subject:"Re\: \[Wikimedia\-l\] DEITYBOUNCE and reader logs \(was Re\: Introducing Victoria Coleman, WMF Chief Technology Officer\)"

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-11 Thread Dario Taraborelli

If you want to hear about the results of this research collaboration, or
have additional questions about the data collection approach or the
analysis, I invite you to come and join us at our upcoming showcase on
*Wednesday
11/16. *

https://lists.wikimedia.org/pipermail/analytics/2016-November/005504.html

On Tue, Nov 8, 2016 at 10:42 AM, Dario Taraborelli <
dtarabore...@wikimedia.org> wrote:

>
> On Tue, Nov 8, 2016 at 9:10 AM, James Salsman  wrote:
>
>> I assumed that when an affiliated researcher apart from Foundation
>> staff says, "we have the complete server logs for Wikipedia,"
>> amounting to 17 terabytes per month, that means they possess the
>> information. I am glad to be wrong about that, but I object to the
>> implication that such an assumption based on the plain language of
>> the statement could possibly be made in bad faith.
>>
>
> I am glad we cleared that confusion.
>
>
>> > the terms of our formal collaborations
>> > https://www.mediawiki.org/wiki/Wikimedia_Research/Formal_collaborations
>> > prohibit the sharing of any raw data containing PII (such as
>> > webrequest logs) outside of WMF operated servers,
>>
>> There is nothing on that page which suggests that prohibition.
>>
>
> You're correct that that document doesn't describe in detail the data
> access process. When we start a formal collaboration under an NDA, we have
> an onboarding process that gives researchers restricted access to our
> cluster, covers server access responsibilities and best practices around
> the handling of private data. I'll check with our Legal and Security team
> if we can better document this process.
>
>
>> > as well as the retention of any such data past our data retention
>> > period https://meta.wikimedia.org/wiki/Data_retention_guidelines
>>
>> That page says, "Information (including personal information)
>> collected through participation in a survey or other research
>> conducted by the Wikimedia Foundation will be retained indefinitely
>> for educational, development, or other related purposes, unless
>> otherwise indicated in the privacy policy or statement of such
>> survey or research."
>>
>
> This is for surveys requesting explicit (*opt in*) consent to collect and
> retain specific types of data (such as demographic information) from
> participants, not for data collected by default via our webrequest logs.
> Webrequest logs and instrumentation data is purged/sanitized by default
> within a the 90-day retention window, most often the data sits on our
> servers for a much shorter time and is removed in a shorter time frame.
>
>
>> https://meta.wikimedia.org/w/index.php?title=Talk:2016_Strat
>> egy/Draft_WMF_Strategy=15467086=15466763
>> says that the Foundation's standard research NDAs include an
>> "obligation to return or destroy any copies of confidential
>> information the individual may have upon request by WMF"
>>
>> Does that not imply that such copies are allowed in general?
>>
>
> IANAL so I can't comment on that but I believe this is a clause that's
> part of our NDA to avoid confidential information (not specifically PII) to
> be retained by third parties past the terms of the NDA.
>
>
>> I hope we can move forward to a solution to the general problem.
>>
>> Is there any legitimate research or any other need to save IP
>> addresses associated with HTTP GET web logs to disk prior to
>> creating a secure hash of them?
>>
>
> these are considerations that the analytics / ops team are best suited to
> answer, I encourage you to relay them to analytics-l if you want to have a
> more technical discussion.
>
> HTH,
> Dario
>
>


-- 

*Dario Taraborelli  *Head of Research, Wikimedia Foundation
wikimediafoundation.org • nitens.org • @readermeter

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-08 Thread Dario Taraborelli

On Tue, Nov 8, 2016 at 9:10 AM, James Salsman  wrote:

> I assumed that when an affiliated researcher apart from Foundation
> staff says, "we have the complete server logs for Wikipedia,"
> amounting to 17 terabytes per month, that means they possess the
> information. I am glad to be wrong about that, but I object to the
> implication that such an assumption based on the plain language of
> the statement could possibly be made in bad faith.
>

I am glad we cleared that confusion.

> > the terms of our formal collaborations
> > https://www.mediawiki.org/wiki/Wikimedia_Research/Formal_collaborations
> > prohibit the sharing of any raw data containing PII (such as
> > webrequest logs) outside of WMF operated servers,
>
> There is nothing on that page which suggests that prohibition.
>

You're correct that that document doesn't describe in detail the data
access process. When we start a formal collaboration under an NDA, we have
an onboarding process that gives researchers restricted access to our
cluster, covers server access responsibilities and best practices around
the handling of private data. I'll check with our Legal and Security team
if we can better document this process.

