brion vibber (brion @ pobox.com) wrote:
> I've disabled the ability to use blank passwords on wiki accounts.
>
> For a long time we treated accounts very laxly in this regard; there generally
> wasn't _that_ much reason to secure a casual account unless you were one of the
> tiny number of sysops.
>
> In recent years though the number of sysops has exploded, and we've added
> customization features like the user javascript which are cool but potentially
> really annoying if someone gets into your account and messes with them. As a
> small concession to security and accountability, it's time for blank passwords
> to go.
>
> While running some password security checks, I found that a handful of sysop
> accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>
> Affected accounts can reset the password by the automated e-mail
> password gadget on the login form, unless of course they didn't put in an e-mail.
This is seriously wrong. It should be completely reversed.
A lot of people have just lost their account because of this,
and it wasn't even announced that it was coming.
This part of the problem could be reduced if the change was
announced in advance.
However, that's not the full problem.
Many people use blank or trivial passwords and don't give their emails.
This is completely reasonable, as it's very hard to remember just
another password (and reusing passwords on different websites is about
as bad as having none),
and even if spamming wasn't a problem, why the heck would any website
need their email in the first place ?
So, while dictionary-checking sysops' passwords makes a lot of sense,
there's very little point in limiting passwords of the non-privileged accounts.
(and yeah, /me just lost 2 (rarely used) accounts on fr.wp and de.wp)
On nl: wikipedia we have a user (Torero) who under him quoting the
rights of freedom of speech is insulting Islam and everyone who
doesn't think like him on a regular basis.
Today he wrote:
http://nl.wikipedia.org/w/index.php?title=Overleg:DemoCrates.net&diff=30115…
Allah Akbar is almost the same as Heil Hitler.
This is not the first time he did this. He has insulted Islam and
Muslims on multiple occasions. Also he constantly accuses people of
being leftwing etc.
Unfortunately this is "tolerated" on nl: by the mods and anyone else who
do not dare to pose an opposition against these kinds of users. And
every time he apologises some time later. But what does an apology count
for if he keeps on repeating himself time and time again? And again a
user who happens to be Muslim is going on wikibreak because of this.
Freedom of speech ?????
Waerth/Walter
brion vibber (brion @ pobox.com) wrote:
> Tomasz Wegrzanowski wrote:
>> So, while dictionary-checking sysops' passwords makes a lot of sense,
>> there's very little point in limiting passwords of the
>> non-privileged accounts.
>
> At the moment we don't have a separate switch for sysops, nor any control which
> would prevent blank-password accounts from being made into sysops. I'd rather
> risk disabling a few accounts temporarily than keep the incredibly dangerous
> sysop accounts open (which could be used potentially to great destructive effect).
Could you elaborate on the "temporarily" part ?
I've disabled the ability to use blank passwords on wiki accounts.
For a long time we treated accounts very laxly in this regard; there generally
wasn't _that_ much reason to secure a casual account unless you were one of the
tiny number of sysops.
In recent years though the number of sysops has exploded, and we've added
customization features like the user javascript which are cool but potentially
really annoying if someone gets into your account and messes with them. As a
small concession to security and accountability, it's time for blank passwords
to go.
While running some password security checks, I found that a handful of sysop
accounts had blank passwords. Probably some non-sysop accounts also had blanks.
Affected accounts can reset the password by the automated e-mail password gadget
on the login form, unless of course they didn't put in an e-mail.
-- brion vibber (brion @ pobox.com)
[For those who are offended by the top posting, please accept my apologies.]
There has been mention on this list of specific concepts of vicarious liability and employer/employee responsibility. Angela has scheduled an open IRC chat on the topic of governance (broadly) which I hope to monitor and participate in if my schedule will allow. I will address solely the point raised by Anthere below:
The initial starting point is "what law applies"; this would be the governing law of the State of Florida, USA, and applicable statutory and controlling authorities in state and US federal jurisdictions. "Who is the client?" I am a licensed Florida lawyer with a private firm representing the Wikimedia Foundation, Inc. through its Board. I do not represent "the community" in any technical legal sense, I answer to the Board and provide advice to the Board.
