It's great that the CTO position was filled.
The blog announcement's biography omitted these details:
"As Director for Security Initiatives for Intel’s Digital Enterprise Group [Victoria Coleman] was responsible for defining the company’s security technology roadmap and translating it to product delivery. During this time, she was instrumental in bringing Intel’s LaGrande Technology across the server processor and chipset product line. Victoria has also had roles as the Director of the Trusted Platform Laboratory and the Trust and Manageability Laboratory in Intel's Corporate Technology Group... In 1995 she authored the landmark UK Ministry of Defence DefStan 00-56 which created the legal framework for the safety of programmable electronic systems procurement by the MoD. In 2004, she founded the Cybersecurity Research Center on behalf of the U.S. Department of Homeland Security."
Source: http://www.potomacinstitute.org/fellows/2138-the-potomac-institute-welcomes-...
Is Victoria willing to comment on
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
and
https://en.wikipedia.org/w/index.php?title=User_talk:Jimbo_Wales/Archive_208...
please?
A similar thought crossed my mind regarding MediaWiki software. I believe that a number of USG agencies use MediaWiki, and that some of them use it for classified purposes. This is a bit of a two-edged sword; I imagine that they'd want to support the continued development of MediaWiki (which is good for us) but there would be interesting questions about whether they'd also want to introduce and/or keep open security vulnerabilities. I imagine that WMF considered Victoria's government affiliations carefully during the screening process, and I agree it would be nice to hear some clarifications about how WMF can ensure that any potential conflicts of interest are carefully managed.
My first instinct here is to welcome what looks like a person who's a good fit for the job. Victoria would be far from the only person in WMF and the Wikimedia community with ties to government agencies; I would treat this hire with a similar level of care regarding conflicts of interest as we would with any other appointment.
As a general practice, I would prefer declared and public potential conflicts of interests to undisclosed conflicts of interest, and I would suggest that someone being public with their affiliations and potential conflicts should be treated respectfully while keeping an open mind to the possibility that the conflicts may be manageable. In Victoria's case, I would encourage assuming good faith while asking appropriate questions; I feel that it's reasonable for the community to ask some questions to make sure that WMF did in fact consider these issues during the candidate selection process. Perhaps Victoria will have an office hour where the community can have a Q&A with her on these and many other questions that people are likely to have.
Regards,
Pine
On Wed, Nov 2, 2016 at 12:25 PM, James Salsman jsalsman@gmail.com wrote:
It's great that the CTO position was filled.
The blog announcement's biography omitted these details:
"As Director for Security Initiatives for Intel’s Digital Enterprise Group [Victoria Coleman] was responsible for defining the company’s security technology roadmap and translating it to product delivery. During this time, she was instrumental in bringing Intel’s LaGrande Technology across the server processor and chipset product line. Victoria has also had roles as the Director of the Trusted Platform Laboratory and the Trust and Manageability Laboratory in Intel's Corporate Technology Group... In 1995 she authored the landmark UK Ministry of Defence DefStan 00-56 which created the legal framework for the safety of programmable electronic systems procurement by the MoD. In 2004, she founded the Cybersecurity Research Center on behalf of the U.S. Department of Homeland Security."
Source: http://www.potomacinstitute.org/fellows/2138-the-potomac-institute-welcomes-senior-fellow-victoria-coleman-2
Is Victoria willing to comment on
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
and
https://en.wikipedia.org/w/index.php?title=User_talk:Jimbo_Wales/Archive_208&oldid=725820016#Massive_expansion_of_National_Security_Letters
please?
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Hoi,
There are two conflicting approaches to vulnerabilities known to "government"; vulnerabilities make government vulnerable and therefore they need to be handled properly in code. The other approach is that a vulnerability is a vector to attack.
When Mrs Coleman works for the WMF, it follows that when she learns privately about vulnerabilities, they will be fixed discreetly. I am happy with that. When she does not learn about vulnerabilities and does not know about them either, nothing is different for us. When she actively knows about vulnerabilities and vectors to attack MediaWiki and does not share it with developers to fix them, she has a clear conflict of interest and should seek another job.
For me a simple statement that she works for the Wikimedia Foundation and will do everything in her power to make MediaWiki as good as it gets suffices. Anything more will get us in paranoia territory, we should not go there.
Thanks,
GerardM
On 2 November 2016 at 20:53, Pine W wiki.pine@gmail.com wrote:
A similar thought crossed my mind regarding MediaWiki software. I believe that a number of USG agencies use MediaWiki, and that some of them use it for classified purposes. This is a bit of a two-edged sword; I imagine that they'd want to support the continued development of MediaWiki (which is good for us) but there would be interesting questions about whether they'd also want to introduce and/or keep open security vulnerabilities. I imagine that WMF considered Victoria's government affiliations carefully during the screening process, and I agree it would be nice to hear some clarifications about how WMF can ensure that any potential conflicts of interest are carefully managed.
My first instinct here is to welcome what looks like a person who's a good fit for the job. Victoria would be far from the only person in WMF and the Wikimedia community with ties to government agencies; I would treat this hire with a similar level of care regarding conflicts of interest as we would with any other appointment.