> > as well as the retention of any such data past our data retention
> > period https://meta.wikimedia.org/wiki/Data_retention_guidelines
>
> That page says, "Information (including personal information)
> collected through participation in a survey or other research
> conducted by the Wikimedia Foundation will be retained indefinitely
> for educational, development, or other related purposes, unless
> otherwise indicated in the privacy policy or statement of such
> survey or research."
>

This is for surveys requesting explicit (*opt in*) consent to collect and
retain specific types of data (such as demographic information) from
participants, not for data collected by default via our webrequest logs.
Webrequest logs and instrumentation data is purged/sanitized by default
within a the 90-day retention window, most often the data sits on our
servers for a much shorter time and is removed in a shorter time frame.

> https://meta.wikimedia.org/w/index.php?title=Talk:2016_
> Strategy/Draft_WMF_Strategy=15467086=15466763
> says that the Foundation's standard research NDAs include an
> "obligation to return or destroy any copies of confidential
> information the individual may have upon request by WMF"
>
> Does that not imply that such copies are allowed in general?
>

IANAL so I can't comment on that but I believe this is a clause that's part
of our NDA to avoid confidential information (not specifically PII) to be
retained by third parties past the terms of the NDA.

> I hope we can move forward to a solution to the general problem.
>
> Is there any legitimate research or any other need to save IP
> addresses associated with HTTP GET web logs to disk prior to
> creating a secure hash of them?
>

these are considerations that the analytics / ops team are best suited to
answer, I encourage you to relay them to analytics-l if you want to have a
more technical discussion.

HTH,
Dario
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-08 Thread James Salsman

Dario,

I assumed that when an affiliated researcher apart from Foundation
staff says, "we have the complete server logs for Wikipedia,"
amounting to 17 terabytes per month, that means they possess the
information. I am glad to be wrong about that, but I object to the
implication that such an assumption based on the plain language of
the statement could possibly be made in bad faith.

> the terms of our formal collaborations
> https://www.mediawiki.org/wiki/Wikimedia_Research/Formal_collaborations
> prohibit the sharing of any raw data containing PII (such as
> webrequest logs) outside of WMF operated servers,

There is nothing on that page which suggests that prohibition.

> as well as the retention of any such data past our data retention
> period https://meta.wikimedia.org/wiki/Data_retention_guidelines

That page says, "Information (including personal information)
collected through participation in a survey or other research
conducted by the Wikimedia Foundation will be retained indefinitely
for educational, development, or other related purposes, unless
otherwise indicated in the privacy policy or statement of such
survey or research."

https://meta.wikimedia.org/w/index.php?title=Talk:2016_Strategy/Draft_WMF_Strategy=15467086=15466763
says that the Foundation's standard research NDAs include an
"obligation to return or destroy any copies of confidential
information the individual may have upon request by WMF"

Does that not imply that such copies are allowed in general?

I hope we can move forward to a solution to the general problem.

Is there any legitimate research or any other need to save IP
addresses associated with HTTP GET web logs to disk prior to
creating a secure hash of them?

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-08 Thread Dario Taraborelli

Hi James,

> If this does not imply that the logs are copied from Foundation servers,
that is certainly advantageous over the apparent meaning of the language
used.

I am saddened to see that – instead of asking (legitimate) questions to
clarify how data is collected and shared – you are assuming bad faith,
publicly undermining people across multiple teams at Wikimedia – Security,
Legal, Analytics and Research – whose job is to protect the data the WMF
collects for a variety of research and operational purposes.

Let me briefly reinstate what Leila said earlier: the terms of our formal
collaborations

prohibit
the sharing of any raw data containing PII (such as webrequest logs)
outside of WMF operated servers, as well as the retention of any such data
past our data retention period
. If you have
any substantiated concerns about the collection, retention, or sharing of
data for the purpose of this or other projects, I invite you to follow
Leila's advice and file a request.

> But I question whether recording the personally identifying data in the
first place is wise.

Our privacy policy 
explains in detail what WMF considers PII and how we collect it. If you
have questions about the collection and retention of PII, please post them
here . All data that's
collected by the WMF is transparently documented on Wikitech
.

