[Wikimedia-l] Dells are backdored

Can we please stop paying the Microsoft and NSA taxes and start buying
datacenter equipment which costs a lot less? Cubieboard/Cubietrucks for
instance?

Ref.:
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

Best regards,
James
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On 29 December 2013 12:55, James Salsman <[hidden email]> wrote:

> Can we please stop paying the Microsoft and NSA taxes


The WMF doesn't.





Using non standard data center equipment is a great way to add costs.

As for security given the limited resources the WMF has whenever GCHQ, FSB
and MSS have wanted to get in they have and there is nothing we can do
about this.
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On Sun, Dec 29, 2013 at 5:17 AM, geni <[hidden email]> wrote:
Naw, it's a great idea.  Let's switch to building our own ARM-based
servers (by the way, which have already been a flop commercially),
using only unproven, low-volume available motherboards and having to
buy and assemble all of the rest of the components.  And then of
course, we need to design our own cases... and since these have such a
low performance, we'll need to have a lot more rack and datacenter
space, of course which comes with a cost... and we'll have to figure
out how to run our caching layers which require large amounts of
memory... and our storage layers which require large amounts of disk
space.....  At that point we'll probably need to redesign those boards
which are incapable of doing these things, so we'll need a team of
hardware engineers, plus a deal with a manufacturing plant.

So... I think with about a 100 million dollar per year research budget
we can do this.  Who's ponying up? ;)


> As for security given the limited resources the WMF has whenever GCHQ, FSB
> and MSS have wanted to get in they have and there is nothing we can do
> about this.
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>



--
Leslie Carr
Wikimedia Foundation
AS 14907, 43821
http://as14907.peeringdb.com/

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On Sun, Dec 29, 2013 at 4:55 AM, James Salsman <[hidden email]> wrote:

> Can we please stop paying the Microsoft and NSA taxes and start buying
> datacenter equipment which costs a lot less? Cubieboard/Cubietrucks for
> instance?
>
> Ref.:
>
> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
>
>

Cubie are not credible enterprise-grade hardware; having made the
suggestion indicates you don't understand what large server farm design and
operations are all about.

One can see signs of a movement towards enterprise-grade lower power CPU
systems such as Atom, ARM, and Via chip mini-servers.  It's not there yet.
 Both hardware and OS issues with the ARMs, and hardware with the others.


--
-george william herbert
[hidden email]
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

2013/12/29 Leslie Carr <[hidden email]>
Funny huh?

If we use free software, I don't see why we can't move to open-source
hardware ASAP.

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On Sun, Dec 29, 2013 at 2:25 PM, Emilio J. Rodríguez-Posada <
[hidden email]> wrote:
Well, I think Leslie just listed a few, but I'll recap:
- low-availability
- Requires in house assembly
- Requires in house design capacity
- Substantially more rack and datacenter space required
- Insufficient for caching and storage layers
- Cost of manufacturing.

pb
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On 29/12/2013 22:41, Philippe Beaudette wrote:
Add to the list people that know what they are doing.


_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On 29/12/13 23:55, James Salsman wrote:
> Can we please stop paying the Microsoft and NSA taxes and start buying
> datacenter equipment which costs a lot less? Cubieboard/Cubietrucks for
> instance?
>
> Ref.:
> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
>

That article doesn't say Dell equipment has a back door, it just says
that there is surveillance software or hardware designed to work with
Dell equipment. It doesn't even say that Dell equipment is especially
vulnerable.

"There is no information in the documents seen by SPIEGEL to suggest
that the companies whose products are mentioned in the catalog
provided any support to the NSA or even had any knowledge of the
intelligence solutions."

-- Tim Starling


_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tinfoil hat time!

Yes, the NSA stuff is a big deal, but saying that we're paying taxes to
Microsoft and the NSA?  Even if you mean taxes in a figurative sense,
someone would be getting money from the WMF to buy hardware, and if the
NSA can backdoor Dell, they could easily backdoor whatever hardware that
gets used instead, if they really wanted to.

Arguably, cheaper or in-house hardware could end up being easier to
backdoor or exploit.
- --
Sincerely,
Andrew "FastLizard4" Adams
<https://en.wikipedia.org/wiki/User:FastLizard4>
<[hidden email]>
GPG Key ID: 0x221A627DD76E2616

On 12/29/2013 4:55 AM, James Salsman wrote:
> Can we please stop paying the Microsoft and NSA taxes and start buying
> datacenter equipment which costs a lot less? Cubieboard/Cubietrucks for
> instance?
>
> Ref.:
> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
>
> Best regards,
> James

