On 09/05/07, wikien-l-request(a)lists.wikimedia.org
<wikien-l-request(a)lists.wikimedia.org> wrote:
Message: 8
Date: Wed, 9 May 2007 01:03:31 +0100
From: Zoney <zoney.ie(a)gmail.com>
Subject: Re: [WikiEN-l] Please change your passwords.
To: "English Wikipedia" <wikien-l(a)lists.wikimedia.org>
Message-ID: <4418c60e0705081703s16605974id0e134c9b91435f(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
The project should be managed professionally if it is indeed a serious
project. Otherwise it's all just a bit of a larf and it'll eventually come
crashing down. However, the project *is* taken seriously by those of us
involved, and attempts to pass itself off as a serious endeavour. Indeed
that mostly works, and so a large section of the media and the public take
the project seriously (maybe they shouldn't). That is why I consider it
serious for us to be so unprofessional about such a critical issue as site
security.
Please explain how we are going to fund this "professional"
management? As someone involved with the development of the software
powering the Wikimedia projects, I am mildly insulted at the
insinuation that we're all a bunch of amateurs. At the technical
level, at least, a lot of time and effort has been invested into
pulling off the damn impossible, that is, keeping an Alexa top 10 web
site running, accepting thousands of reads and edits per second, with
an IT budget that would cause the technical staff of companies below
us on the list to, ah, "void their bladders" with laughter.
Is there an official line on what needs to be done, and what exactly
administrators should do with respect to passwords? Has it been relayed to
each and every administrator in a proper fashion? (the email I received was
rather informal) Is this information put to new admins (or even ordinary
users) in a coherent fashion? I do not think being knowledgeable on the
subject of password security should be a necessary criterion for a Wikipedia
administrator. So there needs to be a definitive process for the uninitiated
to follow.
As far as I'm aware, the Chief Technical Officer made an official
announcement regarding the issue on the technical mailing list, and
perhaps others, and asked for this information to be passed onto
individual communities. This means that we trust the established lines
of communication; village pumps, the Wikipedia Signpost, the usual
fora for announcements...we trust those to work.
The actual responsibility for communication throughout the Foundation,
between the Board and the communities, and the development and system
administration teams and those communities lies with the
Communications Committee, who do not, as far as I can see, appear to
have provided any advice to communities on this issue. This means, in
my opinion, that they have failed to act within their remit.
You're also inflating the position of administrator, all of you, in
saying that they are the only accounts worth protecting with decent
passwords. Pure bosh; a compromised bot account is just as harmful,
because a properly flagged bot is able to bypass captchas and make
edits which do not immediately show up on many change lists, including
recent changes, and watchlists.
At the end of the day, an administrator is just a user who is able to
delete pages and images and edit a few protected pages. All of this
can be undone; it's just a matter of how much it inconveniences us to
restore order. I would also point out that unauthorised access to the
CheckUser tool, in itself, does not constitute a serious problem,
although it is a complicated privacy issue; the disclosure of
information gained through the tool is much more damaging than some
user who may have cracked David Gerard's password (in a parallel
dimension, of course) knowing that, zomg, Kelly Martin is Jimbo!
~()____) This message will self-destruct in 5 seconds...
I have to chuckle at the fact that someone is ranting about
"professionalism" and presentation, and then signs their emails with
something like that.
Rob Church