> I understand that there are currently two other university research 
> laboratories
which have similar access. Is that correct?

Current formal collaborations under an NDA are documented on this page

(see
also our FAQ on Meta ).
Specifics of data collection and analysis are described on the
corresponding project page.

Dario

On Tue, Nov 8, 2016 at 2:01 AM, Thyge  wrote:

> James Salsman wrote:
>
> >
> > If this does not imply that the logs are copied from Foundation
> > servers, that is certainly advantageous over the apparent meaning
> > of the language used.
>
>
> Reading the links you provided, and Robert West's acknowledgements which
> you did not link to, the above strikes me as being creation of drama as
> opposed to asking a question assuming good faith. Since Robert West had
> a Wikimedia Fellowship 1), I assume that he was able to analyze data from
> Wikipedia directly and that no transfer data outside of the WMF has taken
> place. I'm sure Leila Zia is able to clarify.
>
> Regards,
> Thyge - Sir48
>
> 1) https://www.mediawiki.org/wiki/Wikimedia_Research
> ___
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> 
>

-- 

*Dario Taraborelli  *Head of Research, Wikimedia Foundation
wikimediafoundation.org • nitens.org • @readermeter

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-08 Thread Thyge

James Salsman wrote:

>
> If this does not imply that the logs are copied from Foundation
> servers, that is certainly advantageous over the apparent meaning
> of the language used.

Reading the links you provided, and Robert West's acknowledgements which
you did not link to, the above strikes me as being creation of drama as
opposed to asking a question assuming good faith. Since Robert West had
a Wikimedia Fellowship 1), I assume that he was able to analyze data from
Wikipedia directly and that no transfer data outside of the WMF has taken
place. I'm sure Leila Zia is able to clarify.

Regards,
Thyge - Sir48

1) https://www.mediawiki.org/wiki/Wikimedia_Research
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-08 Thread James Salsman

Leila Zia wrote:
>... we are not aware of any reader logs being shipped out of the
> WMF servers.

Page 20 of http://infolab.stanford.edu/~west1/pubs/West_Dissertation-2016.pdf
says, "We have access to Wikimedia’s full server logs, containing all
HTTP requests to Wikimedia projects." Page 19 indicates that this
information includes the "IP address, proxy information, and user agent."

At https://youtu.be/jQ0NPhT-fsE=25m40s Dr. West says, "we have
the complete ... server logs from Wikipedia ... about 14 terabytes of
raw logs per month."

If this does not imply that the logs are copied from Foundation
servers, that is certainly advantageous over the apparent meaning
of the language used. But I question whether recording the personally
identifying data in the first place is wise.

I understand that there are currently two other university research
laboratories which have similar access. Is that correct?

Would anyone in the Foundation have any way to know whether any
of the researchers with access are subject to National Security
Letters, a subpoena from a US or foreign law enforcement agency,
or blackmail, extortion, or bribery, for that matter?

Is creating the MD5 has described on page 19 of Dr. West's
dissertation after filtering bots from the user agents and discarding
the IP address before ever storing the log files to disk an
appropriate solution to this problem?

Should SHA-512 be used instead of MD5?

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-07 Thread Pine W

Having looked at this situation further, I am glad to say that I did not
find any information in Victoria's background that I considered to be a red
flag.

However, I would appreciate hearing more from Victoria about her
involvement in "Total Information Awareness" [0] and similar programs, past
or present.

I would also appreciate it if the controversial email thread that was
referenced in the article that James linked [1] could be made public.

I'd like to respond to a comment that Katherine made. Katherine said,
"...Her findings and recommendations will also be a matter of public
record, as all government work should be." Please keep in mind that some
information is kept quiet with good reason in government and in other
industries and organizations, including WMF and the Wikimedia community. I
have pressed WMF repeatedly about transparency matters (particularly
regarding its financial expenses, which I believe should be much more
transparent), but even I agree that some information should be confidential.

Based on what I have learned so far, my inclination is to continue to
assume good faith of Victoria and WMF regarding this appointment while
hoping for responses to the queries above. I am glad to have a CTO, and I
am hopeful that all will be well. In my comments in this thread, I am
trying to balance the protection of the community with the wish to welcome
someone who might be an important "net positive" for us and a good fit for
the kind of public service that we do here.