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSwOGAAAoJECIaYn3XbiYWLAYP/2ulfGqZnah5G5aEPIrUlJCU
N0Okd65JMzdHQl7Sya2TQkjG6t2d0ggbXNGDlufDvf3nl5IuPVYBxh23RsVhnsIj
rHLKqZEs1ol/7E7r+nrilaJYgzdaSGFQ/Hh5gdN+C1yMc8AILMzbYPTc8h8D145S
8PZm7wynbJT4VRDVDP8XMY6201sj44HUNp0Kg84YtMiL0ZzA+VbYlLIh5koJAk4v
oPeI+KUTy0kSK8KRzp/kv/VCPE5zyOCPIB+RSwVnT2DR14+DMuv/TVn7p8atPlAH
0Tw+BTZu0UxVtLZR7njP8JhzDsslw0C9D2Drsg+iNGbKblMJq5fVqZqyI9MLAJcY
PL7uFE/e2M7Ck38gPRdLemBNBBpJLfleZmujVRr/8jrx4pigy5YmE/U7yVUSGb1Y
JVhTQbtyClrut9faPyYEG6jbeOGLY6/cU6mCJf0R5ksjfQzaFXPkt3bNfCKKlvV9
EhUQ3e16tGbFiHJCyeT0V0MPmllRfumB5vaO+9CFVvLHQUDvSeutbEZUPpdb7fFS
BRTQwhrJeUyK573eMbw71lDlv1M6EniCuxE0pBuzUQpfTZkRPKWJZ0rJKG+/Qw7m
cDpBCWwVQc7vNEVZbk/u9k1J0yef8TQeKawl/Mf+SHcJj9/6qIHSNnmBEtjUkgEW
hFuZwCkX9fL8jEBRP/b3
=AcpO
-----END PGP SIGNATURE-----

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

The WMF's servers have nothing to do with Microsoft.

There do exist alternative processor architectures, not even just ARM
(Itanium (probably too expensive), Tilera (massively parallel)), but I
don't think migrating our software (particularly Labs'
virtualization-related software) to them is trivial.

One should also ask whether the NSA is snooping on our transit links and
our peering IXPs (Google is encrypting their own fiber, as well as their
transit links, for that reason).


On Sun, Dec 29, 2013 at 4:55 AM, James Salsman <[hidden email]> wrote:
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

When this came up last time, it turned out that there was some kind of
a deal in place, and certainly many if not most published pictures of
the Wikimedia data center feature rows of shiny Dell logos.  But Dell
does support Microsoft and the NSA, obviously, and also supports some
very creative accounting methods to avoid paying taxes with tax
havens. Dell's corporate structure adventures are not the sort of
corporate behavior concordant with a mission to empower anyone other
than Dell stockholders.

If you don't like Cubietrucks, then how about RADXA? At least with
http://dl.radxa.com/rock/docs/hw/RADXA_ROCK_schematic_20130903.pdf
you know exactly what you're getting and it doesn't cost a huge power
bill. We still failover when machines go out of service, and sure the
caches would have different RAM configurations, but the fact is it
doesn't cost more money to switch to ARM, and you jettison a bunch of
legacy x86 crap that nobody uses but take millions of transistors
which need to be powered. Why ask our donors to keep all those useless
transistors warm?

And as much as I personally appreciate Wikimedia staff, I am inclined
to agree with the sentiment that perhaps we should hire more staff
until we get some who believe that it wouldn't cost $100,000 to
transition to less expensive hardware. And maybe some people who know
how to order chassis?

Best regards,
James

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

*"And as much as I personally appreciate Wikimedia staff, I am inclined*



*to agree with the sentiment that perhaps we should hire more staff until
we get some who believe that it wouldn't cost $100,000 totransition to less
expensive hardware. And maybe some people who know how to order chassis?"*

What makes you think they don't?

Dan Rosenthal


On Sun, Dec 29, 2013 at 10:55 PM, James Salsman <[hidden email]> wrote:
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

"but the fact is it
doesn't cost more money to switch to ARM, and you jettison a bunch of
legacy x86 crap that nobody uses but take millions of transistors
which need to be powered."

ARM is not compatible with a lot of our software, and besides if we really
wanted power efficiency we could instead buy Intel's 14nm chips.
Virtualization also helps.

New servers always cost a lot, and it's not trivial to switch over hundreds
of boxes. That's because you're not going to make ARM CPUs work as drop-in
replacements.


On Sun, Dec 29, 2013 at 7:55 PM, James Salsman <[hidden email]> wrote:
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On 30/12/13 14:55, James Salsman wrote:
> If you don't like Cubietrucks, then how about RADXA? At least with
> http://dl.radxa.com/rock/docs/hw/RADXA_ROCK_schematic_20130903.pdf
> you know exactly what you're getting and it doesn't cost a huge power
> bill.

Maximum 100 Mbps ethernet connection. Also, it doesn't exist yet.

> We still failover when machines go out of service, and sure the
> caches would have different RAM configurations, but the fact is it
> doesn't cost more money to switch to ARM, and you jettison a bunch of
> legacy x86 crap that nobody uses but take millions of transistors
> which need to be powered. Why ask our donors to keep all those useless
> transistors warm?

