Warrantless (government) surveillance of reader activity. Was: Release of squid log data


Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Gregory Maxwell
I'm splitting threads for a tangent here. Ray brought up an
interesting subject in the log thread.

On 9/15/07, Ray Saintonge <[hidden email]> wrote:
> Trust and signatures are not enough.  How will they react if a
> government demands the release of private information?  If we determine
> that we will not release it in the absence of a court order, what
> recourse do we have if the acquirers are not willing to resist a
> government order in the courts?  In some jurisdictions there may be no
> such right to challenge such an order.

As it stands right now wide scale illicit surveillance of reader
activity would not be much of a challenge for a well funded group such
as a government, all it requires is the ability to intercept the links
which carry the traffic.

Outside of government activity, ISPs and their employees also have
access to this data.

We could substantially mitigate this risk by scaling our SSL handling
ability to the point where it can handle a substantial portion of
the traffic coming to our site and then take measures to encourage
readers to do this.  Then someone wishing to intercept reader activity
would be forced to either compromise reader systems, come to us, or
disclose that they know how to break SSL.

Scaling up our SSL handling is possible but not without considerable
capital and non-zero operating costs. Squid can act as a SSL
accelerator, but we may need to purchase additional hardware (crypto
cards, more CPUs, etc) and we would need to deal with potentially
buggy paths in the code. ... but these are technical matters which
belong on another list.

The appropriate question for foundation-l is, should we be spending
some money to do something like this?

_______________________________________________
foundation-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/foundation-l

Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Erik Moeller-4
On 9/15/07, Gregory Maxwell <[hidden email]> wrote:
> The appropriate question for foundation-l is, should we be spending
> some money to do something like this?

Doesn't an anonymization network like TOR provide the same value for
readers who need to access Wikipedia securely (and, in this case, also
anonymously)?
--
Toward Peace, Love & Progress:
Erik

DISCLAIMER: This message does not represent an official position of
the Wikimedia Foundation or its Board of Trustees.


Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Gregory Maxwell
On 9/15/07, Erik Moeller <[hidden email]> wrote:
> On 9/15/07, Gregory Maxwell <[hidden email]> wrote:
> > The appropriate question for foundation-l is, should we be spending
> > some money to do something like this?
>
> Doesn't an anonymization network like TOR provide the same value for
> readers who need to access Wikipedia securely (and, in this case, also
> anonymously)?

Everyone should have the ability to access Wikipedia in privacy, not
just the few who have the knowledge, patience, and foresight to
install and use TOR.

Tor has a number of significant problems which discourage its use:

(1) Tor is impressively slow and will never be as fast as native
browsing. By Tor's very nature it routes your traffic around the
network. Even if the Tor network stops being overloaded, it will
always be slow compared to direct access.

(2) Today, Tor greatly increases the vulnerability of the user's
traffic to interception by groups less trustworthy than governments
and ISPs.*

(3) The total anonymization which is unneeded by many who just don't
want their interests exposed means that our projects will most likely
continue to block editing from Tor.

We can take action to reduce these problems, and completely eliminate
(2), by running some Tor exits ourselves as I proposed at
http://lists.wikimedia.org/pipermail/wikien-l/2007-September/080667.html

I strongly believe we should run some Wikimedia-only Tor exits, as I
proposed, and I'd be glad to do the work to make it happen. The cost
and difficulty of doing so should be low enough that it could be a
near term project.

But I think it's important that we understand that Tor is not a very
mainstream solution: it requires expertise unavailable to, a level of
protection unneeded by (there is little reason to hide that you are
accessing Wikipedia at all), and performance undesirable to most
readers.

Saying "You can use Tor to hide what articles you are reading" is a
little bit like saying "You can download the static dumps to hide what
articles you are reading". :) It's true, some may do it, but it's not
very effective.

I think of SSL as similar to the level of confidentiality a public
library is understood to offer. Your activities are not secret to the
library, and the public can tell you are visiting the library... but
what you read there is expected to be kept in confidence. Tor is more
like sending friends to get their friends to go get books on your
behalf... more private but inconvenient.


*See "Tor Used To Collect Embassy Email Passwords"
http://it.slashdot.org/article.pl?sid=07/09/11/1730258


Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Erik Moeller-4
On 9/15/07, Gregory Maxwell <[hidden email]> wrote:
> Everyone should have the ability to access Wikipedia in privacy, not
> just the few who have the knowledge, patience, and foresight to
> install and use TOR.

Well, they do - we're just not actively promoting SSL. Question: Are
we near the limits of the amount of traffic we can handle via SSL, or
might it be worthwhile to experiment with adding a "Secure login" link
to Special:Userlogin?

> We can take action to reduce these problems, and completely eliminate
> (2), by running some Tor exits ourselves as I proposed at
> http://lists.wikimedia.org/pipermail/wikien-l/2007-September/080667.html

That might be worthwhile; have you spoken to our tech team or Sue about it?

> But I think it's important that we understand that Tor is not a very
> mainstream solution: it requires expertise unavailable to, a level of
> protection unneeded by (there is little reason to hide that you are
> accessing Wikipedia at all), and performance undesirable to most
> readers.

I think it would definitely be useful to at least be capable of
handling the amount of traffic from having a "secure login" link on
all user login pages. But if it requires significant investments of
time and money to do so, it wouldn't be in my top 5 tech priority
list.
--
Toward Peace, Love & Progress:
Erik

DISCLAIMER: This message does not represent an official position of
the Wikimedia Foundation or its Board of Trustees.


Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Gerard Meijssen-3
Hoi,
Let us defer all talk about changing the login functionality until we have
SUL implemented. Let us get SUL soon and first!
Thanks,
   GerardM

On 9/16/07, Erik Moeller <[hidden email]> wrote:

>
> On 9/15/07, Gregory Maxwell <[hidden email]> wrote:
> > Everyone should have the ability to access Wikipedia in privacy, not
> > just the few who have the knowledge, patience, and foresight to
> > install and use TOR.
>
> Well, they do - we're just not actively promoting SSL. Question: Are
> we near the limits of the amount of traffic we can handle via SSL, or
> might it be worthwhile to experiment with adding a "Secure login" link
> to Special:Userlogin?
>
> > We can take action to reduce these problems, and completely eliminate
> > (2), by running some Tor exits ourselves as I proposed at
> > http://lists.wikimedia.org/pipermail/wikien-l/2007-September/080667.html
>
> That might be worthwhile; have you spoken to our tech team or Sue about
> it?
>
> > But I think it's important that we understand that Tor is not a very
> > mainstream solution: it requires expertise unavailable to, a level of
> > protection unneeded by (there is little reason to hide that you are
> > accessing Wikipedia at all), and performance undesirable to most
> > readers.
>
> I think it would definitely be useful to at least be capable of
> handling the amount of traffic from having a "secure login" link on
> all user login pages. But if it requires significant investments of
> time and money to do so, it wouldn't be in my top 5 tech priority
> list.
> --
> Toward Peace, Love & Progress:
> Erik
>
> DISCLAIMER: This message does not represent an official position of
> the Wikimedia Foundation or its Board of Trustees.
>

Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Gwern Branwen
On 2007.09.16 07:21:25 +0200, GerardM <[hidden email]> scribbled 48 lines:
> Hoi,
> Let us defer all talk about changing the login functionality until we have
> SUL implemented. Let us get SUL soon and first!
> Thanks,
>    GerardM

Why should we defer it? It really doesn't seem like a big deal. There are a couple things to discuss here:

#How much load would all logins going through SSL cause? This should be really easy to do - figure out how much work a single SSL login causes, and multiply. Even that crude ballpark estimate is better than nothing.

#Make logins by default go through SSL. We can break this down into two suggestions:
##Make all admins go through SSL by default. I think this is an *extremely* good idea. However expensive a SSL login might be, a few thousand admins infrequently logging in is hardly going to stress the servers comparable to normal editing or bot edits or spiders. Plus, it'd give just a little more protection for account passwords in all situations, not just for those editing through TOR. It's largely transparent to users, has a chance of doing good, etc. (Now, I'm not saying force admins to go through secure.wikimedia.org, just that surely there must be some configuration option or something for the regular en.wikipedia.org login page? This, like the first suggestion, is best answered by those with technical chops.)
##Make all logins go through SSL by default. Sure, why not. The argument against this would seem to be server load, but we need an answer to the first point before we can productively argue this.

We really need some more information here. Is it hard to change the login? I would assume that because you can already log in via SSL through secure.wikimedia.org, the functionality is there and only needs to be enabled for the frontend (as compared to SUL, a backend enhancement involving vast and far-reaching changes), so to speak, but for all I know the login page is actually some hardwired crufty HTML page that barely works and adding an SSL option, default or not, would be a heroic undertaking comparable to that of SUL.

Any of the developers want to comment?

--
gwern
Stallman guest jihad SL-1 VHF DF DSS Juiliett 2.6.2. Kwajalein


Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Austin Hair
In reply to this post by Gerard Meijssen-3
On 9/16/07, GerardM <[hidden email]> wrote:
> Let us defer all talk about changing the login functionality until we have
> SUL implemented. Let us get SUL soon and first!

The functionality being discussed has already been implemented.  The
only change would be the addition of a link to that wiki via the SSL
interface (e.g.,
https://secure.wikimedia.org/wikipedia/en/w/index.php?title=Special:Userlogin),
currently known to only a few who actively care and are sufficiently
well-informed, to a page visible to the less well-informed.

Austin


Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Gerard Meijssen-3
In reply to this post by Gwern Branwen
Hoi,
Why should we defer it? Because it would be good to finish things first. It
is imho really sad that important projects become more time consuming
because they are not finished. What to you seems to be not that big a deal
does cost time and according to earlier remarks it does cost servers. Both
are in short supply.
Thanks,
     GerardM

On 9/16/07, Gwern Branwen <[hidden email]> wrote:

>
> On 2007.09.16 07:21:25 +0200, GerardM <[hidden email]>
> scribbled 48 lines:
> > Hoi,
> > Let us defer all talk about changing the login functionality until we
> have
> > SUL implemented. Let us get SUL soon and first!
> > Thanks,
> >    GerardM
>
> Why should we defer it? It really doesn't seem like a big deal. There are
> a couple things to discuss here:
>
> #How much load would all logins going through SSL cause? This should be
> really easy to do - figure out how much work a single SSL login causes, and
> multiply. Even that crude ballpark estimate is better than nothing.
>
> #Make logins by default go through SSL. We can break this down into two
> suggestions:
> ##Make all admins go through SSL by default. I think this is an
> *extremely* good idea. However expensive a SSL login might be, a few
> thousand admins infrequently logging in is hardly going to stress the
> servers comparable to normal editing or bot edits or spiders. Plus, it'd
> give just a little more protection for account passwords in all situations,
> not just for those editing through TOR. It's largely transparent to users,
> has a chance of doing good, etc. (Now, I'm not saying force admins to go
> through secure.wikimedia.org, just that surely there must be some
> configuration option or something for the regular en.wikipedia.org login
> page? This, like the first suggestion, is best answered by those with
> technical chops.)
> ##Make all logins go through SSL by default. Sure, why not. The argument
> against this would seem to be server load, but we need an answer to the
> first point before we can productively argue this.
>
> We really need some more information here. Is it hard to change the login?
> I would assume that because you can already log in via SSL through
> secure.wikimedia.org, the functionality is there and only needs to be
> enabled for the frontend (as compared to SUL, a backend enhancement
> involving vast and far-reaching changes), so to speak, but for all I know
> the login page is actually some hardwired crufty HTML page that barely works
> and adding an SSL option, default or not, would be a heroic undertaking
> comparable to that of SUL.
>
> Any of the developers want to comment?
>
> --
> gwern
> Stallman guest jihad SL-1 VHF DF DSS Juiliett 2.6.2. Kwajalein
>

Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Austin Hair
On 9/16/07, GerardM <[hidden email]> wrote:
> Why should we defer it? Because it would be good to finish things first. It
> is imho really sad that important projects become more time consuming
> because they are not finished. What to you seems to be not that big a deal
> does cost time and according to earlier remarks it does cost servers. Both
> are in short supply.

Adding these links costs five minutes of non-developer time.  Any wiki
administrator can do this.

How much additional server capacity is required, and the resulting
cost-benefit analysis, is what's being discussed.  At any rate, we're
looking at administrator time, not developer time.

Austin


Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Gerard Meijssen-3
Hoi,
Does that mean that any of the developers will be involved? I doubt it...
When they are indeed not involved, how do you get and check your numbers?

PS I am not saying that this might not be a good idea. What I am saying is
that we should not pile more on the existing workload when there is so much
stuff that needs finishing.
Thanks,
    GerardM

On 9/16/07, Austin Hair <[hidden email]> wrote:

>
> On 9/16/07, GerardM <[hidden email]> wrote:
> > Why should we defer it? Because it would be good to finish things
> first. It
> > is imho really sad that important projects become more time consuming
> > because they are not finished. What to you seems to be not that big a
> deal
> > does cost time and according to earlier remarks it does cost servers.
> Both
> > are in short supply.
>
> Adding these links costs five minutes of non-developer time.  Any wiki
> administrator can do this.
>
> How much additional server capacity is required, and the resulting
> cost-benefit analysis, is what's being discussed.  At any rate, we're
> looking at administrator time, not developer time.
>
> Austin
>

Re: Warrantless (government) surveillance of reader activity. Was: Release of squid log data

Anthony-73
In reply to this post by Austin Hair
On 9/16/07, Austin Hair <[hidden email]> wrote:

> On 9/16/07, GerardM <[hidden email]> wrote:
> > Let us defer all talk about changing the login functionality until we have
> > SUL implemented. Let us get SUL soon and first!
>
> The functionality being discussed has already been implemented.  The
> only change would be the addition of a link to that wiki via the SSL
> interface (e.g.,
> https://secure.wikimedia.org/wikipedia/en/w/index.php?title=Special:Userlogin),
> currently known to only a few who actively care and are sufficiently
> well-informed, to a page visible to the less well-informed.
>
That would be fairly useless, as logging in to secure.wikimedia.org
doesn't log you in to en.wikipedia.org.  And if it did, it would
essentially defeat the whole purpose of logging in securely.

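A small model of the two points in Anthony's reply, and of the link-level exposure Gregory raised at the top of the thread, written here as an added example (it is not code from the list, Wikimedia or MediaWiki). It applies the RFC 6265 cookie rules; the cookie name, the URLs and the "shared cookie" scenario are assumptions made for illustration.

```python
"""Model of (a) when a browser sends a login session cookie (RFC 6265
domain matching plus the Secure attribute) and (b) what a passive tap on
the network link can read from a request. The cookie name, URLs and the
"shared cookie" scenario are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str   # host it was set for; a leading dot also covers subdomains
    secure: bool  # Secure attribute: a browser sends it over https only


def domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain match: exact host, or suffix match for a dotted domain."""
    cookie_domain, host = cookie_domain.lower(), host.lower()
    if cookie_domain.startswith("."):
        suffix = cookie_domain[1:]
        return host == suffix or host.endswith("." + suffix)
    return host == cookie_domain


def cookie_sent(cookie: Cookie, url: str) -> bool:
    """Would a conforming browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    if not domain_matches(cookie.domain, parts.hostname or ""):
        return False
    return parts.scheme == "https" or not cookie.secure


def tap_sees(url: str, cookies: Iterable[Cookie]) -> dict:
    """What someone intercepting the link observes for one request."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # Only the destination host is visible; the path, query string and
        # any cookies travel inside the encrypted session.
        return {"host": parts.hostname, "path": None, "cookies": []}
    return {"host": parts.hostname, "path": parts.path,
            "cookies": [c.name for c in cookies if cookie_sent(c, url)]}


# Session cookie as a login on the SSL host would set it (constructed name).
SECURE_ONLY = Cookie("enwikiSession", "secure.wikimedia.org", secure=True)
# Hypothetical: the same session made valid for the plain-http wiki as well.
SHARED_INSECURE = Cookie("enwikiSession", ".wikipedia.org", secure=False)

ARTICLE_HTTPS = "https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page"
ARTICLE_HTTP = "http://en.wikipedia.org/wiki/Main_Page"

if __name__ == "__main__":
    # A login on secure.wikimedia.org does nothing for en.wikipedia.org...
    print(cookie_sent(SECURE_ONLY, ARTICLE_HTTPS), cookie_sent(SECURE_ONLY, ARTICLE_HTTP))
    # ...and a session shared with the http wiki is readable by the link tap,
    # together with the article title, which the https request hides.
    print(tap_sees(ARTICLE_HTTP, [SHARED_INSECURE]))
    print(tap_sees(ARTICLE_HTTPS, [SECURE_ONLY]))
```

A Secure cookie scoped to .wikipedia.org would still never be sent to http://en.wikipedia.org, so widening the cookie cannot help; only serving the wiki itself over SSL keeps both the session and the reading activity off the wire.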