Regards,

Pine

[0] https://en.wikipedia.org/wiki/Total_Information_Awareness
[1] http://www.nytimes.com/2002/ 
11/22/world/threats-responses- surveillance-terror-tracking-
agency-weighed-but-discarded- plan.html
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-07 Thread Leila Zia

Hi James,

On Thu, Nov 3, 2016 at 10:22 AM, James Salsman  wrote:


> The Foundation's main security problem at present is that all of the
> reader logs with IP addresses get shipped off to a lab at Stanford
> which is under NDA,
>

Please create a task in phabricator for this if you have specifics and
share the link here. I've talked to Research (my team), Security, and
Analytics, and we are not aware of any reader logs being shipped out of the
WMF servers.

Best,
Leila

--
Leila Zia
Senior Research Scientist
Wikimedia Foundation



> Best regards,
> Jim
>
> ___
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> 
>
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-06 Thread Gergő Tisza

On Thu, Nov 3, 2016 at 10:19 PM, James Salsman  wrote:
>
> Also I would like to know what "Orwellian philosophy" is
> http://link.springer.com/article/10.1007%2FBF01211002

From the paper (you can find download links with minimal effort): "*George
Orwell tells us of a language so crafted as not to allow the speakers to
think "bad thoughts", thus preventing them from challenging the
totalitarian nightmare of Oceania. This principle, although sinister when
applied to human discourse, is quite benign and we argue beneficial when
dealing with the design of complex artifacts such as real-time computing
systems whose deployment has safety-critical implications.*"

To the extent I understood (which is very limited, I only skimmed it), this
is more of a vague philosophical point which in practice boils down to
"keep the language simple". The technical part of the paper describes an
extension of the classic precondition/postcondition system of program
specification which adds timing information. It does not relate in any way
to surveillance.

(If you are further interested in Orwell's thoughts about the use of
language in politics, Wikipedia has some good articles:
https://en.wikipedia.org/wiki/Newspeak
https://en.wikipedia.org/wiki/Politics_and_the_English_Language )
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-04 Thread Pine W

James, thanks for bringing up that NYTimes article. Having taken a quick
look at it, it does raise some concerns but I would consider it a matter
worthy of further inquiry rather than a red flag. In Wikimedia we have our
own issues with trying to have an "open society" type atmosphere while
keeping a lid on sockpuppetry and other problematic behaviors, and if the
goal of that program was to keep bad-faith individuals out of what should
be highly secure systems then I would be more accepting than I would be if
the goal was to do large scale surveillance of Internet traffic. I would
consider it to be a big deal if someone applying for a WMF role was
involved in facilitating large-scale intrusive surveillance, whether in the
public or private sectors. The program described in that NYTimes link would
be problematic from my perspective, but a bit less so than some of the
other kinds of mass surveillance that have been implemented over the years
by both government and private-sector actors.

I have some other thoughts on this topic, including about Katherine's
comments, but I've got some other time-sensitive issues that I need to
address in the next few days. Hopefully I'll have a chance to comment on
other aspects of this thread by the end of Monday. Other people may want to
share their thoughts in the meantime.

Thanks for your vigilance,

Pine

On Thu, Nov 3, 2016 at 10:19 PM, James Salsman  wrote:

> Katherine Maher wrote:
> >
> >... If you have further questions about Victoria’s work with the U.S.
> > Department of Defense, it is/should soon be a matter of U.S.
> > Congressional record. Her findings and recommendations will also
> > be a matter of public record, as all government work should be.
> > However, the U.S. Congress isn’t always the speediest of
> > institutions, so we will also keep an eye on when they publish
> > further information.
>
> Well, it's in the New York Times under her maiden name:
>
> http://www.nytimes.com/2002/11/22/world/threats-responses-
> surveillance-terror-tracking-agency-weighed-but-discarded-plan.html
>
> "The Pentagon research agency that is exploring how to create a vast
> database of electronic transactions and analyze them for potential
> terrorist activity considered but rejected another surveillance idea:
> tagging Internet data with unique personal markers to make anonymous
> use of some parts of the Internet impossible
>
> "The plan, known as eDNA, called for developing a new version of the
> Internet that would include enclaves where it would be impossible to
> be anonymous while using the network
>
> "Darpa awarded a $60,000 contract to SRI International, a research
> concern based in Menlo Park, Calif., to investigate the concept. SRI
> then convened the workshop in August to evaluate its feasibility
>
> "The workshop was led by Mr. Blaze and Dr. Victoria Stavridou, an SRI
> computer scientist, one of those who had originally discussed the eDNA
> concept with Darpa officials
>
> "At one point, Mr. Blaze reported to the group that he had been
> ''fired'' by Dr. Stavridou, of SRI, from his appointed role of writing
> the report presenting that consensus.
>
> "In e-mail messages, several participants said they believed that Dr.
> Stavridou was hijacking the report and that the group's consensus
> would not be reported to Darpa
>
> "Dr. Stavridou told the other panelists, 'Darpa asked SRI to organize
> the meeting because they have a deep interest in technology for
> identifying network miscreants and revoking their network
> privileges.'"
>
> Also I would like to know what "Orwellian philosophy" is
> http://link.springer.com/article/10.1007%2FBF01211002
>
> ___
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> 
>
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-04 Thread Peter Southwood

