_ The ArbCom-L Leaks _ Hilarious security theater

Posted by: Vigilant

From here:
http://en.wikipedia.org/wiki/Wikipedia_talk:Arbitration_Committee#R.e._security_going_forward

"By this time, I think every arbitrator has wiped their hard drives and reinstalled their systems (or if they haven't, they should have, Jehochman is right that even top-of-the-line security software can miss things), so even a thorough forensic inspection of everyone's computer would be pointless."

Risker is so wrong on this, it's barely believable.

What has happened is that, if the leaker is a current ARBCOM member, they have buried all evidence (and even the possibility discussion) of whomever was the real leaker.

"Oh no, I formatted my drive as Risker recommended! No need to look here..."

One would think, that a group whose only product/project is an online database on a set of clustered servers would have true security professionals on staff before letting community volunteers have access, apparently unrestricted, to sensitive personal data.

Look at Sony, who was lax with hard security, and the extreme beatings that were administered in the press and blogs for their failure to safeguard customer data.

Shameful Wikimedia Foundation, just shameful.

Posted by: EricBarbour

That's how Arbcom rolls. That's how they've always rolled, apparently. Risker is just following in the footsteps of fellow liars and bullshitters.

It goes right back to the first Arbcom, installed by The Glorious Wales Himself, specifically to "settle disputes". They ended up spending far more time backpedaling, prevaricating, wikilawyering, and covering each other's asses than they actually did "settling disputes". If you don't believe me, look at their http://en.wikipedia.org/wiki/Wikipedia:Requests_for_arbitration/Theresa_knott_vs._Mr-Natural-Health. And in those early days, they at least got to the point quickly.

Go and look at any http://en.wikipedia.org/wiki/Wikipedia:Arbitration/Index/Cases, after 2005 especially. You see talk, talk, talk. Followed by a long list of votes on what Wikipedia is/isn't, what Wikipedia editors should do, what Arbcom is supposed to do (ha ha!), and assorted drivel. Which is bizarre, by the standards of most "courts of law" or similar adjudicative organizations--they typically don't put their reason for existing to a vote, on every bloody decision.

Then, if you're lucky, at the bottom of all that crap, you might find a "decision" somewhere. (A lot of Arb decisions just died and were closed, because someone gave up. No one has done a full exploration of the results of Arbcom decisions, yet. I bet that's partly because they would be embarrassed by the resulting revelations.)

Posted by: Zoloft

I will quote http://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Arbitration_Committee&diff=prev&oldid=437803646 here without further comment:

QUOTE

Wikipedia Review Tarpit

There may be another "confidential" archive containing personal or derogatory information about Wikipedia editors: the Wikipedia Review Tarpit, the 300 Club, and other confidential areas. It could be a problem waiting to happen, and one which would affect many of the same people as has the ArbCom leak. Perhaps people with accounts in both places who are concerned about respecting the privacy and human dignity of others could make similar efforts there. For example, it'd be helpful if admins there make sure that there isn't excessively personal information about editors in the confidential archives. Will Beback 02:24, 5 July 2011 (UTC)

Posted by: EricBarbour

QUOTE
There may be another "confidential" archive containing personal or derogatory information about Wikipedia editors: the Wikipedia Review Tarpit, the 300 Club, and other confidential areas. It could be a problem waiting to happen, and one which would affect many of the same people as has the ArbCom leak. Perhaps people with accounts in both places who are concerned about respecting the privacy and human dignity of others could make similar efforts there. For example, it'd be helpful if admins there make sure that there isn't excessively personal information about editors in the confidential archives. Will Beback 02:24, 5 July 2011 (UTC)

Yes, there is another confidential area, Mr. McWhiney.

Wouldn't you like to know what's going on in there, Mr. McWhiney.

Since when have you ever given a damn about "human dignity", Mr. McWhiney?

