[Wikimedia-l] PRISM

Marc A. Pelletier marc at uberbox.org
Tue Jun 11 14:41:07 UTC 2013 

On 06/11/2013 08:19 AM, Anthony wrote:
> Putting everything in a single database which can be accessed by a single
> developer is a choice.

It is, also, the only *reasonable* choice given the resources at our
disposal.

I've contracted with CSIS in the past and had the immense "pleasure" of
working with true MLS systems.  They are extraordinarily expensive, a
nightmare to maintain (the change request cycle necessarily works at the
scale of months), and requires about two to three times the staff to
manage (because the SA can't be the same person as the SO who can also
not be the one performing the actual operations; that's not counting
that MLS may partition things further if there are different authorities
involved).

The WMF protects itself not by partitioning roles and security domains,
but by making sure that as much of everything is transparent as is
possible, and with normal due diligence and care in selecting those
persons who have access to the rest.

Put another way: I can see at /least/ two dozen vectors for the NSA (or
whichever acronym agency you prefer) to get at every single octet under
WMF control without us being able to even know about it.  We purchase
and use off-the-shelf equipment, do not have to source to every bit of
firmware in our datacenters (let alone the ability to *audit* any of
it), our hardware is on premises we do not have physical control over,
and all our communications are transmitted over packet switched networks
constructed out of untrustable parts and under the control of
innumerable parties we have no control over.

Fixing any /one/ of those holes would cost tens of times our current
total operating budget, and would be essentially burned money unless
they were all closed -- which turns out to not be possible at all given
that we actually *want* the world-at-large to be able to, you know, use
our stuff?

There is nothing we can do about any of this beyond continuing to be
careful and trust in all the numerous employees and volunteer of the WMF
(most of whom are outside the US) to start yelling very loudly if
something fishy is going on.  So let's store the tinfoil hats and get
back to work, please?

-- Marc

More information about the Wikimedia-l mailing list