On 2/18/14, Philip Neustrom philip@localwiki.org wrote:
The latest Snowden docs have some great screenshots of the NSA-internal MediaWiki installation Snowden is alleged to have obtained a lot of his material from:
https://firstlook.org/theintercept/article/2014/02/18/snowden-docs-reveal-co...
Looks like a static HTML dump, as a few of the external extension images haven't loaded.
The last details on their technical infrastructure indicated that Snowden used "web crawler" (love the quotes) software to obtain information from their internal wiki:
http://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-tool-to-best-nsa....
What's not mentioned in the NYT piece is that their MediaWiki instance likely didn't have any read-only ACLs set up, or if they did they were buggy (are any of the third-party ACL extensions good?) -- which was perhaps one reason why Snowden was able to access the entire site once he had any access at all?
"If you actually need fancy read restrictions to keep some of your own people from reading each others' writing, MediaWiki is not the right software for you." -brion.
..like, if you're a nation-state's intelligence agency, or something :P
I think it's fascinating that this technical decision[1] by the MediaWiki team long ago may have had such an impact on the world! And much more fascinating that the NSA folks may not have read the docs.
-Philip
http://www.mediawiki.org/wiki/Manual:Preventing_access#Restrict_viewing_of_c... _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I think its safe to say, that if the NSA wanted to design a secure ACL system for MediaWiki, they are more than capable of doing so. (That said, they also know enough that a system like mediawiki is inappropriate for keeping data with different levels of classification separate, and would either use separate wikis for different classification levels or a different tool).
Of course its hard to know what Snowden did and did not do (Especially when the reporting includes such useless nuggets like "But experts say they may well have been downloaded not by him but by the program acting on his behalf." which make you wonder if these reporters have ever used a computer). The coverage I've read so far seems to suggest that he had legitimate access to the data and didn't exploit implementation details of the security system (Well the technical implementation. Arguably he exploited implementation weaknesses in the social structure that made him a trusted entity in the system with no checks against mass downloading). But again, who knows what really happened.
--bawolff