Posted by: Ottava

Something in the first post got me thinking: what is to keep the leaker from, say, dropping little hints to an Arbitrator that they might not like in order to try and get the paranoid to mob attack that individual? It would seem a perfect win - 1. expose ArbCom secrets, 2. embarrass the WMF, 3. get rid of an Arb, and 4. make everyone so paranoid that they are no longer able to operate effectively.

We don't really know the motivation behind getting the information or exposing it. The only way for the Arbitrators to combat the above would be to take a position of "who cares if it was exposed" and preempt future releases by putting up some info from the major cases not yet released. That would take the thunder out of a leaker. Instead, they seem to be falling into a situation that the first paragraph could take advantage of and really hurt some people.

Posted by: Herschelkrustofsky

QUOTE(EricBarbour @ Fri 8th July 2011, 1:21pm) *

QUOTE
There may be another "confidential" archive containing personal or derogatory information about Wikipedia editors: the Wikipedia Review Tarpit, the 300 Club, and other confidential areas. It could be a problem waiting to happen, and one which would affect many of the same people as has the ArbCom leak. Perhaps people with accounts in both places who are concerned about respecting the privacy and human dignity of others could make similar efforts there. For example, it'd be helpful if admins there make sure that there isn't excessively personal information about editors in the confidential archives. Will Beback 02:24, 5 July 2011 (UTC)

Yes, there is another confidential area, Mr. McWhiney.

Wouldn't you like to know what's going on in there, Mr. McWhiney.

Since when have you ever given a damn about "human dignity", Mr. McWhiney?


A more interesting question might be how Mr. McWhiney knows about the 300 Club. The simplest answer would be that he has an account here with over 300 posts. Or a buddy that does.

Posted by: SpiderAndWeb

Is it *that* hard to pull up the server logs and check which arbitrator username/password was used to pull the mailing list archives??

Posted by: the fieryangel

QUOTE(SpiderAndWeb @ Fri 8th July 2011, 8:36pm) *

Is it *that* hard to pull up the server logs and check which arbitrator username/password was used to pull the mailing list archives??


Apparently, yes.

Unbelievable as it may seem, they ARE as incompetent as we had imagined...

Posted by: Sololol

QUOTE(Ottava @ Fri 8th July 2011, 4:24pm) *

Something in the first post got me thinking: what is to keep the leaker from, say, dropping little hints to an Arbitrator that they might not like in order to try and get the paranoid to mob attack that individual? It would seem a perfect win - 1. expose ArbCom secrets, 2. embarrass the WMF, 3. get rid of an Arb, and 4. make everyone so paranoid that they are no longer able to operate effectively.

Good point, nothing is stopping them. They (or someone pretending to be them) may have tried/be trying to do this. I doubt Malice would bother as he doesn't seem interested in targeting a particular Arb. If he were he could easily paste together or even fabricate outrageous evidence.

QUOTE(the fieryangel @ Fri 8th July 2011, 4:46pm) *

Apparently, yes.

Unbelievable as it may seem, they ARE as incompetent as we had imagined...

I can only assume there were too many people accessing the archive to narrow down the candidates. Or they know whose account grabbed the archive but are keeping quiet to avoid further embarrassment. If I were the Arb who passed it to Malice I'd claim to my fellow Arbs I was hacked and ask them to keep quiet about it. If I were the other Arbs I'd engineer the leaker's resignation for other reasons to prevent more drama.

Posted by: EricBarbour

QUOTE(Herschelkrustofsky @ Fri 8th July 2011, 1:27pm) *
A more interesting question might be how Mr. McWhiney knows about the 300 Club. The simplest answer would be that he has an account here with over 300 posts. Or a buddy that does.

General consensus last year was that Matt Bisanz was leaking it to them. Probably a couple of other people doing it too.

QUOTE(Sololol @ Fri 8th July 2011, 1:57pm) *
If I were the Arb who passed it to Malice I'd claim to my fellow Arbs I was hacked and ask them to keep quiet about it. If I were the other Arbs I'd engineer the leaker's resignation for other reasons to prevent more drama.

