Since Friday, we've had a slow but steady stream of admin account
compromises on WMF projects. The hacker group OurMine has taken credit
for these compromises.
We're fairly sure now that their mode of operation involves searching
for target admins in previous user/password dumps published by other
hackers, such as the 2013 Adobe hack. They're not doing an online
brute force attack against WMF. For each target, they try one or two
passwords, and if those don't work, they go on to the next target.
Their success rate is maybe 10%.
When they compromise an account, they usually do a main page
defacement or similar, get blocked, and then move on to the next target.
Today, they compromised the account of a www.mediawiki.org admin, did
a main page defacement there, and then (presumably) used the same
password to log in to Gerrit. They took a screenshot, sent it to us,
but took no other action.
So, I don't think they are truly malicious -- I think they are doing
it for fun, fame, perhaps also for their stated goal of bringing
attention to poor password security.
Indications are that they are familiarising themselves with MediaWiki
and with our community. They probably plan on continuing to do this
for some time.
We're doing what we can to slow them down, but admins and other users
with privileged access also need to take some responsibility for the
security of their accounts. Specifically:
* If you're an admin, please enable two-factor authentication.
<https://meta.wikimedia.org/wiki/H:2FA>
* Please change your password, if you haven't already changed it in
the last week. Use a new password that is not used on any other site.
* Please do not share passwords across different WMF services, for
example, between the wikis and Gerrit.
(Cross-posted to wikitech-l and wikimedia-l, please copy/link
elsewhere as appropriate.)
-- Tim Starling
Wikimedia is among the 17 organizations in Google Code-in (GCI) 2016!
GCI starts on November 28th. It's a contest for 13-17 year old students
working on small tasks and a great opportunity to let new contributors
make progress and help with smaller tasks on your To-Do list!
What we want you to do:
BECOME A MENTOR:
1. Go to https://www.mediawiki.org/wiki/Google_Code-in_2016 and add
yourself to the mentor's table.
2. Get an invitation email to register on the contest site.
PROVIDE SMALL TASKS:
* Do your docs on your wiki need some improvements?
* Does your template or gadget code needs some updates?
* Do you have small and self-contained bugs you'd love to get fixed?
* Does your UI have small design issues?
* Do your old bugs welcome some testing?
We want your tasks in the following areas: code, outreach/research,
documentation/training, quality assurance, user interface/design.
1. Create a Phabricator task (which would take you 2-3h to complete) or
pick an existing Phabricator task you'd mentor.
2. Add the "Google-Code-In-2016" project tag.
3. Add a comment "I will mentor this in #GCI2016".
Looking for task ideas? Check the "easy" tasks in Phabricator:
https://www.mediawiki.org/wiki/Annoying_little_bugs offers links.
Make sure to cover expectations and deliverables in your task.
And once the contest starts on Nov 28, be ready to answer and review
contributions quickly.
Any questions? Just ask, we're happy to help.
Thank you for your help broadening our contributor base!
*Inverencial PeaceAlangi Derick Ndimnain*
Hello everyone,
There will be an upcoming MediaWiki and VisualEditor Wikimedia workshop
coming up in Buea in this month of November 2016. The date is not yet fixed
so we are still working on a comfortable day for the event. In this event,
we will be bringing in newbies into the activities of the Wikimedia
Foundation and tech them VisualEditor (what is used in writing articles on
Wikipedia) and installation of MediaWiki(for newbies interested in
developing on Wikimedia projects).
If you are interested in this event and want to help as a volunteer, kindly
send an email to "wikimediacugcameroon(a)gmail.com" to show your concern and
we will reply with a task we have for you. For more information about the
event, check out the Phabricator task[1] and make comments or open up a
discussion concerning the preparation of the workshop.
If in case you don't know about the Wikimedia Community User Group
Cameroon, please do read about it [2]
[1] https://phabricator.wikimedia.org/T149893
[2] https://meta.wikimedia.org/wiki/Wikimedia_Community_User_Group_Cameroon
*Inverencial PeaceAlangi Derick Ndimnain*