https://en.wikipedia.org/wiki/Orwellian

The things that immediately spring to mind are:
Big brother is watching you,
All animals are equal, but some are more equal than others,
Newspeak
Cheers,
P

-Original Message-
From: Wikimedia-l [mailto:wikimedia-l-boun...@lists.wikimedia.org] On Behalf Of 
James Salsman
Sent: Friday, 04 November 2016 7:19 AM
To: Wikimedia Mailing List
Subject: Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing 
Victoria Coleman, WMF Chief Technology Officer)

Katherine Maher wrote:
>
>... If you have further questions about Victoria’s work with the U.S.
> Department of Defense, it is/should soon be a matter of U.S.
> Congressional record. Her findings and recommendations will also  be a 
>matter of public record, as all government work should be.
> However, the U.S. Congress isn’t always the speediest of  
>institutions, so we will also keep an eye on when they publish  further 
>information.

Well, it's in the New York Times under her maiden name:

http://www.nytimes.com/2002/11/22/world/threats-responses-surveillance-terror-tracking-agency-weighed-but-discarded-plan.html

"The Pentagon research agency that is exploring how to create a vast database 
of electronic transactions and analyze them for potential terrorist activity 
considered but rejected another surveillance idea:
tagging Internet data with unique personal markers to make anonymous use of 
some parts of the Internet impossible

"The plan, known as eDNA, called for developing a new version of the Internet 
that would include enclaves where it would be impossible to be anonymous while 
using the network

"Darpa awarded a $60,000 contract to SRI International, a research concern 
based in Menlo Park, Calif., to investigate the concept. SRI then convened the 
workshop in August to evaluate its feasibility

"The workshop was led by Mr. Blaze and Dr. Victoria Stavridou, an SRI computer 
scientist, one of those who had originally discussed the eDNA concept with 
Darpa officials

"At one point, Mr. Blaze reported to the group that he had been ''fired'' by 
Dr. Stavridou, of SRI, from his appointed role of writing the report presenting 
that consensus.

"In e-mail messages, several participants said they believed that Dr.
Stavridou was hijacking the report and that the group's consensus would not be 
reported to Darpa

"Dr. Stavridou told the other panelists, 'Darpa asked SRI to organize the 
meeting because they have a deep interest in technology for identifying network 
miscreants and revoking their network privileges.'"

Also I would like to know what "Orwellian philosophy" is
http://link.springer.com/article/10.1007%2FBF01211002

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
<mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>

-
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2016.0.7859 / Virus Database: 4664/13342 - Release Date: 11/03/16


___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
<mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-03 Thread James Salsman

Katherine Maher wrote:
>
>... If you have further questions about Victoria’s work with the U.S.
> Department of Defense, it is/should soon be a matter of U.S.
> Congressional record. Her findings and recommendations will also
> be a matter of public record, as all government work should be.
> However, the U.S. Congress isn’t always the speediest of
> institutions, so we will also keep an eye on when they publish
> further information.

Well, it's in the New York Times under her maiden name:

http://www.nytimes.com/2002/11/22/world/threats-responses-surveillance-terror-tracking-agency-weighed-but-discarded-plan.html

"The Pentagon research agency that is exploring how to create a vast
database of electronic transactions and analyze them for potential
terrorist activity considered but rejected another surveillance idea:
tagging Internet data with unique personal markers to make anonymous
use of some parts of the Internet impossible

"The plan, known as eDNA, called for developing a new version of the
Internet that would include enclaves where it would be impossible to
be anonymous while using the network

"Darpa awarded a $60,000 contract to SRI International, a research
concern based in Menlo Park, Calif., to investigate the concept. SRI
then convened the workshop in August to evaluate its feasibility

"The workshop was led by Mr. Blaze and Dr. Victoria Stavridou, an SRI
computer scientist, one of those who had originally discussed the eDNA
concept with Darpa officials

"At one point, Mr. Blaze reported to the group that he had been
''fired'' by Dr. Stavridou, of SRI, from his appointed role of writing
the report presenting that consensus.