Which points directly at Iridescent, again. I suspect that's a dry well (but don't quote me)....

Posted by: Vigilant

QUOTE(Ottava @ Fri 8th July 2011, 8:24pm) *

Something in the first post got me thinking: what is to keep the leaker from, say, dropping little hints to an Arbitrator that they might not like in order to try and get the paranoid to mob attack that individual? It would seem a perfect win - 1. expose ArbCom secrets, 2. embarrass the WMF, 3. get rid of an Arb, and 4. make everyone so paranoid that they are no longer able to operate effectively.

We don't really know the motivation behind getting the information or exposing it. The only way for the Arbitrators to combat the above would be to take a position of "who cares if it was exposed" and preempt future releases by putting up some info from the major cases not yet released. That would take the thunder out of a leaker. Instead, they seem to be falling into a situation that the first paragraph could take advantage of and really hurt some people.


Far too elaborate for reality.

Only someone with an overdeveloped sense of paranoia would come up with such a convoluted reasoning.

Am I getting through here?

Go write your dissertation.

Posted by: cyofee

QUOTE(Herschelkrustofsky @ Fri 8th July 2011, 10:27pm) *

A more interesting question might be how Mr. McWhiney knows about the 300 Club. The simplest answer would be that he has an account here with over 300 posts. Or a buddy that does.


I don't have the eponymous 300 posts nor any friends here but I've known of the 300 club for quite some time. I always thought it was almost public knowledge, along with the fact that there supposedly aren't any smoking guns hidden there.

Posted by: radek

QUOTE

It goes right back to the first Arbcom, installed by The Glorious Wales Himself, specifically to "settle disputes". They ended up spending far more time backpedaling, prevaricating, wikilawyering, and covering each other's asses than they actually did "settling disputes". If you don't believe me, look at their http://en.wikipedia.org/wiki/Wikipedia:Requests_for_arbitration/Theresa_knott_vs._Mr-Natural-Health. And in those early days, they at least got to the point quickly.


Heh. Now there are 3RR requests that are longer than that.

Also interesting that this was an "Alternative Medicine" case. Seven years later...

Posted by: Bielle

QUOTE(cyofee @ Sat 9th July 2011, 9:39am) *

I don't have the eponymous 300 posts nor any friends here but I've known of the 300 club for quite some time. I always thought it was almost public knowledge, along with the fact that there supposedly aren't any smoking guns hidden there.


You do now have 300 posts. :P

Posted by: gomi

QUOTE(Bielle @ Sat 9th July 2011, 9:31am) *
QUOTE(cyofee @ Sat 9th July 2011, 9:39am) *
I don't have the eponymous 300 posts nor any friends here but I've known of the 300 club for quite some time. I always thought it was almost public knowledge, along with the fact that there supposedly aren't any smoking guns hidden there.
You do now have 300 posts. :P

Merely having made 300 posts here on the Review has not for some time been sufficient for access to certain more restricted areas of the forum. One also must be trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent. :D

Posted by: powercorrupts

QUOTE(gomi @ Sat 9th July 2011, 6:57pm) *

QUOTE(Bielle @ Sat 9th July 2011, 9:31am) *
QUOTE(cyofee @ Sat 9th July 2011, 9:39am) *
I don't have the eponymous 300 posts nor any friends here but I've known of the 300 club for quite some time. I always thought it was almost public knowledge, along with the fact that there supposedly aren't any smoking guns hidden there.
You do now have 300 posts. :P

Merely having made 300 posts here on the Review has not for some time been sufficient for access to certain more restricted areas of the forum. One also must be trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent. :D


I wondered why I never got an invite to this 'exclusive club' Poetlister kindly pointed out to me via email ("I see you've not been invited"). Before then I must admit I'd never heard of it. It doesn't impress me though, so yak.gif

Posted by: gomi

QUOTE(powercorrupts @ Sat 9th July 2011, 11:24am) *
I wondered why I never got an invite to this 'exclusive club' Poetlister kindly pointed out to me via email ("I see you've not been invited"). Before then I must admit I'd never heard of it. It doesn't impress me though, so yak.gif

Yes, Poetlister is quite keen to get a peek in there, which was one of the proximate causes for the change in policy.