Anthere (a board member) opines that Gerard's comments represent a "dangerous" interpretation of things. I would like to clarify why I believe she is correct for the most part.
Under Florida law (and US law generally), all actions taken by a corporation are done through a series of delegations of authority, all of which have their origin with the Board. The delegation of authority is hierarchical and drawn in an organizational chart as a pyramid, with the Board at the top. [N.B.: to those who would reject this concept out of hand, and insist there should be another way, you may stop reading now. Whether you like it or not, or believe in it philosophically or not, or believe it is morally or ethically superior or inferior to another alternative, I must observe such opinions are _legally_ irrelevant. Under FL/US law, corporate authority is delegated, and this is the law the Board is bound by today. Also, this is not the same as traditional US private corporations with shareholders.]
To date, the Board has maintained tight control for itself in many respects, by which I mean the Board makes many day-to-day decisions. Little is delegated. However, various Wikipedia projects thrive through a community of users/admins/stewards/etc. Chapters also exist and do various things, however, they are generally autonomous associations of users and do not exist as a direct delegated authority of the Foundation. The point is that there is a middle area between the "grassroots" user base and "community" on the one hand, and the Board and those with strict delegated authority on the other. Put another way, there exists the community and its culture, operating norms, etc., and the Foundation and its legal structure, corporate governance, and administrative day-to-day dealings.
Irrespective of name, title, or any other statement of authorization (or lack thereof), it is the case that many people have taken it upon themselves to "act" believing that they are doing so with the consent of WMF. Devolved responsibility _is_ clear in a situation where the Board has directly and explicitly delegated authority to act to a person with the intent that they act as a corporate officer. An example is Brion, the CTO. Brion is tasked with running the technological side of the organization. He is a paid employee of the Foundation and has as his defined job responsibility keeping things up and running. It would be absurd to assume that if a server crashed, Brion would need to get permission from the Board to bring them back up - he has been delegated the authority to do so. It would be equally absurd to suggest that it would be best for the organization to allow anyone who felt like it to have root access - to exercise no restraint on delegation of authority. I ask rhetorically, how best to manage the middle ground between volunteer and board member? That policy question (it is not merely a legal one) implies attention to the fiduciary responsibilities a non-profit organization has to conserve its resources and prevent against liability wherever possible.
From a corporate liability perspective (with due regard to the fiduciary responsibility owed in this context), risk management is something which requires constant attention and improvement in any organization. To properly obtain insurance to guard against such risk, the question of delegated authority and the actions undertaken by those who affiliate themselves with WMF must be clarified more than it has been to date. That process is underway. It is not in the best interests of the organization to deviate from a known fiduciary responsibility (for example, to decide _not_ to obtain director and officer and general liability insurance) but rather a challenge of how best to do it. To comment publicly on what situations would or would not create liability would be foolish and an invitation to those who would do the organization harm. Suffice to say my responsibility to the Foundation is to provide such legal opinions when they are required, within the bounds of attorney-client privilege.
I qualify all of this to the civil context only; if there is anything criminal it should and must be dealt with immediately. As a not-for-profit tax-exempt organization under US law, any situation of the kind is utterly intolerable and will be dealt with swiftly, summarily, and with the fullest measure of cooperation with law enforcement. Political pressure is being brought to bear in the US Senate that would create a level of public scrutiny akin to Sarbanes-Oxley Act (SOX) in the not-for-profit sector. See today's headlines re Enron for treatment in the for-profit context.
