On Thu, Sep 5, 2013 at 6:44 PM, Dan Collins <[email protected]> wrote:
> At least OTRS and mailman belong inside our security "bubble" of control,
> where the only people with access are ops and they can be properly secured.
> The security risk of those applications potentially introducing an
> attacker to all our data is minimal compared to the much greater risk of
> placing our user names, passwords, email addresses, and highly private OTRS
> queues in the hands of a third party including all their technicians, not
> to mention their security practices that we have no control over.
>
> As for the other question. If the NSA sends a letter to WordPress then they
> can get the email address and IP of someone who posted a post or comment to
> our blog. Probably the password too. If we host it over SSL then there's no
> way for them to know even that a given user commented, and if we did SSL
> right (maybe in another ten years) no one would know whether an IP was anon
> browsing, a checkuser or oversight, or reading our highly sensitive OTRS
> queues.

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp

In which it is disclosed that, unsurprisingly, SSL poses no real challenge for the NSA.

In any case, I find it hard to imagine a plausible scenario in which the NSA would be interested in a commenter on the WMF blog. (My previous post in this thread was sarcastic, in case that was unclear).