"In e-mail messages, several participants said they believed that Dr.
Stavridou was hijacking the report and that the group's consensus
would not be reported to Darpa

"Dr. Stavridou told the other panelists, 'Darpa asked SRI to organize
the meeting because they have a deep interest in technology for
identifying network miscreants and revoking their network
privileges.'"

Also I would like to know what "Orwellian philosophy" is
http://link.springer.com/article/10.1007%2FBF01211002

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-03 Thread Katherine Maher

Hi everyone,

Given Victoria’s many engagements over two decades, we weren’t able to list
everything in the announcement itself.

I can assure you that we carefully considered all of Victoria’s past
experience and, with her full support, vetted her background for areas of
possible concern, as is standard with any new C-level hire. We
overwhelmingly agree that Victoria’s diversity of experience, including her
interest in security and innovation, make her a uniquely qualified
candidate.

Victoria was explicit throughout the hiring process that she wanted to
ensure we were completely and mutually confident in working together. As
part of these conversations, she and I spoke at length about her government
service and security expertise, and the general issues of security,
vulnerabilities, disclosure, and due process. This is an area of personal
passion for me - as some of you know, I spent time advocating on behalf of
digital rights and user security before joining Wikimedia. We had a rich,
informed conversation. I am confident Victoria’s values are Wikimedia’s
values, and that we will work closely together in defending and
strengthening the privacy and security of our platforms for our users.[1]

I believe in the importance of building a diverse team from a variety of
backgrounds. Our community and our projects are possible because of the
diversity of knowledge we have. Some of us will come from government, some
from academia, some from advocacy, some from the private sector, others
from elsewhere. Together, we’re stronger. Victoria's experience with public
service, academia, security, and commercial platforms brings that diversity
of knowledge, and I’m delighted she’ll be sharing it with us.

As for an office hour - it is a little premature for me to ask Victoria to
commit to a date for this until she’s formally onboard and has had some
orientation. However, office hours are generally a great way for people at
the Foundation to get to know more about the communities, and visa versa.
As leader of the Technology department, there will probably be many
opportunities - potentially including office hours - where Victoria can
engage with you on a variety of questions. If we schedule some formal ones,
we will announce them here and through all the other normal channels - but
please do bear with us. Sometimes it does take a little time to get one's
bearings in a world as sprawling and complex as ours.

Katherine

[1] If you have further questions about Victoria’s work with the U.S.
Department of Defense, it is/should soon be a matter of U.S. Congressional
record. Her findings and recommendations will also be a matter of public
record, as all government work should be. However, the U.S. Congress isn’t
always the speediest of institutions, so we will also keep an eye on when
they publish further information.

On Thu, Nov 3, 2016 at 2:37 AM, Gerard Meijssen 
wrote:

> Hoi,
> There are two conflicting approaches to vulnerabilities known to
> "government"; vulnerabilities make government vulnerable and therefore they
> need to be handled properly in code. The other approach is that a
> vulnerability is a vector to attack.
>
> When Mrs Coleman works for the WMF, it follows that when she learns
> privately about vulnerabilities, they will be fixed discreetly. I am happy
> with that. When she does not learn about vulnerabilities and does not know
> about them either, nothing is different for us. When she actively knows
> about vulnerabilities and vectors to attack MediaWiki and does not share it
> with developers to fix them, she has a clear conflict of interest and
> should seek another job.
>
> For me a simple statement that she works for the Wikimedia Foundation and
> will do everything in her power to make MediaWiki as good as it gets
> suffices. Anything more will get us in paranoia territory, we should not go
> there.
> Thanks,
>   GerardM
>
> On 2 November 2016 at 20:53, Pine W  wrote:
>
> > A similar thought crossed my mind regarding MediaWiki software. I believe
> > that a number of USG agencies use MediaWiki, and that some of them use it
> > for classified purposes. This is a bit of a two-edged sword; I imagine
> that
> > they'd want to support the continued development of MediaWiki (which is
> > good for us) but there would be interesting questions about whether
> they'd
> > also want to introduce and/or keep open security vulnerabilities. I
> imagine
> > that WMF considered Victoria's government affiliations carefully during
> the
> > screening process, and I agree it would be nice to hear some
> clarifications
> > about how WMF can ensure that any potential conflicts of interest are
> > carefully managed.
> >
> > My first instinct here is to welcome what looks like a person who's a
> good
> > fit for the job. Victoria would be far from the only person in WMF and
> the
> > Wikimedia community with ties to government agencies; I would treat this
> > hire with a

