refs tpo/tpa/tails/sysadmin#18165

service/schleuder.md

@@ -175,5 +175,192 @@ To migrate a schleuder list, go through the following steps:
 
 ## References for sysadmins
 
-- Known lists: The list of Schleuder lists can be found in [hiera](https://gitlab.tails.boum.org/tails/puppet-code/-/blob/production/hieradata/node/mta.chameleon.eyaml?ref_type=heads)
-- [Schleuder lists Threat Model](service/schleuder/threat-model)
+### Known lists
+
+The list of Schleuder lists can be found in [hiera](https://gitlab.tails.boum.org/tails/puppet-code/-/blob/production/hieradata/node/mta.chameleon.eyaml?ref_type=heads)
+
+### Threat model
+
+#### ci
+
+Used to organize around the Tails CI.
+
+No sensitive data.
+
+Interruption not so problematic.
+
+If hosted on lizard, interruption is almost not a problem at all: there won't be anything
+to report about or discuss if lizard is down.
+
+Requirements:
+    Confidentiality: low
+    Availability: low
+    Integrity: low
+
+→ puscii
+
+#### rm
+
+- Used to organize around the Tails release management.
+- advance notice for embargoed (tor) security issues and upcoming Firefox chemspill releases
+- Jenkins failure/recovery notifications for release branches (might contain
+  some secrets about our CI infra occasionally)
+
+Interruption effect? Probably none: small set of members who also have direct communication channels and often use them instead of the mailing list
+
+Requirements:
+    Confidentiality: medium--high
+    Availability: low
+    Integrity: low
+
+→ Tails infra
+
+#### fundraising
+
+- list of donors
+- discussion with past & potential sponsors
+- daily rate of each worker
+- internal view of grants budget
+
+Requirements:
+    Confidentiality: medium--high
+    Availability: medium--high
+    Integrity: medium--high
+
+→ puscii
+
+#### accounting
+
+- contributors' private/identifying personal info
+- contracts
+- accounting
+- expenses reimbursement
+- management and HR stuff
+- administrativa and fiscal info
+- discussion with current sponsors
+
+Requirements:
+    Confidentiality: high
+    Availability: medium--high
+    Integrity: high
+
+→ Tails infra
+
+#### press
+
+Public facing address to talk to the press and organize the press team.
+
+No sensitive data.
+
+Interruption can be problematic in case of fire to communicate with the outside.
+
+Requirements:
+    Confidentiality: medium
+    Availability: medium--high (high in case of fire)
+    Integrity: medium--high
+
+→ puscii
+
+#### bugs
+
+Public facing address to talk to the users and organize the team.
+
+Contains sensitive data (whisperback reports and probably more).
+
+Interruption can be problematic in case of fire to communicate with the outside ?
+
+Requirements:
+    Confidentiality: high
+    Availability: medium--high (high in case of fire)
+    Integrity: high
+
+→ Tails infra but availability issue ⇒ needs mitigation
+
+#### tails@
+
+- internal discussions between Tails "wizards"
+- non-technical decision making e.g. process
+- validating new members for other teams
+- sponsorship requests
+
+Requirements:
+    Confidentiality: medium--high
+    Availability: medium--high (very high in case of fire)
+    Integrity: high
+
+→ puscii but integrity issue ⇒ needs mitigation (revocation procedure?)
+
+#### summit
+
+- internal community discussions
+
+Requirements:
+    Confidentiality: medium
+    Availability: medium
+    Integrity: low
+
+→ puscii
+
+#### sysadmins
+
+- monitoring alerts
+- all kinds of email sent to root e.g. cron
+- occasionally some secret that could give access to our infra?
+
+Requirements:
+    Confidentiality: high (depending on the occasional secret, else medium)
+    Availability: medium--high (in case of fire, there are other means
+    for sysadmins to reach each other, and for other Tails people who can/should do
+    something about it to reach them; outsiders rarely contact Tails sysadmins
+    for sysadmin stuff anyway)
+    Integrity: high
+
+→ Tails infra
+
+#### mirrors
+
+- discussion with mirror operators
+- enabling/disabling mirrors (mostly public info)
+
+Requirements:
+    Confidentiality: low--medium
+    Availability: low--medium (medium in case of fire) <- do we have backup contacts?
+                              Yes, all the contact info for mirror operators
+                              is in a public Git repo and they are technically skilled
+                              people who'll find another way to reach us
+                              => I would say low--medium even in case of fire.
+    Integrity: medium (impersonating this list can lead mirror operators to misconfigure
+                      their mirror => DoS i.e. users cannot download Tails; although
+                      that same attack would probably work on many mirror operators
+                      even without signing the email…)
+
+→ puscii
+
+### Basic threats
+
+compromise of schleuder list -> confidentiality & integrity
+
+schleuder list down -> availability
+
+
+### Basic Scenarios
+
+#### 1. List confidentiality compromised due to compromised member/admin mailbox + pgp key
+
+This can happen unnoticed
+
+#### 2. List integrity compromised due to compromised member/admin mailbox + pgp key
+
+This will be noticed as the resend notifies the list
+
+#### 3. List confidentiality compromised due to server compromise
+
+This can happen unnoticed
+
+#### 4. List integrity compromised due to compromised member/admin mailbox + pgp key
+
+This can happen unnoticed
+
+#### 5. List availability down because of misconfiguration
+
+#### 6. List availability down because of server down