I agree with JP Béland: computer security obviously affects the Wikimedia users, but imho we shouldn’t do more than we can and should leave the responsibility for their own security to the users -- although we should contribute to decent security.
For the specific topic you brought up about 0-days, I’m personally not surprised; this type of market was revealed some time ago, see for instance http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/.
~ Seb35
On Tue, 20 Aug 2013 07:30:09 +0200, JP Béland lebo.beland@gmail.com wrote:
I'm not sure what your point is here. How exactly are readers of Wikimedia projects at risk here because of that story? Are you trying to say it is the Foundation's responsibility to protect the readers from the vulnerabilities of their operating systems?
JP Béland
2013/8/19 James Salsman jsalsman@gmail.com
While the trickling release of Edward Snowden's revelations from bad to worse in weekly incremental steps has been enormously effective in swaying public opinion, it has made formulating a meaningful response very difficult.
A few weeks ago we learned that the FBI has been purchasing personal computer operating system vulnerabilities from gray and black-hat hackers on the black market, often for several tens of thousands of dollars each, and leaving them unreported and thereby unpatched for use in future surveillance operations: http://blogs.wsj.com/digits/2013/08/01/how-the-fbi-hacks-criminal-suspects/
Unfortunately, this means that the vulnerabilities remain available to the criminal computer crime underground, affecting everyone including Foundation project readers and contributors alike.
Very recently a well respected group of researchers characterized this state of affairs as "preferable" to the complexity of additional surveillance network and systems infrastructure: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312107
This is a false dichotomy which directly places Foundation project readers and editors at risk, but does so along with virtually everyone else who uses personal computer or smartphone equipment. However, I think it is an important aspect to address because none of the other recent eavesdropping revelations put people at risk to organized computer crime, blackmail, and extortion in the same way.
Is there any reason to exclude action on a particular issue just because it affects everyone else along with our users?
_______________________________________________
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
That the FBI has been buying security vulnerability exploits on the black market for several tens of thousands of dollars each, leaving them unreported and unpatched for use in surveillance, is by far the worst of the privacy revelations of past months. Even the worst plausible NSA abuses from X-KEYSCORE queries specifically targeting Wikipedia editors and readers don't create the economic demand and exploit libraries opening everyone using any kind of a personal computer or smartphone up to blackmail and extortion by organized crime and exposure of all files and communications to anyone with sufficient ability to pay.
To the extent that the community and Foundation want to mount an effective response to the abuses exposed by the recent revelations, I am merely suggesting that we should focus on those which put our users at greatest risk.
On Tuesday, August 20, 2013, Seb35 wrote:
I agree with JP Béland: computer security obviously affects the Wikimedia users, but imho we shouldn’t do more than we can and should leave the responsibility for their own security to the users -- although we should contribute to decent security.
For the specific topic you brought up about 0-days, I’m personally not surprised; this type of market was revealed some time ago, see for instance http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/.
~ Seb35
On Tue, 20 Aug 2013 07:30:09 +0200, JP Béland lebo.beland@gmail.com wrote:
I'm not sure what your point is here. How exactly are readers of Wikimedia projects at risk here because of that story? Are you trying to say it is the Foundation's responsibility to protect the readers from the vulnerabilities of their operating systems?
JP Béland
2013/8/19 James Salsman jsalsman@gmail.com
While the trickling release of Edward Snowden's revelations from bad to worse in weekly incremental steps has been enormously effective in swaying public opinion, it has made formulating a meaningful response very difficult.
A few weeks ago we learned that the FBI has been purchasing personal computer operating system vulnerabilities from gray and black-hat hackers on the black market, often for several tens of thousands of dollars each, and leaving them unreported and thereby unpatched for use in future surveillance operations: http://blogs.wsj.com/digits/2013/08/01/how-the-fbi-hacks-criminal-suspects/
Unfortunately, this means that the vulnerabilities remain available to the criminal computer crime underground, affecting everyone including Foundation project readers and contributors alike.
Very recently a well respected group of researchers characterized this state of affairs as "preferable" to the complexity of additional surveillance network and systems infrastructure: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312107
This is a false dichotomy which directly places Foundation project readers and editors at risk, but does so along with virtually everyone else who uses personal computer or smartphone equipment. However, I think it is an important aspect to address because none of the other recent eavesdropping revelations put people at risk to organized computer crime, blackmail, and extortion in the same way.
Is there any reason to exclude action on a particular issue just because it affects everyone else along with our users?
_______________________________________________
Advocacy_Advisors mailing list
Advocacy_Advisors@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/advocacy_advisors
publicpolicy@lists.wikimedia.org