk losing their prized exploit capabilities
because they can't use them against open source hardware
makes us safer or less safe than if they could use them but
we spent less money?

> What about moving to another country? Still not an option?

https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales/Archive_225#Wikimedia_can_become_fully_independent_of_any_legal_jurisdiction

> the FTC and the FEC are very different organizations?

They both impose speech and behavior restrictions on paid advocates
trying to push their products, services, or candidates. Those
restrictions govern what is legal in the US on Wikipedia pertaining to
COI issues.

Best regards,
Jim



Re: [Wikimedia-l] Fwd: [Publicpolicy] Update on FISA 702 reauthorization

2018-01-21 Thread Yaroslav Blanter
What about moving to another country? Still not an option?

Cheers
Yaroslav

On Sun, Jan 21, 2018 at 8:38 AM, Lodewijk wrote:

> 1) still don't see the relevance. If better technology is needed, it's
> needed - that should be independent of any lobbying preferences. It looks
> like you're just pushing tangents again.
>
> 2) You do realize that the FTC and the FEC are very different
> organizations? But again, it seems you just used this statement as an
> opportunity to push a tangent.
>
> Please don't do that.
>
> Thanks,
> Lodewijk
>
> On Sat, Jan 20, 2018 at 2:43 PM, James Salsman wrote:
>
> > > 1) I don't quite see how your question about servers and switches
> > > relates to Stephen's statement. Could you explain for us mere mortals
> > > how you link the two?
> >
> > The NSA surveillance which was reauthorized by Congress can not depend
> > on eavesdropping alone with new HTTPS cyphers. It needs compromised
> > hardware to work, such as has been included in Dell servers since the
> > Foundation started purchasing them, and the design of which was
> > overseen by the Foundation's CTO, who worked then at Intel. This
> > provides us with the know-how, a teachable moment, and an excellent
> > opportunity to specify and acquire replacement open source hardware
> > which doesn't have the DEITYBOUNCE / System Management Mode OOB / iAMT
> > and related backdoors.
> >
> > https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
> >
> > > 2) I somehow missed the commitment by the WMF to research "FEC
> > > requirements of organized advocates for US political candidates" or
> > > anything that suggests that the WMF may advocate for specific political
> > > candidates (which seems a change of course that would be hard to sweep
> > > under the rug). Could you quote?
> >
> > https://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Conflict_of_interest=prev=815460492#Note_from_Wikimedia_Legal
> >
> > https://en.wikipedia.org/wiki/User_talk:Slaporte_(WMF)#Research_topic_request
> >