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-03 Thread James Salsman

Gerard Meijssen wrote:
>
> There are two conflicting approaches to vulnerabilities known
> to"government";  vulnerabilities make government vulnerable
> and therefore they need to be handled properly in code. The
> other approach is that a vulnerability is a vector to attack

Well, the general problem is that government authorities have been
paying malware authors for vulnerabilities which are kept unpatched
for surveillance, which means the malware authors have them too. This
is vigorously denied even after repeated proof. Lesser issues are that
the CALEA law puts constraints on SS7 which make it impossible to
prevent things like caller ID spoofing, and the fact that SSL
certificate authorities are equivalent to key escrow without perfect
forward encryption, which really didn't exist until the RSA compromise
was exposed.

The Foundation's main security problem at present is that all of the
reader logs with IP addresses get shipped off to a lab at Stanford
which is under NDA, but even if we had a perfect warrant canary,
nobody would know if one of the Stanford lab members gets (or has
already been given) a National Security Letter, or if Stanford IT gets
a subpoena on convincing letterhead, or a phone call from Turkey
wanting to deal with their political purge.

I think Victoria could be very close to the best possible CTO if and
only if she is willing to address these issues openly, including the
Dell PowerEdge DIETYBOUNCE issue. I have very high hopes.

Best regards,
Jim

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-03 Thread Gerard Meijssen

Hoi,
There are two conflicting approaches to vulnerabilities known to
"government"; vulnerabilities make government vulnerable and therefore they
need to be handled properly in code. The other approach is that a
vulnerability is a vector to attack.

When Mrs Coleman works for the WMF, it follows that when she learns
privately about vulnerabilities, they will be fixed discreetly. I am happy
with that. When she does not learn about vulnerabilities and does not know
about them either, nothing is different for us. When she actively knows
about vulnerabilities and vectors to attack MediaWiki and does not share it
with developers to fix them, she has a clear conflict of interest and
should seek another job.

For me a simple statement that she works for the Wikimedia Foundation and
will do everything in her power to make MediaWiki as good as it gets
suffices. Anything more will get us in paranoia territory, we should not go
there.
Thanks,
  GerardM

On 2 November 2016 at 20:53, Pine W  wrote:

> A similar thought crossed my mind regarding MediaWiki software. I believe
> that a number of USG agencies use MediaWiki, and that some of them use it
> for classified purposes. This is a bit of a two-edged sword; I imagine that
> they'd want to support the continued development of MediaWiki (which is
> good for us) but there would be interesting questions about whether they'd
> also want to introduce and/or keep open security vulnerabilities. I imagine
> that WMF considered Victoria's government affiliations carefully during the
> screening process, and I agree it would be nice to hear some clarifications
> about how WMF can ensure that any potential conflicts of interest are
> carefully managed.
>
> My first instinct here is to welcome what looks like a person who's a good
> fit for the job. Victoria would be far from the only person in WMF and the
> Wikimedia community with ties to government agencies; I would treat this
> hire with a similar level of care regarding conflicts of interest as we
> would with any other appointment.
>
> As a general practice, I would prefer declared and public potential
> conflicts of interests to undisclosed conflicts of interest, and I would
> suggest that someone being public with their affiliations and potential
> conflicts should be treated respectfully while keeping an open mind to the
> possibility that the conflicts may be manageable. In Victoria's case, I
> would encourage assuming good faith while asking appropriate questions; I
> feel that it's reasonable for the community to ask some questions to make
> sure that WMF did in fact consider these issues during the candidate
> selection process. Perhaps Victoria will have an office hour where the
> community can have a Q with her on these and many other questions that
> people are likely to have.
>
> Regards,
>
> Pine
>
> Pine
>
>
> On Wed, Nov 2, 2016 at 12:25 PM, James Salsman  wrote:
>
> > It's great that the CTO position was filled.
> >
> > The blog announcement's biography omitted these details:
> >
> > "As Director for Security Initiatives for Intel’s Digital Enterprise
> > Group [Victoria Coleman] was responsible for defining the company’s
> > security technology roadmap and translating it to product delivery.
> > During this time, she was instrumental in bringing Intel’s LaGrande
> > Technology across the server processor and chipset product line.
> > Victoria has also had roles as the Director of the Trusted Platform
> > Laboratory and the Trust and Manageability Laboratory in Intel's
> > Corporate Technology Group... In 1995 she authored the landmark UK
> > Ministry of Defence DefStan 00-56 which created the legal framework
> > for the safety of programmable electronic systems procurement by the
> > MoD . In 2004, she founded the Cybersecurity Research Center on behalf
> > of the U.S. Department of Homeland Security."
> >
> > Source: http://www.potomacinstitute.org/fellows/2138-the-potomac-
> > institute-welcomes-senior-fellow-victoria-coleman-2
> >
> > Is Victoria willing to comment on
> >
> > https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
> >
> > and
> >
> > https://en.wikipedia.org/w/index.php?title=User_talk:
> > Jimbo_Wales/Archive_208=725820016#Massive_expansion_
> > of_National_Security_Letters
> >
> > please?
> >
> > ___
> > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> > wiki/Mailing_lists/Guidelines
> > New messages to: Wikimedia-l@lists.wikimedia.org
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> > 
> ___
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

