[WikiEN-l] Please change your passwords.

Rob Church robchur at gmail.com
Wed May 9 03:01:04 UTC 2007


On 09/05/07, wikien-l-request at lists.wikimedia.org
<wikien-l-request at lists.wikimedia.org> wrote:
> Message: 8
> Date: Wed, 9 May 2007 01:03:31 +0100
> From: Zoney <zoney.ie at gmail.com>
> Subject: Re: [WikiEN-l] Please change your passwords.
> To: "English Wikipedia" <wikien-l at lists.wikimedia.org>
> Message-ID:
>         <4418c60e0705081703s16605974id0e134c9b91435f at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> The project should be managed professionally if it is indeed a serious
> project. Otherwise it's all just a bit of a larf and it'll eventually come
> crashing down. However, the project *is* taken seriously by those of us
> involved, and attempts to pass itself off as a serious endeavour. Indeed
> that mostly works, and so a large section of the media and the public take
> the project seriously (maybe they shouldn't). That is why I consider it
> serious for us to be so unprofessional about such a critical issue as site
> security.

Please explain how we are going to fund this "professional"
management? As someone involved with the development of the software
powering the Wikimedia projects, I am mildly insulted at the
insinuation that we're all a bunch of amateurs. At the technical
level, at least, a lot of time and effort has been invested into
pulling off the damn impossible, that is, keeping an Alexa top 10 web
site running, accepting thousands of reads and edits per second, with
an IT budget that would cause the technical staff of companies below
us on the list to, ah, "void their bladders" with laughter.

> Is there an official line on what needs to be done, and what exactly
> administrators should do with respect to passwords? Has it been relayed to
> each and every administrator in a proper fashion? (the email I received was
> rather informal) Is this information put to new admins (or even ordinary
> users) in a coherent fashion? I do not think being knowledgeable on the
> subject of password security should be a necessary criterion for a Wikipedia
> administrator. So there needs to be a definitive process for the uninitiated
> to follow.

As far as I'm aware, the Chief Technical Officer made an official
announcement regarding the issue on the technical mailing list, and
perhaps others, and asked for this information to be passed onto
individual communities. This means that we trust the established lines
of communication; village pumps, the Wikipedia Signpost, the usual
fora for announcements...we trust those to work.

The actual responsibility for communication throughout the Foundation,
between the Board and the communities, and the development and system
administration teams and those communities lies with the
Communications Committee, who do not, as far as I can see, appear to
have provided any advice to communities on this issue. This means, in
my opinion, that they have failed to act within their remit.

You're also inflating the position of administrator, all of you, in
saying that they are the only accounts worth protecting with decent
passwords. Pure bosh; a compromised bot account is just as harmful,
because a properly flagged bot is able to bypass captchas and make
edits which do not immediately show up on many change lists, including
recent changes, and watchlists.

At the end of the day, an administrator is just a user who is able to
delete pages and images and edit a few protected pages. All of this
can be undone; it's just a matter of how much it inconveniences us to
restore order. I would also point out that unauthorised access to the
CheckUser tool, in itself, does not constitute a serious problem,
although it is a complicated privacy issue; the disclosure of
information gained through the tool is much more damaging than some
user who may have cracked David Gerard's password (in a parallel
dimension, of course) knowing that, zomg, Kelly Martin is Jimbo!

> ~()____) This message will self-destruct in 5 seconds...

I have to chuckle at the fact that someone is ranting about
"professionalism" and presentation, and then signs their emails with
something like that.


Rob Church