To sum up:
*all power to act derives from the Board
*the Board, each Board member, and officers must act consistent with their fiduciary responsibilities under law
*the Board can delegate power to act to officers and committees of the Board, each with defined authority
*the Board is obligated to act to avoid risk or to deal with risk consistent with its fiduciary responsibilities
*specific questions require specific legal advice to the Board which is inappropriate for public discussion
-Brad
-----Original Message-----
From: foundation-l-bounces(a)wikimedia.org [mailto:foundation-l-bounces@wikimedia.org] On Behalf Of Anthere
Sent: Monday, January 30, 2006 2:01 PM
To: foundation-l(a)wikimedia.org
Subject: [Foundation-l] Re: Outsiders on the Board? (was Re: Poll forWikistandards)
Gerard Meijssen wrote:
> Ray Saintonge wrote:
>
>> Tim Starling wrote:
>>
>>> Gerard Meijssen wrote:
>>>
>>>
>>>> I am amazed that you suggest that an officer of the Wikimedia
>>>> Foundation would be personally liable for the work done as an
>>>> officer. I would expect that an officer of an organisation speaks
>>>> for the organisation and as a consequence the organisation is
>>>> liable for the actions of its personnel. Normally someone employed
>>>> by an organisation is liable only when gross incompetence can be
>>>> proven or in cases where the law has been violated to an extent
>>>> where criminal intent can be proven.
>>>>
>>>> I am sure that someone can and will explain to what extent an
>>>> employee is personally liable for his actions as an employee of the
>>>> Wikimedia Foundation.
>>>>
>>>
>>> Well, firstly IANAL and secondly most of my legal knowledge comes
>>> from studying Australian law rather than US law. But my
>>> understanding is that civil liability for the action of employees
>>> rests with the corporation or individual employing them. This is
>>> called vicarious liability.
>>>
>> Gerard's response on this seemed naïve. No-one wants to go into a
>> situation where there is a high risk of liability. But these things
>> do happen, and there are situations where the law needs to pierce the
>> corporate veil when the corporate structure is there to assist in the
>> perpetration of a scam. In some cases liability insurance can be
>> purchased, but that too can be expensive. It's also important to
>> remember the level of litigiousness that is found in US society. A
>> plaintiff will often cast a wide net in the hopes of catching the
>> right victim with deep enough pockets to pay for the wrongdoings of a
>> penniless associate. This can be a frightful experience when people
>> with only marginal involvement find themselves put through the
>> expense of defending themselves in court.
>
> As I understand things, there are two types of people in the Wikimedia
> Foundation and its projects.
>
> * There are the persons with an official role; they are appointed or
> chosen to their function.
> * There are the persons with no official status as far as the WMF is
> concerned. These include stewards, bureaucrats, admins and users.
>
> Only the first two groups have any protection for what they do within
> the Wikimedia Foundation. They have this protection as they represent
> the Wikimedia Foundation in an official capacity. When something is
> done on any of the projects that results in a legal situation, it is
> the person who will be, when identified, be the one prosecuted.
> Depending on the situation the Wikimedia Foundation or a chapter may
> involve itself, this is not a given.
>
> When a person in his official position gets into a legal situation, it
> typically is the organisation, here the Wikimedia Foundation, who will
> be prosecuted. It is only when a person is criminally negligent or
> involved that there is a ground to prosecute an individual.
>
> This is my understanding of how these things work. The consequence is
> that officers of the WMF or of chapters have protection that all other
> WMF volunteers lack. The fact that statutory laws exist for '''gross'''
> mismanagement is something that we should welcome. Typically it takes
> some effort to qualify as gross mismanagement. Given the people that
> we currently have in official positions this is unlikely to happen.
>
> The only group of people for whom it is not entirely clear to me what
> their status is, are the people who help out on OTRS. Yes, I do know
> how careful these people try to do their job.. :)
>
> Thanks,
> GerardM
My apologies Gerard, but all this seems to me to be a misconception of the whole issue. Not even erroneous, but dangerous actually.
I think it is incorrect to imply that those elected/appointed are somehow "protected" by their position in the Foundation (ie, the Foundation will be prosecuted rather than them as individuals) while "regular editors" lack protection.