2016-11-02 Thread Pine W

A similar thought crossed my mind regarding MediaWiki software. I believe
that a number of USG agencies use MediaWiki, and that some of them use it
for classified purposes. This is a bit of a two-edged sword; I imagine that
they'd want to support the continued development of MediaWiki (which is
good for us) but there would be interesting questions about whether they'd
also want to introduce and/or keep open security vulnerabilities. I imagine
that WMF considered Victoria's government affiliations carefully during the
screening process, and I agree it would be nice to hear some clarifications
about how WMF can ensure that any potential conflicts of interest are
carefully managed.

My first instinct here is to welcome what looks like a person who's a good
fit for the job. Victoria would be far from the only person in WMF and the
Wikimedia community with ties to government agencies; I would treat this
hire with a similar level of care regarding conflicts of interest as we
would with any other appointment.

As a general practice, I would prefer declared and public potential
conflicts of interests to undisclosed conflicts of interest, and I would
suggest that someone being public with their affiliations and potential
conflicts should be treated respectfully while keeping an open mind to the
possibility that the conflicts may be manageable. In Victoria's case, I
would encourage assuming good faith while asking appropriate questions; I
feel that it's reasonable for the community to ask some questions to make
sure that WMF did in fact consider these issues during the candidate
selection process. Perhaps Victoria will have an office hour where the
community can have a Q with her on these and many other questions that
people are likely to have.

Regards,

Pine

Pine

On Wed, Nov 2, 2016 at 12:25 PM, James Salsman  wrote:

> It's great that the CTO position was filled.
>
> The blog announcement's biography omitted these details:
>
> "As Director for Security Initiatives for Intel’s Digital Enterprise
> Group [Victoria Coleman] was responsible for defining the company’s
> security technology roadmap and translating it to product delivery.
> During this time, she was instrumental in bringing Intel’s LaGrande
> Technology across the server processor and chipset product line.
> Victoria has also had roles as the Director of the Trusted Platform
> Laboratory and the Trust and Manageability Laboratory in Intel's
> Corporate Technology Group... In 1995 she authored the landmark UK
> Ministry of Defence DefStan 00-56 which created the legal framework
> for the safety of programmable electronic systems procurement by the
> MoD . In 2004, she founded the Cybersecurity Research Center on behalf
> of the U.S. Department of Homeland Security."
>
> Source: http://www.potomacinstitute.org/fellows/2138-the-potomac-
> institute-welcomes-senior-fellow-victoria-coleman-2
>
> Is Victoria willing to comment on
>
> https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
>
> and
>
> https://en.wikipedia.org/w/index.php?title=User_talk:
> Jimbo_Wales/Archive_208=725820016#Massive_expansion_
> of_National_Security_Letters
>
> please?
>
> ___
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> 
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

Re: [Wikimedia-l] DEITYBOUNCE and reader logs (was Re: Introducing Victoria Coleman, WMF Chief Technology Officer)

16 matches

Site Navigation

Mail list logo

Footer information