On 2/18/14, Philip Neustrom <philip(a)localwiki.org> wrote:
The latest Snowden docs have some great screenshots of
the NSA-internal
MediaWiki installation Snowden is alleged to have obtained a lot of his
material from:
https://firstlook.org/theintercept/article/2014/02/18/snowden-docs-reveal-c…
Looks like a static HTML dump, as a few of the external extension images
haven't loaded.
The last details on their technical infrastructure indicated that Snowden
used "web crawler" (love the quotes) software to obtain information from
their internal wiki:
http://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-tool-to-best-nsa…
What's not mentioned in the NYT piece is that their MediaWiki instance
likely didn't have any read-only ACLs set up, or if they did they were
buggy (are any of the third-party ACL extensions good?) -- which was
perhaps one reason why Snowden was able to access the entire site once he
had any access at all?
"If you actually need fancy read restrictions to keep some of your own
people from reading each others' writing, MediaWiki is not the right
software for you." -brion.
..like, if you're a nation-state's intelligence agency, or something :P
I think it's fascinating that this technical decision[1] by the MediaWiki
team long ago may have had such an impact on the world! And much more
fascinating that the NSA folks may not have read the docs.
-Philip
1.
http://www.mediawiki.org/wiki/Manual:Preventing_access#Restrict_viewing_of_…
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I think its safe to say, that if the NSA wanted to design a secure ACL
system for MediaWiki, they are more than capable of doing so. (That
said, they also know enough that a system like mediawiki is
inappropriate for keeping data with different levels of classification
separate, and would either use separate wikis for different
classification levels or a different tool).
Of course its hard to know what Snowden did and did not do (Especially
when the reporting includes such useless nuggets like "But experts say
they may well have been downloaded not by him but by the program
acting on his behalf." which make you wonder if these reporters have
ever used a computer). The coverage I've read so far seems to suggest
that he had legitimate access to the data and didn't exploit
implementation details of the security system (Well the technical
implementation. Arguably he exploited implementation weaknesses in the
social structure that made him a trusted entity in the system with no
checks against mass downloading). But again, who knows what really
happened.
--bawolff