I would like to ask Brad here to clarify this issue publicly for you, and for all those who read your statement. Brad, can you help ? Thanks in advance :-)
Anthere
>Besides what steward(s) should do, I propose that no discussion on
>desysopping has not to be submitted on meta but on their own projects
>unless desysopping in request is related to two or more projects, or
>at least such discussion might be moved to more appropriate page (like
>requests for comment).
>
>Or, submission of request for desysopping might be qualified only if
>there is already a closed vote on project(s) in question. (sigh)
I agree. There should be no discussions at Requests for permissions. There should be just approved requests which have to be done. Maybe we should have a special page for this kind of discussions? It is an idea with Requests for comment. If not, we can do another page.
M
Hmm... anyway.... as a second thought...
(I still support Anthere's proposal)
what will the stewards do afterwards?
There is not so much activity at Requests for permissions nowadays... exception - of course - big discussions about desysopping some users.
M
As you may have seen from
<http://wikimediafoundation.org/wiki/Resolutions>, the Board has
approved the creation of a number of new committees: Financial,
Technical, Executive, Events, Communications, Special projects, Board
expansion committee, and Chapters.
The pages linked from the resolutions page give some very brief
details about these, and so far there has been no public discussion of
them.
I would like to open up discussion of the Executive Committee since
internally, opinions are very divided on how this committee should be
set up, and I think some additional views might be useful. The two
lines of thought are:
1) small committee: the committee should be made up of between 2 and 4
existing Board members only
2) large committee: the committee should include the current Board as
well as representatives from other committees and people outside the
other committees.
Does anyone have experience or knowledge of how Executive Committees
in other non-profit organizations are organized? Is there any benefit
of one approach over the other?
Ideas are also welcome on how the Executive Committee should fit in
with the other committees, and whether additional committees are
needed.
Angela.
--- SJ <2.718281828(a)gmail.com> wrote:
> We clearly need an "edit this page!" line of post-its, notebooks, etc.
> That is, the world needs one... Wikipedia may as well provide it. I
> imagine this means finding an outside supplier interested in getting
> involved...
:) FYI - I just created a Wikinews shop as well. See
http://www.cafepress.com/wikipedia/1168362
Those items that have front and back options have the Wikinews logo on front and CITIZEN
JOURNALIST with the Wikinews url on the back.
Other shops later. Must sleep now.
-- mav
> SJ
>
> On 1/29/06, Daniel Mayer <maveric149(a)yahoo.com> wrote:
> > I spent a few hours today updating the Wikipedia CafePress shop tonight (20%
> > from every purchase
> > goes to the foundation). The biggest change was replacing the 'Edit this
> > page' image on the back
> > of items with an image that shows the multi-lingual nature of the project
> > (the 'Edit this page'
> > image is still there, just much reduced in size). Here is the image:
> > http://meta.wikimedia.org/wiki/Image:WikipeidaIntl.PNG
> >
> > All items with front and back options now have a big Wikipedia logo in front
> > and the multi-lingual
> > 'The Free Encyclopedia' logo (see above) on back. A new item that shows this
> > well is a golf shirt:
> > http://www.cafepress.com/wikipedia.46067950
> >
> > I also added a mousepad and clock with the new image:
> > http://www.cafepress.com/wikipedia.46065179
> > http://www.cafepress.com/wikipedia.46066953
> >
> > New items with just the standard logo include a black cap, a khaki cap,
> > teddy bear, and wall
> > clock.
> >
> > Just for fun I also created a "We make the Internet not suck" bumper
> > sticker:
> > http://www.cafepress.com/wikipedia.46073071
> >
> > The full shop is here: http://www.cafepress.com/wikipedia/528088
> >
> > If you have ideas for slogans and artwork, then please add them here:
> > http://meta.wikimedia.org/wiki/Fundraising_ideas/Cafe_Press
> >
> > -- mav
> >
>
> --
> ++SJ
>