Posted by: powercorrupts

QUOTE(gomi @ Sat 9th July 2011, 7:27pm) *

QUOTE(powercorrupts @ Sat 9th July 2011, 11:24am) *
I wondered why I never got an invite to this 'exclusive club' Poetlister kindly pointed out to me via email ("I see you've not been invited"). Before then I must admit I'd never heard of it. It doesn't impress me though, so yak.gif

Yes, Poetlister is quite keen to get a peek in there, which was one of the proximate causes for the change in policy.


If I knew or thought more about it I'd have asked "how did you know?"! Pretty lax of me really - I was trying to suss him with various questions but managed to miss that one. There were a couple of emails in January though for some reason I gave him/her the benefit of the doubt and chatted as anyone would. Whatever anyone says, at that point I personally see what he did as the beginnings of genuine criminal behaviour, because he used that to try and get more personally 'involved' as another person, and it briefly worked. He became a lot less guarded though and tripped over himself pretty quickly - he sent me the picture of the girl a few months after to try and get back on track. I find it just amazing that people can excuse behaviour like that.

As for his accounts, do you have any idea who the 300 club one is? (presumably the older known ones by him are blocked). Actually - what is your policy on socking here? I can understand why most people are entitled to a WR account, as much as anything so you know who they are. But someone like PL is just never going to be able to stop himself from creating socks for one reason or other (which of course is why Abd is so ignorant on the matter).

Posted by: gomi

QUOTE(powercorrupts @ Sat 9th July 2011, 11:54am) *
Actually - what is your policy on socking here? I can understand why most people are entitled to a WR account, as much as anything so you know who they are.

Further discussion of this should probably go into WRR, but we strongly discourage multiple accounts, but we have very limited resources to actively prevent them. This is why we generally do not allow account creation from "free-mail" services like AOL, Yahoo, and Gmail. Multiple accounts do tend to be passively detected by the membership. We don't use the term "sock puppet" for our members, as a rule.

Posted by: It's the blimp, Frank

Has there ever been a serious problem with multiple accounts here, other than PoetGuy?

Posted by: melloden

QUOTE(gomi @ Sat 9th July 2011, 5:57pm) *

QUOTE(Bielle @ Sat 9th July 2011, 9:31am) *
QUOTE(cyofee @ Sat 9th July 2011, 9:39am) *
I don't have the eponymous 300 posts nor any friends here but I've known of the 300 club for quite some time. I always thought it was almost public knowledge, along with the fact that there supposedly aren't any smoking guns hidden there.
You do now have 300 posts. :P

Merely having made 300 posts here on the Review has not for some time been sufficient for access to certain more restricted areas of the forum. One also must be trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent. :D

You mean there isn't an additional $3.95 processing fee?

Posted by: Tarc

QUOTE(gomi @ Sat 9th July 2011, 1:57pm) *
One also must be trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent. :D


That must be why I have never heard of it. :)

Posted by: It's the blimp, Frank

QUOTE(gomi @ Sat 9th July 2011, 6:27pm) *

QUOTE(powercorrupts @ Sat 9th July 2011, 11:24am) *
I wondered why I never got an invite to this 'exclusive club' Poetlister kindly pointed out to me via email ("I see you've not been invited"). Before then I must admit I'd never heard of it. It doesn't impress me though, so yak.gif

Yes, Poetlister is quite keen to get a peek in there, which was one of the proximate causes for the change in policy.

What makes it different than the other forums?