Anthony DiPierro wrote:
On 10/13/05, David Gerard <dgerard at gmail.com> wrote:
- Remember that a small number of the developers (those who have access to the database) already have this power and use it. They control the horizontal, they control the vertical, they see all and know all — because they have to have complete control in order to administer a top-50 website. But they respect the privacy policy, because that's what you do as a sysadmin. The proposal is to extend access to just one power, so as to avoid a bottleneck of too few people for the job.
Do you really think there are people at other top-50 websites with unlogged and unfettered access to this sort of information? If so, do you think they had to go through any background checks, and sign a non-disclosure agreement? It certainly *is* possible to set up a system so that *no single person* can "see all and know all". I would hope all the other top-50 websites have set up such a system.
You can either try to Taylorise the process of trusting people, or you can get in people you trust. Sysadmins *could* do any destructive thing they want. But they pretty much *don't*. I wonder why that is.
Usually it works that the sysadmins have the access they need to keep stuff working. Around here, where all day every day is a "WTF?!" moment, the present process seems to work. I'm sure you can outline many reasons why the present way of doing things is utterly broken and can't possibly work in theory, never mind that it does in practice.
You don't actually know much about systems administration in practice, do you?
- d.
On 10/13/05, David Gerard dgerard@gmail.com wrote:
You can either try to Taylorise the process of trusting people, or you can get in people you trust. Sysadmins *could* do any destructive thing they want. But they pretty much *don't*. I wonder why that is.
If sysadmins can do any destructive thing they want, then you haven't created a very secure system. As for why they don't, it depends which sysadmins you're talking to. Certainly the fact that their actions are logged and that they'd lose their job and face criminal charges if they did something destructive has something to do with the reason a sysadmin at Yahoo or Google is unlikely to do something destructive.
Usually it works that the sysadmins have the access they need to keep stuff working. Around here, where all day every day is a "WTF?!" moment, the present process seems to work. I'm sure you can outline many reasons why the present way of doing things is utterly broken and can't possibly work in theory, never mind that it does in practice.
Apparently it doesn't work that well in practice, and that's why you're talking about changing the way things work. From my own experience, the site is quite flaky, and from your statement above CheckUser sometimes takes 5 hours to process. Doesn't sound like things are working very well to me.
You don't actually know much about systems administration in practice, do you?
I've been the lead administrator for multi-million dollar systems, so yes, I know a lot about how systems administration works in practice.
- d.
Anthony
"Anthony DiPierro" wikispam@inbox.org wrote: [snip]
If sysadmins can do any destructive thing they want, then you haven't created a very secure system.
Pick the most secure version of UNIX you can find.
Log in as root.
Invoke the following: $ rm -r /
How destructive do you actually want?
(I recall hearing a story of how somebody did this and, having interrupted the process mid-destroy, managed with the help of some friends to resurrect the system because he happened to have a copy of EMACS running (i.e. loaded into memory and not susceptible to instant deletion) and was therefore able to type in various vital system files by reading the hex off another terminal. I wish I could back it up with a URL, but it's the end of my work day here, and I'm going home :-)
On 13/10/05, Phil Boswell phil.boswell@gmail.com wrote:
"Anthony DiPierro" wikispam@inbox.org wrote: [snip]
If sysadmins can do any destructive thing they want, then you haven't created a very secure system.
Pick the most secure version of UNIX you can find.
Log in as root.
Invoke the following: $ rm -r /
How destructive do you actually want?
(I recall hearing a story of how somebody did this and, having interrupted the process mid-destroy, managed with the help of some friends to resurrect the system because he happened to have a copy of EMACS running (i.e. loaded into memory and not susceptible to instant deletion) and was therefore able to type in various vital system files by reading the hex off another terminal. I wish I could back it up with a URL, but it's the end of my work day here, and I'm going home :-)
http://groups.google.com/group/alt.folklore.computers/msg/7746ec4c7cd47ffd (or Message-ID:_n7z!pk@rpi.edu) sounds like what you mean, I think.
I believe the technical term is *shudder*...
-- - Andrew Gray andrew.gray@dunelm.org.uk
On 10/13/05, Phil Boswell phil.boswell@gmail.com wrote:
"Anthony DiPierro" wikispam@inbox.org wrote: [snip]
If sysadmins can do any destructive thing they want, then you haven't created a very secure system.
Pick the most secure version of UNIX you can find.
Log in as root.
Invoke the following: $ rm -r /
If I were at home I'd do just that and it'd accomplish nothing, as I have the immutable flag on the / directory. Yes, this flag could be removed if I really wanted to, but there are ways to set up a system so that it requires physical access to do such a thing. But when we're talking about production boxes in a colo, it shouldn't even be possible to log in as root.
How destructive do you actually want?
(I recall hearing a story of how somebody did this and, having interrupted the process mid-destroy, managed with the help of some friends to resurrect the system because he happened to have a copy of EMACS running (i.e. loaded into memory and not susceptible to instant deletion) and was therefore able to type in various vital system files by reading the hex off another terminal. I wish I could back it up with a URL, but it's the end of my work day here, and I'm going home :-) -- Phil [[en:User:Phil Boswell]]
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
But when we're talking about production boxes in a colo, it shouldn't even be possible to log in as root.
Uh, sure, right. So how do you propose to do maintenance on this box?
*Somebody* has to be able to log in as root. That person is capable of destroying the system. Even if the immutable flag is set on the root (because said person can always clear that flag). And if nothing else there's always the technique of taking a shotgun to the server.
Kelly
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
If sysadmins can do any destructive thing they want, then you haven't created a very secure system.
There is always at least one sysadmin at every organization who has the capability to destroy, or at least significantly harm, everything. Only at the very largest organizations -- those with redundant, geographically separated data centers -- is it possible to make this effectively impossible.
Kelly
On 10/13/05, Kelly Martin kelly.lynn.martin@gmail.com wrote:
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
If sysadmins can do any destructive thing they want, then you haven't created a very secure system.
There is always at least one sysadmin at every organization who has the capability to destroy, or at least significantly harm, everything. Only at the very largest organizations -- those with redundant, geographically separated data centers -- is it possible to make this effectively impossible.
You say that it's possible at every organization, then you say it's possible to avoid it at the very largest organizations. The fact is, Wikimedia *is* a large organization, it's getting larger every day, and it should start acting like it.
Kelly
Anthony
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
You say that it's possible at every organization, then you say it's possible to avoid it at the very largest organizations. The fact is, Wikimedia *is* a large organization, it's getting larger every day, and it should start acting like it.
Anthony
Tell me when you get the money together to pay for it.
-- geni
On 10/13/05, geni geniice@gmail.com wrote:
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
You say that it's possible at every organization, then you say it's possible to avoid it at the very largest organizations. The fact is, Wikimedia *is* a large organization, it's getting larger every day, and it should start acting like it.
Anthony
Tell me when you get the money together to pay for it.
Give me a pagerank and traffic profile as high as Wikipedia and I'll give you the money.
--
geni
Anthony
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
Give me a pagerank and traffic profile as high as Wikipedia and I'll give you the money.
We're waiting for the money.
Kelly
On 10/13/05, geni geniice@gmail.com wrote:
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
The fact is, Wikimedia *is* a large organization, it's getting larger every day, and it should start acting like it.
Anthony
Tell me when you get the money together to pay for it.
geni
I think it got to be a large organization precisely because it didn't act like it.
Sarah
On 10/13/05, slimvirgin@gmail.com slimvirgin@gmail.com wrote:
On 10/13/05, geni geniice@gmail.com wrote:
On 10/13/05, Anthony DiPierro wikispam@inbox.org wrote:
The fact is, Wikimedia *is* a large organization, it's getting larger every day, and it should start acting like it.
Anthony
Tell me when you get the money together to pay for it.
geni
I think it got to be a large organization precisely because it didn't act like it.
My apologies to all for taking this thread off-topic. Apparently the majority of people on this list are content with the way things are, and don't think there is any room for improvement, so I'm not going to waste my time on this thread any further.
Sarah
Anthony
Anthony DiPierro (wikispam@inbox.org) [051014 04:54]:
My apologies to all for taking this thread off-topic. Apparently the majority of people on this list are content with the way things are, and don't think there is any room for improvement, so I'm not going to waste my time on this thread any further.
The majority of people on this list are concerned with the content side of en:. Why aren't you saying all this on wikitech-l?
- d.
On 10/13/05, David Gerard fun@thingy.apana.org.au wrote:
Anthony DiPierro (wikispam@inbox.org) [051014 04:54]:
My apologies to all for taking this thread off-topic. Apparently the majority of people on this list are content with the way things are, and don't think there is any room for improvement, so I'm not going to waste my time on this thread any further.
The majority of people on this list are concerned with the content side of en:. Why aren't you saying all this on wikitech-l?
Umm, dude, you're the one who initiated the thread.
- d.
Anthony
I don't see how we can compare the security of Wikipedia with that of other Top 50 websites. We already have the "large security hole" that anyone can edit, and that's what put Wikipedia where it is now. Other top-50 websites aren't editable.
Also, however much I would like him to be, David is not scalable on his own. If Wikipedia grows, so does the need for people with access to IP information to deal swiftly with vandalbots and very much confirmed sockpuppets (not just suspected ones).
The need is there. All we need to agree on is who we give the access to.
IMO giving it to the arbcom so they can swiftly handle cases would be a good thing and perhaps it can be given to a few more trusted people so it's easy to find an active person with such access in an emergency.
--Mgm
MacGyverMagic/Mgm wrote:
I don't see how we can compare the security of Wikipedia with that of other Top 50 websites. We already have the "large security hole" that anyone can edit, and that's what put Wikipedia where it is now. Other top-50 websites aren't editable.
Also, however much I would like him to be, David is not scalable on his own. If Wikipedia grows, so does the need for people with access to IP information to deal swiftly with vandalbots and very much confirmed sockpuppets (not just suspected ones).
The need is there. All we need to agree on is who we give the access to.
IMO giving it to the arbcom so they can swiftly handle cases would be a good thing and perhaps it can be given to a few more trusted people so it's easy to find an active person with such access in an emergency.
--Mgm
To go a step further...
Could the arbcom make a decision of agreeing to give check user access to more arbcom members?
ant
Anthere (anthere9@yahoo.com) [051014 06:28]:
Could the arbcom make a decision of agreeing to give check user access to more arbcom members?
Easily. The way it came about was that we were asking the devs *lots and lots* for IP checks, they had other things to do (running the site) and so we thought about who could and would do it. I volunteered because I had some idea which way was up in IP checking, and Tim hacked together the Special:CheckUser page.
So basically we need people who could be trusted to keep the IP data confidential and who have some idea how to interpret the results. That's the basic requirement: (a) trustworthiness (b) competence. (a) is the community's problem, but anyone who's ever traced spammers or network abuse would be a good start for (b).
- d.
David Gerard wrote:
Anthony DiPierro wrote:
On 10/13/05, David Gerard <dgerard at gmail.com> wrote:
- Remember that a small number of the developers (those who have access to the database) already have this power and use it. They control the horizontal, they control the vertical, they see all and know all — because they have to have complete control in order to administer a top-50 website. But they respect the privacy policy, because that's what you do as a sysadmin. The proposal is to extend access to just one power, so as to avoid a bottleneck of too few people for the job.
Do you really think there are people at other top-50 websites with unlogged and unfettered access to this sort of information? If so, do you think they had to go through any background checks, and sign a non-disclosure agreement? It certainly *is* possible to set up a system so that *no single person* can "see all and know all". I would hope all the other top-50 websites have set up such a system.
You can either try to Taylorise the process of trusting people, or you can get in people you trust. Sysadmins *could* do any destructive thing they want. But they pretty much *don't*. I wonder why that is.
Most of them do not do anything wrong because anything they do can be easily seen by ANYONE (sysops and non sysops). And aside from deleting an image, everything they do can be reverted.
If they block, someone else can unblock. If they delete a page, someone else can undelete. If they protect a page, someone else can unprotect.
Reversion of an admin action is actually done pretty frequently.
Also, some sysops make mistakes, but how many were ever desysopped for their errors? Hardly any on the English Wikipedia.
They pretty much do not do anything destructive, because they are intelligent people who know not to do bad things AND because others can revert what they do. So there can not be any destruction.
And this is why, nothing being definitive, few are punished. I am quite sure that if their actions were final, there would be more punishment.
What a check user can do can hardly be checked by anyone. And definitely not by the common user, who has no idea of what is going on. So, how could he complain? Note that this is in favor of having more check user editors.
Also, a check user can do destructive things that no other check user can restore. He can publish the IPs of an editor. And once the information is known, nothing can be done to have people magically forget the information. It is OUT.
Note that anything a steward can do is visible by anyone as well (on meta log), and can be reverted by anyone as well.
This is NOT the case of check user right now.
Usually it works that the sysadmins have the access they need to keep stuff working. Around here, where all day every day is a "WTF?!" moment, the present process seems to work. I'm sure you can outline many reasons why the present way of doing things is utterly broken and can't possibly work in theory, never mind that it does in practice.
You don't actually know much about systems administration in practice, do you?
Actually, Karynn suggested all checkuser rightsholders should sign an NDA with the Foundation. It could be a good idea...
Anthere
- d.
WikiEN-l mailing list WikiEN-l@Wikipedia.org To unsubscribe from this mailing list, visit: http://mail.wikipedia.org/mailman/listinfo/wikien-l
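The point made above, that a checkuser lookup (unlike a block, deletion or protection) cannot be reverted and is not visible to anyone else, is the usual argument for making such lookups tamper-evidently logged before the data is released. The following is an added example, not code from this thread or from MediaWiki's actual CheckUser extension: a hash-chained, append-only audit log in which every IP lookup must carry a stated reason and is recorded before the result is returned, so that a later reviewer can detect any entry that was edited or removed. The function and class names, and the small user-to-IP table, are illustrative assumptions constructed for the example.

```python
"""Tamper-evident audit log for privileged IP lookups (added example).

Assumptions (not the real MediaWiki CheckUser implementation): a flat table
mapping account names to the address they last edited from, one actor doing
the lookups, and a SHA-256 hash chain where each entry commits to the hash of
the previous entry. Deleting, reordering or editing any entry then breaks
verification from that point on.
"""
import hashlib
import json
import time
from typing import Dict, List, Optional

# Constructed sample data: which account last edited from which address.
SAMPLE_USER_IPS: Dict[str, str] = {
    "Example_Editor": "192.0.2.10",
    "Sockpuppet_Suspect": "192.0.2.10",
    "Uninvolved_User": "198.51.100.7",
}

GENESIS = "0" * 64  # hash "before" the first entry


def _entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash the previous entry's hash together with a canonical encoding of the payload."""
    data = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of who looked up whom, and why."""

    FIELDS = ("actor", "target", "reason", "ts")

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, target: str, reason: str,
               when: Optional[float] = None) -> dict:
        # A lookup without a stated reason is refused outright.
        if not reason.strip():
            raise ValueError("a lookup must state a reason")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"actor": actor, "target": target, "reason": reason,
                   "ts": when if when is not None else time.time()}
        entry = dict(payload, prev=prev, hash=_entry_hash(prev, payload))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            payload = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev or e["hash"] != _entry_hash(prev, payload):
                return False
            prev = e["hash"]
        return True


def checkuser_lookup(log: AuditLog, actor: str, target: str, reason: str,
                     when: Optional[float] = None) -> Optional[str]:
    """Return the address on file for `target`, logging the lookup first.

    The log entry is written before the data is handed back, so there is no
    code path that reveals an address without leaving a record.
    """
    log.append(actor, target, reason, when)
    return SAMPLE_USER_IPS.get(target)


def same_address(log: AuditLog, actor: str, a: str, b: str, reason: str,
                 when: Optional[float] = None) -> bool:
    """Typical sockpuppet check: two accounts, two logged lookups, one answer."""
    ip_a = checkuser_lookup(log, actor, a, reason, when)
    ip_b = checkuser_lookup(log, actor, b, reason, when)
    return ip_a is not None and ip_a == ip_b


if __name__ == "__main__":
    log = AuditLog()
    print(same_address(log, "Reviewer", "Example_Editor", "Sockpuppet_Suspect",
                       "confirmed vandalbot pattern"))
    print(log.verify())
    log.entries[0]["target"] = "Uninvolved_User"  # simulate tampering with the record
    print(log.verify())
```

The design choice worth noting is that the log is written by the same call that releases the data, not by a separate step the rightsholder could skip; the hash chain only adds the property that the record, once written, cannot be quietly altered by someone with access to the log itself. Publishing the chain head to a party without write access to the log (the thread's "someone else who can check") is what makes that property useful.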
Anthere (anthere9@yahoo.com) [051014 04:38]:
David Gerard wrote:
You can either try to Taylorise the process of trusting people, or you can get in people you trust. Sysadmins *could* do any destructive thing they want. But they pretty much *don't*. I wonder why that is.
Most of them do not do anything wrong because anything they do can be easily seen by ANYONE (sysops and non sysops). And aside from deleting an image, everything they do can be reverted. If they block, someone else can unblock. If they delete a page, someone else can undelete. If they protect a page, someone else can unprotect.
I am not talking about Wiki admins/sysops, I mean the people who run the actual servers, i.e. [[system administrator]]s.
- d.
David Gerard wrote:
Anthere (anthere9@yahoo.com) [051014 04:38]:
David Gerard wrote:
You can either try to Taylorise the process of trusting people, or you can get in people you trust. Sysadmins *could* do any destructive thing they want. But they pretty much *don't*. I wonder why that is.
Most of them do not do anything wrong because anything they do can be easily seen by ANYONE (sysops and non sysops). And aside from deleting an image, everything they do can be reverted. If they block, someone else can unblock. If they delete a page, someone else can undelete. If they protect a page, someone else can unprotect.
I am not talking about Wiki admins/sysops, I mean the people who run the actual servers, i.e. [[system administrator]]s.
- d.
I absolutely understand that, David. I just want to point out that the fact that sysadmins in the real world are extremely cautious with data does not necessarily mean the editors who will be given access to checkuser will be cautious.
As for our *own* sysadmins (well, in our case, basically, our developer team with shell access), they could do destructive things, but they pretty much don't :-) And we trust them :-)