Are there some benchmarks which support this idea? I read

<http://armservers.com/2012/06/18/apache-benchmarks-for-calxedas-5-watt-web-server/>

But it was full of distortions, like comparing the actual power usage
of the ARM system with the TDP of the Intel system, and then using a
workload which saturated the network link of the Intel system versus
the CPU of the ARM system. Maybe this sort of fluff is part of the
reason why Calxeda went bust.

Marketing materials on Calxeda's website indicated that the system was
priced such that it would be more expensive than Intel on a per-MIPS
basis, but that you'd win in the long run through reduced power bills.
It didn't sound like a cheap solution to me.

I read this:

<http://www.theregister.co.uk/2013/12/13/facebook_arm_chips/>

But it was clear that it was only at a prototype stage -- the
benchmarks are not in yet because the development work needs to be
done first. I read this:

<http://www.theregister.co.uk/2013/12/16/google_intel_arm_analysis/>

which speculated that Xeon may still be better for CPU-intensive
tasks, and ARM chips may be useful for storage control. But a
Cubieboard or Radxa can't be used for storage, since they lack the
necessary high-bandwidth connections.

Leslie Carr wrote:
> At that point we'll probably need to redesign those boards
> which are incapable of doing these things, so we'll need a team of
> hardware engineers, plus a deal with a manufacturing plant.

Google and Facebook are apparently taking that route. Maybe some day,
this technology will be available for anyone to buy.

-- Tim Starling


_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

On Dec 29, 2013, at 9:11 PM, Tim Starling <[hidden email]> wrote:

> Leslie Carr wrote:
>> At that point we'll probably need to redesign those boards
>> which are incapable of doing these things, so we'll need a team of
>> hardware engineers, plus a deal with a manufacturing plant.
>
> Google and Facebook are apparently taking that route. Maybe some day,
> this technology will be available for anyone to buy.
>
> -- Tim Starling


One hears rumors of enterprise grade hardware manufacturers floating product ideas to customers (cough) but rumors persist that paying customers actually calculate bandwidth issues for their applications and generally say no. The ones who say yes tend to be academics in strange corners of the money / compute cluster CPU vs IO trade space, and are ok with building their own.


-george william herbert
[hidden email]

Sent from Kangphone
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

> Maximum 100 Mbps ethernet connection....

We should be using fiber, which also costs less power and is orders of
magnitude faster.

If the words "enterprise-class" actually mean something more than
"much larger markup than purchasing components" then go with something
like http://www.marvell.com/company/news/pressDetail.do?releaseID=3576

For example, maybe the http://www.mitac.com/business/gfx_servers.html
people have benchmarks representative of our DB/cache usage patterns.
It's not like we have anything special (or x86-specific, Jasper!)
other than very high bandwidth.

At least put out an RFP, please.

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

"It's not like we have anything special (or x86-specific, Jasper!)
other than very high bandwidth."

Wikimedia Labs uses x86 hardware virtualization (just one example). We
already have transit linkages that include fiber, and new fiber is far from
cheap.

You persist in ignoring the costs of buying equipment. In terms of orders
of magnitude, ~500 servers * $200 per server = $100,000 already. That is a
conservative $200/server estimate that also doesn't take into account labor
and other costs. To the level we'd want it, it's at least one more order of
magnitude more expensive (no, we're not going to recover the costs by
selling our existing servers).


On Sun, Dec 29, 2013 at 10:10 PM, James Salsman <[hidden email]> wrote:
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

>... Wikimedia Labs uses x86 hardware virtualization (just one example)

How does that tie us to x86?
http://www.eweek.com/servers/arm-server-chips-get-xen-virtualization-support/

>... a conservative $200/server estimate

I have been recommending hardware which costs closer to $70 per
"server" depending on storage and cache architecture options.

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

"How does that tie us to x86?"

We don't use Xen, nor is that guaranteed to give us acceptable performance.

"closer to $70"

Please justify that claim (that would be the cost of the CPU or hard disk
alone). You haven't even given us a compelling reason to spend any money at
all on this.


On Sun, Dec 29, 2013 at 10:25 PM, James Salsman <[hidden email]> wrote:
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

Putting aside the 'tax' aspect, whether or not there is a backdoor in the
shipped product is not the point of the article you linked to James.

NSA is intercepting hardware deliveries and adding backdoors while it is
enroute from supplier to customer. Buying new equipment gives NSA a new
opportunity to inject backdoors unless WMF has staff watching the entire
manufacturing and delivery process.

The latest revelations give details of only a few of NSAs capabilities.
Eliminating the now known threats, and all the other possible vectors is
not feasible.

A more sensible strategy is to put perimeters around sets of private data,
and watch your own equipment for unusual activity, with more focus on
outbound than was previously thought necessary by most organisations. The
extreme end is using trusted operating systems, tagging all data and
network interfaces & software preventing unapproved data transits.

WMF already has serious network traffic analytics and monitoring. Maybe
some more rules and alerts are needed, but everyone is reviewing how
suspicious they should be of their 'own' internal equipment now.
 On Dec 29, 2013 7:56 PM, "James Salsman" <[hidden email]> wrote:
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>