It appears someone is cracking easily-guessable passwords of accounts on Wikipedia. Until measures are undertaken to check all accounts for weak passwords and make people use stronger passwords, I encourage everyone whose password is 'weak' to log in now and change your password to something stronger.
Here are some tips for strong passwords:
* Don't use words you would find in the dictionary.
* Don't use 'password' or something like that for your password.
* Don't use a derivative of your username as a password.
* Don't use something like "god" or "fuckyou". They really are very common as passwords.
* Don't use the same password as you use for other sites or your email.
* Use a mix of upper case and lower case letters.
* Use symbols and numbers.
* Make it at least 8 characters long.
I hope this is a help to someone.
~Mark Ryan
On 07/05/07, Mark Ryan ultrablue@gmail.com wrote:
Here are some tips for strong passwords:
http://geodsoft.com/howto/password/common.htm http://www.modernlifeisrubbish.co.uk/article/top-10-most-common-passwords
- d.
I've added a question to all en.wp's running RfA that asks candidates if their password is "[[..] alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the weakest password list?".
On 5/7/07, David Gerard dgerard@gmail.com wrote:
On 07/05/07, Mark Ryan ultrablue@gmail.com wrote:
Here are some tips for strong passwords:
http://geodsoft.com/howto/password/common.htm http://www.modernlifeisrubbish.co.uk/article/top-10-most-common-passwords
- d.
WikiEN-l mailing list WikiEN-l@lists.wikimedia.org To unsubscribe from this mailing list, visit: http://lists.wikimedia.org/mailman/listinfo/wikien-l
On 07/05/07, Snowolf mtazio@gmail.com wrote:
I've added a question to all en.wp's running RfA that asks candidates if their password is "[[..] alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the weakest password list?".
o lord, not another question on RFA.
I did just add to [[Wikipedia:Administrators]] a note -
Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have cryptographically weak passwords will have their privileges removed on grounds of site security. This means that if your password can be cracked by the developers, they will take away your admin bit before someone "borrows" it for malicious purposes.
http://en.wikipedia.org/wiki/Wikipedia:Administrators#Becoming_an_administra...
I've added a comment in the wikitext that this is since the Main Page was deleted and Tubgirl put in the sitenotice ;-)
- d.
;-)
Brion is checking actual admins, but it would be ironic if the new ones would make the same mistake ;-)
On 5/7/07, David Gerard dgerard@gmail.com wrote:
On 07/05/07, Snowolf mtazio@gmail.com wrote:
I've added a question to all en.wp's running RfA that asks candidates if their password is "[[..] alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the weakest password list?".
o lord, not another question on RFA.
I did just add to [[Wikipedia:Administrators]] a note -
Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have cryptographically weak passwords will have their privileges removed on grounds of site security. This means that if your password can be cracked by the developers, they will take away your admin bit before someone "borrows" it for malicious purposes.
http://en.wikipedia.org/wiki/Wikipedia:Administrators#Becoming_an_administra...
I've added a comment in the wikitext that this is since the Main Page was deleted and Tubgirl put in the sitenotice ;-)
- d.
I did just add to [[Wikipedia:Administrators]] a note -
Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have cryptographically weak passwords will have their privileges removed on grounds of site security. This means that if your password can be cracked by the developers, they will take away your admin bit before someone "borrows" it for malicious purposes.
Is that true? If the recent check of all en admins passwords is anything to go by, they are simply forced to change their password, they aren't desysopped.
On 08/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
I did just add to [[Wikipedia:Administrators]] a note -
Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have cryptographically weak passwords will have their privileges removed on grounds of site security. This means that if your password can be cracked by the developers, they will take away your admin bit before someone "borrows" it for malicious purposes.
Is that true? If the recent check of all en admins passwords is anything to go by, they are simply forced to change their password, they aren't desysopped.
Not yet, looks like. I'd suspect it's likely for the future.
- d.
I've just been asked on my RfA.: Is your password alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the [http://geodsoft.com/howto/password/common.htm weakest password list]? (just answer ''yes'' plz)''' and I have answered "It meet the requirements of being secure to a greater degree than those specified. I have followed the discussion of this both on WP and on the wikien-l list and I do not think there is agreement yet on just what the requirement should be and how it should be worded"
On 5/7/07, David Gerard dgerard@gmail.com wrote:
On 08/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
I did just add to [[Wikipedia:Administrators]] a note -
Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have cryptographically weak passwords will have their privileges removed on grounds of site security. This means that if your password can be cracked by the developers, they will take away your admin bit before someone "borrows" it for malicious purposes.
Is that true? If the recent check of all en admins passwords is anything to go by, they are simply forced to change their password, they aren't desysopped.
Not yet, looks like. I'd suspect it's likely for the future.
- d.
On 5/7/07, David Goodman dgoodmanny@gmail.com wrote:
I've just been asked on my RfA.: Is your password alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the [http://geodsoft.com/howto/password/common.htm weakest password list]? (just answer ''yes'' plz)''' and I have answered "It meet the requirements of being secure to a greater degree than those specified. I have followed the discussion of this both on WP and on the wikien-l list and I do not think there is agreement yet on just what the requirement should be and how it should be worded"
That sort of questions on RFA are borderly dickery, pseudo trollish, and definitely the wrong way to approach the issue. If I were on RFA, I wouldn't answer it (I wouldn't even pass RFA these days anyway... so *shrug*)
Pedro Sanchez wrote:
That sort of questions on RFA are borderly dickery, pseudo trollish, and definitely the wrong way to approach the issue. If I were on RFA, I wouldn't answer it (I wouldn't even pass RFA these days anyway... so *shrug*)
For what it's worth, I didn't mind answering it. I thought all the RfA questions were interesting and fun.
Even if some questions were pseudo-trollish (not that mine were), I think that's fine. I'd rather we were sure that an admin can keep their cool in the face of well-meant but awkward or kooky comments.
William
On 5/7/07, William Pietri william@scissor.com wrote:
Pedro Sanchez wrote:
That sort of questions on RFA are borderly dickery, pseudo trollish, and definitely the wrong way to approach the issue. If I were on RFA, I wouldn't answer it (I wouldn't even pass RFA these days anyway... so *shrug*)
For what it's worth, I didn't mind answering it. I thought all the RfA questions were interesting and fun.
Even if some questions were pseudo-trollish (not that mine were), I think that's fine. I'd rather we were sure that an admin can keep their cool in the face of well-meant but awkward or kooky comments.
William
One other problem Wikipedia has. If you log onto Wikipedia on a public computer, your user name stays forever on that public computer--there is no way to not have a computer you use not save your Wikipedia user name. Web sites that do this are just asking for their users' accounts to be hacked--the rest of the universe is probably not as rich and computer savvy as many Wikipedia editors.
People aren't necessarily going around trying to crack admin accounts. I used to all the time sign on to people's accounts on public computers, when I had to spend a lot of time using public computers. I never spent time on password guessing, I simply tried two or three obvious ones. Usually fuckyou or password. I'm not voyeuristic, so I never did anything except log off, but it was curious that I got in more often than not. Try it some time at a public library or other public internet spot, find a web page someone has logged into and guess their password--2/3 of the time you will succeed.
Alphanumeric? fuckyou123, abc123, 123abc, and password123 all go a long way with alphanumeric accounts.
KP
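Added example, not part of any message in this thread: a checker for the tips listed in the first message that also catches the case raised just above, where digits are tacked onto a common password to satisfy an "alphanumeric" rule. The word lists, the substitution table and the `ExampleUser` name are constructed for illustration, and the dictionary test only matches a whole word with padding around it.

```python
import re

MIN_LENGTH = 8  # "Make it at least 8 characters long."

# Constructed stand-ins; a real check would load a full common-password
# list and a dictionary file instead of these few entries.
COMMON_PASSWORDS = {"password", "god", "abc", "qwerty", "letmein"}
DICTIONARY = {"dragon", "monkey", "sunshine", "wikipedia"}

# Simple character substitutions to undo before comparing against the lists.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

TOO_SHORT = "shorter than 8 characters"
NO_MIXED_CASE = "no mix of upper and lower case"
NO_DIGIT_OR_SYMBOL = "missing a number or a symbol"
GUESSABLE = "common password or dictionary word"
FROM_USERNAME = "derived from the username"


def strip_padding(text):
    """Remove digits and symbols stuck on the front or back of a word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def candidate_forms(password):
    """Return the reduced forms of a password that a plain word list would match."""
    lowered = password.lower()
    undone = lowered.translate(SUBSTITUTIONS)
    return {
        lowered,
        strip_padding(lowered),
        undone,
        strip_padding(undone),
        strip_padding(lowered).translate(SUBSTITUTIONS),
    }


def check_password(password, username):
    """Return the list of tips the password breaks; an empty list means it passes.

    Reuse of the same password on other sites cannot be checked locally,
    so that tip is not covered here.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(TOO_SHORT)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append(NO_MIXED_CASE)
    if not (re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        failures.append(NO_DIGIT_OR_SYMBOL)

    forms = candidate_forms(password)
    if forms & (COMMON_PASSWORDS | DICTIONARY):
        failures.append(GUESSABLE)

    # Compare against the username with spaces and punctuation removed.
    name = re.sub(r"[^a-z0-9]", "", username.lower())
    if len(name) >= 3 and any(
        name in form or (len(form) >= 4 and form in name) for form in forms
    ):
        failures.append(FROM_USERNAME)
    return failures


if __name__ == "__main__":
    # Constructed sample passwords for a constructed account name.
    for sample in ["password123", "abc123", "123abc", "P4ssw0rd!",
                   "ExampleUser#2007", "kV7#pQ2!wzLm"]:
        print(sample, "->", check_password(sample, "ExampleUser") or "ok")
```

`P4ssw0rd!` satisfies every composition rule (length, mixed case, number, symbol) and is still rejected, because the list comparison runs on the reduced forms rather than on the raw string.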
On 5/8/07, K P kpbotany@gmail.com wrote:
One other problem Wikipedia has. If you log onto Wikipedia on a public computer, your user name stays forever on that public computer--there is no way to not have a computer you use not save your Wikipedia user name. Web sites that do this are just asking for their users' accounts to be hacked--the rest of the universe is probably not as rich and computer savvy as many Wikipedia editors.
Not forever, and it's simple to have the 3 most common browsers to "forget that data". You just need to learn it. So it's incorrect to state "there is no way to not have a computer you use not save your Wikipedia user name"
Of course, if you don't know how, you can't do it. But it's not impossible and it's not hard either.
People aren't necessarily going around trying to crack admin accounts. I used to all the time sign on to people's accounts on public computers, when I had to spend a lot of time using public computers. I never spent time on password guessing, I simply tried two or three obvious ones. Usually fuckyou or password. I'm not voyeuristic, so I never did anything except log off, but it was curious that I got in more often than not. Try it some time at a public library or other public internet spot, find a web page someone has logged into and guess their password--2/3 of the time you will succeed.
Alphanumeric? fuckyou123, abc123, 123abc, and password123 all go a long way with alphanumeric accounts.
KP
With all this talk about password security, I was just wondering, what is the *maximum* password length?
Thanks, ~~~~
Given that we're now allowing login via HTTPS, how about providing an option for client-certificate-based login?
-- Neil
on 5/8/07 7:16 AM, Neil Harris at usenet@tonal.clara.co.uk wrote:
Given that we're now allowing login via HTTPS, how about providing an option for client-certificate-based login?
Anyone,
Same thread - different question. This message has been placed on my Watch List Page: "For your own security, please choose a secure password." I went ahead and did change my password to a longer, mixed case one. Will this message eventually disappear, or is it telling me I still need to change to something more secure?
Just asking,
Marc Riddell
On 08/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
Same thread - different question. This message has been placed on my Watch List Page: "For your own security, please choose a secure password." I went ahead and did change my password to a longer, mixed case one. Will this message eventually disappear, or is it telling me I still need to change to something more secure?
If you hit the "[dismiss]" link at the end, you shouldn't see it again while you're logged-in, unless/until it's updated with a different message.
- d.
on 5/8/07 7:53 AM, David Gerard at dgerard@gmail.com wrote:
On 08/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
Same thread - different question. This message has been placed on my Watch List Page: "For your own security, please choose a secure password." I went ahead and did change my password to a longer, mixed case one. Will this message eventually disappear, or is it telling me I still need to change to something more secure?
If you hit the "[dismiss]" link at the end, you shouldn't see it again while you're logged-in, unless/until it's updated with a different message.
David,
Thanks for replying. In this case there is no "dismiss" link.
Marc
On 08/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
Thanks for replying. In this case there is no "dismiss" link.
Odd, it just worked for me ... might be an odd Javascript issue. I'm using Firefox 2 on Windows XP here.
In any case, you can indeed ignore it if your password is better :-)
- d.
on 5/8/07 8:10 AM, David Gerard at dgerard@gmail.com wrote:
On 08/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
Thanks for replying. In this case there is no "dismiss" link.
Odd, it just worked for me ... might be an odd Javascript issue. I'm using Firefox 2 on Windows XP here.
In any case, you can indeed ignore it if your password is better :-)
Thanks, David,
No surprise if it's a Javascript issue. I have it enabled, but at times it gets very cranky. Oh well, patience is the only virtue I have left ;-).
Marc
On 08/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
Same thread - different question. This message has been placed on my Watch List Page: "For your own security, please choose a secure password."
It also says "...or see this guide for help..." where "this guide" is http://meta.wikimedia.org/wiki/Don%27t_leave_your_fly_open . I think that's a remarkably stupid name for something that's going to appear on the top of everyone's watchlist. It clearly marks out Wikipedia as being dominated by tactless male geeks who have difficulty with understanding appropriate social interaction, which is an image we should be doing our best to move away from at high speed.
On 5/8/07, Pedro Sanchez pdsanchez@gmail.com wrote:
On 5/8/07, K P kpbotany@gmail.com wrote:
One other problem Wikipedia has. If you log onto Wikipedia on a public computer, your user name stays forever on that public computer--there is no way to not have a computer you use not save your Wikipedia user name. Web sites that do this are just asking for their users' accounts to be hacked--the rest of the universe is probably not as rich and computer savvy as many Wikipedia editors.
Not forever, and it's simple to have the 3 most common browsers to "forget that data". You just need to learn it. So it's incorrect to state "there is no way to not have a computer you use not save your Wikipedia user name"
Of course, if you don't know how, you can't do it. But it's not impossible and it's not hard either.
This is about people who use public computers. Many public computers don't allow you to access browser settings. Many people using public computers are using them because they don't have one at home, these are the people least likely to know how to do this, or that it needs done, even if they were able to access browser settings on the public computer. Wikipedia needs to function in a way that doesn't require you to be a computer geek--it's a rich world, but only for a small elite portion of the people living on it. Wikipedia as a community doesn't seem to think well beyond their limited sphere--this is always disappointing.
KP
On 08/05/07, David Goodman dgoodmanny@gmail.com wrote:
I have answered "It meet the requirements of being secure to a greater degree than those specified. I have followed the discussion of this both on WP and on the wikien-l list and I do not think there is agreement yet on just what the requirement should be and how it should be worded"
--
David Goodman, Ph.D, M.L.S.
I must say, the entire débacle seems most unprofessional and not particularly well managed. We should not even be in this situation at present, never mind trying to figure out the best response.
Zoney
On 5/8/07, Zoney zoney.ie@gmail.com wrote:
I must say, the entire débacle seems most unprofessional and not particularly well managed. We should not even be in this situation at present, never mind trying to figure out the best response.
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
In particular, our IT resources have always been stretched, and the people we do have have been busy keeping the place running. In a stretched organization, things only get fixed when they become real problems.
All I'm surprised about is that it took this long for someone to try some serious password attempts.
-Matt
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
-Matt
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down. However, the project *is* taken seriously by those of us involved, and attempts to pass itself off as a serious endeavour. Indeed that mostly works, and so a large section of the media and the public take the project seriously (maybe they shouldn't). That is why I consider it serious for us to be so unprofessional about such a critical issue as site security.
Is there an official line on what needs to be done, and what exactly administrators should do with respect to passwords? Has it been relayed to each and every administrator in a proper fashion? (the email I received was rather informal) Is this information put to new admins (or even ordinary users) in a coherent fashion? I do not think being knowledgable on the subject of password security should be a necessary criterion for a Wikipedia administrator. So there needs to be a definitive process for the uninitiated to follow.
Zoney
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
-Matt
on 5/8/07 8:03 PM, Zoney at zoney.ie@gmail.com wrote:
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down.
Yes! And anyone not seeing this is either not paying attention, or is living the very definition of denial.
Marc Riddell
Marc Riddell wrote:
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down.
Yes! And anyone not seeing this is either not paying attention, or is living the very definition of denial.
I'm sure we all look forward to you guys proposing detailed plans of action, or offering donations for more professional staff. Especially given you've concluded that anybody with a different opinion couldn't possibly have, say, actual reasoning behind it, I'm sure you have a solution to share.
William
on 5/9/07 3:39 AM, William Pietri at william@scissor.com wrote:
Marc Riddell wrote:
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down.
Yes! And anyone not seeing this is either not paying attention, or is living the very definition of denial.
I'm sure we all look forward to you guys proposing detailed plans of action, or offering donations for more professional staff. Especially given you've concluded that anybody with a different opinion couldn't possibly have, say, actual reasoning behind it, I'm sure you have a solution to share.
William,
Actually, there are some ideas taking form, but they're not ready for prime time :-).
Question: Do you believe a city of 10 million people can be successfully managed in the same way as a village of 10?
Marc
Zoney wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
-Matt
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down. However, the project *is* taken seriously by those of us involved, and attempts to pass itself off as a serious endeavour. Indeed that mostly works, and so a large section of the media and the public take the project seriously (maybe they shouldn't). That is why I consider it serious for us to be so unprofessional about such a critical issue as site security.
Is there an official line on what needs to be done, and what exactly administrators should do with respect to passwords? Has it been relayed to each and every administrator in a proper fashion? (the email I received was rather informal) Is this information put to new admins (or even ordinary users) in a coherent fashion? I do not think being knowledgable on the subject of password security should be a necessary criterion for a Wikipedia administrator. So there needs to be a definitive process for the uninitiated to follow.
Who are you calling unprofessional? The people who quickly, competently and comprehensively fixed the problem on the server side, or the people who jumped up and down on the lists and wikis about the need for everyone to change their passwords? I think you should make that clear.
-- Tim Starling
On 0, Tim Starling tstarling@wikimedia.org scribbled:
Zoney wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
-Matt
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down. However, the project *is* taken seriously by those of us involved, and attempts to pass itself off as a serious endeavour. Indeed that mostly works, and so a large section of the media and the public take the project seriously (maybe they shouldn't). That is why I consider it serious for us to be so unprofessional about such a critical issue as site security.
Is there an official line on what needs to be done, and what exactly administrators should do with respect to passwords? Has it been relayed to each and every administrator in a proper fashion? (the email I received was rather informal) Is this information put to new admins (or even ordinary users) in a coherent fashion? I do not think being knowledgable on the subject of password security should be a necessary criterion for a Wikipedia administrator. So there needs to be a definitive process for the uninitiated to follow.
Who are you calling unprofessional? The people who quickly, competently and comprehensively fixed the problem on the server side, or the people who jumped up and down on the lists and wikis about the need for everyone to change their passwords? I think you should make that clear.
-- Tim Starling
I think he's clearly referring to the community and possibly the Board; elements have not responded particularly calmly and rationally. I don't see any basis on which to criticize the developers - from what I've heard, they/you dropped everything to run the password cracker on admin accounts and begin coding up protection from guessing attacks to add to the login page.
-- Gwern Inquiring minds want to know.
On 5/8/07, Tim Starling tstarling@wikimedia.org wrote:
Who are you calling unprofessional? The people who quickly, competently and comprehensively fixed the problem on the server side, or the people who jumped up and down on the lists and wikis about the need for everyone to change their passwords? I think you should make that clear.
I think he's talking about the fact that it was so easy to mass crack passwords in the first place.
On April 26, Brion announced that an attacker was "mass-abusing accounts with weak passwords". Then, on or about May 6, an admin account is cracked. Doesn't seem like a quick, competent, and comprehensive fix to me.
I'm not sure any individual in particular is to blame. I suppose Brion is supposed to be the one in charge of such things, but in my opinion he doesn't have the staff or budget to do it. Maybe he's the one who has chosen to spend so much money on hardware and so little on staff, but I suspect that's more a board thing.
I've suggested before that a lease of servers would make a lot more sense than all those capital expenditures, and this is a good example of why that's true.
Anthony
Anthony wrote:
I've suggested before that a lease of servers would make a lot more sense than all those capital expenditures, and this is a good example of why that's true.
Could you say more about that?
When I've looked at server leasing before I could never make the cost numbers work out, as the server lease arrangements were either a) from high-end companies that charged a premium for their gear, or b) were through private lease-what-you-want companies that charged too much for custom deals. But I haven't done mass gear purchases in a while, so I am probably out of touch with how you whippersnappers do it these days. :-)
William
On 5/9/07, William Pietri william@scissor.com wrote:
Anthony wrote:
I've suggested before that a lease of servers would make a lot more sense than all those capital expenditures, and this is a good example of why that's true.
Could you say more about that?
When I've looked at server leasing before I could never make the cost numbers work out, as the server lease arrangements were either a) from high-end companies that charged a premium for their gear, or b) were through private lease-what-you-want companies that charged too much for custom deals. But I haven't done mass gear purchases in a while, so I am probably out of touch with how you whippersnappers do it these days. :-)
You could never make the cost numbers work out compared to what? A lease is pretty much always going to cost more in the long run compared to an outright purchase price, as you're essentially paying to borrow money from someone. But, especially as interest rates are currently low, this type of purchase is perfectly suited to a corporation like Wikimedia which is experiencing such dramatic growth.
Let's say the major fundraisers come twice a year. Let's say a lease can be had for 1/30 the purchase cost per month over 30 months. That's a really high estimate, based on Dell and rounding the cost up, and surely the WMF can do better. Let's assume fundraisers of $40,000, $100,000, $167,000, $300,000, and $500,000 (taken from the financials, rounded, and estimating in order to break up into semi-annual figures). Assume capital expenditures of $35,000, $55,000, $85,000, $150,000, and $275,000 (same methodology).
With a lease, you spend $7000, $18000, $35000, $65000, and $120000 each half year. With the extra cash flow you can easily hire a couple of extra staff members plus pay a few consultants for "one-time" things like security audits. From what I've seen of MediaWiki I have little doubt the code contains serious security flaws, and I think we all know that the system has numerous DOS attack points.
The downside of a lease - there's no capital left over at any stage of the game. But considering that Wikipedia's value is currently about 99.9% goodwill anyway, I wouldn't call that much of a problem.
Anthony
Anthony wrote:
On 5/9/07, William Pietri william@scissor.com wrote:
Anthony wrote:
I've suggested before that a lease of servers would make a lot more sense than all those capital expenditures, and this is a good example of why that's true.
Could you say more about that?
When I've looked at server leasing before I could never make the cost numbers work out, as the server lease arrangements were either a) from high-end companies that charged a premium for their gear, or b) were through private lease-what-you-want companies that charged too much for custom deals. But I haven't done mass gear purchases in a while, so I am probably out of touch with how you whippersnappers do it these days. :-)
You could never make the cost numbers work out compared to what? A lease is pretty much always going to cost more in the long run compared to an outright purchase price, as you're essentially paying to borrow money from someone. But, especially as interest rates are currently low, this type of purchase is perfectly suited to a corporation like Wikimedia which is experiencing such dramatic growth.
Leasing companies do not simply vary their leasing rates with the current market interest rates. Also note that for a tax free company the tax deductibility benefit from lease payments is not there.
Let's say the major fundraisers come twice a year. Let's say a lease can be had for 1/30 the purchase cost per month over 30 months.
Where are you ever going to find a 30-month lease that simply divides the purchase price by 30. The ones that do that tend to have a stiff buy out at the end of the contract. The server will more often than not have a useful life that exceeds the 30 months.
That's a really high estimate, based on Dell and rounding the cost up, and surely the WMF can do better. Let's assume fundraisers of $40,000, $100,000, $167,000, $300,000, and $500,000 (taken from the financials, rounded, and estimating in order to break up into semi-annual figures). Assume capital expenditures of $35,000, $55,000, $85,000, $150,000, and $275,000 (same methodology).
The effects of fundraising should only have an indirect effect on plans. It's far more useful to have a hardware plan that provides regular replacement of equipment that is no longer useful. If we have 30 servers operational at a given time purchasing one replacement server per month would be cheaper than the monthly lease payments on 30 servers.
With a lease, you spend $7000, $18000, $35000, $65000, and $120000 each half year. With the extra cash flow you can easily hire a couple of extra staff members plus pay a few consultants for "one-time" things like security audits. From what I've seen of MediaWiki I have little doubt the code contains serious security flaws, and I think we all know that the system has numerous DOS attack points.
The downside of a lease - there's no capital left over at any stage of the game. But considering that Wikipedia's value is currently about 99.9% goodwill anyway, I wouldn't call that much of a problem.
Goodwill remains an intangible asset, and that intangible asset needs to be supported by very tangible hardware. To do a proper analysis of the situation we need to know the cash price for the piece of equipment, the monthly lease payment, any setup fees for the lease, and the contract buyout amount at the end of the lease.
Ec
On 5/9/07, Ray Saintonge saintonge@telus.net wrote:
Anthony wrote:
On 5/9/07, William Pietri william@scissor.com wrote:
Anthony wrote:
I've suggested before that a lease of servers would make a lot more sense than all those capital expenditures, and this is a good example of why that's true.
Could you say more about that?
When I've looked at server leasing before I could never make the cost numbers work out, as the server lease arrangements were either a) from high-end companies that charged a premium for their gear, or b) were through private lease-what-you-want companies that charged too much for custom deals. But I haven't done mass gear purchases in a while, so I am probably out of touch with how you whippersnappers do it these days. :-)
You could never make the cost numbers work out compared to what? A lease is pretty much always going to cost more in the long run compared to an outright purchase price, as you're essentially paying to borrow money from someone. But, especially as interest rates are currently low, this type of purchase is perfectly suited to a corporation like Wikimedia which is experiencing such dramatic growth.
Leasing companies do not simply vary their leasing rates with the current market interest rates. Also note that for a tax free company the tax deductibility benefit from lease payments is not there.
I'm not sure what you mean by the first sentence. Interest rates aren't the only factor in a lease, but they are a factor. As for the tax benefits of leasing, right, that isn't a factor in the WMF decision.
Let's say the major fundraisers come twice a year. Let's say a lease can be had for 1/30 the purchase cost per month over 30 months.
Where are you ever going to find a 30-month lease that simply divides the purchase price by 30? The ones that do that tend to have a stiff buy out at the end of the contract. The server will more often than not have a useful life that exceeds the 30 months.
Here comes the answer:
That's a really high estimate, based on Dell and rounding the cost up, and surely the WMF can do better.
I looked it up on Dell, and then rounded the cost up. The buyout option is for fair market value. If you return the equipment at the end of the lease, you owe nothing. I assumed that the WMF would not want to exercise that option anyway. 30 month old hardware is obsolete.
If you think my numbers are way off, please tell me what numbers you think are more reasonable.
Let's assume fundraisers of $40,000, $100,000, $167,000, $300,000, and $500,000 (taken from the financials, rounded, and estimating in order to break up into semi-annual figures). Assume capital expenditures of $35,000, $55,000, $85,000, $150,000, and $275,000 (same methodology).
The effects of fundraising should only have an indirect effect on plans. It's far more useful to have a hardware plan that provides regular replacement of equipment that is no longer useful. If we have 30 servers operational at a given time purchasing one replacement server per month would be cheaper than the monthly lease payments on 30 servers.
Actually, it'd be about equal. But this isn't at all a realistic scenario. Hardware needs are growing, not static, the servers are not going to fail at such an even rate, and hardware is going to probably last longer than 30 months on average. The first two points favor leasing, the last favors buying.
With a lease, you spend $7000, $18000, $35000, $65000, and $120000 each half year. With the extra cash flow you can easily hire a couple of extra staff members plus pay a few consultants for "one-time" things like security audits. From what I've seen of MediaWiki I have little doubt the code contains serious security flaws, and I think we all know that the system has numerous DOS attack points.
The downside of a lease - there's no capital left over at any stage of the game. But considering that Wikipedia's value is currently about 99.9% goodwill anyway, I wouldn't call that much of a problem.
Goodwill remains an intangible asset, and that intangible asset needs to be supported by very tangible hardware. To do a proper analysis of the situation we need to know the cash price for the piece of equipment, the monthly lease payment, any setup fees for the lease, and the contract buyout amount at the end of the lease.
As I said before, the contract buyout amount is irrelevant, because I'm assuming the option won't be exercised. If it turns out to the WMF's advantage to exercise the option, then that just swings the situation even *more* in favor of leasing. As for the cash price for the equipment, I took that from the financial statements. The monthly lease payments were estimated as I explained above. The setup fees on such a large contract would be negligible, likely less than half a percent.
As for goodwill being an intangible asset which needs to be supported by hardware right now, that's precisely why leasing is such an attractive option for the WMF.
Anthony
Anthony wrote:
On 5/9/07, Ray Saintonge saintonge@telus.net wrote:
Leasing companies do not simply vary their leasing rates with the current market interest rates. Also note that for a tax free company the tax deductibility benefit from lease payments is not there.
I'm not sure what you mean by the first sentence. Interest rates aren't the only factor in a lease, but they are a factor. As for the tax benefits of leasing, right, that isn't a factor in the WMF decision.
Then work out what the real interest rate is in a lease by summing the present value of each payment and solving the resultant exponential equation for the interest. You will see that the effective interest rate will be considerably more than the current market rate of interest charged by banks on loans.
Let's say the major fundraisers come twice a year. Let's say a lease can be had for 1/30 the purchase cost per month over 30 months.
Where are you ever going to find a 30-month lease that simply divides the purchase price by 30? The ones that do that tend to have a stiff buy out at the end of the contract. The server will more often than not have a useful life that exceeds the 30 months.
Here comes the answer:
That's a really high estimate, based on Dell and rounding the cost up, and surely the WMF can do better.
I looked it up on Dell, and then rounded the cost up. The buyout option is for fair market value. If you return the equipment at the end of the lease, you owe nothing. I assumed that the WMF would not want to exercise that option anyway. 30 month old hardware is obsolete.
Some of our existing hardware is more than 30 months old, and still doing its job. It may not be able to take on the more sophisticated programs, but if it can still be a workhorse doing what it always has done then it is still worth keeping.
If you think my numbers are way off, please tell me what numbers you think are more reasonable.
I'll be glad to use your numbers if you give me real numbers for a specific hardware unit of your choice. As I said before this would be 1. The cash price of the unit, 2. The leasing fees added to the price of the unit, 3. The monthly payments, and 4. The buyout price at the end.
In these assumptions income tax deductibility would be irrelevant for a non-profit company, and sales taxes won't matter as long as they are applied pro-rata on everything.
Let's assume fundraisers of $40,000, $100,000, $167,000, $300,000, and $500,000 (taken from the financials, rounded, and estimating in order to break up into semi-annual figures). Assume capital expenditures of $35,000, $55,000, $85,000, $150,000, and $275,000 (same methodology).
The effects of fundraising should only have an indirect effect on plans. It's far more useful to have a hardware plan that provides regular replacement of equipment that is no longer useful. If we have 30 servers operational at a given time purchasing one replacement server per month would be cheaper than the monthly lease payments on 30 servers.
Actually, it'd be about equal. But this isn't at all a realistic scenario. Hardware needs are growing, not static, the servers are not going to fail at such an even rate, and hardware is going to probably last longer than 30 months on average. The first two points favor leasing, the last favors buying.
Yes, hardware needs are growing, and it's the extra life beyond 30 months that allows you to pay for expanding needs.
With a lease, you spend $7000, $18000, $35000, $65000, and $120000 each half year. With the extra cash flow you can easily hire a couple of extra staff members plus pay a few consultants for "one-time" things like security audits. From what I've seen of MediaWiki I have little doubt the code contains serious security flaws, and I think we all know that the system has numerous DOS attack points.
The downside of a lease - there's no capital left over at any stage of the game. But considering that Wikipedia's value is currently about 99.9% goodwill anyway, I wouldn't call that much of a problem.
Goodwill remains an intangible asset, and that intangible asset needs to be supported by very tangible hardware. To do a proper analysis of the situation we need to know the cash price for the piece of equipment, the monthly lease payment, any setup fees for the lease, and the contract buyout amount at the end of the lease.
As I said before, the contract buyout amount is irrelevant, because I'm assuming the option won't be exercised. If it turns out to the WMF's advantage to exercise the option, then that just swings the situation even *more* in favor of leasing. As for the cash price for the equipment, I took that from the financial statements. The monthly lease payments were estimated as I explained above. The setup fees on such a large contract would be negligible, likely less than half a percent.
The terminal payout is key to the comparison. To make a true comparison to not buying out the lease at the end one needs to assume that the fair market value for the leased hardware is equal to the fair market value of the purchased hardware if you were to sell it. If it's not realistic to sell that computer then why is the leasing company trying to sell it to you at an inflated price?
Ec
On 5/10/07, Ray Saintonge saintonge@telus.net wrote:
Anthony wrote:
On 5/9/07, Ray Saintonge saintonge@telus.net wrote:
Leasing companies do not simply vary their leasing rates with the current market interest rates. Also note that for a tax free company the tax deductibility benefit from lease payments is not there.
I'm not sure what you mean by the first sentence. Interest rates aren't the only factor in a lease, but they are a factor. As for the tax benefits of leasing, right, that isn't a factor in the WMF decision.
Then work out what the real interest rate is in a lease by summing the present value of each payment and solving the resultant exponential equation for the interest. You will see that the effective interest rate will be considerably more than the current market rate of interest charged by banks on loans.
Of course it is. Interest rates are still a factor though. As interest rates go down, leases tend to become more favorable.
I looked it up on Dell, and then rounded the cost up. The buyout option is for fair market value. If you return the equipment at the end of the lease, you owe nothing. I assumed that the WMF would not want to exercise that option anyway. 30 month old hardware is obsolete.
Some of our existing hardware is more than 30 months old, and still doing its job. It may not be able to take on the more sophisticated programs, but if it can still be a workhorse doing what it always has done then it is still worth keeping.
30 month hardware will still work, but in my experience it's almost never cost effective to buy such hardware instead of buying new.
If you think my numbers are way off, please tell me what numbers you think are more reasonable.
I'll be glad to use your numbers if you give me real numbers for a specific hardware unit of your choice. As I said before this would be 1. The cash price of the unit, 2. The leasing fees added to the price of the unit, 3. The monthly payments, and 4. The buyout price at the end.
Power Edge 6800
- Cash price of the unit: $5,000.
- Leasing fees: $75.
- Monthly payments: $167/month
- Buyout price: Fair Market Value
Yes, hardware needs are growing, and it's the extra life beyond 30 months that allows you to pay for expanding needs.
Only if you have the capital to do so in the first place. Wikimedia doesn't. The budget is stretched horribly thin, to the point where unacceptable tradeoffs are being made.
The terminal payout is key to the comparison. To make a true comparison to not buying out the lease at the end one needs to assume that the fair market value for the leased hardware is equal to the fair market value of the purchased hardware if you were to sell it. If it's not realistic to sell that computer then why is the leasing company trying to sell it to you at an inflated price?
Selling used hardware takes effort and costs money. While it's true that the WMF could potentially sell its hardware after 30 months, they wouldn't receive fair market value for it, because of the overhead costs. The fair market value of a server after 30 months is small. The overhead would make such a sale prohibitive.
Anthony
Anthony wrote:
On 5/10/07, Ray Saintonge saintonge@telus.net wrote:
Anthony wrote:
On 5/9/07, Ray Saintonge saintonge@telus.net wrote:
Leasing companies do not simply vary their leasing rates with the current market interest rates. Also note that for a tax free company the tax deductibility benefit from lease payments is not there.
I'm not sure what you mean by the first sentence. Interest rates aren't the only factor in a lease, but they are a factor. As for the tax benefits of leasing, right, that isn't a factor in the WMF decision.
Then work out what the real interest rate is in a lease by summing the present value of each payment and solving the resultant exponential equation for the interest. You will see that the effective interest rate will be considerably more than the current market rate of interest charged by banks on loans.
Of course it is. Interest rates are still a factor though. As interest rates go down, leases tend to become more favorable.
Sure. It's primarily a matter of being competitive with other lessors. How does the rate of interest compare with an ordinary bank loan? That is another option for someone with cash flow problems.
I looked it up on Dell, and then rounded the cost up. The buyout option is for fair market value. If you return the equipment at the end of the lease, you owe nothing. I assumed that the WMF would not want to exercise that option anyway. 30 month old hardware is obsolete.
Some of our existing hardware is more than 30 months old, and still doing its job. It may not be able to take on the more sophisticated programs, but if it can still be a workhorse doing what it always has done then it is still worth keeping.
30 month hardware will still work, but in my experience it's almost never cost effective to buy such hardware instead of buying new.
Buying 30-month old hardware is a questionable practice for anything critical, but hardware that was bought new 30 months ago can keep doing the job that it was designated for. This is especially the case if it has consistently behaved well for all that time. My oldest active computer still has Windows 3.11, and was set up in November 1993. I would not give it any important new jobs, but it still works well for what it was intended after 162 months.
If you think my numbers are way off, please tell me what numbers you think are more reasonable.
I'll be glad to use your numbers if you give me real numbers for a specific hardware unit of your choice. As I said before this would be
- The cash price of the unit,
- The leasing fees added to the price of the unit,
- The monthly payments, and
- The buyout price at the end.
Power Edge 6800
- Cash price of the unit: $5,000.
- Leasing fees: $75.
- Monthly payments: $167/month
- Buyout price: Fair Market Value
The present value of each payment made at the beginning of each month (p0 to p29) is 167/(1+i/12)^pn where i is the effective interest rate and pn is the payment number. For the sum of these plus the leasing fee to be equal to $5,000 the interest rate would need to be 1.4%. To make the comparisons equal we have to assume that at the end one gets to keep the hardware at no cost.
A $1,000 payout at p30 taken to its present value would mean an implicit interest rate of 14.6%; a $2,000 payout would imply an interest rate of 23.9%.
Yes, hardware needs are growing, and it's the extra life beyond 30 months that allows you to pay for expanding needs.
Only if you have the capital to do so in the first place. Wikimedia doesn't. The budget is stretched horribly thin, to the point where unacceptable tradeoffs are being made.
That may be so, but it's irrelevant to the analysis. One needs to analyse the deal in its own right, and only after that has been done does one determine what one's budget will allow, and whether the cash flow benefit will be worth the extra cost. One also needs to weigh in the possibility of a conventional bank loan.
The terminal payout is key to the comparison. To make a true comparison to not buying out the lease at the end one needs to assume that the fair market value for the leased hardware is equal to the fair market value of the purchased hardware if you were to sell it. If it's not realistic to sell that computer then why is the leasing company trying to sell it to you at an inflated price?
Selling used hardware takes effort and costs money. While it's true that the WMF could potentially sell its hardware after 30 months, they wouldn't receive fair market value for it, because of the overhead costs. The fair market value of a server after 30 months is small. The overhead would make such a sale prohibitive.
If the fair market value of the server is so small after the 30 months, then the payout should be just as small. There would be no point to the lessor taking back old equipment if all it's going to do with it is throw it in the trash, and in some cases even incur recycling costs.
Ec
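The implied-rate calculation in the message above, written out as an added example that is not part of the original thread. It uses the message's own formula and figures ($5,000 cash price, $75 fee, 30 payments of $167 at the start of each month, optional payout at p30); the function names and the bisection solver are assumptions of this example.

```python
def lease_present_value(annual_rate, payment=167.0, months=30,
                        fee=75.0, payout=0.0):
    """Present value of the lease at a given annual rate.

    Payments fall at the start of each month (p0..p29), so payment pn is
    discounted by (1 + i/12)**pn, as in the message's formula. The fee is
    paid up front; an optional payout falls at p30.
    """
    monthly = annual_rate / 12.0
    pv = fee
    for pn in range(months):
        pv += payment / (1.0 + monthly) ** pn
    pv += payout / (1.0 + monthly) ** months
    return pv


def implied_annual_rate(cash_price=5000.0, payout=0.0,
                        lo=0.0, hi=1.0, tol=1e-10, **terms):
    """Solve lease_present_value(i) == cash_price for i by bisection.

    The present value falls as the rate rises, so the root is bracketed
    when PV(lo) >= cash_price >= PV(hi). If the undiscounted lease total
    is already below the cash price there is no non-negative solution.
    """
    pv_lo = lease_present_value(lo, payout=payout, **terms)
    pv_hi = lease_present_value(hi, payout=payout, **terms)
    if not (pv_lo >= cash_price >= pv_hi):
        raise ValueError("no implied rate between %.2f and %.2f" % (lo, hi))
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if lease_present_value(mid, payout=payout, **terms) > cash_price:
            lo = mid   # still worth more than cash: rate must be higher
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    # The three end-of-lease cases walked through in the message.
    for payout in (0.0, 1000.0, 2000.0):
        rate = implied_annual_rate(payout=payout)
        print("payout $%5.0f -> implied rate %.1f%%" % (payout, rate * 100))
```
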
On 5/11/07, Ray Saintonge saintonge@telus.net wrote:
Anthony wrote:
Of course it is. Interest rates are still a factor though. As interest rates go down, leases tend to become more favorable.
Sure. It's primarily a matter of being competitive with other lessors. How does the rate of interest compare with an ordinary bank loan? That is another option for someone with cash flow problems.
A loan isn't a particularly great idea for a non-profit, but it might make sense in this particular instance. I was only comparing leasing to the status quo.
There are an infinite number of possible ways the WMF could solve its cash-flow problems. I'm only presenting one. If you'd like to present another, please do.
30 month hardware will still work, but in my experience it's almost never cost effective to buy such hardware instead of buying new.
Buying 30-month old hardware is a questionable practice for anything critical, but hardware that was bought new 30 months ago can keep doing the job that it was designated for.
Sure. It can. And maybe it would even make sense for the WMF to exercise a buy option at the end of a lease. But if so, that just skews the results *more* in favor of leasing.
The present value of each payment made at the beginning of each month (p0 to p29) is 167/(1+i/12)^pn where i is the effective interest rate and pn is the payment number. For the sum of these plus the leasing fee to be equal to $5,000 the interest rate would need to be 1.4%. To make the comparisons equal we have to assume that at the end one gets to keep the hardware at no cost.
A $1,000 payout at p30 taken to its present value would mean an implicit interest rate of 14.6%; a $2,000 payout would imply an interest rate of 23.9%.
OK... Do you have a point?
Yes, hardware needs are growing, and it's the extra life beyond 30 months that allows you to pay for expanding needs.
Only if you have the capital to do so in the first place. Wikimedia doesn't. The budget is stretched horribly thin, to the point where unacceptable tradeoffs are being made.
That may be so, but it's irrelevant to the analysis. One needs to analyse the deal in its own right, and only after that has been done does one determine what one's budget will allow, and whether the cash flow benefit will be worth the extra cost.
No. The analysis of the deal is completely dependent on the cash-flow situation of the WMF. The exact same deal can be beneficial to some and detrimental to others. I certainly wouldn't lease my desktop machine, for instance. But I don't have cash-flow problems. The WMF does.
One also needs to weigh in the possibility of a conventional bank loan.
Again, I was comparing leasing to the status quo. If the WMF had chosen to get a conventional bank loan, then I would be comparing to that, but they haven't. Of course, conventional banks will finance leases also, so that option also should be weighed in. I'm not about to go to banks and ask them to give me quotes on a hypothetical situation involving a corporation I have control over. I just pulled some numbers from Dell's website, because that's what I had easy access to. The WMF could *definitely* get more favorable leasing terms, by shopping around.
Another possibility is for the WMF to issue bonds to individuals. They could probably get even lower interest rates than from a bank, maybe even could convince people to lend them money at 0%.
The bottom line is that the WMF is not spending enough on competent professionals, and there's no excuse for it.
If the fair market value of the server is so small after the 30 months, then the payout should be just as small. There would be no point to the lessor taking back old equipment if all it's going to do with it is throw it in the trash, and in some cases even incur recycling costs.
Fine, so if the FMV is low enough after 30 months, then you pay it. If it isn't, then you don't. Since we can't know the FMV beforehand, we can't know the true value of the lease. But since the buyout is optional, where the FMV is set can only add positive value to the deal, if it is set too low. So it is safe to assume it will be set fairly or too high, and that the option won't be exercised.
Anthony
On 09/05/07, Tim Starling tstarling@wikimedia.org wrote:
Zoney wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
-Matt
The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down. However, the project *is* taken seriously by those of us involved, and attempts to pass itself off as a serious endeavour. Indeed that mostly works, and so a large section of the media and the public take the project seriously (maybe they shouldn't). That is why I consider it serious for us to be so unprofessional about such a critical issue as site security.
Is there an official line on what needs to be done, and what exactly administrators should do with respect to passwords? Has it been relayed to each and every administrator in a proper fashion? (the email I received was rather informal) Is this information put to new admins (or even ordinary users) in a coherent fashion? I do not think being knowledgeable on the subject of password security should be a necessary criterion for a Wikipedia administrator. So there needs to be a definitive process for the uninitiated to follow.
Who are you calling unprofessional? The people who quickly, competently and comprehensively fixed the problem on the server side, or the people who jumped up and down on the lists and wikis about the need for everyone to change their passwords? I think you should make that clear.
-- Tim Starling
I do not fully know the ins and outs of who is responsible, nor do I know all about the good work going on behind the scenes (and maybe that should be better communicated too). All I know is that this problem was not particularly well communicated as I saw it (as someone who suddenly found out about it after the hullaballoo) and there still seemed to be great debate on the best advice for current or new Admins wrt. passwords. Also last time I checked, changing my password took place over an unsecured connection.
As regards myself, well, unless I'm mistaken Wikipedia's modus operandi is still for the most part slashdot-esque nicks rather than real names, and all the trimmings to match. I use this sig on slashdot, so for now, I think it's right at home on the Wikipedia mailing list. I'm not saying that's a good thing.
I could make a point, and go on some crusade for professionalism at Wikipedia, but I still enjoy collaborating on the project at times, and generally those pointing out Wikipedia's pitfalls and inherent problems are hounded regardless of whether it is because they want to see the project be something better. No doubt I should have not bothered to point out my observations of recent events either (as someone who chanced to read about them after the fact having seen a comment on the main page). However, I did think people shouldn't be under any illusions about how it all would look to someone outside.
Zoney
On 09/05/07, Zoney zoney.ie@gmail.com wrote:
nor do I know all about the good work going on behind the scenes (and maybe that should be better communicated too).
Well, OK, I've now read Brian's message further up my unread threads on the mailing list. Pretty much puts that to bed - good to hear of the steps being taken.
Zoney
Zoney wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
The project should be managed professionally if it is indeed a serious project.
Absolutely not!!!
Otherwise it's all just a bit of a larf and it'll eventually come crashing down.
Had we been so professional from the beginning we would never have risen high enough to be able to come crashing down.
However, the project *is* taken seriously by those of us involved, and attempts to pass itself off as a serious endeavour. Indeed that mostly works, and so a large section of the media and the public take the project seriously (maybe they shouldn't).
Maybe they shouldn't indeed, but they do. We take it seriously because we believe, and not because seriousness is an end in itself. Seriousness without soul is pomposity.
Ec
Zoney wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
The project should be managed professionally if it is indeed a serious project.
on 5/9/07 12:22 AM, Ray Saintonge at saintonge@telus.net wrote:
Absolutely not!!!
Why not, Ray?
Otherwise it's all just a bit of a larf and it'll eventually come crashing down.
Had we been so professional from the beginning we would never have risen high enough to be able to come crashing down.
Perhaps we need to begin with a definition of "professional", but, in any case, what is your reasoning here?
Marc Riddell
Marc Riddell wrote:
Zoney wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
The project should be managed professionally if it is indeed a serious project.
on 5/9/07 12:22 AM, Ray Saintonge at saintonge@telus.net wrote:
Absolutely not!!!
Why not, Ray?
The project has had over the last six years proven success despite being run almost exclusively by amateurs. Its contents have stood up well in comparisons with what competitive products there are, and where errors and inaccuracies have been noted it has had a remarkable ability for self-correction. The ludicrously low amount of money spent to maintain the site certainly ensures that it is the most cost-effective site in the world's top ten. While there have been noteworthy gaffes and outrageous entries, these nevertheless represent a minuscule proportion of articles. A certain amount of this must be expected; it cannot be eliminated completely.
The power of the project is not in the product, but in the process. In what has become McLuhan's cliché, "The medium is the message." The medium is hotter than any that McLuhan might ever have imagined. The fact that a broad public can and does now participate in building such a site as this, or any other of the big websites, is evidence of a tremendous paradigm shift in the world of communications. As Kuhn foresaw, a paradigm shift does damage to the old ways, especially to those who would cling to those old ways. People now participate because they can; they work on shaping their future because they can. The effect on the record and movie industries may be viewed by some as sad, but for others it represents new freedom and new self-esteem.
Otherwise it's all just a bit of a larf and it'll eventually come crashing down.
Had we been so professional from the beginning we would never have risen high enough to be able to come crashing down.
Perhaps we need to begin with a definition of "professional", but, in any case, what is your reasoning here?
In its crudest manifestation a professional is one who is paid to do a job. It is also a person who has "paid his dues" to the established order, and now has the credentials that permit him to repeat past mistakes. Had we been run by professionals from the beginning we might have had the same success as Nupedia. That project was as professional as we are not. It captivated no imaginations. Before we can crash down we need to have overcome the fear of flying that made us airborne in the first place.
Ec
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
Zoney wrote:
The project should be managed professionally if it is indeed a serious project.
on 5/9/07 12:22 AM, Ray Saintonge at saintonge@telus.net wrote:
Absolutely not!!!
Marc Riddell wrote:
Why not, Ray?
on 5/9/07 8:51 PM, Ray Saintonge at saintonge@telus.net wrote:
The project has had over the last six years proven success despite being run almost exclusively by amateurs.
Being "run" by, or being "constructed" by - there is a big difference. And, six years is the blink of an eye when thinking long term.
Its contents have stood up well in comparisons with what competitive products there are, and where errors and inaccuracies have been noted it has had a remarkable ability for self-correction.
I am in no way referring to the contents of the encyclopedia; that is the creative, living part of the project - and that part is superb. I am presenting to the extremely weak structure that is supposed to provide this living part with strength, leadership and shelter. In fact, if the strength of the structure were equal to that of its content, there would be no need for this conversation.
The power of the project is not in the product, but in the process.
I could not possibly disagree with more. When the process is more important than the product it creates, you have an exercise. Is the process of writing it more important than the poem?
In its crudest manifestation a professional is one who is paid to do a job. It is also a person who has "paid his dues" to the established order, and now has the credentials that permit him to repeat past mistakes.
As for the definition of "professional", I place far less emphasis on the money being exchanged, and much more on the quality of the product produced. Wikipedia, like many creative entities, must consist of two "professional" groups, those who create the product, and those who provide the structure and leadership for the other group to function within. In WP, the former group is very much alive and doing very well, the latter one (if it exists at all) is in critical condition, bordering on moribund.
Wikipedia, at present, is a "community" in the loosest definition of the term. Rather, it is a construction crew. But, most significantly, it is a construction crew without a foreman. And they are working, essentially, with only the most basic set of blueprints - both of the project, and of the company they are working for. What working plans they do have can change at the slightest whim of one or more of the workers. And, what started out as a cottage has become the Twin Towers. And, like the Towers, its collapse will be the result of the failure of internal support. But, unlike the Towers, its destruction will not come from something that occurs from without, but from what doesn't occur from within.
At the risk of offending and/or alienating those on the crew with authority problems, the company has chosen to allow the crew to fend for itself.
I have lived in communes in the past; some still flourish today. Its members are the definition of anti-authority thinking. But the ones that succeed are led by persons just as anti-authority in their beliefs as the rest, but have the interpersonal skills and trust of the community to lead.
Wikipedia is not what it started out as - but it is trying to function as though it is.
I had a difficult time putting this post together. Then I discovered it was because I was weary of the subject - and I've only been here a little over a year. Do you realize how many times the issue of "leadership" has been discussed on the Talk Pages and this List!? How many times the subject of "who's in charge" and "who is Jimmy Wales" and what role does he play in all of this, has been rehashed?
We can flail, commiserate, bemoan, intellectualize, agree, disagree... forever. But, until a leader (that foreman I referred to) is hired, appointed, anointed (or whatever the Foundation does) to actively, and with authority, direct the construction project on a day-to-day basis, the building under construction is a disaster waiting to happen.
Marc Riddell
On 5/11/07, Marc Riddell michaeldavid86@comcast.net wrote:
On 08/05/07, Matthew Brown morven@gmail.com wrote:
We're not professional. Except for a tiny bunch of people who work for the Foundation, we're all volunteers and our time is not especially coordinated. Wikipedia is what it is, and part of that is that we've grown faster than our organization has.
Zoney wrote:
The project should be managed professionally if it is indeed a serious project.
on 5/9/07 12:22 AM, Ray Saintonge at saintonge@telus.net wrote:
Absolutely not!!!
Marc Riddell wrote:
Why not, Ray?
on 5/9/07 8:51 PM, Ray Saintonge at saintonge@telus.net wrote:
The project has had over the last six years proven success despite being run almost exclusively by amateurs.
Being "run" by, or being "constructed" by - there is a big difference. And, six years is the blink of an eye when thinking long term.
Its contents have stood up well in comparisons with what competitive products there are, and where errors and inaccuracies have been noted it has had a remarkable ability for self-correction.
I am in no way referring to the contents of the encyclopedia; that is the creative, living part of the project - and that part is superb. I am presenting to the extremely weak structure that is supposed to provide this living part with strength, leadership and shelter. In fact, if the strength of the structure were equal to that of its content, there would be no need for this conversation.
The power of the project is not in the product, but in the process.
I could not possibly disagree with more. When the process is more important than the product it creates, you have an exercise. Is the process of writing it more important than the poem?
In its crudest manifestation a professional is one who is paid to do a job. It is also a person who has "paid his dues" to the established order, and now has the credentials that permit him to repeat past mistakes.
As for the definition of "professional", I place far less emphasis on the money being exchanged, and much more on the quality of the product produced. Wikipedia, like many creative entities, must consist of two "professional" groups, those who create the product, and those who provide the structure and leadership for the other group to function within. In WP, the former group is very much alive and doing very well, the latter one (if it exists at all) is in critical condition, bordering on moribund.
Wikipedia, at present, is a "community" in the loosest definition of the term. Rather, it is a construction crew. But, most significantly, it is a construction crew without a foreman. And they are working, essentially, with only the most basic set of blueprints - both of the project, and of the company they are working for. What working plans they do have can change at the slightest whim of one or more of the workers. And, what started out as a cottage has become the Twin Towers. And, like the Towers, its collapse will be the result of the failure of internal support. But, unlike the Towers, its destruction will not come from something that occurs from without, but from what doesn't occur from within.
At the risk of offending and/or alienating those on the crew with authority problems, the company has chosen to allow the crew to fend for itself.
I have lived in communes in the past; some still flourish today. Its members are the definition of anti-authority thinking. But the ones that succeed are led by persons just as anti-authority in their beliefs as the rest, but have the interpersonal skills and trust of the community to lead.
Wikipedia is not what it started out as - but it is trying to function as though it is.
I had a difficult time putting this post together. Then I discovered it was because I was weary of the subject - and I've only been here a little over a year. Do you realize how many times the issue of "leadership" has been discussed on the Talk Pages and this List!? How many times the subject of "who's in charge" and "who is Jimmy Wales" and what role does he play in all of this, has been rehashed?
We can flail, commiserate, bemoan, intellectualize, agree, disagree... forever. But, until a leader (that foreman I referred to) is hired, appointed, anointed (or whatever the Foundation does) to actively, and with authority, direct the construction project on a day-to-day basis, the building under construction is a disaster waiting to happen.
For once, I feel that I am in complete agreement with Marc. Consensus doesn't cut it when you have a thousand participants in the discussion rather than a hundred, unless you want to resort to voting - which is effectively a tyranny of the majority.
We need some leaders who can steer this project. Jimbo used to be something of a leader, involved quite a bit in how we crafted our policies, but he's since stepped back and is mainly involved in PR and the occasional policy change for PR purposes (e.g. banning anons from creating new articles). We don't have anyone with a vision of where we are going, and who can steer us and our policies towards that direction.
I'm not saying the community shouldn't be involved in decision-making. But at the same time, I'm not confident that the community can come to a consensus on many of the tough questions facing Wikipedia, because of how controversial these issues are. Whenever there's such a hot-button issue, it's had to come to a point where there are people violating our policies and causing a lot of pain before we can settle the question - thanks to the Arbcom.
Indecision is not always better than making a decision. I'd rather we come to a conclusion on some issues which have been troubling us for a long time - e.g. our deletion processes, our process of granting adminship, how we deal with BLPs, etc. - because even if the conclusion is not to my liking, I have confidence that if we have a leader like Jimbo who appreciates the need for change when something isn't working, we will be able to fix the mistakes of our decisions in the long run.
At the moment, we are paralysed on tough questions because when consensus runs into a wall, there's no alternative left. This paralysis is, I think, not entirely desirable, and the only way to end it is to introduce another form of decisionmaking supplementary and/or complementary to the community which can act when consensus doesn't work.
Johnleemk
For once, I feel that I am in complete agreement with Marc. Consensus doesn't cut it when you have a thousand participants in the discussion rather than a hundred, unless you want to resort to voting - which is effectively a tyranny of the majority.
Is a single leader making the final decisions really better than a "tyranny of the majority"? If the right person is chosen as leader, then it could work, but it's very difficult to find such a person.
One option I've been considering recently is some kind of parliament with elected members of the community discussing and making policy decisions. I don't think we've got to the stage where anything like that is needed yet, but if the community continues to grow it will eventually become impossible to involve everyone in every policy decision.
On 11/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
For once, I feel that I am in complete agreement with Marc. Consensus doesn't cut it when you have a thousand participants in the discussion rather than a hundred, unless you want to resort to voting - which is effectively a tyranny of the majority.
Is a single leader making the final decisions really better than a "tyranny of the majority"? If the right person is chosen as leader, then it could work, but it's very difficult to find such a person.
Actually, the problem on Wikipedia is worse. Voting isn't tyranny of the majority, it's simply an exercise that allows those who can muster up more of a supporting group their way. And the "majority" is really some tiny group (relative to Wikipedia editors or more importantly the public). Then there's "discussion" (which is what people like to push on Wikipedia pointing out how voting is flawed if they think a vote won't go their way); i.e. the most vocal and bullying get their way.
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
Zoney
On 12/05/07, Zoney zoney.ie@gmail.com wrote:
On 11/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
For once, I feel that I am in complete agreement with Marc. Consensus doesn't cut it when you have a thousand participants in the discussion rather than a hundred, unless you want to resort to voting - which is effectively a tyranny of the majority.
Is a single leader making the final decisions really better than a "tyranny of the majority"? If the right person is chosen as leader, then it could work, but it's very difficult to find such a person.
Actually, the problem on Wikipedia is worse. Voting isn't tyranny of the majority, it's simply an exercise that allows those who can muster up more of a supporting group their way. And the "majority" is really some tiny group (relative to Wikipedia editors or more importantly the public). Then there's "discussion" (which is what people like to push on Wikipedia pointing out how voting is flawed if they think a vote won't go their way); i.e. the most vocal and bullying get their way.
That, and that any Administrator can close and rule on "votes" at any point, regardless of whether the discussion/vote is fairly reflected by the closing decision, after which there is often very little comeback, no matter how bad the screwup is.
On 12/05/07, Zoney zoney.ie@gmail.com wrote:
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
The typical life cycle of involvement in Wikipedia seems to correspond with that in most online communities. We're not actually unusual in this regard.
(And for those who compare Wikipedia to a MMORPG, we also correspond appallingly well with those.)
I posted the Clay Shirky link already. Nothing that's wrong with Wikipedia's community is in any way novel whatsoever, and its problems are not due to malice or gross negligence - they're entirely natural to social groups, online or off. So here's the Shirky link again, which I asked the list to comment on before: http://www.shirky.com/writings/group_enemy.html And here's my take again: http://davidgerard.co.uk/notes/2007/05/02/revealed-why-the-community-is-on-c...
The only way to stop the Wikipedia community's problems is to kill it off entirely. Disperse it, break it up, reboot it. This may not actually be a good idea, of course.
- d.
David Gerard wrote:
On 12/05/07, Zoney zoney.ie@gmail.com wrote:
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
The typical life cycle of involvement in Wikipedia seems to correspond with that in most online communities. We're not actually unusual in this regard.
(And for those who compare Wikipedia to a MMORPG, we also correspond appallingly well with those.)
I posted the Clay Shirky link already. Nothing that's wrong with Wikipedia's community is in any way novel whatsoever, and its problems are not due to malice or gross negligence - they're entirely natural to social groups, online or off. So here's the Shirky link again, which I asked the list to comment on before: http://www.shirky.com/writings/group_enemy.html And here's my take again: http://davidgerard.co.uk/notes/2007/05/02/revealed-why-the-community-is-on-c...
The only way to stop the Wikipedia community's problems is to kill it off entirely. Disperse it, break it up, reboot it. This may not actually be a good idea, of course.
- d.
The fact that we can't fix everything doesn't mean we can't fix some things.
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
Can you be both despotic and anarchic? Are they not mutually exclusive?
On 12/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
Can you be both despotic and anarchic? Are they not mutually exclusive?
Anarchy is your sixth-grade gym class - FOREVER!
- d.
On 5/12/07, David Gerard dgerard@gmail.com wrote:
On 12/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
Can you be both despotic and anarchic? Are they not mutually exclusive?
Anarchy is your sixth-grade gym class - FOREVER!
For people who *don't* waste too much time online, that'd be from http://somethingpositive.net/sp12102002.shtml.
-Kat who has at various points been accused of bias against webcomics, no less
On 5/13/07, Kat Walsh kat@mindspillage.org wrote:
For people who *don't* waste too much time online, that'd be from http://somethingpositive.net/sp12102002.shtml.
-Kat who has at various points been accused of bias against webcomics, no less
I think saying I read "something positive thus can't be biased against webcomics" is a bit like saying I have an Abba album thus don't hate all of Eurovision (incidentally now a Balkan country has won is there any chance they will stop dividing so we don't have to redraw all the maps again?)
G'day geni,
On 5/13/07, Kat Walsh kat@mindspillage.org wrote:
For people who *don't* waste too much time online, that'd be from http://somethingpositive.net/sp12102002.shtml.
-Kat who has at various points been accused of bias against webcomics, no less
I think saying I read "something positive thus can't be biased against webcomics" is a bit like saying I have an Abba album thus don't hate all of Eurovision (incidentally now a Balkan country has won is there any chance they will stop dividing so we don't have to redraw all the maps again?)
Well, arguably you'd have to be very bloody favourably inclined towards webcomics if you were to read /Something Positive/, so, yes, in this case, Kat has a very good point.
(And who doesn't love Eurovision, anyway?)
On 13/05/07, Mark Gallagher m.g.gallagher@student.canberra.edu.au wrote:
(And who doesn't love Eurovision, anyway?)
Eurovision is fantastic, provided you don't take it seriously... :-) I happened to be at a friend-of-a-friend's birthday drinks last night; fortunately, the pub we were in is targeted at students, so they showed it :) I think I successfully predicted over half of the 12 points; I knew I was going to have a good night when the first country announcing its votes was Montenegro, and they gave their 12 points to... well, I don't need to tell you, do I? ;)
On 12/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
Sorry to sound cynical, but I really think a lot of people are blind to how despotic and anarchic things really are on Wikipedia. It's a wonder anyone stays involved with Wikipedia for long - obviously we must attract a lot of strong-willed and determined individuals as editors.
Can you be both despotic and anarchic? Are they not mutually exclusive?
Amazingly, on Wikipedia they aren't. Various areas are not only one or the other, but seem to switch between the two depending on whether a group of people or an individual have the upper hand there, or a lot of people are trying to get the upper hand on the others.
Zoney
On 13/05/07, Zoney zoney.ie@gmail.com wrote:
Amazingly, on Wikipedia they aren't. Various areas are not only one or the other, but seem to switch between the two depending on whether a group of people or an individual have the upper hand there, or a lot of people are trying to get the upper hand on the others.
A question: is Wikipedia the first online community you've been deeply involved in?
(Not that this is a bad thing on your part, I'm just asking. I suspect that this being the case for a lot of people is a lot of the perception of the problem. I just find myself repeatedly surprised at people talking about Wikipedia's problems as if they're novel in any way.)
- d.
A question: is Wikipedia the first online community you've been deeply involved in?
(Not that this is a bad thing on your part, I'm just asking. I suspect that this being the case for a lot of people is a lot of the perception of the problem. I just find myself repeatedly surprised at people talking about Wikipedia's problems as if they're novel in any way.)
I've been involved in plenty of online communities, but none quite like Wikipedia. Even if the basic problems are the same, the standard solutions often don't apply. For example, in most online communities it's not a problem to have admins (or the equivalent) taking charge of things as opposed to just doing janitorial work as they do on Wikipedia. Wikipedia admins giving orders would be very unpopular. Also, there is the simple matter that Wikipedia is much bigger than most online communities. Whenever I've been involved in an online community that was too big for true consensus driven decision making to work there has always been people (usually paid staff) in absolute charge. Wikipedia doesn't have that (the foundation don't intervene in the day-to-day running).
On 13/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
I've been involved in plenty of online communities, but none quite like Wikipedia. Even if the basic problems are the same, the standard solutions often don't apply.
Yes, that's the dilemma.
For example, in most online communities it's not a problem to have admins (or the equivalent) taking charge of things as opposed to just doing janitorial work as they do on Wikipedia. Wikipedia admins giving orders would be very unpopular. Also, there is the simple matter that Wikipedia is much bigger than most online communities. Whenever I've been involved in an online community that was too big for true consensus driven decision making to work there has always been people (usually paid staff) in absolute charge. Wikipedia doesn't have that (the foundation don't intervene in the day-to-day running).
Indeed. We have old problems without new solutions.
But that they're old problems suggests it's not simply someone being negligent or malicious.
- d.
But that they're old problems suggests it's not simply someone being negligent or malicious.
Or it could be that there are negligent and malicious people in other online communities too... Just because people have done something before doesn't make it ok for people to do it now.
On 13/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
But that they're old problems suggests it's not simply someone being negligent or malicious.
Or it could be that there are negligent and malicious people in other online communities too... Just because people have done something before doesn't make it ok for people to do it now.
Of course. But Wikipedia being unique in some ways doesn't make it necessarily unique in other ways. Reread the Shirky essay. All this has happened before.
(The hard bit of Shirky's prescription is how not to bite the newbies.)
- d.
On 13/05/07, Zoney zoney.ie@gmail.com wrote:
Amazingly, on Wikipedia they aren't. Various areas are not only one or the other, but seem to switch between the two depending on whether a group of people or an individual have the upper hand there, or a lot of people are trying to get the upper hand on the others.
on 5/13/07 1:13 PM, David Gerard at dgerard@gmail.com wrote:
A question: is Wikipedia the first online community you've been deeply involved in?
(Not that this is a bad thing on your part, I'm just asking. I suspect that this being the case for a lot of people is a lot of the perception of the problem. I just find myself repeatedly surprised at people talking about Wikipedia's problems as if they're novel in any way.)
David,
Do you believe the problems outlined in this and other posts exist in WP?
Whether WP is a person's first or fiftieth online community to be involved in, if you do believe the problems exist, how do your comments work toward resolving them?
Marc
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
on 5/13/07 1:13 PM, David Gerard at dgerard@gmail.com wrote:
On 13/05/07, Zoney zoney.ie@gmail.com wrote:
Amazingly, on Wikipedia they aren't. Various areas are not only one or the other, but seem to switch between the two depending on whether a group of people or an individual have the upper hand there, or a lot of people are trying to get the upper hand on the others.
A question: is Wikipedia the first online community you've been deeply involved in? (Not that this is a bad thing on your part, I'm just asking. I suspect that this being the case for a lot of people is a lot of the perception of the problem. I just find myself repeatedly surprised at people talking about Wikipedia's problems as if they're novel in any way.)
Do you believe the problems outlined in this and other posts exist in WP? Whether WP is a person's first or fiftieth online community to be involved in, if you do believe the problems exist, how do your comments work toward resolving them?
I think it works better in understanding whether they're something truly unique or manifestations of something that's come before. If the former, it may be problem people (remove a McCarthyish list of wikicommunists or whatever). If the latter, it may be emergent behaviour requiring deeper work to solve or work around.
That is, solving the problems is helped by better ascertaining their nature.
- d.
on 5/13/07 3:41 PM, David Gerard at dgerard@gmail.com wrote:
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
on 5/13/07 1:13 PM, David Gerard at dgerard@gmail.com wrote:
On 13/05/07, Zoney zoney.ie@gmail.com wrote:
Amazingly, on Wikipedia they aren't. Various areas are not only one or the other, but seem to switch between the two depending on whether a group of people or an individual have the upper hand there, or a lot of people are trying to get the upper hand on the others.
A question: is Wikipedia the first online community you've been deeply involved in? (Not that this is a bad thing on your part, I'm just asking. I suspect that this being the case for a lot of people is a lot of the perception of the problem. I just find myself repeatedly surprised at people talking about Wikipedia's problems as if they're novel in any way.)
Do you believe the problems outlined in this and other posts exist in WP? Whether WP is a person's first or fiftieth online community to be involved in, if you do believe the problems exist, how do your comments work toward resolving them?
I think it works better in understanding whether they're something truly unique or manifestations of something that's come before. If the former, it may be problem people (remove a McCarthyish list of wikicommunists or whatever). If the latter, it may be emergent behaviour requiring deeper work to solve or work around.
That is, solving the problems is helped by better ascertaining their nature.
David,
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
Marc
Marc Riddell schreef:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
I don't think a formal structure of day-to-day leadership would be beneficial for WP, but there is no proof either way... yet.
Fortunately, our competitors have just started an experiment... http://en.citizendium.org/wiki/CZ:Editorial_Council_Rules_of_Procedure/Amend...
Eugene
On 5/13/07, Eugene van der Pijll eugene@vanderpijll.nl wrote:
Marc Riddell schreef:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
I don't think a formal structure of day-to-day leadership would be beneficial for WP, but there is no proof either way... yet.
Fortunately, our competitors have just started an experiment... http://en.citizendium.org/wiki/CZ:Editorial_Council_Rules_of_Procedure/Amend...
Eugene
Smells like institutional masturbation. ~~~~
On 14/05/07, Gabe Johnson gjzilla@gmail.com wrote:
On 5/13/07, Eugene van der Pijll eugene@vanderpijll.nl wrote:
I don't think a formal structure of day-to-day leadership would be beneficial for WP, but there is no proof either way... yet. Fortunately, our competitors have just started an experiment... http://en.citizendium.org/wiki/CZ:Editorial_Council_Rules_of_Procedure/Amend...
Smells like institutional masturbation. ~~~~
That's unduly unkind, I think. Rather, I suspect it's a case of overlearning from what Larry sees as the failures of Wikipedia.
It'll be interesting to see how they go. There's room for any number of free-content wiki-based encyclopedias.
- d.
On 5/14/07, David Gerard dgerard@gmail.com wrote:
That's unduly unkind, I think. Rather, I suspect it's a case of overlearning from what Larry sees as the failures of Wikipedia.
Kind of the "second-system effect" as applied to online encyclopedias, I guess - seeing the bugs more readily than the good features.
-Matt
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
Answer: I'm not sure it would be workable, and I suspect it would kill the golden goose.
- d.
David Gerard wrote:
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
Answer: I'm not sure it would be workable, and I suspect it would kill the golden goose.
- d.
I'm not entirely sure you're right. I think these things kind of have a natural progression. The earliest one was the "freewheeling frontier" phase, and for a while, that worked pretty well. But that doesn't necessarily scale all that well, even when it's initially successful. I think we've probably outgrown it. Look at how many new things reach hopeless deadlock - even when a majority of editors support them!
Ad-hoc, village-council style governance works great for a village. Wouldn't do so well for New York City. To a certain extent, it's very BITEy as well - instead of being able to tell well-intentioned people "Here's the rulebook, go read it", we tell them "Oh, well, you'll learn all the unspoken rules - as you trip over them."
On 13/05/07, Todd Allen toddmallen@gmail.com wrote:
Ad-hoc, village-council style governance works great for a village. Wouldn't do so well for New York City. To a certain extent, it's very BITEy as well - instead of being able to tell well-intentioned people "Here's the rulebook, go read it", we tell them "Oh, well, you'll learn all the unspoken rules - as you trip over them."
Yeah. This is why process is in fact important. Etc etc. If I had an answer I'd be posting it far and wide.
- d.
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
on 5/13/07 5:15 PM, David Gerard at dgerard@gmail.com wrote:
Answer: I'm not sure it would be workable, and I suspect it would kill the golden goose.
David,
In what ways could the existence of a designated, day-to-day leader be unworkable in WP? I believe, without such a leader, the goose you refer to will inevitably lose its way.
Marc
On 14/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
on 5/13/07 5:15 PM, David Gerard at dgerard@gmail.com wrote:
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
Answer: I'm not sure it would be workable, and I suspect it would kill the golden goose.
In what ways could the existence of a designated, day-to-day leader be unworkable in WP? I believe, without such a leader, the goose you refer to will inevitably lose its way.
I'm not clear on how this is supposed to actually work and how to get people to go along with it. Changing words on a policy page doesn't change thoughts or behaviours. It probably wouldn't be too hard to get lots of people to leave. Of course, the addictive power of wikicrack may be more powerful than I'm estimating.
- d.
Marc Riddell wrote:
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
on 5/13/07 5:15 PM, David Gerard at dgerard@gmail.com wrote:
Answer: I'm not sure it would be workable, and I suspect it would kill the golden goose.
David,
In what ways could the existence of a designated, day-to-day leader be unworkable in WP? I believe, without such a leader, the goose you refer to will inevitably lose its way.
Marc
This thread suggests me to offer you this link for consideration: http://www.theatlantic.com/doc/200609/wikipedia/4
I have seen several leaders rise and fall in the history of Wikipedia. But if they now do not have impact any more, they did at some point and left a powerful imprint. All but one became leaders out of their own abilities in leadership. Only one leader was designated in our past. He went away over 5 years ago. Dozens of people had more influence than him since then, but he stays a reference, at least in the press; I remember when he left (and I am glad he did - we did not need him any more, he was making more troubles than resolving them). But when a leader is designated, it is difficult to have authority on him, and removing him requires efforts and creates pain. I would rather recommend to help natural leaders rise by themselves.
On 13/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You still seem to be avoiding the key issue presented in this part of the thread: Is there, or is there not, a need in WP for a strong and formal structure of hands-on, day-to-day leadership?
on 5/13/07 5:15 PM, David Gerard at dgerard@gmail.com wrote:
Answer: I'm not sure it would be workable, and I suspect it would kill the golden goose.
Marc Riddell wrote:
David,
In what ways could the existence of a designated, day-to-day leader be unworkable in WP? I believe, without such a leader, the goose you refer to will inevitably lose its way.
Marc
on 5/14/07 8:01 AM, Florence Devouard at Anthere9@yahoo.com wrote:
This thread suggests me to offer you this link for consideration: http://www.theatlantic.com/doc/200609/wikipedia/4
I have seen several leaders rise and fall in the history of Wikipedia. But if they now do not have impact any more, they did at some point and left a powerful imprint. All but one became leaders out of their own abilities in leadership. Only one leader was designated in our past. He went away over 5 years ago. Dozens of people had more influence than him since then, but he stays a reference, at least in the press; I remember when he left (and I am glad he did - we did not need him any more, he was making more troubles than resolving them). But when a leader is designated, it is difficult to have authority on him, and removing him requires efforts and creates pain. I would rather recommend to help natural leaders rise by themselves.
Florence,
Thank you very much for the link. It filled a large gap of WP history for me, most especially its leadership.
It's clear the Community has been burned in the past in the area of leadership. For this reason alone, presenting the idea of a "leader" in WP could be met with a great degree of skepticism, even hostility.
"Natural leaders" will rise in the Project; they are its Group Leaders. And, when decisions need to be made within their particular Group, they have the skills to muster agreement within the Group to make them. However, when the problems presenting involve the inter-workings of several of these Groups, much less the entire Project - these leaders need a Leader.
As to history: Entrepreneurs can make very poor managers. This is not a fault but a characteristic. The challenge, the thrill, the rush, if you will, for the entrepreneur is the startup, taking an idea and making it real. Once the work is created, the idea of managing it day to day can be, well, boring. It is like having the architect/builder of a structure stay and manage its day-to-day operation.
However, a responsibility of that entrepreneur, must be to leave someone in charge of its operation. I can see from the link you provided, that those left with the day-to-day leadership - to put it simply - were more interested in protecting their own (apparently fragile) egos, than in protecting - much less nurturing - the Project.
The Leader I am speaking of is a person with a passion for the Project and its people, but detached from its content. Someone with the patience, interest and skills to manage the day-to-day activities of a Project. They should not be involved in any active editing of any Article in the Project. Their role is strictly a problem-solving one. A person that, when all the dust settles, at whose feet the daily buck does stop.
This person may be difficult to find, but I do not believe impossible. The person can come from within the Project or from without. However, if from within, that person would need to stop all editing of content, and devote all of their time and energy to helping those who are.
My main intent with this thread was to get some serious, creative minds thinking about what I see is a serious problem confronting the future of WP and its people.
Marc Riddell
On 14/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
The Leader I am speaking of is a person with a passion for the Project and its people, but detached from its content. Someone with the patience, interest and skills to manage the day-to-day activities of a Project. They should not be involved in any active editing of any Article in the Project. Their role is strictly a problem-solving one. A person that, when all the dust settles, at whose feet the daily buck does stop. This person may be difficult to find, but I do not believe impossible. The person can come from within the Project or from without. However, if from within, that person would need to stop all editing of content, and devote all of their time and energy to helping those who are. My main intent with this thread was to get some serious, creative minds thinking about what I see is a serious problem confronting the future of WP and its people.
At the moment I see it as several communities inhabiting the same space and banging into each other in areas where one assumes control over an area and another disputes that. Rather than a single coherent community.
I'm still getting my head around the actual problem. Let's continue this thread for a while. Anyone else want to describe the elephant as they see it?
- d.
On 14/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
The Leader I am speaking of is a person with a passion for the Project and its people, but detached from its content. Someone with the patience, interest and skills to manage the day-to-day activities of a Project. They should not be involved in any active editing of any Article in the Project. Their role is strictly a problem-solving one. A person that, when all the dust settles, at whose feet the daily buck does stop. This person may be difficult to find, but I do not believe impossible. The person can come from within the Project or from without. However, if from within, that person would need to stop all editing of content, and devote all of their time and energy to helping those who are. My main intent with this thread was to get some serious, creative minds thinking about what I see is a serious problem confronting the future of WP and its people.
on 5/14/07 3:03 PM, David Gerard at dgerard@gmail.com wrote:
At the moment I see it as several communities inhabiting the same space and banging into each other in areas where one assumes control over an area and another disputes that. Rather than a single coherent community.
Actually, you are right, David; WP is more like a Nation of States, or a Continent of Countries (and, that's as far as I'm willing to go with the geographic analogies :-)). And each one will, rightfully, guard their own turf. This I see as fine; it gives WP the diversity reflective of the real world. But, what must exist is a common ethic, a common purpose - and let those be the elements of a common culture. But, in any case, when States and/or Countries are at war, it diminishes their resources, diverts their true purpose, and, most critically, costs lives.
Let's continue this thread for a while. Anyone else want to describe the elephant as they see it?
Yes, folks, please jump in.
Marc
On 13/05/07, David Gerard dgerard@gmail.com wrote:
On 13/05/07, Zoney zoney.ie@gmail.com wrote:
Amazingly, on Wikipedia they aren't. Various areas are not only one or the other, but seem to switch between the two depending on whether a group of people or an individual have the upper hand there, or a lot of people are trying to get the upper hand on the others.
A question: is Wikipedia the first online community you've been deeply involved in?
(Not that this is a bad thing on your part, I'm just asking. I suspect that this being the case for a lot of people is a lot of the perception of the problem. I just find myself repeatedly surprised at people talking about Wikipedia's problems as if they're novel in any way.)
- d.
I say "amazing" because these problems should have been headed off far earlier on in this project, because it is a serious endeavour.
Wikipedia is not a discussion forum, MMORPG, fan club or indeed primarily a community at all. It should not be run the same way as those, allowing the same problems. More particularly, it should be "run", not expected to magically "work". I think the latter is a rather flawed ideology, although unfortunately it seems many on Wikipedia subscribe to it (e.g. "the more people involved with an article the better it gets", "we keep getting more people therefore the articles will get better"). We don't even have consistent editorial standards as a result of this organisational strategy, which seems to be some bizarre belief in a magical "evolution" of management. I think the "Wikipedia:" pages put the lie to this working.
Essentially, the "wiki" technology is fantastic for collaborative editing, but I think people have got carried away with it and erroneously believe that the evolution of content through such collaboration is a paradigm that can be extended to the management of the project.
Zoney
On 14/05/07, Zoney zoney.ie@gmail.com wrote:
Wikipedia is not a discussion forum, MMORPG, fan club or indeed primarily a community at all. It should not be run the same way as those, allowing the same problems. More particularly, it should be "run", not expected to magically "work". I think the latter is a rather flawed ideology, although unfortunately it seems many on Wikipedia subscribe to it (e.g. "the more people involved with an article the better it gets", "we keep getting more people therefore the articles will get better"). We don't even have consistent editorial standards as a result of this organisational strategy, which seems to be some bizarre belief in a magical "evolution" of management. I think the "Wikipedia:" pages put the lie to this working.
Mmm. A lot of the problem is that communities emerge whether you want them to or not. This is the tyranny of structurelessness. You can't declare a corporate culture.
Essentially, the "wiki" technology is fantastic for collaborative editing, but I think people have got carried away with it and erroneously believe that the evolution of content through such collaboration is a paradigm that can be extended to the management of the project.
So how to fix it? If I had a solution I'd be diving in head first. A solution that won't lead to lots of people getting up and leaving, i.e. making it effectively a different project starting from the same database?
This would be easier if forking and remerging were more feasible.
- d.
David Gerard wrote:
On 14/05/07, Zoney zoney.ie@gmail.com wrote:
Wikipedia is not a discussion forum, MMORPG, fan club or indeed primarily a community at all. It should not be run the same way as those, allowing the same problems. More particularly, it should be "run", not expected to magically "work". I think the latter is a rather flawed ideology, although unfortunately it seems many on Wikipedia subscribe to it (e.g. "the more people involved with an article the better it gets", "we keep getting more people therefore the articles will get better"). We don't even have consistent editorial standards as a result of this organisational strategy, which seems to be some bizarre belief in a magical "evolution" of management. I think the "Wikipedia:" pages put the lie to this working.
Mmm. A lot of the problem is that communities emerge whether you want them to or not. This is the tyranny of structurelessness. You can't declare a corporate culture.
Essentially, the "wiki" technology is fantastic for collaborative editing, but I think people have got carried away with it and erroneously believe that the evolution of content through such collaboration is a paradigm that can be extended to the management of the project.
So how to fix it? If I had a solution I'd be diving in head first. A solution that won't lead to lots of people getting up and leaving, i.e. making it effectively a different project starting from the same database?
This would be easier if forking and remerging were more feasible.
- d.
Why isn't it? It's all GFDL, and any fork would have to remain GFDL.
On 14/05/07, Todd Allen toddmallen@gmail.com wrote:
David Gerard wrote:
This would be easier if forking and remerging were more feasible.
Why isn't it? It's all GFDL, and any fork would have to remain GFDL.
Yabbut how to merge effectively afterwards. See scenario of doom, which assumes a collapse of the organisation and how to save the encyclopedia from it: http://davidgerard.co.uk/notes/2007/04/10/disaster-recovery-planning/
Ideally I'd like it if the best answer to "Wikipedia is doomed" is "so what?"
- d.
on 5/14/07 7:07 AM, David Gerard at dgerard@gmail.com wrote:
On 14/05/07, Zoney zoney.ie@gmail.com wrote:
Wikipedia is not a discussion forum, MMORPG, fan club or indeed primarily a community at all. It should not be run the same way as those, allowing the same problems. More particularly, it should be "run", not expected to magically "work". I think the latter is a rather flawed ideology, although unfortunately it seems many on Wikipedia subscribe to it (e.g. "the more people involved with an article the better it gets", "we keep getting more people therefore the articles will get better"). We don't even have consistent editorial standards as a result of this organisational strategy, which seems to be some bizarre belief in a magical "evolution" of management. I think the "Wikipedia:" pages put the lie to this working.
Mmm. A lot of the problem is that communities emerge whether you want them to or not. This is the tyranny of structurelessness. You can't declare a corporate culture.
Essentially, the "wiki" technology is fantastic for collaborative editing, but I think people have got carried away with it and erroneously believe that the evolution of content through such collaboration is a paradigm that can be extended to the management of the project.
So how to fix it? If I had a solution I'd be diving in head first. A solution that won't lead to lots of people getting up and leaving, i.e. making it effectively a different project starting from the same database?
This would be easier if forking and remerging were more feasible.
David,
Right now I am digesting the posts to this thread that came overnight (it was overnight for me, anyway) and am composing some responses. But, to respond very quickly to yours here:
You have voiced your concern about people leaving WP if certain changes in organization were to take place. That depends on why they were here in the first place. If a person is here to honestly help in building the project, I believe they would welcome some form of order to help them accomplish it. Those persons who are here for other reasons will find it more difficult to forward their agenda if they find this order gets in the way of that agenda; and they will move on to another online project to play in.
More later (I'm still working on my first cup of coffee of the morning :-)
Marc
On 14/05/07, Marc Riddell michaeldavid86@comcast.net wrote:
You have voiced your concern about people leaving WP if certain changes in organization were to take place. That depends on why they were here in the first place. If a person is here to honestly help in building the project, I believe they would welcome some form of order to help them accomplish it. Those persons who are here for other reasons will find it more difficult to forward their agenda if they find this order gets in the way of that agenda; and they will move on to another online project to play in.
That's why I think it's profitable to think "can I derive this policy from NPOV, NOR and V?" It drives things back to basics very quickly.
- d.
On 5/7/07, Snowolf mtazio@gmail.com wrote:
I've added a question to all en.wp's running RfA that asks candidates if their password is "[[..] alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the weakest password list?".
If they answer any of those questions, that reflects very badly on their understanding of security.
-- Jake Nelson [[en:User:Jake Nelson]]
On 5/7/07, Snowolf mtazio@gmail.com wrote:
I've added a question to all en.wp's running RfA that asks candidates if their password is "[[..] alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the weakest password list?".
Careful: most of these factors trade off against each other.
For example, an S/KEY pass phrase looks like "TWIG LET IFFY DATE RON CARL". All dictionary words, easy to type and remember... Yet it contains 64bits of entropy, which is far better than what you usually get when you tell people "mixed character classes, at least 8 characters, not words in the dictionary".
Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like john the ripper have rules systems which predict such patterns with frightening accuracy.
The correct advice should be to use a phrase instead of a 'word'. "i like fluffy rice at 6am!" is a reasonably strong password. Throw in a short random string and you have something that isn't practicably crackable even by someone targeting only your account.... at that point someone who wanted to control your account would have an easier time tricking you into running a password grabbing trojan.
Gregory Maxwell wrote:
Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like john the ripper have rules systems which predict such patterns with frightening accuracy.
But those predictions are only useful if the attacker has unlimited login attempts. If we're taking the step of asking users (and admins) to pick stronger passwords, we should absolutely at the same time be taking steps in software to detect repeated login failures and (a) lock out the account, (b) slow way down, and/or (c) notify the (real) user.
On 5/7/07, Steve Summit scs@eskimo.com wrote:
detect repeated login failures and (a) lock out the account,
Which makes it trivial for someone with no account and no password to any account to effectively block all admins.
(b) slow way down,
Doable.
and/or (c) notify the (real) user.
Who doesn't have any ability to affect the login failures, or likely know where they're coming from, and you just spam them...
IP-based throttles and restricting the same IP from connecting to multiple different accounts are the main things that come to mind... how that works with the massively shared IPs (like those country-wide gateways) is another question. I can think of some ways that might deal with it, but the technical detail gets a little complex.
-- Jake Nelson [[en:User:Jake Nelson]]
On 5/7/07, Steve Summit scs@eskimo.com wrote:
Gregory Maxwell wrote:
Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like john the ripper have rules systems which predict such patterns with frightening accuracy.
But those predictions are only useful if the attacker has unlimited login attempts. If we're taking the step of asking users (and admins) to pick stronger passwords, we should absolutely at the same time be taking steps in software to detect repeated login failures and (a) lock out the account, (b) slow way down, and/or (c) notify the (real) user.
Doesn't work so well.. If it's a limit of "x per interval" the attacker can just be patient, use many IPs and try many accounts. If it's a limit of "x and then lockout" it's trivial to DOS accounts.
Don't get me wrong, we need to do both: have stronger passwords and dampen attacks.
But what we should be telling people is: "Use the longest pass*phrase* you can easily type. Common words are okay as long as the phrase is unpredictable and long."
"mask omen boom irma smug tore" is a very strong password. "I hate people in 1979- they wear big pantz" is also a strong password.
Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
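The passphrase arithmetic from the messages above, as an added example that is not part of any post in this thread: six words drawn from a 2048-word list carry 66 bits (S/KEY, RFC 2289, uses 64 of them for the value and 2 as a checksum), more than eight machine-chosen printable characters. The function names, the 16-word sample list and the guess rate used in the comparison are assumptions made for the illustration.

```python
import math
import secrets
import string

# Constructed 16-word sample list (4 bits per word), for demonstration only.
# A usable list is far larger; the RFC 2289 dictionary has 2048 words (11 bits each).
SAMPLE_WORDS = [
    "twig", "let", "iffy", "date", "ron", "carl", "mask", "omen",
    "boom", "irma", "smug", "tore", "rice", "fluffy", "hate", "wear",
]

# The 94 printable ASCII characters other than space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_bits(pool_size, picks):
    """Entropy, in bits, of `picks` independent uniform choices from a pool.

    This holds only for machine-chosen secrets. A human asked for "8 characters,
    mixed classes" does not choose uniformly, so the figure is an upper bound.
    """
    return picks * math.log2(pool_size)


def picks_needed(pool_size, target_bits):
    """Smallest number of uniform picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def make_passphrase(words, n_words, suffix_len=0):
    """Return (passphrase, bits), drawing every element from the OS CSPRNG.

    `suffix_len` appends the "short random string" suggested in the thread.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    parts = [secrets.choice(words) for _ in range(n_words)]
    bits = random_bits(len(words), n_words)
    if suffix_len:
        parts.append("".join(secrets.choice(PRINTABLE) for _ in range(suffix_len)))
        bits += random_bits(len(PRINTABLE), suffix_len)
    return " ".join(parts), bits


def years_to_search_half(bits, guesses_per_second):
    """Expected years to try half of a 2**bits space at a fixed guess rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("6 words from 2048:      %.1f bits" % random_bits(2048, 6))
    print("8 random printables:    %.1f bits" % random_bits(len(PRINTABLE), 8))
    print("printables for 64 bits: %d" % picks_needed(len(PRINTABLE), 64))
    phrase, bits = make_passphrase(SAMPLE_WORDS, 6, suffix_len=4)
    print("sample (tiny list!):    %r, %.1f bits" % (phrase, bits))
```

The sample list is deliberately tiny, so the printed phrase is weak; the point is the per-word accounting, which scales with the size of the list actually used.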
There likely is a good reason not to do this related to the volume of traffic *overall*, but in normal use how many http requests for this string will be seen?
Special:Userlogin
As in,
http://en.wikipedia.org/w/index.php?title=Special:Userlogin*
How many should you be seeing? Couldn't they script up a tool at administrator/development level to see what IPs are tagging that sort of string more than x times per minute or something? Or, perhaps, should the Login function log IPs used for *attempted* logins vs. a given user name? You could then with Special:Checkuser see who/what is trying to login as whom.
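An added sketch (not MediaWiki code and not from any poster) of the options debated above: delay instead of lockout, so a third party cannot block an admin by failing logins on purpose; a cap on how many different accounts one IP may fail against; and the per-IP / per-username attempt log suggested in the last message. The class, function names, thresholds and event tuples are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds, ip, username, success).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    (0,  "192.0.2.10",   "ExampleAdmin", False),
    (5,  "192.0.2.10",   "ExampleAdmin", False),
    (9,  "192.0.2.10",   "ExampleAdmin", False),
    (20, "198.51.100.7", "ExampleAdmin", True),   # real user, different address
    (30, "203.0.113.5",  "UserA", False),
    (31, "203.0.113.5",  "UserB", False),
    (32, "203.0.113.5",  "UserC", False),
    (33, "203.0.113.5",  "UserD", False),
    (40, "203.0.113.6",  "ExampleAdmin", False),
    (41, "203.0.113.7",  "ExampleAdmin", False),
]


class LoginThrottle:
    """Slow down, never lock out.

    Delay grows per (ip, user) pair, so failures from one address do not
    penalise the account owner logging in from another. An IP that fails
    against too many different accounts gets the maximum delay; on a shared
    gateway that threshold would need to be much higher.
    """

    def __init__(self, window=600, base_delay=1.0, max_delay=300.0, max_users_per_ip=3):
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_users_per_ip = max_users_per_ip
        self.pair_failures = defaultdict(deque)  # (ip, user) -> failure times
        self.ip_targets = defaultdict(dict)      # ip -> {user: last failure time}

    def _recent_failures(self, ip, user, now):
        q = self.pair_failures.get((ip, user))
        if not q:
            return 0
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def _recent_targets(self, ip, now):
        targets = self.ip_targets.get(ip)
        if not targets:
            return 0
        for user in [u for u, t in targets.items() if now - t > self.window]:
            del targets[user]
        return len(targets)

    def delay_for(self, ip, user, now):
        """Seconds to wait before this attempt is evaluated."""
        if self._recent_targets(ip, now) > self.max_users_per_ip:
            return self.max_delay
        n = self._recent_failures(ip, user, now)
        if n == 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (n - 1))

    def record(self, ip, user, now, success):
        if success:
            self.pair_failures.pop((ip, user), None)
        else:
            self.pair_failures[(ip, user)].append(now)
            self.ip_targets[ip][user] = now


def replay(events, throttle):
    """Feed events through the throttle; return the delay imposed on each."""
    delays = []
    for now, ip, user, success in events:
        delays.append(throttle.delay_for(ip, user, now))
        throttle.record(ip, user, now, success)
    return delays


def attempt_report(events, min_users=3, min_ips=3):
    """Failed logins grouped both ways: IPs trying many accounts, and
    accounts tried from many IPs (which no per-IP limit can see)."""
    users_by_ip, ips_by_user = defaultdict(set), defaultdict(set)
    for _, ip, user, success in events:
        if not success:
            users_by_ip[ip].add(user)
            ips_by_user[user].add(ip)
    spraying = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
    targeted = {u: sorted(i) for u, i in ips_by_user.items() if len(i) >= min_ips}
    return spraying, targeted


if __name__ == "__main__":
    print(replay(EVENTS, LoginThrottle()))
    print(attempt_report(EVENTS))
```

A patient attacker spread over many IPs and many accounts still stays under both thresholds, as noted earlier in the thread; the second half of the report only narrows that gap, it does not close it.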
Gregory Maxwell wrote:
But what we should be telling people is: "Use the longest pass*phrase* you can easily type... Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
Well, I'm not so sure either works. I'm one of the more security-conscious people I know, and I don't bother with strong passwords (let alone passphrases) when I register at ordinary websites -- the risk just isn't there. If you tell me to pick a strong password I'll just laugh at you.
And if you violently disagree with me here -- that's my point. This may be an irresponsible attitude of mine, maybe I really *should* be using strong passwords on every ordinary website I register with, but: I bet I'm not alone.
If your security strategy depends on users picking a certain kind of password, you'd better enforce it in software, because I doubt you'll get enough voluntary compliance otherwise.
On 5/7/07, Steve Summit scs@eskimo.com wrote:
Gregory Maxwell wrote:
But what we should be telling people is: "Use the longest pass*phrase* you can easily type... Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
Well, I'm not so sure either works. I'm one of the more security-conscious people I know, and I don't bother with strong passwords (let alone passphrases) when I register at ordinary websites -- the risk just isn't there. If you tell me to pick a strong password I'll just laugh at you.
And if you violently disagree with me here -- that's my point. This may be an irresponsible attitude of mine, maybe I really *should* be using strong passwords on every ordinary website I register with, but: I bet I'm not alone.
If your security strategy depends on users picking a certain kind of password, you'd better enforce it in software, because I doubt you'll get enough voluntary compliance otherwise.
One would hope you'd think differently, if you had administrative or other privileged access to that website? I agree with you in most cases, my NYTimes password is just abcd1234. I couldn't care less if anyone else uses the account. But if I were responsible for editing and maintaining the site, you better bet I'd pick a much better one.
Todd Allen wrote:
On 5/7/07, Steve Summit scs@eskimo.com wrote:
Gregory Maxwell wrote:
But what we should be telling people is: "Use the longest pass*phrase* you can easily type... Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
Well, I'm not so sure either works. I'm one of the more security-conscious people I know, and I don't bother with strong passwords (let alone passphrases) when I register at ordinary websites -- the risk just isn't there. If you tell me to pick a strong password I'll just laugh at you.
And if you violently disagree with me here -- that's my point. This may be an irresponsible attitude of mine, maybe I really *should* be using strong passwords on every ordinary website I register with, but: I bet I'm not alone.
If your security strategy depends on users picking a certain kind of password, you'd better enforce it in software, because I doubt you'll get enough voluntary compliance otherwise.
One would hope you'd think differently, if you had administrative or other privileged access to that website? I agree with you in most cases, my NYTimes password is just abcd1234. I couldn't care less if anyone else uses the account. But if I were responsible for editing and maintaining the site, you better bet I'd pick a much better one.
Which is an argument for crats asking users to confirm they have changed their password to something strong before sysopping them. When most people create wikipedia accounts they haven't got responsibility in mind. That's the reason I've got a crap username. I just logged on thinking, I want to edit a few things here in a spare ten minutes, and grabbed the first name that came into my head - and my password was.... wait for it.... 'glasgow'.
A request for me to use a strong one would have been met with 'shrug'
"Doc glasgow"
On 5/7/07, Steve Summit scs@eskimo.com wrote:
Well, I'm not so sure either works. I'm one of the more security-conscious people I know, and I don't bother with strong passwords (let alone passphrases) when I register at ordinary websites -- the risk just isn't there. If you tell me to pick a strong password I'll just laugh at you.
Indeed. My password on all Wikimedia sites, except Commons and enwiki, is the same and is the same as the stupid low-security password that I use on a bazillion other websites. Why? Because none of these sites matter, and going to the trouble of creating distinct passwords for each is silly. My Commons password (where I am an admin) and my enwiki (where I used to be an admin) are different and are chosen from my "moderate security" scheme. Neither qualifies for high security passwords; my highest security passwords are reserved for things related to financial services (e.g. banks, credit cards, brokerages, etc.) and for my work accounts.
Security is a tradeoff. Nobody applies maximum security to everything; you choose a level of security that provides a reasonable compromise between complexity and risk.
That said, I think people should avoid using absurdly weak passwords on websites -- "password" should be just plain out regardless of the irrelevancy of the site in question, unless you really do not care at all about being impersonated -- and people with elevated rights should elevate their password complexity correspondingly. In the Wikimedia context, this would seem to me to be especially true for people who are subject to the Foundation's identification requirements: if you have access to protected information, your password should have an appropriate level of complexity.
Kelly
Remember Soft Security.
The biggest defense Wikipedia has is its undamageability and the goodwill of the vast majority of the contributors. Remember that when we have discussions about security.
On 5/7/07, Steve Summit scs@eskimo.com wrote:
Gregory Maxwell wrote:
Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like john the ripper have rules systems which predict such patterns with frightening accuracy.
But those predictions are only useful if the attacker has unlimited login attempts. If we're taking the step of asking users (and admins) to pick stronger passwords, we should absolutely at the same time be taking steps in software to detect repeated login failures and (a) lock out the account, (b) slow way down, and/or (c) notify the (real) user.
Mark Ryan wrote:
It appears someone is cracking easily-guessable passwords of accounts on Wikipedia. Until measures are undertaken to check all accounts for weak passwords and make people use stronger passwords, I encourage everyone whose password is 'weak' to log in now and change your password to something stronger.
Here are some tips for strong passwords:
- Don't use words you would find in the dictionary.
- Don't use 'password' or something like that for your password.
- Don't use a derivative of your username as a password.
- Don't use something like "god" or "fuckyou". They really are very common as passwords.
- Don't use the same password as you use for other sites or your email.
- Use a mix of upper case and lower case letters.
- Use symbols and numbers.
- Make it at least 8 characters long.
I hope this is a help to someone.
:-D It only helps to guarantee that anyone following all these steps will never remember a damn one.
Ec