As a general practice, I would prefer declared and public potential conflicts of interests to undisclosed conflicts of interest, and I would suggest that someone being public with their affiliations and potential conflicts should be treated respectfully while keeping an open mind to the possibility that the conflicts may be manageable. In Victoria's case, I would encourage assuming good faith while asking appropriate questions; I feel that it's reasonable for the community to ask some questions to make sure that WMF did in fact consider these issues during the candidate selection process. Perhaps Victoria will have an office hour where the community can have a Q&A with her on these and many other questions that people are likely to have.
Regards,
Pine
Hi everyone,
Given Victoria’s many engagements over two decades, we weren’t able to list everything in the announcement itself.
I can assure you that we carefully considered all of Victoria’s past experience and, with her full support, vetted her background for areas of possible concern, as is standard with any new C-level hire. We overwhelmingly agree that Victoria’s diversity of experience, including her interest in security and innovation, make her a uniquely qualified candidate.
Victoria was explicit throughout the hiring process that she wanted to ensure we were completely and mutually confident in working together. As part of these conversations, she and I spoke at length about her government service and security expertise, and the general issues of security, vulnerabilities, disclosure, and due process. This is an area of personal passion for me - as some of you know, I spent time advocating on behalf of digital rights and user security before joining Wikimedia. We had a rich, informed conversation. I am confident Victoria’s values are Wikimedia’s values, and that we will work closely together in defending and strengthening the privacy and security of our platforms for our users.[1]
I believe in the importance of building a diverse team from a variety of backgrounds. Our community and our projects are possible because of the diversity of knowledge we have. Some of us will come from government, some from academia, some from advocacy, some from the private sector, others from elsewhere. Together, we’re stronger. Victoria's experience with public service, academia, security, and commercial platforms brings that diversity of knowledge, and I’m delighted she’ll be sharing it with us.
As for an office hour - it is a little premature for me to ask Victoria to commit to a date for this until she’s formally onboard and has had some orientation. However, office hours are generally a great way for people at the Foundation to get to know more about the communities, and vice versa. As leader of the Technology department, there will probably be many opportunities - potentially including office hours - where Victoria can engage with you on a variety of questions. If we schedule some formal ones, we will announce them here and through all the other normal channels - but please do bear with us. Sometimes it does take a little time to get one's bearings in a world as sprawling and complex as ours.
Katherine
[1] If you have further questions about Victoria’s work with the U.S. Department of Defense, it is/should soon be a matter of U.S. Congressional record. Her findings and recommendations will also be a matter of public record, as all government work should be. However, the U.S. Congress isn’t always the speediest of institutions, so we will also keep an eye on when they publish further information.
On Thu, Nov 3, 2016 at 2:37 AM, Gerard Meijssen gerard.meijssen@gmail.com wrote:
Hoi,
There are two conflicting approaches to vulnerabilities known to "government"; vulnerabilities make government vulnerable and therefore they need to be handled properly in code. The other approach is that a vulnerability is a vector to attack.
When Mrs Coleman works for the WMF, it follows that when she learns privately about vulnerabilities, they will be fixed discreetly. I am happy with that. When she does not learn about vulnerabilities and does not know about them either, nothing is different for us. When she actively knows about vulnerabilities and vectors to attack MediaWiki and does not share it with developers to fix them, she has a clear conflict of interest and should seek another job.
For me a simple statement that she works for the Wikimedia Foundation and will do everything in her power to make MediaWiki as good as it gets suffices. Anything more will get us in paranoia territory, we should not go there.
Thanks,
GerardM
Gerard Meijssen wrote:
There are two conflicting approaches to vulnerabilities known to "government"; vulnerabilities make government vulnerable and therefore they need to be handled properly in code. The other approach is that a vulnerability is a vector to attack....
Well, the general problem is that government authorities have been paying malware authors for vulnerabilities which are kept unpatched for surveillance, which means the malware authors have them too. This is vigorously denied even after repeated proof. Lesser issues are that the CALEA law puts constraints on SS7 which make it impossible to prevent things like caller ID spoofing, and the fact that SSL certificate authorities are equivalent to key escrow without perfect forward encryption, which really didn't exist until the RSA compromise was exposed.
The Foundation's main security problem at present is that all of the reader logs with IP addresses get shipped off to a lab at Stanford which is under NDA, but even if we had a perfect warrant canary, nobody would know if one of the Stanford lab members gets (or has already been given) a National Security Letter, or if Stanford IT gets a subpoena on convincing letterhead, or a phone call from Turkey wanting to deal with their political purge.
I think Victoria could be very close to the best possible CTO if and only if she is willing to address these issues openly, including the Dell PowerEdge DIETYBOUNCE issue. I have very high hopes.
Best regards,
Jim
Hi James,
On Thu, Nov 3, 2016 at 10:22 AM, James Salsman jsalsman@gmail.com wrote:
The Foundation's main security problem at present is that all of the reader logs with IP addresses get shipped off to a lab at Stanford which is under NDA,
Please create a task in phabricator for this if you have specifics and share the link here. I've talked to Research (my team), Security, and Analytics, and we are not aware of any reader logs being shipped out of the WMF servers.
Best,
Leila
--
Leila Zia
Senior Research Scientist
Wikimedia Foundation