[MediaWiki-l] Some Unanswered Questions


[MediaWiki-l] Some Unanswered Questions

Fred Bauder-2
We can guess, of course, and some of us are very good guessers, but here:

http://www.scientificamerican.com/article.cfm?id=5-basic-unknowns-nsa-black-hole-prism

Fred


_______________________________________________
MediaWiki-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: Some Unanswered Questions

Brion Vibber
Did you mean to post this on Wikimedia-l? Probably a bit offtopic for the
software list. :)

(And no, MediaWiki does not contain any NSA backdoors. But for all you
know, your server's BIOS might!)

-- brion


On Tue, Jun 11, 2013 at 11:20 AM, Fred Bauder <[hidden email]> wrote:

> We can guess, of course, and some of us are very good guessers, but here:
>
>
> http://www.scientificamerican.com/article.cfm?id=5-basic-unknowns-nsa-black-hole-prism
>
> Fred
>
>

Re: Some Unanswered Questions

Petr Bena
Of course there is no backdoor for CIA, nor NSA.

Everybody knows mediawiki is controlled by KGB

On Tue, Jun 11, 2013 at 8:34 PM, Brion Vibber <[hidden email]> wrote:

> Did you mean to post this on Wikimedia-l? Probably a bit offtopic for the
> software list. :)
>
> (And no, MediaWiki does not contain any NSA backdoors. But for all you
> know, your server's BIOS might!)
>
> -- brion
>
>
> On Tue, Jun 11, 2013 at 11:20 AM, Fred Bauder <[hidden email]> wrote:
>
>> We can guess, of course, and some of us are very good guessers, but here:
>>
>>
>> http://www.scientificamerican.com/article.cfm?id=5-basic-unknowns-nsa-black-hole-prism
>>
>> Fred
>>
>>

Re: Some Unanswered Questions

Chad
In reply to this post by Brion Vibber
Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak
something in would break history and likely get noticed.

-Chad
On Jun 11, 2013 2:34 PM, "Brion Vibber" <[hidden email]> wrote:

> Did you mean to post this on Wikimedia-l? Probably a bit offtopic for the
> software list. :)
>
> (And no, MediaWiki does not contain any NSA backdoors. But for all you
> know, your server's BIOS might!)
>
> -- brion
>
>
> On Tue, Jun 11, 2013 at 11:20 AM, Fred Bauder <[hidden email]> wrote:
>
> > We can guess, of course, and some of us are very good guessers, but here:
> >
> >
> > http://www.scientificamerican.com/article.cfm?id=5-basic-unknowns-nsa-black-hole-prism
> >
> > Fred
> >
> >

Re: Some Unanswered Questions

Ingo Malchow
On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
> Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak
> something in would break history and likely get noticed.

That is not entirely true. Considering the live website is at best a git clone
and not the main git repo (or just an automatic mirror of the git sources),
all you'd need is to get access to the server and secretly modify the live
sources. You could also set up a git merge hook, where the git sources are pulled and on
top of that your backdoor is applied again, so the sysadmins won't notice in the first
place.
No git commits involved here.
Just food for thought ;)

>
> -Chad
>
> On Jun 11, 2013 2:34 PM, "Brion Vibber" <[hidden email]> wrote:
> > Did you mean to post this on Wikimedia-l? Probably a bit offtopic for the
> > software list. :)
> >
> > (And no, MediaWiki does not contain any NSA backdoors. But for all you
> > know, your server's BIOS might!)
> >
> > -- brion
> >
> >
> > On Tue, Jun 11, 2013 at 11:20 AM, Fred Bauder <[hidden email]> wrote:
> > > We can guess, of course, and some of us are very good guessers, but here:
> > >
> > > http://www.scientificamerican.com/article.cfm?id=5-basic-unknowns-nsa-black-hole-prism
> > >
> > > Fred
> > >
> > >
--
Ingo Malchow
(neverendingo)
New to KDE Software? - get help from http://userbase.kde.org or ask questions
on http://forum.kde.org

Re: Some Unanswered Questions

Daniel Friesen-2
In reply to this post by Petr Bena
On Tue, 11 Jun 2013 11:42:00 -0700, Petr Bena <[hidden email]> wrote:

> Of course there is no backdoor for CIA, nor NSA.
>
> Everybody knows mediawiki is controlled by KGB

T_T I was going to insert a joke about it really being controlled by  
<insert relevant Australian organization here> due to Tim's "easter egg"  
on Special:Version but it looks like  
https://gerrit.wikimedia.org/r/#/c/54319/ got rid of it.

>
> On Tue, Jun 11, 2013 at 8:34 PM, Brion Vibber <[hidden email]> wrote:
>> Did you mean to post this on Wikimedia-l? Probably a bit offtopic for the
>> software list. :)
>>
>> (And no, MediaWiki does not contain any NSA backdoors. But for all you
>> know, your server's BIOS might!)
>>
>> -- brion
>>
>>
>> On Tue, Jun 11, 2013 at 11:20 AM, Fred Bauder <[hidden email]> wrote:
>>
>>> We can guess, of course, and some of us are very good guessers, but here:
>>>
>>>
>>> http://www.scientificamerican.com/article.cfm?id=5-basic-unknowns-nsa-black-hole-prism
>>>
>>> Fred
>>>
>>>


--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]



Re: Some Unanswered Questions

Chad
In reply to this post by Ingo Malchow
On Tue, Jun 11, 2013 at 3:16 PM, Ingo Malchow <[hidden email]> wrote:
> On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
>> Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak
>> something in would break history and likely get noticed.
>
> That is not entirely true. Considering the live website is at best a git clone
> and not the main git repo (or just an automatic mirror of the git sources),
> all you'd need is to get access to the server and secretly modify the live
> sources.

Well yes, but...

> You could also set up a git merge hook, where the git sources are pulled and on
> top of that your backdoor is applied again, so the sysadmins won't notice in the first
> place.
> No git commits involved here.
> Just food for thought ;)
>

Which would subsequently show up on git-status. And if you tried to add
your $secretFile to .gitignore, there'd be a change to .gitignore in the tree.

Impossible to do? No. But hard to do without tipping someone off, yeah,
I'd say so. Heck, we spot the problem all the time when someone goes
and makes a live hack without committing.

-Chad


Re: Some Unanswered Questions

Daniel Friesen-2
On Tue, 11 Jun 2013 13:18:57 -0700, Chad <[hidden email]> wrote:

> Which would subsequently show up on git-status. And if you tried to add
> your $secretFile to .gitignore, there'd be a change to .gitignore in the  
> tree.

.git/info/exclude

> Impossible to do? No. But hard to do without tipping someone off, yeah,
> I'd say so. Heck, we spot the problem all the time when someone goes
> and makes a live hack without committing.
>
> -Chad


--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
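
An added example, not written by any poster in this thread: a check for the case Chad and Daniel Friesen discuss above, where uncommitted changes on a live checkout can be hidden from `git status` by exclude rules or re-applied by a hook. The function names and the throwaway repository are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a deployed git checkout for uncommitted changes.

# Prints one finding per line; returns 1 if anything was found, else 0.
audit_checkout() {
    dir=$1
    findings=$(
        # Tracked files whose content differs from HEAD, staged or not.
        git -C "$dir" diff --name-only HEAD | sed 's/^/modified /'
        # Every untracked file. Without --exclude-standard, .gitignore and
        # .git/info/exclude are not consulted, so neither can hide a file.
        git -C "$dir" ls-files --others | sed 's/^/untracked /'
        # Executable hooks; the stock *.sample files never run.
        for h in "$dir"/.git/hooks/*; do
            [ -f "$h" ] && [ -x "$h" ] || continue
            case $h in (*.sample) continue ;; esac
            echo "hook ${h##*/}"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed fixture: a throwaway repo with one committed file, plus an
# untracked file listed in .git/info/exclude so `git status` stays silent.
make_demo_checkout() {
    d=$(mktemp -d) || return 1
    git -C "$d" init -q
    echo '<?php // index' > "$d/index.php"
    git -C "$d" add index.php
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m init
    mkdir -p "$d/.git/info"
    echo 'extra.php' >> "$d/.git/info/exclude"
    echo '<?php // live hack' > "$d/extra.php"
    echo "$d"
}

demo=$(make_demo_checkout)
echo "git status --porcelain: [$(git -C "$demo" status --porcelain)]"
audit_checkout "$demo" || echo "audit: uncommitted state found (listed above)"
rm -rf "$demo"
```

Any line of output means the checkout no longer corresponds exactly to a commit, which is the signal Chad describes for spotting live hacks.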



Re: Some Unanswered Questions

Tim Starling-2
In reply to this post by Ingo Malchow
On 12/06/13 05:16, Ingo Malchow wrote:

> On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
>> Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak
>> something in would break history and likely get noticed.
>
> That is not entirely true. Considering the live website is at best a git clone
> and not the main git repo (or just an automatic mirror of the git sources),
> all you'd need is to get access to the server and secretly modify the live
> sources. You could also set up a git merge hook, where the git sources are pulled and on
> top of that your backdoor is applied again, so the sysadmins won't notice in the first
> place.
> No git commits involved here.
> Just food for thought ;)

Like Brion said, this is the MediaWiki list, so what you can do on a
single live website is not really relevant.

It would probably be possible to insert a back door into MediaWiki, in
the form of a non-obvious arbitrary script execution vulnerability. If
it was done with care, by an agent planted long in advance, it would
look like an honest mistake, if it was detected. But if I was running
the CIA/NSA/FBI, I could imagine more interesting places to put agents.

-- Tim Starling

