Hi,
I know it may be too early to ask that, but I promise to send another
notification related to this issue in the coming months :)
We started last year to make the Wikimania costs more transparent.
Wikimania is our biggest and most expensive project. To ask ourselves
"how much Wikimania costs" we can't only look at the project budget, as the
total cost involves also scholarships (from WMF and chapters)
and delegations of the chapters and the WMF.
We have tracking pages on Meta about Wikimania 2011
<http://meta.wikimedia.org/wiki/Wikimania_2011/Budget> and Wikimania 2012
<http://meta.wikimedia.org/wiki/Wikimania_2012/Budget> (sadly the
organizer team of 2012 didn't update their costs till now...), and I
opened a new page for Wikimania 2013
<http://meta.wikimedia.org/wiki/Wikimania_2013/Budget>.
So again, I know to some of you this is too early to put the costs
(although the size of the chapters and WMF delegation is known and could be
updated also now) - but if you can, do it now. If not, remember to do it
when you have the numbers.
The data requested is your chapter/WMF delegation
<http://meta.wikimedia.org/wiki/Wikimania_2013/Budget#Delegations> and
the number of scholarships
<http://meta.wikimedia.org/wiki/Wikimania/Scholarships/2013> your
chapters gave.
Thanks,
Itzik
A Wikimania committee has been formed to ensure that the legacy of knowledge is effectively and efficiently passed on to the organising teams and to ensure a smooth and successful Wikimania. For more details on the committee and its charter see:
https://meta.wikimedia.org/wiki/Wikimania_Committee
https://meta.wikimedia.org/wiki/Wikimania_Committee/Charter
This committee can also be reached at
wikimania-com(a)lists.wikimedia.org
Committee members:
• James Forrester (Chair)
• Ellie Young (Secretary)
• Carlos Barcenilla
• Jeromy-Yu Chan (representing WM 2013)
• Florence Devouard
• Orsolya Virág Gyenes (representing WM 2012)
• James Hare
• Deror Avi (representing WM 2011)
• Manuel Schneider
• Muhammad Yahia
Do I really have to change my password! Why?
-original message-
Subject: Wikimania-l Digest, Vol 91, Issue 3
From: wikimania-l-request(a)lists.wikimedia.org
Date: 03/10/2013 21:12
Today's Topics:
1. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Michael Peel)
2. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Nathan)
3. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Casey Brown)
4. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Chris Steipp)
5. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Michael Peel)
6. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Risker)
----------------------------------------------------------------------
Message: 1
Date: Thu, 3 Oct 2013 18:17:50 +0100
From: Michael Peel <email(a)mikepeel.net>
To: "Wikimania general list \(open subscription\)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID: <4499360F-43E5-4034-8BC2-ECF6F700BF19(a)mikepeel.net>
Content-Type: text/plain; charset=windows-1252
They look like they're linked into CentralAuth/global accounts/SUL to me…
Thanks,
Mike
On 3 Oct 2013, at 18:06, Risker <risker.wp(a)gmail.com> wrote:
> Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
>
> I agree with others that the risk is very, very small; nonetheless, it is not non-existent.
>
> Risker/Anne
>
> On 3 October 2013 05:36, Orsolya Gyenes <gyenes.orsolya(a)wiki.media.hu> wrote:
> Yeah, I've already gotten my mail... great... :(
>
> ~Orsolya
>
>
> 2013/10/3 Katie Chan <katie.chan(a)wikimedia.org.uk>
> FYI, especially since wikimania2013 & wikimania2014 are two of the affected wikis.
>
> ---------- Forwarded message ----------
> From: Erik Moeller <erik(a)wikimedia.org>
> Date: 3 October 2013 06:56
> Subject: [Wikimedia-l] Notification about Wikimedia user account security issue
> To: Wikimedia Mailing List <wikimedia-l(a)lists.wikimedia.org>
>
>
> See also:
> https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue
>
> On October 1, 2013, we learned about an implementation error that made
> private user information (specifically, user email addresses, password
> hashes, session tokens, and last login timestamp) for approximately
> 37,000 Wikimedia project users accessible to volunteers with access to
> the Wikimedia "LabsDB" infrastructure.
>
> LabsDB, launched in May 2013, is designed to give volunteers the
> ability to write tools and generate reports that make use of data from
> our databases in real-time. This supports bottom-up innovation by the
> Wikimedia community. As part of this process, private data is
> automatically redacted before volunteers are given access to the data.
> Unfortunately, for some of Wikimedia’s wikis[1], the database triggers
> used to redact private data failed to take effect due to a schema
> incompatibility, and LabsDB users had access to private user data for
> some user accounts in these specific wiki databases. As of October 1,
> 228 users have access to LabsDB, and the window of availability of
> this data was May 29, 2013 to October 1, 2013.
>
> This issue was discovered and reported by a trusted volunteer, and
> access to the data in question was revoked within 15 minutes of the
> report. We have no evidence to suggest that the private data in
> question was exported in bulk or used for malicious purposes, but we
> cannot definitively exclude the possibility. As a precautionary
> measure, we have invalidated all affected user sessions, and are
> requiring affected users to change their password on their next login.
>
> We have also sent an email notification to affected users with a
> confirmed email address.
>
> We regret this mistake. LabsDB is still a new part of our
> infrastructure, and we will fully audit the redaction process, so as
> to minimize any risk of a future mistake of this nature.
>
> Sincerely,
> Erik Moeller
> Vice President of Engineering & Product Development
>
> Contact information
>
> Should you have any questions, please contact us via email to:
>
> accountsecurity(a)wikimedia.org
>
> You can also reach the Wikimedia Foundation at:
>
> Wikimedia Foundation, Inc.
> 149 New Montgomery Street
> Floor 6
> San Francisco, CA 94105
> United States
> Phone: +1-415-839-6885
> Fax: +1-415-882-0495
>
> [1] List of affected databases: aswikisource bewikisource dewikivoyage
> elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource
> hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki
> nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage
> sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki
> ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki
> wikimania2014wiki
>
>
> --
> Erik Möller
> VP of Engineering and Product Development, Wikimedia Foundation
>
>
> --
> Katie Chan
> Volunteer Support Organiser
> Wikimedia UK
> +44 (0) 20 7065 0990
> +44 (0) 7885 980 534
>
> Wikimedia UK is a Charitable Company registered in England and Wales.
> Registered Company No. 6741827. Registered Charity No.1144513.
> Registered Office: 4th Floor, Development House, 56-64 Leonard Street, London EC2A 4LT. United Kingdom.
> Wikimedia UK is the UK chapter of a global Wikimedia movement. The Wikimedia projects are run by the Wikimedia Foundation (who operate Wikipedia, amongst other projects).
>
> Wikimedia UK is an independent non-profit charity with no legal control over Wikipedia nor responsibility for its contents.
------------------------------
Message: 2
Date: Thu, 3 Oct 2013 13:18:12 -0400
From: Nathan <nawrich(a)gmail.com>
To: "Wikimania general list (open subscription)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CALKX9dQcGQ1cKKGqBcpBhEMgHd0och-kYCGMDe13+sHOkLo=TQ(a)mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Thu, Oct 3, 2013 at 1:06 PM, Risker <risker.wp(a)gmail.com> wrote:
> Please note that it is especially important to change your passwords on the
> Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013
> and 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
>
> I agree with others that the risk is very, very small; nonetheless, it is
> not non-existent.
>
> Risker/Anne
It sounds like they've already scrambled the passwords as part of
requiring the password reset procedure. Even if they haven't, Erik's
description of precautionary measures should mean that access to your
Wikimania (etc) accounts is disabled prior to a password reset using
your e-mail, so there's no real risk that someone will get into your
account (unless they can also get into your e-mail).
But normally notices of compromised passwords include standard
language suggesting that users change their passwords for any other
login where they've used similar information, in case the combination
of name and password is sold or someone attempts to use their
knowledge of you to access your information on other sites. Perhaps
that is part of the e-mail notification the WMF sent; if not, it's
good practice.
~Nathan
------------------------------
Message: 3
Date: Thu, 3 Oct 2013 14:43:12 -0400
From: Casey Brown <lists(a)caseybrown.org>
To: "Wikimania general list (open subscription)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CA+txiSvNqkRE6m8fzxZOjsqS2cCeJUZQctpGwaUi-f4LxyeD+w(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Thu, Oct 3, 2013 at 1:06 PM, Risker <risker.wp(a)gmail.com> wrote:
> Please note that it is especially important to change your passwords on the
> Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013
> and 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
Actually, changing your SUL password should change your password on
all your attached Wikimedia wiki accounts. This includes all public
wikis, but does not include private or fishbowl ones. So, for example,
if you also used the same password on wikimaniateamwiki or
foundationwiki, you will need to change it separately there.
On Thu, Oct 3, 2013 at 1:18 PM, Nathan <nawrich(a)gmail.com> wrote:
> But normally notices of compromised passwords include standard
> language suggesting that users change their passwords for any other
> login where they've used similar information, in case the combination
> of name and password is sold or someone attempts to use their
> knowledge of you to access your information on other sites. Perhaps
> that is part of the e-mail notification the WMF sent; if not, it's
> good practice.
This too. If you used the same password combination elsewhere (you
shouldn't, but people often do), then you should change those too.
--
Casey Brown (Cbrown1023)
caseybrown.org
------------------------------
Message: 4
Date: Thu, 3 Oct 2013 13:43:46 -0700
From: Chris Steipp <csteipp(a)wikimedia.org>
To: "Wikimania general list (open subscription)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CAKcmtDzv5RComj0aQhE1sc7x_peczy99sQsYrA7MNP_qSdKEfA(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
On Thu, Oct 3, 2013 at 10:06 AM, Risker <risker.wp(a)gmail.com> wrote:
> Please note that it is especially important to change your passwords on
> the Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013
> and 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
>
wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part
of SUL, so most users should use their CentralAuth account to log in. They
are slightly odd in that we don't give you a cookie for those sites when
you initially log in on another wiki, but with SUL2, you *should* get logged
in when you visit the site.
However, since SUL2 is relatively new, and you wouldn't get automatically
logged in when visiting the site with the original SUL, I'm guessing many
users visited the wikimania sites for the first time, logged in with their
centralauth username and password, and continued on their way, which is one
of the conditions where the local wiki stores the password hash used to
initially create the account. So there is probably a higher number of users
here who were notified, than on some of the other wikis.
>
> I agree with others that the risk is very, very small; nonetheless, it is
> not non-existent.
>
Totally agree.
>
> Risker/Anne
>
We all know how neat, subtle and effective is the attribution for every edit made on wiki in page history. Is it possible to extend this (at least partly) to the offline activities of Wikipedians (like in organising Wikimania, for example)? Are there any best practices in this regard?
Thanks,
Sundar
"That language is an instrument of human reason, and not merely a medium for the expression of thought, is a truth generally admitted."
- George Boole, quoted in Iverson's Turing Award Lecture
FYI, especially since wikimania2013 & wikimania2014 are two of the affected
wikis.
---------- Forwarded message ----------
From: Erik Moeller <erik(a)wikimedia.org>
Date: 3 October 2013 06:56
Subject: [Wikimedia-l] Notification about Wikimedia user account security
issue
To: Wikimedia Mailing List <wikimedia-l(a)lists.wikimedia.org>
See also:
https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue
On October 1, 2013, we learned about an implementation error that made
private user information (specifically, user email addresses, password
hashes, session tokens, and last login timestamp) for approximately
37,000 Wikimedia project users accessible to volunteers with access to
the Wikimedia "LabsDB" infrastructure.
LabsDB, launched in May 2013, is designed to give volunteers the
ability to write tools and generate reports that make use of data from
our databases in real-time. This supports bottom-up innovation by the
Wikimedia community. As part of this process, private data is
automatically redacted before volunteers are given access to the data.
Unfortunately, for some of Wikimedia’s wikis[1], the database triggers
used to redact private data failed to take effect due to a schema
incompatibility, and LabsDB users had access to private user data for
some user accounts in these specific wiki databases. As of October 1,
228 users have access to LabsDB, and the window of availability of
this data was May 29, 2013 to October 1, 2013.
This issue was discovered and reported by a trusted volunteer, and
access to the data in question was revoked within 15 minutes of the
report. We have no evidence to suggest that the private data in
question was exported in bulk or used for malicious purposes, but we
cannot definitively exclude the possibility. As a precautionary
measure, we have invalidated all affected user sessions, and are
requiring affected users to change their password on their next login.
We have also sent an email notification to affected users with a
confirmed email address.
We regret this mistake. LabsDB is still a new part of our
infrastructure, and we will fully audit the redaction process, so as
to minimize any risk of a future mistake of this nature.
Sincerely,
Erik Moeller
Vice President of Engineering & Product Development
Contact information
Should you have any questions, please contact us via email to:
accountsecurity(a)wikimedia.org
You can also reach the Wikimedia Foundation at:
Wikimedia Foundation, Inc.
149 New Montgomery Street
Floor 6
San Francisco, CA 94105
United States
Phone: +1-415-839-6885
Fax: +1-415-882-0495
[1] List of affected databases: aswikisource bewikisource dewikivoyage
elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource
hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki
nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage
sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki
ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki
wikimania2014wiki
--
Erik Möller
VP of Engineering and Product Development, Wikimedia Foundation
--
Katie Chan
Volunteer Support Organiser
Wikimedia UK
+44 (0) 20 7065 0990
+44 (0) 7885 980 534
Wikimedia UK is a Charitable Company registered in England and Wales.
Registered Company No. 6741827. Registered Charity No.1144513.
Registered Office: 4th Floor, Development House, 56-64 Leonard Street,
London EC2A 4LT. United Kingdom.
Wikimedia UK is the UK chapter of a global Wikimedia movement. The
Wikimedia projects are run by the Wikimedia Foundation (who operate
Wikipedia, amongst other projects).
Wikimedia UK is an independent non-profit charity with no legal control
over Wikipedia nor responsibility for its contents.
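
An added example, not part of the original messages and not Wikimedia's code: a fail-closed audit for the failure the notification describes, which checks every replica both for the redaction trigger and for any non-empty private field before tool users are given access. SQLite stands in for the production database, and the table, column, trigger and wiki names are assumptions made for the illustration.

```python
import sqlite3

# Hypothetical schema: these column names are assumptions, chosen to mirror
# the four kinds of private field named in the notification.
SENSITIVE = ("email", "password_hash", "session_token", "last_login")

def make_replica(rows, install_trigger):
    """Build an in-memory stand-in for one wiki's replica database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               + ", ".join(f"{c} TEXT" for c in SENSITIVE) + ")")
    if install_trigger:
        nulls = ", ".join(f"{c} = NULL" for c in SENSITIVE)
        db.execute("CREATE TRIGGER redact_users AFTER INSERT ON users BEGIN "
                   f"UPDATE users SET {nulls} WHERE id = NEW.id; END")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def audit_replica(db):
    """Return (trigger_present, {column: count of unredacted rows})."""
    trig = db.execute("SELECT COUNT(*) FROM sqlite_master WHERE "
                      "type = 'trigger' AND tbl_name = 'users'").fetchone()[0] > 0
    leaks = {}
    for col in SENSITIVE:
        n = db.execute(f"SELECT COUNT(*) FROM users WHERE {col} IS NOT NULL "
                       f"AND {col} <> ''").fetchone()[0]
        if n:
            leaks[col] = n
    return trig, leaks

def audit_all(replicas):
    """Names of replicas that must stay closed to tool users (fail closed)."""
    blocked = []
    for name, db in sorted(replicas.items()):
        trig, leaks = audit_replica(db)
        # Check the data itself, not only that the trigger was deployed.
        if not trig or leaks:
            blocked.append(name)
    return blocked

# Constructed sample data; the wiki names are placeholders, not the affected list.
ROWS = [(1, "Alice", "alice@example.org", "hash-a", "tok-a", "20131001000000"),
        (2, "Bob", None, "hash-b", "tok-b", "20130929000000")]
REPLICAS = {"examplewiki": make_replica(ROWS, install_trigger=True),
            "newschemawiki": make_replica(ROWS, install_trigger=False)}

if __name__ == "__main__":
    for name in audit_all(REPLICAS):
        print("BLOCK ACCESS:", name, audit_replica(REPLICAS[name]))
```

The second replica models a trigger that never took effect by simply omitting it; the audit does not depend on why the trigger is missing.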